March’s Malformed Sausage

(This post went to Patronizers at the beginning of March, and the public at the beginning of April)

Last month, I mentioned blood pressure problems.

The good news is, I have the blood pressure under control. The bad news, it’s given me a cough so fierce that I occasionally fall over. People have told me I work to hard, so now I’m taking a thirty-minute break every four hours around the clock for a breathing treatment that leaves me wheezing and quivery but functional. It’s an opportunity to prove the maxim “sleep is for the weak,” and I needed to develop my abs and rib muscles anyway. The doc changed my meds yesterday, so I’m hopeful I can exchange these side effects for less inconvenient ones.

This is all covid damage. I’m not risking developing more problems. You want me at your events, enforce a mask policy. I got too many books to write to put up with any more symptoms.

I also failed to finish Run Your Own Mail Server last month. See the above cough. I’m down to one technical issue, MTA-STS, and a few social issues that only require spewing words. I was tempted to wait on this post until I write those, but that’s pretty much a guarantee that I won’t complete either. You folks are my strongest supporters, and I need to give you the attention I agreed to. (Not the attention you deserve, of course. I don’t have that much attention.)

One of the headaches in this book has been its constant violation of one of my usual writing rules: do the hard part first. When I approach a new project, I rank the contents in order of difficulty. Usually, there’s at least one thing I haven’t previously done. Those are the things I need to write first. Writing the stuff I know how to do is pretty straightforward, but the unknowns wreck my plans. RYOMS could only be written in one way, though. The services must be set up and documented in a particular order, without shortcuts. If the book said “This is wrong but we’ll come back and fix it later,” I know perfectly well that none of you would go back and fix it. We have to set it up right the first time. Which led to some extra work. I use pyspf-milter so I wrote about it, but rspamd turns out to be a wiser choice. Retreat, refactor, rearrange, try again.

On the fiction side, I sold a new Rats’ Man’s Lackey tale to a magazine. The RML tales have a strange publishing history; every magazine or anthology I’ve sold one too has collapsed before they could publish my tale. Once a story destroys a publication, I put it up on my bookstore. I’ve written enough of those to release a collection, but a few buyers are still in business so I have to wait for them to implode–uh, publish. Publish.

I’m most of the way of a massive Terry Pratchett Discworld reread, not just studying his craft but how he improved his craft. There’s something fascinating about reading a large body of work in the order it was written. The quality of Pratchett’s early work was borderline, but some editor saw something unique in his craft and decided to give the kid a chance. You can see him improving with every book. At a technical level, there’s a certain fascination in saying “Oh! This is where Sir Terry discovered cliffhangers!” “Hey, he learned the difference between description and setting!” “Ooooh, he figured out how to stop violating drifting point-of-view, thank you Om.” This binge gives me hope for my own craft, because nothing Terry with his craft did was magic. The art expressed through his craft was magic, but art is not craft. I started reading Pratchett when The Light Fantastic came out, and in retrospect I can honestly say he taught me how to improve my craft.

Note that you can’t binge-study James Patterson. This kind of study requires examining the work of someone who writes their own books. You also can’t binge-study Ayn Rand, because she never got better.

Anyway, this binge study leaves me feeling validated about my method of deliberately practicing one skill per project. That’s a dangerous feeling; I don’t study to see what I’m doing write, I’m looking for ways to improve. I’ve found a few, but I still suspect I’m missing something big. Oh well. I guess, in a year or two, I’ll have to… study Pratchett again.

I’m going to cut this a little short, because the coughing has backed off and I desperately want to finish RYOMS this week. Thanks for supporting me, everyone!

xz backdoor vs “$ git commit murder” sale

I’ve gotten half a dozen messages on various forums declaring that the xz backdoor is eerily reminiscent of a major plot element of $ git commit murder.

I’ve been a sysadmin for decades, and hanging around with operating system developers nearly as long. I came up with a plan for a “difficult but achievable” hack. I checked with various actual developers to see if it was realistic, and adjusted the hack based on their feedback.

Target a userland tool. Hook it into the operating system core. Proceed from there. The plan is easy, the execution fiercely difficult, the coincidence unsurprising.

I can say that if Dale had developed this hack, it would not have damaged the host’s ability to serve SSH requests. He would have caught that and fixed it before deployment.

I feel compelled to acknowledge this similarity, however. Coupon code xzhack gets you 50% off $ git commit murder and $ git sync murder at my store. This expires 8 April 2024.

To all the sysadmins who are having a bad weekend because of this hack, I offer my sincere condolences. Just because the blast missed me this time doesn’t mean I don’t feel your pain, or that I won’t be caught next time.

To the author of the hack I would like to say: you are a dick.

Vultr backed down, but so what?

(Quick note, because very busy day.)

Vultr had a rights grab in their ToS. They just took it out, after community outrage.

So, is everything fine?

Nope.

This is exactly what Findaway tried. I’ve read the whole ToS. There is no misunderstanding.

The CEO has said that users are not lawyers. I am not a lawyer, true. But I deal with a lot of intellectual property contracts. My books are intellectual property, and I have to read ToS and contracts for every one of them. When reading a contract, you have to assume that the other party will be sold to a complete bastard who will exploit the contract as far as possible.

It’s highly unlikely that Constant Contact (Vultr’s parent firm) would use a book stored on my site to make a film. But suppose their parent company did so. A film I didn’t want made would come out, destroying the value of any film I might have made. I could sue, spending my money to fight a much larger firm. This is a losing proposition.

Perhaps Vultr’s lawyers are merely incompetent.

But their parent firm is a content company. And many content companies are doing rights grabs.

Rights grabs are becoming more common, though. I believe that the only way to stop them is to stop doing business with any company that attempts one. Backing down from a rights grab is too late.

39: I Carry A Grudge

This book won’t be in progress long. I hope.

These block lists are distributed via DNS, and are called DNS Block Lists (DNSBL). (You’ll also see Reputation Block Lists, or RBLs, but that term is trademarked.) By refusing all mail from hosts on a reliable block list, you immediately stop the overwhelming majority of spam.

That’s the catch: a reliable block list.

This is the Internet. Just as anyone can run a web site, anyone can publish a block list—and you can’t tell by the name. These projects were overwhelmingly founded by infuriated geeks, and often grew beyond their original intent and scale. “Spam Eating Monkey” is a highly trustworthy list provider, while some official-looking lists should more properly be named “HTML Email Is Immoral And I Carry A Grudge.”

The scheduling on RYOMS is gonna be weird due to outside forces I can’t control, but I’ll get it in your hands as soon as possible.

Vultr Just Betrayed Us

(followup at https://mwl.io/archives/23504)

I suppose the hip kids would say this is enshittification, but it’s certainly a betrayal.

According to their new Terms of Service:

You hereby grant to Vultr a non-exclusive, perpetual, irrevocable, royalty-free, fully paid-up, worldwide license (including the right to sublicense through multiple tiers) to use, reproduce, process, adapt, publicly perform, publicly display, modify, prepare derivative works, publish, transmit and distribute each of your User Content, or any portion thereof, in any form, medium or distribution method now known or hereafter existing, known or developed, and otherwise use and commercialize the User Content in any way that Vultr deems appropriate, without any further consent, notice and/or compensation to you or to any third parties, for purposes of providing the Services to you.

This is unacceptable. No other hosting company does this.

The TLDR on the side is deceitful. They say that we own our stuff. Fine. The fine print declares that we license our stuff to them, for full exploitation, without compensation.

I have not agreed to those ToS. Fortunately, I can migrate off their systems without console access, so I do not have to agree. If you use vultr, I suggest you do the same. Also contact them through their contact page and state your refusal. I’m told you can cancel via their page without logging in, but haven’t yet tried it.

I am now investigating alternatives for hosting FreeBSD and OpenBSD systems. Preferably that take custom installs.

Shopify vs Woocommerce for Author Bookstores

The hot new idea in writer circles is the author-owned bookstore. According to the Wayback Machine I’ve had my author-owned bookstore since 17 May 2013, so you can imagine I’m fully on board with this. This store now accounts for 35% of my income, more than Amazon, so it’s a critical part of my business.

When folks look at building a store, though, they’re immediately confronted with choosing a platform. There’s two major platforms: Shopify and Woocommerce. Which should you pick? The costs are comparable. The skill level to use either is about the same. They then commit a grievous error and ask me for my opinion.

I will always advise Woocommerce. Always.

When I say this, many authors immediately jump up and say “I tried Woo and it sucked, Shopify works better!” I would reframe that. “The first store I built sucked, the second store I built is much better!” The first book you wrote probably sucked, too. The first iteration of my Woo store also sucked. I look at a lot of author bookstores and immediately say, “Oh sweetie, no, this is not how you do it.” Some of them hired ‘technical’ people to build the store. Technical people are like literary agents: there is no qualifying exam, they act in their own interests according to their own biases, and you can’t afford a good one. Even a disaster is educational, though. Your failed first store taught you how to build a second store containing less suck. (It’s amazing how many writers are willing to spend years noodling over a manuscript, but expect their first store to work perfectly on their first try.)

My motivation for standing up my own bookstore is to declare independence from any outside channel. A decade ago, Amazon was the majority of my income. Making my books available in all channels increased the number of readers I drew while reducing my dependence on Amazon. Adding my own bookstore reduced my dependence on anyone. Yes, I use outside components and services, but every one of those parts can be replaced. Why would I replace a dependency on Amazon with a dependence on Shopify?

Cory Doctorow recently made a big splash with the word enshittifcation. He describes it as the process where an Internet company starts off being useful, becomes powerful, then starts squeezing values out of suppliers and then customers. It’s standard business practice at Internet scale. Ford and General Electric would totally do the same, if federal regulation didn’t prevent it. Amazon exists with very little federal regulation.

I prefer a simpler word: betrayal. It’s harsh, yes, but it fits.

Internet companies betray their user every day. Glassdoor sold itself as a place to anonymously rat out employers. Now the company wants to monetize its users, and is attaching real names to user profiles. While I could laugh and say You idiots trusted an Internet company, what did you expect? this will literally destroy lives and careers. Findaway Voices sold itself as one service, got bought by Spotify, changed its ToS to become an IP-pillaging company, and appeared to back down under protest. People thought it was a victory. It was not. We lost. We lost huge. It was an absolute rout. Compare their current terms of service to the pre-Spotify terms of service. Now consider what a minor update like “we added three carefully-chosen words to the ToS, they’re harmless legal boilerplate, we promise” could do. I guarantee that Findaway’s lawyers knew what words they would add and where they would put them before releasing these “friendly” Terms of Service. In Reddit’s quest to raise money, it trashed the people who create its value. All that’s only in the last year.

Betrayal is the Internet’s business model.

Businesses look out for their own interests. If a business believes it exists solely to maximize shareholder value, and has no legal, regulatory, or competitive barriers, it will become invaluable and then betray you.

What happens if either Shopify or Woo betrays me?

The Shopify software and all hosting thereof is fully controlled by the Shopify company. When folks tell me that they’re lovely people, what I hear is “the company’s current management is lovely, but the owners have decided to not betray their users. Yet.” A third of my income is at risk. If they become a problem I must hurry up and find a new store system, without advance warning, right freaking now.

The Woo software is freely available under a permissive license, and is hosted on a WordPress site I pay for. There is a Woocommerce company, yes, but they make money by selling support and add-ons. The actual software cannot be taken away. Yes, I buy some Woo plugins. There’s a super healthy plugin marketplace. If Woo Inc betrayed me, I’d have time to switch. After all, I have all the code. It’s running on my server. Betrayal would vex me, and I’d feel obliged to rant and rave. Also, Woo is a fork of Jigoshop. If Woo betrays its users, any number of those outside firms would leap up and happily take their place. And Woo knows it. That’s how they replaced Jigoshop. One day they’ll get bought and the new owners will go for a betrayal anyway, though.

When Shopify inevitably betrays me, over a third of my income is at risk.

When Woocommerce inevitably betrays me, I am not at risk. I’m merely pissed off.

Either way, you need to experiment with your store. Polish it. Experiment. Some of those experiments will be complete failures. Some will succeed worrying well. It’s all about what your readers want. Give readers a seamless buying experience, and expect that it’s gonna take a while.

38: A Fanatical Devotion to Magic Mushrooms

Today’s snippet is from a new Rats’ Man’s Lackey tale.

Whackadoo Manor was least creepy at sunrise.

The sideways light highlighted the bright white gingerbread scrollwork that framed the broad full-circle porch and surrounded the windows and eaves. The antique glass in the windows rippled into rainbows that shifted with my every step. The place always looked like a talented Victorian carpenter with a fanatical devotion to magic mushrooms had been given a lifetime supply of wormwood-laced absinthe and all the lumber he could scroll-saw, but this morning the sprawling mansion looked like it might actually be large enough to hold half of the rooms within. Even the leaded-glass conservatory loomed along the side opposite the driveway, and that place almost never deigned to show up.

It might have looked homey, if the edge of my vision hadn’t kept catching extra colors in the rainbows.

I shouldn’t have favorite children, but the Rats’ Mans’ Lackey tales are some of my favorites.

“Run Your Own Mail Server” off for tech review

I just finished the first draft of “Run Your Own Mail Server.” Copies have gone to my volunteer tech reviewers and my sponsors.

When I need to mass-mail my sponsors, I normally can only mail a dozen or so at a time without making Google and Microsoft throw a fit. This time, I mailed all 147 sponsors at once. None of the big providers even looked askance.

Requested feedback by 15 April, just to make tax day extra special. That’ll let me open the Kickstarter by Penguicon.

37: Send Physical Postcards

Still focusing on Run Your Own Mail Server, and so close to the end I could spit on it.

Remember, we’re talking about a protocol that doesn’t require validating certificate authenticity. The standards for TLS in email are low, no matter how we might wish otherwise.

So, what do we do?

One group of mail operators prioritizes broad compatibility. They still allow deprecated TLS and weak ciphers because they’re better than plain text. Postfix ships with this configuration, because otherwise people complain. Another group prioritizes transport integrity. They encourage DANE (or more recently, MTA-STS) and reject both plain text and any version of TLS other than 1.2 and 1.3. A third group keeps reminding everyone that email is not secure, has never been secure, and if you want privacy you should send physical postcards. You must understand which group you fall in, and recognize that other groups have different requirements.

Performing MTA-STS lookups is the last technical topic I must write about, then it’s social stuff I can blast out in a day.