Images, Objects, and Privacy Badger False Positives

Tweet by Kay Marie showing beautiful image of Piper lying on a bed seductively

Today on Twitter I saw a tweet by Kay Marie showing a very seductive and enticingly beautiful image of Piper for a group blog she had written at Humiliation Bootcamp.

Just to be clear, it is an adult blog so do not go looking at it if you are not at least 18 years of age and at least the minimum age to look at adult content where you are located (might be above 18 in some places)

Anyway I followed the link to the blog, expecting the image to be part of the blog, but I did not see it. A reduced size of what I saw is below.

Screenshot of Humiliation Bootcamp blog with Privacy Badger blocked image

No image in the blog, but because the tweet about the blog had one, usually that means there is supposed to be one. The culprit blocking it is often Privacy Badger.

So I looked at what suspected trackers Privacy Badger was blocking, and one of them was Piper’s main blog – Your Naughty Lover.

DISCLAIMER – I am not in any way responsible for the content, code, or administration of those mentioned blogs. They are just referenced here as a demonstration of what I want to create a general solution for.

Her main blog wasn’t trying to track me, it’s just a standard WordPress blog. But since I had been to her blog, my browser had a cookie from her blog with a unique identifier. That means if a blog on HumiliationBootcamp.com contains an image hosted at YourNaughtyLover.com that cookie will be sent when my browser requests the image, and that is why Privacy Badger saw it as a potential tracker and blocked it.

Adding YourNaughtyLover.com to the white list in Privacy Badger allowed it to load:

Screenshot of Humiliation Bootcamp blog

That’s better, much better, and is what I was intended to see.

Several problems however were exposed that have solutions. Well, will have solutions once I finish work on them.

The Exposed Problems

The obvious problem is that a side effect of the image being hosted on Piper’s main blog is that anyone who has been to her main blog without clearing the cookie will have a cookie that is sent with the request for the image. That triggers privacy software to block it, because it looks like a tracker and could be a tracker.

The less obvious problem is that all the benefits of responsive images have been lost. When you view the source to the blog, you see the following:

<img class=" wp-image-3355" src="http://yournaughtylover.com/wp-content/uploads/2018/02/2a-1024x683.jpg" alt="" width="444" height="296" />

There is a single version of the image available. However many modern web applications, including WordPress, are capable of responsive images. Responsive images are where many versions of the same image exist and the browser selects the smallest one that is large enough to render in the space provided taking the device pixel density into consideration.

In this case, only one image was provided, but knowing how WordPress works I was able to easily guess that many other versions of the image actually existed on the original host. Here is a link to the largest version of that image:

http://yournaughtylover.com/wp-content/uploads/2018/02/2a.jpg

There are many other sizes too, automatically created when the largest one is uploaded. But they are not available to the Humiliation Bootcamp blog because it does not know about them.

Alice’s Solution

One of the things I am working towards is file resources as objects. As in as PHP objects. An image would be seen by the web application as a PHP object and not as a URI path as web applications currently see them. Yes, when the page is served it is a URI path, but to the web application it is an object.

So uploading the image 2a.jpg to Piper’s blog would not only resize the image, but also create a Redis database entry with information about the entry needed for PHP to create and cache the object view of the resource.

Part of that object could be that path to a cookieless pull type server that external servers could use when referencing the image. For example, say LDW had a cookieless domain set up at images.ldwgroup.com that acted as a pull server.

Piper’s blog wouldn’t need to reference images as being on that host (though it could), but that host would be referenced in the image object as PHP sees it.

When Piper wants to use the image in a blog hosted at another domain, she can just keep doing what she does now – give http://yournaughtylover.com/wp-content/uploads/2018/02/2a-1024x683.jpg as the URL to the image in the blog on the other domain.

However that other blog, before just using that one version of the image, would look to see if http://yournaughtylover.com/wp-content/uploads/2018/02/2a-1024x683.json (note the extension is different) existed – and if it did, that JSON file would include the information needed for HumiliationBootcamp.com to create its own object – including using images.ldwgroup.com as the image source and all the sizes the image is available in so that HumiliationBootcamp can create a responsive image tailored to the device displaying the image.

When the browser asks for the image from images.ldwgroup.com, since that hypothetical domain would not ever set any cookies, browsers wouldn’t have cookies for that domain, and it would never be blocked as a false positive potential tracker.

images.ldwgroup.com, if it had the image, would directly serve it – but if not, it would ask for the image (based on path) from YourNaughtyLover.com and then serve it, but then it would have that version of the image next time it was requested (that’s what a pull server is – sometimes called a pull CDN if there are many geographical endpoints).

Anyway, that’s the kind of thing I’m working on with my File Resource class –

https://github.com/AliceWonderMiscreations/FileResource

That’s just the base abstract class, but what I’m doing with it, that’s what is going to be wicked.
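The consuming side of the sidecar lookup described above, as an added PHP example; it is not code from the FileResource repository. The sidecar schema (the "host", "sizes", "width" and "path" keys), the 300-pixel variant and the function names are hypothetical. The remote JSON is treated as untrusted: only a pinned cookieless host and plain image paths are accepted, otherwise the single original URL is used.

```php
<?php
declare(strict_types=1);

// Added example; the sidecar schema used here is hypothetical.
// Hosts this site accepts as cookieless image sources.
const COOKIELESS_HOSTS = ['images.ldwgroup.com'];

/** Swap the image extension for .json to get the sidecar URL. */
function sidecarUrl(string $imageUrl): string
{
    $url = preg_replace('/\.(jpe?g|png|gif|webp)\z/i', '.json', $imageUrl, 1, $count);
    if ($url === null || $count !== 1) {
        throw new InvalidArgumentException('Not a plain image URL');
    }
    return $url;
}

/**
 * Build an <img> tag from untrusted sidecar JSON. Falls back to the single
 * URL the author supplied when the sidecar is absent or fails validation.
 */
function responsiveImg(?string $sidecarJson, string $fallbackUrl, int $displayWidth): string
{
    $fallback = sprintf('<img src="%s" alt="" />', htmlspecialchars($fallbackUrl, ENT_QUOTES));
    $meta = $sidecarJson === null ? null : json_decode($sidecarJson, true);
    $host = is_array($meta) ? ($meta['host'] ?? null) : null;
    // The sidecar may only point at a host we already decided to trust.
    if (!in_array($host, COOKIELESS_HOSTS, true) || !is_array($meta['sizes'] ?? null)) {
        return $fallback;
    }
    $urls = [];
    foreach ($meta['sizes'] as $size) {
        $width = is_array($size) ? ($size['width'] ?? null) : null;
        $path  = is_array($size) ? ($size['path'] ?? null) : null;
        // Plain absolute image paths only: no "..", no empty segments, no quotes.
        $pathOk = is_string($path)
            && preg_match('#^(/[A-Za-z0-9_-][A-Za-z0-9_.-]*)+\.(jpe?g|png|gif|webp)\z#', $path) === 1;
        if (is_int($width) && $width > 0 && $pathOk) {
            $urls[$width] = 'https://' . $host . $path;
        }
    }
    if ($urls === []) {
        return $fallback;
    }
    ksort($urls);
    $srcset = [];
    foreach ($urls as $width => $url) {
        $srcset[] = $url . ' ' . $width . 'w';
    }
    // src is the largest variant, used by browsers that ignore srcset.
    return sprintf(
        '<img src="%s" srcset="%s" sizes="%dpx" alt="" />',
        htmlspecialchars(end($urls), ENT_QUOTES),
        htmlspecialchars(implode(', ', $srcset), ENT_QUOTES),
        $displayWidth
    );
}

// Constructed sidecar; the third entry is deliberately invalid and is dropped.
$sidecar = <<<'JSON'
{
  "host": "images.ldwgroup.com",
  "sizes": [
    {"width": 1024, "path": "/wp-content/uploads/2018/02/2a-1024x683.jpg"},
    {"width": 300,  "path": "/wp-content/uploads/2018/02/2a-300x200.jpg"},
    {"width": 800,  "path": "/../2a.jpg"}
  ]
}
JSON;

$imageUrl = 'http://yournaughtylover.com/wp-content/uploads/2018/02/2a-1024x683.jpg';
echo sidecarUrl($imageUrl), "\n";
echo responsiveImg($sidecar, $imageUrl, 444), "\n";  // srcset on the cookieless host
echo responsiveImg(null, $imageUrl, 444), "\n";      // sidecar absent: plain <img>
```

Fetching the sidecar itself is left out so the example runs offline; a real fetch needs a short timeout and a response size limit, since it is a request to a server the embedding site does not control.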

Alice Out.


The Danger of Facebook Trackers

If you use Privacy Badger, it is easy to see what trackers a website has embedded in it. They will be listed in the list of trackers Privacy Badger is blocking.

Privacy Badger Logo

If you are not using Privacy Badger, you probably should be.

Privacy Badger is a project of the EFF and can be downloaded from https://www.eff.org/privacybadger.

It detects tracking cookies and blocks them. It also gives you the ability to white-list those you either know are false positives or otherwise do not mind being tracked by. For example, I do not mind being tracked by Spreaker, I believe they are a good company and do not believe they are doing nefarious things with what they track about me. I am choosing to let them track me, it helps them suggest podcasts I might enjoy.

But most trackers I do not like.

Yesterday, I went to a website where one of the trackers was a Facebook tracker. That is very very common. I decided to temporarily disable Privacy Badger and look at what was actually being done. It shocked the hell out of me.

This wasn’t just a tracker with a unique identifier, Facebook was transmitting personal information about me over an insecure connection.

The Tracker

The tracker visually was in the right-most column of a typical WordPress 3 column display. Note that on phones, it would still be there, but just not visible at all – the column it is in would have a CSS display property of none. But it would still be there.

Anyway this is what it looked like:

screen shot from web page showing facebook link
Screenshot from Web Page

The blue areas are what I blotted out to keep the identity of the web site secret, I informed them of what is going on and they removed the tracker.

Anyway there was a text hyperlink stating “Follow xxxx on Facebook” – with empty white space below it.

That empty white space I suspect is supposed to have a Facebook like button, but that seems to have not worked.

The white space though was an iframe.

If you are not familiar with what an iframe is, it is basically the HTML5 method for embedding one web page inside of another web page.

The embedded web page is quite often on a completely different server, and in this case, the embedded web page was on a facebook server.

FireFox menu list that has inspect element in it
FireFox right-click menu

In FireFox when you right click a part of a web page, you are presented with a menu list of options.

The Inspect Element (Q) menu option lets you look at the HTML source as the browser sees it.

This is different than View Page Source. View Page Source only shows you the HTML of the page as it was served. Inspect Element shows you what it is like after scripts have run and third party resources have loaded and helps you see what CSS rules are applied etc.

Anyway, Inspect Element is how one views the source for an iframe as it is pulled into the web page, and that is what I needed to do to see what the Facebook code in this page looks like and actually does.

Insecure Connection – Shame on Facebook

Inspect Element results

That’s what the Inspect Element frame looked like, again I used Blue to protect the privacy of the company running this web site.

Cropped View of Inspect Element

That is a cropped view. Look at the iframe src – it uses standard http for the iframe, it does not use https. That means the html source from the facebook server is being sent to the web browser WITHOUT encryption. Anybody can read or even modify the contents of the iframe.

The highlighted line is the HTML source for what is in the iframe, that is what I really wanted to look at.

iframe html source

As you can see, there is not much in it. There does not need to be much in it, the intent as I suspect is just to produce a “Like on Facebook” button.

Why that did not work and there was no like button, I do not know, but that did not concern me. What did concern me is what was in those three script nodes.

The first two were just short fallback stuff to detect if async was possible, etc. The third script node however shocked me.

inspect element view of third script node

Again the blue blotches are to conceal the website this was on.

The yellow blotches however are to conceal my own private information – both my legal name and my facebook user ID number that remains static even if my legal name changes. A cropped view:

Cropped view of source to third script node

The script itself, sent over an insecure connection, contained my Facebook Account ID, my full legal name (I blotted out my last name there), and my short name. It’s possible my birthday is there too but in part of the script that isn’t visible in the Inspect Element window without horizontal scrolling – there were some JS variable names that had the word birthday in it, but I did not hunt through the code off to the side to see if it was there.

Anyway, there you have it.

Over an insecure connection, Facebook was sending a piece of plain text JavaScript that is easy to machine parse that included both the name of the website running the WordPress blog (blobbed out in Blue in the image) and my full legal name and Facebook account ID number.

Anyone could sniff that data, and the fact that I was at that website isn’t really something I would want Facebook to know about.

That is what trackers do. They invade privacy, and very often with extremely sloppy security that makes it easy for your private data to be leaked to anyone with just a little skill.

Facebook isn’t the only one that is this sloppy, many of them are.

They don’t give a damn.

Autism and Empathy 2

I wrote a blog about this earlier but now I have a specific example that I think quite clearly demonstrates the difference between Autistic emotion and Neurotypical emotion.

I hope I am not burning any bridges by posting this, I will not share this on social media and almost no one reads this blog so hopefully it won’t be seen as offensive.

Recently a company I am a customer of, I have frequently in private expressed my frustration at the third party trackers that company has all over the websites it manages. I have expressed that concern for years. I do not like it.

I can block most of it myself with Privacy Badger but it bothers me that they are so willing to trade tracking information of their users in exchange for widgets on their sites. They should hire someone to write the widgets they need without trackers. Not me, their site is WordPress and I fucking hate the WordPress code base and even got kicked off their mailing list for calling some of their devs a bunch of fucking idiots (just for the record, I agree with getting kicked off the list for that, but I was also being truthful).

Yet here I am using a WordPress blog. My purpose is actually to expose myself to the user interface because I want to create something secure that users will use, and while I am good with code, I don’t understand what users want in an interface.

Anyway, Internet Tracking is a huge invasion of user privacy and the fact that it is so prevalent is a very serious issue for me. This company is one that especially should be concerned about the tracking of their users.

I love the company, I really do. For years, every time I share a link to their products and services it creates an internal conflict because in doing so, I am exposing other people who follow the links to the tracking that takes place as a result.

It may seem silly to the neurotypical people, but to me it is a very real problem and to a large extent I feel betrayed because on the surface, the company claims that privacy is important to them, they claim to provide high quality service, yet they continue to trade the privacy of their customers in exchange for free WordPress widgets instead of hiring a coder to create what they need that doesn’t track, or even finding free widgets that do not track.

My emotion that I frequently feel is that they are lying to me when they say my privacy matters to them, when they say the privacy of others matters to them, because I have informed them of the privacy violations taking place and they do not take action to change it.

From the song “Behind Blue Eyes” — ‘No one bites back as hard on their anger’

For years I have been holding back on how upsetting it is for me for a company that is in an industry where privacy is important, for a company that claims that privacy is important to them, for a company that claims part of their higher than industry average fees is higher quality service, to allow their customers to be so blatantly tracked by third parties.

It has been a serious battle for me to hold back for as long as I have because it does feel like a betrayal to me. I know they do not intend it as a betrayal, but that is what it feels like whether it is intentional or not. And the only reason I have bitten back for so long is because I really really really like this company.

It is clear to me that either they do not care about why I feel that way, or they do not understand that I feel that way even though I have tried to express it in private. I choose to believe the latter because I do believe they are good people.

But not understanding my feelings doesn’t mean they aren’t real or that I do not have them, it just means they either do not know I feel that or do not comprehend why I feel that way. The feeling themselves are very real, but without understanding them, it is not possible for them to have empathy with those feelings. That’s an important concept.

-=-

Two things happened that cracked my ability to continue my silence on the issue. First, I went to one of the websites run by this company and Privacy Badger reported an unusually high number of trackers on that page, I mean radically high. When I looked at what Privacy Badger was reporting, most of them were legitimate trackers and not false positives.

I then wrote a blog post on the issue. Since deleted, but I had to vent somewhere, because it really really bothered me.

A few days later, the Cambridge Data / Facebook misuse of tracking data broke.

That triggered some pretty strong emotions from me. Not because I was surprised, I knew this sort of thing was happening.

Basically when data about a person is collected without explicit informed consent, it will be abused. How can it not be abused when the person does not know how the data is to be used to even agree with what is being done with it?

Some people may not agree it is abuse, but whether tracked information can be used for a purpose is not the decision of those people, it is the decision of the person who was tracked. Without their explicit permission, it is abuse. And often the abuse negatively impacts the person.

The only way to collect data without explicit consent and not have the data be abused is to completely anonymize the data in such a way that it is simply not possible to connect the dots from the data to the person.

It wasn’t that the data was being abused that bothered me, it is that I have been warning about this very thing for YEARS and people shrugged it aside and then suddenly when it is revealed my warnings were dead on, people were suddenly shocked and offended. Incidentally, Facebook is precisely one of the trackers I specifically warned about but was brushed aside as a loon for having concerns.

What that trigger did, I posted a screenshot from privacy badger of a website run by this company specifically showing that their sites include third party trackers from Facebook, and I tagged two of their blog administrators in the tweet.

That resulted in a response from the company, but not what I was looking for. What I was looking for was “We are working to fix this issue” but that is not what happened.

Keep in mind that notifying them in private is something I had tried numerous times in the past, and not just with them – with many companies. Publicly calling a company out over an issue the public is presently concerned with is often the only way to get action, which was my goal. My method at attaining that goal clearly failed, instead I think I pissed them off.

Clearly the approach I took was wrong. It caused emotional pain, I need to learn how not to do that. I acknowledge that, I own that. What is the right approach to get the trackers taken out of their site, I do not know, wish I could figure it out. They say they care about privacy so they can’t be adverse to removing them, I just don’t know how to get the action needed for their websites to match what they state.

Why is this so important to me? Believe it or not, empathy!

Secret recordings show Cambridge Analytica would spread gay rumors to take down candidates

The same company that was misusing the private data from Facebook was involved in anti-gay bigotry as propaganda.

What happens when someone is exploring gender identity issues they do not want to have public, so they go to a website run by this company, and are tracked for visiting those sites – tracking that ties to their identity – and that tracking data ends up in the hands of someone like Cambridge Analytica that will use it for ill?

I do not want to see that happen.

-=-

The emotions this conveyed to me are real, I can not deny that. However, I do not understand them. Just like they do not understand my emotions. That makes it impossible for me to empathize with their emotions.

I was told that it “felt like a betrayal of trust” because they thought I was “part of the team”. That is their emotion, I just do not understand it.

First of all I do not know what it means to be considered “part of the team”.

I do not work for them, I am not their employee nor have I done any contract work for them.

Many years ago when I had a lot of money to spend with them, I wrote a WordPress plugin that anonymized Gravatar data collection – Gravatar takes an unsalted md5sum of an e-mail address which isn’t very secure, it becomes easy to determine if a particular e-mail address created a particular post reply. So I created a WordPress plugin that added a salt first to prevent that from happening. They ran it, so maybe that is what they meant by “part of the team” but that was so long ago and it appears they no longer use it. I’m guessing a WordPress plugin broke it, an Automattic employee once expressed that he did not like what my plugin did (Gravatar makes it cake for Automattic to track users), I wouldn’t be surprised if code was put in specifically to break my plugin. I don’t know, I just would not be surprised.

I offered them a birthday calendar plugin, the company CEO said she would have the blog admin look at it but I could tell from the server logs no one ever accessed it, so my guess is they did not want it but just wanted to be nice about it, and I can both understand that and empathize with that.

I initially offered Naughty.Audio to this company and again they said they would look at it but it was clear to me they did not want it. So I run that myself.

I offered to recreate a stale site of theirs that is full of bad links, but that also was something that ultimately they did not want.

I offered to create a solution to an audio problem that exists on one of their sites, and at that point since I was fucking broke and nearing eviction, I offered to do it for a price but I got no response at all.

I don’t see how I can possibly be considered part of any “team” or what they mean by that, but apparently they saw me as part of the “team”.

I certainly do not feel like any part of a “team”, especially when what I know are valid concerns about privacy and tracking are just brushed aside and it is suggested that it is something we just have to accept happens.

This may not be fair of me, but this is how I feel. I sometimes wonder if I’m actually seen as just an “Oh him again” except when it is convenient for them to see me as part of a “team.”

I do frequently share their links on Twitter and Tumblr. I do not do that because I am part of any “team” – I do that because I really like that company and feel loyalty to them. That loyalty to be honest is really waning. The things that are important to me do not seem to be important to them, and it seems I am treated much differently now that I am really poor. That last bit isn’t suggesting class discrimination, my own demeanor has changed since I have become poor and that could be why I am treated differently now. However regardless of the cause, the loyalty I feel to that company has been waning. But I still really like them.

It is possible to really like a company but not like one aspect of it, at least for me. Maybe for some people that is not possible.

The Republicans for example – they think it is impossible to like America but dislike many of the policies, and they call us America Haters when we speak out against the policies we do not like. I am not like them. I can really like something but still not like one or more aspect of it.

With respect to betraying trust, neither the blog post (now deleted) nor the tweet (now deleted) involved any information I was trusted with. Any random joe blow could have made the exact same post and tweet without any prior contact with the company, so I do not understand how it was a betrayal of trust.

But they clearly felt that way, and just because it does not make sense to me does not invalidate their feelings – which is why I deleted both the post and the tweet.

A quote I have seen many neurotypical people use:

An acquaintance merely enjoys your company, a fair-weather companion flatters when all is well, a true friend has your best interests at heart and the pluck to tell you what you need to hear. — E.A. Bucchianeri

That, or quotes like it, are commonly spread around but it seems that does not always apply and I can not figure out when it does and when it does not, this seems to be a case where it does not apply and I should not have had the pluck to tell them what they really need to hear yet so far really haven’t.

I was trying to be a true friend as it is so often defined and I do not understand the emotion it invoked.

Since I can not understand the emotion they felt, I can not empathize with it either.

And that is why autistic people often are seen as lacking empathy.

But it’s a two way street. They obviously don’t understand my emotion either and thus can not empathize with it.

Please remember that when you hear people say autistic people lack empathy.

We don’t lack empathy, in fact we often have very strong empathy. But empathy simply is only possible when we understand the emotion.

And when you think we lack empathy, please understand we feel the same way quite often when our own emotions are not understood, when we are told our failures in society are our fault because we do not fit in to a world of people that are fundamentally and neurologically different than we are. That is something even many “autism experts” completely fail to understand and completely lack empathy for.

It is true that sometimes we do not understand the emotion of the neurotypical, but it is just as true that the neurotypical often does not understand our emotion.

Regardless I do not want to burn any bridges but the emotions I am building up over this are just too strong and I literally have no outlet. I can’t afford a therapist and my best friend is a PSO that I can not afford to call. I haven’t spoken to her since December. The only other people close to me always say the answer to problems are in the Bible, yet from what I read in the Bible, the answers it has they are politically opposed to. I literally have no one that I do not pay and right now I can pay, which means frustrations will come out in public and burn bridges even more.

So I have to stay away from that company, completely, or I will just make things even worse. Not my intent but that will be the result.

Tracking, Advertising, Yada Yada

Anyone who knows me knows that I have ranted and raved and bitched and whined about Internet tracking for years and years and years.

Perched colorful bird with a fish in its beak
Original Source: https://pixabay.com/en/bird-wild-world-animal-nature-3113835/

With the recent revelations about private user data tracked by Facebook being used improperly, it demonstrates exactly the kind of issue I have been warning about for years.

When it comes to web application security, there are some fundamental rules I try to live by:

A) Bake security in from the start. Do not try to address security as an add-on.

B) Trust can and will be exploited. Always validate when you can.

C) Security needs to be proactive. When it is only reactive, you are vulnerable until something happens to trigger the reactive measures.

The reason I mention those three fundamental rules is that it is impossible to have privacy without security. Any web application that aims to keep user data private MUST make security a priority.

With respect to Internet Tracking, there is another fundamental rule.

If the data can be abused, it will be abused.

It is irresponsible to assume that data your web application allows a third party to track will not be used in ways that are harmful to your customers.

This is why it is very important to simply not allow third party trackers. At all. When you allow a third party tracker, you are allowing that third party to collect data about your users that not only can be abused, but sooner or later it will be abused.

The recent Facebook scandal – the only reason we know about it is because there was a whistle-blower. Had there not been a whistle-blower, well…

I can guarantee the same thing is happening at many more companies. We live in a capitalistic society where money has more importance than people. The data will be abused and it is being abused.

Web application developers need to develop web applications that do not use third party trackers, and more importantly, web masters need to stop deploying web applications that do use third party trackers.

Content Security Policy

Web masters need to deploy something called Content Security Policy (CSP).

With CSP, you can define precisely which domains each type of content referenced by your web platform is allowed to come from. Using CSP prevents the accidental loading of third party trackers, a very common problem for web sites that deploy web software updated without a packager between the upstream developer and the deployment.

When there is a packager, a person between your deployment and the upstream developer, these issues are often caught. These people though need to be paid to review the code, so when tools like Packagist (via Composer) and WordPress’ AutoUpdater came about allowing direct update from the upstream developer without needing to pay a packager, most companies jumped on it even though the result is that it allows the upstream developer to exploit the trust you have in them – because there is not someone verifying the integrity of the package.

That used to be how I made money but it is clear companies now would rather trust upstream developers than pay someone to verify. I have to accept that. That being the case, it is critical to employ Content Security Policy as a proactive security measure to protect your users when an upstream developer exploits your trust in them and sneaks trackers into updates.

For example, it is not uncommon when using Packagist or the WordPress updater to find out that the new version of some software or plugin contains trackers that did not use to be there. CSP will prevent those third party resources from loading in the browser of your users, protecting them from the tracking that results. In some cases it may break your web application, but it is better to have that broken so you can find an alternative that does not track your users than to sacrifice the privacy of your users.

The Advertiser Problem

Advertisers on the Internet are a massive problem with tracking, and with the Internet in general.

In the old days, advertisers did not have any data on the individual person viewing their advertisement. A magazine or a TV show would produce quality content to attract viewers and then the advertisers would pay for advertisements based upon market research showing how many people from the demographic they are targeting read that magazine or watched that TV show.

That has all changed. Advertisers no longer have to care about the quality of the venue or even what the venue is, they pay per click or they pay per view and the advertising agencies target the user based upon tracking data they collected on that user, not based upon the demographic expected to use that venue.

As a result, the quality of what is produced has been greatly reduced in general. Web sites do not have to create content that retains users like magazines and TV shows did, they only need to get the user to the site and they get paid.

This is why so much click-bait and poorly written articles full of keywords and SEO tactics exist. Quality that retains users is not what gets the revenue, tricking the user into clicking on a link to your page is what gets the views, and tracking of that user is what determines the advertisements they see.

If we address the tracking problem so it does not happen, then the quality of the Internet in general will increase because advertisers will once again look for sites that produce quality content for the demographic they want to market to.

Solving the Content Security Problem

While you can create a Content Security Policy right in your Apache .htaccess file or use PHP to send the header, that really is not ideal.

There are times when you will want the CSP to be adjustable.

For example, some users may be willing to be tracked by YouTube at your web site in exchange for the ability to watch YouTube videos other users shared there. The default policy should be to block those resources, but specifically allow the user to consensually opt-in to tracking if they do not mind being tracked.

They still will be tracked, but it will be informed, voluntary, and at any time they can change their mind and decide they no longer wish to be tracked by YouTube and they can then opt back out of seeing the videos.

Just as an example, they may decide they want to see the videos on their home computer and be tracked there but not see the videos on their work computer or smart phone. A solution that allows the user to control if and when they are tracked would be very valuable.

I am going to develop a PHP class that does just this. It will allow a JSON configuration file for the base configuration (what remote hosts you always want white-listed – which should only be hosts you control and maybe a CDN with a very good reputation, like code.jquery.com for jQuery though I personally wouldn’t).

The CSP object created from that base configuration could then have other resources added, such as the domains that need to be white-listed for YouTube, either from additional JSON files or from methods that are part of the class.

That way your PHP could check the session data for the user and add the additional domains that resources are allowed to come from when the user has specifically opted in, acknowledging that their use on that device will result in tracking.

I will start working on this class by this weekend.

https://github.com/AliceWonderMiscreations/ContentSecurityPolicy is the github where the work will be done. It will be a PHP class. Unfortunately it will require PHP >= 7.1 because 7.1 introduced some features I am really fond of, and I’m too poor to have the kind of development setup that makes it easy to work with the archaic versions of PHP that people shouldn’t be using anymore but often are what hosting providers have. None of my currently produced code works in 5.6 or older. Much of it works in 7.0 but I can not easily fix bugs when it doesn’t, so 7.1 and 7.2 is what I develop for.
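A sketch of the design described above, added as an example and not code from the ContentSecurityPolicy project: a base policy loaded from JSON, widened per request only when the session records an opt-in. The names CspBuilder, policyForSession and the csp_optin session key are hypothetical, the JSON layout is assumed, and the YouTube host names are assumptions about what an embed needs.

```php
<?php
declare(strict_types=1);

// Added illustration; CspBuilder and policyForSession() are hypothetical names.
final class CspBuilder
{
    /** @var array<string, array<string, bool>> directive => set of allowed sources */
    private $directives = [];

    /** Merge a JSON object of the (assumed) form {"directive": ["source", ...]}. */
    public function mergeJson(string $json): self
    {
        $config = json_decode($json, true);
        if (!is_array($config)) {
            throw new InvalidArgumentException('CSP config is not a JSON object');
        }
        foreach ($config as $directive => $sources) {
            foreach ((array) $sources as $source) {
                $this->allow((string) $directive, (string) $source);
            }
        }
        return $this;
    }

    public function allow(string $directive, string $source): void
    {
        // Refuse characters that would let a config value start a new directive (;),
        // a new policy (,) or a new source (whitespace, including a trailing newline).
        if (!preg_match('/\A[a-z]+(-[a-z]+)*\z/', $directive)
            || !preg_match('/\A[^\s;,]+\z/', $source)) {
            throw new InvalidArgumentException("Rejected: $directive $source");
        }
        if ($source === "'none'") {
            // 'none' is only valid alone: keep it only while nothing else is allowed.
            $this->directives[$directive] = ($this->directives[$directive] ?? []) ?: ["'none'" => true];
            return;
        }
        unset($this->directives[$directive]["'none'"]);
        $this->directives[$directive][$source] = true;
    }

    public function headerValue(): string
    {
        $parts = [];
        foreach ($this->directives as $directive => $sources) {
            $parts[] = $directive . ' ' . implode(' ', array_keys($sources));
        }
        return implode('; ', $parts);
    }
}

// Constructed base policy: only the site itself, no frames at all.
const BASE_POLICY = '{"default-src": ["\'self\'"], "frame-src": ["\'none\'"]}';

// Constructed opt-in fragments, keyed by the service the user consented to.
// img-src repeats 'self' because a directive that is set no longer falls
// back to default-src. The YouTube host names are assumptions.
const OPT_IN_POLICIES = [
    'youtube' => '{"frame-src": ["https://www.youtube.com"], "img-src": ["\'self\'", "https://i.ytimg.com"]}',
];

function policyForSession(array $session): string
{
    $csp = (new CspBuilder())->mergeJson(BASE_POLICY);
    foreach (OPT_IN_POLICIES as $service => $json) {
        // Only an explicit opt-in stored on this session widens the policy.
        if (($session['csp_optin'][$service] ?? false) === true) {
            $csp->mergeJson($json);
        }
    }
    return $csp->headerValue();
}

// In a page: header('Content-Security-Policy: ' . policyForSession($_SESSION));
echo policyForSession([]), PHP_EOL;
echo policyForSession(['csp_optin' => ['youtube' => true]]), PHP_EOL;
```

Because the opt-in lives in the session, the same account gets the strict policy on a device where the user has not opted in.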

Solving the Advertiser Problems

Advertisers are an important source of revenue for many websites. When solving the issue of user tracking, using advertiser platforms that track simply is not an option.

It will take longer, and I will not start right away, but I already have an idea formulating based upon my FileResource class.

That class by itself is just an abstract class, originally it was part of my ResourceManager project for JS/CSS resources but I immediately saw the benefit of that abstract class being used for many different things, so I split it out into its own basic package.

What I will create is a class (perhaps more than one) that will make it easy to serve various types of advertisements, from banners to videos etc. It will make use of the FileResource abstract class for adding the code to the web page (either at generation or by Ajax), and will allow websites to sell advertising that is locally served to advertisers who want their products and services advertised at your website.

It will include a means of counting how often an ad is served and how often it is clicked on in a way that anonymizes the user while preventing double counts. I may even go the extra mile and provide an easy means for e-mailing the summary of views and clicks to the advertiser in a fancy report once a month.

No github for that project yet, I am still mulling in my mind what it will do.

Financial Support

As long as I can, I will work on these and other projects intended to assist in making the Internet safer, but I may become homeless by the end of the year.

I need to find a way to get some financial support for what I am doing.

One of the problems with the current Internet is that many webmasters would rather sacrifice the privacy of their users in exchange for “free” plugins and apps and services that do cool things. Those products are not really free, you are turning your customers into a product to be traded without their consent.

Please help fund the solution. My code for this will be free, simply because it takes an incredible amount of money to start a company and market such a solution. Money I just do not have. Nor do I have the social skills needed to woo venture capitalists.

paypal@domblogger.net if you are at all compelled to help.

Some code I have recently released as free software if you wish to look at the quality of what I produce:


SimpleCache

This is an abstract class intended to be extended in PSR-16 compliant cache solutions. It does most of the hard work of a PSR-16 implementation, and includes some useful features such as cache key namespacing, AEAD encryption of the cached content, and the ability to stagger the expiration during cache warming so that everything does not expire at the same time.

https://github.com/AliceWonderMiscreations/SimpleCache

SimpleCacheAPCu

Extends the above class for using APCu caching. This is the cache engine I personally use because for the kind of caching I do, it is very fast, faster than any other cache implementation I tried. The downside of the cache not surviving a server daemon restart is one I am willing to live with, compensating with cache loading (intentionally pre-loading the cache).

https://github.com/AliceWonderMiscreations/SimpleCacheAPCu

SimpleCacheRedis

Extends the SimpleCache abstract class for using the Redis cache engine. I created this extended class at the request of someone who liked the APCu variant but wanted something persistent, which Redis provides.

Unfortunately that person did not pay me. It’s okay, they may be poor like me, and I told them to contribute what they can afford if they can afford. I guess they couldn’t.

Would have only taken about an hour if I was familiar with Redis, but I had to learn about Redis to do it right, Redis does some things differently than APCu that my code had to adjust for.

https://github.com/AliceWonderMiscreations/SimpleCacheRedis

If you read this far, thank you for your time.

Behind Blue Eyes

The Who - Who's Next Album Cover

This song means a lot of different things to different people. That is one of the beauties of music, it allows for individual interpretation that helps us sort out our emotions.

This is my interpretation of this timeless song.

Behind Blue Eyes

Before I dive into the lyrics, I want to talk about the phrase “Behind Blue Eyes”.

The Who was a band of white dudes from Europe. Blue Eyes in European culture, for reasons that are not so pure, are often seen as a symbol of heritage that has social status value. Look at how common blue eyes are when products are marketed to upper middle class white Europeans:

[Images: cigarette advertisement featuring blue eyes; advertisement with blue-eyed baby; shampoo advertisement with blue-eyed model]

Blue Eyes symbolize social acceptance in European culture.

When The Who sings “Behind Blue Eyes” I take it that they are singing about the struggle to put on a front that is socially acceptable despite having feelings and emotions that are not. A skill I do not have.

The Lyrics

No one knows what it’s like
To be the bad man
To be the sad man
Behind blue eyes

That is an expression of frustration. He has to fit in, to keep the facade of social acceptance, but it is not what he wants, it is an inner struggle to be forced to try and be something he is not.

Some well-known examples of this are transgender people, if they express what they really are they are rejected as freaks so often they try to keep it bottled up inside and pretend to be what they are not. This is one of the reasons why suicide rates are so high among transgender people.

Another lesser known example is Autistic people. Autistics are frequently subjected to something called “Applied Behavior Analysis” that is promoted by many in the medical industry, that literally is a technique that wants to force us to hide who we are and make us change to suit what is acceptable to society, just like many want to force transgender people to live according to their assigned gender to fit better into society.

Rather than changing society to be accepting of people who are simply different, those who are different are forced to suppress who they are and hide “behind blue eyes”. This is why suicide rates are so high among autistics as well, 7-9 times the rate of “neuro-typical” people.

We aren’t killing ourselves because we are autistic, we are killing ourselves because the society we live in makes it very clear it is not okay to be autistic, and we have to pretend to be something else. That wears us down.

Those lyrics are not specific to transgender or autistic, the problem exists in general with anyone who isn’t the same as what the social norms demand of us.

No one knows what it’s like
To be hated
To be fated
To telling only lies

The lyrics here expand upon the frustration that is being felt. That I feel. What you really are is something that is hated by the society norms, so you are fated to live a lie if you want to survive in this world. When you no longer can live the lie, you die.

But my dreams
They aren’t as empty
As my conscience seems to be

I have hours, only lonely
My love is vengeance
That’s never free

We have dreams, we have passions, we do not want to become the evil that we see ourselves becoming as a result of our dreams and passions constantly being crushed.

The crushing of our dreams and passions erodes us, takes away our conscience, we become evil inside and full of a desire for vengeance against those who force our dreams and passions to be crushed just because we do not fit into the world they built specifically to exclude us.

It’s a very lonely existence.

Vengeance becomes our passion, and that is a very heavy price to pay. We would much rather have our dreams but that just is not possible.

No one knows what it’s like
To feel these feelings
Like I do
And I blame you

A lot of people say they sympathize with us, but they refuse to do anything to actually change it. Things work for them and they don’t want to risk losing that.

They are part of the problem because they allow it to continue instead of rejecting it and demanding change.

They feel bad that people who are different are destined for poverty, destined to a life of constant rejection, but they perpetuate the problem by accepting the society and buying into and even profiting from the very system that is literally killing and squashing our ability to have dreams, taking away all our hope.

No one bites back as hard
On their anger
None of my pain and woe
Can show through

This is something I have personally experienced. I used to be a member of the Enchantrix Empire social network. I guess technically I still am. When I first joined, it was a different sort of place where people were more free to express who they are. Kink communities are often like that, because they see the pain that transgender people go through.

But that community changed and the things I expressed anger at were not the right kind of thing to express anger at in the community. If I was to remain there, I couldn’t let my pain and woe show through because doing so angered other people there. They wanted it to be a superficial community where talking about superficial “ooh baby that’s so sexy” was sufficient, don’t express anything that is controversial or shakes up the view. I would have had to “hide behind blue eyes” to remain there and as much as I loved it there, that was something I just could not do. If I couldn’t be me, then being there was toxic to me, which resulted in me being toxic to others.

Biting back on my anger was damaging me, I could not do it any longer, so I had to leave the one place on the Internet that I loved more than anywhere else on the Internet.

I think what happened is that, as the economy continued to change and LDW raised their rates, fewer people in the lower social classes could afford their services, so they started to leave the Enchantrix Empire, leaving it as a place that was more for the upper middle class that financially benefit from things remaining the way they are, and they don’t want to hear any opinions to the contrary; the poor are losers that they don’t want.

Also some key Mistresses (like Mistress Ann) who made the Empire fun left the Empire, and many other Mistresses stopped coming to the Empire as much, but whatever the reasons, it no longer was a community where I felt I could be who I am.

To remain there, I would have to pretend to be someone other than who I am, not express any of my emotions, and pretend the superficial blue-eyed world was the be all end all. I could not do that.

But my dreams
They aren’t as empty
As my conscience seems to be

I have hours, only lonely
My love is vengeance
That’s never free

Repeated in the song, my earlier comments apply.

When my fist clenches, crack it open
Before I use it and lose my cool
When I smile, tell me some bad news
Before I laugh and act like a fool

Rage poisons us, this is a plea to help tame the rage that results from what we are feeling. We want vengeance, we want to act out violently against the world. At least I do.

Yet at the same time it goes against the very core of who we are and what we believe, yet we are poisoned and lust for it, and want to take pleasure in seeing that lust fulfilled.

That part of the song is a cry for help, to help us keep from letting our rage take over and win, for that would destroy us even further and take our evil to a point of no return where we would no longer be what we are but instead become the very thing we hate – taking pleasure in acts that harm others.

Sons of Anarchy, that’s what happened to Jax Teller, and when he saw that’s what happened to him – he left this world.

And if I swallow anything evil
Put your finger down my throat
And if I shiver, please give me a blanket
Keep me warm, let me wear your coat

Continuing the cry for help.

Putting your finger down someone’s throat causes a gag reflex and regurgitation. It is easy when full of rage to get taken in by evil desires. I believe this is what happened with Che Guevara. I believe he started with good intentions and wanted justice in the world, but he swallowed something evil that poisoned him as a person.

People like me, full of rage, are at risk of that. Those lyrics are a plea to help keep us from going down that path.

And a plea for comfort, because comfort is the only thing that can help us prevent our rage from getting to the dangerous point where it fundamentally changes who we are.

No one knows what it’s like
To be the bad man
To be the sad man
Behind blue eyes

AWonderPHP Projects

Okay whenever I finish something code-wise and feel satisfied, this Joan Jett song (cover) goes through my head:

As I mentioned in an earlier post, I have started cleaning up some of my personal PHP classes and getting them on Packagist for composer install.

More than just cleaning up the code, I have been making them conform to standards (I fucking hate coding standards but some people care more about how many spaces you have than what your code actually does) and writing proper unit tests and cleaning up possible errors that vimeo/psalm finds, etc (that tool ROCKS btw)

Here’s a list of what I’ve released in the past few days, and what they do:

SimpleCacheAPCu / SimpleCacheAPCuSodium

This is my interface to the APCu cache engine. I made three major changes to my class to get it ready for public consumption.

A) I ported it to be PSR-16 compliant. If you already are using a PSR-16 compliant caching class, this works as a drop-in replacement for it.

B) I added encryption support via the libsodium wrapper for PHP. The “value” part of your key => value pairs can now be encrypted with a quality modern AEAD cipher suite. The real benefit though is not just with the encryption, but the decryption. You see, cache poisoning attacks are not possible unless the attacker gets your secret, because any value injected into the cache will not decrypt using the 32-byte secret and is thus treated as a cache miss.

C) I split the non-APCu stuff into a separate package, so if APCu is not your caching engine of choice, it is relatively easy to extend what I split off to work with the caching engine of your choice.

The current (as in today) release of SimpleCacheAPCu is 1.2.0 – named “I Got No Answers”.

There are a lot of PSR-16 implementations out there, but none of the others I looked at offer encryption.
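The cache-miss behaviour described in B), as an added example that is not SimpleCache's own code: values are sealed with an AEAD cipher, and anything that fails authentication is returned as a miss. The class name, the in-memory array store, the XChaCha20-Poly1305 cipher choice and the binding of the cache key as additional data are assumptions of this sketch.

```php
<?php
declare(strict_types=1);

// Added illustration; EncryptedArrayCache is a hypothetical class.
// Requires the sodium extension (bundled with PHP since 7.2).
final class EncryptedArrayCache
{
    /** @var array<string, string> stands in for APCu or Redis; public so the demo can tamper */
    public $store = [];
    /** @var string the 32-byte secret */
    private $secret;

    public function __construct(string $secret)
    {
        if (strlen($secret) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('Secret must be 32 bytes');
        }
        $this->secret = $secret;
    }

    public function set(string $key, string $value): void
    {
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        // The cache key is authenticated as additional data, so a genuine
        // entry copied under a different key fails as well.
        $sealed = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
            $value, $key, $nonce, $this->secret
        );
        $this->store[$key] = $nonce . $sealed;
    }

    public function get(string $key, ?string $default = null): ?string
    {
        $raw = $this->store[$key] ?? '';
        $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
        if (strlen($raw) <= $n) {
            return $default; // absent or too short to hold a nonce plus data
        }
        $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($raw, $n), $key, substr($raw, 0, $n), $this->secret
        );
        // Authentication failure is reported as a miss; the stored bytes
        // are never handed to the application.
        return $plain === false ? $default : $plain;
    }
}

$cache = new EncryptedArrayCache(sodium_crypto_aead_xchacha20poly1305_ietf_keygen());
$cache->set('user:7:role', 'subscriber');
var_dump($cache->get('user:7:role', 'MISS')); // legitimate read

// Constructed injection: someone with write access to the cache engine,
// but without the secret, plants a value directly in the store.
$cache->store['user:7:role'] = '{"role":"administrator","injected_by":"someone-else"}';
var_dump($cache->get('user:7:role', 'MISS'));

// Constructed replay: a genuine entry is copied under a different key.
$cache->set('user:8:role', 'administrator');
$cache->store['user:7:role'] = $cache->store['user:8:role'];
var_dump($cache->get('user:7:role', 'MISS'));
```

Only the first read returns the stored value; the planted and the copied entries both come back as the default.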

SimpleCache

Yes, very similar name to what is above. It is an abstract class that has most of the logic behind what is above, but is agnostic to the cache engine used. If you do not use APCu but use something else, you can extend this abstract class to use the cache engine of your choice. Feel free to look at what the APCu implementation does, it does not require much code.

The API reference at API.md also should help get you started.

The current (as in today) release of SimpleCache is 1.0.0 – named “Androgynous”.

The abstract class provides most of what is needed for a PSR-16 interface compliant cache class, and also provides the libsodium encryption stuff.

FileWrapper

This is the class largely inspired by Princess Andi, or rather, by an issue I found on her blog where password protected content was being leaked because of the piece of shit that wordpress is and how the Yoast SEO optimizer works.

This is a full-featured PHP file server, you can use it to do actual checks on stuff before serving files to the requesting client – and even serve different files depending upon conditions.

It supports partial content requests so it works well for serving HTML5 media. It intelligently handles requests for cache life. It sniffs MIME types if needed. It even has the ability to minify JavaScript and CSS on the fly.

This class is what I use on Naughty.Audio to make sure I only serve audios to those who have verified they are adults, so it is well tested.

It does not yet have any unit tests written for it, that is going to be difficult because I have to emulate client / server responses, but it is possible and I will do it.

The current (3 days ago) release of FileWrapper is 1.1.1 – named “Do You Wanna Touch Me?”

FileResource

This class actually does not do very much, it is the beginning of a much larger concept, the ability to manage third party resources within a web application as objects that can be configured apart from the web application.

This class defines an abstract class intended to be extended for more specific use cases, such as JavaScript or Media files.

The current (3 days ago) release of FileResource is 1.0.0 – named “Crimson and Clover”

The real beauty of this though is how it will be used by my ResourceManager project, which does not yet have a release but it does have a github:

https://github.com/AliceWonderMiscreations/ResourceManager

That is what will make it easy for web applications to use third party JS/CSS resources the right way. Most currently do not.

Alice Out.

Gender Identity and Alice

All my life I’ve identified as male but I’m not quite male, or rather, I do not fit what society expects a male to be. Growing up in an Evangelical household, Male is what I was. Those were my parts. But I was different than other males.

Mars and Venus sex symbols joined together

I thought maybe I was just more in touch with my feminine side than other men, but that didn’t explain everything.

When I was young, in the bathtub I used to sometimes tuck my genital organ in such a way that it looked like a vagina because I was curious what I would look like if I was a girl.

I remember once telling mom and dad I wanted a doll for Christmas, they thought it was a phase because I was bullied in school and thought I was trying to make friends with the girls who played with dolls because the boys rejected me. Honestly I do not remember what my motive was for wanting one.

In the boy scouts when we did skits, a lot of the skits would have a female character for comedic effect and I would always volunteer to play that role because to me it was fun to pretend to be a girl, and when done for comedic effect it seemed to be socially acceptable.

When I first got into hacking, I used the handle “Living Dead Girl”. Now I use the handle Alice.

Yet despite those things I still identified as a male, a boy.

I do not feel like I am a woman, so I do not believe the term transgender applies to me. There are people assigned “male” at birth who truly are women. They do not just identify as women, I used to say they identified as women but now I believe that is a bit patronizing. They are women, they do not just identify as women. The term transgender I think is a better fit for them than it is for me, because I am not a woman.

I heard that song for the first time yesterday. I love Joan Jett, always have, but I admit I do not have any of her CDs and I had not heard that song before. Turns out it is a cover of a song by The Replacements. I like her version better.

Androgynous – Partly male and partly female in appearance; of indeterminate sex.

A light bulb went off in my head when I heard that song. That is what I am.

Gender is a social construct. I do not fit the social construct of either male or the social construct of female. I have characteristics of both. Outward appearance I do look male most of the time but I confess I do sometimes like to cross-dress and have the appearance of a woman. But outward appearance is just that.

What I am, what I feel like, is a mixture of both male and female. Perhaps more male than female, but that may be nurture as opposed to nature that I still need to be freed from, I do not really know.

So What Does This Mean?

I don’t really know. Having the revelation clearly meant a lot to me, that song is musically not her best but it keeps going through my head, clearly the song and the revelation mean a lot to me.

I think maybe it will help me be at peace somewhat, but it does not change how I feel about myself, nor do I think it will change how I present myself.

I’m Michael in meat life, Alice online. I’m a He / Him unless someone refers to me as a She / Her which I never really had any issues with, I don’t really care what pronouns people use with me.

Maybe it will mean more in the future.

My younger sister is the only one in my family that I know would accept this revelation, I can’t disclose it to anyone else, but there’s a lot I can’t disclose to anyone else in my family, so that doesn’t change. I won’t disclose it to my little sister because if I did it would risk it getting to my Mom and I don’t think she would take it well.

I guess it means I just keep being me.