Behind Blue Eyes

The Who - Who's Next Album Cover

This song means a lot of different things to different people. That is one of the beauties of music, it allows for individual interpretation that helps us sort out our emotions.

This is my interpretation of this timeless song.

Behind Blue Eyes

Before I dive into the lyrics, I want to talk about the phrase “Behind Blue Eyes”.

The Who was a band of white dudes from Europe. Blue Eyes in European culture, for reasons that are not so pure, are often seen as a symbol of heritage that has social status value. Look at how common blue eyes are when products are marketed to upper middle class white Europeans:

cigarette advertisement featuring blue eyes advertisement with blue-eyed baby Shampoo advertisement with blue-eyed model

Blue Eyes symbolize social acceptance in European culture.

When The Who sings “Behind Blue Eyes” I take it that they are singing about the struggle to put on a front that is socially acceptable despite having feelings and emotions that are not. A skill I do not have.

The Lyrics

No one knows what it’s like
To be the bad man
To be the sad man
Behind blue eyes

That is an expression of frustration. He has to fit in, to keep the facade of social acceptance, but it is not what he wants, it is an inner struggle to be forced to try and be something he is not.

Some well-known examples of this are transgender people, if they express what they really are they are rejected as freaks so often they try to keep it bottled up inside and pretend to be what they are not. This is one of the reasons why suicide rates are so high among transgender people.

Another lesser known example is Autistic people. Autistics are frequently subjected to something called “Applied Behavior Analysis” that is promoted by many in the medical industry, that literally is a technique that wants to force us to hide who we are and make us change to suit what is acceptable to society, just like many want to force transgender people to live according to their assigned gender to fit better into society.

Rather than changing society to be accepting of people who are simply different, those who are different are forced to suppress who they are and hide “behind blue eyes”. This is why suicide rates are so high among autistics as well, 7-9 times the rate of “neuro-typical” people.

We aren’t killing ourselves because we are autistic, we are killing ourselves because the society we live in makes it very clear it is not okay to be autistic, and we have to pretend to be something else. That wears us down.

Those lyrics are not specific to transgender or autistic, the problem exists in general with anyone who isn’t the same as what the social norms demand of us.

No one knows what it’s like
To be hated
To be fated
To telling only lies

The lyrics here expand upon the frustration that is being felt. That I feel. What you really are is something that is hated by the society norms, so you are fated to live a lie if you want to survive in this world. When you no longer can live the lie, you die.

But my dreams
They aren’t as empty
As my conscience seems to be

I have hours, only lonely
My love is vengeance
That’s never free

We have dreams, we have passions, we do not want to become the evil that we are see ourselves becoming as a result of our dreams and passions constantly being crushed.

The crushing of our dreams and passions erodes us, takes away our conscious, we become evil inside and full of a desire for vengeance against those who force our dreams and passions to be crushed just because we do not fit into the world they built specifically to exclude us.

It’s a very lonely existence.

Vengeance becomes our passion, and that is a very heavy price to pay. We would much have our dreams but that just is not possible.

No one knows what it’s like
To feel these feelings
Like I do
And I blame you

A lot of people say they sympathize with us, but they refuse to do anything to actually change it. Things work for them and they don’t want to risk losing that.

They are part of the problem because they allow it to continue instead of rejecting it and demanding change.

They feel bad that people who are different are destined for poverty, destined to a life of constant change, but they perpetuate the problem by accepting the society and buying into and even profiting from the very system that is literally killing and squashing our ability to have dreams, taking away all our hope.

No one bites back as hard
On their anger
None of my pain and woe
Can show through

This is something I have personally experienced. I use to be a member of the Enchantrix Empire social network. I guess technically I still am. When I first joined, it was a different sort of place where people were more free to express who they are. Kink communities are often like that, because they see the pain that transgender people go through.

But that community changed and the things I expressed anger at were not the right kind of thing to express anger at in the community. If I was to remain there, I couldn’t let my pain and woe show through because doing so angered other people there. They wanted it to be a superficial community where talking about superficial “ooh baby that’s so sexy” was sufficient, don’t express anything that is controversial or shakes up the view. I would have had to “hide behind blue eyes” to remain there and as much as I loved it there, that was something I just could not do. If I couldn’t be me, then being there was toxic to me, which resulted in me being toxic to others.

Biting back on my anger was damaging me, I could not do any longer, so I had to leave the one place on the Internet that I loved more than anywhere else on the Internet.

I think what happened, as the economy continued to change and LDW raised their rates, less people in the lower social classes can afford their services so they started to leave the Enchantrix Empire leaving it as a place that was more for the upper middle class that financially benefit from things remaining the way they are and they don’t want to hear any opinions to the contrary, the poor are losers that they don’t want.

Also some key Mistresses (like Mistress Ann) who made the Empire fun left the empire, and many other Mistresses stopped coming to the Empire as much, but whatever the reasons, it no longer was a community where I felt I could be who I am.

To remain there, I would have to pretend to be someone other than who I am, not express any of my emotions, and pretend the superficial blue-eyed world was the be all end all. I could not do that.

But my dreams
They aren’t as empty
As my conscience seems to be

I have hours, only lonely
My love is vengeance
That’s never free

Repeated in the song, my earlier comments apply.

When my fist clenches, crack it open
Before I use it and lose my cool
When I smile, tell me some bad news
Before I laugh and act like a fool

Rage poisons us, this is a plea to help tame the rage that results from what we are feeling. We want vengeance, we want to act out violently against the world. At least I do.

Yet at the same time it goes against the very core of who we are and what we believe, yet we are poisoned and lust for it, and want to take pleasure in seeing that lust fulfilled.

That part of the song is a cry for help, to help us keep from letting our rage take over and win, for that would destroy us even further and take our evil to a point of no return where we would no longer be what we are but instead become the very thing we hate – taking pleasure in acts that harm others.

Sons of Anarchy, that’s what happened to Jax Teller, and when he saw that’s what happened to him – he left this world.

And if I swallow anything evil
Put your finger down my throat
And if I shiver, please give me a blanket
Keep me warm, let me wear your coat

Continuing the cry for help.

Putting your finger down someone’s throat causes a gag reflex and regurgitation. It is easy when full of rage to get taken in by evil desires. I believe this is what happened with Che Guevara. I believe he started with good intentions and wanted justice in the world, but he swallowed something evil that poisoned him as a person.

People like me, full of rage, are at risk of that. Those lyrics are a plea to help keep us from going down that path.

And a plea for comfort, because comfort is the only thing that can help us prevent our rage from getting to the dangerous point where it fundamentally changes who we are.

No one knows what it’s like
To be the bad man
To be the sad man
Behind blue eyes



AWonderPHP Projects

Okay whenever I finish something code-wise and feel satisfied, this Joan Jett song (cover) goes through my head:

As I mentioned in an earlier post, I have started cleaning up some of my personal PHP classes and getting them on Packagist for composer install.

More than just cleaning up the code, I have been making them conform to standards (I fucking hate coding standards but some people care more about how many spaces you have than what your code actually does) and writing proper unit tests and cleaning up possible errors that vimeo/psalm finds, etc (that tool ROCKS btw)

Here’s a list of what I’ve released in the past few days, and what they do:

SimpleCacheAPCu / SimpleCacheAPCuSodium

Travis CI Build ResultsThis is my interface to the APCu cache engine. I made three major changes to my class to get it ready for public consumption.

A) I ported it to be PSR-16 compliant. If you already are using a PSR-16 compliant caching class, this works as a drop-in replacement for it.

B) I added encryption support via the libsodium wrapper for PHP. The “value” part of your key => value pairs can now be encrypted with a quality modern AEAD cipher suite. The real benefit though is not just with the encryption, but the decryption. You see, cache poison attacks are not possible unless the attacker gets your secret because any cache injection attacks will not decrypt using the 32-byte secret and thus be treated as a cache miss.

C) I split the non-APCu stuff into a separate package, so if APCu is not your caching engine of choice, it is relatively easy to extend what I split off to work with the caching engine of your choice.

The current (as in today) release of SimpleCacheAPCu is 1.2.0 – named “I Got No Answers”.

There are a lot of PSR-16 implementations out there, but none of the others I looked at offer encryption.


Yes, very similar name to what is above. It is an abstract class that has most of the logic behind what is above, but is agnostic to the cache engine used. If you do not use APCu but use something else, you can extend this abstract class to use the cache engine of your choice. Feel free to look at what the APCu implementation does, it does not require much code.

The API reference at also should help get you started.

The current (as in today) release of SimpleCache is 1.0.0 – named “Androgynous”.

The abstract class provides most of what is needed for a PSR-16 interface compliant cache class, and also provides the libsodium encryption stuff.


This is the class largely inspired by Princess Andi, or rather, by an issue I found on her blog where password protected content was being leaked because of the piece of shit that wordpress is and how the Yoast SEO optimizer works.

This is a full feature PHP file server, you can use it to do actual checks on stuff before serving files to the requesting client – and even serve different files depending upon conditions.

It supports partial content requests so it works well for serving HTML5 media. It intelligently handles requests for cache life. It sniffs MIME types if needed. It even has the ability to minify JavaScript and CSS on the fly.

This class is what I use on Naughty.Audio to make sure I only serve audios to those who have verified they are adults, so it is well tested.

It does not yet have any unit tests written for it, that is going to be difficult because I have to emulate client / server responses, but it is possible and I will do it.

The current (3 days ago) release of FileWrapper is 1.1.1 – named “Do You Wanna Touch Me?”


This class actually does not do very much, it is the beginning of a much larger concept, the ability to manage third party resources within a web application as objects that can be configured apart from the web application.

This class defines an abstract class intended to be extended for more specific use cases, such as JavaScript or Media files.

The current (3 days ago) release of FileResource is 1.0.0 – named “Crimson and Clover”

The real beauty of this though is how it will be used by my ResourceManager project, which does not yet have a release but it does have a github:

That is what will make it easy for web applications to use third party JS/CSS resources the right way. Most currently do not.

Alice Out.

Gender Identity and Alice

All my life I’ve identified as male but I’m not quite male, or rather, I do not fit what society expects a male to be. Growing up in an Evangelical household, Male is what I was. Those were my parts. But I was different than other males.

Mars and Venus sex symbols joined together

I thought maybe I was just more in touch with my feminine side than other men, but I that didn’t explain everything.

When I was young, in the bathtub I use to sometimes tuck my genital organ in such a way that it looked like a vagina because I was curious what I would look like if I was a girl.

I remember one telling mom and dad I wanted a doll for Christmas, they thought it was a phase because I was bullied in school and thought I was trying to make friends with the girls who played with dolls because the boys rejected me. Honestly I do not remember what my motive was for wanting one.

In the boy scouts when we did skits, a lot of the skits would have a female character for comedic effect and I would always volunteer to play that role because to me it was fun to pretend to be a girl, and when done for comedic effect it seemed to be socially acceptable.

When I first got into hacking, I used the handle “Living Dead Girl”. Now I use the handle Alice.

Yet despite those things I still identified as a male, a boy.

I do not feel like I am a woman, so I do not believe the term transgender applies to me. There are people assigned “male” at birth who truly are women. They do not just identify as women, I use to say they identified as women but now I believe that is a bit patronizing. They are women, the do not just identify as women. The term transgender I think is a better fit for them than it is for me, because I am not a woman.

I heard that song for the first time yesterday. I love Joan Jett, always have, but I admit I do not have any of her CDs and I had not heard that song before. Turns out it is a cover of a song by The Replacements. I like her version better.

Androgynous – Partly male and partly female in appearance; of indeterminate sex.

A light bulb went off in my head when I heard that song. That is what I am.

Gender is a social construct. I do not fit the social construct of either male or the social construct of female. I have characteristics of both. Outward appearance I do look male most of the time but I confess I do sometimes like to cross-dress and have the appearance of a woman. But outward appearance is just that.

What I am, what I feel like, is a mixture of both male and female. Perhaps more male than female, but that may be nurture opposed to nature that I still need to be freed from, I do not really know.

So What Does This Mean?

I don’t really know. Having the revelation clearly meant a lot to me, that song is musically not her best but it keeps going through my head, clearly the song and the revelation mean a lot to me.

I think maybe it will help me be at peace somewhat, but it does not change how I feel about myself, nor do I think it will change how I present myself.

I’m Michael in meat life, Alice online. I’m a He / Him unless someone refers to me as a She / Her which I never really had any issues with, I don’t really care what pronouns people use with me.

Maybe it will mean more in the future.

My younger sister is the only one in my family that I know would accept this revelation, I can’t disclose it to anyone else, but there’s a lot I can’t disclose to anyone else in my family, so that doesn’t change. I won’t disclose it my little sister because if I did it would risk it getting to my Mom and I don’t think she would take it well.

I guess it means I just keep being me.

The Future of PhoneSex

Woman in lingerie on bed with mobile phone
Image Source:

There is this vision I have. I would say “I have a dream” but I’m not fit to fill the shoes of the man who first said that…

When most guys think of phone sex, they get turned on by the hot fantasies of what they would like to do with the operator on the other end of the line if the relationship was in the realm of meat life.

Okay I confess I do too, but I’m not your typical guy, I get excited at thinking of ways to do the backend better than it is currently done, I mean the web services that exist behind phone sex.

Recently to that end, I have been thinking of better ways to serve content.

Age verification is very important, as is the ability to selectively serve content to customers who deserve something better.

There are lots of solutions to these problems, but what has been musing through my mind is the technical aspects of how the web application itself sees the files being served to the end user.

To that end, I have this very basic class that I think now has everything it needs:

It’s an abstract class that by itself does not do anything other than define what can be extended, but a lot can be extended it, and then elegantly served to the end user.

One of the purposes behind the class is to allow web applications to work with resources as objects, but another purpose behind the class is to make it easy to work with PHP as a file download wrapper, and there is a reason for that.

If you are a phone sex operator and you create a blog entry, you probably do not want that blog entry to be in a restricted members only area because your blogs are how you get indexed on search engines and find new customers with fantasies they want fulfilled.

So you might want to have three different versions of an image that accompanies the blog. One version would be a “safe” version that ends up in search engines, on twitter / tumblr, etc. when your page is indexed or shared. Because it has the naughty bits censored out, it won’t get into trouble or result in you being “shadow banned” or other penalties that sometimes happens when a bit of nipple is shown.

But when a user comes to your blog and verifies they are 18 years of age, you want the spicier version of the image shown. And when that user is a really good customer of yours or has paid a special tip, you may want it to be a high resolution version of the image they can download and enjoy in all its full glory.

That is relatively easy to do when you let PHP control which version of the file is downloaded. If the user does not have the “ageverified” session variable set, they get the tame version. If they do have it set, they get the spicy version. And if they have the “preferred_customer” session variable set, they get the ultra high resolution spicy version.

All three versions would have the same URL, it is PHP that determines which image is sent to the user based upon the user’s session ID.

It’s not hard to do, but standardizing a file resource object class will make it easier to do consistently across web applications.

I haven’t started on the image extension of the class just yet, right now I’m actually working on a JavaScript / CSS resource object extension of the class for safer serving of JavaScript and CSS that are hosted on a different server than the web application.

But images / videos / audios most certainly is in the back of my mind.

I’m already doing a similar thing with audios on Naughty.Audio only I am not using a standardized method for doing it, standardizing how I do it will have a lot of benefits and significantly lighten the database load because JSON files can just be created that are templates for the objects that are used when the APCu cached object is cleared from cache, so the database won’t need to be queried as often (the JSON will act as a cache of its own, and with SSD on servers it is very fast that way)

The class at that link may not look like much, but it is the foundation of something big.

Just thinking about my code being used to serve sexy content… damn, I’ll be in my bunk…

Phone Sex and Privacy

Most phone sex companies will tell you they take your privacy seriously. The unfortunate reality is that many actually do not.

Privacy Badger screenshot
30 potential trackers, THIRTY

What you see in that image is from an actual blog of a phone sex operator.

I would like to make it very clear that I have a lot of respect for many Phone Sex Operators, including the one where I took that screenshot.

Their job is to provide an erotic fantasy, not to be tech wizards that have an understanding of how the Internet works and how to truly make their sites private.

That should be the job of the dispatch company they are affiliated with, the company that takes a very large percentage of their per minute rate for the specific purpose of providing services like blog hosting.

It is the responsibility of those companies to provide a safe, secure, and private platform in exchange for their part of the money paid to the PSO but very often they do not.

How Tracking Works

There are actually many methods used to track users, but the most common method is the HTTP Cookie. This is a small piece of data stored by your browser behind the scenes and is associated with a specific domain.

FireFox display of cookies
Cookies from

You can see from that image that the cookie named __lc.visitor_id.6133871 contains the content 5143450495.3d12d709c6

That is a unique identifier that tells who I am. That is a legitimate thing for a website to do. The other cookies you see there I believe are related to whether or not I have given “stars” to certain posts, to prevent me from doing it again. A method of preventing the same person from jacking up (or down) the rating of a post, though a fundamentally flawed method that is easy to bypass.

Anyway, every single time my browser makes a request to it will send all of those cookies to their server with the request, so that their server can respond accordingly. The way uses cookies appears to be legitimate, although there is no way I can really know.

The problem is that many websites use the unique identifier to TRACK people and create elaborate profiles about them. Stalking, basically, and all without the users consent or knowledge. It all takes place behind the scenes, most people who use the Internet don’t have a fucking clue about cookies and how they work.

Please note that the blog the Privacy Badger screenshot was taken from was NOT – it was – again please note I have a lot of respect for her, it isn’t her job to be a tech guru. The platform her blog is running on is part of what comes out of the money she makes getting guys off, the company hosting the blog is the company that does not do a very good job with privacy.

So if I wasn’t at mayicum why did Privacy Badger have it listed?

Here is why:

A fucking Parental Advisory image on the page. There may be other triggers for that particular domain too, I’m not sure.

Because her blog contains an image (and possibly other things) hosted at, every time I visit her blog, my browser makes a request for that image, and part of making that request is sending all cookies my browser has stored from the domain. Another part of that request is an http_referer header telling what website embedded the resource my browser wants to load. That’s why Privacy Badger flagged it as a potential tracking cookie.

You’ll notice in my screenshot from Privacy Badger that I slid the slider to be Green, to let resources from be loaded when I visit her blog even though they look like tracking cookies to Privacy Badger.

That was a judgement call I made, that was not attempting to track me, but rather, it was just sloppy blog administration.

However her blog does contain many cookies that ARE trying to track me, from Google and Facebook and Amazon and Twitter and others. Those companies profit by tracking users and then selling the information to others. The information could be advertisers, potential employers, the government, anyone who is willing to pay them for the information.

Do you want you future employer to know you like to visit sissy blogs because a phonesex site allowed third party trackers that gathered that information and sold it? I sure as fuck don’t.

While there are things users can do to reduce tracking, the unfortunate reality is that tracking happens behind the scenes and is techy in nature, so most users do not know how to protect themselves from tracking and/or have a flawed concept of how to protect themselves from tracking.

And sometimes what we do to prevent tracking does not work.

For example, even though I dislike Google, I have a Google account because I need to use their webmaster tools to find issues with my sites that impact search indexing.

I subscribed to a Mistress’ blog at that same company, but that blog didn’t handle the subscriptions itself – it used a Google service to do so. Even though I was blocking the Google trackers on the site, after subscribing, I was redirected to a Google site to confirm my confirmation where my cookie identifying me to Google was NOT blocked (because it was their domain) so now Google knew both that I had been at that blog *and* an e-mail address, all now associated with my Google account.

I strongly believe it is the RESPONSIBILITY of adult content sites to protect their users from third party trackers.

But no matter how often I express that to phone sex companies, they never seem to give a fuck and they keep using third party resources that track their users.

What Phone Sex Companies Should Do

The first thing phone sex companies need to do is move all their domains to HTTPS using ciphers that support forward secrecy. With forward secrecy, the private TLS key isn’t used for the actual encryption, it is only used to validate to the client that the server is who they say they are. The client and server then negotiate a common private key using some really cool mathematics (it’s called Diffie-Hellman after it’s inventors, though several other mathematicians came up with the same concept independently at about the same time) which means that the encryption used between the server and client is intact if the server’s private key becomes compromised in the future.

Anyway, every phone sex website should use https with a server that gets a A or A+ rating from and does not contain any ciphers that do not support forward secrecy. The software to achieve that is free, in fact I package it for free with instructions at (My packages run on CentOS 7)

In addition to using https for ABSOLUTELY EVERYTHING, these companies need to have a policy that must be adhered to with respect to web applications and web application plugins.

Web applications and plugins to web applications that use third party resources should be absolutely forbidden. These third party resources (Google Fonts, Google Analytics, etc.) are where the privacy invasive trackers come from.

Most fonts on Google Fonts are FREE fonts you can host yourself without any third party trackers being involved. WordPress themes often include them, allowing Google to track everyone who visits your site that does not know how to block them.

I do not expect a PSO to know how to do that, but when I call a PSO – part of my money goes to a company that provides the blog services to them, and they SHOULD know how to do this. Not only should they know how to do this, but they should require it of themselves to do it. They put their customers at risk when they don’t because that tracking information can be and is used to HARM their customers.

I am getting really frustrated with how little they care about the privacy of their customers. They always say they do – which means they understand their customers want privacy, but then they fail to enact proper protocol on their servers to make sure their customers are not tracked.

When a company has lots of web sites, there are technical reasons why it is better to have static content (like the parental advisory image I referenced above) hosted at one site and embedded in lots of sites. It makes page loading much faster for customers who visit lots of their sites.

However what they really should do is have a dedicated host for static content that never uses cookies. That way cookies are never associated with that static content, and it won’t even have the appearance of being a tracker to privacy software.

Finally, phone sex companies should make sure their server logs to comply with the “Do Not Track” specification whether or not the client has sent the header saying they do not wish to be tracked.

If I Was A Rich Man

Yes, by embedding a YouTube video I just exposed you to tracking in addition to the tracking that happens at hosted sites. But you also are not paying me for adult content. Still makes me feel dirty.

If I was a rich man, I’d develop a blogging platform designed to prevent third party tracking (Content Security Policy is good for that but does not work with WordPress because WordPress is shit code, it really is)

Anyway, if I was a rich man, or at least not a poor man that currently can’t even afford a haircut, I would start a PhoneSex COOP with PSOs who care about the privacy of their callers, and I would make sure the tech back-end did what the existing phone sex companies do not seem to care about doing.

Maybe some day that will be reality, it is desperately needed.

What Callers Can Do

Install Privacy Badger, and use a VPN. That won’t guarantee tracking won’t happen (it often still will) but it will greatly reduce the tracking.

And bitch like a mother fucker when using privacy badger breaks a phone sex site (e.g. some use Google Captcha on forms, which is one of many ways Google tries to force their trackers on people – unlike Fonts and Google Analytics, a lot of sites actually break when the site requires Google Captcha and you block it)

Seriously, complain like a mother fucker to them, and don’t just do it in private – I’ve tried that and it doesn’t work. Call them out in public on Twitter etc. when their sites require you be tracked to function.

I will do it right now:

Not only is that site (for leaving phone sex reviews) served over standard HTTP (meaning your ISP can see everything you enter), but it requires you do not block Google because the form does not work when you block Google’s tracking cookies.

I complained about it in private MONTHS ago, and they still do not care to fix it.

Technical Knock Out

That’s what most people think about when they hear the term “TKO” – well, I do not know about most, but at least people familiar with the art of boxing.

“Still a man hears what he wants to hear and disregards the rest” — Meaningful lyrics.

Anyway, to me TKO means something else. It means “Trust No One” – okay, yes, that’s TNO but I always map the “No” in my mind to “Know” because “Know” comes from “Knowledge” and to me, “Trust” is what you do in the absence of “Knowledge” – You do not have to “Trust” when you actually “Know”. My mind makes these odd associations.

Anyway, one of the very first concepts of Internet Security I learned was the concept that trust can be and often is exploited. The less you trust, the better your security is.

But the way humans work, humans are social species and the way you become part of a group is to show people in that group you trust them and don’t need to verify what they say or their actions. Humans crave that kind of trust and are offended when you do not give it, and that cause insecurity to be the norm and causes social problems for me because it is a concept I have trouble with.

Social Engineering is the art of taking advantage the trust humans want to give each other as part of their desire to be socially accepted.

PHP Composer

PHP Composer is a method of installing web applications that is extremely popular and extremely dangerous because it is based highly on trust.

A web application will have what is called a “composer.json” file that lists other dependencies, some of which are optional features of PHP (e.g. the DOM extensions) but most of which end up being class libraries written by other random people.

When the composer install command is run, you are implicitly trusting every single package listed as a dependency.

Not only are you implicitly trusting every single package listed as a dependency, but you are trusting every package those dependencies list in their composer.json file. And every dependency they list in their composer.json file. And every dependency they list in their composer.json file.

You often end up with at least a dozen PHP libraries written by random people that are not listed in the web application’s composer.json file, they are dependencies of dependencies of dependencies.


There is no process of code review that is required for a package to be listed on packagist. There is no process of code review that is required for a package to be updated on packagist. The trust when you install something via composer is completely blind trust.

Packagist implicitly trusts those submitting packages without even the slightest verification of their actual identity let alone what their code does.

I hope I don’t have to explain how fucking dangerous this is.

We have all heard of the big media hoopla over Russian hackers tampering with our elections. This kind of thing isn’t shocking, it’s cake to do because modern Internet tech is extremely irresponsible.

When a programmer is being paid well by a state sponsor to write free software that does useful things, it is much needed money in an age where Google and Amazon and Facebook services are taking away the ability of programmers to otherwise earn.

So when offered money to create free useful software, of course programmers are going to take these offers. The programmer themselves may not even be the ones submitting these useful packages to packagist for composer install.

Then a few months later when something has become popular, it gets updated with the craftily constructed malicious code that often just looks like a bug if found, but is an intentional mechanism to allow remote code injection. An intentional flaw that allows serialized objects to be injected into the web application are a common method.

Do you really think the recently discovered serialized object injection attack and default SSH password in a Cisco security product were accidental? Wise up if you do. Serialized object injection is the latest trend, and a lot of the holes are intentional. The fact that the same product also had a default password makes it even smellier. That was Java, not PHP Composer, but it happens with Composer too – and there is no code review before publish.

But whenever I, Alice Wonder, point this out – I get a technical knock out.

People in tech like to think they are really smart and do not like it pointed out how fucking stupid they are being from a security point of view.

So because I don’t have the social skills to point out these serious flaws in a way that makes the other programmers continue to feel good about themselves, I end up on the outside.

And that is why I no longer want to be a part of this world.

Coming to Terms

Trigger Warning: This post talks about suicide.


That has been one of my favorite songs since I was in my early 20s, and I bought a Woody Guthrie CD (This is Arlo, his son, singing it. Woody wrote it)

I am not an immigrant, though my mother is (from Germany as a child, she came with her parents shortly after World War 2)

The song though has more application than just the atrocious way our country treats the poor immigrant workers from Mexico. That treatment is just a symptom of the way the economic elite in American Capitalism see the poor.

Like the immigrants in the song, I do not have a name to them. I do not matter to them. I only exist for them to extract money from, and when done extracting all they can, I am no longer of any use, and it is time for me to die. That time is close at hand.

I was nearly evicted just before last winter, and I barely avoided it. Unfortunately what safety net I had is now completely gone and things are not getting better.

I am going to become homeless and when I do, my already poor mental health state will only further deteriorate. I can’t live through that.

I have seriously contemplated committing a premeditated violent crime for no other purpose than going to prison, where I would at least get some medical care, of which I get none right now. Also in prison, the constant financial frustration and daily financial stress would no longer be an issue.

I would make sure the person had it coming to them, but unfortunately the reality is I just don’t have it in me to do such a thing. No matter what it would solve, I would not be able to bring myself to do it.

But I also can not watch myself continue to decline in mental health which will only hasten when I am homeless, so the only solution I will have is to leave this world.

Code Dump

I am going to be cleaning up a lot of my code and getting it up on github for others to use. For my own personal use, my code is not always very clean. The dirty parts don’t matter, they are only problematic if the classes are not understood by those using them, but that’s a lot of people.

The first such class of mine is already cleaned up and available:


I took my existing class for interfacing with APCu and cleaned it up to meet the PSR-16 standard. I also added encryption support to it, you can use it to encrypt what you are going to cache before you cache it, so that if a hacker gets a dump of your server memory (not an uncommon thing) what you have cached is encrypted with a 32-byte secret key using a modern state of the art cipher.

That’s the kind of thing I like to do, but that also is the kind of thing companies do not like paying people to do, because it isn’t eye candy they can profit from.


That class is a re-write of something I had been using for a few years. There was (seems she took them down, so I can talk about it now) an issue with Princess Andi’s blog where what she intended to be protected content was actually easy for anyone to get, so easy that in fact search engines even had it indexed.

She had some password protected images, but because of the shitty code behind WordPress, the SEO optimizer plugin gives away the link to the images, and WordPress will serve the images even to people who have not entered the password if they view the page source and look at the OpenGraph data – which is exactly what search engines do. Hell even sharing the pages on Twitter resulted in Twitter embedding the images in the tweet.

So I took an existing class I had for acting as a file wrapper for JS/CSS content, and rewrote the class to work with any kind of content – including multimedia with support for browser range requests (where the browser only requests part of the file at a time)

Anyway the way it would work, a .htaccess file would redirect requests for the image to a PHP wrapper that uses the class file. If the user has session data indicating the user has authenticated with the password, the images that are protected would be served. Otherwise it would serve something else. That would solve the problem.

The cleaned up version of the code at github needs further testing but the dirty version I personally use works very well, and I use it at to make sure the user has age verified before playing dirty content etc.

There are several other of my PHP classes I want to clean up before I’m homeless and then depart from this world, but the most important one isn’t written yet.

PHP Resource Manager

The way most PHP web applications handle resources (JavaScript, CSS, images, etc.) is just fundamentally wrong. Especially JS and CSS.

They bundle third party scripts into the web application so they become stale over time. You can go to many websites and have different web apps on the same fucking server all serving slightly different versions of jQuery and all out of date. It’s fucking ridiculous.

I’m creating a concept I call a FileResource object.

The base FileResource object is really just a base for more specific implementations to extend.

Basically a FileResource object will have within it the ability to craft the necessary URI for the web application to insert into its web pages.

So if a web application needs jQuery 3.1 or newer, it will ask the Resource Manager for jQuery 3.1 or newer and the Resource Manager will respond with a JavaScript extension of the FileResource object that contains everything the web application needs to build the script node when creating the web page.

The jQuery URI the FileResource object returns could be a copy of jQuery on the local server, a company server just for hosting scripts, or a CDN. Whatever the system administrator has configured.

One of the nice things about objects, they can (and often do) contain methods.

So for example with the example of password protected images, the ImageFileResource could have a method that takes the user’s session data as an argument – and give out the file location based upon the session data when serving the image.

This concept of mine will hopefully be coded and tested and released to github before I depart.

It’s not an idea I can make money from, the problem is that companies do not want to hire programmers anymore, they want canned solutions. So the only way I can make money from it is if I worked for one of the companies creating canned solutions and that is no longer a possibility. It was in my 20s and I did, but it is not in my 40s, they do not want to hire “old people” who have not “made it” by the time they are 40.

However, if I put the code on github, these companies that make canned solutions will likely incorporate it. They will never pay me for it, but they will use it.

This Resource Manager will be my last major contribution to the world.

Though it probably won’t get used much, web app developers that do make it in the world prefer easy over doing things the right way, and just bundling the resources in the app is easy so they will just keep doing that. Most of them.

But I will put out a solution that does it the right way before I leave.

The Problem

Here is an example of what causes me so much stress and pain:

my bank account
Really bad month for me

On the 12th I made a purchase that left me with 7.97 in the bank, February was a really really bad month for me, I mean really bad. I need a haircut and I can not get one, I need new shoes but I can not get them, I am eating once a day. I was hoping some funds would come in but they did not, and my safety net is completely gone now, that was eaten avoiding eviction just before winter.

Note the 7.97 balance. I have been eating oatmeal and rice, I have it.

The $12.00 they took out is the “poor tax” that Chase charges you if you do not have enough money going through your account. That caused me to become overdrawn, resulting in the overdraft fee when the $7.00 github payment was taken out.

But here’s the interesting thing:

Chase is crooked

That’s an e-mail I got from chase indicating the $7.00 fee for github was covered, and indeed knowing that $7.00 fee was coming out is why I was so careful to not spend anything when I had $7.97 left in the bank. My plan worked, or so I thought.

I knew the $12.00 charge for being poor was coming out too, but Chase can’t charge an overdraft for that and it always comes out after the monthly github payment.

But Chase in their evil greed to steal from the poor, even though they sent me an e-mail on the 24th indicating my github fee was covered, chose to reconcile the $12.00 poor fee on the 23rd resulting in the overdraft fee that put me way over.

That’s the way the wealthy treat the poor. If they can find a way to fuck us over, they will, and they do it constantly until there is nothing left to squeeze from us.

I can’t keep on living in this world anymore, the pain and stress of being poor is a daily pain and stress and it keeps getting worse and worse and worse and there is no path out of poverty for me. It doesn’t exist.

The only way to stop the pain is to stop existing myself.

My Problem with Employment

There are several reasons why I am not employable.

I am epileptic and it was not completely controlled by medication. That meant no drivers license, which immediately greatly reduces the employment opportunities.

It also means I have a tendency to hit my head (my seizures are big) and being a precondition, no insurance to cover the expensive ER visits when someone thinks they are doing me a favor by calling 911.

Hitting my head numerous times has resulted in short term memory issues, and it also has resulted in issues where I know exactly what I want to say or type but the pathway to get it from my brain and expressed does not work.

When I feel like I am going to have a seizure, I need to sleep or I do have one. That does not work well with employers. I can understand from their perspective why it would not work well for them, but as a result I am poor and will always be poor and just like the immigrant farm workers we pay shit wages to – I am worthless to the economic elite who only judge the worth of someone by how much money they can earn. And fucking Christians, Fucking Christians are the worst because they believe their wealth is because God blessed them so I must have done something to piss off God to not be blessed by him. Jesus wasn’t like that, but fucking Christians are like that.

Atheists are often far more Christ like than Christians.

I’m also autistic and that causes incredible problems with employment. I am not sociable, I don’t see things the same way others do, often am accused of having no sense of humor, and am prone to having meltdowns and people figure that out and do things to things to trigger them for their own amusement which results in me not working out as an employee.

I use to be able to work from home for shit pay but still work fixing bugs and issues people had but that’s all gone now, everything is cloud computing now and Google / Amazon / Facebook services, leaving nothing for people like me.

The message is loud and clear.

This isn’t a world I belong in.

I bought that Don McLean album after I heard “American Pie” on the radio when I was sick during a family trip to Yosemite.

Friends of the family had a cabin there, I ended up having strep throat and almost died (well not literally, the antibiotics worked well enough I only spent two days in the hospital) – but I was restricted to the cabin while family went and saw the scenes.

Anyway there was a radio, and I heard the song “American Pie” – I was 14 at the time, fell in love with the song, and bought the Don McLean album. Vincent though is the song on that album I fell in love with the most.

I get it. I am suffering for my sanity, and I can’t take it anymore.

I’m not an artist like Vincent, but my PHP code, I am cleaning that up and creating that resource manager (that will work much like PSR-4 autoloading for JavaScript and CSS) – that will be my art I leave the world with.

But I could have told you Alice, this world was never meant for one as beautiful as you.

Enjoy your capitalism.

It kills those who don’t fit in, and I hope you can find a way to change that.

But I can’t wait any longer for that change to happen, I don’t believe it ever will.