An update in point form

Jun. 25th, 2016 08:08 pm
[personal profile] alexbayleaf
1. Still alive and kicking. Living a quiet life. Slowly digging out from under the dark pile of crap that has been the last year or so.

2. I'm still checking in on DW every few days at least to follow those who are still posting here, especially those who access lock. I might not always comment but I am reading and appreciating the insights into your lives. Thank you :)

3. As you may have seen I am handing over Growstuff to people who are better able to look after it. Sad to let it go, but glad to be letting go of the guilt about not having the mental wherewithal to deal with it. Pretty much all my old personal websites/domains are also expired/gone. I'm glad to be leaving it behind.

4. Please note username change. While I hated being forced to use my birthname, I actually like my current name, and have been using it more often online of late. Feel free to refer to me as "Alex" when talking about me in the third person. Pronouns are still "they" or "she" - either is fine, though I aim for mostly being gender neutral when referring to myself.

5. I have a new blog, Spinster's Bayley, which more or less replaces the old "Chez Skud" blog, in that it's about domestic life, but is less just "random crap that I feel like writing about" but has a bit more intent around it. I'm tossing up whether to crosspost it here - feedback welcome. If you're interested in simple/sustainable/resilient living, homegrown and homemade stuff, and subjects of that variety, go take a look.

6. I also recently started blogging at Eat Local Ballarat about locally produced food in the Ballarat region. Don't imagine it'll be of much interest to people beyond this geographic area but if you're interested in local food or relocalisation in general, take a look :) Definitely won't be crossposting that one here, but of course there's the usual collection of RSS, newsletter, and social media for those who want to follow it.

7. I would welcome suggestions of any DWs that talk about simple living, or related topics (as above). Anyone got recs?

I've bought some more awful IoT stuff

Jun. 21st, 2016 03:13 pm
[personal profile] mjg59
I bought some awful WiFi lightbulbs a few months ago. The short version: they introduced terrible vulnerabilities on your network, they violated the GPL and they were also just bad at being lightbulbs. Since then I've bought some other Internet of Things devices, and since people seem to have a bizarre level of fascination with figuring out just what kind of fractal of poor design choices these things frequently embody, I thought I'd oblige.

Today we're going to be talking about the KanKun SP3, a plug that's been around for a while. The idea here is pretty simple - there's lots of devices that you'd like to be able to turn on and off in a programmatic way, and rather than rewiring them the simplest thing to do is just to insert a control device in between the wall and the device and now you can turn your foot bath on and off from your phone. Most vendors go further and also allow you to program timers and even provide some sort of remote tunneling protocol so you can turn off your lights from the comfort of somebody else's home.

The KanKun has all of these features and a bunch more, although when I say "features" I kind of mean the opposite. I plugged mine in and followed the install instructions. As is pretty typical, this took the form of the plug bringing up its own Wifi access point, the app on the phone connecting to it and sending configuration data, and the plug then using that data to join your network. Except it didn't work. I connected to the plug's network, gave it my SSID and password and waited. Nothing happened. No useful diagnostic data. Eventually I plugged my phone into my laptop and ran adb logcat, and the Android debug logs told me that the app was trying to modify a network that it hadn't created. Apparently this isn't permitted as of Android 6, but the app was handling this denial by just trying again. I deleted the network from the system settings, restarted the app, and this time the app created the network record and could modify it. It still didn't work, but that's because it let me give it a 5GHz network and it only has a 2.4GHz radio, so one reset later and I finally had it online.

The first thing I normally do to one of these things is run nmap with the -O argument, which gives you an indication of what OS it's running. I didn't really need to in this case, because if I just telnetted to port 22 I got a dropbear ssh banner. Googling turned up the root password ("p9z34c") and I was logged into a lightly hacked (and fairly obsolete) OpenWRT environment.

It turns out that there's a whole community of people playing with these plugs, and it's common for people to install CGI scripts on them so they can turn them on and off via an API. At first this sounds somewhat confusing, because if the phone app can control the plug then there clearly is some kind of API, right? Well ha yeah ok that's a great question and oh good lord do things start getting bad quickly at this point.

I'd grabbed the apk for the app and a copy of jadx, an incredibly useful piece of code that's surprisingly good at turning compiled Android apps into something resembling Java source. I dug through that for a while before figuring out that before packets were being sent, they were being handed off to some sort of encryption code. I couldn't find that in the app, but there was a native ARM library shipped with it. Running strings on that showed functions with names matching the calls in the Java code, so that made sense. There were also references to AES, which explained why when I ran tcpdump I only saw bizarre garbage packets.

But what was surprising was that most of these packets were substantially similar. There were a load that were identical other than a 16-byte chunk in the middle. That plus the fact that every payload length was a multiple of 16 bytes strongly indicated that AES was being used in ECB mode. In ECB mode each plaintext is split up into 16-byte chunks and encrypted with the same key. The same plaintext will always result in the same encrypted output. This implied that the packets were substantially similar and that the encryption key was static.
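The two observations above (every length a multiple of 16, and packets identical except for one 16-byte chunk) are enough to fingerprint ECB from a capture without knowing the key. The script below is an added example, not code from the post or from the plug's tooling: it builds a constructed capture from plaintexts laid out in the spirit of the protocol (a MAC, a password, a command; the exact field layout is made up here), encrypts them with a stand-in 16-byte block function in ECB and in CBC, and runs the fingerprint check over both.

```python
import hashlib
import os
from collections import Counter

BLOCK = 16


def _prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 16-byte block cipher (NOT AES): keyed SHA-256, truncated.

    It is not invertible, but the ECB fingerprint only depends on the property
    "same key + same 16-byte input -> same 16-byte output", which this has.
    """
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _pad(data: bytes) -> bytes:
    """PKCS#7 padding, which is why every ciphertext length is a multiple of 16."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted independently with the same key."""
    p = _pad(plaintext)
    return b"".join(_prf_block(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """CBC with a fresh random IV per message: equal plaintext blocks no longer match."""
    p = _pad(plaintext)
    iv = os.urandom(BLOCK)
    prev, out = iv, [iv]
    for i in range(0, len(p), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(p[i:i + BLOCK], prev))
        prev = _prf_block(key, mixed)
        out.append(prev)
    return b"".join(out)


def ecb_fingerprint(packets):
    """Return (all lengths are multiples of 16, number of distinct 16-byte blocks seen more than once)."""
    aligned = all(len(p) % BLOCK == 0 for p in packets)
    counts = Counter()
    for p in packets:
        for i in range(0, len(p) - len(p) % BLOCK, BLOCK):
            counts[p[i:i + BLOCK]] += 1
    repeated = sum(1 for c in counts.values() if c > 1)
    return aligned, repeated


def looks_like_ecb(packets) -> bool:
    """The heuristic from the post: aligned lengths plus repeated blocks across packets."""
    aligned, repeated = ecb_fingerprint(packets)
    return aligned and repeated > 0


# Constructed plaintexts in the spirit of the plug's protocol (MAC, password, command).
# The field layout is made up for this example, not taken from the real app.
PREFIX = b"lan%00:11:22:33:44:55%password1%"   # exactly 32 bytes: two whole blocks
COMMANDS = [b"open", b"close", b"check", b"open"]
PLAINTEXTS = [PREFIX + cmd.ljust(BLOCK) + b"%request" for cmd in COMMANDS]
STATIC_KEY = b"constructed-static-key-not-real!"  # constructed; not the plug's key


def ecb_capture():
    """Four packets that differ only in the third block, like the post's capture."""
    return [ecb_encrypt(STATIC_KEY, m) for m in PLAINTEXTS]


def cbc_capture():
    """The same plaintexts under CBC: no block repeats, so the fingerprint stays quiet."""
    return [cbc_encrypt(STATIC_KEY, m) for m in PLAINTEXTS]


if __name__ == "__main__":
    for name, cap in (("ECB", ecb_capture()), ("CBC", cbc_capture())):
        print(name, ecb_fingerprint(cap), "looks like ECB:", looks_like_ecb(cap))
```

With the ECB capture the three shared blocks (prefix, prefix, trailer) and the repeated "open" block all show up as repeats; under CBC the count is zero even though the lengths are still 16-byte aligned.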

Some more digging showed that someone had figured out the encryption key last year, and that someone else had written some tools to control the plug without needing to modify it. The protocol is basically ascii and consists mostly of the MAC address of the target device, a password and a command. This is then encrypted and sent to the device's IP address. The device then sends a challenge packet containing a random number. The app has to decrypt this, obtain the random number, create a response, encrypt that and send it before the command takes effect. This avoids the most obvious weakness around using ECB - since the same plaintext always encrypts to the same ciphertext, you could just watch encrypted packets go past and replay them to get the same effect, even if you didn't have the encryption key. Using a random number in a challenge forces you to prove that you actually have the key.

At least, it would do if the numbers were actually random. It turns out that the plug is just calling rand(). Further, it turns out that it never calls srand(). This means that the plug will always generate the same sequence of challenges after a reboot, which means you can still carry out replay attacks if you can reboot the plug. Strong work.
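The property that breaks the challenge is that a never-seeded generator restarts from the same state on every boot, so the challenge sequence is identical across reboots. The simulation below is an added example, not the plug's firmware: it uses the textbook LCG from the C standard's sample rand() with the default start state of 1 as a stand-in (not the exact generator of any particular libc), puts a CSPRNG-backed source beside it as the fix, and compares the challenges two "boots" would issue.

```python
import secrets


class ReferenceLcg:
    """Stand-in for an UNSEEDED C rand(): the sample LCG from the C standard,
    not the exact generator of any particular libc. State 1 is what a program
    gets when it never calls srand()."""

    def __init__(self):
        self.state = 1

    def next_challenge(self) -> int:
        # Only the low 31 bits of the state matter for the returned value.
        self.state = (1103515245 * self.state + 12345) & 0x7FFFFFFF
        return self.state >> 16  # rand()-style: hand back the upper 15 bits


class CsprngSource:
    """The fix: draw each challenge from the OS CSPRNG, so a reboot cannot replay the sequence."""

    def next_challenge(self) -> int:
        return secrets.randbelow(1 << 31)


def challenge_sequence(source_factory, n: int):
    """Simulate the plug booting (a fresh generator) and issuing n challenges."""
    src = source_factory()
    return [src.next_challenge() for _ in range(n)]


def challenges_repeat_across_reboots(source_factory, n: int = 8) -> bool:
    """True if two independent boots issue the same challenges, which is exactly
    the condition under which a recorded response stays valid after a reboot."""
    return challenge_sequence(source_factory, n) == challenge_sequence(source_factory, n)


if __name__ == "__main__":
    print("unseeded LCG:", challenge_sequence(ReferenceLcg, 5))
    print("repeats across reboots:", challenges_repeat_across_reboots(ReferenceLcg))
    print("CSPRNG repeats across reboots:", challenges_repeat_across_reboots(CsprngSource))
```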

But there was still the question of how the remote control works, since the code on github only worked locally. tcpdumping the traffic from the server and trying to decrypt it in the same way as local packets worked fine, and showed that the only difference was that the packet started "wan" rather than "lan". The server decrypts the packet, looks at the MAC address, re-encrypts it and sends it over the tunnel to the plug that registered with that address.

That's not really a great deal of authentication. The protocol permits a password, but the app doesn't insist on it - some quick playing suggests that about 90% of these devices still use the default password. And the devices are all based on the same wifi module, so the MAC addresses are all in the same range. The process of sending status check packets to the server with every MAC address wouldn't take that long and would tell you how many of these devices are out there. If they're using the default password, that's enough to have full control over them.

There's some other failings. The github repo mentioned earlier includes a script that allows arbitrary command execution - the wifi configuration information is passed to the system() command, so leaving a semicolon in the middle of it will result in your own commands being executed. Thankfully this doesn't seem to be true of the daemon that's listening for the remote control packets, which seems to restrict its use of system() to data entirely under its control. But even if you change the default root password, anyone on your local network can get root on the plug. So that's a thing. It also downloads firmware updates over http and doesn't appear to check signatures on them, so there's the potential for MITM attacks on the plug itself. The remote control server is on AWS unless your timezone is GMT+8, in which case it's in China. Sorry, Western Australia.
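The system() problem described above is easiest to see side by side with its fix. This is an added example, not the script from the github repo: the helper name "wifi-setup" is hypothetical, and "echo" stands in for it so the command actually runs and only prints its arguments. The vulnerable form hands a string to the shell (what system() does); the hardened form validates the fields and passes argv directly, so nothing parses a semicolon as a command separator.

```python
import re
import subprocess

# Stand-in for the real configuration helper: "echo" just prints its arguments,
# so both versions run anywhere and cannot touch a real WiFi configuration.
HELPER = "echo"

# 802.11 SSIDs are at most 32 bytes; restrict to printable ASCII for this example.
SSID_RE = re.compile(r"^[\x20-\x7e]{1,32}$")


def configure_wifi_vulnerable(ssid: str, psk: str) -> list:
    """Shape of the bug: request fields are pasted into a shell command line and
    handed to the shell (system() in C, shell=True here). Returns stdout lines,
    one per command the shell actually ran."""
    cmd = f"{HELPER} wifi-setup {ssid} {psk}"   # 'wifi-setup' is a hypothetical helper name
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def configure_wifi_hardened(ssid: str, psk: str) -> list:
    """Fix: validate lengths and charset, then pass argv directly so no shell
    ever parses the data. Returns stdout lines (always exactly one here)."""
    if not SSID_RE.fullmatch(ssid):
        raise ValueError("SSID must be 1-32 printable ASCII characters")
    if not 8 <= len(psk) <= 63 or not psk.isprintable():
        raise ValueError("WPA2 passphrase must be 8-63 printable characters")
    argv = [HELPER, "wifi-setup", ssid, psk]
    out = subprocess.run(argv, capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # Constructed input with a semicolon in the SSID, as the post describes.
    ssid, psk = "HomeNet;echo INJECTED", "hunter2hunter2"
    print("vulnerable:", configure_wifi_vulnerable(ssid, psk))
    print("hardened:  ", configure_wifi_hardened(ssid, psk))
```

The vulnerable version prints two lines because the shell ran two commands; the hardened version prints one line in which the whole SSID, semicolon included, arrived as a single argument.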

It's running Linux and includes Busybox and dnsmasq, so plenty of GPLed code. I emailed the manufacturer asking for a copy and got told that they wouldn't give it to me, which is unsurprising but still disappointing.

The use of AES is still somewhat confusing, given the relatively small amount of security it provides. One thing I've wondered is whether it's not actually intended to provide security at all. The remote servers need to accept connections from anywhere and funnel decent amounts of traffic around from phones to switches. If that weren't restricted in any way, competitors would be able to use existing servers rather than setting up their own. Using AES at least provides a minor obstacle that might encourage them to set up their own server.

Overall: the hardware seems fine, the software is shoddy and the security is terrible. If you have one of these, set a strong password. There's no rate-limiting on the server, so a weak password will be broken pretty quickly. It's also infringing my copyright, so I'd recommend against it on that point alone.
[syndicated profile] hypatia_dot_ca_feed

Posted by Leigh Honeywell

Content note for discussion of abuse and sexual violence.

In the last couple of weeks, three respected members of the computer security and privacy tech communities have come forward under their own names to tell their harrowing stories of sexual misconduct, harassment, and abuse committed by Jacob Appelbaum. They acted in solidarity with the first anonymous reporters of Jacob’s abuse. Several organizations have taken steps to protect their members from Appelbaum, including the Tor Project, Debian, and the Noisebridge hackerspace, with other responses in progress.

But Appelbaum isn’t the last – or the only – abuser in any of these communities. Many people are calling for long-term solutions to stop and prevent similar abuse. The authors of this post have recommendations, based on our combined 40+ years of community management experience in the fields of computer security, hackerspaces, free and open source software, and non-profits. In four words, our recommendation is:

No more rock stars.

What do we mean when we say “rock stars?” We like this tweet by Molly Sauter:

Seriously, “rock stars” are arrogant narcissists. Plumbers keep us all from getting cholera. Build functional infrastructure. Be a plumber.

You can take concrete actions to stop rock stars from abusing and destroying your community. But first, here are a few signs that help you identify when you have a rock star instead of a plumber:

A rock star likes to be the center of attention. A rock star spends more time speaking at conferences than on their nominal work. A rock star appears in dozens of magazine profiles – and never, ever tells the journalist to talk to the people actually doing the practical everyday work. A rock star provokes a powerful organization over minor issues until they crack down on the rock star, giving them underdog status. A rock star never says, “I don’t deserve the credit for that, it was all the work of…” A rock star humble-brags about the starry-eyed groupies who want to fuck them. A rock star actually fucks their groupies, and brags about that too. A rock star throws temper tantrums until they get what they want. A rock star demands perfect loyalty from everyone around them, but will throw any “friend” under the bus for the slightest personal advantage. A rock star knows when to turn on the charm and vulnerability and share their deeply personal stories of trauma… and when it’s safe to threaten and intimidate. A rock star wrecks hotel rooms, social movements, and lives.

Why are rock stars so common and successful? There’s something deep inside the human psyche that loves rock stars and narcissists. We easily fall under their spell unless we carefully train ourselves to detect them. Narcissists are skilled at making good first impressions, at masking abusive behavior as merely eccentric or entertaining, at taking credit for others’ work, at fitting our (often inaccurate) stereotypes of leaders as self-centered, self-aggrandizing, and overly confident. We tend to confuse confidence with competence, and narcissists are skilled at acting confident.

Sometimes rock stars get confused with leaders, who are necessary and good. What’s the difference between a rock star and a leader? We like the term “servant-leader” as a reminder that the ultimate purpose of a good leader is to serve the mission of their organization (though this feminist critique of the language around servant-leadership is worth reading). Having personal name recognition and the trust and support of many people is part of being an effective leader. This is different from the kind of uncritical worship that a rock star seeks out and encourages. Leaders push back when the adoration gets too strong and disconnected from achieving the mission (here is a great example from Anil Dash, pushing back after being held up as an example of positive ally for women in tech). Rock stars aren’t happy unless they are surrounded by unthinking adoration.

How do we as a community prevent rock stars?

If rock stars are the problem, and humans are susceptible to rock stars, how do we prevent rock stars from taking over and hijacking our organizations and movements? It turns out that some fairly simple and basic community hygiene is poisonous to rock stars – and makes a more enjoyable, inclusive, and welcoming environment for plumbers.

Our recommendations can be summarized as: decentralizing points of failure, increasing transparency, improving accountability, supporting private and anonymous communication, reducing power differentials, and avoiding situations that make violating boundaries more likely. This is a long blog post, so here is a table of contents for the rest of this post:

Have explicit rules for conduct and enforce them for everyone

Create a strong, specific, enforceable code of conduct for your organization – and enforce it, swiftly and without regard for the status of the accused violator. Rock stars get a kick out of breaking the rules, but leaders know they are also role models, and scrupulously adhere to rules except when there’s no alternative way to achieve the right thing. Rock stars also know that when they publicly break the little rules and no one calls them out on it, they are sending a message that they can also break the big rules and get away with it.

One of the authors of this post believed every first-person allegation of abuse and assault by Jacob Appelbaum – including the anonymous ones – immediately. Why? Among many other signs, she saw him break different, smaller rules in a way that showed his complete and total disregard for other people’s time, work, and feelings – and everyone supported him doing so. For example, she once attended a series of five minute lightning talks at the Noisebridge hackerspace, where speakers sign up in advance. Jacob arrived unannounced and jumped in after the first couple of talks with a forty-five minute long boring rambling slideshow about a recent trip he took. The person running the talks – someone with considerable power and influence in the same community – rolled his eyes but let Jacob talk for nine times the length of other speakers. The message was clear: rules don’t apply to Jacob, and even powerful people were afraid to cross him.

This kind of blatant disregard for the rules and the value of people’s time was so common that people had a name for it: “story time with Jake,” as described in Phoenix’s pseudonymous allegation of sexual harassment. Besides the direct harm, dysfunction, and disrespect this kind of rule-breaking and rudeness causes, when you allow people to get away with it, you’re sending a message that they can get away with outright harassment and assault too.

To solve this, create and adopt a specific, enforceable code of conduct for your community. Select a small expert group of people to enforce it, with provisions for what to do if one of this group is accused of harassment. Set deadlines for responding to complaints. Conduct the majority of discussion about the report in private to avoid re-traumatizing victims. Don’t make exceptions for people who are “too valuable.” If people make the argument that some people are too valuable to censure for violating the code of conduct, remove them from decision-making positions. If you ever find yourself in a situation where you are asking yourself if someone’s benefits outweigh their liabilities, recognize that they’ve already cost the community more than they can ever give to it and get to work on ejecting them quickly.

Start with the assumption that harassment reports are true and investigate them thoroughly

Over more than a decade of studying reports of harassment and assault in tech communities, we’ve noticed a trend: if things have gotten to the point where you’ve heard about an incident, it’s almost always just the tip of the iceberg. People argue a lot about whether to take one person’s word (the alleged victim) over another’s (the alleged harasser), but surprisingly often, this was not the first time the harasser did something harmful and it’s more likely a “one person said, a dozen other people said” situation. Think about it: what are the chances that someone had a perfect record of behavior, right up till the instant they stuck their hand in someone else’s underwear without consent – and that person actually complained about it – AND you heard about it? It’s far more likely that this person has been gradually ramping up their bad behavior for years and you just haven’t heard about it till now.

The vast majority of cases we know about fit one of these two patterns:

  1. A clueless person makes a few innocent, low-level mistakes and actually gets called on one of them fairly quickly. Signs that this is the likely case: the actual incident is extremely easy to explain as a mistake, the accused quickly understands what they did wrong, they appear genuinely, intensely embarrassed, they apologize profusely, and they offer a bunch of ways to make up for their mistake: asking the video of their talk to be taken down, writing a public apology explaining why what they did was harmful, or proposing that they stop attending the event for some period of time.
  2. A person who enjoys trampling on the boundaries of others has been behaving badly for a long time in a variety of ways, but everyone has been too afraid to say anything about it or do anything about other reports. Signs that this is the likely case: the reporter is afraid of retaliation and may try to stay anonymous, other people are afraid to talk about the incident for the same reason, the reported incident may be fairly extreme (e.g., physical assault with no question that consent was violated), many people are not surprised when they hear about it, you quickly gather other reports of harassment or assault of varying levels, the accused has plagiarized or stolen credit or falsified expense reports or done other ethically questionable things, the accused has consolidated a lot of power and attacks anyone who seems to be a challenge to their power, the accused tries to change the subject to their own grievances or suffering, the accused admits they did it but minimizes the incident, or the accused personally attacks the reporter using respectability politics or tone-policing.

In either case, your job is to investigate the long-term behavior of the accused, looking for signs of narcissism and cruelty, big and small. Rock stars leave behind a long trail of nasty emails, stolen credit, rude behavior, and unethical acts big and small. Go look for them.

Make it easy for victims to find and coordinate with each other

Rock stars will often make it difficult for people to talk or communicate without being surveilled or tracked by the rock star or their assistants, because private or anonymous communication allows people to compare their experiences and build effective resistance movements. To fight this, encourage and support private affinity groups for marginalized groups (especially people who identify as women in a way that is significant to them), create formal systems that allow for anonymous or pseudonymous reporting such as an ombudsperson or third-party ethics hotline, support and promote people who are trusted contact points and/or advocates for marginalized groups, and reward people for raising difficult but necessary problems.

Watch for smaller signs of boundary pushing and react strongly

Sometimes rock stars don’t outright break the rules, they just push on boundaries repeatedly, trying to figure out exactly how far they can go and get away with it, or make it so exhausting to have boundaries that people stop defending them. For example, they might take a little too much credit for shared work or other people’s work, constantly bring up the most disturbing but socially acceptable topic of conversation, resist de-escalation of verbal conflict, subtly criticize people, make passive-aggressive comments on the mailing list, leave comments that are almost but not quite against the rules, stand just a little too close to people on purpose, lightly touch people and ignore non-verbal cues to stop (but obey explicit verbal requests… usually), make comments which subtly establish themselves as superior or judges of others, interrupt in meetings, make small verbal put-downs, or physically turn away from people while they are speaking. Rock stars feel entitled to other people’s time, work, and bodies – signs of entitlement to one of these are often signs of entitlement to the others.

Call people out for monopolizing attention and credit

Is there someone in your organization who jumps on every chance to talk to a reporter? Do they attend every conference they can and speak at many of them? Do they brag about their frequent flyer miles or other forms of status? Do they jump on every project that seems likely to be high visibility? Do they “cookie-lick” – claim ownership of projects but fail to do them and prevent others from doing them either? If you see this happening, speak up: say, “Hey, we need to spread out the public recognition for this work among more people. Let’s send Leslie to that conference instead.” Insist that this person credit other folks (by name or anonymously, as possible) prominently and up front in every blog post or magazine article or talk. Establish a rotation for speaking to reporters as a named source. Take away projects from people if they aren’t doing them, no matter how sad or upset it makes them. Insist on distributing high status projects more evenly.

A negative organizational pattern that superficially resembles this kind of call-out can sometimes happen, where people who are jealous of others’ accomplishments and successes may attack effective, non-rock star leaders. Signs of this situation: people who do good, concrete, specific work are being called out for accepting appropriate levels of public recognition and credit by people who themselves don’t follow through on promises, fail at tasks through haplessness or inattention, or communicate ineffectively. Complaints about effective leaders may take the form of “I deserve this award for reasons even though I’ve done relatively little work” instead of “For the good of the organization, we should encourage spreading out the credit among the people who are doing the work – let’s talk about who they are.” People complaining may occasionally make minor verbal slips that reveal their own sense of entitlement to rewards and praise based on potential rather than accomplishments – e.g., referring to “my project” instead of “our project.”

Insist on building a “deep bench” of talent at every level of your organization

Your organization should never have a single irreplaceable person – it should have a deep bench. Sometimes this happens through a misplaced sense of excessive responsibility on the part of a non-abusive leader, but often it happens through deliberate effort from a “rock star.” To prevent this, constantly develop and build up a significant number of leaders at every level of your organization, especially near the top. You can do this by looking for new, less established speakers (keynote speakers in particular) at your events, paying for leadership training, creating official deputies for key positions, encouraging leaders to take ample vacation and not check email (or chat) while they are gone, having at least two people talk to each journalist, conducting yearly succession planning meetings, choosing board members who have strong opinions about this topic and a track record of acting on them, having some level of change or turnover every few years in key leadership positions, documenting and automating key tasks as much as possible, sharing knowledge as much as possible, and creating support structures that allow people from marginalized groups to take on public roles knowing they will have support if they are harassed. And if you need one more reason to encourage vacation, it is often an effective way to uncover financial fraud (one reason why abusive leaders often resist taking vacation – they can’t keep an eye on potential exposure of their misdeeds).

Flatten the organizational hierarchy as much as possible

Total absence of hierarchy is neither possible nor desirable, since “abolishing” a hierarchy simply drives the hierarchy underground and makes it impossible to critique (but see also the anarchist critique of this concept). Keeping the hierarchy explicit and making it as flat and transparent as possible while still reflecting true power relationships is both achievable and desirable. Ways to implement this: have as small a difference as possible in “perks” between levels (e.g., base decisions on flying business class vs. economy on amount of travel and employee needs, rather than position in the organization), give people ways to blow the whistle on people who have power over them (including channels to do this anonymously if necessary), and have transparent criteria for responsibilities and compensation (if applicable) that go with particular positions.

Build in checks for “failing up”

Sometimes, someone gets into a position of power not because they are actually good at their job, but because they turned in a mediocre performance in a field where people tend to choose people with proven mediocre talent over people who haven’t had a chance to demonstrate their talent (or lack thereof). This is called “failing up” and can turn otherwise reasonable people into rock stars as they desperately try to conceal their lack of expertise by attacking any competition and hogging attention. Or sometimes no one wants to take the hit for firing someone who isn’t capable of doing a good job, and they end up getting promoted through sheer tenacity and persistence. The solution is to have concrete criteria for performance, and a process for fairly evaluating a person’s performance and getting them to leave that position if they aren’t doing a good job.

Enforce strict policies around sexual or romantic relationships within power structures

Rock stars love “dating” people they have power over because it makes it easier to abuse or assault them and get away with it. Whenever we hear about an organization that has lots of people dating people in their reporting chain, it raises an automatic red flag for increased likelihood of abuse in that organization. Overall, the approach that has the fewest downsides is to establish a policy that no one can date within their reporting chain or across major differences in power, that romantic relationships need to be disclosed, and that if anyone forms a relationship with someone in the same reporting chain, the participants need to move around the organization until they no longer share a reporting chain. Yes, this means that if the CEO or Executive Director of an organization starts a relationship with anyone else in the organization, at least one of them needs to leave the organization, or take on some form of detached duty for the duration of the CEO/ED’s tenure. When it comes to informal power relationships, such as students dating prominent professors in their fields, they also need to be forbidden or strongly discouraged. These kinds of policies are extremely unattractive to a rock star, because part of the attraction of power for them is wielding it over romantic or sexual prospects.

Avoid organizations becoming too central to people’s lives

Having a reasonable work-life balance isn’t just an ethical imperative for any organization that values social justice, it’s also a safety mechanism so that if someone is forced to leave, needs to leave, or needs to take a step back, they can do so without destroying their entire support system. Rock stars will often insist on subordinates giving 100% of their available energy and time to the “cause” because it isolates them from other support networks and makes them more dependent on the rock star.

Don’t set up your community so that if someone has a breach with your community (e.g., is targeted for sustained harassment that drives them out), they are likely to also lose more than one of: their job, their career, their romantic relationships, their circle of friends, or their political allies. Encouraging and enabling people to have social interaction and support outside your organization or cause will also make it easier to, when necessary, exclude people behaving abusively or not contributing because you won’t need to worry that you’re cutting them off from all meaningful work or human contact.

You should discourage things like: semi-compulsory after hours socialising with colleagues, long work hours, lots of travel, people spending almost all their “intimacy points” or emotional labour on fellow community members, lots of in-group romantic relationships, everyone employs each other, or everyone is on everyone else’s boards. Duplication of effort (e.g., multiple activist orgs in the same area, multiple mailing lists, or whatever) is often seen as a waste, but it can be a powerfully positive force for allowing people some choice of colleagues.

Distribute the “keys to the kingdom”

Signs of a rock star (or occasionally a covert narcissist) may include insisting on being the single point of failure for one or more of: your technical infrastructure (e.g., domain name registration or website), your communication channels, your relationship with your meeting host or landlord, your primary source of funding, your relationship with the cops, etc. This increases the rock star’s power and control over the organization.

To prevent this, identify core resources, make sure two or more people can access/administer all of them, and make sure you have a plan for friendly but sudden, unexplained, or hostile departures of those people. Where possible, spend money (or another resource that your group can collectively offer) rather than relying on a single person’s largesse, specialized skills, or complex network of favours owed. Do things legally where reasonably possible. Try to be independent of any one critical external source of funding or resources. If there’s a particularly strong relationship between one group member and an external funder, advisor, or key organization, institutionalize it: document it, and introduce others into the relationship.

One exception is that it’s normal for contact with the press to be filtered or approved by a single point of contact within the organization (who should have a deputy). However, it should be possible to talk to the press as an individual (i.e., not representing your organization) and anonymously in cases of internal organizational abuse. At the same time, your organization should have a strong whistleblower protection policy – and board members with a strong public commitment and/or a track record of supporting whistleblowers in their own organizations.

Don’t create environments that make boundary violations more likely

Some situations are attractive to rock stars looking to abuse people: sexualized situations, normalization of drinking or taking drugs to the point of being unable to consent or enforce boundaries, or other methods of breaking down or violating physical or emotional boundaries. This can look like: acceptance of sexual jokes at work, frequent sexual liaisons between organization members, mocking people for not being “cool” for objecting to talking about sex at work, framing objection to sexualized situations as being homophobic/anti-polyamorous/anti-kink, open bars with hard alcohol or no limit on drinks, making it acceptable to pressure people to drink more alcohol than they want or violate other personal boundaries (food restrictions, etc.), normalizing taking drugs in ways that make it difficult to stay conscious or defend boundaries, requiring attendance at physically isolated or remote events, having events where it is difficult to communicate with the outside world (no phone service or Internet access), having events where people wear significantly less or no clothing (e.g. pool parties, saunas, hot tubs), or activities that require physical touching (massage, trust falls, ropes courses). It’s a bad sign if anyone objecting to these kinds of activities is criticized for being too uptight, puritanical, from a particular cultural background, etc.

Your organization should completely steer away from group activities which pressure people, implicitly or explicitly, to drink alcohol, take drugs, take off more clothing than is usual for professional settings in the relevant cultures, or touch or be touched. Drunkenness to the point of marked clumsiness, slurred speech, or blacking out should be absolutely unacceptable at the level of organizational culture. Anyone who seems to be unable to care for themselves as the result of alcohol or drug use should be immediately cared for by pre-selected people who are explicitly charged with preventing this person from being assaulted (especially since they may have been deliberately drugged by someone planning to assault them). For tips on serving alcohol in a way that greatly reduces the chance of assault or abuse, see Kara Sowles’ excellent article on inclusive events. You can also check out the article on inclusive offsites on the Geek Feminism Wiki.

Putting this to work in your community

We waited too long to do something about it.

Odds are, your community already has a “missing stair” or three – even if you’ve just kicked one out. They are harming and damaging your community right now. If you have power or influence or privilege, it’s your ethical responsibility to take personal action to limit the harm that they are causing. This may mean firing or demoting them; it may mean sanctioning or “managing them out.” But if you care about making the world a better place, you must act.

If you don’t have power or influence or privilege, think carefully before taking any action that could harm you more and seriously consider asking other folks with more protection to take action instead. Their response is a powerful litmus test of their values. If no one is willing to take this on for you, your only option may be leaving and finding a different organization or community to join. We have been in this position – of being powerless against rock stars – and it is heartbreaking and devastating to give up on a cause, community, or organization that you care about. We have all mourned the spaces that we have left when they have become unlivable because of abuse. But leaving is still often the right choice when those with power choose not to use it to keep others safe from abuse.

Responses

While we are not asking people to “cosign” this post, we want this to be part of a larger conversation on building abuse-resistant organizations and communities. We invite others to reflect on what we have written here, and to write their own reflections. If you would like us to list your reflection in this post, please leave a comment or email us a link, your name or pseudonym, and any affiliation you wish for us to include, and we will consider listing it. We particularly invite survivors of intimate partner violence in activist communities, survivors of workplace harassment and violence, and people facing intersectional oppressions to participate in the conversation.

2016-06-21: The “new girl” effect by Lex Gill, technology law researcher & activist

2016-06-21: Patching exploitable communities by Tom Lowenthal, security technologist and privacy activist

2016-06-22: Tyranny of Structurelessness? by Gabriella Coleman, anthropologist who has studied hacker communities

We would prefer that people not contact us to disclose their own stories of mistreatment. But know this: we believe you. If you need emotional support, please reach out to people close to you, a counselor in your area, or to the trained folks at RAINN or Crisis Text Line.

Credits

This post was written by Valerie Aurora (@vaurorapub), Mary Gardiner (@me_gardiner), and Leigh Honeywell (@hypatiadotca), with grateful thanks for comments and suggestions from many anonymous reviewers.


On A Fraught Word

Jun. 21st, 2016 04:28 pm
[syndicated profile] sumana_feed

(This is a blog post specifically aimed at people who aren't in or from the United States and who have conversations with people from the US, especially online. Also, content note: I explain what lynching is and why it's a bad idea to joke about it, with examples.)

Sometimes when people are joking about vigilante justice, they might use the word "lynch," like "we ought to lynch so-and-so," and think it is a harmless and hyperbolic way of saying "we ought to punish them". As a person who likely (if you are reading this blog) cares about inclusivity and social justice, you probably should not use this term in this way. While some people certainly think it has that generic and benign meaning, in the US (the country whose history I know best), it mostly means white people getting together in mobs to kill black people -- for succeeding, for daring to buy houses or vote, or simply for anything deemed unacceptable by those angry racist mobs. It very rarely still happens here, but it was a more common occurrence not so long ago, such that the history and ramifications of this particular form of race-based terrorism are still very present in the American conscience.

In the summer of 1955, Emmett Till, a 14-year-old black boy from Chicago, was spending the summer with family members in Mississippi, when he was suddenly accused of breaking the South's unwritten rules of interracial conduct by catcalling a white woman. He was abruptly apprehended by an angry white mob, tortured, and lynched. His mother asked for him to have an open-casket funeral, so people could see the extent of the battering and butchery, and newspapers around the country published the photos. This raised the consciousness of Americans across the nation and helped to spur the movement for civil rights in the United States.

More recently: in the 1990s, for the first time, a black man (Clarence Thomas) was appointed to be a US Supreme Court justice. Anita Hill, an accomplished black female lawyer and Thomas's former employee, came forward and publicly stated that he had sexually harassed her. This accusation, and the subsequent televised judicial hearings, were a watershed moment that brought the issue of workplace sexual harassment into widespread national debate. Thomas responded to the accusations by calling them "a high-tech lynching". Hill was alternately applauded and attacked; however, the hearings ultimately proved no obstacle for Thomas, as the legislature went on to confirm his appointment. Twenty-five years later, Justice Thomas still sits on the US Supreme Court.

I know the basic facts above from memory, and those of us who were raised in the USA basically know much of this stuff by heart as part of the history of hate crimes. So that's the kind of shit that we are reminded of when someone jokes about lynching, and why you probably just shouldn't do it around us.

(Thanks to Camille Acey for suggesting revisions that improved this piece. And thanks to the white person I spoke with on this point in private conversation; I adapted that conversation into this post.)

Celestia Wallpaper

Jun. 21st, 2016 08:55 am
ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot
celestia_v2_by_rawrnate
Source: http://rawrnate.deviantart.com/art/Celestia-v2-278922781

Summer Sun Celebration was yesterday, summer has arrived to the northern hemisphere, winter to the south. I had cake, I gave away swag. So much swag.

Three more wallpapers below the cut.
[syndicated profile] adulting_feed


Resources:

• U.S.: 1-800-656-HOPE The National Sexual Assault Hotline can help get you in touch with local service providers and support. Run by RAINN
• U.S.: NotAlone.Gov
Supporting a loved one after sexual assault

Any good resources I’m missing, please mention in comments.

Code push imminent!

Jun. 18th, 2016 06:51 pm
[staff profile] karzilla posting in [site community profile] dw_maintenance
Reminder that I'm going to start working on tonight's code push in the next 30-45 minutes or so. I know you just CAN'T WAIT to use the larger icon filesize for your animated gif talents, so I'm going to start a bit earlier than originally planned, closer to 5:30pm PDT. I'll update this post when we're done!

Update: All done! Comment here if you notice any issues that need our attention.

Fluttershy

Jun. 17th, 2016 09:49 pm
ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot
fluttershy_by_dennyvixen
Source: http://dennyvixen.deviantart.com/art/Fluttershy-613257420

In case you weren't aware that there won't be any new episodes for a few months, we've entered the mid-season break. There is no fixed date for the broadcast of episode 13, but chances are that it will be in September, like last year.

Autumn photography

Jun. 17th, 2016 09:38 pm
[syndicated profile] lecta_feed

Posted by Mary

Last year, inner west autumn in the rain:

Autumn leaves in Rozelle

This year, in the wake of one of the heaviest couple of days of rainfall I’ve ever experienced, and after such a warm autumn that the leaves in fact turn in winter, inner west autumn in the sun:

Autumn beyond autumn

Flutter

Shining

Security Through Obscurity

Jun. 17th, 2016 05:33 pm
brainwane: The last page of the zine (zine)
[personal profile] brainwane
I was at a conference, talking with some men, on our way to an informal group dinner. We started talking about what we were reading. One of them (white, US American) and I started talking about comics; we both like comics. I said something enthusiastic about Saga.

He then stated a disclaimer: that he knew he was a bit of a snob, and that if someone asked him if he knew about/read something fairly popular, fairly mainstream, he sort of internally sighed a bit; he preferred pretty offbeat stuff. It seemed like he wanted to prevent bad feelings down the line by forestalling me from asking "have you read [superhero thing]" or "have you read [current critics' darling]" and triggering impatience. I asked if I'd just done that thing, by mentioning Saga, and he said, no, it was fine.

I asked: "So, what's your favorite Amar Chitra Katha?"

There were at least a few seconds of silence, solid eye contact and silence, before he said that he did not know what that was.

So I, pleasantly, told him about the comics I'd read in childhood, made by Indians for many decades, featuring Indian fables, mythology, history, and legends. We then talked about, for instance, Greek and Norse mythology in Marvel/DC mainstream comics, and so on. He mentioned that it did seem like new Indian comics lines were starting up. He did not ask how or where to get ACK comics, or how to spell Amar Chitra Katha so he could learn more.

He didn't say anything explicitly acknowledging my indier-than-thou move (and I didn't either). I wonder whether he noticed it. I will usually prefer enthusiasm over status play, but I do have a few dominance displays in my toolbox and on occasion I will use them.

Code push tomorrow!

Jun. 17th, 2016 11:06 am
[staff profile] karzilla posting in [site community profile] dw_maintenance
We are planning to do a code push around 32[*] hours from now, at approximately 6pm Pacific time on Saturday.

Here's a partial list of changes that will go live with this push, apart from the usual minor tweaks and bugfixes:

  • Icon size limit raised from 40kb to 60kb.

  • Fixed the "hook: enddata returned false" error when uploading multiple icons.

  • Posting DW links on Facebook will now use the "Swirly D" logo for the link image.

  • Added seven new color variants on the popular "Teeny Tinies" mood theme.

  • The user profile page now lists "Other Services" in responsive columns.

  • The user icons page no longer uses "(Default)" in the alt text for every icon.

  • Improved non-ASCII character support in plain text email notifications.


We'll update again to let you know when the code push is in progress!

[*] I had a computer check my math this time, because it was almost wrong again. YAY COMPUTERS.
[syndicated profile] lecta_feed

Posted by Mary

At an engineering training with Greg Sabo in my first week at Stripe, he showed a cute trick: using a shell command to generate two random words when testing.

For example, every time I reconfigure my mail server, I send a distressing number of emails in this style:

echo "Testing" | mail -s "Mary Test 1" mary
echo "Testing" | mail -s "Mary Test 2" mary
echo "Testing" | mail -s "Mary Test 3" mary

(I usually lose count around Test 4, for the record.)

Likewise, in testing the Stripe create charges API function, one might run this from the documentation:

curl https://api.stripe.com/v1/charges \
-u sk_test_BQokikJOvBiI2HlWgH4olfQ2: \
-d amount=400 \
-d currency=usd \
-d source=tok_189fCj2eZvKYlo2CjCzCPbk5 \
-d description="Charge for test@example.com"

Wouldn’t those be both more fun and somewhat easier to find in mailboxes, logs and dashboards as, say, Mary test fan merinos and Charge for cellular ascendents respectively? It would be! Thanks Greg!

Implementation-wise, on very recent Ubuntu, the trick is to add something to your bash profile along the lines of:

rw () {
    # Drop words containing apostrophes (they upset xargs) and words containing
    # capital letters (a rough proxy for proper names), then pick two at random
    # and print them on one line.
    grep -v "'" /usr/share/dict/words | grep -v "[A-Z]" | shuf -n 2 | xargs echo
}

Background: shuf is a command that behaves like head and tail, only it returns a selected number of random lines. I’m filtering out single quotes (grep -v "'") in its input so as to not unduly annoy xargs, and filtering capital letters (grep -v "[A-Z]") as a proxy for filtering out proper names.

From there:
$ rw
newscaster mucky
$ echo Mary test $(rw)
Mary test equitable rough

For systems without shuf installed, there are a lot of potential solutions to shuffling a text file at Stack Overflow; this answer has a great roundup.

As a note of caution, you don’t want to run rw live in front of other people or send them the output unchecked; a random selection of 2 English words has some reasonable chance of being disgusting, offensive, strange, inappropriate, etc. Generate some memorable phrases privately in advance!

Slightly related: xkcd: Password strength.
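The rw trick above, reworked as an added example (my code, not Mary's or Stripe's): it does the same job on systems without shuf, using the awk-plus-sort shuffle that the Stack Overflow roundups describe, and it goes a little beyond the post by filtering against a blocklist for the unwanted-word problem, seeding from /dev/urandom so that two calls in the same second (several test emails in a row) do not return the same pair, and forcing the C locale so the [A-Z] filter means ASCII capitals whatever the user's locale. The word list, the blocklist and the names pick_words, rw2 and check_marker are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from Mary's post: a variant of rw that needs no shuf.
# The word list, the blocklist and the names pick_words, rw2 and check_marker
# are constructed for this demonstration.
export LC_ALL=C   # make [A-Z] and [a-z] mean ASCII letters regardless of locale

# Constructed stand-in for /usr/share/dict/words (one word per line).
WORDLIST="${TMPDIR:-/tmp}/rw_example_words.$$"
cat > "$WORDLIST" <<'EOF'
Aachen
ascendent
cellular
equitable
fan
merino
merinos
mucky
newscaster
o'clock
rough
sulfate
EOF

# Constructed blocklist of words that must never appear in a generated marker
# (a harmless stand-in; fill it with whatever you would not want in a subject line).
BLOCKLIST="${TMPDIR:-/tmp}/rw_example_block.$$"
printf '%s\n' sulfate > "$BLOCKLIST"
trap 'rm -f "$WORDLIST" "$BLOCKLIST"' EXIT

# pick_words FILE N: print N distinct random words from FILE on one line.
# Filters: apostrophes (they upset xargs), capitals (proxy for proper names),
# and exact matches against BLOCKLIST. Shuffling is awk's rand() plus sort;
# awk's default srand() seed is the time of day in seconds, so we seed from
# /dev/urandom instead to keep back-to-back calls distinct. This is test-label
# randomness, not passphrase randomness.
pick_words() {
    file=$1
    n=${2:-2}
    seed=$( { od -An -N4 -tu4 /dev/urandom 2>/dev/null || echo "$$"; } | tr -d ' ')
    grep -v "'" "$file" \
        | grep -v '[A-Z]' \
        | grep -vxF -f "$BLOCKLIST" \
        | awk -v seed="$seed" 'BEGIN { srand(seed) } { printf "%.17f\t%s\n", rand(), $0 }' \
        | sort -n \
        | head -n "$n" \
        | cut -f2 \
        | paste -sd ' ' -
}

# rw2: drop-in for the post's rw, reading the constructed list.
rw2() { pick_words "$WORDLIST" 2; }

# check_marker "WORD WORD": succeed only if the marker is exactly two lowercase
# ASCII words, each present in WORDLIST and none present in BLOCKLIST.
check_marker() {
    marker=$1
    count=0
    for w in $marker; do
        count=$((count + 1))
        printf '%s\n' "$w" | grep -qx '[a-z][a-z]*' || return 1
        grep -qxF -- "$w" "$WORDLIST" || return 1
        if grep -qxF -- "$w" "$BLOCKLIST"; then return 1; fi
    done
    [ "$count" -eq 2 ]
}

echo "Mary test $(rw2)"
```

To use it against the real dictionary, point WORDLIST at /usr/share/dict/words and put your own unwanted words in BLOCKLIST; check_marker is the "look before you send" step the post recommends, made mechanical.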

Page generated Jun. 29th, 2016 09:50 pm
Powered by Dreamwidth Studios