computers Archives - Lousy Canuck
https://the-orbit.net/lousycanuck/tag/t-computers/
Because I don't watch enough hockey, drink enough beer, or eat enough bacon.

But where do we dine?
https://the-orbit.net/lousycanuck/2016/03/30/but-where-do-we-dine/
Thu, 31 Mar 2016 03:54:15 +0000

Dining room table, covered in junk described below.

A candid-ish peek into our lives. Our dining room table. Contents: one semi-complete Legend of Zelda anniversary jigsaw puzzle, various computer parts and tools, a pair of glasses, a 64 pack of crayons, zero space for dining.

This is me blogging, instead of fretting about various outstanding blog issues! Hello!

(I omit the fact that this is an attempt to test my freshly reflashed phone’s WordPress app’s ability to connect to our freshly launched website of course.)

CloudFlare plugin breaks WordPress repeatedly
https://the-orbit.net/lousycanuck/2016/03/29/cloudflare-plugin-breaks-wordpress-repeatedly/
Tue, 29 Mar 2016 15:53:36 +0000

Cloudflare is a reverse proxy service that protects hundreds of thousands of websites, The Orbit included, from attacks like DDoS, spam, brute force, and various other exploits. Without it, in the adversarial environment that the Internet happens to be for social justice oriented folks, we would be crushed under the weight of people desiring to silence us. So, they’re doing us a great service, and we are indebted to them.

HOWEVER.

Yesterday, after a major vulnerability was discovered in the Cloudflare plugin for WordPress, which could allow sites to be cross-site scripted (a method that might allow you to inject bad code into a site “from the side”), it seems as though they panicked and decided to encode *all* POST and GET data, which caused a major set of problems. People trying to edit posts found every non-alphanumeric character turned into an HTML entity (“:” instead of “:” for instance). Then those entities were being reencoded again (“:”).

Over and over and on and on, the posts were getting more and more corrupted. And that wasn’t the only thing that was busted — admins were being told they didn’t have permissions to access certain pages, because the links to those pages were having parts of themselves converted to HTML entities as well. End users could see the site, but admins were fully hamstrung. Greta was working on Steven Universe episode 8 and got stopped short, emailed me to find out what broke, and to my horror, the auto-updated plugin for Cloudflare was actually hampering my ability to do anything in the WordPress admin. I thought we were in serious trouble, but I tracked it back to the plugin which had just updated to version 1.3.21. I pulled out an older version from Sunday’s backups, 1.3.20, and the problem was resolved. Then I found out WHY they’d updated it, and apparently there are such hacks in the wild right now.

So. Rather than risk getting us hacked, when they quickly released 1.3.22 to fix how they broke half of WordPress, I let it install that version.

Overnight, they’ve since updated to 1.3.23 to fix how they send things back to Cloudflare to pre-detect spam. So they made a giant mess and they’re clawing back at it right now.

There’s a problem that several people are reporting presently, that they can’t post comments while not logged in by submitting their email addresses — because the email address never validates. Clearly this is because the Cloudflare plugin is trying to sanitize that variable as well, incorrectly. Other blogs are also having this issue, as seen here: ERROR: The email address isn’t correct. (4 posts) and here: ERROR: The email address isn’t correct. (3 posts). This problem isn’t just impacting The Orbit, but any WordPress site that uses Cloudflare.

But because of the terrible nature of what they’re fixing here, we kind of have to ride out this storm. I could try to implement my own bugfix for this, e.g. by removing email address validation, but that would have other negative impacts on the rest of the site.

For now, please log in to make comments. Sorry for the inconvenience. Hopefully they’ll fix this issue too, as soon as possible.

This is a disaster and it was entirely avoidable through proper QA of the plugin before it being released. The rapid fire nature of the plugin updates speaks to a sort of panic to address the initial vulnerability, which is laudable, but a lack of foresight as to what kind of impact specific changes might make to the rest of the service. Those of us who rely on the plugin should not be stuck choosing between being hacked, being entirely unprotected against DDoS and spam, or having people be able to comment.

UPDATE: they released an update which properly namespaces their variables and only sanitizes those variables, so things should finally be under control. This is why you don’t release plugin updates into production without testing.

Try again to comment, please, folks.
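
The failure and the fix described in this post, as an added sketch that is not the Cloudflare plugin's code (the real plugin is PHP). The `cfdemo_` prefix, the field names, the sample request and the email pattern are assumptions made up for the illustration.

```python
import re

# Constructed model of the behaviour the post describes; none of these
# names come from the actual plugin.
PLUGIN_PREFIX = "cfdemo_"  # hypothetical namespace for the plugin's own fields

# Stand-in for the host application's email check (assumption, not WordPress's).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def encode_entities(value):
    """Turn every character that is not ASCII alphanumeric into a numeric entity."""
    return "".join(
        ch if ch.isascii() and ch.isalnum() else "&#%d;" % ord(ch) for ch in value
    )


def sanitize_all(params):
    """The broken approach: rewrite every request field, whoever owns it."""
    return {key: encode_entities(val) for key, val in params.items()}


def sanitize_namespaced(params, prefix=PLUGIN_PREFIX):
    """The fix: encode only the plugin's own fields, pass the rest through."""
    return {
        key: encode_entities(val) if key.startswith(prefix) else val
        for key, val in params.items()
    }


def is_valid_email(value):
    """Validation as the host application would run it on the submitted field."""
    return EMAIL_RE.fullmatch(value) is not None


def simulate_saves(content, sanitizer, rounds):
    """Model an editor that reloads the stored text and submits it again."""
    history = [content]
    for _ in range(rounds):
        history.append(sanitizer({"content": history[-1]})["content"])
    return history


if __name__ == "__main__":
    # Constructed sample request: two fields owned by the site, one by the plugin.
    request = {
        "email": "reader@example.com",
        "content": "Episode 8: notes",
        "cfdemo_token": "<img src=x>",
    }
    for name, sanitizer in (("all fields", sanitize_all),
                            ("namespaced", sanitize_namespaced)):
        cleaned = sanitizer(request)
        print(name)
        print("  email valid:", is_valid_email(cleaned["email"]))
        print("  plugin field:", cleaned["cfdemo_token"])
        for version in simulate_saves(request["content"], sanitizer, 3):
            print("  saved:", version)
```
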

On the reported RSS issues
https://the-orbit.net/lousycanuck/2016/03/16/reported-rss-issues/
Wed, 16 Mar 2016 21:43:35 +0000

Since launch, there’ve been several reported issues with RSS, which I’ve scrambled to try to fix before they did too much damage. But, we keep getting new requests, because the theme apparently doesn’t do a very good job of keeping track of the links, so here’s what’s wrong presently and what I’m working on to fix it.


  • Individual author feeds polluted with whole-network posts – originally, we had installed a plugin that served the feed from /feed for the whole network, but it turns out that it was too greedy and it also grabbed every author’s /feed URL as well. Caching RSS feed sites like Feedburner and Feedly grabbed what was in those lists, and kept them. Unfortunately, there’s not much we can do about this but wait for those to expire.
  • As a side effect of this, the theme’s expectation that the front page blog list should be accessible at http://the-orbit.net/feed/, and WordPress treating that like its own blog, means that feed is empty. The whole-network feed is actually at http://the-orbit.net/network-feed/ and it serves content from every blog. I will set up an .htaccess rule to seamlessly redirect the top level feed to the network-feed URL.
  • Once I’ve done the above point, I can change the link in the header on the front page to /feed/, thus making it more apparent that that’s the RSS feed as the CSS that provides correct iconography only auto-senses that specific URL.
  • An SEO plugin was installed to help with Facebook linking not grabbing appropriate featured images. That plugin expects all the authors’ feeds to be at /feed too. Fixing the previous point will fix the front page.
  • Some browsers don’t even care about the auto-sense URLs, so putting a prominent RSS feed icon in the top bar of every blog would be preferable. I’ll be doing that as soon as possible, as soon as other fires are quenched.

If anything else comes up, feel free to leave a comment or contact us via the contact form here.
Photo by thewritingzone

Thoughts on the Ashley Madison hack
https://the-orbit.net/lousycanuck/2015/08/20/thoughts-on-the-ashley-madison-hack/
Thu, 20 Aug 2015 19:58:33 +0000

I’m irritated by this whole thing.

On the one hand, it’s interesting that this might be the first time where MEN are being targeted generally for revenge for sexual indiscretions, and that these indiscretions are actually far more indiscrete than taking nude selfies to share with consenting adults.

On the other, this hack is every bit as much of a violation for these men and women, though it seems mostly only the men are going to be targeted. It includes information about their fetishes, and it includes instances of every account that’s ever been created and since “deleted”-but-not-really. The hack of the information from the site’s database is horrid, and the intent from some quarters — political, anti-social-justice, etc — to pore through it to damn specific people over being in that database is really gross. It’s gross in the same sort of voyeuristic way that putting up revenge porn is gross, though maybe not gross to the same degree insofar as it’s damning them for, at best, THINKING of doing something unethical, rather than damning them for doing something totally normal and commonplace as sending nudies to consenting partners.

This amounts to an infidelity dragnet, and it’s bound to catch innocents who’ve only engaged in “thoughtcrime”, having CONSIDERED having an affair. People who had accounts at one time, but no longer. People who had accounts before even being married. Yes, the site is about married people looking to “cheat”, but I’m sure straight and lovelorn people have ended up signing up for accounts on Grindr before, so it’s bound to happen that people sign up for this site just looking to pull a date. Not to mention that poly folks could very well use this relationship-finder with the full knowledge of their partners. Or people who signed up to research the site, even!

Mind you, it is a bright line that I cannot cross, where I would never engage in any activity that anyone directly impacted by it — e.g. partners — would not consent to. I am an advocate of ongoing, active, informed consent, and abrogating that consent is gross and wrong. It is a breach of trust that absolutely could and probably should ruin relationships. An ethical thing to do on encountering this information about someone’s relationship is to tell them privately — not splash it all over the deep web and create searchable indexes so that 4chan can go digging for dirt on all their most hated Social Justice Warriors. Never mind that they’re the ones constantly claiming that feminists just hate sex (despite evidence to the contrary), giving them the narrative that proving they might want sex somehow makes them hypocrites.

And don’t even get me started on the fact that finally, FINALLY, Josh Duggar — who molested several of his sisters — is suddenly viewed as a bad guy because he had an account here. Admitted child molestation is not a less serious crime than planning on cheating on your wife with zero proof of follow-through.

Just an unstructured thought dump.

Batman: Arkham Knight on PC pulled from Steam (and a possible fix?)
https://the-orbit.net/lousycanuck/2015/06/24/batman-arkham-knight-on-pc-pulled-from-steam-and-a-possible-fix/
Thu, 25 Jun 2015 03:36:58 +0000

Apparently, a bunch of folks are having a terrible time getting Batman: Arkham Knight for PC to work. It’s glitchy and unplayable to most. As a result, WB had it pulled from Steam until they could fix the bugs. They are also offering refunds.

Dear Batman: Arkham Knight PC owners,

We want to apologize to those of you who are experiencing performance issues with Batman: Arkham Knight on PC. We take these issues very seriously and have therefore decided to suspend future game sales of the PC version while we work to address these issues to satisfy our quality standards. We greatly value our customers and know that while there are a significant amount of players who are enjoying the game on PC, we want to do whatever we can to make the experience better for PC players overall.

Thank you to those players who have already given valuable feedback. We are continuously monitoring all threads posted in the Official Batman: Arkham Knight Community and Steam forums, as well as any issues logged with our Customer Support (http://support.wbgames.com/). If you purchased your copy of the game and are not satisfied with your experience, then we ask for your patience while these issues are resolved. If desired, you can request a refund at https://help.steampowered.com (Steam refund policies can be found here: http://store.steampowered.com/steam_refunds) or the retail location where you purchased the game.

The Batman: Arkham fans have continually supported the franchise to its current height of success, and we want to thank you for your patience as we work to deliver an updated version of Batman: Arkham Knight on PC so you can all enjoy the final chapter of the Batman: Arkham series as it was meant to be played.

I got the game for free with the laptop I just bought that has an Nvidia card that happened to be running a promotion. I encountered a bit of glitchiness when I first launched it, but I overcame that fairly quickly. Judging by reports, what I encountered may not be the only real issue at hand. Only a fraction of people seem to be complaining about what I was seeing. But what I did was fairly easy and fairly repeatable, from what I can tell.

The specific behaviour I saw was that when you launch the game, it would immediately minimize itself. Once minimized, if you click on the icon to bring it back up to the foreground, it would hiccup repeatedly to a black screen, exactly like this:

The solution for me was to use a gamepad, launch the game, hit Ctrl-Alt-Del to get to the security options in Windows. Choose Task Manager. You may have to do this more than once to get it to bring Task Manager to focus.

As soon as I managed that feat, suddenly the game in the background was running smoothly, with the Windows task bar and Task Manager in the foreground! Every time I clicked back onto the Batman window, though, it would revert to its buggy behaviour. So, I moved Task Manager out of the way, picked up my gamepad, and went into the graphics options, and tried selecting my current screen resolution (1920×1080), Windowed Borderless mode. Then I dared to click back into Batman — and it worked! It also works for subsequent launches. The issue appears to be with the fullscreen, and possibly with some bad window management as a result. It might be possible to induce this specific display mode through the command line launch options or some INI file, but I haven’t gone digging.

Seriously, if this turns out to fix all your problems, then it’s a shoddy implementation of windowing on Rocksteady’s third party PC porter’s fault, which should have been easily caught and (hopefully) easily fixed in QA — you DID do QA, right? It also only appears to happen with certain Nvidia cards, from all reports I’ve seen. And I’ve seen a number that report that over time, the game will eventually start crashing. I’ve only played through the first Batmobile AR mission, so I can’t tell if that’ll happen, but long-running games eventually crashing sounds a lot like memory management issues to me — some garbage collection isn’t being done, or something.

I still can’t get over the fact that this is a Batman game where you shoot tanks with missiles though. And where the first car you have to fire on actually does have a person in it, you make it flip, and it’s only through the grace of plot that the dude — a banged up wreck after being in a horrific missile-induced rollover — climbs out for you to interrogate.

VMware VM can't be cloned, moved or backed up? No problem.
https://the-orbit.net/lousycanuck/2014/12/17/vmware-vm-cant-be-cloned-moved-or-backed-up-no-problem/
Wed, 17 Dec 2014 16:50:39 +0000

There are probably easier (or harder) ways to do this, but my back was up against a wall yesterday: a very important virtual machine was in a very bad state after a series of hardware issues with the host, and basically one of those perfect storms of bad backup and bad host and bad VM happened.

Apparently, backups for this machine had been failing in a deceptive manner that didn’t clue us in that they were failing, and the host (VMware ESXi 5.0) was building new snapshots of the drive over and over again when Veeam tried to take a backup.

Worse, every time you tried to do a VMware level operation with the machine, it was complaining about the disks with something like “Error caused by file /vmfs/volumes/########-########-####-############/VM-Name/VM-Name-0000001.vmdk” and failing out. Little extra could be gleaned from SSHing into the host and checking dmesg, but it was plain the disk was being weird in a software way, not a hardware way. Luckily, the virtual machine itself could read the whole disk just fine, and it still ran just fine. So I was stuck with flaky hardware and no way to move the VM off of it.

But I was able to recover the VM by throwing this Hail Mary pass. Fair warning, this will probably take a lot of downtime. But it’s better than losing that very important VM altogether.

I’m sure there are better or worse tools to use than the Ubuntu 12.04 server iso that I had handy, but this worked just fine for my purposes. Feel free to suggest others — I know HJ Hornbeck is more partial to ddrescue than vanilla dd, but I don’t need any of those bells and whistles myself.

– Add identically sized drive(s) to VM
– Set to boot from BIOS on next boot
– Set CD to Client mode (or, if you have patience, upload ISO of CD for ubuntu 12.04 server to the datastore)
– Using console, mount ISO
– Set boot sequence to boot from CD first
– Save bios and boot from CD
– Pick recovery mode
– Enter your way through to where it wants to mount a root filesystem
– Pick “launch shell in installer environment”
– dmesg | grep sd — should show you your identical drives, one with partition, one without.
– dd if=/dev/sda of=/dev/sdb bs=4k conv=sync,noerror &
– Ampersand puts that task in the background so you can do this — to see progress, find the PID of the process you just launched via ps, then:
– kill -SIGUSR1 ####
– Number of records * 4096 = number of bytes it’s done so far. This is the closest to actual progress report I have been able to get.
– When it’s done, it’ll spit out the number of records again without you having entered a usr1 signal.
– Shut down the machine
– Take note of the SCSI connection, then remove the old drive (don’t delete it in case you need to recover or this didn’t work)
– Change the new drive’s SCSI port to what the old drive’s was
– Set to boot from BIOS again
– Change boot order back to usual
– Try booting the machine — it should work now
– Try migration, backing up, etc. — it should work now

I’m mostly adding this to the blog because, well, it’s all based on public knowledge, so why write out this procedure and only keep it at work?

Busy, busy worker bee
https://the-orbit.net/lousycanuck/2014/10/09/busy-busy-worker-bee/
Thu, 09 Oct 2014 17:25:09 +0000

You might have noticed that most of the work I’ve put into the blog lately has been to the end of promoting Geek Girl Con. This post is no different, save for a bit of complaining.

Honestly, I haven’t had much time for blogospherics lately, as work has had a series of disasters that I’ve had to mitigate, so I’ve been working my ass off. I’ve been venting my frustrations about current real-world events on Twitter in short form, because that seems easier to handle in the midst of jumping from one crisis to another with work, but the blog has lain fallow for too long, so I decided to cross-purpose a bit of work I did today. Why use something you’ve done once, when you can use it twice?

At Geek Girl Con, I’m going to be working in the DIY Science Zone, teaching a thing or two about randomness, especially as pertains to dice. I’ll be performing a few demonstrations of how humans don’t really grok randomness, including one where I’ll get people to draw fifty random dots on a piece of paper. I’ll then compare them to a better (though still not perfect) pseudo-random generator, a computer.

Then I’ll go on to talk about how this universe is deterministic and randomness really isn’t all that random no matter what we do to generate it, and pretend to be all smart and stuff. We’ll see how that works out.

I’ve written a little Python script to help with the first demonstration I mentioned above. Here it is. It uses the fairly standard Pygame init > run > terminate main loop you might see in other examples.

#Random dots 1.0
#By Jason Thibeault, 2014
#For use in demonstrations of randomness at Geek Girl Con

#Settable variables
numdots = 50

#Imports
import pygame
from pygame.locals import *
import random

#Defines
bg = None


def Init():
     global bg, screen
     pygame.init()

     infoObject = pygame.display.Info()
     WIDTH,HEIGHT=infoObject.current_w, infoObject.current_h

     bg = pygame.display.set_mode((WIDTH,HEIGHT), FULLSCREEN, 32)

     pygame.mouse.set_visible(False)


def Run():

     infoObject = pygame.display.Info()
     WIDTH,HEIGHT=infoObject.current_w, infoObject.current_h

     bgcolor1 = (255, 255, 255)

     # Create a bitmap for the dot
     bitmap = pygame.Surface((8, 8), pygame.SRCALPHA, 32)
     pygame.draw.circle(bitmap, (0, 0, 128), [4, 4], 4, 0)

     dots = ArrayDots(numdots)

     # Loop forever
     quitgame = 0
     while not quitgame:
         pygame.event.pump()

         # Fill background
         bg.fill(bgcolor1, (0, 0, WIDTH, HEIGHT))

         # Render dots
         for dot in dots:
             bg.blit(bitmap, dot)

         pygame.display.update()

         # Look for quit and mouseclick
         for e in pygame.event.get():
             if e.type in [pygame.QUIT]:
                 quitgame = 1
                 break
             elif e.type == pygame.KEYDOWN:
                 if e.key == 27:
                     quitgame = 1
                     break
             elif e.type == pygame.MOUSEBUTTONDOWN:
                 dots=ArrayDots(numdots)


def ArrayDots(num):
     arraydots = [None]*num
     infoObject = pygame.display.Info()
     WIDTH,HEIGHT=infoObject.current_w, infoObject.current_h

     for i in range(0,num):
         arraydots[i] = RandomDot(WIDTH,HEIGHT)

     return arraydots

def RandomDot(rangex,rangey):
     x,y = random.randint(1,rangex),random.randint(1,rangey)
     return [x,y]



def Terminate():
     pygame.mouse.set_visible(True)
     pygame.quit()


def main():
     Init()
     Run()
     Terminate()


main()

The sophistry and revisionist history in Skeptoid Brian Dunning's statement
https://the-orbit.net/lousycanuck/2014/08/10/the-sophistry-and-revisionist-history-in-skeptoid-brian-dunnings-statement/
Mon, 11 Aug 2014 04:07:18 +0000

My understanding of Brian Dunning’s cookie-stuffing scheme is fairly thorough at this point. I’ve read the articles in major news organizations about Dunning and Shawn Hogan’s scheme, and I happen to understand to a very high degree of fidelity the workings of the World Wide Web and cookies. So when I read the statement that he wouldn’t allow copying-and-pasting on, I balked. Not only at the lies, misdirection and obvious con-man level sophistry going on in the post, but that anyone who claims to have pulled off such a job might think that what they claim to have done is actually plausible.

Rebecca Watson has done a thorough job at deconstructing the statement for what it is: a great ball of chaff thrown up to confuse the radars of so-called skeptics who are evidently unable to recognize such tactics. But there’s some nuance I’d like to add, specifically because there are parts that appear to directly reference something I blogged about recently, which has bubbled up to very near the top of search results on the terms “Skeptoid” or “Brian Dunning”.

First, I’ll explain the lay of the land as I understand it from public news articles on this topic (such as this one from April 2013).

Shawn Hogan, eBay’s top affiliate, and Brian Dunning had each joined the eBay affiliate program in 2000 and 1999, respectively. They met in 2003 and became friends. In 2006, they evidently hatched a scheme while playing World of Warcraft to make a large number of referrals and thus generate a significant payout from eBay by using a technique called “cookie stuffing”. They would disseminate the stuffed cookies using website widgets, little gadgets a webmaster could install on their site intended to show something interesting like who in the world was loading that specific page in real time.

This cookie-stuffing technique involves placing the user’s affiliate cookie — a tiny piece of data that is stored in a user’s browser and can be used to track pieces of information — on systems that happened to visit any website that had a chunk of code that Hogan or Dunning controlled; specifically, the widgets they’d offered for free acted as something of a trojan horse to spread their cookies far and wide. This cookie would report to eBay any time a web surfer thereafter visited eBay and purchased something, so that to eBay it would register as having been generated through Hogan’s affiliate link.

Under normal use, legitimate cookie setup allows for small businesses to link to things on eBay and, if the web user legitimately clicked through on that link and purchased an item, the small business would get a percentage commission or some other prearranged compensation. In Hogan and Dunning’s cases, people were not actually clicking through links to eBay’s site — they weren’t ever visiting eBay, they were only receiving the cookie. The stuffed cookie caused eBay later to believe that some percentage of web users’ purchases should be credited to Hogan’s or Dunning’s affiliate program. This functionality was clearly not the intended design of the program; those users did not actually go to eBay directly from their sites intending to buy something. They didn’t even touch eBay at all, save for being made to obtain the cookie.

Dunning had formed a company with his brother, Todd Dunning, in 2003, called “Kessler’s Flying Circus”. They were evidently the sole owners of the company, and not, as Brian suggests, “employees”. They went into affiliate marketing and made a very meager paycheck in referring people back to eBay — certainly no get-rich-quick model. In early 2006, near the beginning of the stuffing scheme, Todd attempted to rat out Shawn Hogan to eBay, but initial investigations chalked that up to rivalry between the two companies competing in the same space.

When Hogan ended up making huge amounts more than Dunning, because Hogan had figured out how to use an invisible single pixel link to jam a whole web request over to eBay without a user actually clicking anything, Dunning turned on Hogan. Dunning actively blackmailed Hogan to help him improve his own game, because Dunning couldn’t figure out how to reverse-engineer what Hogan had used in his own widgets.

Dunning also took specific steps to avoid detection, such as never installing cookies in the city where eBay’s or Commission Junction’s home offices reside, cloaking the cookie request in some Javascript so it wasn’t detectable to someone viewing the source code of the widget, and even avoiding stuffing a cookie on the same computer twice, because seeing more than one cookie on the same computer with their affiliate ID could raise some hackles at eBay.

In 2008, eBay was fed up with the deflection and lack of justification for the huge numbers he was driving; every time they’d asked Dunning or Hogan for more information on how they were driving so much traffic, they weren’t given satisfactory answers. They sued Dunning, Dunning and Hogan; discovery dragged out and two years later, they still hadn’t reached trial.

By 2010, investigators had finally figured out that 99% of the traffic that they were receiving from Dunning and Hogan’s scheme was illegitimate, ultimately only discovering this by correlating whether or not someone actually visited their webpage when they received a cookie with the suspected stuffers’ IDs. Why they didn’t do this previously, I could not fathom, except that from their standpoint, they saw hits rolling in and thought they were making a ton of cash from it, and so were blinded by the “success” of the program.
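
The correlation described above, as an added detection sketch that is not eBay's or the investigators' actual method or log format. The log layout, client and affiliate IDs, the 30-second window and the flagging thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a cookie_set line records an affiliate cookie being
# issued to a client, a page_view line records that client rendering a page.
SAMPLE_LOG = """\
2010-01-05T10:00:00Z cookie_set client=c1 aff=A100
2010-01-05T10:00:02Z page_view client=c1
2010-01-05T10:05:00Z cookie_set client=c2 aff=A100
2010-01-05T10:05:01Z page_view client=c2
2010-01-05T11:00:00Z cookie_set client=c3 aff=B200
2010-01-05T11:00:30Z cookie_set client=c4 aff=B200
2010-01-05T11:01:00Z cookie_set client=c5 aff=B200
2010-01-05T11:02:00Z cookie_set client=c6 aff=B200
2010-01-05T11:02:03Z page_view client=c6
2010-01-05T12:00:00Z page_view client=c3
"""


def parse(log):
    """Parse 'timestamp kind key=value ...' lines into time-ordered events."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        attrs = dict(field.split("=", 1) for field in fields)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, attrs))
    return sorted(events, key=lambda event: event[0])


def score_affiliates(log, window=timedelta(seconds=30)):
    """Per affiliate: cookies issued, and how many had no page view by the
    same client within `window` of the cookie being set."""
    events = parse(log)
    views = defaultdict(list)
    for ts, kind, attrs in events:
        if kind == "page_view":
            views[attrs["client"]].append(ts)

    stats = defaultdict(lambda: {"sets": 0, "unmatched": 0})
    for ts, kind, attrs in events:
        if kind != "cookie_set":
            continue
        entry = stats[attrs["aff"]]
        entry["sets"] += 1
        if not any(ts <= seen <= ts + window for seen in views[attrs["client"]]):
            entry["unmatched"] += 1

    return {
        aff: {**entry, "ratio": entry["unmatched"] / entry["sets"]}
        for aff, entry in stats.items()
    }


def flag_affiliates(log, min_sets=3, max_ratio=0.5):
    """Affiliates with enough volume whose cookies mostly lack a page view."""
    return sorted(
        aff
        for aff, entry in score_affiliates(log).items()
        if entry["sets"] >= min_sets and entry["ratio"] > max_ratio
    )


if __name__ == "__main__":
    for aff, entry in sorted(score_affiliates(SAMPLE_LOG).items()):
        print(aff, entry)
    print("flagged:", flag_affiliates(SAMPLE_LOG))
```
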

Knowing all of this, let’s highlight the lies in Dunning’s “statement”.

In about 2003 my company partnered with another to form “Kessler’s Flying Circus”

By “my company” you mean yourself; by “another” you mean your brother Todd. You had affiliate “companies” previously, which you disbanded (easy to do when you’re the owner and only employee!), and formed the new umbrella megacorp. Of two people. Holding all the same assets you held previously.

Affiliate marketing is where you place ads on the web, and if anyone clicks those ads and subsequently makes a purchase, you would get a sales commission of some kind.

Yes, that’s what affiliate marketing is SUPPOSED to be. You did an end run around the service, faking the whole part where you provide eBay with any actual service in exchange for their commission.

For our first few years we had very little success, making perhaps a few hundred dollars per month.

Probably because you were playing by the rules at first.

The money he made pre-scheme is important. I’ll come back to this.

But then, working in close association with eBay and with Commission Junction (the company that managed eBay’s affiliate program) we developed a pair of useful widgets: ProfileMaps, that showed a map of visitors to your MySpace page; and WhoLinked, a WordPress plugin that showed who has linked to your blog.

You actually did not vet the functionality of the code with eBay, as evidenced by their investigations, subsequent lawsuit, and your subsequent criminal indictment, and so your “working closely” involves, actually, all the little ways you tried to make it harder for them to detect what you were doing that I mentioned earlier.

You were making effectively no money doing things legitimately, as you’d just said; then you built a widget that overtly did absolutely nothing eBay-related, and that went viral. But it was doing something covertly: stuffing cookies onto the target computers. You admitted that your efforts prior to cookie-stuffing were not making you the sort of cash you were expecting. Then you were making gobs of money, suddenly and like through magic. All without actually delivering users to eBay the way any affiliate marketer might do legitimately — the service that eBay THOUGHT it was paying you for.

I was the second highest paid employee, and I did earn over a million dollars personally over 2006 and 2007 before taxes.

Then the first-highest paid employee must have been Todd Dunning, your brother. Since you were the one doing all the illegal stuff with cookies, what exactly was Todd doing to merit more pay, other than being in the know and trying to blow the whistle on Hogan? How MUCH more did he make, considering you were being sued for having made $5.3 million? That “over a million” represents AT LEAST 18% of all the earnings of Kessler’s Flying Circus from the entirety of the eBay cookie-stuffing scheme. How much more than a million was it, exactly? Could it have been 2 million? Two and a half?? That’s closer to what I’d expect, given all the operating costs and overhead of running a two-person company that builds web widgets and delivers ads on websites from inside your own home.

And the “clarifications” Dunning makes are priceless. To wit:

That I “stole millions of dollars”. Completely false. The vast majority of KFC’s earnings, over 90%, were never in dispute. My share of the unearned commissions was about a third of the $200-400K, on which I paid taxes. That doesn’t make it any less of a crime, but absurd exaggerations serve nobody.

Kessler’s Flying Circus made $5.3 million from eBay, in total. The government, in their wiretapping charges, stipulated that they couldn’t actually determine what amount of money came directly from eBay from users that didn’t intend to get to eBay through another affiliate, and what amount was actually stolen from other legitimate affiliates (by having his cookie override theirs), so by all appearances they lowballed to ensure a conviction. So, all parties agreed that at least $400,000 of the money Brian Dunning made from that program was stolen from eBay. It’s not that the rest of the money isn’t in dispute — it rightly is disputable. The problem is in doing the math on how much is actually “unearned” by the definition used here, where the users who counted as commissions were just people who happened to go to eBay and purchase something at some point after having visited a website that had one of Dunning’s widgets on it.

It beggars belief to suggest that 90% of the $5.3 million that Kessler’s made off of eBay actually came from either people legitimately clicking on an ad on one of Dunning’s sites, considering what Dunning admitted to making prior to the scheme, or resulted from people actually clicking on someone else’s affiliate ad but getting credited to Dunning instead. In the former case, that’s totally legitimate, but cap that at “a few hundred dollars a month” times twelve. In the latter case, I would count that as absolutely illegitimate, and totally disputable.

And further, “Operation Tripwire”, wherein eBay included a 1×1 pixel image of their own on the legit site in order to correlate stuffed cookies with actual pageviews, discovered 99% of the traffic sent with Dunning’s ID was illegitimate. The problem comes in cross-referencing whether people getting the stuffed cookie actually ever went on to buy something; whether they went on to buy something from someone else’s ad; or whether they actually bought something without ever clicking on someone’s ad at all. Because all of those numbers were fuzzy, the government lowballed. And that’s fine. There are some numbers that, without deep forensics and very careful logging that eBay obviously didn’t have in place, are impossible to suss out after the fact.

It DOES mean that the 15 month conviction is also a lowball, considering someone mugging a person and stealing a hundred bucks might get them five to ten years. White collar crime should absolutely get stiffer penalties than blue collar crime, in my estimation. Only in cases of violence should the latter be treated more sternly.

That any individuals were affected. Completely false. The only victim was eBay, and the nature of their loss was a reduced profit (due to paying unearned sales commissions) on new paying customers who had viewed one of our ads.

No, individual end-users who purchased from eBay were not impacted. It would not increase the amount they paid to eBay at all. However, individual rival affiliate marketers were almost certainly impacted by having their cookies overridden with your own. You stole some indeterminate amount of money from other affiliates, and some other indeterminate amount of money directly from eBay, and because those numbers are hard to suss out of the total $5.3 mil, the government just went with $400,000 and you and your lawyers agreed.

It’s all in the court records, Brian. Maybe you should read them. Given that you pled guilty to this, it might have been a good idea to know and understand exactly what you were pleading guilty TO.

A conspiracy theory that my nonprofit Skeptoid Media, Inc. was set up as some kind of shield to hide stolen millions. First, I never had millions in my possession; second, you cannot shield money from the feds. The federal government can seize anything at any time; there is no protection like there is in state cases (e.g., moving to a state that allows you to keep your primary residence). Skeptoid Media exists only for its stated reasons: producing free educational materials and STEM-focused informational and entertainment content, made available to educators and individuals worldwide, concentrating on critical thinking and scientific skepticism.

This is almost certainly referring to my earlier post on Dunning’s fraud, which to my knowledge is the first such post alleging that Skeptoid Media was converted into a non-profit during Dunning’s pre-jail eleventh hour, when he realized that it was all going to hell and he would face consequences for his fraud.

And it’s not what my post argued. My post argued that Skeptoid could not survive on its own with Dunning imprisoned, and so turning it into a non-profit was a good way to ensure it survived past him. And that, in and of itself, is a good way to do things; I’d rather skeptical outreach organizations actually have public accounting for their cash flow so we can scrutinize (some might say, skeptically!) what’s actually being done with our donations.

It further argued that because the civil suit was eventually dropped and eBay did not seize any funds from Hogan or Dunning, and because the FBI did not levy a fine against Dunning in sentencing, the $5.3 million that Dunning’s company made off of eBay comes with only one fine: fifteen months in white collar jail and three years supervised release. He’s effectively bought millions of dollars in exchange for a short stint in jail.

Regardless of how much of that money is actually usable by you or your (loving, beautiful, probably innocent, probably undeserving of this travesty) family, YOU are still getting off really goddamn easy here, Dunning. If the government had decided to seize $5,300,000, it would obviously bankrupt Dunning, because much of that money’s already been spent, either by him (paying mortgages, setting up college funds, paying off debt), or by Todd, or by Kessler’s Flying Circus in “overhead”. We also don’t know how much money Dunning directly contributed to Skeptoid. However much that was, I can virtually guarantee you that it’s touched tainted money. Unless Dunning did not use any of his own capital to seed Skeptoid, ever, and he’s taken very great care in maintaining his books, Skeptoid has almost certainly seen some of that money.

And it’s untouchable now. The money that Dunning has made, now that he’s convicted with no fine, and the civil suit is dropped, is untouchable. Some of it almost certainly went into Skeptoid. And we have no clue how much that is.

Unless the IRS decides to pay very, very close attention to Skeptoid, including a thorough accounting of all income prior to getting non-profit status, Dunning will have faced no monetary repercussions for his actions.

But given his status as a convicted felon, if you want to trust him with your money and donate to Skeptoid, you just feel free. That’s your lookout. We skeptics are only supposedly in this community in order to prevent fraudsters from taking your money under false pretenses; I don’t know what that might POSSIBLY have to do with THIS specific situation, do you??

That I’m a millionaire who has the gall to beg for donations. Please do not conflate the two. Donations that support the Skeptoid podcast go only to support Skeptoid Media, a good cause.

Welllllll… You DID just admit to making over a million dollars pre-tax during the one year your scam was running and you were still affiliated. That makes you a millionaire, even if you don’t have it in the bank. It’s language sophistry at its finest. We don’t have any way of knowing that you didn’t ever have a million useable dollars in the bank. You’d know better than I how high your bankroll actually ever climbed as a result of your misdeeds.

And you carefully and attentively pointed out that donations to Skeptoid only go to Skeptoid. That is secondary to the thrust of the complaint you’re rebutting here, being that we don’t know how much of your ill-gotten gains went to support Skeptoid too. People don’t like donating to people who are not in any sort of financial need. And even if there IS a financial need, people feel an odd sense of entitlement toward policing how that money gets spent, even if the plan is entirely laid out in advance and totally transparent. People especially don’t like donating to someone who claims to have a need, but turns out to have alternate means of funding that they hadn’t disclosed — like, oh, say, millions of dollars rolling in from defrauding a major corporation and everyone else in the same affiliate program as you. Beyond that, since your alternate means of funding was actually illegal, as evidenced by your going to jail for it, some people who’ve donated to your podcast might feel suddenly and understandably very put-out about having done so.

The pièce de résistance of the piece, his sidebar about rescuing a Chinese family from a car rollover notwithstanding, is this throwaway in the “clarifications” bit:

Separately, I am not a millionaire and my family is under a huge amount of debt and has no savings at all, but working that out is our problem, not yours, and not Skeptoid Media’s.

You said earlier that you paid off your mortgages, and set up college funds, and were “just about to start saving”, implying your debts were paid off. So… pardon me if this seems a bit unsympathetic, but cry me a goddamn river.

Finally, I should note that while I once lamented the virtual radio silence the skeptical community has endured on the nature of Dunning’s fraud, I am heartened that Freethought Blogs and Skepchick are no longer the only blog networks who refuse to let this story get memory-holed. Hemant Mehta has some choice words for Brian Dunning as well.

The virtual radio silence on Brian Dunning's fraud https://the-orbit.net/lousycanuck/2014/08/05/the-virtual-radio-silence-on-brian-dunnings-fraud/ Tue, 05 Aug 2014 23:53:22 +0000

Today, Brian Dunning of the Skeptoid podcast and brand, blogger at SkepticBlog, was sentenced to 15 months prison and three years supervised release.

Barely anyone’s talking about it, though (except, obviously, us Social Justice Bullies who will inevitably be accused of crowing about this news).

But that’s not honestly surprising — prior to today’s sentencing, almost nobody in the skeptical community was talking about it save for a few lone voices, except to defend Dunning’s actions in those few pockets of distress. So I honestly shouldn’t have been surprised by this comment by MarshallDog at Skepchick, but considering I’m one of those few people who’ve mentioned his fraud, his pleading guilty, and his sentencing for wire fraud that netted him $5,200,000, I can’t help but feel some measure of distress that this “hero’s” misdeeds have gone virtually unnoticed.

I am really shocked. I hadn’t heard anything about this before. I have been listening to Skeptoid for years, and made small donations to the podcast before. I need to make damn sure that those payments aren’t still being made, though I’m almost positive I stopped a year ago.

In any case, being a peripheral member of the skeptical community it’s not that surprising I hadn’t heard this was happening. Still I hope I just missed the bulk of reporting. I’d hate to think skeptics were avoiding the issue just because of Dunning’s place in the movement. I’m really shaken by this. I want to trust that the people I admire are at the very least decent human beings. Now a voice I regularly listened to turns out to come from a criminal.

I feel unclean. I feel a strange desire to wash my ipod, but I’ll settle for just deleting the skeptoid episodes still within.

Your analysis, despite being peripheral, is not incorrect. Skeptics are avoiding the issue. Only us “bullies” have been saying a damn thing about it.

I really wish the skeptical community had not repeatedly defended Dunning’s actions, as though some level of skeptical outreach excuses gross fraud. The Halo Effect has no place in our communities, and we should be especially leery of anyone who argues for this sort of con-artistry in a community that prides itself on teaching people about others’ fraudulent claims. All the shade you throw at someone like Uri Geller for lying and taking people’s money under false pretenses is suspect if you also support a skeptic who lies and takes people’s money under false pretenses. Skepticism is theoretically a social justice cause, and seeing it undermined by such self-interested, greedy, amoral and oftentimes IMmoral scumbags is disheartening.

The prosecutors actually successfully argued for a harsher punishment than he’d get if he’d committed a break-and-enter. That’s good, not just from the perspective of letting the punishment fit the magnitude of the crime (arguably, stealing MILLIONS should be worth more jail time than, say, getting caught with an ounce of pot!), but also from the perspective of letting the punishment fit the mitigating motivation. White collar crime done with zero material necessity outside of general greed is orders of magnitude less understandable, to me, than being motivated by a direct need. It’s well possible that some of the $5 million he got from eBay came from legitimate referrals from his own site.

But most galling is not that he took that money from eBay, though the majority of that money almost certainly came from eBay directly — it’s that other people’s referrals might have gotten squished by these stuffed cookies, resulting in Dunning stealing money from other people who rightfully deserved it. He mostly defrauded eBay but also secondarily defrauded potentially hundreds or thousands of other small marketplaces on the internet.

Remember, the Skeptoid brand still exists — it was converted to a non-profit organization sometime after Dunning realized the hammer was about to come down on him. He was not levied any sort of fine, though, considering eBay dropped the civil suit, so the money used to seed the Skeptoid brand is almost certainly all tainted. I do not know what will happen with that money, but it’s possible that despite his jail time and supervised release, he’s getting off practically scot-free.

We deserve better. Don’t we? Or is the community PRIMARILY made up of such immoral scumbags, and only SECONDARILY by people who give a damn about the social injustice of being defrauded by woo-peddlers?

Why I distrust Apple, in one short video https://the-orbit.net/lousycanuck/2014/06/09/why-i-distrust-apple-in-one-short-video/ Mon, 09 Jun 2014 14:41:49 +0000

Okay, seriously. I know that WWDC is a sales pitch more so than a tech demo. But this supercut of superlatives tweaks every nerve I have as regards manipulative language.

There’s not a lot of actual innovation in their new iteration, that I can see, just a nice coat of paint slapped on the same old stuff. “This changes everything” was true when iOS first got introduced, but now it’s all “this keeps everything the same except for a prettier wastebasket.”
