How to Replace Patreon

What is Patreon?

Patreon is a “Drip Content” site, with membership features. It’s nothing new, they’ve simply rolled a few popular features of content publishing into a social package with few distractions and a catchy title.

Build Your Own

You can easily re-create all of the features of your Patreon page using a few easy plugins and WordPress. You will need hosting, but you can get that really cheap. This solution is not free, but if you make most of your income from Patreon support this is a good move for you.

WordPress + WooCommerce

First things first, you need to build a website. This is really easy. Sign up for some WordPress hosting someplace, and use one of the built in free WordPress themes or find one on the WordPress Repository.

Once that’s done, log in and go to the plugins section of your administration dashboard. Search for WooCommerce and install it. WooCommerce setup is a bit complicated as there are a lot of options, but you’ll be focusing on “virtual” products so you don’t need to worry about shipping. Get your payment gateway configured (under Checkout settings), and you’ll be good to go. I recommend using Stripe as your payment gateway; you can find the Stripe extension for free at WooCommerce.com.

Subscriptions

The subscriptions plugin at WooCommerce.com is the best choice to use for this method, but it costs $200. However, you can get the exact same plugin for $35 from wpspring.com. You won’t get any official support for it, but it will work and it’s 100% legal.

Once you’ve installed the Subscriptions plugin, set up a few subscription products for your various membership levels.

Restrict User Access

The final piece of the puzzle is the Restrict User Access plugin. This plugin is free. It offers many different ways to restrict access based on membership levels.  One easy way is to create a tag on posts you want restricted, such as “Level One” or “Level Two”, then you can create access levels with access to specific tags.

There you have it

This is not a step by step tutorial, but these tools are very easy to use. If you would like help with putting this all together please feel free to email me.


UPDATE: COSTS

A few people have raised the concerns of costs or labor required to maintain a WordPress website. My intentions with this article are altruistic and not commercial, however because it can be difficult to find a good affordable solution for hosting I am going to plug my own service, https://pridetechdesign.com.

You can get a fully managed high quality VPS on Digital Ocean servers, pre-configured with WordPress, complimentary domain registration, full E-mail capability, enhanced security features, and 24/7 monitoring for trouble, for as low as $10/mo or $102/yr (15% discount for annual payments).

To keep your website and data secure there’s a number of very cheap maintenance plans available. Updates and Backups are $5/mo or $51/yr, while additional enhanced security and more vigorous backups are $15/mo or $153/yr.

This means that you can do everything I mentioned in the article above for $12.75 per month. Consider the 5% fees that Patreon charges and decide for yourself what is best.

How to build a Modern BBS


Preface

After reading an article here about building a modern Bulletin Board System, and crafting my own brief response here about how the website already is a modern BBS, I decided I should write a short guide on how you can construct a modern equivalent of a BBS on the web using mostly free tools.

A computer & phone line

In the 1980s operating a BBS required a computer and at least one phone line. Back then a single phone line would cost $20 to $50 per month. Today, a phone line still costs a minimum of $20 a month (phone service is a racket!), but you don’t need to spend that much. For $5 per month you can rent a Virtual Server from Digital Ocean with a dedicated IP address. As far as quality and reliability are concerned Digital Ocean are the best in the marketplace, which is why I recommend them. The link I provide is a referral link which will give me credit toward my own hosting bill if you sign up.

Digital Ocean Hosting

Website Software

It is true that you could build a website from scratch so you don’t actually need to use this software but that takes a lot of time and you’d be re-inventing the wheel. That’s okay if you’re a developer and you’ve got a great idea for a wheel that nobody has thought of before, but otherwise I recommend using WordPress. It’s free and mature, as well as very easy to start using.

WordPress.org

Message Boards

In the 1980s, “Message Boards” are where people would post and discuss topics. Today we call these things “Forums” but they serve the same functionality. The best software for setting up a message board on a website is phpBB. Not only is it free, but it has a really excellent user interface that meets all of the common needs and is very intuitive. It is stand-alone software and it is loaded with features. Installation is pretty easy but configuration can feel a bit daunting. Just take your time and read the documentation and you should be fine.

phpBB

DOOR Games

One of the coolest features of a BBS in the 1980s was Door Games. These were computer games that ran externally from the BBS software. The term ‘door’ was a reference to how the BBS acts as a gateway to access these games. This technology has evolved in multiple ways and powers many of the advanced capabilities seen on the internet today.

There are many ways to run games on your website. Software such as Unity or HTML5 make it possible to build modern games for the browser. However, because nostalgia is a big part of this theme, I’m going to recommend EM-DOSBOX, which is a plugin that allows you to run actual DOS games from within a web browser. The Internet Archive uses this same software for its video game archive website.

EM-DOSBOX

Real Time Chat

In the 1980s operating a chat system on a BBS was extremely expensive. First most free BBS software didn’t support it well at all, so you probably had to pay for a commercial platform. Second, every user required their own phone line connection, so if you wanted a 10 person chatroom you had to pay for 10 separate phone lines. Today it’s so much easier and cheaper.

There’s a lot of ‘chat’ plugins available for WordPress. I am going to focus on Matrix.org and Riot.im. There isn’t an easy ‘plugin’ available to install these on your website, but you could use an iframe to embed a riot.im chatroom. The Matrix protocol is still very early in development and as time goes on you can expect there will be simpler and more elegant solutions for this purpose.

Matrix.org
Riot.im

Summary

So there you have it: all of the tools required to build a modern “BBS” on the web, and with the exception of server rental all of it is free. You could, in theory, do all of this on your own server running on your home internet connection but that introduces some challenges such as DNS addressing. It’s up to you if that’s worth the $5 saved.

You might notice I did not include detailed tutorials on each piece of this puzzle. That is intentional. This post is meant to be a starting point for people interested in this sort of project. There are already dozens of specific guides and tutorials available for each of the things I’ve linked. This kind of project represents an adventure and learning about the software is part of that adventure. Also, detailed information like installation procedures are likely to evolve over time. So if you’re looking for help with phpBB or WordPress, just do a web search for tutorials on those subjects and you’ll find dozens.

I hope you found this article helpful or useful. I welcome any comments on how to improve my recommendations.

The website is the modern equivalent of a dialup BBS

Preface

Today I read a really cool and nostalgic article about the BBS, which stands for Bulletin Board System. BBSes were what the cool kids used to communicate online before there was a consumer internet. You can read that article here.

I just had to comment, because BBSes played a significant role in my teenage life. I spent more time online than I did in the classroom. Seriously I failed several classes in high school because I never attended, I was at home playing Legend of the Red Dragon or responding to posts in the forums. I’ve included my response below:

My response

I think it’s awesome what you’re doing, I grew up on BBSes and I didn’t think they were weird at all, but everyone at school thought I was weird. Then the internet hit their living rooms and I don’t talk to those people anymore. Too busy getting paid $100/hr to build and support their websites.

While I love the nostalgia of this project, I think it’s worth noting that the “Modern BBS” is called a website. I know I know, ‘it’s not the same!’, believe me I get it. But from a purely end-user functionality standpoint, a website is exactly the same as a BBS, only improved.

Forums are handled by software such as phpBB (hands down the best UX in forums), you can play all sorts of web based games including dosbox classics with some java plugin, chat rooms are easy to embed especially with the new Matrix.org protocol, and of course we have various ‘wiki’ software to handle documents.

Best of all, an IP address is cheaper than a phone line ($5/mo droplets from Digital Ocean are the way to go) and the cheapest solutions can still handle 5–20 simultaneous visitors.

One of the things I always thought was really great about BBSes is how they empower “regular” people to organize and communicate ideas. Literally anybody can set one up, you don’t need a license or permit and the costs aren’t prohibitive. Websites are the same. We’ve been seeing the results of this anarchy for the past 30 years as corporations are no longer able to monopolize the distribution of information.

When I was a kid I ran my own BBS using the Renegade software. I had wicked ASCII art I found on pirate sites when you logged in, I forget what but it was probably a grim reaper or something. Now I have tailpuff.net and the first thing you see are high resolution full color graphics. It doesn’t tweak the nostalgia but it definitely is an improvement of the model first presented by the BBS.

How to Build a Modern BBS

I thought people might be interested in this idea, and so I decided I would provide some links to software and resources you can use to re-create all of the features of a BBS from your own blog website. These are not the only solutions, just my personal favorites.

Full disclosure: The Digital Ocean link is a referral link, if you sign up I will get credit toward my own hosting bill.

Is Uber using “software bugs” to steal money?


Preface

I sometimes order food from Uber Eats. It’s a pretty neat service. I especially like that I can see my food traveling through town to my door. Every delivery service should offer that. Tonight there was a huge problem tho.

Software “Bugs” or Fraud?

I visited the Uber Eats website and it offered me the option to rate past orders, those which I had not already submitted ratings for. I like to rate each order because the drivers get more business if they have 5 stars. I do not always tip. I used to, but this isn’t the place to explain why.

When using the Uber Eats website app to rate previous orders it takes you through a number of very simple screens. They ask for your rating for the driver, the food, and for an optional tip. They stress on the tip screen that it is optional. The tip screen only displays a number of pre-configured amounts, from $2 to $6, and does not offer a “custom amount” option. It also does not have a button for $0 or “Do Not Tip”. At the bottom of the screen are two links, “Skip” and “Continue”. Those exist on each page of this process.

It is very easy to click the wrong amount by mistake. There is no way to “unclick” the amount, you can change it but you can’t select $0 so if you did not intend to tip at all then it’s stuck. This happened to me on two orders. Naturally, I clicked ‘Skip’ at the bottom, which should have caused the selections to be ignored.

Instead, a few minutes after completing the rating review Uber sent me E-mail notifications “Thanking” me for my tips. I was mildly annoyed, and decided to E-mail their support people to have the tips refunded.

This is where it gets weird. I am going to provide the full details of my conversation with their support department, so you can see for yourself.

Sent by Simba L. on Sunday, November 19, 2017 at 0:48:39 AM

I clicked ‘skip’ on the tipping screen and it applied a tip anyway. This happened on two different orders when all I was trying to do was record positive ratings. Please undo the tip on this order.


Sent by Athenna on Sunday, November 19, 2017 at 7:32:39 AM

Happy to explain, Simba.

Thanks for bringing this to our attention. Sorry to hear about the difficulty that you encountered with the tipping option.

The easiest way to tip your delivery partner is through the app. Once your order is complete, you’ll be prompted to rate your delivery partner. Once you provide a rating, you’ll be given the option to add a tip.

You are free to tip and delivery partners are free to accept tips at any time. Giving cash directly to your delivery partner is also an option.

Unfortunately, we are unable to refund the tip amount once tipping is done since tipping is optional.

I understand how this situation caused a lot of trouble on your part. We want you to know that we have the details of the order and rest assured that we have properly documented everything. Please know that your feedback has been heard and this will surely help us in improving our overall UberEATS level of service.

You may also visit our help page at https://help.uber.com/en/eaters for more information.


Sent by Simba L. on Sunday, November 19, 2017 at 8:16:08 AM

Hello. Because the tip was the result of a bug in your software you will refund it completely. I will be issuing a fraud charge back with the bank. If you’re looking to get hit by a class action you’re on the right path.


Sent by Athenna on Sunday, November 19, 2017 at 8:26:07 AM

Hi Simba,

Thanks for writing in.

I understand the importance of getting your money back. However, once tipping is done, the tip automatically goes to the driver’s account and unfortunately, we do not have the means to get it back.

As much as we want to provide a refund for this tip, please be advised that we are bounded with policies that we need to follow. At this point, what we can do is to take note of your feedback for improvement.

Hope that you’ll give UberEATS another try. You may also visit our help page at https://help.uber.com/en/eaters for more information.


Intentional or not, that is fraud.

I told them in my next response to forward my request to their lawyers, and I then issued fraud charge-backs at the bank for both charges. I’m 100% sure I will get my money back, this isn’t about that.

They could have made different design choices in their web app. They could have recognized the issue in QA testing. It’s very easy to predict and re-produce. So it is not completely unreasonable for a person, especially someone with a background in web development, to conclude that they might have designed it that way on purpose.

That is shady on its own, to design an app so people will “accidentally” spend more money than they wanted, but to then refuse refunds when mistakes happen is absolutely fraud. The question is, was this an orchestrated effort by Uber to steal money, or was it the result of a poorly run corporation?

Buyer Beware

The Uber Eats app is pretty cool. It’s almost too cool not to use. But be alert for these things. This is actually the second incident I’ve witnessed of Uber stealing money, and each time getting a refund was like pulling teeth. If something like this happens to you, don’t let it slide because “it’s only 1 dollar” or whatever. Report every incident, and get your money back. Thievery has to be put to rest.

Linux: batch convert webp to png using ffmpeg

If you have some images in webp format, such as exported from Telegram’s “sticker” packs, and you want to convert them to standard png for use in other applications, I have written a small bash script which will convert all the webp files in a directory into png and then remove the webp files.

This requires that you have ffmpeg installed. If you don’t want the webp files deleted afterward just remove line 5.

If you find this useful let me know in the comments! I invite suggestions to improve upon it.

DMARC is not the solution to E-mail Fraud.


The latest craze in E-mail security appears to be DMARC. Let me preface my post by saying I use DMARC, I use SPF and I use DKIM. I understand that people are mostly up in arms about the importance of DMARC because of how many major organizations haven’t adopted it. I understand its importance.

Problems with DMARC

Here’s the issue as I see it. DMARC does not solve phishing E-mails. It doesn’t do much more than SPF already does, and it doesn’t solve trust or identity in E-mail.

DMARC requires compliance by the recipient server to function at all, and all it does is tell the recipient to reject, quarantine, or allow fraudulent E-mails, a feature that SPF already provides.

This prevents someone from sending email from “custserv@paypal.com” but it doesn’t do anything to prevent them from sending an email from “custserv@payypal.com” which is how a huge number of phishing attacks are launched.
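To make the lookalike-domain point concrete, here is an added example (not code from the original post) that evaluates DMARC alignment for three constructed messages and then applies a separate edit-distance check against a list of protected domains. The protected list, the sample messages and the two-label organizational-domain shortcut are assumptions of the example.

```python
from email.utils import parseaddr

# Domains this mail system wants to protect against impersonation (assumption).
PROTECTED_DOMAINS = {"paypal.com"}


def org_domain(domain):
    """Naive organizational domain: the last two labels.

    A production check would consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_pass(from_domain, spf, dkim):
    """DMARC passes when SPF or DKIM passes for a domain aligned with From.

    spf and dkim are (result, domain) tuples; relaxed alignment is used."""
    target = org_domain(from_domain)
    return any(result == "pass" and org_domain(dom) == target
               for result, dom in (spf, dkim) if dom)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(from_domain, max_distance=2):
    """Return the protected domain that from_domain imitates, or None."""
    candidate = org_domain(from_domain)
    for real in sorted(PROTECTED_DOMAINS):
        if 0 < edit_distance(candidate, real) <= max_distance:
            return real
    return None


def assess(from_header, spf, dkim):
    """Classify one message from its From header and authentication results."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    if not dmarc_pass(from_domain, spf, dkim):
        return "dmarc-fail"
    imitated = lookalike_of(from_domain)
    if imitated:
        # Authentication succeeded, but only for the imitating domain itself.
        return "dmarc-pass-but-lookalike-of:" + imitated
    return "dmarc-pass"


# Constructed sample messages: (From header, SPF result, DKIM result).
SAMPLES = [
    # Forged From on the real domain, sent through an unrelated server.
    ("PayPal <custserv@paypal.com>", ("pass", "bulk.example.net"), ("none", "")),
    # Lookalike domain with its own valid SPF and DKIM.
    ("PayPal <custserv@payypal.com>", ("pass", "payypal.com"), ("pass", "payypal.com")),
    # Genuine message.
    ("PayPal <custserv@paypal.com>", ("pass", "paypal.com"), ("pass", "paypal.com")),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", assess(*sample))
```

The second sample passes DMARC cleanly; only the separate similarity check marks it for review.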

Oh and DMARC gives you some forensic information on who is sending fake E-mails from your domain. Which is completely useless in a high traffic real world scenario because you can’t take any effective action against the perpetrators.

Key Pair Signing & Encryption, a Real Solution.

Meanwhile we have PGP/GPG signatures which would, if properly implemented, provide a user friendly means of identifying the sender of an E-mail and verifying the integrity of an E-mail. But these have been completely disregarded by nearly 100% of organizations as “too difficult” to implement. Seriously, why doesn’t GMAIL come with a ‘PGP’ button?

PGP is arguably easier to implement worldwide than SPF + DKIM + DMARC. All you need to do is create the functionality client-side to create keys, manage keyrings, and interact with key databases. Compare this with setting up 3 different inline mail verification tools on every E-mail server in the world plus a slew of DNS records which can instruct servers to pass fake E-mails along without notifying the end users at all of suspicion.

Why are we being sold this half-assed solution to E-mail fraud when the real answer has existed for decades and would be easier to implement? If someone can explain why DMARC is being treated as the holy grail of E-mail security I would really appreciate it.

GPG/PGP is “Too Hard” for End Users

Bullshit. The difficulty of PGP/GPG has nothing to do with the technology and everything to do with the lack of proper support in E-mail clients. End Users don’t need to understand the technology at all, they just need a button that creates a key and publishes it to public key databases. The process is no more complicated than adding people to the address book on your phone.

Paranoid Conclusion

Using keypairs to verify authenticity of E-mail comes with a bonus feature, they can be used to encrypt E-mail to the point that it is “uncrackable”. Adding the signing capability to a service like GMAIL would also make it a lot easier for users to encrypt their E-mail, which would destroy Google’s business model since they read all of your E-mail to gather data. This is probably the #1 reason why keypairs have been ignored, with the #2 reason being pressure from world governments.

Your Thoughts?

My paranoid conclusion is not the only possible scenario, I would love to hear the opinions of other internet security experts on this issue.

Some Good News

You can implement PGP/GPG in your own E-mail and start using it with your friends, family and colleagues right away. And you should.  Visit the Electronic Frontier Foundation website to find some simple step by step tutorials for all platforms.

My Public Key: https://tailpuff.net/keys/

Cloudflare’s “Keyless SSL” Feature violates trust and privacy.

SSL exists to ensure Privacy and Trust

SSL serves two purposes. Privacy and Trust. Both purposes are equal. Privacy means it encrypts your traffic; this ensures that packet sniffers on a public network can’t view your credit card number when you purchase something on Amazon. Trust means when you visit Amazon.com, you know that the responding server is actually Amazon.com.

Without both Privacy and Trust, SSL is useless.

If you compromise either privacy or trust, the SSL certificate becomes completely worthless. Now your activities are at risk of being compromised, which is precisely what SSL exists to protect against.

KeyLess SSL violates both Privacy and Trust.

Cloudflare’s new feature “Keyless SSL” violates both privacy and trust. This dubious service operates by decrypting 100% of your web traffic between the server and Cloudflare’s network. That means Cloudflare can view your credit card numbers. All that is required is a Cloudflare employee to hide malicious code in their traffic inspection function and they could steal thousands or millions of credit card numbers in an hour.

Browsers should Declare all Cloudflare traffic “Insecure”.

The solution is simple. If SSL traffic comes from Cloudflare, one must assume that it has been decrypted and inspected during transit. This means it is not secure. Web Browsers need to declare this to the user. Traffic that comes from Cloudflare websites should be flagged as insecure, regardless of the SSL status.

System Administrators: Disregard “Reputation” when fighting SPAM


Preface

A number of companies offer a service where they provide “reputation” scores for various domains and IP addresses based on reports of SPAM originating from those networks. These “reputations” are meaningless however, and E-mail Server Administrators should completely disregard them, for a number of reasons.

One: False Reporting

Probably the most significant issue is that the majority of E-mail reported as SPAM does not actually fit the definition. SPAM is clearly defined as Unsolicited Bulk E-mail. The first requirement is it must be unsolicited. If you do business with a company, you sign up on their website or you order a thing or you just send feedback to an E-mail address of theirs, you have opted in to receive E-mail from that company. Under the rules of the CAN-SPAM act that company has to include in its marketing E-mails a link which allows you to easily unsubscribe from those newsletters, but because you initiated contact with that company it is by definition not “Unsolicited”.

The second requirement is that the E-mail has to be bulk E-mail. This means it has to be sent to a lot of people, and is not targeting specific individuals or businesses. If you post a comment on a website forum about gardening, and another reader of that forum builds a mailing list which includes your name and then sends you individual marketing information about his gardening products, that is not SPAM. It may be unsolicited, but it does not qualify as bulk, because he is targeting you as an individual.

Most users don’t understand these requirements. The average person in our society believes that SPAM is any E-mail they don’t explicitly want to receive. And they will often click the “SPAM” button in their E-mail clients when they should instead be clicking the “Unsubscribe” button in those E-mails. For this reason, the vast majority of SPAM reports, which “reputation scores” are based on, are false.

Two: Maintenance

It is practically impossible for the operators of reputation lists to maintain those lists with anything resembling accuracy. A lot of spammers will rent cheap servers from legitimate providers (those with a zero tolerance for abusive customers such as spammers), send millions of SPAM emails from their cheap server, and then when they get booted off they order a new server under a new identity. A lot of SPAM is also sent using servers which have been compromised because their owners are not keeping them secure. The result of this is that the IP addresses of those servers or even their parent networks get a lower reputation. Digital Ocean is a great example, they have a strict zero tolerance policy toward SPAM, but Outlook.com will often block entire subnets of the Digital Ocean IP range, because of the momentary behavior of a few unrelated servers on their network. The people selling these “reputation” lists are not checking up on individual IPs every week to see if the SPAM has stopped or if the operators of those IPs have been booted off the network. The information is almost always going to be outdated.

Three: It hurts legitimate businesses

One of the greatest things about The Internet is how it empowers any person to create small businesses from nothing. It’s extremely cheap to set up a website and start operating a business. It is extremely frustrating when you are a small business owner, to discover you can’t email one of your customers because they use Outlook.com for their E-mail, and you use a respectable hosting provider who just happens to be blocked by Outlook.com’s idiotic reputation list.

Four: There are better ways

There is an accepted “best practice” for E-mail Server Administrators to deal with the threat of SPAM. E-mail which is suspicious should be shuffled into a “Junk” folder in the recipient’s inbox, where it can still be reviewed. There are a number of tools available to help identify suspicious E-mail. A sender’s DNS information should include an SPF record, which tells recipients which IP addresses are authorized to send E-mail on behalf of that domain name. It should include a DKIM public key, which is used to verify the authenticity of each individual E-mail by comparing it against the DKIM signature which should be in the headers of all outgoing E-mails, and it should include a DMARC record which instructs recipients on precisely what steps should be taken when an E-mail fails either the SPF or DKIM tests. These methods are effective at identifying the majority of SPAM. For example any SPAM sent from hijacked servers is going to fail both the SPF and DKIM tests.
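How a receiving server might combine these records, as an added example that is not part of the original post: it evaluates the ip4, ip6 and all mechanisms of an SPF record, parses a DMARC policy, and maps the outcome to deliver, junk or reject. The DNS records and addresses are constructed, the DKIM verdict is taken as an input from the server's DKIM verifier, and the envelope sender domain is assumed to equal the From domain.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS TXT lookups (example.org is a reserved domain).
DNS_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org",
}


def spf_result(record, client_ip):
    """Evaluate the ip4, ip6 and all mechanisms of an SPF record.

    Mechanisms that need further DNS lookups (include, a, mx) are skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    try:
        ip = ipaddress.ip_address(client_ip)
        for term in terms[1:]:
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            name, _, value = term.partition(":")
            name = name.lower()
            if name == "all":
                return QUALIFIERS[qualifier]
            if name in ("ip4", "ip6"):
                network = ipaddress.ip_network(value, strict=False)
                if ip.version == network.version and ip in network:
                    return QUALIFIERS[qualifier]
    except ValueError:
        return "permerror"  # malformed address or network in the record
    return "neutral"


def parse_dmarc(record):
    """Return the tag/value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def disposition(dmarc_record, spf_aligned, dkim_aligned):
    """Map a DMARC evaluation to a delivery action.

    DMARC passes when at least one of SPF or DKIM passes for an aligned
    domain; the published policy applies only when both fail."""
    if spf_aligned == "pass" or dkim_aligned == "pass":
        return "deliver"
    policy = (parse_dmarc(dmarc_record) or {}).get("p", "none").lower()
    # p=none asks for monitoring only, so the message is still delivered.
    return {"quarantine": "junk", "reject": "reject"}.get(policy, "deliver")


def filter_message(from_domain, client_ip, dkim_result):
    """Return (spf result, action) for one incoming message."""
    spf = spf_result(DNS_TXT.get(from_domain, ""), client_ip)
    dmarc = DNS_TXT.get("_dmarc." + from_domain, "")
    return spf, disposition(dmarc, spf, dkim_result)


if __name__ == "__main__":
    # Authorized server, then a server outside the SPF range with no valid DKIM.
    print(filter_message("example.org", "203.0.113.25", "none"))
    print(filter_message("example.org", "198.51.100.7", "fail"))
```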

In addition to this, there are public “Blacklists”. Unlike “Reputation Lists”, the publicly maintained domain blacklists are actually trusted. They contain lists of Domains which have contributed obscenely to the SPAM problem. Furthermore there are steps which can be taken to have a domain removed from a blacklist. It’s possible to check the status of your domain name and see if it is on any of the public blacklists, because they are not commercial services. Reputation Lists are commercial products and so a provider of those services is not necessarily going to let you see your own score unless you pay them, which makes it impossible for a domain owner to petition for changes. On top of this, some “Reputation Lists” are known to take bribes to “whitelist” your domain name. The public and trusted blacklists cannot be paid off.

Conclusion: Reputation Lists are garbage

So to summarize, if you are an E-mail Server Administrator, do not use “Reputation Scores” to identify SPAM. Use Blacklists, ensure that your server is performing tests against SPF and DKIM, and following recommended behavior in DMARC records. Configure your server to label suspicious E-mails as potential SPAM, and dump those into a “Junk” sub-folder of your users’ Inbox. Encourage your users to try the “Unsubscribe” link instead of reporting an E-mail as SPAM.

If you try SPAM filtering methods which are too aggressive, you are going to lose users. As an E-mail Server Administrator, your first priority is to ensure that 100% of legitimate E-mails sent to your users are reaching their destination. Everything else is secondary, and if you can’t provide that then your users are going to find someone else who will.

Google’s “NoCaptcha ReCaptcha” product is slave labor.


Google are Crooks.

Google has been in trouble over their ReCaptcha product in the past, and they are bound to face the fire again. Their “NoCaptcha” service advertises itself as being user friendly, by presenting users with a single check box they click to pass the test. However it very rarely works like this, especially if you use any sort of adblocker or privacy protecting addons in your web browser. Most of the time it presents the user with a photograph, or a series of photographs, in a 16 square grid. It then asks the users to click on each square which matches a specific description.

If you don’t answer the captcha to Google’s satisfaction, the challenge becomes more annoying. For example after clicking a square you might have to wait for that square to reload. The time it takes that square to reload is adjusted by Google, based on how much they “trust” you. So while some users might only have to click 3 squares, others might have to click 6, and wait for as many as 10 seconds for other squares to reload. And then when you perform the tasks they demand and you click ‘verify’, it will often start the entire process over again, for no explicable reason as you answered everything correctly.

What is really going on?

What is actually going on here? Is the system broken? No. What is happening is Google has a massive database of images, billions and billions of images, and they are using the unpaid labor of millions of computer users to add digital tags to those images. “This Image contains a Car” or “This Image contains a Mountain” and so on. The entire system is automated. On its rosy surface it would appear as if the labor of those users is being used to improve the captcha system, but that’s not what it’s for. It exists to force millions of users to do the work that Google is required by law to pay people to perform.

This is slavery.

This is slavery. We haven’t tolerated slavery in this nation in nearly 300 years, but Google thinks they can get away with anything they want because they think the world depends on them. It doesn’t. We don’t need their stupid search engine, there are a number of 100% equally useful search engines such as Bing and DuckDuckGo, in fact some have found those engines provide better results for their searches. We don’t need their free E-mail service, as there are countless providers of that same type of service, none of whom use it to spy on their users the way Google has done for years. The truth is Google does not provide ANY valuable services to the world, and they are raping the information market in new and disgusting ways to make a quick profit.

Stop Google.

It’s time we put a stop to it. A class action lawsuit should be raised against Google again for their “NoCaptcha ReCaptcha” service, and the FTC needs to step in and force them to stop.