All that is wrong with the world…

January 28, 2010

Stupid uses of English

Filed under: Issues...the world...etc.. — allthatiswrong @ 5:49 pm

It really annoys me when people use words in stupid ways, or invent new words for no reason. I don’t mean incorrect uses of words due to ignorance, or where words are commonly used with a commonly accepted meaning different from their dictionary definition. No, what annoys me is when people use words deliberately incorrectly because of some political reason, because of willful ignorance or because they think it’s clever or cute.

This is by no means an exhaustive list, and I doubt many people will find it interesting although some may find it informative. I am making this list largely for my own benefit; I am curious to see if a pattern emerges as I add words over time, as I find it curious that some words quite annoy me while others do not bother me in the least.

So without further ado, my list and justifications of why certain words or their uses annoy me.

  • Chillax – There is absolutely no need for this word! It is a blending of Chill and relax when both words already mean the same thing. It is not a portmanteau since the two words already have the same meaning.
  • The Human Condition – I’m not entirely sure why this annoys me. I guess it’s because being human is not a condition….nothing is gained by saying “Human Condition” over simply saying “being Human”. Everything that makes humans unique emotionally or physically is already implied by the word Human. There is nothing that defines us as Human Beings which can be said to be a symptom of a condition.
  • USian instead of American – This is just retarded. It seems to be used by people who have a problem with the USA, and want to separate the USA from the other countries in the Americas. There are at least two problems with this. Firstly, the USA is the only country where its denizens are referred to as Americans. When referring to Americans it will be obvious who is being referred to. Secondly, the only possible argument for using USian instead of American is to remove ambiguity which isn’t accomplished at all. There are two countries on the North American continent with “United” and “States” in their countries’ names. So when referring to USians, are people referring to people from the USA, or people from the United Mexican States? It’s always stupid to invent new words because you have a dislike of someone or something to the point you won’t even use the word.
  • Homophobia – A word that should actually mean having a phobia of people who are same-sex attracted. According to Wikipedia the word originated in 1969 to refer to heterosexual men who feared men may mistake them for being homosexual. These days the word is commonly used to refer to anyone who dislikes or disapproves of homosexuals, the thinking being that in this enlightened day and age homophobia must be the only explanation if someone disapproves of homosexuality. This is stupid... there may be many valid reasons for people to dislike homosexuality, none of which require a fear of homosexuality to justify that dislike.
  • Occam’s Razor – A principle which states “entities must not be multiplied beyond necessity” leading to a conclusion that the simplest explanation is the best one. Unfortunately this has been adopted by most people to mean the simplest explanation is the correct one, where arbitrary definitions of simple are used. As an example take a scenario where you have cheese and a mouse in a room unobserved for 5 hours. If the cheese had somehow ended up resembling a face or intelligent pattern most people when applying Occam’s razor would conclude that a human made the pattern, rather than the mouse. In this case those people would be using the word simple incorrectly when they actually mean likely. It may be more likely that a human snuck in and made a pattern as a joke, however it is not simpler as the sneaky human is an additional variable. The Skeptics Dictionary has a more thorough explanation.
  • Strawman argument – People seem to misuse and accuse people of this all the time. I guess they heard it on teh itnernets and couldn’t be bothered to look up what it actually meant. A Strawman argument is responding to a new, different argument than the one made and passing it off as the opponent’s original argument. Not simply dismissing a point or making a new claim. You can see many examples of Strawman arguments and false accusations of such in the comments of my OpenBSD article.
  • Ad Hominem – Often when someone insults someone in an argument they get accused of making an Ad Hominem attack. An Ad Hominem attack is not any argument that directly or implicitly insults an opponent, it is an argument that attempts to prove its correctness through insulting an opponent. That is a big difference. I can insult someone as much as I like and as long as I also attack their argument then I am not making an Ad Hominem attack – I’m just being a jerk.
  • Racist – Wow this word gets misused. Racism refers to negative discrimination of people due to their race. It is a lot more complex than that with all the underlying reasons and consequences and such, but in a nutshell that’s what it is. However, far too many uber-PC people seem to think even pointing out that people look different is racist. For example, using the color of someone’s skin to differentiate them out of a group. This is not negative discrimination at all, it is just an easy way to identify people out of a group, the same as using someone’s gender or body type. Another example may be imitating a stereotype for comedic effect such as Eddie Murphy playing an Asian guy in Norbit. There was nothing racist about that at all, any more than Dave Chappelle playing a white news reporter. A more recent absurd example is Atlanta having to rename their yellow line to the gold line because some people in the Asian community considered it offensive. These examples can be racist if they were used to negatively discriminate or deliberately offend people but by themselves they are harmless unless people decide to make a big issue out of it.
  • Troll – This also gets thrown around on the net simply because people disagree. A troll is someone whose primary motivation is to obtain a negative response out of people, often by being deliberately controversial or provocative. I think it is a shame that these days it is all too common for anyone with an unpopular idea to be labeled a troll, no matter how well it may be presented or supported.
  • Third world countries – People tend to use the term “third world” to refer to developing countries which is incorrect. The term third world arose during the Cold War to refer to countries that remained non-aligned or neutral to capitalism. That’s pretty much it. Using third world to refer to any of the countries that are still developing or not as stable as the countries in Western Europe or the Anglosphere is incorrect and quite possibly offensive. Many countries today are far too complex to simply be categorized under the first/second/third world system. Simply referring to them as developed or developing makes far more sense.
  • Geek – This is an interesting word. Back in the day it was an insult, but nowadays it seems to be a badge of pride. Something that used to be limited to computing and maybe technology in general, at some point people tried to take it back as a hip word. A good example of this is Harry on Aintitcool, where he never misses an opportunity to remind everyone how he is a film geek and talk about geeks as a collective group as though they were family. The thing is when people try to use the word this way it is perfectly synonymous with hobbyist or enthusiast. Those words tend to work much better than a poor attempt to take back a word that you were bullied with in high school.
  • Tween – According to Wikipedia it describes a child between the ages of 8 and 14. Why? After 12, they are teenagers. Before teenagers, they are children. Teenagers tend to have stuff in common, as do children. 8 and 14 year olds tend to have almost nothing in common. A false word for a false demographic. If you really need to talk about children who are not quite teenagers then preteen has always been fine, and will continue to be.
  • Homeopathy – A lot of people seem to use this word thinking it is roughly synonymous with naturopathy. This is not the case – homeopathy refers strictly to the idiotic practice of diluting various substances in water to the point where none of the original substance remains and claiming that the resulting water can cure various ills, even cancer. It’s dangerous and should be illegal, yet in the US some universities offer degrees in it while getting federal funding. Something I just don’t understand.
  • Hacker – Whenever a media story reports about computer criminals the people who have been around since the 60’s tend to jump in and try to point out that a hacker is nothing related to computer security but rather someone who likes tinkering and employing lateral thinking. Well, sorry guys, the war is over and you lost. The primary meaning of the word hacker is now related to computer security and there is no going back. It is the definition understood by most people and the definition in the dictionary cements it. This isn’t to say the other definition can’t still apply, but to say the primary definition is wrong just shows an ignorance of how language evolves.

I also find it interesting that certain uses of phrases or words do not annoy me. For example, when people use the word literally to mean something figurative people get annoyed because they say the word literally is being used incorrectly. This is incorrect however as the word literally has been used as an intensifier since the 17th century. People also get annoyed at the phrase “begs the question” being used to mean raises the question. I don’t see a problem with this as while this usage came about due to not understanding what the term originally meant, I see little problem with the phrase having a second meaning synonymous with raises the question. Finally I think it is interesting whenever people get upset about the phrase “I could care less” when people get all huffy and assert that it can’t possibly make sense and that it is simply wrong. Well, it is certainly wrong in a logical sense, but it isn’t hard to see that most people are using “I could care less” in a sarcastic sense, which is absolutely fine. I suppose this doesn’t annoy me because it is obvious how the people using the phrase mean it, with the new meaning being commonly accepted and self-evident.

Update 1 – October 13th 2010

Updated to add points about geek and tween

Update 2 – February 28th 2011

Updated to add points about homeopathy and hacker

Update 3 – August 20th 2011

Update about begs the question and I could care less.

January 26, 2010

Family Guy is complete trash – American Dad is awesome

Filed under: Entertainment — allthatiswrong @ 5:37 am

Family Guy is complete trash. I don’t know how people can consider it anything other than that, and yet it is consistently one of the top rated shows on Fox. Family Guy is in fact popular enough that it was brought back from cancellation, and was able to spawn several DVD movies and a spin-off show. As much as I am aware that humor is an extremely subjective experience and that a person’s entertainment choices do not always reflect who they are as people, I can’t help but think that the majority of people who enjoy Family Guy are below average intelligence.

The typical Family Guy episode has little or no plot and no interesting characters to speak of. It isn’t many shows that have characters as one dimensional and flat as those of Family Guy, and for a cartoon that is saying something. Peter and Chris have been made so retarded that they do not even resemble humans anymore, and exist simply as a plot device to accelerate the various gags. The show generally consists of nothing but pop culture references and time fillers. Peter fighting a giant chicken for an extended period of time as a once off thing. When every episode has up to two minutes of Peter laughing in a retarded way or other characters farting or puking or such, it becomes a bit much. I genuinely don’t understand how people can watch that crap. I wouldn’t be surprised if it were the same people that enjoy most reality shows.

When South Park satirized Family Guy in 2006 it was 100% accurate in its criticisms, as is often the case. In the Cartoon Wars episodes, it is discovered that the Family Guy writers consist of manatees. Manatees that randomly nudge “Idea Balls”, balls with a single name, place or object printed on them, into a machine which then comes up with a gag. The example used in the South Park episode contained the words “Laundry” + “Date” + “Winning” + “Mexico” + “Gary Coleman” which manifested as a clip of Lois asking Peter to do the laundry, from which Peter recalls winning a date in Mexico with Gary Coleman.

There are also the claims that critics of Family Guy make – that they have plagiarized much of their material, especially from The Simpsons. I don’t know how true this is, certainly The Simpsons have been around for a very long time and it would be hard not to do an original storyline that may resemble a Simpsons episode in some way. Yet, most other animated shows manage not to imitate The Simpsons as numerously as Family Guy has seemingly done. It is important also to separate show concepts from actual plot points. Many shows can be accused of copying another’s formula, i.e. The Simpsons can be said to have borrowed from The Flintstones which in turn can be said to have borrowed from The Honeymooners.

An interesting case is Stewie resembling the comic book character Jimmy Corrigan. I can get making a character who is a genius self aware baby. Even making Stewie matricidal could be put down to a coincidence. However with Stewie even resembling Jimmy Corrigan in appearance, it becomes harder to dismiss as simple coincidence. I don’t think Seth MacFarlane necessarily consciously stole this character, but considering this is just one example of the show lacking in originality I think it is highly likely that Stewie was at least subconsciously inspired by Jimmy Corrigan.

American Dad on the other hand is amazing. I really, really do not understand how people think that American Dad and Family Guy are basically the same show. What nonsense. Yes, at an abstract level they are similar as both are cartoons with a non human family member, but that is about where the similarities end. The primary characters of Family Guy are so retarded that it is impossible to relate to them. At least with the characters from American Dad they are caricatures of real life stereotypes that people can relate to. More importantly, American Dad has a plot – unlike Family Guy, which to quote South Park simply has one interchangeable joke after another with no relevance to the plot.

This is where we see the main difference. No one could seriously make the claim that American Dad was written by manatees. The show has had some very original plots and jokes, no doubt helped by the interesting setup of working for the CIA and having access to all kinds of technology. I can only guess that the people who claim American Dad and Family Guy are the same show are oblivious to plots and have a blank mind until some sort of throwaway joke inevitably appears. Which is a shame.

Additionally, American Dad has Patrick Stewart on the cast as American Dad’s boss. How cool is that?

One thing I did notice that was slightly annoying was that Roger’s nose stopped being an issue. In the earlier seasons it was hard for Roger to leave the house because he obviously did not look human, a large part of which was his lack of a nose. This actually inspired many plot points, such as one where Roger picks a fake nose that ends up with him being mistaken for Kevin Bacon. Lately this hasn’t mattered, with a mustache and glasses or a dress and a wig sufficing. I wonder why such things are forgotten…a change in writing staff perhaps? No matter.

In conclusion, Family Guy is complete trash without original or interesting plots or characters and much of the time of episodes being dedicated to Peter laughing for extended periods – simply to bypass the time. American Dad is purely a plot based show with original and relatable characters and clever and relevant jokes. If you have not seen the Cartoon Wars episodes of South Park I highly recommend them, if not for the fair criticism of Family Guy (critics and fans are equally represented) then for the argument it makes against censorship.

January 24, 2010

A criticism of CouchSurfing and review of alternatives

Table of Contents

Introduction
Free Accommodation
The “CouchSurfing Spirit” and Super-Hippies
Problems with CouchSurfing
  • Fraud and illegal behavior
  • The Verification Scam
  • Privacy Concerns
  • References and the lack of a dispute resolution process
  • Censorship
Alternatives
  • Hospitality Club
  • GlobalFreeloaders
  • BeWelcome
  • Tripping
  • Crashatmine
Conclusion
References

Introduction

For the last six years I have been traveling a lot, being in a different place every few months. Early on when I started my travels I was made aware of GlobalFreeloaders, and at a later stage CouchSurfing and Hospitality Club. The concept behind these sites is referred to as hospitality exchange. The general idea behind hospitality exchange sites or communities is that when you visit a country, you find a host you think you will get on with and stay with them, instead of at a hotel or hostel, the advantage being that you get to save some cash while getting a more accurate taste of the culture as opposed to what most tourists get or perhaps want to see. Hospitality exchange sites have a long history starting with the Servas Open Doors association founded shortly after WW2. This was the first true hospitality exchange program with the goal being to help build understanding and peace. Servas is certainly the oldest hospitality exchange community, and is the most official with it being recognized by the UN. Membership is taken a bit more seriously with an interview being required before being accepted to join.

Before the internet was as popular as it is, there were other sites that offered hospitality exchange although it was arguably not the main focus. Examples would be student exchange programs and hitchhiking communities. In 2001 or so the first of the current hospitality exchange sites launched, which was the start of an irreversible trend. Now thanks to the internet anyone could join and find people to host or stay with and due to the larger network of people references could be left which would work as a form of verification. Currently there are three primary hospitality exchange sites with a fourth still in development. While each of these sites share the same basic principles they tend to have many important differences in practice. CouchSurfing is certainly the most popular and well known of these services with some 1.7 million members to its name. CouchSurfing also has the nicest website and has gotten the most media coverage, however it also has many disadvantages that people may not be aware of. In this article it is my goal to give my experiences with CouchSurfing while listing many of the serious problems that have plagued CouchSurfing almost since its inception, in detail, while providing as many references as possible. I hope to raise people’s awareness so that they will be aware of the risks of using CouchSurfing and perhaps petition for the truth and a change in policy. I also review the other hospitality exchange sites and why I consider them to be preferable and will try to encourage their use since they do not have any of the problems attributed to CouchSurfing.

Free Accommodation

There can be no question that one of the things all of these hospitality exchange sites have in common is free accommodation. One of the most common reasons people use these services is to save money by staying with a host for free. Meeting people, hearing about their travels and making lasting friendships is an awesome opportunity that is possible through these kinds of sites, however for most people it is not the primary goal but more of a positive consequence. This is of course true only for people traveling, for people hosting it truly is about meeting new people and learning new things or perhaps reciprocating to the community. If most of the people who use these services could afford to stay in hotels for much of the time, they would probably meet up for coffee instead of staying on people’s couches.

Not everyone will use these sites for the purpose of free accommodation but the majority of people surfing do, at least to varying extents. I myself look for free accommodation first and foremost and anything I get after that such as a great cultural experience or a friendship is an amazing extra. There are some people on CouchSurfing however that completely deny that they use these sites for free accommodation. I suppose for some people this is true, however for the majority that state this it is very clearly not. There are people on CouchSurfing who blatantly deny that they are using the site for free accommodation, despite the fact that as unemployed students they would not be able to do their world travels if it were not for the charity of the people hosting them. They may have chosen to travel to meet new people and be exposed to new cultures, but if it were not for the free accommodation provided through CouchSurfing, they would be homeless in the street.

One rather blatant example of this was a guy who claimed that using the site for free accommodation was very wrong and not at all what it was about. It was interesting to see after he had a problem accessing his account that he completely freaked out because he wouldn’t have anywhere to stay. These people are the same type I describe below – Super-Hippies. There is no shame in acknowledging that the reason people use these sites is for free accommodation. It does not have to be the primary reason, but to deny it all together is just wrong. Traveling in different countries with limited budgets that don’t take accommodation into account while saying it is not important and then furiously messaging 20 people a day to make sure they have somewhere to stay? Is there any other word to describe this behavior other than hypocritical? Unfortunately I have met many CouchSurfers like this (not a majority) and it only seems these people are unique to the CouchSurfing community.

One of the most disconcerting things about CouchSurfing is the pressure to hang out with people when you would not otherwise want to do so. Not in a positive way as in talking to people you would not normally talk to and gaining new insight, but rather a pressure for people who simply don’t get along to pretend they like and are interested in learning more about each other. Every user is encouraged to fill in their profile with as much detail as possible not unlike a MySpace page. The majority of these details have absolutely no relevance to requesting to stay on someone’s couch for a few days either from a hosting or surfing perspective. This is actually enforced in some ways with quite a few people stating that they will not even consider hosting you unless your profile is substantially filled out. Didn’t list your favorite movies and books? Then forget it. It is this need and want to know everything about people that strikes me as being so very hypocritical and fake. If you want to get to know someone then talk to them when they arrive; don’t use their lists of favorite movies and books or philosophies and political opinions as the only indicator.

The level of emphasis that these different sites place on free accommodation is perhaps where they differ most. For CouchSurfing while free accommodation exists as a point, it is not at all defined by it and it may well be a minor point. There are a great many people on CouchSurfing who are using the service to save money even if they don’t say so. For GlobalFreeloaders the emphasis is without a doubt on free accommodation. This is evident in the lack of profiles and general philosophy of the people on the site. Instead of checking out individual profiles, you mass mail the people in any city you think may like to host you, and anyone interested gets back to you. Personally, I find this to be a whole lot more honest and refreshing than the somewhat forced “let’s be friends!” philosophy pushed by CouchSurfing. For Hospitality Club the emphasis seems about equal to that of seeing new cultures. I have not had a chance to use BeWelcome or Tripping however at a glance they seem to have a similar philosophy to Hospitality Club.

Meeting new people, sharing a new culture, seeing the parts that tourists tend to miss out on; these are all amazing benefits of hospitality exchange programs. For many people on these sites money is tight, and free accommodation which allows them to save money so they may keep on traveling is an amazing advantage. There should be no shame in admitting that this is a part of the reason you use the site, even if it is not the priority. To deny it completely is just dishonest except for a minority of cases.

The “CouchSurfing Spirit” and Super-Hippies

Sometimes on CouchSurfing there will be a reference made to something referred to as the “CouchSurfing Spirit”. This spirit is consistently described as something unique to CouchSurfing, and something the other hospitality exchange sites lack. The “CouchSurfing Spirit” is defined then as the idea of trusting people you have never met, letting them into your house or entering theirs and sharing in their life and culture while being generous, open minded and hospitable. The thing is, this “CouchSurfing Spirit” does not exist! At all. The people who talk about the CouchSurfing spirit are the same people that completely reject the notion that the CouchSurfing project has anything to do with free accommodation, rather that it is about making new friends and being exposed to new things. The other hospitality exchange sites are simply more honest in acknowledging that free accommodation is a major if not primary aspect of the service. Wanting to see the sides of countries and cities most tourists miss out on is in no way unique to CouchSurfing, but is common to all of the hospitality exchange sites. It doesn’t matter which way the “CouchSurfing Spirit” is described, it always refers to basic human trust and altruism. I have had people on GlobalFreeloaders and Hospitality Club offer to take the day off work and drive for hours to come and get me from an airport, all who are on that site for free accommodation – at least in part. Did these people not have the spirit? I have also found people on CouchSurfing who didn’t want me in the house if they weren’t there and were not interested in sharing anything; did these people have the spirit?

What the “CouchSurfing Spirit” seems to refer to in practice is a close-minded, naïve and unrealistically optimistic outlook on life. Without exception, every single person I have met (a considerable number) who claims to have this spirit, or is under the impression that this spirit defines the site, has also been a Super-Hippie. These are the type of people who preach open-mindedness while having firmly made up their minds about the other hospitality exchange sites without ever having used them, and will dismiss any criticisms of CouchSurfing as being due to a bad experience, even if they have considerably less experience with the site than the person making the criticisms. I don’t think it is a question that this subset of the CouchSurfing community exists regardless of if my views of them have any credibility. Despite my views, I do not mean for the term “Super-Hippie” to be insulting, I just feel it is an accurate term that perhaps these people would even agree with. There is nothing objectively negative or offensive about the term hippie, and Super-Hippie refers to an exaggerated version of the hippie stereotype.

These people tend to have an unshakable and ultimate faith in the pure goodness of their fellow man. They say that they appreciate each and every person for who they are, no matter their faults because everyone is different and you can learn something new from everyone. These people might be the real deal but all too often they will be saying how much they like you and appreciate your viewpoint while obviously getting pissed off and frustrated, and preaching how open minded they are while completely dismissing your input if you point out that current science contradicts their Super-Hippie philosophies. Coincidentally, these are the same people who tend to organize the community events and encourage the spirit and so are becoming the ‘voice’ of CouchSurfing – if they are not already. Probably at least 2/3rds of the active CouchSurfing member base would be just as at home on BeWelcome or GlobalFreeloaders as on CouchSurfing. Indeed, many members are on all the sites. The people who go on about this spirit are the minority, but they are without a doubt the most vocal as their events and opinions tend to get media coverage and thus, in a way, characterize CouchSurfing. These particular members are not indicative of the larger community although they likely soon will be.

I cannot stand these people. I can’t stand willfully ignorant people. I can’t stand fake or phony people. I can’t stand blatantly hypocritical people. I can’t stand liars. These people may not mean to be these things intentionally, but it doesn’t change that they are. The “CouchSurfing Spirit” does not exist except in the minds of close-minded people who like to pretend that the reason they all use the site has absolutely nothing to do with free accommodation. Bullshit. Some of these people actively discourage or will not tell other people about CouchSurfing because they don’t share the same Super-Hippie views. I have made many great friends on CouchSurfing and I like to think the people who have hosted me have also gotten something positive out of it, yet if it were up to these Super-Hippies I would never have been admitted to the site. Super-Hippies are the types of people who believe almost anything they are told. Their entire view and understanding of the places they travel to is based on what people tell them. They entirely lack the capacity to think critically and see that one person’s experiences are likely not representative of their entire country or city. These are the types of people that will assume that if the windows where they stay are double glazed, all the windows in that country or city will be double glazed. If the kebabs they purchased tend to come with chili sauce, then typically all the kebabs have chili sauce. While it is great to be open-minded and want to learn as much as you can about new cultures and places, it is even more important not to limit your knowledge to assumptions based on your personal experiences. Keeping an open-mind requires critical thinking, and not simply accepting everything people say at face value. I just can’t understand people who would take a single view as authoritative rather than developing the skills to assess what they are told critically.

Too many of these people want to be involved in every aspect of your life as soon as they meet you. Hanging out constantly, doing the same activities together under pressure…many profiles actually say if you stay with this person they will expect you to join them in all of their daily activities. Wanting to see and experience local culture is one thing, having to shadow someone out of a feeling of obligation is quite another. If I go to visit rural Texas I may want to see cattle farms and farm life, and would be happy to help with chores but I wouldn’t expect that all my free time would be expected to be spent doing as farmers do. I like to explore on my own, see what the community and society have to offer and have interesting experiences. There is nothing better than knowing you can come home to someone friendly while in a strange city and share a meal and interesting conversation. That has to happen naturally however. Far too many people, mostly Super-Hippies – try to force this issue. Their profiles will be amazingly filled out and expect the same of you. When I look to stay with people, I don’t expect to have to share my life story, I just want to know that we will get on OK, and if any friendship develops it will be amazing, because it happened naturally. Learning everything you can about people from their profiles and 20 questions and sharing activities is not the way to make friends. It can make for interesting experiences many of which might be positive, but why try to force the issue? Why not just meet up and let things happen naturally? What kind of person actually stipulates that anyone they host must join them in all of their daily activities while staying?

Personally I feel these people are only damaging the hospitality exchange communities and don’t tend to help society in general. Such blatant hypocrisy and close-mindedness will only hold back these exchange programs and more generally. If you preach that you want to learn and experience new things, then that also means being able to challenge your core beliefs. It doesn’t just mean being willing to try a new food which is what many take it as. To those of you that meet these criteria: do yourselves a favor, educate yourselves. Engage in debate and try and back up your viewpoints, don’t simply dismiss anyone who questions them. Engage in debate and actually learn new things about yourselves and others, and most of all be honest. As amazing as you consider the world to be, it has layers that you have not even imagined that you are missing out on while you continue to limit yourselves.

I don’t know if this belongs in this section but it seems appropriate. It is important to note that many CouchSurfing members cannot handle any criticism of the project at all. They have a lot of love for their community and oppose anyone who would ask questions or demand answers. This is a shame, as most of the time these people raise valid points and just get attacked by the more rabid members. It is yet another example of supreme close-mindedness. Yes the community may be great and you may have had amazing experiences, this doesn’t mean there isn’t cause to investigate or report certain behaviors and actions. This devotion is somewhat eerie and almost implies a certain dependence on CouchSurfing, as though they could not cope if it were taken away. The organization and community need to be open to criticism because it is the only way to move forward and grow. If things continue as they are then CouchSurfing will come to resemble a cult rather than the amazing open community that they believe themselves to be.

Problems with the CouchSurfing organization

The CouchSurfing service is plagued by problems that most people are perhaps not aware of. These problems range from defrauding and scamming users, illegal behavior, gross violations of privacy, a complete lack of any real appeals or dispute resolution process and censorship. Many of the members were so frustrated that OpenCouchSurfing was started as a result: a plea for an open and transparent organization without all of the secrecy and deception that plagues the current incarnation of CouchSurfing. Also interesting is a small list of people stating why they refuse to volunteer for CouchSurfing. Searching around the web will yield many stories of negative experiences with CouchSurfing, not with bad hosts or guests but with CouchSurfing directly, such as deleting people’s accounts for no reason while silencing critics, and illegal behavior. One interesting question to ask of those who advocate the CouchSurfing Spirit – do you think the following behaviors and actions of the organization are what the community believes to be the spirit? Please keep that question in mind while reading ahead. There seems to be a very large gap between what the users know and understand and the organization itself. This has to stop.

Fraud and illegal behavior

CouchSurfing have engaged in much questionable behavior almost since their inception as an organization. The most obvious and perhaps controversial of these behaviors is their management of donation money, and the fact that they have referred to themselves as both a charity and as a non-profit organization in the past, misleading many people. They state that being a non-profit is essential to their mission and guiding principles, and that they rely entirely on the voluntary donations of members. I have no issue with them being a non-profit, but for them to have received charity status is crap. CouchSurfing is not a charity, in any sense of the word except legally. They do not directly provide any services or do any charitable actions; they merely offer a service so people can offer charity to each other. They are the enabler for people to provide charitable services, they do not provide any charitable services themselves. CouchSurfing should have their charity status revoked after a full investigation of what charitable services they actually provide is performed and they are shown to only offer a website, and use donation money to pay for rent and food of staff members.

A problem at the moment is that CouchSurfing is a currently registered charity organization and they may have obtained this status on false grounds by misrepresenting the organization’s role in the community, and that the organization is not compliant with the various reporting and disclosure requirements for charities. As per a message on a CouchSurfing mailing list, CouchSurfing was due to file a tax return in 2009 along with an independently conducted financial audit. This is required to be made public yet four months later nothing has been released. The problem with CouchSurfing not releasing the information as they are required to is it becomes difficult for people and organizations to verify that the donation money that people give in good faith is being used in a responsible way. Given that all of CouchSurfing’s behavior indicates they have something to hide and the fact that the organization cannot be said to do any charitable work I think this is the most likely situation. In which case as above I think a full investigation should be conducted before the organization is allowed to continue soliciting donations. Later on in the same CouchSurfing thread I linked to above, a rough analysis of CouchSurfing’s legitimacy as a charity organization is performed by Margaret using the Charity Navigator methodology as a guide. According to Margaret’s calculations 69.87% of the donation money CouchSurfing receives allegedly goes to administrative costs involved with running the website (suuuure) which going by Charity Navigator’s guidelines would place CouchSurfing squarely in the runaway category.

It is also important to mention that from 2003 – 2007 CouchSurfing’s structure as an organization was illegal. The reason for this is that Casey had himself listed as CEO as well as the chair of the Board of Directors. This arrangement is illegal under New Hampshire law and so any donations taken during this time and any contracts CouchSurfing entered into may not have been valid. If it turns out that charitable donations of time and money made to CouchSurfing when it did not exist in the correct legal form are invalid, then CouchSurfing should be made accountable for any loss suffered as a result. Based on the evidence I have seen and what is publicly available, it appears the only reason CouchSurfing is looking to be a charity/non-profit org is to get tax exempt status. That’s it. To keep living a certain lifestyle funded by a deceptive verification scheme without ever having to pay taxes. Casey Fenton (the founder and leader of CouchSurfing) has to either clear up these misconceptions or be held accountable.

Regardless of the credibility of CouchSurfing’s charity status it appears that the legal requirements have not always been met, and were even knowingly and willingly broken. Quoted from a message by user Pickwick: “New Hampshire law does not allow the chairman/president of a charity to be an employee at the same time. So when Casey as chairman/president signed his own employment contract he violated that law, and for this reason alone the contract may be invalid.” There is no question that Casey is an employee of CouchSurfing, receiving a salary of some $70k per year. Casey also seems to be without a doubt the leader and president of CouchSurfing. When Casey was on the Board of Directors and also an employee, then this was illegal. Not only was this a violation of law, this would also be a case of Casey committing perjury. The implications of this are significant, as all employment contracts would be invalid, all contracts and legal agreements would be invalid, further laws would have been violated etc…

Of note are the application forms originally submitted by Casey to get nonprofit status. It is evident in the original filing (the first link) that Casey was listed as the President, Treasurer, Secretary and head of the Board of Directors in violation of NH law. I don’t believe that there have been any ramifications for CouchSurfing having an illegal structure for four years. The second link shows the reasons CouchSurfing used to obtain charity status. CouchSurfing is organized exclusively for charitable, religious, educational and scientific purposes? I think not. To internationally network people and places, create educational exchanges, raise collective consciousness, spread tolerance and facilitate cultural understanding? This is more acceptable, however out of those that are actually obtainable CouchSurfing is not the facilitator. They offer a website which enables others to organize such exchanges and offer charity without having any direct involvement themselves. Looking at the CouchSurfing Terms of Service, they state that “Many in-person meetings are held by groups of interested members and are not sponsored or organized by us.”. If RedCross ran a website that enabled volunteers to help those in need without doing charity work themselves or putting their donation money to good use, would people still support them and give donations so readily? Lastly the second form states that “No part of the net earnings of the organization shall inure to the benefit, of or be distributable to its members, trustees, officers, or other private persons…”. Well, a quick look at CouchSurfing’s financial information shows that not being honored.

This really needs to be properly and thoroughly investigated. There are some very serious and obvious discrepancies that need to be sorted out. The financial statements and registration information made available through the organization and the website do not match those provided to the New Hampshire authorities. What exactly is going on? The most recent financial information has not been made available when it should have been and it is now almost a quarter later. At least some people before have been disillusioned, with CouchSurfing even being reported to the New Hampshire District Attorney in 2007. I am unclear what the outcome of this was, and suspect the investigation is ongoing.

Now, to examine the financial information. It is important to note here that despite a legal obligation to do so, the financial records for 2009 have not been released, so I will be going by the records for 2008. The net income for 2008 was $128,455.55. The total income was $788,297.70, with $783,977.23 coming from contributed donations. This can be read as the income from the verification process. Somehow, a not for profit organization that boasts about having a virtual office managed to spend the majority of this income, despite not paying to organize events (the members organize these out of pocket) and not having an office. Looking at the expenses, aside from salaries, the majority of the rest of the money goes towards travel, rent and food. Those four expenses account for more than a third of the total income, with nothing to show for it.

A not for profit organization or charity should not be using income to provide food and rent for its members, and doing so does not qualify them as a charity. Since CouchSurfing provides the food and rent expenses for members, their salaries should be adjusted accordingly to reflect they have no cost of living. There are numerous messages on the CouchSurfing mailing lists pointing out that the income has not been reported as is legally required, and that the income seems to be used for alcohol and drugs and not anything of actual value or related to work. Almost every way you look at it, it appears the contributed income is being used to perpetuate the lifestyle of Casey and friends rather than being put back into the organization. In fact at the moment Casey and his friends are all living in a sharehouse in Istanbul with the donation money paying for their food and travel. They don’t do any work, at least not that anyone has ever seen evidence of, and get to lay around each day doing what they like. Clearly this is not how the people who donated money to CouchSurfing expected their donations to be used. There have been several allegations by volunteers and members that at collectives and CouchSurfing meetings there are dedicated “sex rooms”, something that was also mentioned in Bryan’s resignation letter. It is worth mentioning here the leaked minutes from a 2009 meeting of the CS staff. Nothing pertaining to CouchSurfing is discussed or how things could be improved. Instead ways to have more fun are discussed and given a priority. The suggestions for improvement include more pillow fights and to give each other more massages. The general manager’s only goal is to “find knobs to twiddle”. This is where people’s donation money is going. A search through the CouchSurfing mailing lists (as well as some of the discussions I have linked to) will show discussions on this point.
Given how they conduct their meetings I don’t find that idea hard to believe, when in fact the notion should be absurd. To quote from the CouchSurfing About page: “CouchSurfing’s non-profit status legally mandates that all resources must be spent directly on achieving the mission”. This does not seem to be the case and I doubt that anyone who made a donation would approve of this.

Even so, the remaining net income does not seem to be being used in any meaningful way. Having it as an emergency fund is not good enough. There are problems that could be fixed, and this is where the money should be going. The rest of the expenses are dubious as well. The salaries for staff in 2008 were more than double the amount in 2007, despite the number of staff not increasing. What did increase was the amount of contributed income, which was also more than double the amount in 2007. The greatly increased salaries for staff seem to correlate with this. Somehow the verification and postage expenses are more than $34,000. In 2007 the expense was only $10,000. Considering the user base has not tripled from 2007, and the costs of postcard production and mailing have not tripled, why have the expenses tripled? The cost for servers is some $50k, while hosting is a separate some $20k. Both of these expenses are not necessary…it does not cost $50k for servers where you would not have to pay for hosting, and it is doubtful the cost for hosting is $20k. Given how closely the expenses seem to use up the total income, I genuinely believe that these financials are doctored. I would expect expenses to increase somewhat with a user base, but not by the shown percentage when there has not been any additional work or staff intake. How can this not be considered suspicious?

Much of the material on the website appears to be written generically to satisfy authorities or investors without having any real relevance to how the organization actually works or what it is said to represent. No heart has gone into writing these texts and it is quite likely most people never read them. They have not been updated in a long time and do not reflect reality, but boy do they look good on paper.

The CouchSurfing Staff page (now mysteriously removed..) stated that “large salaries aren’t what it takes to find and retain talented team members. Instead, we’ve designed a system that gives our staff intangible rewards that can’t be found elsewhere”. Yet, the salaries are large, and they get salaries in addition to free rent, food and travel. There are numerous reports on the CS mailing lists that state that no work seems to be done at collectives. Nevertheless, this is the official development process of CouchSurfing, i.e. there isn’t one. Another point to consider is the treatment of volunteers. Again, there are many, many messages on the mailing lists with volunteers resigning because of the poor treatment they receive. CouchSurfing seems to recruit people with a genuine enthusiasm for the ideal and, secure in the knowledge that there seems to be a near infinite pool of volunteers to recruit from, has no motivation to reward them or treat them with a basic level of respect. These are the people who mostly make CouchSurfing function, and they receive absolutely nothing for their work. Which is fine, it’s kind of what being a volunteer means, but they certainly should not have to put up with being dismissed and disrespected for all the hard work they put in. I have not talked about CouchSurfing’s treatment of volunteers in detail here but a cursory search will reveal many stories of woe which fit a recurring pattern.

Another point that is quite interesting is that CouchSurfing was pretending to be a charitable organization, a 501(c)(3), back in 2004. 501(c)(3) status is important for many reasons. It is what all charity organizations should eventually seek and shows that the charity has been vetted by the IRS and has been audited. CouchSurfing has already been rejected in their application for 501(c)(3) status, and if they do not gain this status soon they will be unable to remain as a charity in New Hampshire. This means CouchSurfing will no longer be able to accept donations or sponsor volunteers as they currently do. There is a good discussion of CouchSurfing’s 501(c)(3) status on the Brainstorm: Redefined group. CouchSurfing claiming to be a 501(c)(3) was originally pointed out on the OpenCouchSurfing website which linked to archive.org. Now, for some reason, CouchSurfing has denied archive.org permission to archive the contents of the CouchSurfing website. There is absolutely no sound reason for CouchSurfing to do this, as archive.org is a free service and actually benefits the internet community in many ways. The only reason to do this is because they do not want people to see what they used to say on their site, before the project was more famous. We can just add this to the pile of actions taken by CouchSurfing showing them to be deceitful and untrustworthy.

CouchSurfing as a charity organization should be working to further its cause, and doing charitable things (of which feeding its employees does not count). As a charity they have certain legal obligations which have apparently thus far not been met and may have been willfully violated. More than this they have a duty to the tens of thousands of people who gave donations and became verified in good faith not to abuse their donations. The organization has a duty to responsibly disclose its financial information and to ensure that its organizational structure including the board of directors meets the legal requirements. This may mean Casey and friends have to sacrifice their lifestyle of no work and travel, but it is the ethical and legal thing to do. I genuinely hope that a lot of the accusations that have been made are wrong and that there are perfectly good explanations for everything. Personally I think this is unlikely, and I hope to see the Organization and Casey be made accountable for their illegal actions and failing the community.

The Verification Scam

The CouchSurfing verification system is a scam and nothing more. It is fraud – plain and simple, and CouchSurfing should be held accountable for this. Both BeWelcome and Hospitality Club provide verification of all user accounts for free, and actually verify that users are real people (although not that they are trustworthy, which is impossible). There have been many untrustworthy people on the site who use the faulty verification system to their advantage to pose as trustworthy individuals. One recent and extreme example of this is the rape incident that occurred via CouchSurfing. Now obviously this is a problem that could affect any of the sites. The difference here though is how the other sites would react to the problem and how CouchSurfing reacted to the problem. It seems that the victim reported the offender to CouchSurfing in March, who chose not to react and left the profile enabled for many months until August. That really is unacceptable, and at the least an investigation should have been conducted. I am aware that the offender’s profile was not verified, however if CouchSurfing cannot bother to remove the offenders when people actually report issues then how can they be trusted to vet new members of the community? There is an interesting discussion with more links on the OpenCouchSurfing website.

The verification system is completely useless as all it does is process a credit card payment and send a postcard. There is absolutely nothing stopping me from staying at someone’s house and using a stolen credit card sent to my host’s address. Unless that $25 charge is reported as fraudulent I will have been considered verified. Otherwise I could legally use a prepaid credit card at an address I was staying at and be considered verified? The system verifies nothing and scams users, however since it makes money for CouchSurfing it is treated as a priority. To quote from a volunteer who felt he had to resign because of the dishonesty: “The push to hit up members within their first few hours of joining is an attempt to raise funds, not to make the system safer. Period. It’s for money.” Casey wrote a statement as a follow up to Bryan’s resignation letter, a copy of which and subsequent discussion can be read here. To then quote from the CouchSurfing Terms of Service: “Because user verification on the Internet is difficult, we cannot and do not confirm each user’s purported identity.”. That seems reasonable and may be fine, except for the fact that every new user is pressured after joining and logging in to pay for verification, and informed that “Getting verified means that CouchSurfing has checked your identity and confirmed your location. It allows members of the community to feel more confident hosting you or surfing with you.”. Quite different from the reality and very obviously false and misleading. This is obviously fraud, the only question is whether or not it is intentional.

This is clearly wrong: as CouchSurfing is charging for this service, they should actually have a responsibility to provide a service. I genuinely hope they get taken to court at some point. Their verification system is nothing more than a way to enforce a mandatory donation veiled under a false sense of security to suck in new users who are excited by the idea of hospitality exchange. People who don’t know any better will assume the CouchSurfing staff have actually done some verification, when all they have done is successfully process a credit card payment. I think the vouching system CouchSurfing has is far superior to their verification system and should be expanded, rather than defrauding naive users out of their money. It costs nothing and is far more reliable than the verification system they try to push on everyone. Unfortunately at the moment it is very limited given the amount of members CouchSurfing has. It is also interesting to note that the verification fee is charged on a sliding scale. Oddly enough this does seem to have good intentions behind it, with the only problem being it is treated exactly like a donation rather than the safety measure it purports to be. If verification is going to be charged on a sliding scale then it should be based on the incident rate of countries that would affect travelers, not the country’s PPP which is meaningless to individuals.

It is also prevalent on CS that some younger people will only host people of the same sex. This can be quite frustrating when someone agrees to host you and then has to rescind that offer because their roommate won’t host people of the opposite gender. There is nothing open minded or inviting about such a backwards attitude and it has no doubt developed because of the people that try to use CouchSurfing just as a dating or sex site. If the verification or reference system were worth anything, this attitude would probably not have developed on CouchSurfing, going by the fact it seems almost non-existent on the other hospitality exchange sites.

Privacy Concerns

One of the most disappointing things about CouchSurfing is their privacy policy. Their terms of service are remarkably abusive, granting CouchSurfing complete control of all of your private messages, photos or any uploaded contents for any use whatsoever, for the rest of everyone’s lives. It is bad enough that CouchSurfing will take control of your data this way, but what’s worse is that there is absolutely no warning or notification at all. If I upload photos to any site, I expect to retain control over them unless that is an unreasonable expectation, depending on the site. For a site like CouchSurfing, it is not at all an unreasonable expectation, yet they have unreasonably defied it.

What is more is that you have no ability to remove content once it is uploaded. There is absolutely no way to permanently delete messages sent on the site. People may have every expectation of privacy, when sending private messages to other members, yet there is no way to delete these messages and ensure that they remain private. It may be acceptable to retain messages for a fixed amount of time for legal reasons, but there is no reason CouchSurfing needs to retain your messages from 5 years ago. I have to wonder with all the financial fraud going on with CouchSurfing, if data is being collected just so it can be sold at a decent price.

I am aware of at least one instance where this became a problem. There was a user accused of stealing from a host who may or may not have done so. This user had a great many positive references and just this one negative reference. Despite no police report being filed, this user’s account was deleted. There was no right of appeal; the word of the user who made the claim was accepted regardless of any evidence. Now this user was left with his photo and name appearing in search engines accusing him of a crime, with no recourse to defend himself. It was only by making legal threats under the DMCA and contacting CouchSurfing’s hosting provider that the damaging material was able to be removed.

If people have a problem with a user breaking the law they should go to the authorities, not sully their reputation with lies on a social networking site. I don’t blame CouchSurfing for the fact that some people will do this, however I do blame them for condoning and allowing this behavior. If CouchSurfing deletes a profile, then they should delete the profile in its entirety. Simply barring access to it and allowing for people to leave whatever references they like is a bad situation which basically amounts to slander. I have heard of many variations of this happening and it needs to stop.

The privacy page has obviously not been updated since it was originally written as it still refers to Netscape Navigator as a primary browser. Is this further evidence of money not being spent properly? Surely with the some $20k that goes toward legal expenses they could make sure to have an updated Privacy Policy? The Privacy policy states that “If a user’s personally identifiable information changes (such as your zip code), or if a user no longer desires our service, we will endeavor to provide a way to correct, update or remove that user’s personal data provided to us.”. This obviously contradicts the experiences of the people above, and more importantly contradicts the terms of service where information will be retained perpetually. Is this a further example of fraud and misleading people, or just incompetence?

When a user on the site who does not know any better uses the site to send or delete a message, or upload a photo, they have a reasonable expectation that their message will be deleted or their photo will not be abused. I’m sure many people would be surprised and rightfully angered if they realized they had no way to delete messages, and that any photo they uploaded could be used any way CouchSurfing desired, against their wishes. At least a warning that you sacrifice all control when uploading a photo would be nice.

References and the lack of a dispute resolution process

Another large problem is the current referencing system. If it were left alone then it would be useful, as people would be able to judge a person based on the references left to them. As it stands however it is all but useless, as the ambassadors and volunteers will remove the negative references that any of their friends ask them to. Likewise if you are a new member with none or very few references and wish to leave a negative reference for an established member, it is almost a certainty that your reference will be removed while their negative reference will be allowed to remain. Despite all the talk of an open community this is the exact type of behavior that keeps it closed and untrustworthy.

There is a quite recent example of the problem I am describing here. In this situation a user with many positive references and an excellent track history had their profile deleted without any chance for appeal, and without anyone bothering to hear both sides of the story. There is one idiot ambassador in New York, Rachel, who tends to delete profiles of anyone her friends ask her to, so I wouldn’t be surprised if she was at fault here as well. There is also a good example here as well as an interesting discussion about account deletions on CS. Basically the policy CS has in place is not to delete an account unless they have some notification from the police. To quote from the FAQ on member disputes: “If we receive a police report about another member, we are obligated to remove them from the community.”. This does not have to be a police report nor does there have to have been an actual investigation – all they require is that the authorities were contacted in some form. This policy shows all signs of being in place to protect CouchSurfing, not the members who invest time and money in the site. With the current policy anyone could go to the authorities and file a complaint, true or not, and this would be sufficient to have their account removed. There are a great many users who have almost all negative references and are a bane on the community, but people with many good references can be removed simply because someone made a nonsense complaint to a police mediator? This is not acceptable – a community as large and dedicated as CouchSurfing’s deserves a proper dispute resolution process with a right of appeal.

Another good example of this is Thomas the Australian who was based in Edinburgh for a while who I am sure many people are familiar with. Thomas was verified and had many positive references. Thomas would tell anyone and everyone they could stay, because he was hoping to get many good references for an upcoming trip around Europe. When these people turned up and were turned away because he had nowhere for them to stay, or every girl got sick of him trying to have sex with them, they rightfully left a negative reference. However because Thomas was verified, and had positive references he managed to get these negative references removed. Here this faulty cash based verification has replaced the more natural and accurate personal reference validation system. If Thomas’ many, many negative references had rightfully remained then people would have stopped wanting to stay with him and having their trips ruined as a result. The cash verification system would have been shown to be as useless as it is. This behavior is just unacceptable. How can anyone trust this site if all it takes is a convincing lie to get someone’s profile removed? How can anyone expect to take the site seriously without any kind of appeals or dispute resolution process? For a site with almost 2 million users that really is unacceptable, especially when many of them have probably paid something towards the site. The most recent example is from the 30th April. A female CouchSurfing member in Iceland had her profile deleted due to a misunderstanding, despite being verified and having a great many positive references and being vouched for. I contacted Sabrina who confirmed that she was not contacted or given any warning, and given no opportunity to give her side of the story and try to resolve any misunderstandings. To be so invested in a community to just be removed at a moment’s notice without any sort of due cause should not be acceptable.
Sabrina’s account was actually restored a few days later, in large part I believe because of the pressure my article has generated.

I also hate the hypocrisy of the current reference system that exists in part. Such a huge emphasis has been placed on the current reference system that people are encouraged to leave overly positive references for each other, even if they only talk for a few minutes. Collecting positive references has become some sort of obsession for a lot of users on the site. With positive references being handed out freely just for saying hello, and negative references removed as long as you know the right people, how is the current system to be trusted at all?

There is no avenue of appeal. It is completely CouchSurfing’s right to run their website and community however they like. However simply kicking people out of the community for no other reason than because a high ranking member dislikes someone is just lame. This has happened in many instances, with accounts being instantly deleted without explanation, without any avenue for people to defend themselves or tell their side of the story. All it takes is one member to be friends with any of the volunteer admins and an account can be removed. Any community as large as CouchSurfing should have some sort of decision checking in place rather than simply allowing people to be kicked out for no reason. If I put time and effort into a community and get attached to some of the members of that community, I would like to think that my position is somewhat safe – which is reasonable.

Much of the community feels the same way and there have been calls for a long time now for a transparent and democratic organization. I don’t think that the organization has to be democratic to work but it certainly should be open and transparent, even more so if it is allegedly operating as a charity. A necessary part of having an open and transparent organization would be a trustworthy dispute resolution process. The current system of one person forming an emotional opinion after hearing one side of the story isn’t sufficient, not for an organization approaching two million members. All parties must have the opportunity to present their case and the opportunity for appeal. However, CouchSurfing has consistently ignored the calls for these or similar measures to be implemented, which is another reason the alternative sites are so much more attractive.

Censorship

Recently in December 2009 one of the prominent CouchSurfing ambassadors decided to resign, citing many of the problems and dishonesty of the organization as reasons he felt he could not continue. In his original post he outlines many of the problems with the volunteer system, the abuse of funds, the useless verification system and the reference bias that exists.

The post above was basically deleted, with people being told it was moved to the Ambassadors Private section of the site while Ambassadors were unable to access the message. Only due to people’s outcry and the damage already done was the message restored. It is however a fantastic example of the organization’s behavior. A great many more messages and people are removed if the organization does not like what they have to say, and all too often they get away with it.

Alternatives

There are three alternative hospitality exchange sites to CouchSurfing, each of which differs in significant ways while still sharing the same basic principles. I have had extremely positive and quite negative experiences with each of these websites including CouchSurfing, all of which had to do with the particulars of the person I decided to stay with. It is always important to note that the particular experiences you have with the people you host or stay with from one site are likely not indicative of the rest of the people on that site.

One point about all of these sites with the exception of BeWelcome is that they are all under the control of a single individual, or a very small group of people. CouchSurfing is under the near exclusive direction of Casey, while Veit runs Hospitality Club and Adam looks after GlobalFreeloaders. I don’t actually have a problem with this, except in the case of CouchSurfing – only because they are less than honest about it. If the project is going to be run by a single individual then do so, don’t pretend you have a legally composed board of directors who oversee things and make decisions for the good of the community.

Some of these sites are more in line with my own views and philosophies than others, but none of them force any view on you and you can meet people of all types on each of the sites. I tend to prefer the people on GlobalFreeloaders as in my opinion they are more down to earth, but then I have had great experiences with Hospitality Club and appreciated people who were excited to share their culture without forcing it.

One interesting thing to note is the age demographics for the different projects. CouchSurfing has a user base with about 70% in the 18 to 29 range (coincidentally the ideal super-hippie age), while the rest of the projects have a far more diverse member base. While I generally do prefer to stay with people closer to my age, it is always a pleasant surprise to learn from someone quite a bit older, or teach someone quite a bit younger or vice versa. I somewhat feel this is less of a possibility with CouchSurfing as despite all their talk of meeting different kinds of people, it is the most vocal CouchSurfing members that are serving to recruit like-minded people.

What is interesting about each of these sites is that their popularity differs by region. CouchSurfing is consistently popular everywhere, simply because people hear about it more often. GlobalFreeloaders seems slightly more popular or equal to CouchSurfing in many cities in Australia and the UK. When I was in Greece a few years ago, Hospitality Club was without a doubt the most popular. Looking at the BeWelcome countries list they seem to be most active in Western Europe, with France and Germany alone accounting for almost a third of their entire membership base. I think it would be interesting to try and work out if there is any reason for this or if it is just dumb luck.

Hospitality Club

Hospitality Club was the first of the current hospitality exchange sites to launch in 2000. There had been other sites offering hospitality exchange before, but none of which were purely hospitality exchange focused as the current sites are. The site currently has 328629 members and has a very active volunteer base. Hospitality Club seems closer in spirit to GlobalFreeloaders than CouchSurfing while still allowing for more detailed profiles and people to be messaged individually. The web interface is very simple and gets the job done, although it does seem out of date when compared to the newer sites.

The profile pages on Hospitality Club are quite detailed, allowing for a photo, residence and contact information as well as a short section on hobbies and interests. The majority of the profile is information that is relevant to staying as someone’s guest or meeting them, with the personal information being an indication rather than a life story as it is encouraged to be with CouchSurfing. One thing I would like to see added is that profiles become deleted or inactive if they have not been used for six months or so. If someone is not actively hosting or surfing then it doesn’t make sense to contact them, and at the moment that can be hard to establish.

The advanced search function of Hospitality Club works OK, but is nowhere near as flexible as the CouchSurfing search. It allows for you to search 3 fields at a time from a long list of fields, such as street, name, birthday…basically any of the fields in a user’s profile. This works well enough for finding specific users, but for searching potential hosts it’s pretty horrible. The way the Hospitality Club interface is designed, it works much better to browse by country as users are listed with a short description. However, due to the lack of a mass mail option it can be tedious to contact users and establish if they are able to host you and if they would like to or not.

Hospitality Club does not have a reference section as such, but simply a comment section that can serve the same purpose. It works fine and can give people an idea how people perceive a particular person, without being divided into positive and negative references, as we have seen the problems that that creates. One thing I did notice was the password reset form, which is just a horrible design. You have to remember both your username and email address…if you forgot either one the form will not work, and you will have to wait several days to hear back from a volunteer.

One excellent feature Hospitality Club has is that every registration is verified by a volunteer. This means that everyone on the site is a real person with a real address. What’s more, you don’t have to pay anything to prove that you are a real human being. Imagine that. Having said that, it was quite frustrating trying to sign up without a permanent address. Whoever was checking my input would not respond and I kept getting sent back a standard form reply regardless of what message I posted. I ended up putting an address I no longer used, so obviously the verification process does nothing more than satisfy the Turing Test. Honestly however, I think that is sufficient, with the members themselves bearing some responsibility for who they decide to trust.

Hospitality Club also has a unique feature in that there is a field for passport verification when you send a message to stay with someone. I’m not entirely sure what asking for the passport number is meant to do, and if someone is using a fake passport it will do absolutely nothing. However, in years of using the service and staying with people I have never once had anyone ask to check my passport. What might work better is if, as part of the free verification process (which could go for the other sites as well), you must submit a scan of your passport or other ID upon joining. It is not a privacy concern, as no additional information is being provided, just authentication of information already supplied.

An interesting bit of side trivia is that when Hospitality Club initially launched they actually tried to merge with the GlobalFreeloaders project, thinking it would be better to have one large project. Personally I am glad they stayed separate and that a project like GlobalFreeloaders exists.

Hospitality Club also provides a very basic forum for members to post on although in general this does not seem to be very active. If Hospitality Club updated their website and had some more modern features and a nicer interface I think it would be a main contender against CouchSurfing and BeWelcome. While it may have a dedicated volunteer base it is inevitably going to be outpaced by the alternatives due to the easier to use interface and added functionality. I would like to see all of the websites become more popular and the different communities evolve and interact, but if Hospitality Club does not update their site I feel the prettier alternatives will replace them, simply because people tend to be superficial and the prettiest site will win.

It is important to note that many people have accused Hospitality Club of censoring information, specifically for a while removing any references to CouchSurfing or BeWelcome. Another main criticism is that everything is controlled by Veit, although I don’t think this is necessarily a bad thing. I have personally never had any such experiences when using Hospitality Club, so I cannot comment too much. I will however point out the OpenHospitalityClub website and allow people to make up their own minds.

GlobalFreeloaders

GlobalFreeloaders was the second hospitality exchange site to launch after Hospitality Club in 2001. GlobalFreeloaders currently only has 74455 members, calculated from here. That page also shows the different registered members per country, which is interesting to see. No doubt one of the reasons GlobalFreeloaders has the smallest user base is due to the simple interface and lack of media attention. In a world dominated by flashy websites and Web 2.0 GlobalFreeloaders seems out of date. Considering that the site works perfectly and the member base is considerably down to earth and friendly, I think it is fine just the way it is.

In my opinion GlobalFreeloaders is the most honest of all the hospitality exchange sites in some ways. It is a no fuss and no frills service that offers exactly what the name implies: an easy way to find people to stay with around the world for free. Along with this come all the benefits of any of the hospitality exchange sites, but the emphasis is clearly on free accommodation. I really do like this site, and have made many great friends through it. One thing I do feel is an advantage of GlobalFreeloaders is that when friendships happen, they tend to happen naturally. Rather than reading MySpace-esque profiles and staying with people you think you might like, GlobalFreeloaders encourages the type of friendships that occur by talking to people, not just liking the same things or having the same opinions.

One of the very best features unique to GlobalFreeloaders is the ability to mass-mail the people in a given city. The way the interface works, you read a short description of each person and check the box next to the name if you would like to try and stay with them. At the end you write a message which is sent to everybody you checked, and the interested people write back. It is a very simple system and works amazingly well. The other sites only allow for individual messages at the moment, while many people on CouchSurfing expect an individually tailored message.

This is simply ridiculous. In many cities there may be at a minimum, 50 people available to host that you think you will get along with. Are you really supposed to write a unique message to each of these 50 people? There are only so many ways you can rephrase your introduction and ask to stay with someone. Besides, nothing is gained over the mass mailing approach except that people get to feel a bit special. Some people may point out that if you are going to stay with a person then you should take the time to write an individual message. Nothing is preventing you from doing this with the mass mailing system, as it is only the initial “are you free to host” message which is sent. When people reply back a private conversation is started and people can get to know each other this way.

I really would like to see this system adopted as it saves a lot of time and cuts to the chase, without losing any of the advantages of private messaging. For those that have a problem with this an opt-out option could be made available. This really is the best of both worlds, as the people who prefer to mass mail the initial message are probably going to get on better with the people who don’t mind receiving a mass mailed message and wouldn’t get on with the people that need to feel extra special.

BeWelcome

BeWelcome seems to be a very promising alternative, with the potential to deliver a service with the good qualities of the CouchSurfing interface without the invasive terms of service or fraudulent and abusive behavior that has come to define the CouchSurfing organization. BeWelcome promises democratic decision making and financial security – quite the opposite of the other hospitality exchange sites. BeWelcome only has about 8000 members at the present time, however looking at their stats page this number seems to be doubling roughly every year. BeWelcome was originally started by disgruntled Hospitality Club volunteers and was later joined by members of the OpenCouchSurfing project. There is quite a good history of how BeWelcome started on BeWelcome’s History of BeVolunteer page. As with CouchSurfing and Hospitality Club several serious allegations have been made against BeWelcome, although BeWelcome is kind of unique in that the allegations mainly come from a rival hospitality exchange site. Since BeWelcome forked from Hospitality Club it did not leave the best impression with some Hospitality Club members and the BeWelcome.info page exists to tell a different side of the story. As above I have no personal experience and so cannot really comment on the situation but by providing links to the various sites people can make up their own minds. One thing I will note is that on the BeWelcome.info page the website design and code is considered stolen despite the fact that all code is open source. Is there any technical reason Hospitality Club cannot still make use of the code?

Like Hospitality Club each new user account is verified by volunteers. This service is provided for free, and it actually verifies that it is a real person opening the account, and that they are who they say they are to an extent. This is a great advantage in that it is considerably less likely that there will be spammers or significantly untrustworthy people on the site. Of course it is not failsafe, but it is far, far better than verifying anyone who has access to a credit card.

The entire BeWelcome interface is very snappy, looking very aesthetically pleasing while being simple and clean. I really like the BeWelcome profile page for users. It is very simple, clean and effective. You can see a photo, accommodation offered, contact information and languages. There is also a comments system similar to that of Hospitality Club which lacks the positive and negative classifications that the CouchSurfing system has. This is a good thing. The extra functionality that the BeWelcome site offers really is quite impressive with support for a photo gallery, blog posts, a fully featured forum and trip organizer all of which are nicely tied into individual profiles.

The BeWelcome search is also very good. The advanced search allows for options like gender, minimum and maximum ages, how active users may be, and what type of accommodation if any they offer or if they are available to meet for showing around or a coffee or such. It also allows for sorting the results by various criteria such as last login or newest members. What I find amazing is that almost all of the functionality of the CouchSurfing search is replicated here in a much simpler and cleaner interface. The BeWelcome search page provides access to everything you would need to find hosts or guests while being remarkably simple and easy to use.

While GlobalFreeloaders and Hospitality Club have their own advantages, control of the projects rest with a few people. I don’t necessarily see a problem with this at all, however having an open community where changes can be voted on and implemented also has its own advantages. Out of all of the hospitality exchange sites, BeWelcome is the only service to promise this and it will be interesting to see how it develops.

Tripping

Tripping is the newest of the hospitality exchange websites having only launched in December of 2009. Despite this I feel that Tripping is the most interesting and promising of all the hospitality exchange sites. It has a very nice interface and feature set despite only being in beta, and best of all it is completely fresh – it isn’t tied to any of the existing networks. The reason I feel this is a good thing is because the other sites have all mostly had their own political scandals and interactions with each other which can give a bad impression and subtract from getting things done. Tripping is completely independent and growing fast without any of the infighting or politics which have held back the other hospitality exchange sites from unleashing their full potential. They currently have approximately 2000 members and appear to be growing fast.

Tripping does not currently have any kind of verification system as with CouchSurfing and Hospitality Club, although this is not a bad thing. A verification system in the style CouchSurfing implements is pointless except as a fund-raising exercise. Having additional checks such as including your passport number with requests, as Hospitality Club does, provides little additional protection in practice. The best form of verification for any hospitality exchange community is to allow the community to vet their members. Tripping facilitates this quite well with members being able to leave references to each other that can be marked as positive, negative or neutral similar to the CouchSurfing system. Tripping has also implemented an innovative confidential rating system. What this means is that if someone has a bad experience they can report their experiences or the person involved without fear of consequence. The rating will not be publicly available which helps to protect against false reports. Tripping will take all reports seriously and will investigate each one. I am unsure what type of dispute resolution Tripping has in place, however I think it is likely that all people involved in a dispute would be able to state their side of the story without fearing a random and not necessarily justified account deletion. I actually hope that Tripping modifies their current system to just having a comment system for profiles without weighting in order to avoid the sycophantic attitude towards references on CouchSurfing recurring, where they are treated as a commodity to be exchanged rather than a useful indicator of someone’s trustworthiness. The confidential ratings system is sufficient for dealing with troublemakers, while avoiding all of the problems associated with CouchSurfing’s system.

Tripping is also implementing the TripSafe program. The idea behind TripSafe is to eventually have a 24 hour hotline available to help Tripping members in emergency situations. If someone’s host doesn’t show up or is behaving inappropriately then they can contact the hotline and Tripping members will do their best to help. At the moment the program exists just as a contactable email address, although this will eventually be expanded as the site and community grow.

The Tripping website is very aesthetically pleasing and efficient, embodying everything that is positive about Web 2.0. I especially liked the signup page as an introduction to the site. It was very short and to the point in a good way, and had an option to identify yourself as a nomad. As someone who travels a lot and doesn’t always have a permanent residence that is quite a nice feature to see. The impression I got from the site straight away is that it is very simple and easy to use which is exactly how such a site should be. Tripping also has a very nice forum section with different forums for places and topics. As the site expands I have no doubt such basic features as chat and a photo gallery will be added – and I can’t wait. I was also very impressed with the Tripping profile pages. It shows a photo that fits neatly in with the rest of the page, as well as short sections for basic info such as occupation and hometown and room for a personal description or list of places visited. The profile page has tabs so you can see a person’s references, photos or friends. It states very clearly if you are available to host people or not, as well as your Tripping rating – although I am unsure what this refers to. Overall very intuitive and easy to navigate without having to give your whole life story.

The Tripping search function is very simple and efficient, allowing you to search by gender, age, location, name and to limit results to members with a photo. You can filter by recent activity, join date, age, name or country. This is a very simple search that works quite well for finding hosts. Tripping does not currently have an advanced search function, although I can’t really think of any functionality that is missing from the basic search. The search results show the member’s photo, gender, age and if they are available to host or not. It would be nice to have the ability to limit searches to people definitely available to host or not, but this is not essential. As with BeWelcome almost all the search functionality available in CS is available but in a much simpler and more efficient interface. The one feature I do hope Tripping adds is the mass mail feature. It would be ideal to be able to check many similar people who may be available to host to see if they are interested, rather than having to contact them all initially with the same basic request.

Tripping is currently in beta which means they are still developing their website and community, and people are still joining. For a brand new site and community they are doing remarkably well, and I am excited to see where they will be a year from now. The site is very active with contests and charity work. A recent example is Tripping organizing aid for people stranded due to the recent volcanic activity in Iceland. It’s nice to see an organization actually coordinating this effort with the money they have, as with CouchSurfing where people do the work and the organization gets the credit.

I asked a query about Tripping using the contact form and got a reply in less than 24 hours, which was a very nice surprise. This may be due to Tripping being quite young and so it is easier to respond to individual requests, however given the existence of the TripSafe program I think it is likely fast responses to users’ questions or problems will be a priority. I really am excited about what Tripping represents, which is an opportunity to be the most comprehensive CouchSurfing site out there. It’s a chance to do everything right this time, and to be everything that a site like CouchSurfing should have been. It’s definitely one to keep an eye on.

Crash at mine

I saw reference to this on the OpenCouchSurfing website, however I could not find any information on the project and it does not seem to exist in any meaningful way. It was said to be in development parallel to the BeWelcome project. From the name it sounds like it may have more of an emphasis on free accommodation in the same vein as GlobalFreeloaders, which I think would be a great thing. The more community and people orientated people could stick with BeWelcome and people more interested in saving some money and doing their own thing could use this, while both groups would be part of a larger overall community.

Conclusion

Despite my criticisms of CouchSurfing I have had absolutely amazing experiences through the site and have met terrific people through there. It’s a certain subset of the community I have a problem with, and to a far larger extent the actions of Casey and the organization itself. While I may not be able to stand Super-Hippies, I can always ignore them. I can’t ignore watching people think they are paying for a service and giving to a good cause and just watch them be taken advantage of. Due to the lack of transparency and legal questionability it is hard to recommend CouchSurfing at this time. Unfortunately sometimes that is hard to do because the massive user base is just too attractive. In which case at least be careful how you use it. If you upload photos, upload photos with someone else in them who didn’t agree to the Terms of Service. Exchange and communicate via E-Mail or IM almost as soon as making contact through CouchSurfing. Don’t pay for CouchSurfing verification at all, and rely on references. Just say hi to someone at a gathering and you’re sure to get quite a few. If at all possible, use the other sites until the numerous issues that plague CouchSurfing are resolved. I really hope that it won’t be too long before I can make a follow on post celebrating the fact that all of the issues have been resolved, and I can happily recommend the site to everyone.

References

  1. http://www.servas.org – Servas Open Doors
  2. http://www.couchsurfing.com – CouchSurfing
  3. http://www.hospitalityclub.org – Hospitality Club
  4. http://www.globalfreeloaders.com – GlobalFreeloaders
  5. http://globalfreeloaders.com/memberlocations.php – GlobalFreeloaders members and locations
  6. http://www.bewelcome.org – BeWelcome
  7. http://www.tripping.com – Tripping
  8. https://www.tripping.com/about/help/volcano – Tripping organizing aid for those stranded due to the Icelandic volcano activity
  9. http://www.walletpop.com/blog/2010/04/20/travelers-stranded-by-volcano-creatively-cope-with-lengthening-d/ – An article mentioning people getting help from Tripping while stranded due to Iceland’s volcano activity.
  10. http://www.opencouchsurfing.org – OpenCouchSurfing
  11. http://wiki.opencouchsurfing.org/en/One_page_OpenCS – A list of volunteers and their problems with CouchSurfing
  12. http://www.opencouchsurfing.org/2008/02/15/john-casey’s-style-indirect-manipulative-pulling-strings-from-behind-the-scenes/ – Interesting comments from a former volunteer about the organization and Casey’s influence.
  13. http://www.opencouchsurfing.org/2007/09/23/the-casey-fenton-show/ – Evidence of CouchSurfing pretending to be a 501(c)(3)
  14. http://www.opencouchsurfing.org/2009/12/01/verification-team-leader-resignation – The resignation letter of a volunteer, attacking Casey and the organization
  15. http://blog.steinwachs.net/index.php/2010/03/15/couchsurfing_a_terms_of_service_review – An interesting review on the CouchSurfing Terms of Service
  16. http://www.lonelyplanet.com/thorntree/thread.jspa?threadID=1840044 – An example of someone experiencing the worse side of CouchSurfing
  17. http://www.couchsurfing.org/group_read.html?gid=1906&post=3916983 – An example and discussion of CouchSurfing’s account deletion policy
  18. http://www.couchsurfing.org/mdst_faq.html#complaint – The CouchSurfing FAQ for member disputes
  19. http://www.couchsurfing.org/group_read.html?gid=7621&post=4446104 – A copy of Casey’s statement in reply to Bryan’s resignation letter, and a subsequent discussion with many people calling out the organization for being the sham that it is. That entire thread in fact is worth reading as it shows many members being fed up with the constant lies.
  20. http://www.couchsurfing.org/group_read.html?gid=7621&post=5423780 – Margaret explains CouchSurfing’s current charity and legal status on the Brainstorm: Redefined group in response to my original article
  21. http://www.couchsurfing.org/group_read.html?gid=7621&post=5423780#post5521000 – Margaret talking about Charity Navigator and calculating CouchSurfing’s rating as per the Charity Navigator methodology
  22. http://www.charitynavigator.org/index.cfm?bay=content.view&cpid=33 – The methodology Charity Navigator uses to evaluate charities, and which Margaret used above.
  23. http://www.couchsurfing.org/group_read.html?gid=7621&post=4446104#post4450387 – A post from someone pointing out how useless verification is and the legal questionability of CouchSurfing’s actions.
  24. http://www.couchsurfing.org/group_read.html?gid=7621&post=3926698#post4434383 – A detailed post talking about the legal concerns about the Board of Directors.
  25. http://www.couchsurfing.org/group_read.html?gid=7621&post=4446104#post4461122 – A post talking about the way donation money is used to buy beer.
  26. http://www.couchsurfing.org/group_read.html?gid=7621&post=3926698 – A post showing the frustrations of volunteers and their continued resignations.
  27. http://www.couchsurfing.org/group_read.html?gid=429&post=628471#post630656 – A message talking about CouchSurfing’s violations of New Hampshire law
  28. http://www.couchsurfing.org/group_read.html?gid=429&post=430011 – A message talking about illegal behavior and notifying the NH DA
  29. http://www.couchsurfing.org/group_read.html?gid=7621&post=3966676 – A discussion about CouchSurfing’s 501(c)(3) status on the Brainstorm: Redefined group
  30. http://www.couchsurfing.org/group_read.html?gid=512&post=5590686 – A very recent example about a member’s profile being unjustly deleted

Update 1 – April 8th 2010

I have substantially rewritten and expanded the article giving far more details on the criticisms of CouchSurfing as well as providing references where possible. I have also written more in-depth reviews of the alternative hospitality exchange sites.

Update 2 – April 12th 2010

I updated the article just to fix links that were corrupted due to non-Latin quotation characters corrupting the markup.

Update 3 – April 23rd 2010

I have updated the article to correct CouchSurfing’s status as a charity organization and to incorporate Margaret’s Charity Navigator results. I have also corrected the origin history of BeWelcome as diverging from Hospitality Club rather than being an initiative of OpenCouchSurfing and corrected the fact that Hospitality Club was the first of the mainstream hospitality exchange sites, not GlobalFreeloaders. I also reviewed Tripping as an alternative hospitality exchange site as I was not aware of it when I originally rewrote the article a few weeks ago.

Update 4 – April 25th/26th 2010

I have updated the article again – hopefully for the last time. I have made miscellaneous spelling and grammar corrections and added a review of Tripping, corrected the origin history of BeWelcome as well as including information on the allegations against Hospitality Club and BeWelcome. I also added more information to the fraud section based on Margaret’s postings in the Brainstorm: Redefined thread. I have added links to the original forms filed for CouchSurfing’s nonprofit status as well as further criticisms of the verification system. I also added a disclaimer about the term Super-Hippies, quotes from the CouchSurfing Terms of Service, information on the rape that happened via CouchSurfing, mentioned the “sex rooms” rumor and added sentences mentioning the extended functionality of BeWelcome, Hospitality Club and Tripping. Lastly I added further information and an example regarding CouchSurfing’s account deletions policy and subsequent behavior.

I would also like to make a disclaimer. I did not post my article on any of the CouchSurfing groups – I had no need to. I had enough people searching for things regarding CouchSurfing who were finding my article that made it consistently one of my most popular. I don’t know who posted the article to the CouchSurfing group but I thank them, as it resulted in a lot more traffic and an interesting discussion as a result.

I noticed that on one of the groups someone referred to my use of the term Super-Hippies as an ad hominem attack; I think this person needs to read my Stupid uses of English article.

I also found it interesting that many people were simply dismissing my article as someone who had had a bad experience and needed to vent. I think that this is just sad. I make several points in the article and I have a pretty clear divide between my opinions and the facts I present. To dismiss what I say because you simply dislike what it implies or what the truth may be is the exact behavior I attack in my article as being a problem in the CouchSurfing community. Just because someone does not like something does not mean they don’t have valid reasons to attack it – how does that line of thinking even make any kind of sense? I have to wonder if the people who defend CouchSurfing as soon as anyone says anything remotely bad about it are just suffering from horrible confirmation bias. They have invested either time or some amount of money in the site, and can’t allow anything to threaten their current view of the site. For some of these people the cost of even considering that the site is not what it appears far outweighs the benefit of being able to continue thinking positive thoughts, and that’s just fucked up.

Most of the CouchSurfing groups had some very interesting discussions and input, and it was interesting to see what everybody thought. While many people did not agree or felt I was wrong on some points, they did so in a mature way or gave counter-arguments. Unfortunately this cannot be said for the New York group. The New York group acted in a very childish manner, simply dismissing what I say and resorting to attacking me personally.

The worst thing about the New York group was that the general attitude can be summed up by one of the posters in that discussion: “I wouldn’t care if the founder of CS uses all of the money from verifications to buy cocaine. What I do care about are the amazing friends I’ve made from this website.” It saddens me that people cannot see what is wrong with that line of thinking. It seems that as long as everyone gets something good out of the site they don’t care how many other people get conned or disadvantaged. It is amazing how people can appear so selfless and trusting but when push comes to shove, it is shown they are only interested in what is good for them. Which is just a shame.

Update 5 – April 30th 2010

I have updated the article to include a reference to yet another case of an account being deleted without any due cause or process, despite this member having done nothing wrong, being verified and vouched for and having a great many positive references. This was mentioned on the Iceland CouchSurfing group on the 30th of April. A few hours after I updated this page with a link to the thread an ambassador posted a response stating that while it was regretful what had happened, fair warnings had been given months in advance and the safety team certainly does not remove accounts without really investigating things first. Going by everything that I have seen and heard, I find this really hard to believe. The person who started the thread is adamant that the user was not adequately warned or given a chance to tell her side of the story. Regardless of whether the account removal was justified or not, the user should have been able to give her side of the story. It would be nice to ask the member herself if she had a chance to give her side of the story and if she felt she had been warned or not. This example shows again why there is a need for proper dispute resolution available to CouchSurfing users. At the moment it is not enough to simply take the word of CouchSurfing that they thoroughly review all cases and give warnings, given their past behaviours and everything else weighing against them.

Perhaps it is time to start a CouchSurfing Watch or something….

Update 6 – May 2nd 2010

I have modified the article to reflect the fact that the last example of an account being deleted is no longer accurate, as the account has been restored. I know that this is not the normal behavior for when an account gets deleted and I would like to think that part of the reason this happened is because my article has generated some pressure. It is worth noting that I contacted Sabrina herself (the owner of the deleted account) who stated that she had received no warning and her account was simply deleted. After creating a second account to try and explain the situation, this account was removed also. If I had not written this article, then I think it would be unlikely that Sabrina’s account would have been restored.

I also added a link to the allegation of “sex rooms”, updated the details of the rape incident with a more specific timeframe and removed the contest refer request for Tripping.

Update 7 – May 4th 2010

I have given a link to Casey’s reply to Bryan’s resignation letter directly after where I mention it in the article text. I removed the link from the OpenCouchSurfing website titled “Why sponsoring CS doesn’t work”. The account given as an example is available for viewing here and is clearly not verified at all. I could have sworn it appeared to be when I included it but it clearly is not now.

I also posted a single message to the Europe group on CouchSurfing. Many people have been creating fake profiles to post my account, and I was sick of the allegations that it was me. I have posted a response to some of the claims made against me, and used the opportunity to correct some misconceptions about myself or my intentions and to respond to some of the negative claims made on the groups in general.

January 23, 2010

Yeerks and the Goa’uld – Similarities just coincidence?

Filed under: Entertainment — allthatiswrong @ 4:57 am

When I was younger, I loved reading the Animorphs series of books by K.A. Applegate. They were basically about a group of young teenagers who were given the ability to morph into any animal to combat an invading alien force. The invading aliens were called Yeerks and were distinct in a number of ways. They were described as a type of slug, which would enter a host from the ear and take over complete control of the host, having access to the host’s memories and personality, and being able to masquerade as the host in every way.

I did not start watching Stargate SG1 until 2007, where I immediately noticed a similarity between the Goa’uld and the Yeerks. The Goa’uld were also a parasitic type of slug, which would enter a host and take control while having full access to the host’s personality and memories.

There are some important differences between the two aliens. The Yeerks can only survive in a host for 3 days at a time, after which they must go to a special pool where the host body is temporarily imprisoned, and the Yeerk will reenergize by absorbing Kandrona rays. A Goa’uld by comparison has no such need to leave a host body once in place, and can survive as long as the host is nourished. Appearance wise, a Yeerk is described as being a small gray slug about six inches long, which flattens out and encompasses a host brain. A Goa’uld instead seems to attach mainly to the spine, and specific parts of the brain, and resembles a type of snake more than a slug.

A Goa’uld also will heal faster, and make the host stronger than it otherwise would have been. They also have the ability to make the host’s eyes glow while speaking in an unnatural voice the host would be unable to speak in otherwise. It is also important to note that the Goa’uld were shown to only be able to take control of humanoid aliens, while Yeerks were able to take control of anything that had a single large enough brain.

There is also an interesting parallel between the Yoort and the Tok’ra. In SG1, the Tok’ra are a separate faction/species from the Goa’uld, who have evolved/chosen to be symbiotic rather than parasitic. They only take hosts who are willing to take them, taking advantage of having a constant companion and access to a lifetime of knowledge. Similarly, the Yoort in Animorphs were a separate faction or subspecies of the Yeerks who had evolved to be symbiotic with another species, the Isk, to the point where one cannot live without the other.

Animorphs premiered in June 1996 while Stargate SG1 followed a year later, premiering in July 1997. The similarities and timing of both of these types of aliens seem like they could be more than just coincidental. The Goa’uld were not mentioned, referenced or even implied in the movie, and were created purely for the spinoff TV show. There seem to be more differences than similarities between Yeerks and the Goa’uld, although I cannot help wondering if the creators of SG1 drew their inspiration from Animorphs. All the more likely, there is a far more famous and common precedent in literature, and I am just not aware of it.

January 20, 2010

The insecurity of OpenBSD

Filed under: Security — allthatiswrong @ 11:29 pm

Table of Contents

Introduction
Secure by default
Security practices and philosophy
No way to thoroughly lock down a system
The need for extended access controls
Extended access controls are too complex
Conclusion
References

Introduction

Firstly, I would like to apologize for, and clarify, the title of this article. I wanted to use a title which would hold attention and encourage discussion while remaining true to the argument I make. I certainly don’t mean to imply that OpenBSD is a horribly insecure operating system – it isn’t. I do however need to highlight that OpenBSD is quite far removed from a secure operating system, and will attempt to justify this position below.

To start, we must clarify at a bare minimum what a secure operating system can be considered to be. Generally, this would be taken to mean an operating system that was designed with security in mind, and provides various methods and tools to implement security policies and limits on the system. This definition cannot be applied to OpenBSD as OpenBSD was not designed with security in mind and provides no real way to lock down and limit a system above standard UNIX permissions, which are insufficient.

Despite this OpenBSD is widely regarded as being one of the most secure operating systems currently available. The OpenBSD approach to security is primarily focused on writing quality code, with the aim being to eliminate vulnerabilities in source code. To this end, the OpenBSD team has been quite successful, with the base system having had very few vulnerabilities in "a heck of a long time". While this approach is commendable, it is fundamentally flawed when compared to the approach taken by various extended access control frameworks.

The extended access control frameworks that I refer to are generally implementations of MAC, RBAC, TE or some combination or variation of these basic models. There are many different implementations, generally written for Linux due to its suitability as a testing platform. The most popular implementations are summarized below.

  • SELinux is based on the FLASK architecture, is developed primarily by the NSA, and ships with some Linux distributions by default, such as Debian and Fedora. SELinux implements a form of MAC known as Domain and Type Enforcement.
  • RSBAC is developed by German developer Dr. Amon Ott, and is an implementation of the GFAC architecture. RSBAC provides many models to choose from such as MAC, RBAC and an extensive ACL model. RSBAC ships with the Hardened Gentoo distribution.
  • GRSecurity is not primarily an access control framework, but a collection of security enhancements to the Linux kernel, such as JAIL support, PID randomization and similar things, as well as having an ACL and RBAC implementation.
  • AppArmor is a simple yet powerful MAC implementation, which relies on pathnames to enforce policies. Relying on pathnames is a weaker approach than that used by the above frameworks; however this is considered acceptable because it is easier to use. AppArmor ships with and is enabled in versions of Ubuntu and OpenSUSE.

There are other simpler implementations such as SMACK and Tomoyo which are officially in the Linux kernel, as well as implementations for other platforms such as TrustedBSD and Trusted Solaris. Each of these access control frameworks provides for additional security to be set up when compared to what can be done with OpenBSD by default.

Secure by default

OpenBSD is widely touted as being ‘secure by default’, something often mentioned by OpenBSD advocates as an example of the security focused approach the OpenBSD project takes. Secure by default refers to the fact that the base system has been audited and considered to be free of vulnerabilities, and that only the minimal services are running by default. This approach has worked well; indeed, leading to ‘Only two remote holes in the default install, in a heck of a long time!’. This is a common sense approach, and a secure default configuration should be expected of all operating systems upon an initial install.

An argument often made by proponents of OpenBSD is the extensive code auditing performed on the base system to make sure no vulnerabilities are present. The goal is to produce quality code as most vulnerabilities are caused by errors in the source code. This is a noble approach, and it has worked well for the OpenBSD project, with the base system having considerably fewer vulnerabilities than many other operating systems.

Used as an indicator to gauge the security of OpenBSD however, it is worthless. The reason is that as soon as a service is enabled or software from the ports tree installed, it is no longer the default install and the possibility of introduced vulnerabilities is equal to any other platform. Much like software certified against the Common Criteria, as soon as an external variable is introduced the certification, or in this case the claim, can no longer be considered relevant.

It is important to note also that only the base system is audited. The OpenBSD ports tree is not audited, and much of the software available in the ports tree is several releases behind current versions, meaning that there is a strong possibility that software will be obtained from outside of the ports tree. Given that a default install of OpenBSD has all network services disabled by default, it is very likely that software will be installed or a service enabled if the server is going to be used to actually provide any kind of service.

Since the majority of attacks are not against the base system but against software operating at a higher level actively listening over the network, it is likely that if an OpenBSD machine were attacked, it would be through such software. This is where OpenBSD falls down, as it provides no means to protect from damage in the event of a successful attack.

Providing a default secure configuration is an important practice, and one that is employed by the majority of operating systems these days. OpenBSD followed this practice in the early part of the last decade when most other operating systems did not bother, and for that the OpenBSD team should be praised. While it is a good practice it is specious at best to take this as a measure of the actual security OpenBSD provides.

It should also be noted that the OpenBSD team uses a different definition of security vulnerability, limited to vulnerabilities that allow for remote arbitrary code execution. While most people may consider a DoS attack or local privilege escalation problems to be vulnerabilities, the OpenBSD team disagrees. If we use a more generally accepted definition of security vulnerability, OpenBSD suddenly has a far greater number than two remote holes in the default install in a heck of a long time.

Security practices and philosophy

The OpenBSD team seems very reluctant to actually admit security problems and work towards fixing them. One such example is this CoreSecurity advisory from 2007. Instead of working and testing to see the extent of the damage that could be caused by a particular vulnerability, they prefer to dismiss and assume arbitrary code execution is impossible until pushed by Core releasing proof of concept code to show otherwise. This is similar to behavior observed by many corporations. Unfortunately this seems to be typical behavior rather than an exception going by the various mailing list threads when a vulnerability is reported.

OpenBSD was never designed with security in mind. OpenBSD was started when Theo de Raadt left the NetBSD project, with the goal of providing complete access to the source repositories. The focus on security came at a later stage, along with the “secure by default” slogan. As noted above, a secure operating system is not synonymous with a lack of vulnerabilities, and certainly not with a lack of vulnerabilities limited to the base install. This should be contrasted with the various extended access control frameworks, which despite being patches to an existing project, were designed from the ground up with a focus on security.

OpenBSD by itself contains a feature set similar in comparison to the GRSecurity patch for Linux without the ACL or RBAC implementation. GRSecurity and the Openwall project actually pioneered many of the protections that occurred later in OpenBSD such as Executable Space Protection, chroot restrictions, PID randomization and attempts to prevent race conditions. OpenBSD is often credited with pioneering many advances in security when this is not the case. OpenBSD tends to add protections much later, and only when absolutely necessary as they continue to erroneously believe that eliminating vulnerabilities in the base system is sufficient.

It is also odd that for a project that claims to be focused on security, sendmail is still their MTA of choice and BIND is still their DNS server of choice. Sendmail and BIND are old, and they both have atrocious security records. To look through OpenBSD’s security history, many of the vulnerabilities can be attributed to BIND or Sendmail. Why would anyone choose these programs for a security focused operating system, when far more secure alternatives designed from the ground up to be secure are available? Examples might include Exim or Postfix and MaraDNS or NSD.

It is interesting to compare OpenBSD to its cousin, FreeBSD. While FreeBSD does not claim to have a focus on security, it is in fact a far more secure operating system than OpenBSD due to its implementation of the TrustedBSD project’s work. FreeBSD implements proper access control lists, event auditing, extended file system attributes, fine-grained capabilities and mandatory access controls which allow for a system to be completely locked down and access controlled as necessary to protect against users or break-in attempts.

Despite the TrustedBSD codebase being open and available for OpenBSD to implement or improve, they reject it simply because they consider it to be too complex and unnecessary. Even if the OpenBSD team did not want to implement extended access controls they could implement proper auditing through the OpenBSD project, which they still reject as unnecessary.
It is no wonder then that when governments or organizations look for a secure operating system, they look to systems that have proper access control lists and auditing, something OpenBSD is not concerned about. A good example of this is China choosing FreeBSD as the base of their secure operating system, as OpenBSD was considered insufficient to meet the criteria.

The library calls strlcpy and strlcat should also be mentioned here. These library calls were developed by Todd Miller and Theo de Raadt as a way to eliminate buffer overflows by ensuring strings are always null terminated. However this approach is controversial, and can actually result in more problems and security vulnerabilities than they solve. While they may have their place, they should certainly not be relied on, and doing so shows a poor understanding of computer security.
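The usual objection to these calls is silent truncation: the result is always NUL-terminated, but it may no longer be the string the caller meant. The following is an added example, not code from the original article or from OpenBSD; `demo_strlcpy` and `demo_strlcat` are stand-ins written to the documented strlcpy/strlcat semantics so the block compiles where libc lacks them, and the paths are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in with strlcpy semantics: copy at most size-1 bytes, always
 * NUL-terminate when size > 0, return strlen(src) (the length it tried for). */
static size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);

    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Stand-in with strlcat semantics: append within size, return the length
 * the full concatenation would have had. */
static size_t demo_strlcat(char *dst, const char *src, size_t size)
{
    const char *end = memchr(dst, '\0', size);
    size_t dlen = end ? (size_t)(end - dst) : size;

    if (dlen == size)
        return size + strlen(src);
    return dlen + demo_strlcpy(dst + dlen, src, size - dlen);
}

/* Return values ignored: no overflow, but a result that does not fit is
 * silently cut and may name a different file than intended. */
static void build_path_unchecked(char *out, size_t size, const char *dir, const char *name)
{
    demo_strlcpy(out, dir, size);
    demo_strlcat(out, "/", size);
    demo_strlcat(out, name, size);
}

/* Hardened form: a return value >= size means truncation, which is
 * treated as an error instead of being used. */
static int build_path_checked(char *out, size_t size, const char *dir, const char *name)
{
    if (demo_strlcpy(out, dir, size) >= size ||
        demo_strlcat(out, "/", size) >= size ||
        demo_strlcat(out, name, size) >= size) {
        if (size > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[26];  /* constructed: deliberately too small for the sample name */

    build_path_unchecked(path, sizeof path, "/var/spool/app", "report.txt.quarantine");
    printf("unchecked: %s\n", path);
    if (build_path_checked(path, sizeof path, "/var/spool/app", "report.txt.quarantine") != 0)
        printf("checked:   rejected, result would not fit\n");
    return 0;
}
```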

No way to thoroughly lock down a system

This is the main problem with OpenBSD, and what prevents it from being able to be considered a secure system. No matter how high the quality of the codebase or how free of vulnerabilities, there is no sufficient way to restrict access other than with standard UNIX permissions. OpenBSD team leader Theo de Raadt has openly stated that he is against anything more powerful such as MAC being implemented, which is a shame. There is no good reason to avoid implementing extended access controls when the greater security and control they provide is irrefutable.

OpenBSD does offer some basic protections to protect a running system, namely the chroot functionality, chflags and securelevels. The chroot implementation is a secure version much improved over the standard UNIX chroot, but still far lacking when compared to a proper jail implementation such as that provided by FreeBSD. The consensus among OpenBSD developers and community is that you can achieve the same result using chroot and systrace, which means they rely on a third party tool to implement a secure design that is present by default in FreeBSD, NetBSD and numerous other unices.

Securelevels are an interesting concept and they do help with security somewhat. Securelevels can only be increased, not decreased, on a running system. The higher levels prevent writing to /dev/mem and /dev/kmem, removing file immutable flags, loading kernel modules and changing pf rules. These all help to restrict what an attacker can do, but do absolutely nothing to prevent reading or changing database records, obtaining user info, running malicious programs etc. These protections do absolutely nothing to stop information leakage. Making files immutable or appendable only is a poor option when contrasted with the ability to prevent reading and writing/appending to only specific users or processes.

The OpenBSD project and community had access to a tool for policy enforcement named systrace. Systrace is a third party tool developed by Niels Provos, and has never been embraced by the OpenBSD team. Systrace lacks the versatility of a proper MAC implementation, and had similar weaknesses to AppArmor since it relies on pathnames for enforcement. Systrace is a form of system call interposition, which has been shown to be insecure.

The only software even close to a MAC implementation is rejected by the OpenBSD team, and is insecure. Despite this, systrace is still maintained and offered/recommended by the community as the preferred way to sandbox and restrict applications. Given this obvious deficit, it would seem even more prudent for OpenBSD to make use of the TrustedBSD project.

This is the main reason why OpenBSD is unable to offer a secure environment in the event an attacker is successful. Instead of implementing a form of extended access controls and ensuring the system is secure even in the event of a successful attack, they prefer to remove as many vulnerabilities as possible. This approach is naïve at best and arrogant at worst.

The need for extended access controls

The main argument against OpenBSD is that it provides very limited access controls. OpenBSD attempts to remove the source of vulnerabilities by producing quality code, and has such faith in this approach that very little is provided to deal with a situation when a machine is exploited, and root access obtained. Perhaps inevitably. It is this lack of access controls and protection mechanisms that prevent OpenBSD from being the secure system it is often credited as being.

It is also the reason the aforementioned frameworks such as SELinux and RSBAC have an inherent security advantage over any OpenBSD machine. Due to the use of some sort of MAC, RBAC, TE or other advanced access control used by these frameworks, a level of control is possible above that in traditional DAC systems. With a traditional DAC system, the user has complete ownership over their files and processes, and the ability to change permissions at their discretion. This leads to many security concerns, and is the reason most attacks can be successful at all.

When a computer is hacked, regardless of whether it is due to a drive-by download targeting an insecure browser on a user’s computer or a targeted attack exploiting a server process, the malicious process or user will inherit the access of the browser or process that was attacked. The prevalence of the DAC architecture throughout most operating systems is still the primary cause of many security issues today. With many server processes still running as a privileged user this is a large concern.

It is also something that is hard to fix without changing to a different design paradigm. Many of the technologies that were developed to help prevent attacks, such as privilege separation, executable space protection and process ID randomization, help but are not sufficient for a majority of cases. This is why the need for an extended access control framework is present. With the use of something like SELinux or RSBAC, the significance of individual user accounts or processes as an attack vector is decreased.

With these systems every single aspect of your system can be controlled to a fine grained level. Every file, directory, device, process, user, network connection etc can be controlled independently allowing for extremely fine grained policies to be defined. This is something that simply is not possible with current DAC systems, which include OpenBSD.

As an example of what is possible with extended access controls, a web server process running as root could be set to only have append access (as opposed to general write access available in a DAC system) to specific files in a specific directory, and to only have read access to specific files in a specific directory. If some files need to execute, then that file itself (or the interpreter if a script) can be restricted in a similar way. This alone would prevent web site defacement and arbitrary code execution in a great many cases.

On present systems using DAC if a targeted attack is successful and access to the root account is gained, there is nothing the attacker cannot do. Run their own malicious executables, alter files etc. This is why OpenBSD is necessarily less secure than any system making use of advanced access control frameworks, and also why OpenBSD is not a secure system. While OpenBSD has many innovative technologies that make it harder for an attacker to gain access, it does not provide any way to sufficiently protect a system from an attacker who has gained access.

It is possible for example to restrict something like perl or python with extended access controls. On OpenBSD if a user or an attacker has access to perl or python, then they can run whichever scripts they like. With extended access controls, it is possible to restrict only certain scripts to have access to an interpreter (and additionally make those scripts immutable), and prevent the interpreter from running at all unless called by those specific scripts. There is no equivalent fine grained granularity on OpenBSD.
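The web server and interpreter restrictions described above can be expressed as a small access-decision model. This is an added example, not code from the original article, SELinux or RSBAC: it is a simplified model of type enforcement layered on DAC, and every domain label, type label and path in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum op { OP_READ = 1, OP_WRITE = 2, OP_APPEND = 4, OP_EXEC = 8 };

struct subject { unsigned uid; const char *domain; };
struct object  { const char *path; unsigned owner, mode; const char *type; };

/* DAC: owner/other permission bits only (groups omitted for brevity).
 * uid 0 bypasses the check, and append is just another kind of write. */
static bool dac_allows(const struct subject *s, const struct object *o, enum op op)
{
    unsigned bits = (s->uid == o->owner) ? (o->mode >> 6) & 7u : o->mode & 7u;

    if (s->uid == 0)
        return true;
    if (op == OP_READ)
        return (bits & 4u) != 0;
    if (op == OP_EXEC)
        return (bits & 1u) != 0;
    return (bits & 2u) != 0;            /* OP_WRITE and OP_APPEND */
}

/* One type-enforcement rule: `domain` may perform `ops` on objects of `type`.
 * For OP_EXEC, next_domain is the domain the new program runs in. */
struct te_rule { const char *domain, *type; unsigned ops; const char *next_domain; };

/* Hypothetical policy for the web server in the text; all labels are made up. */
static const struct te_rule policy[] = {
    { "httpd_t",     "web_content_t",    OP_READ,   NULL },
    { "httpd_t",     "web_log_t",        OP_APPEND, NULL },
    { "httpd_t",     "webscript_exec_t", OP_EXEC,   "webscript_t" },
    { "webscript_t", "interp_exec_t",    OP_EXEC,   "webscript_t" },
    { "webscript_t", "web_content_t",    OP_READ,   NULL },
};

/* Default deny: no matching rule means no access, and uid is never consulted. */
static const struct te_rule *te_lookup(const char *domain, const char *type, enum op op)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct te_rule *r = &policy[i];
        if (strcmp(r->domain, domain) == 0 && strcmp(r->type, type) == 0 && (r->ops & op))
            return r;
    }
    return NULL;
}

/* The mandatory check is layered on top of DAC: both must allow the request. */
static bool mac_allows(const struct subject *s, const struct object *o, enum op op)
{
    return dac_allows(s, o, op) && te_lookup(s->domain, o->type, op) != NULL;
}

/* Domain the process ends up in after exec of `o`, or NULL if exec is denied. */
static const char *exec_domain(const struct subject *s, const struct object *o)
{
    const struct te_rule *r = te_lookup(s->domain, o->type, OP_EXEC);
    return (r && dac_allows(s, o, OP_EXEC)) ? r->next_domain : NULL;
}

/* Constructed sample objects and a web server process running as root. */
static const struct object index_html = { "/var/www/index.html",       0, 0644, "web_content_t" };
static const struct object access_log = { "/var/log/httpd/access.log", 0, 0644, "web_log_t" };
static const struct object tls_key    = { "/etc/ssl/private/site.key", 0, 0600, "tls_key_t" };
static const struct object form_cgi   = { "/var/www/cgi-bin/form.pl",  0, 0755, "webscript_exec_t" };
static const struct object perl_bin   = { "/usr/bin/perl",             0, 0755, "interp_exec_t" };
static const struct subject httpd_root = { 0, "httpd_t" };

int main(void)
{
    const struct object *objs[] = { &index_html, &access_log, &tls_key };
    const char *script_dom = exec_domain(&httpd_root, &form_cgi);
    struct subject script = { 0, script_dom ? script_dom : "none" };

    for (size_t i = 0; i < sizeof objs / sizeof objs[0]; i++)
        printf("%-28s write: DAC=%d MAC=%d  append: MAC=%d  read: MAC=%d\n", objs[i]->path,
               dac_allows(&httpd_root, objs[i], OP_WRITE), mac_allows(&httpd_root, objs[i], OP_WRITE),
               mac_allows(&httpd_root, objs[i], OP_APPEND), mac_allows(&httpd_root, objs[i], OP_READ));
    printf("httpd_t exec %s: %s\n", perl_bin.path, exec_domain(&httpd_root, &perl_bin) ? "allowed" : "denied");
    printf("httpd_t exec %s: enters %s\n", form_cgi.path, script.domain);
    printf("%s exec %s: %s\n", script.domain, perl_bin.path, exec_domain(&script, &perl_bin) ? "allowed" : "denied");
    return 0;
}
```

Under DAC alone the root-owned server process may overwrite every object listed; with the policy applied it can only read content, append to its log, and reach the interpreter through the one labelled script.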

Another way in which extended access controls can help is to protect against users. Even on a desktop system there is a significant security advantage. At the moment most malware requires or tries to obtain root privileges to do damage or propagate. What most people don’t realize is that even malware running as a normal user can do significant damage as it has complete access to a user’s files under the current DAC model. With some form of MAC, if a user decided to demonstrate the dancing pigs problem and run an untrusted piece of malware, it could be restricted from having any access to a user’s files or being able to make network connections.

Even Windows implements a form of MAC – Mandatory Integrity Controls. While not terribly powerful, and not used for much at the moment, it still provides increased protection and allows for more security than an OpenBSD box can provide. If even Microsoft can understand the need and significance of these technologies after their track record, why is OpenBSD the only project still vehemently rejecting this technology?

Extended access controls are too complex

Some people are of the view that extended access controls are simply added complexity, which increases the scope for vulnerabilities without providing any meaningful additional security. This position makes little sense. While it is true that adding extended access controls increases complexity, the meaningful increase in security cannot be denied. There are plenty of examples of exploits being contained due to such technology…exploits that would have allowed full access to the system if OpenBSD had been the targeted platform.

It has also been said such systems only serve to shift the attack point. Instead of attacking a particular piece of software, they simply have to attack the access control framework itself. This is simply a myth. While the frameworks themselves can be attacked and even possibly exploited, the increase in security far outweighs any risk. The extended access control framework can be extensively audited and made secure while allowing policies to be enforced. Having one relatively small section of code that is easily maintained and audited and responsible for maintaining security is not a decrease in security, but an increase.

Ideally, a proper extended access control framework would also be formally verified, as I believe is the case with SELinux and RSBAC, based on the FLASK and GFAC architectures respectively. This basically means that these systems have been mathematically proven to meet all of their specifications, making it extremely unlikely that it will be possible for the systems to fail in an unexpected way and be vulnerable to attack.

In almost 10 years, there have been no vulnerabilities reported for these major systems that allowed the framework to be bypassed. When there has been a problem, it has been due to poor policy. The example everybody likes to mention is the Cheddar Bay exploit that Brad Spengler (author of GRSecurity) made public in July 2007. It’s true that this exploit allowed for disabling SELinux, but this was due to a stupid policy that allowed address 0 to be mmapped for the purposes of allowing WINE to work. Only the RHEL-derived distributions were affected. This is not a valid example of the framework being vulnerable, and it certainly does nothing to discredit the technology as a whole.

Due to limitations of certain hardware platforms, it is possible that with the right kernel-level vulnerability, an extended access control framework could be subverted. These cases however are quite rare, and with the use of technologies like PaX they become even more unlikely to succeed. In fact, as of writing this article, I am not aware of any example of an extended access control framework being successfully subverted in this way. There are, however, examples of extended access controls successfully protecting against certain kernel vulnerabilities, such as SELinux preventing a /proc vulnerability that could lead to local root.

Some of these frameworks have been criticized for being too complex, in particular SELinux. While I don’t think this is entirely justified, as the SELinux team has made great progress in making this easier with tools such as setroubleshoot and learning mode, I can understand it may be a valid concern. Even so, it only applies to a specific implementation. RSBAC, which is just as powerful as SELinux, has far clearer error messages and is much easier to craft a policy for. Other implementations such as that of GRSecurity are far simpler yet again. The point here is that the technology is powerful and should be embraced, as the added security advantage is undeniable.

If complexity and user unfriendliness were the main concern the OpenBSD team had, then they could still embrace the idea while making the implementation simple to use and understand. Instead, they flat-out reject the idea, believing antiquated Unix permissions are more than enough. Unfortunately, in this day and age this is no longer the case. Security should not be grafted on; it should be integrated into the main development process. This does not mean patching in protections for specific attacks along the way, which is the approach favored by the OpenBSD team. The OpenBSD approach has resulted in a very impressive and stable fortress built upon sand.

Conclusion

While the implementation of various policy frameworks will mature and grow as needed, OpenBSD will remain stale. With a refusal to implement options for properly restricting users or a system in the event an attacker does gain access, the OpenBSD system will be considered a less reliable and trustworthy platform for use as a server or user operating system.

Extended access control frameworks should not be considered a perfect solution, or the be-all and end-all of security. There are still many situations where they are insufficient, such as large applications that necessarily require wide-ranging access to function properly. Even so, with the level of control they provide, these frameworks are the best tools we have to secure systems as best we can.

It is interesting to note that even with Linux not really caring about security and having a non-disclosure policy, things still end up being more secure than OpenBSD because of the presence of extended access controls. Being able to restrict access in such a powerful way reinforces that simply trying to eliminate all bugs at the code level, while noble, is an inferior approach.

As much as I am disappointed with the fix-silently-without-disclosure approach to security the Linux kernel project has taken since Greg K-H took over, and with having to rely on sites like xorl.wordpress.com to learn about security problems that were fixed, Linux is the only real project making progress with testing and improving extended access control frameworks. With continued development and support, the implementations will become easier to use and the problems eradicated until such technology is common, as it should be.

OpenBSD cannot be considered a secure system until it makes some effort towards facilitating locking down a system with more than the standard UNIX permissions model, which has been shown to be insufficient, and stops relying on the possibility that a system will be secure because all bugs have been removed. While well intentioned and accurate to a small extent, that approach is ultimately meaningless if even just one vulnerability is present.

The OpenBSD team consists of highly skilled programmers who have an interest in security and have shown excellent skill at auditing code and identifying and fixing vulnerabilities in software. Unfortunately, they have shown no interest in extending OpenBSD to implement extended access controls as almost all other operating systems have done, leaving their system inherently more vulnerable in the event of a successful intrusion. The OpenBSD team serves a useful role in the community, similar to dedicated security analysts or advisors, and for this they should be celebrated.

Note: I am aware that many people use OpenBSD for nothing more than a router, and for this it is indeed ideal. For use as a router, extended access controls would not provide much benefit. I wrote this argument, however, because many people seem convinced that OpenBSD has superior security in all instances, including as a network server or user operating system. I became tired of reading these comments and of people simply dismissing extended access controls as too complex and not providing any real security.

References

 

  1. SELinux – http://www.nsa.gov/selinux
  2. RSBAC – http://www.rsbac.org
  3. GRSecurity – http://www.grsecurity.net
  4. AppArmor – http://developer.novell.com/wiki/index.php/Apparmor_FAQ
  5. The TrustedBSD Project – http://www.trustedbsd.org
  6. Core Security OpenBSD Advisory – http://www.coresecurity.com/content/open-bsd-advisorie
  7. Marc Espie talking about security complexity and calling MAC security theater – http://thread.gmane.org/gmane.os.openbsd.misc/129217/focus=129371
  8. Theo de Raadt stating that MAC should not be included in OpenBSD – http://www.eweek.com/index2.php?option=content&task=view&id=30680&pop=1&hide_ads=1&page=0&hide_js=1
  9. An older similar argument on the OpenBSD misc mailing list – http://kerneltrap.org/OpenBSD/SELinux_vs_OpenBSDs_Default_Security
  10. A simple argument now out of date, that makes a similar argument without going into detail – http://www.seifried.org/security/os/20011107-openbsd-linux.html
  11. Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools – http://www.stanford.edu/~talg/papers/traps/abstract.html
  12. Exploiting Concurrency Vulnerabilities in System Call Wrappers – http://www.watson.org/~robert/2007woot/20070806-woot-concurrency.pdf
  13. Bob Beck talking about systrace – http://thread.gmane.org/gmane.os.openbsd.misc/160797
  14. China chooses FreeBSD as basis for secure OS – http://blogs.techrepublic.com.com/security/?p=1682
  15. An example of SELinux preventing an exploit on RHEL 5 – https://rhn.redhat.com/errata/RHSA-2007-0960.html
  16. Dan Walsh talking about SELinux successfully mitigating vulnerabilities – http://danwalsh.livejournal.com/10131.html
  17. The start of the thread where Brad Spengler’s Cheddar Bay exploit is introduced and discussed – http://thread.gmane.org/gmane.comp.security.dailydave/3905
  18. Details on the SELinux policy that allowed for the Cheddar Bay exploit – http://eparis.livejournal.com/606.html
  19. SELinux preventing a kernel vulnerability from succeeding – http://lwn.net/Articles/191954/
  20. A second example of a vulnerability that SELinux prevented, due to the users not having the required socket access – http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0127
  21. A Phrack article detailing the ways current security frameworks can be exploited, and how to prevent against this – http://www.phrack.com/issues.html?issue=66&id=15
  22. A primer on OpenVMS security, a highly secure OS designed with security in mind at every level – http://www.blacksheepnetworks.com/security/resources/openvms/
  23. Presentation introducing strlcpy and strlcat – http://www.usenix.org/events/usenix99/millert.html
  24. Start of a mailing list thread where strlcpy and strlcat are discussed and criticized – http://sources.redhat.com/ml/libc-alpha/2000-08/msg00052.html

Update 1 – January 23rd 2010

I have updated the article to talk about the benefit of formal verification, and address the possibility of an EACL framework being bypassed with a kernel vulnerability.

Update 1 – April 23rd 2010

I have updated the article to reflect the correct status of the Openwall project (i.e. not abandoned), thanks to a comment by Vincent.
