We found a new hosting facility that will allow us more freedom.
It will be a few days until we move servers again, but as of now, don't worry about your stories.
Hearty congratulations, Laz.
I'm sure this is at least as much a relief to you as it is to the authors affected.
You've handled this whole situation with grace, a touch of good humour, and a calm (if slightly exasperated) manner. I'm not sure I'd have done as well as you have in similar circumstances.
Kudos aplenty to you for that. And well done for finding a solution.
Does SOL have a category for this? ;)
In the category of "Best Erotic Webmaster" there is only one contestant. He gets my vote.
Thank you.
That's a mighty relief and we're grateful to you for going the extra mile.
AJ
So happy to hear this, and hope that it's not short-lived.
Is it OK to restore stories that were modified, or should we wait?
when everything is working as expected.
Is there a Clitorides category for Optimist of the Year? You'd get my vote. :)
Outstanding! Thanks! (Now I just need to review all my stories and add back the mt and ft tags.)
Congrats, that's great news, thank you for the hard work you put into resolving this issue.
Whew! I started trying to modify my stories, but had to just give up as in most of them the story is exactly that they're adolescent but empowered! So well done and thanks :)
Laz
Great news. Thank you for all the awesome effort you put into making this the best story site on the internet.
RickM
Doesn't affect any of my stories, but I'm glad to see that things seem to be working out favorably. I appreciate all the work that Laz puts into this site.
So does this mean we can put back some of our stories that have underage characters in them?
In theory, I'd say 'yes', but I'm waiting until the new guidelines are published.
Yes, but wait a few days until I get everything working correctly. I'll make an announcement.
We found a new hosting facility that will allow us more freedom.
Out of curiosity, can you tell us where the new servers will be located?
The IPs are behind Cloudflare.
storiesonline.net. 35 IN A 104.26.1.141
storiesonline.net. 35 IN A 104.26.0.141
storiesonline.net. 35 IN A 172.67.72.54
NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
Which isn't relevant to what I was asking.
Sure it is. That the IPs are with CloudFlare means the location of the actual servers is hidden, and you probably shouldn't expect an answer.
The physical location is still relevant if you want to know what nation's/jurisdiction's law would apply to the hosting provider/servers.
I'm not looking for a street or network address.
I understand, but even knowing that could be enough to trigger action by some NGO. Let them fight CloudFlare or GoDaddy (Cayman Islands) to get the info; it's not easy short of a Court Order.
I understand, but even knowing that could be enough to trigger action by some NGO.
I disagree.
Knowing the country tells you nothing about what company is hosting the servers.
And the kind of whisper campaign SOL just faced, they need to know what company SOL is using for server hosting but they don't need to know anything at all about where the server farm is located.
I disagree. Any piece of information can be the thread on which to pull to find the company. It's simply better to keep it all behind CloudFlare and let them deal with the morons. They're very effective at doing so.
I agree with Michael... at no part of this conversation is transparency going to help you... it just shows your opponent your weak points. Make them work for it, give up nothing for free... based on their existing attack vector, so long as you fall within a small window of parameters... you are guilty of something or another.
Well, let's say we learn the servers are housed in Canada. That's already all the information the NGO would need. Because there are only, like, seven companies who offer small-scale server housing in Canada. That's one afternoon on the phone to let all of them know: "There's this guy, here's his name, he's suspected of hosting child porn! If we find out you're hosting his stuff, we're gonna move against you".
And, just like that, we're back where we started Saturday.
So, no, please stop asking.
I only asked once, and Lazeez can answer or not as he sees fit. However, I will not stop defending the question as long as other people continue to attack me for asking it.
I will not stop defending the question as long as other people continue to attack me for asking it.
Well, aren't you the freedom fighter. Only problem is, nobody is attacking you, and certainly not for asking a question. We are arguing against answering the question you are asking, pointing out how dangerous it would be to indulge you, and politely asking you to stop tempting fate.
Only problem is, nobody is attacking you, and certainly not for asking a question. We are arguing against answering the question you are asking
I disagree with your arguments and yes, I view claims that I am doing something wrong by doing so as attacking me.
What you are asking me to stop is not asking the question, but arguing against your arguments why asking the question should not be answered.
Security by obscurity is an illusion.
First of all: No, it's not. You have a peeping-tom sitting in the tree in front of your bedroom window? Get fucking curtains. Problem solved.
Second of all: Nobody has claimed SOL would be "safe" if he keeps the location of his new hoster secret. What we are arguing, and what I have demonstrated in my earlier comment, is that publicly announcing the hoster's location would make it unnecessarily easy for anyone wanting to launch another smear campaign to directly target SOL, and Lazeez as a person.
Yes, people absolutely can call every single server housing provider on the planet to warn them about SOL... but are you really expecting anyone to do that? Announcing the country would narrow that down to an afternoon activity.
P.S.: Believing that disagreeing with you constitutes personal attacks is, frankly, cringy as fuck. Grow up. Now, see? THAT was an attack.
Believing that disagreeing with you constitutes personal attacks is, frankly, cringy as fuck.
I don't believe that disagreeing with me constitutes a personal attack.
I believe that saying I am doing something wrong, something that I need to stop by responding to your disagreement is a personal attack.
Yes, people absolutely can call every single server housing provider on the planet to warn them about SOL... but are you really expecting anyone to do that?
Yes, I believe that the kinds of people who engage in these kinds of whisper attacks are motivated enough to do that.
Announcing the country would narrow that down to an afternoon activity.
If that's true, do you really believe that doing it globally would take more than a month?
You have a peeping-tom sitting in the tree in front of your bedroom window? Get fucking curtains. Problem solved.
That's not security by obscurity, it's a physical barrier. It's not equivalent to hiding the location of the hosting provider.
An equivalent response for your peeping tom example would be attempting to keep which bedroom you use secret while leaving all the curtains open.
Security by obscurity is an illusion.
This is one of those useful pithy statements that is often drastically overstated and misused.
Everything you use a password for is 'security by obscurity'. Your password list is 'obscure', and that's the only thing that creates 'security'. Yes, passwords suck, we all know that, but not having them sucks more.
Public keys are the same thing. Your private key is secure because it is obscure. Let it get loose and no more security. The entire SSL/TLS system is based on the obscurity of the signing keys of the certificate providers.
Now, if I have a wide-open no-password ssh backdoor on my router on port 67890 (not a real port number, by definition), that's the sort of 'security by obscurity' that's an illusion. Only the port number - easily discovered by a sequential probing attack - is obscure. SSH is not obscure, nor do I have any other security mechanism.
On the other hand, if I put an ssh server on port 67890 that only works with SSH key access, and I've kept my private key obscure, that's reasonably secure. Any access path is more secure than no access path, but there are reasons one might wish to be able to connect to their router remotely.
Now, in this case, we're at a judgment call. Yes, there is a relatively small set of potential hosting companies. It's not entirely clear to me that Laz is using a 'small' hosting company, and there are big international hosting companies with not unreasonable rates offering Canadian hosting presence. But there are only so many targets.
Naming the hosting provider is definitely less secure than not naming the hosting provider. How much less secure is a judgment call, and it's up to Laz to decide if it's worth providing that information.
And, heck, maybe he's hosting it out of another country entirely and pretending it's in Canada. How would we know? There are countries whose laws would effectively amount to 'go pound sand' if anyone went after them for underage material, after all.
Naming the hosting provider is definitely less secure than not naming the hosting provider. How much less secure is a judgment call,
As to how much less secure in this specific case, I think the difference is negligible. And people telling me I'm doing something wrong by responding to their arguments the other way is not in any way convincing.
and it's up to Laz to decide if it's worth providing that information.
Exactly. And technically, my original question wasn't even where the new servers are located, but whether that was something Lazeez would/could share.
Everything you use a password for is 'security by obscurity'. Your password list is 'obscure', and that's the only thing that creates 'security'.
The security you get from passwords is and always has been minimal. It's like locking a screen door.
This is why for decades, companies have had rules requiring we change passwords regularly (90 days is typical).
But companies are moving away from this paradigm in favor of two factor authentication.
Even my bank has gone to TFA for customer facing on-line banking. Every time I log in to the on-line banking, they text my cell phone with a code I have to enter on top of the password.
This is why for decades, companies have had rules requiring we change passwords regularly (90 days is typical).
They finally figured out what I (and most security professionals) have known for ages - forcing regular change of a good, complex password that has never been used for another site actually decreases security. At some point, the person uses a pattern or writes it down. I saw this repeatedly during my career.
A long, randomly generated, non-reused password should only be changed in the event of some kind of breach or leak.
Passkeys are better, but nothing beats two-factor where the code is generated by a device in your possession. That prevents the completely insecure email recovery feature from being abused. SMS codes are not secure, nor are 'magic links' in email.
A strong password with two-factor (from a controlled device) is the best we can do at this point. Passkeys are very good when implemented correctly, but current implementations are lacking (in portability, in being cross-browser, cross-platform, etc).
I saw this repeatedly during my career.
I've lived it. I suck at remembering long complex passwords.
Bitwarden, 1Password, etc, are your best friends! You only need to remember one complex passphrase to unlock your gobbledygook passwords such as: 5k3vo7*qc7HalqmIe3GSVf2$
(Not one I ever have or will use, but generated by Bitwarden)
I use KeePass for work. The client has moved away from KeePass for official stuff, but it's still available for install so I set up a personal KeePass database.
Even my bank has gone to TFA for customer facing on-line banking. Every time I log in to the on-line banking, they text my cell phone with a code I have to enter on top of the password.
I hope for you something more is required to transfer funds. Almost any decent hacker, if he knows your GSM number, can read your SMS. That's the worst kind of 2FA security.
I hope for you something more is required to transfer funds.
Yes. They track what devices you access your account from and there are extra steps if you access your account from a new device.
An MS Windows update can be enough to trip the "we don't recognize this device" process.
The thing with SMS TFA is that with a cell clone they would have the same IMEI and SIM codes, so the bank would not know that there is another client getting the exact same SMS as you are getting. Now, anyone capable of cloning your cellphone, you can assume, would also be able to spoof your home network, and bingo, you are broke. Like others have said, the best available 2FA is a local device that provides a code based on an obscure code key that is only known by the people who build the security measures. BTW, I know a bit about security, both physical and digital, as the physical was my old job and the digital my last job.
The thing with SMS TFA is that with a cell clone they would have the same IMEI and SIM codes, so the bank would not know that there is another client getting the exact same SMS as you are getting.
The "we don't recognize this device" check goes by a different process, not via cell phone and SMS. And they don't have my PC.
Agreed. App and browser-based 'same device' fingerprinting relies on a wide range of factors and is surprisingly accurate. As long as the device ID itself is transferred securely (SSL/TLS or the equivalent), it's very hard to clone, even given identical hardware. Even harder if they're going to the extent of storing something in the device's secure storage (unlikely on a PC, entirely possible on a phone).
That counts as 'something you have' in the 'something you know, something you have' security model. Your device becomes a key itself, and no other 'identical' device will do to replace it.
The security you get from passwords is and always has been minimal. It's like locking a screen door.
I have more than a bit of a quibble with this. The security you get from bad passwords is and always has been minimal. A properly generated, unique, sufficiently random password, combined with a decent (non-observable) presentation method, is considerably more secure, at least on par with a physical house / car key.
In fact, a physical key is also exactly 'security through obscurity'; if you know the cut pattern, you can open the lock. Padlock codes are 'security through obscurity'. That doesn't mean locking your house or padlocking your bike / storage unit / whatever is 'locking a screen door'. Obscurity does fairly well when what's obscure is complicated and not easily guessed. Obviously, it's not perfect, but if 'security through obscurity' were useless, we would all just leave our houses unlocked. Most of us don't do that.
Yes, good TFA is considerably better than a password alone. No question about it. SMS is not particularly 'good TFA', but it's better than no TFA, if only marginally. Against a motivated actor, it's much more like locking that screen door, but most actors aren't all that motivated.
As already noted, password rotation rules are (fortunately) going the way of the dodo. They're marginally useful for people who use the same password on every site, because they lower the risk of a breach at one site later triggering a breach at a second, but using the same password on every site is locking that screen door.
Even my bank has gone to TFA for customer facing on-line banking. Every time I log in to the on-line banking, they text my cell phone with a code I have to enter on top of the password.
FWIW, banking in the UK has shown that a password followed by a cellphone code is actually less secure than two separate passwords.
AJ
Everything you use a password for is 'security by obscurity'. Your password list is 'obscure', and that's the only thing that creates 'security'. Yes, passwords suck, we all know that, but not having them sucks more.
Thank you, it's about time someone actually verbalised this.
It's not just passwords: any form of authentication is 'security by obscurity' by definition - it relies on partitioning the interactors between those who can provide the authentication token and those who cannot.
The rest, as @Michael Loucks points out, follows.
Now we may go back to our regularly scheduled content scare.
The point I agree with is that mere obscurity is not security. See my comment about ssh ports. Even with a password or key exchange, ssh is not particularly more secure when run on a nonstandard port - it's easy to do a port scan.
Putting a chain on your bike but not activating the code lock is insecure 'security through obscurity'. Activating the code lock is more secure 'security through obscurity'. Using a code lock with more digits is stronger 'security through obscurity'. In every case, the security is based on something obscure (the cable looking like a lock, the cable being locked, the cable being locked with a harder-to-guess code). You can bypass it entirely by cutting the cable, obviously, but that's a known failure mode.
The phrase was and is entirely valid within the domain of attacks it's meant to cover. If the 'obscure' thing is easily guessed or bypassed, mere obscurity does little. If the obscure thing isn't easily guessed or bypassed, and remains obscure even under an attack (e.g. network sniffers, perhaps at the ISP level, etc), it does plenty.
In the end, every security model has to have a way to get access. Otherwise, you might as well destroy whatever you're securing. So, as you said, every security model has some form of obscurity. Your fingerprint / retinal scan / face map / whatever is 'obscure'. If it's not obscure, anyone can reproduce it and that means of security is gone. Your TFA code generator is obscure. Clone it, and that's gone. Your safe deposit box key is obscure. Copy it, and someone might well get access to your stuff. And so on, and so forth.
However, I will not stop defending the question as long as other people continue to attack me for asking it.
With all due respect, I don't see how any of the earlier responses can be construed as an attack. There is nothing inherently aggressive about suggesting that answering your question might harm others.
While I understand and to some degree share your curiosity, the information is simply none of our business.
There is nothing inherently aggressive about suggesting that answering your question might harm others.
There is something aggressive about saying I need to stop responding to their suggestions.
They get to disagree with me, but I don't get to express any disagreement with them.
The fact that this thread includes over 30 exchanges and at least 10 separate posters (none of whom has demanded your silence) would seem to belie your claim.
However, if you truly feel you have been oppressed, it is not for others to deny it.
The fact that this thread includes over 30 exchanges and at least 10 separate posters (none of whom has demanded your silence)
From Sarkasmus at 3/31/2025, 1:02:19 PM
So, no, please stop asking.
You are wrong when you claim that no one has demanded my silence on this issue. And I never repeated the question. Sarkasmus was complaining about me responding to criticism of the question.
Yeah, I've been on the internet long enough to know all the stories of people who got identified and doxxed based on the most inconspicuous info they unintentionally leaked.
To prevent this crap from happening again, they should just keep quiet about it. I'm gonna assume it's in a jurisdiction that aligns with Canadian law, otherwise they wouldn't host it.
People knowing would just start this all over again
They would have to know what company is hosting the servers, not what country the server farm is located in.
Going either way, knowing one does not inevitably lead to the other.
Relief is right! Well done, that man, for finding a way out of that minefield.
I'm late to this party and would appreciate clarification about stories with settings in middle- and high-school; summer camps of all sorts; and coming-of-age. These have inherently under-18 participants. Are we going to have a desert for these characters, as in everyone now has to be in college or above or else working full-time? I'd appreciate hearing from you. Thanks, Pete
I'm late to this party and would appreciate clarification about stories with settings in middle- and high-school; summer camps of all sorts; and coming-of-age.
Don't worry. Everything is going back to the way it was.
I think people should think long and hard about how they approach ages in stories in the future.
SOL has a stay of execution for now, but the site is on this NGO's radar. They've done it once, they can do it again.
I think people should think long and hard about how they approach ages in stories in the future.
The problem is that there are artistically valid and interesting stories that involve lower age limits. That doesn't mean you need explicit sex - you absolutely don't! - but the word 'explicit' is lacking in definition.
If two 14-year-olds (totally age-appropriate and legal) meet and fool around, that's a reasonable story to tell. It's reality, it happens. And it matters a great deal if the 'fooling around' is e.g. first base, second base, third base, or a home run. It also matters which partner gets to which base - the bases, by themselves, don't give you that. A story where a girl engages in oral sex with a guy but the guy refuses to return the favor is very different from one where he dives right in, and that information needs to be communicated to the reader.
Now, nothing I wrote there is even vaguely 'explicit' in my book, and I don't see a problem with the story saying (in prettier language), 'I went down on him but he wouldn't go down on me, so I was a bit miffed with him.' That's not 'explicit'. There's nothing descriptive; it's 'tell not show'.
But some NGO will inevitably decide that's explicit, too, by their definition.
The problem lies in letting third parties with no legal standing dictate what art is acceptable. In reality, that will happen, but it's not something to give in to without a serious fight.
I will repeat my earlier 'Huzzah!'
Thank you, Lazeez, for your hard work and for finding a solution. It is greatly appreciated!
Wonderful news. Thanks for your diligence.
But now I have a problem. I was modifying a story for the character's age. In doing so, I made other changes that make the story better. But I have no way of merging those changes with the original version (which I thankfully kept on my external hard drive I use for backup). This is why I don't read my old stories. LOL
I would post the revised versions with the same title as the original followed by something indicating it's slightly different than before.
Thanks for the great work.
One thing this episode has taught me; Download any story I like right away so I don't lose it in the middle. I had two stories that I was in the middle of that got pulled by the authors. I generally don't start a story until it is complete.
Agree. For some time now, I've kept a copy of the stories I enjoyed reading. Looks like it was a good choice.
Thank you.
I've been looking for a replacement story platform for my stories that can't be fixed, and was unable to find anywhere suitable. Nothing was as simple and quick to load as this site.
It seems some authors have already removed some of their stories. Will they be notified that it is now OK to post? What about the stories that were already automatically deleted by you?
We found a new hosting facility that will allow us more freedom.
It will be a few days until we move servers again, but as of now, don't worry about your stories.
Very, very glad to hear this.
Lazeez,
I bet the site took a financial hit. Put up one of those yellow banners on the home page asking for donations and how to donate. I can't give much but if everyone pitched in five or ten dollars it would help. Do you Canadians still take USD?
I'm only 4 months into a 1 year membership, but I am thinking of renewing now before there is a tariff placed on it. And as support of the site.
Congratulations!
However (and not to be Debbie Downer), might it not still be a good idea to continue the clean-up measures sparked by the previous scare, if only as a prophylactic measure? If nothing else, this incident has shown that freedom is fungible.