Auditing Software Programs

1Audit's auditing software programs are designed to simplify and enhance the entire audit process, offering a range of tools to manage audits efficiently. These programs help in planning, scheduling, and executing audits while ensuring compliance with regulatory standards. With features such as automated data collection, document control, task management, and real-time reporting, the software helps streamline workflows, improve collaboration among audit teams, and minimize errors. Cloud-based access ensures that audit files are secure and accessible from anywhere, improving overall audit efficiency and accuracy.For more information, visit Website: https://1audit.com/

Diploma in Taxation 

A Comprehensive Guide to Smart Contract Auditing: Best Practices and Strategies

In the rapidly evolving landscape of blockchain technology, smart contracts have emerged as a transformative tool, automating and securing digital contracts without intermediaries. However, their reliance on immutable code leaves them vulnerable to vulnerabilities that can cause significant financial losses and reputational damage. Smart contract auditing plays a crucial role in mitigating these risks by systematically reviewing code for potential flaws and vulnerabilities. This comprehensive guide explores the best practices and strategies involved in smart contract auditing, emphasizing the importance of thorough review processes, secure coding practices and proactive risk management. By understanding and implementing these principles, developers and stakeholders can enhance the security, reliability and trustworthiness of their smart contracts in decentralized applications (dApps) and blockchain ecosystems.

Understanding Smart Contract Audits

What is a Smart Contract Audit?

A smart contract audit is a thorough examination of the code and functionality of a smart contract to identify potential vulnerabilities, bugs or security risks. It aims to ensure that the smart contract behaves as intended, securely manages assets and complies with specified business rules and regulatory requirements. Audits are typically conducted by specialized firms or teams with expertise in blockchain technology and security practices, using both automated tools and manual review processes to assess the contract's codebase.

Key Objectives of Smart Contract Audits

The primary objectives of Smart Contract Audits include:

Security Assurance: To identify and mitigate security vulnerabilities such as reentrancy, overflow errors or logic flaws that could be exploited by malicious actors.

Functional Accuracy: To verify that the smart contract executes its intended operations correctly, adhering to specified business rules and ensuring accurate handling of transactions and data.

Risk Mitigation: To reduce the risk of financial loss or disruption by addressing potential weaknesses before deployment, thereby enhancing trust among users and stakeholders.

Compliance and Standards: To ensure that the smart contract complies with industry best practices, regulatory requirements and any applicable standards for security and reliability in blockchain applications.

Differences Between Code Audits and Formal Verification

While both are essential components of smart contract validation, code audits and formal verification differ in their methodologies and scope:

Code Audits: Involve a comprehensive review of the smart contract's source code to identify potential vulnerabilities and ensure adherence to best practices. Auditors typically rely on automated tools and manual inspection to detect bugs or security issues.

Formal Verification: Involves mathematically proving the correctness of a smart contract's code against specified properties or requirements. This rigorous process uses formal methods to verify that the contract behaves as intended under all possible conditions, offering a higher level of assurance but often requiring specialized expertise and computational resources.

By understanding these distinctions and integrating both approaches where appropriate, developers and stakeholders can effectively enhance the security, reliability and functionality of their smart contracts in blockchain applications.

Common Smart Contract Vulnerabilities

Overview of Typical Vulnerabilities:

Smart contracts, despite their promise of security and automation, are susceptible to several common vulnerabilities that can be exploited by malicious actors. Some of the most prevalent vulnerabilities include:

Reentrancy: This vulnerability occurs when a contract calls an external contract before completing its own state changes. If not properly managed, reentrancy can allow an attacker to repeatedly call back into the contract, potentially manipulating its state and causing unexpected behavior.

Integer Overflow and Underflow: Smart contracts often handle numeric values for calculations and storage. Integer overflow happens when a number exceeds its maximum value and wraps around, while underflow occurs when a number becomes negative due to subtraction beyond zero. These conditions can lead to unintended consequences, such as incorrect calculations or unexpected behavior.

Unchecked External Calls: Smart contracts may interact with external contracts or addresses. If these interactions are not properly validated and checked for potential malicious behavior, they can introduce security vulnerabilities, such as unauthorized transfers of assets or manipulation of contract state.

Logic and Design Flaws: These vulnerabilities arise from errors in the logic or design of the smart contract. They can include incorrect assumptions about user behavior, inadequate access control mechanisms or failure to handle edge cases properly, potentially leading to unintended consequences or exploitation.

Real-World Examples of Smart Contract Failures Due to Vulnerabilities:

Several notable incidents have highlighted the consequences of smart contract vulnerabilities:

The DAO Hack (2016): Exploited a reentrancy vulnerability to drain approximately $50 million worth of Ether from The DAO, a decentralized autonomous organization on the Ethereum blockchain. This incident led to a hard fork in Ethereum to recover the funds, highlighting the impact of smart contract vulnerabilities on blockchain communities.

Parity Wallet Bug (2017): A vulnerability in the Parity multi-signature wallet contract resulted in the freezing of hundreds of millions of dollars' worth of Ether. This bug was due to a flaw in the contract's initialization code, demonstrating the critical importance of rigorous auditing and testing in smart contract development.

Integer Overflow Bugs: Various smart contracts have been vulnerable to integer overflow and underflow bugs, leading to unexpected behavior and potential loss of funds. These incidents underscore the need for robust testing and validation of numeric operations in smart contracts.

By understanding these common vulnerabilities and learning from past incidents, developers and auditors can take proactive measures to mitigate risks and enhance the security and resilience of smart contracts in blockchain ecosystems.

Best Practices for Smart Contract Development

Secure Coding Principles for Smart Contracts:

Implementing secure coding practices is crucial to mitigate vulnerabilities and enhance the resilience of smart contracts. Key principles include:

Input Validation: Validate and sanitize all inputs to prevent unexpected data manipulation or exploitation.

Minimize Complexity: Keep smart contracts simple and minimize the number of operations to reduce the risk of introducing bugs or vulnerabilities.

Avoid External Calls During State Changes: Limit or eliminate external calls during critical state changes to prevent reentrancy attacks.

Use Safe Math Libraries: Utilize libraries that provide safe arithmetic operations to prevent integer overflow and underflow vulnerabilities.

Access Control: Implement access control mechanisms to restrict functions and data access to authorized entities only.

Use of Established Libraries and Frameworks:

Utilizing well-established libraries and frameworks can significantly enhance the security and reliability of smart contracts. Benefits include:

Security Audited Code: Libraries and frameworks that have undergone rigorous security audits are less likely to contain vulnerabilities.

Community Support: Established libraries often have a large community of developers who contribute to bug fixes, improvements and security enhancements.

Code Reusability: Reusing trusted code reduces the likelihood of introducing new vulnerabilities and accelerates development timelines.

Importance of Documentation and Comments:

Comprehensive documentation and well-commented code are essential for maintaining and securing smart contracts. Reasons include:

Understanding Contract Functionality: Clear documentation helps developers and auditors understand the intended behavior and logic of the smart contract, reducing the risk of misinterpretation.

Facilitating Audits: Detailed comments and documentation assist auditors in identifying potential vulnerabilities or areas of concern during the audit process.

Enhancing Code Maintenance: Good documentation simplifies future updates and modifications to the smart contract, ensuring continuity and minimizing errors.

By adhering to these best practices, developers can significantly improve the security, reliability and maintainability of smart contracts, contributing to a safer and more robust blockchain ecosystem.

Preparing for a Smart Contract Audit

Initial Code Review and Testing Phases:

Before engaging an external audit, it’s essential to conduct thorough internal reviews and testing:

Internal Code Review: Perform a meticulous internal review of the smart contract code to identify and resolve obvious errors and vulnerabilities. Involve multiple team members to ensure diverse perspectives and catch issues that a single developer might miss.

Automated Testing: Use automated testing frameworks to conduct unit tests, integration tests and end-to-end tests. Ensure that the tests cover all possible scenarios, including edge cases, to verify the contract behaves as expected.

Manual Testing: Complement automated tests with manual testing to explore unusual or unexpected interactions and user behaviors that automated tests might not cover.

Simulation and Mock Environments: Use simulation tools and mock environments to test the contract in a controlled setting that mimics the live blockchain environment. This helps to identify potential issues related to transaction ordering, gas consumption and network interactions.

Setting Audit Goals and Expectations:

Clearly defining the scope and objectives of the audit is crucial for a successful engagement:

Define Scope: Identify which parts of the codebase need to be audited. This could include specific smart contracts, libraries and integrations with external systems.

Set Security Priorities: Establish key security priorities, such as preventing financial loss, ensuring data integrity and maintaining user trust. This helps auditors focus on the most critical areas.

Communicate Expectations: Provide auditors with detailed information about the contract’s intended functionality, business logic and any known risks or concerns. Clear communication ensures that the auditors understand the contract’s purpose and the specific aspects to scrutinize.

Timeline and Deliverables: Agree on a realistic timeline for the audit process and define the expected deliverables, such as detailed reports, risk assessments and remediation recommendations.

Choosing an Audit Firm or Team:

Selecting the right audit firm or team is crucial for a thorough and effective audit:

Experience and Reputation: Choose a firm or team with a proven track record in smart contract auditing. Look for auditors with experience in your specific blockchain platform and technology stack.

Independent and Unbiased: Ensure that the audit firm is independent and has no conflicts of interest that might compromise the integrity of the audit.

Technical Expertise: Assess the technical expertise of the audit team. They should have deep knowledge of smart contract development, blockchain security and the latest vulnerabilities and attack vectors.

References and Case Studies: Request references and review case studies of previous audits to gauge the quality and thoroughness of the firm’s work.

Communication and Collaboration: Choose auditors who are communicative and willing to work collaboratively with your development team. Effective communication is essential for addressing issues and implementing recommendations promptly.

By carefully preparing for the audit, setting clear goals and choosing the right auditors, you can significantly enhance the security and reliability of your smart contracts, building trust with users and stakeholders.

Conducting a Smart Contract Audit

Steps Involved in the Audit Process:

Conducting a thorough smart contract audit involves several key steps to ensure comprehensive review and identification of potential vulnerabilities:

Initial Assessment: Review project documentation, including specifications and design documents, to understand the contract's intended functionality and security requirements.

Code Review: Perform a detailed review of the smart contract codebase, examining each line for vulnerabilities such as reentrancy, integer overflow, logic flaws and unchecked external calls.

Automated Analysis: Use automated security analysis tools to scan the code for common vulnerabilities and potential issues, such as security linters, static analyzers and symbolic execution tools.

Manual Review: Conduct manual inspection of critical parts of the codebase to identify complex vulnerabilities that automated tools may overlook, including edge cases and interactions with external systems.

Testing: Execute a series of rigorous tests, including unit tests, integration tests and scenario-based tests, to validate the contract's behavior under various conditions and ensure it meets functional requirements.

Risk Assessment: Evaluate identified vulnerabilities based on their severity and potential impact on the contract and its users. Prioritize vulnerabilities for remediation based on the assessed risks.

Reporting: Prepare a comprehensive audit report detailing findings, including identified vulnerabilities, their potential impact and recommendations for mitigation. Provide clear and actionable guidance for developers to address the identified issues.

Tools and Techniques Used in Audits:

Auditors employ a variety of tools and techniques to conduct smart contract audits effectively:

Automated Security Tools: Utilize tools such as MythX, Securify and Slither for automated vulnerability scanning and analysis.

Manual Review: Employ manual inspection techniques to scrutinize critical parts of the codebase and identify nuanced vulnerabilities.

Symbolic Execution: Use symbolic execution tools like Manticore to explore and analyze possible execution paths of the smart contract code.

Gas Analysis: Evaluate gas usage and optimize contract efficiency to minimize transaction costs and potential vulnerabilities related to gas limits.

Peer Review: Engage in peer review sessions among auditors to validate findings and ensure thorough coverage of potential vulnerabilities.

Collaboration Between Auditors and Development Teams:

Effective collaboration between auditors and development teams is essential for a successful audit:

Clear Communication: Maintain open and clear communication channels to discuss findings, clarify requirements and address concerns promptly.

Feedback Loop: Establish a feedback loop where auditors provide regular updates and interim findings to the development team, allowing for timely resolution of issues.

Knowledge Sharing: Share insights and best practices between auditors and developers to enhance understanding of security principles and improve future development practices.

Remediation Support: Provide guidance and support to developers during the remediation process, including verifying fixes and validating the effectiveness of security enhancements.

By following these steps and leveraging appropriate tools and techniques, auditors and development teams can collaborate effectively to enhance the security, reliability and trustworthiness of smart contracts in blockchain applications.

Mitigation Strategies and Best Practices

Strategies for Addressing Identified Vulnerabilities:

Once vulnerabilities are identified through audits or testing, it's crucial to implement effective mitigation strategies. These may include applying patches or code fixes to eliminate vulnerabilities, enhancing access controls and re-evaluating contract logic to prevent exploitation. Regular security updates and proactive monitoring can help maintain the integrity of smart contracts and mitigate emerging threats.

Importance of Emergency Response Plans:

Having a well-defined emergency response plan is essential to quickly and effectively address security incidents or breaches in smart contracts. This plan should outline procedures for incident detection, containment, mitigation and recovery. Clear communication channels and roles/responsibilities assignments ensure swift action during crises, minimizing potential damages and maintaining user confidence.

Implementing Updates and Version Control:

Implementing updates and maintaining version control are critical for managing changes and improving the security of smart contracts over time. Version control systems, such as Git, enable tracking of code modifications, facilitating collaboration and auditing. Regular updates should be accompanied by thorough testing and validation to ensure compatibility, functionality and security integrity throughout the contract's lifecycle. This approach helps mitigate risks associated with outdated or vulnerable code, promoting a robust and secure smart contract environment.

Post-Audit Considerations

Reporting and Communicating Audit Findings:

Prepare a detailed audit report outlining identified vulnerabilities, their severity levels and recommended actions for mitigation.

Clearly communicate findings to stakeholders, including developers, project managers and stakeholders, in a transparent and understandable manner.

Provide actionable recommendations for addressing vulnerabilities and improving overall smart contract security.

Re-Auditing and Continuous Monitoring:

Schedule periodic re-audits to reassess the smart contract's security posture and identify new vulnerabilities or risks that may have emerged since the initial audit.

Implement continuous monitoring solutions to detect anomalous behavior or potential security incidents in real-time.

Stay updated with the latest security trends, best practices and regulatory requirements to maintain a proactive approach to security.

Regulatory Compliance and Legal Implications:

Ensure compliance with relevant regulations and legal frameworks governing smart contracts, cryptocurrency transactions and data protection.

Consult legal experts to navigate regulatory requirements specific to your jurisdiction and industry.

Address any legal implications arising from audit findings or security incidents promptly and transparently to mitigate legal risks and maintain regulatory compliance.

Conclusion

In conclusion, smart contract auditing is an important process to ensure the security, reliability and trustworthiness of blockchain-based applications. By systematically reviewing and testing smart contract code, developers can identify and mitigate vulnerabilities that could lead to financial loss or breach of user trust. It is essential to implement best practices such as secure coding principles, thorough auditing and effective communication between auditors and development teams. Additionally, post-audit considerations such as continuous monitoring, re-auditing and compliance with regulatory requirements are important to maintain the integrity of smart contracts over time. By prioritizing security at every stage of development and beyond, stakeholders can foster a safer and more resilient blockchain ecosystem for all users and participants.

Audit Management System

1audit offers a comprehensive Audit Management System tailored to meet your organizational needs. Their cutting-edge software streamlines external audit reviews, ensuring compliance with industry-leading standards. Experience seamless management of audit processes with advanced features designed for efficiency and accuracy. Elevate your auditing procedures with customizable workflows, real-time tracking, and robust reporting capabilities. Trust 1audit to optimize your audit management practices, enhance productivity, and uphold audit standards effortlessly.

Demon-haunted computers are back, baby

Catch me in Miami! I'll be at Books and Books in Coral Gables on Jan 22 at 8PM.

As a science fiction writer, I am professionally irritated by a lot of sf movies. Not only do those writers get paid a lot more than I do, they insist on including things like "self-destruct" buttons on the bridges of their starships.

Look, I get it. When the evil empire is closing in on your flagship with its secret transdimensional technology, it's important that you keep those secrets out of the emperor's hand. An irrevocable self-destruct switch there on the bridge gets the job done! (It has to be irrevocable, otherwise the baddies'll just swarm the bridge and toggle it off).

But c'mon. If there's a facility built into your spaceship that causes it to explode no matter what the people on the bridge do, that is also a pretty big security risk! What if the bad guy figures out how to hijack the measure that – by design – the people who depend on the spaceship as a matter of life and death can't detect or override?

I mean, sure, you can try to simplify that self-destruct system to make it easier to audit and assure yourself that it doesn't have any bugs in it, but remember Schneier's Law: anyone can design a security system that works so well that they themselves can't think of a flaw in it. That doesn't mean you've made a security system that works – only that you've made a security system that works on people stupider than you.

I know it's weird to be worried about realism in movies that pretend we will ever find a practical means to visit other star systems and shuttle back and forth between them (which we are very, very unlikely to do):

https://pluralistic.net/2024/01/09/astrobezzle/#send-robots-instead

But this kind of foolishness galls me. It galls me even more when it happens in the real world of technology design, which is why I've spent the past quarter-century being very cross about Digital Rights Management in general, and trusted computing in particular.

It all starts in 2002, when a team from Microsoft visited our offices at EFF to tell us about this new thing they'd dreamed up called "trusted computing":

https://pluralistic.net/2020/12/05/trusting-trust/#thompsons-devil

The big idea was to stick a second computer inside your computer, a very secure little co-processor, that you couldn't access directly, let alone reprogram or interfere with. As far as this "trusted platform module" was concerned, you were the enemy. The "trust" in trusted computing was about other people being able to trust your computer, even if they didn't trust you.

So that little TPM would do all kinds of cute tricks. It could observe and produce a cryptographically signed manifest of the entire boot-chain of your computer, which was meant to be an unforgeable certificate attesting to which kind of computer you were running and what software you were running on it. That meant that programs on other computers could decide whether to talk to your computer based on whether they agreed with your choices about which code to run.

This process, called "remote attestation," is generally billed as a way to identify and block computers that have been compromised by malware, or to identify gamers who are running cheats and refuse to play with them. But inevitably it turns into a way to refuse service to computers that have privacy blockers turned on, or are running stream-ripping software, or whose owners are blocking ads:

https://pluralistic.net/2023/08/02/self-incrimination/#wei-bai-bai

After all, a system that treats the device's owner as an adversary is a natural ally for the owner's other, human adversaries. The rubric for treating the owner as an adversary focuses on the way that users can be fooled by bad people with bad programs. If your computer gets taken over by malicious software, that malware might intercept queries from your antivirus program and send it false data that lulls it into thinking your computer is fine, even as your private data is being plundered and your system is being used to launch malware attacks on others.

These separate, non-user-accessible, non-updateable secure systems serve a nubs of certainty, a remote fortress that observes and faithfully reports on the interior workings of your computer. This separate system can't be user-modifiable or field-updateable, because then malicious software could impersonate the user and disable the security chip.

It's true that compromised computers are a real and terrifying problem. Your computer is privy to your most intimate secrets and an attacker who can turn it against you can harm you in untold ways. But the widespread redesign of out computers to treat us as their enemies gives rise to a range of completely predictable and – I would argue – even worse harms. Building computers that treat their owners as untrusted parties is a system that works well, but fails badly.

First of all, there are the ways that trusted computing is designed to hurt you. The most reliable way to enshittify something is to supply it over a computer that runs programs you can't alter, and that rats you out to third parties if you run counter-programs that disenshittify the service you're using. That's how we get inkjet printers that refuse to use perfectly good third-party ink and cars that refuse to accept perfectly good engine repairs if they are performed by third-party mechanics:

https://pluralistic.net/2023/07/24/rent-to-pwn/#kitt-is-a-demon

It's how we get cursed devices and appliances, from the juicer that won't squeeze third-party juice to the insulin pump that won't connect to a third-party continuous glucose monitor:

https://arstechnica.com/gaming/2020/01/unauthorized-bread-a-near-future-tale-of-refugees-and-sinister-iot-appliances/

But trusted computing doesn't just create an opaque veil between your computer and the programs you use to inspect and control it. Trusted computing creates a no-go zone where programs can change their behavior based on whether they think they're being observed.

The most prominent example of this is Dieselgate, where auto manufacturers murdered hundreds of people by gimmicking their cars to emit illegal amount of NOX. Key to Dieselgate was a program that sought to determine whether it was being observed by regulators (it checked for the telltale signs of the standard test-suite) and changed its behavior to color within the lines.

Software that is seeking to harm the owner of the device that's running it must be able to detect when it is being run inside a simulation, a test-suite, a virtual machine, or any other hallucinatory virtual world. Just as Descartes couldn't know whether anything was real until he assured himself that he could trust his senses, malware is always questing to discover whether it is running in the real universe, or in a simulation created by a wicked god:

https://pluralistic.net/2022/07/28/descartes-was-an-optimist/#uh-oh

That's why mobile malware uses clever gambits like periodically checking for readings from your device's accelerometer, on the theory that a virtual mobile phone running on a security researcher's test bench won't have the fidelity to generate plausible jiggles to match the real data that comes from a phone in your pocket:

https://arstechnica.com/information-technology/2019/01/google-play-malware-used-phones-motion-sensors-to-conceal-itself/

Sometimes this backfires in absolutely delightful ways. When the Wannacry ransomware was holding the world hostage, the security researcher Marcus Hutchins noticed that its code made reference to a very weird website: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Hutchins stood up a website at that address and every Wannacry-infection in the world went instantly dormant:

https://pluralistic.net/2020/07/10/flintstone-delano-roosevelt/#the-matrix

It turns out that Wannacry's authors were using that ferkakte URL the same way that mobile malware authors were using accelerometer readings – to fulfill Descartes' imperative to distinguish the Matrix from reality. The malware authors knew that security researchers often ran malicious code inside sandboxes that answered every network query with fake data in hopes of eliciting responses that could be analyzed for weaknesses. So the Wannacry worm would periodically poll this nonexistent website and, if it got an answer, it would assume that it was being monitored by a security researcher and it would retreat to an encrypted blob, ceasing to operate lest it give intelligence to the enemy. When Hutchins put a webserver up at iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, every Wannacry instance in the world was instantly convinced that it was running on an enemy's simulator and withdrew into sulky hibernation.

The arms race to distinguish simulation from reality is critical and the stakes only get higher by the day. Malware abounds, even as our devices grow more intimately woven through our lives. We put our bodies into computers – cars, buildings – and computers inside our bodies. We absolutely want our computers to be able to faithfully convey what's going on inside them.

But we keep running as hard as we can in the opposite direction, leaning harder into secure computing models built on subsystems in our computers that treat us as the threat. Take UEFI, the ubiquitous security system that observes your computer's boot process, halting it if it sees something it doesn't approve of. On the one hand, this has made installing GNU/Linux and other alternative OSes vastly harder across a wide variety of devices. This means that when a vendor end-of-lifes a gadget, no one can make an alternative OS for it, so off the landfill it goes.

It doesn't help that UEFI – and other trusted computing modules – are covered by Section 1201 of the Digital Millennium Copyright Act (DMCA), which makes it a felony to publish information that can bypass or weaken the system. The threat of a five-year prison sentence and a $500,000 fine means that UEFI and other trusted computing systems are understudied, leaving them festering with longstanding bugs:

https://pluralistic.net/2020/09/09/free-sample/#que-viva

Here's where it gets really bad. If an attacker can get inside UEFI, they can run malicious software that – by design – no program running on our computers can detect or block. That badware is running in "Ring -1" – a zone of privilege that overrides the operating system itself.

Here's the bad news: UEFI malware has already been detected in the wild:

https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/

And here's the worst news: researchers have just identified another exploitable UEFI bug, dubbed Pixiefail:

https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html

Writing in Ars Technica, Dan Goodin breaks down Pixiefail, describing how anyone on the same LAN as a vulnerable computer can infect its firmware:

https://arstechnica.com/security/2024/01/new-uefi-vulnerabilities-send-firmware-devs-across-an-entire-ecosystem-scrambling/

That vulnerability extends to computers in a data-center where the attacker has a cloud computing instance. PXE – the system that Pixiefail attacks – isn't widely used in home or office environments, but it's very common in data-centers.

Again, once a computer is exploited with Pixiefail, software running on that computer can't detect or delete the Pixiefail code. When the compromised computer is queried by the operating system, Pixiefail undetectably lies to the OS. "Hey, OS, does this drive have a file called 'pixiefail?'" "Nope." "Hey, OS, are you running a process called 'pixiefail?'" "Nope."

This is a self-destruct switch that's been compromised by the enemy, and which no one on the bridge can de-activate – by design. It's not the first time this has happened, and it won't be the last.

There are models for helping your computer bust out of the Matrix. Back in 2016, Edward Snowden and bunnie Huang prototyped and published source code and schematics for an "introspection engine":

https://assets.pubpub.org/aacpjrja/AgainstTheLaw-CounteringLawfulAbusesofDigitalSurveillance.pdf

This is a single-board computer that lives in an ultraslim shim that you slide between your iPhone's mainboard and its case, leaving a ribbon cable poking out of the SIM slot. This connects to a case that has its own OLED display. The board has leads that physically contact each of the network interfaces on the phone, conveying any data they transit to the screen so that you can observe the data your phone is sending without having to trust your phone.

(I liked this gadget so much that I included it as a major plot point in my 2020 novel Attack Surface, the third book in the Little Brother series):

https://craphound.com/attacksurface/

We don't have to cede control over our devices in order to secure them. Indeed, we can't ever secure them unless we can control them. Self-destruct switches don't belong on the bridge of your spaceship, and trusted computing modules don't belong in your devices.

I'm Kickstarting the audiobook for The Bezzle, the sequel to Red Team Blues, narrated by @wilwheaton! You can pre-order the audiobook and ebook, DRM free, as well as the hardcover, signed or unsigned. There's also bundles with Red Team Blues in ebook, audio or paperback.

If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2024/01/17/descartes-delenda-est/#self-destruct-sequence-initiated

Image: Mike (modified) https://www.flickr.com/photos/stillwellmike/15676883261/

CC BY-SA 2.0 https://creativecommons.org/licenses/by-sa/2.0/

Syzygy Podfic Project Auditions - Second Round!

Are you interested in voice acting, but intimidated by the prospect of a large role? Did you consider auditioning for the Syzygy project before, but didn't because of time constraints? Are you just finding out about this project now and wishing you had discovered it sooner so you could be a part of it?

Well, you're in luck, because the Syzygy Podfic Project is in need of extra voices to fill out our cast! There are dozens of minor roles that are perfect for anyone hoping to dip their toes into voice acting in a large project!

Find the audition information here!

Make sure to only submit the form once you are confident in your recording! Only the first submission will be accepted, so take your time and get the best take you can before submitting!

Tips for recording your audition:

Record in a small space that's insulated - a closet can work very well, as the clothes can minimize the echo and avoid too many outside sounds.

Make sure you are the proper distance from your microphone - this can take some testing and trial and error!

Have your microphone resting on a flat surface, don't attempt to move it while recording.

Don't be afraid to do multiple takes and only pick your favorite ones!

Audacity is a free audio recording software that is very intuitive for a beginner to use, if you're looking for a recording program.

Feel free to send an ask if you have any questions!

@tsseventhub @sanders-sides-events

i think one of the fundamental problems with the word "techbro" is that it has multiple meanings, some of which contradict each other.

the original term brogrammer referred to programmers who act in a very stereotypical masculine way, as a pejorative. the word "techbro" was sometimes used as a synonym for this. this is why the word "bro" is there, because it's a comparison to frat bros. this is also the only sense mentioned on the wikipedia page. this is also the sense i see the least usage of on tumblr; it was really more of a thing back in 2012-2013 or so.

people also use it to refer to people who are pushing the latest fad; web 3.0, blockchain shit, NFTs, LLMs, whatever. this usage does not require that the person actually knows anything about programming. some of these people genuinely believe in what they're advocating for, some of them are just hopping onto the latest money-making thing. this is the y combinator set.

a third usage is to refer to people who are very into self-hosting, and "own your hardware" type stuff and don't understand that computing is a compromise and not everyone wants to spend all their effort getting stuff to work. this is the rms type. unlike the second definition, this one requires the person to have fairly deep technical knowledge. theoretically you could have someone who doesn't know a lot about computers but is real big into this kind of stuff, but in practice that never happens.

(i'm broadly sympathetic to this type; i avoid music streaming and sync all my music using open-source software, that sort of thing. the "techbro" part, in theory, comes when they look down on others for not making the same choices. of course, the line between "you're looking down on me" and "you're arrogant for simply believing that you're right" is thin.)

in particular, sense-2 and sense-3 "techbros" have very opposite beliefs! one wants to run everything "in the cloud", the other wants to run everything locally. one wants to let chatgpt run your life, the other hates the idea of something they can't audit be that important. both tend to be very "technology will save us" types, but the way they go about that is very different. one makes very sleek-looking but extremely limited UI, the other will make ultra-customizable, ultra-functional UI that's the most hideous and hard-to-use thing you've seen in your life.

and so you can see here the problem: what can we actually say about "techbros" that's meaningful, other than "techbro is when i don't like someone who likes technology"? if a word isn't used as a self-descriptor, but only as an insult, what stops it from becoming broader and broader until it loses all usefulness?

Hello everyone. We would like to inform you that, for the time being, we will keep our auditions for joining our production team open. We are still currently looking for a third editor to join our project. This means that you will be working with our Editor Manager, Indi, as well as our Editor, Rokneer.

Your job in the project would include the following:

Editing in the new audio lines,

Trim episodes according to the Script Organiser's notes

Handling the selection and insertion of both new music and sound effects

In your application, please provide the following:

The name/s you go by,

Your Pronouns,

The best email to contact you for callbacks,

Two to four sentences on why you're interested in joining the project,

What software/s you use

There is a preference for Movavi 2022 or Premiere, as those are the software our current editors use. However, other software will be accepted, provided there is no watermark. Both prior experience with editing and a willingness to learn will be factored in when looking over applications,,

Clips of your prior editing work, up to three examples

They can be included in the email, in a linked Google Drive, or linked YouTube videos

While you would be working as an editor, it is also expected that you aid in script writing like all current project members do, voice acting isn't required, though if you wish to, we are more than happy for you to.

For those of you who may want to join this project for just script writing and voice acting, worry not, we will eventually be hosting auditions for just those in the future.

To apply, please contact us at [email protected]. Having an email you're comfortable sharing with our Manager, Prism is required for both applications and script writing.

The reason for the latter is due to us doing all our script writing on Ellipsus, a program that only allows writing collaborators to be added to a document if they are added via email.

Any questions can be directed through the NinjaStop Tumblr.

We hope you'll consider joining us!

hi prince! what microphone & editing software do you use for your audios? i’m considering getting into recording some and was going to use Audacity but i’m not sure if there’s a better alternative plus I like the way your audio sounds.

Definitely answered this before, but I use a blue yeti microphone and the audio program I use is audacity, it's free, you don't need anything more complex or expensive. And all indo I'm audacity is noise removal to get rid of background noise and fuzz and i always do it twice.

I do also use Adobe audition for vocal effects that idk how to do in audacity like the robot oe ghostly effects on orpheus, achilles, mettaton and more. (don't want to say they're not possible in audacity because for all I know there's a fanmade plug in that does this stuff).

AUDIO EDITOR APPLICATIONS OPEN

We are in need of audio editors at every skill level to reach out and lend their hand to this project. If you are interested in applying, we are accepting applications here! We would happy to accept participants on board.

APPLICANT REQUIREMENTS

Adobe Audition or other quality software-editing program.

Must be at least 18 years of age.

Regular access to communication on Discord.

Audit Management System Software

The "Audit Management System Software" in 1Audit is designed to support and simplify the audit process. It allows for seamless management and monitoring of audit files anytime and anywhere. With features like document control, collaboration, professional compliance, and cloud-based access, it ensures efficient task management and secure document storage. The software helps streamline audit workflows by automating essential processes, managing user permissions, and supporting communication among audit teams, ultimately improving the audit's accuracy and effectiveness.

Hey! It's A Great Time To Review Your W4! and other fun tax things they don't seem to be teaching in school. (detailed explanations in the read more)

Disclaimer: These are super basic basics. I'm not an expert. I've just seen a lot of people get hit hard and it really sucks.

Don't throw away your income documents.

Keep copies of your returns.

File every year you have an income.

File even if you're going to owe.

Amend your return if you realize there's something wrong on the original.

There's a statute of limitations on refunds.

They can use your refund for certain debt.

There are programs so you don't get dinged for your joint filer's debt.

You can request a rush on the basis of extreme hardship.

You can request a waiver for penalties/interest on late payments.

Know the basics for your area. Due diligence, right?

If you have a business, please be careful.

Review your W4.

Keep your contact info up to date.

If they send a letter, response immediately.

If you don't hear anything in 4 weeks, call/message/visit a local office.

You can file directly with the IRS now, and some states.

If you use tax preparation software/service, double check everything.

If you're expecting a refund triple-check your bank info.

If you're making a payment, triple-check it goes through.

Don't wait til the last day to make a payment.

Consider getting a registered online account with the IRS and/or your state.

Take several deep breaths.

(↓ more details ↓)

Don't throw away your income documents. W2s, 1099s, anything that shows income and/or withholding. How long? Forever.

Keep copies of your returns, in formats you can easily access. Highly recommend a hard copy as well as digital, or at least available offline. How long? Forever. (I know there are statutes of limitations, but I don't trust that)

File every year you have an income. Honestly might want to file even if you don't - you can put all zeroes. If you should have filed and didn't, they can make an educated guess, and you might not like it. If you owe, they can add failure to file/failure to pay penalties that can really add up.

File even if you're going to owe. You can set up payment plans, if needed. If you don't file, the penalties and interest are insane.

Amend your return if you realize there's something wrong on the original. Audits aren't just for comedic effect on sitcoms, and as above, the penalties and interest are insane.

There's a statute of limitations on refunds. For the IRS, it's "3 years from the date you filed your federal income tax return, or 2 years from the date you paid the tax". States vary.

They can use your refund for certain debt. Child support, student loans that aren't on a plan, overpayment of benefits, traffic tickets…

There are programs so you don't get dinged for your joint filer's debt. They take longer to process, but you will be able to keep your refund even if your joint filer's refund is used to pay a debt.

You can request a rush in cases of extreme hardship. Eviction, medication, feeding children. It's not a guarantee, but you can ask.

You can request a waiver for penalties and interest on late payments. Again, not a guarantee, but you can ask.

Know the basics for your area. You don't have to be an expert, but the basics: Which forms to file, filing dates, how extensions work, if there are city/county taxes that need to be filed separately, if you need to make estimated payments…

If you have a business, please be careful. all of the above plus more. It can get so messy, and so hard to clean up.

Review your W4. Make sure you have the right amount coming out. Do you want to owe, get a refund, get close to zero? Make an informed decision and make sure your W4 reflects that. Highly recommend checking again in a few months, sometimes HR can be shifty bastards.

Keep your contact info up to date. If they need more info, they won't hunt you down. This includes if you move after you file. Phone number isn't as important, but address is.

If they send a letter asking for information, respond immediately. They will either not process the return, or make an educated guess based on what they have. Even if it's just to say "Hey, I can't get this document because _", they need something. Also - getting a letter doesn't necessarily mean there's something wrong. With electronic filing, they don't get images of your W2/1099, and they want to double check. Or there's an address/filing status change they want to be sure of. Or maybe you had an identity theft situation in the past. Or or or. Or maybe you are a "fraudster"!

If you don't hear anything in maybe 4 weeks, call/message/visit a local office. Sometimes things happen. A letter was sent but was returned. A manual review was stalled and just needed a nudge. Sometimes the return didn't show up at all. Also - when/if you contact them, please be civil. The person who answers the phone has so little control over any of this. A polite, "Hey, just wanted to make sure everything's good" will go a long way.

You can file directly with the IRS now, and some states. In some cases, you can even port your info from IRS to state, saving you the trouble of re-entering a bunch of stuff. Best, you can be sure it actually was received.

If you use tax preparation software/service, double check everything. Make sure the numbers look reasonable, make sure you know where their fee is coming from, make sure you know where your refund is going (like to a pre-paid card or your own bank), make sure you know FOR SURE if they are scheduling a payment on your behalf. Sometimes it's not obvious, and this can result in double-payments or worse. Mostly, make sure the return is accepted. Get it in writing. Don't wait two months to ask, when they are closed for the season.

If you're expecting a refund triple-check your bank info. If something changes with your bank info after you file, call.

If you're making a payment, triple-check it goes through. I mean so you don't double-pay. If you paid online, make sure you got a confirmation number. If you don't, call. Don't assume it didn't work and pay again. Even if you figure it out before it hits your bank, there's nothing the revenuers can do to stop it.

Don't wait til the last day to make a payment. If something goes wrong, if the check is lost in the mail or the bank is acting fucky, it will go badly. Preparation software is evil about scheduling the payments for the last minute.

Consider getting a registered online account with the IRS and/or your state. You can track your return, and also see letters before they're mailed, see past info, send messages, make payments, check on payment status, update info. Yes, the websites aren't great, but it gives you a little more control.

Again, not a Tax Professional in any way. Just don't want anyone to get fucked by Surprise! Tax Shit!

Congress is moving closer to putting US election technology under a stricter cybersecurity microscope.

Embedded inside this year’s Intelligence Authorization Act, which funds intelligence agencies like the CIA, is the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act, which would require penetration testing of federally certified voting machines and ballot scanners, and create a pilot program exploring the feasibility of letting independent researchers probe all manner of election systems for flaws.

The SECURE IT Act—originally introduced by US senators Mark Warner, a Virginia Democrat, and Susan Collins, a Maine Republican—could significantly improve the security of key election technology in an era when foreign adversaries remain intent on undermining US democracy.

“This legislation will empower our researchers to think the way our adversaries do, and expose hidden vulnerabilities by attempting to penetrate our systems with the same tools and methods used by bad actors,” says Warner, who chairs the Senate Intelligence Committee.

The new push for these programs highlights the fact that even as election security concerns have shifted to more visceral dangers such as death threats against county clerks, polling-place violence, and AI-fueled disinformation, lawmakers remain worried about the possibility of hackers infiltrating voting systems, which are considered critical infrastructure but are lightly regulated compared to other vital industries.

Russia’s interference in the 2016 election shined a spotlight on threats to voting machines, and despite major improvements, even modern machines can be flawed. Experts have consistently pushed for tighter federal standards and more independent security audits. The new bill attempts to address those concerns in two ways.

The first provision would codify the US Election Assistance Commission’s recent addition of penetration testing to its certification process. (The EAC recently overhauled its certification standards, which cover voting machines and ballot scanners and which many states require their vendors to meet.)

While previous testing simply verified whether machines contained particular defensive measures—such as antivirus software and data encryption—penetration testing will simulate real-world attacks meant to find and exploit the machines’ weaknesses, potentially yielding new information about serious software flaws.

“People have been calling for mandatory [penetration] testing for years for election equipment,” says Edgardo Cortés, a former Virginia elections commissioner and an adviser to the election security team at New York University’s Brennan Center for Justice.

The bill’s second provision would require the EAC to experiment with a vulnerability disclosure program for election technology—including systems that are not subject to federal testing, such as voter registration databases and election results websites.

Vulnerability disclosure programs are essentially treasure hunts for civic-minded cyber experts. Vetted participants, operating under clear rules about which of the organizer’s computer systems are fair game, attempt to hack those systems by finding flaws in how they are designed or configured. They then report any flaws they discover to the organizer, sometimes for a reward.

By allowing a diverse group of experts to hunt for bugs in a wide range of election systems, the Warner–Collins bill could dramatically expand scrutiny of the machinery of US democracy.

The pilot program would be a high-profile test of the relationship between election vendors and researchers, who have spent decades clashing over how to examine and disclose flaws in voting systems. The bill attempts to assuage vendors’ concerns by requiring the EAC to vet prospective testers and by prohibiting testers from publicly disclosing any vulnerabilities they find for 180 days. (They would also have to immediately report vulnerabilities to the EAC and the Department of Homeland Security.)

Still, one provision could spark concern. The bill would require manufacturers to patch or otherwise mitigate serious reported vulnerabilities within 180 days of confirming them. The EAC—which must review all changes to certified voting software—would have 90 days to approve fixes; any fix not approved within that timetable would be “deemed to be certified,” though the commission could review it later.

A vendor might not be able to fix a problem, get that fix approved, and get all of its customers to deploy that fix before the nondisclosure period expires.

“Updates to equipment in the field can take many weeks, and modifying equipment close to an election date is a risky operation,” says Ben Adida, the executive director of the vendor VotingWorks.

Some vendors might also chafe at the bill’s legal protections for researchers. The legislation includes a “safe harbor” clause that exempts testing activities from the prohibitions of the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, and bars vendors from suing researchers under those laws for accidental violations of the program’s terms.

There is also a funding question. The SECURE IT Act doesn’t authorize any new money for the EAC to run these programs.

“I hope Congress accounts for the necessary funding needed to support the increased responsibilities the EAC will take on,” says EAC chair Ben Hovland. “Investments in programs like this are critical to maintaining and strengthening the security of our elections.”

Meanwhile, the bill’s prospects are unclear. Even if it passes the Senate, there is no sign of similar momentum in the House.

This week, we spoke with four federal-government IT professionals—all experienced contractors and civil servants who have built, modified, or maintained the kind of technological infrastructure that Musk’s inexperienced employees at his newly created Department of Government Efficiency are attempting to access. In our conversations, each expert was unequivocal: They are terrified and struggling to articulate the scale of the crisis.

. . .

“This is the largest data breach and the largest IT security breach in our country’s history—at least that’s publicly known,” one contractor who has worked on classified information-security systems at numerous government agencies told us this week. “You can’t un-ring this bell. Once these DOGE guys have access to these data systems, they can ostensibly do with it what they want.”

. . .

Given the scope of what these systems do, key government services might stop working properly, citizens could be harmed, and the damage might be difficult or impossible to undo. As one administrator for a federal agency with deep knowledge about the government’s IT operations told us, “I don’t think the public quite understands the level of danger.”

. . .

These systems are immense, they are complex, and they are critical. A single program run by the FAA to help air-traffic controllers, En Route Automation Modernization, contains nearly 2 million lines of code; an average iPhone app, for comparison, has about 50,000. The Treasury Department disburses trillions of dollars in payments per year.

Many systems and databases in a given agency feed into others, but access to them is restricted. Employees, contractors, civil-service government workers, and political appointees have strict controls on what they can access and limited visibility into the system as a whole. This is by design, as even the most mundane government databases can contain highly sensitive personal information. A security-clearance database such as those used by the Department of Justice or the Bureau of Alcohol, Tobacco, Firearms and Explosives, one contractor told us, could include information about a person’s mental-health or sexual history, as well as disclosures about any information that a foreign government could use to blackmail them.

Even if DOGE has not tapped into these particular databases, TheWashington Post reported on Wednesday that the group has accessed sensitive personnel data at OPM. Mother Jones also reported on Wednesday that an effort may be under way to effectively give Musk control over IT for the entire federal government, broadening his access to these agencies.

. . .

With relatively basic “read only” access, Musk’s people could easily find individuals in databases or clone entire servers and transfer that secure information somewhere else. Even if Musk eventually loses access to these systems—owing to a temporary court order such as the one approved yesterday, say—whatever data he siphons now could be his forever.

With a higher level of access—“write access”—a motivated person may be able to put their own code into the system, potentially without any oversight. The possibilities here are staggering. One could alter the data these systems process, or they could change the way the software operates—without any of the testing that would normally accompany changes to a critical system. Still another level of access, administrator privileges, could grant the broad ability to control a system, including hiding evidence of other alterations. “They could change or manipulate treasury data directly in the database with no way for people to audit or capture it,” one contractor told us. “We’d have very little way to know it even happened.”

. . .

Musk’s efforts represent a dramatic shift in the way the government’s business has traditionally been conducted. Previously, security protocols were so strict that a contractor plugging a non-government-issued computer into an ethernet port in a government agency office was considered a major security violation. Contrast that with DOGE’s incursion. CNN reported yesterday that a 23-year-old former SpaceX intern without a background check was given a basic, low tier of access to Department of Energy IT systems, despite objections from department lawyers and information experts. “That these guys, who may not even have clearances, are just pulling up and plugging in their own servers is madness,” one source told us, referring to an allegation that DOGE had connected its own server at OPM. “It’s really hard to find good analogies for how big of a deal this is.” The simple fact that Musk loyalists are in the building with their own computers is the heart of the problem—and helps explain why activities ostensibly authorized by the president are widely viewed as a catastrophic data breach.

-----

“‘Upgrading’ a system of which you know nothing about is a good way to break it, and breaking air travel is a worst-case scenario with consequences that will ripple out into all aspects of civilian life. It could easily get to a place where you can’t guarantee the safety of flights taking off and landing.” Nevertheless, on Wednesday Musk posted that “the DOGE team will aim to make rapid safety upgrades to the air traffic control system.”

Even if DOGE members are looking to modernize these systems, they may find themselves flummoxed. The government is big and old and complicated. One former official with experience in government IT systems, including at the Treasury, told us that old could mean that the systems were installed in 1962, 1992, or 2012. They might use a combination of software written in different programming languages: a little COBOL in the 1970s, a bit of Java in the 1990s. Knowledge about one system doesn’t give anyone—including Musk’s DOGE workers, some of whom were not even alive for Y2K—the ability to make intricate changes to another.

. . .

Like the FAA employee, the payment-systems expert also fears that the most likely result of DOGE activity on federal systems will be breaking them, especially because of incompetence and lack of proper care. DOGE, he observed, may be prepared to view or hoover up data, but. . . it doesn’t appear to be prepared to carry out savvy and effective alterations to how the system operates.

. . .

But DOGE workers could try anyway. Mainframe computers have a keyboard and display, unlike the cloud-computing servers in data centers. According to the former Treasury IT expert, someone who could get into the room and had credentials for the system could access it and, via the same machine or a networked one, probably also deploy software changes to it. It’s far more likely that they would break, rather than improve, a Treasury disbursement system in so doing, one source told us. “The volume of information they deal with [at the Treasury] is absolutely enormous, well beyond what anyone would deal with at SpaceX,” the source said. Even a small alteration to a part of the system that has to do with the distribution of funds could wreak havoc, preventing those funds from being distributed or distributing them wrongly, for example. “It’s like walking into a nuclear reactor and deciding to handle some plutonium.”

. . .

DOGE is many things—a dismantling of the federal government, a political project to flex power and punish perceived enemies—but it is also the logical end point of a strain of thought that’s become popular in Silicon Valley during the boom times of Big Tech and easy money: that building software and writing code aren’t just dominant skills for the 21st century, but proof of competence in any realm. In a post on X this week, John Shedletsky, a developer and an early employee at the popular gaming platform Roblox, summed up the philosophy nicely: “Silicon Valley built the modern world. Why shouldn’t we run it?”

More at the link.

The coup has already happened, and we lost.

Audit Management Software

Explore 1audit, a robust audit management system designed to streamline external audit processes. With their cutting-edge application, effortlessly conduct external audit reviews and ensure compliance with precision. Simplify your audit workflow and enhance efficiency with their comprehensive audit solution. From planning to reporting, 1audit empowers organizations to optimize their auditing procedures, mitigate risks, and drive excellence in governance. Elevate your audit experience today with 1audit.

LAMONT BERKELEY for The Yasmine's Desire by @aniraklova

Age: Young Adult

Traits: Geek, Hot-Headed, Outgoing

Aspiration: Computer Whiz

Career: Software engineer/Tech Guru (he'll be unemployed in-game though)

Likes: Purple, Discussing Interests, Discussing Hobbies, Deep Thoughts, Programming, Electronica Music, Hip Hop Music, Funny Sims, Comedy, Spirited Sims, DJ Booth Music, Video Gaming, Cerebral Sims, Stories, Jokes, R&B Music, Hard-working Sims, Optimistic Sims

Dislikes: Tween Pop Music, Blues Music, Malicious Interactions, Arguments, Rascals, Potty Humor, Pranks, Deception, Pessimistic Sims, Ranch Music

Lamont is a classy guy from Evergreen Harbor who dedicates pretty much his entire time to technology. When he's not busy working as a software engineer, you can bet he's playing or developing video games. He likes all video games, but his favorite genre is science fiction. He loves anything sci-fi and if it's a game that expands or appeals to his scientific knowledge, he'll make sure he plays it. Being a video game enthusiast doesn't mean that Lamont doesn't just sit around in his apartment, however. He's actually a quite outgoing guy and loves a good party, especially if there's a DJ. He has no problem going up to someone and striking up a conversation, especially if they seem to like anything tech-related. However, his shortcoming stems from the fact that he's quick to anger. He loves good vibes and positivity, but he's pretty strict about it and it takes very little negativity to cross his line. While he may like jokes, only a certain type of humor appeals to him, as he hates pranks, mischief, and insults. He just doesn't understand the appeal of this type of humor, especially when others tell him "can't you take a joke?" Sorry, but he just doesn't like it. Lately, Lamont has been feeling that his life has been a little stagnant lately, so he wants to try and meet new people, but not just for a friend, but for a potential lover. So when he heard that a new show called "The Yasmine's Desire" was accepting auditions, Lamont couldn't help but throw his hat in the ring. Will Lamont be the one for Yasmine?

Private DL if chosen