#without even having the ability to check it for errors and fix it's flaws because you never bothered to learn to write
sorin-sunchild · 1 year ago
"But real people can take hours to reply."
"But nobody can write my kinks the way I like."
"It's hard to find real people to rp with."
Look I've been rping for over ten years and I know how hard it is to find a long term partner who writes the way you want but all I'm hearing is -
"Instant content stolen from real people directly benefits me so I don't care."
and you wonder why it's getting harder and harder to find real people to talk to and rp with? Maybe because people are all turning to these bots, or because they no longer trust writing with people who might use what they want to train an AI?
The only way to become more comfortable writing with people is to develop yourself, keep putting yourself out there and you can and will forge some really great friendships including kinky friends. It will be worth it. You can also just write for and with yourself.
It's actually depressing that Dead Internet Theory seems more likely nowadays as selfish people simply refuse to put in the effort to become artists and writers and connect with living beings in favour of Instant Content Right Now with no thought about artists' livelihoods, who is being exploited to create that content, etc.
It might be harmless fun in essence and on an individual level, even beneficial to a small time creator or easier for a personal project but it's indicative of a much wider issue and it's the entitlement that really gets me.
charismaandcashmere · 5 years ago
In the modern world, it often seems like it’s harder than ever to accomplish your goals.
It seems like everyone has already done the thing you want to do — that your idea is already out there, that your niche is beyond saturated.
Want to start a blog? You’re up against a million rivals. Thinking about starting a podcast? So is everyone else and their mom. Hoping to write a book? With the advent of self-publishing, you’re not only up against authors approved by major publishing houses, but anyone, anywhere, with a laptop. Want to become a YouTube star? Better hope you get noticed next to the thousands of other folks uploading new videos every day.
There’s seemingly a million graphic designers, a million wannabe filmmakers, a million other, probably more qualified candidates gunning for the same job you want.
And that’s just in the marketplace. In your personal life, the competition can feel equally fierce. In the days of yore, you were just competing against people in your college or church to win the attention of a lady. Now you’re up against every Tom, Dick, and Harry on Tinder. The dating marketplace hypothetically stretches beyond your community to encompass your whole state, maybe even the whole country.
Yes, in both economic and personal spheres, demand seems high, and resources seem scarce. It’s enough to make you decide to give up and not try in the first place.
Yet this feeling of scarcity is just an illusion, a myth.
In truth, there’s never been a more opportune time to live. Not only because it’s never been cheaper and easier to write a book, share your art, or start a business, but because the average person’s ability to execute on the basics has never been in such short supply.
While opportunities to achieve your goals aren’t as scarce as you think, there are areas where true scarcity does exist: in common sense, in social skills, in manners, in reliability. There’s a dearth of people who know, or have the will, to do the stupidly easy stuff to be charming and successful.
Let me give you just one example. Both off the air and on, guests of my podcast will tell me, “I can tell you actually read my book before this interview and I really appreciate that. It’s so rare.” I don’t bring this up to toot my own horn, but rather to point out how ridiculous it is that this might even be something worthy of mention! An interviewer reading someone’s work before asking them questions about it would seem like the barest of bare minimum job requirements — a prerequisite rather than something above and beyond. And yet the majority of podcasters aren’t even taking care of this most basic of basics.
There are tons of people doing what you want to do, but how are they executing? In 90% of cases, not as well as they could be.
That’s your opening. And such openings are absolutely everywhere.
To take advantage of opportunities, people typically concentrate on stuff like building up their resume — going to the best school or getting the right internship. And certainly, these things can help.
But what’s missed is that it’s often doing stupidly easy stuff that’s going to allow you to make friends and land your dream job. It’s doing the stupidly easy stuff that almost no one else is doing that can most readily set you apart from the pack, and up for success.
What is some of that stupidly easy stuff? Below you’ll find a (non-exhaustive) list of the things it’s hard to believe people don’t do more often, and which have a huge ROI because most people can’t be bothered.
1. Send a thank you text when you get home from a nice party/date. In my opinion, this is the #1 easiest and best way to be a more charming texter. Yet almost no one does it. When someone has you over for dinner, or you take someone out on a date, once you part ways, they typically worry a bit as to whether or not you had a good time. And a party host wants to know their effort to throw the shindig was appreciated. So even if you thank your date/host in person at the end of the evening, once you get home, shoot them a confirming text saying, “Thanks again for the delicious dinner. We had such a good time!” Trust me on this, it’s stupidly, stupidly charming.
2. Write handwritten thank you notes, always and often. When an occasion was especially nice, instead of sending a text, write the person a handwritten thank you note and stick it in the mail. And send handwritten thank you notes for anything and everything else. Received a gift? Thank you note. Job interview? Thank you note. Someone helped you move? Thank you note. Someone went to bat for you at work? Thank you note.
Thank you note writing has become such a lost art, and receiving snail mail is so delightful, that sending handwritten appreciation has become one of the most effective ways to set yourself apart from the pack.
3. Edit your emails/texts before sending. No one ever catches all of the spelling and grammatical mistakes contained within their communications, but giving your texts and emails a couple reads before you hit send will tighten things up. These “clean” missives significantly contribute to making a winning digital impression.
4. Know how to make small talk. We spend so much time behind screens, that when we finally meet people face-to-face, our conversation can often be awkward and stilted. But being comfortable with small talk opens a tremendous amount of doors; sure, it starts out with the superficial, but it’s the on-ramp to deeper discussions — the pathway to relationships with potential lovers, new friends, and future employers. Fortunately, once you know the simple methodology that makes small talk flow, it’s easy to master.
5. Don’t be a conversational narcissist. Related to the above. The only kind of talk many people know how to make these days, is about themselves. Someone who knows how to listen and ask good questions comes off as stupidly charming.
6. Don’t look at your phone during a conversation. In an age of scattered attention, a person who can concentrate their attention on you, and fight the urge to look at their phone while you eat or talk — someone who can make you feel like the most important person in the room — is a charmer par excellence.
Can’t seem to pry yourself away? Check out our complete guide to breaking your smartphone habit.
7. Dress well for a job interview. You don’t have to show up to a job interview in a three-piece suit (unless the position calls for it); overdressing can make as poor a first impression as under-dressing. But showing up dressed just one notch above what current employees at the company wear will immediately set you apart from many other candidates. Well-shined shoes, a pressed shirt, and good hygiene will help too.
8. Come to a job interview prepared to ask questions of the interviewer. Whenever we post this article on “10 Questions to Ask in a Job Interview,” HR folks always weigh in with how “amazed” they are at the number of candidates who stare blankly when asked at the end of an interview, “Do you have any questions for us?” Know some questions to ask going in.
9. Take a woman on a real date. In a landscape of “What’s up?” texts and non-committal hang outs, taking a lady on a real date puts you head and shoulders above other suitors. What constitutes a real date? Watch this video and remember the 3 P’s: Planned, Paired Off, and Paid For.
10. Offer a sincere apology when you mess up. My generation seems to struggle with saying “I’m sorry” when they make a mistake. Numerous times I’ve had my order messed up at a restaurant, and when I bring it to the attention of the waiter or manager, they just shrug, say “Okay,” and fix it, without saying, “I’m sorry about that.” Then the other day an order of mine got messed up, and the manager took a totally different tack — comping my whole meal and bringing me a free dessert. That kind of treatment is so rare, it was unbelievably winning. I even found the manager after my meal to tell her so, and let her know I would specifically make an effort to return because of her gesture.
As it goes in the restaurant biz, so it goes with everything else. Most of your fellow employees will just say “Okay” when an error is brought to their attention. Offering a sincere apology that demonstrates you take responsibility and understand where you messed up and how it affects the company, will easily set you apart (so will immediately trying to make it right and preventing it from happening again).
And in your personal life, apologizing when you stumble is stupidly endearing. You’ll probably mess up again, and often with the same issue, but even when you can’t completely overcome your flaws, showing you’re at least completely aware of them goes a long, long way.
11. Follow through. I get a lot of emails from guys who want to do something with the Art of Manliness, like write a guest article or strike up a business partnership. They are excited! They are passionate! They are…MIA. They never follow up or follow through on their idea. I’ve often wondered what happens between their excited initial email, and their descent into silence. But whatever it is, it can easily be avoided by those committed to following through.
12. Be reliable. No quality today can more readily set you apart from your peers than reliability. Doing the follow-through just mentioned. Showing up on time (and just plain showing up). Meeting deadlines. Managing expectations and not overpromising. Promptly responding to emails. Keeping your word.
Are freelance graphic designers, artists, video/audio editors, app developers, programmers, contractors, etc. a dime a dozen? Surely. But a reliable creative professional or handyman? A pink unicorn. If you couple talent and skill with reliability, it’s stupidly easy to dominate your competition and your niche.
When you survey the economic and dating markets, they can seem incredibly oversaturated. Demand seems high and resources seem scarce. But when you take a closer look, you’ll find that while there are plenty of people all grasping after the same thing, there are only a few executing well on the attempt. Setting yourself apart isn’t complicated or hard; it often involves simply doing the stupidly easy stuff that everyone else overlooks.
Their obtusity is your gain; see through the myth of scarcity, take care of the basics, and the world is your oyster.
muthaz-rapapa · 5 years ago
Hope is the Pioneer
Truly, I feel that I can’t say this enough but despite its flaws, StarPre has been such a wonderful season for me in so many ways.
And perhaps the most important one is what this final episode wanted to tell us.
Hope is what paves the way to the future.
Immediately starting with Yuni getting her planet and people back.
She’s been through so much to reclaim her home and her efforts are finally rewarded.
However, it is so important to remember that this miracle didn’t come about because she tricked the universe behind the mask of an idol or that she used her skills to steal from others whatever she needed to achieve her goal, without a care for who she harmed when she did.
The revival of the Planet Rainbow can’t be credited to the mysterious powers of “Twinkle Imagination” either, which Yuni willingly gave up in the end even though keeping it for herself would’ve fixed her planet in a blink.
Rather, the miracle was brought on by Yuni letting go of her prejudices and opening her heart to those who truly respect and accept her for who she is.
This led to Yuni finding the strength within her to be able to forgive Aiwarn, the person who caused her the most pain, which then helped Aiwarn realize the error of her own ways and show sincere remorse by aiding Yuni in finding a cure for the petrification of the Rainbownians.
Had Yuni continued only on the path of a phantom thief, distrusting everyone around her and only relying on herself, who knows how much longer it would’ve taken her to get here? Or if it would’ve been possible for her to reach it at all?
But the point is, Yuni outgrew what would’ve held her back. She threw away what limited her (resentment, suspicions, hostility) and instead chose to cooperate with others to save what was most important to her.
And she succeeded.
Then we have Lala, who’s gone back home after the battle.
No longer is she the neglected scorn of her community or the unfavorite within her household.
The fact that she wants to get back to work right away in order to help better Saaman, the reaction her parents give on not wanting her to leave so soon and that they were even making onigiri to eat together (!!) speak volumes of how gigantic a change her planet is undergoing.
An extremely good change, at that.
Saamanians are no longer overly relying on technology, even though it provided them with so much convenience before.
It’s not just about “Lala style” being the new trend.
Everybody wants to be able to walk on their own two feet now. Regardless of how much harder it’ll be for them, at least they can live more freely this way.
They want to live freely like what Lala has learned to do, like what Lala is teaching them how to do.
People don’t have to be assigned and divided by aptitude evaluations anymore. They can choose what they want to do and what they want to be of their own will.
Had Lala not left Saaman in hopes of finding something better for herself, been influenced by her time on Earth and brought back that experience to share with her people, can we say Saaman could’ve removed their attachment to the system they made as the crux of their society?
I don’t think so.
Lala and Yuni’s worlds are changing, evolving, because they let themselves wish for something even better than what they could’ve imagined.
Yes, them. The girls whose imaginations were stated by the 12 Star Princesses to be even stronger than theirs, the creators of the universe itself!
And that’s just the beginning.
Fast forward several years later, MICHELLE OBAMA has become president of the USA!! HELL YEA, BABY!!! (๑˃̵ᴗ˂̵)و
Sorry, I just needed to say that, hee~ :D
Now back to the real important stuff...
The first girl we hear, not see, post-timeskip is Elena.
And just by that, we already know she not only accomplished her dream of becoming a translator like her mom but she’s gone above and beyond by becoming the person tasked with the job of interpreting foreign news for the entire country of Japan!
What. An. Honor.
Seriously, an international broadcast of a monumental event happening for the nation and she’s at the forefront of that crew covering it. Such an incredibly happy and proud moment, one that other countries want to share their congratulations and well wishes for and Elena is the one chosen to help do just that.
Elena is helping bring smiles on so many fronts like the brilliant sun she is.
Her, a biracial woman of color.
Simply. Amazing. *claps* x3
Then of course, we have our beautiful moon.
Madoka, too, has reached taller heights.
Like her father, she’s become the leader of a very important force, fulfilling and continuing the esteemed Kaguya legacy as she’s always been expected to.
Unlike her father, however, whose (previous) job as a government official was to search for, expose and expel aliens, Madoka is now the head of a project that’s the first, but crucial, step to establishing connections with worlds beyond Earth.
In other words, proactively engaging and forming friendship with the aliens.
And in the face of her father, now Prime Minister, she is nothing but composed and confident.
In her team, in their efforts, in herself.
Again, so different from the Madoka at the beginning of the season who couldn’t even smile from the bottom of her heart until her friends taught her how.
Now she’s out there breaking down barriers in hopes that they can reach even further, to create more relationships like her own. Relationships that can bring so many benefits to Earth and still withstand even the distance of space.
Short-term goals, long-term goals. There’s still so much for Madoka to do.
But when you look at her expression, you can tell that she is nothing but sure in her ability to make them a reality.
That positive outlook not only shaped her but also, I believe, changed her father as well.
For once, it’s Madoka who’s teaching him instead of the other way around.
To not think so restrictedly and to let things come into their own potential rather than controlling them.
If it weren’t Madoka rebelling against him those years ago so that she could find her own way to become the person she is, I doubt things could’ve turned out as well as they did, including him becoming Prime Minister and smiling proudly at her, no less.
Madoka has achieved so many things and will go on to do even more and he’s incredibly proud of her.
Next, the star that never stopped shining, Hikaru.
Let me just say that becoming an astronaut at a major space program must not be an easy feat.
Getting selected to be part of the crew who gets to go to space, even more so.
But if we know anyone who can do it, it’d be Hikaru.
Hikaru who’s so passionate about the things she loves, who fervently admires space more than anyone, who wants to know all about the unknown there is to discover out there.
Hikaru, who has a promise to keep with her best friend who’s waiting for her.
Did we expect any less of her?
Certainly not.
She’s made it and she’s coming back to space!
Light years away, said best friend is still waiting but also searching for ways to get back to Earth.
During that time, Lala also climbed ranks of her own, becoming an inspector-of-sorts for the Starscape Alliance and traveling among planets, checking their conditions and reporting them back to her superiors. Making sure the cosmos are in order and so on.
Fortunately, she is not alone, as she has Yuni to share her feelings with since they fought alongside each other before.
The two Cures from other worlds.
It’s nice to have someone who understands you in that way, which is why I have at least one reason to be glad that Yuni was integrated into the team as the mid-season Cure.
As for Yuni, I suspect she seldom leaves her planet and has her own busy schedule on trying to make it more habitable to live in.
Thanks to Aiwarn, who may or may not have taken up permanent residence there (and really rocking that haircut), it’s no longer just a possibility anymore and the prospects are growing day by day.
Although I still can’t say I care much for her, I think it’s super nice the Rainbownians have welcomed her among them as Aiwarn had always wandered as a lost child in need of a home and the lack of one is probably why she became so vile and unstable in the first place. With that no longer a concern, she can put her brains to better uses.
On another note, there is no indication whether or not Planet Rainbow has joined the Alliance themselves but I’m pretty certain Lala’s been specially assigned to communicating with them anyway (thanks to her friendship with Yuni) so at least the relation is much more amiable than it was before, even if Rainbow chose to remain independent.
In short, everything’s well on this side of the universe.
A fact further supported by the Notraiders having a planet of their own to call home.
And what a beautiful star it is.
Everything’s flourishing and in bloom. A far cry from their previous headquarters which was perpetually dark and barren.
The facts that the Notraiders themselves made this planet beautiful through their own teamwork and that it was the Starscape Alliance who gave them this planet make it exceptionally more heartwarming in hindsight.
Because remember, these poor souls didn’t have a place to belong. Their previous homes either were destroyed or rejected them.
And then they had their sense of loss twisted and manipulated by Ophiuchus, resulting in them doing bad deeds.
For that, one would expect them to be thrown in jail, maybe even for life. But instead, they’re forgiven and sympathized with.
One would probably expect that they’d want revenge on Ophiuchus as well but instead of chasing after her, they focused all their energy and efforts into making a home for themselves.
Rather than punishment, a second chance.
Rather than destruction, creation.
So exactly what point am I trying to make here?
Well, I believe that word “hope” means so much more than what we think it really is.
Hope is not just simply having aspirations and dreams. It’s not the good to counter the “evil” of despair.
Hope is something even broader, more difficult, more terrifying and of course, more magnificent than its basic definition.
It’s a sentiment we all share for wanting to see a better tomorrow.
A tomorrow where we can have more than what we have today.
Like the world becoming more innovative, more progressive.
More peaceful and forgiving.
Supportive, understanding and accepting.
Kinder and closer together than we are now.
But tomorrow is also full of unknowns, doubts and questions.
What if it’s not worth it?
What if the world won’t let me be what I want to be?
What if I’m rejected or shunned? What if no one accepts me?
What if I get hurt?
That fear will always be there and it’s indisputable there’ll come a time when you will get hurt because no one lives without being hurt, after all.
From that, you’ll learn what anger, sadness and misery feel like. It’ll either make you want to hide or lash out to protect yourself. It’ll feel like everything’s stopped at that point and you’re stuck there, not knowing what to do next.
But still, there’s always a choice for you to make.
You can decide whether to stay as you are or try to move again.
That is not to say those feelings of helplessness will be invalidated if you choose the latter. Nor does it mean you shouldn’t have felt them in the first place or give up on your cautions entirely.
Rather, it’s because you have those feelings that you can move on from them. To shed them for something better and greater.
“I may be afraid but I don’t want to be afraid forever. I want to face the world with my head held up high.”
“I’ve been hurt and I don’t think I can forgive. But there is something that means even more to me than that.”
“If nobody wants me, if there’s no place for me, then I just have to make a place for myself to be who I am!”
Hope is not guaranteed success.
It won’t always give you the results you want, no matter how strongly you wish for it, and may even bring you down worse than you thought it would.
But without hope, without imagination, then there is no future or possibilities. There is only nothing.
It’s because there’s imagination that worlds and universes can exist. It’s because there is the unknown that we have the desire to know more and become more than what we are now. It’s because there’s hope for us to cling onto that we can always strive to move forward.
All it boils down to is whether or not you’ll let your hopes be hindered by whatever blocks your path.
Be it hesitations, criticism or negativity in any form.
But once you overcome that, the outcome may be even more kirayaba than you could’ve ever imagined.
That’s all, folks! Thanks for reading! :)
redorblue · 6 years ago
Tiamat’s Wrath, by James S.A. Corey
It’s been a while since I finished, and I’m still A MESS (and, apparently, not the only one). So this is not going to be coherent in any way, just me rambling about what stood out to me in those 541 pages of pure stress.
I’m tagging it as spoilery, but still: CAREFUL, SPOILERS! (also, long)
Alright. No way around that: the first sentence messed me up badly. I’m pretty sure that’s never happened to me, having a character die on me in the very first sentence of a book (not even the first chapter! The prologue, ffs!). And technically not even that, she’s been dead for a while, I just learned about it now. The thing is, I expected something like this to happen at some point, I was already dead scared for her in Persepolis Rising once it had sunk in that we’d just done a time jump of several decades, but I thought we’d get her death on screen, if only because she’s been such an influential character over the last seven books. It feels odd to just have her gone, without drama and fanfare. My guess is that, besides being really old at this point, she also didn’t have much energy left because of her failure to protect Sol system against the Laconians and the feeling of powerlessness and inevitability that came with Laconian rule. With the political center of the galaxy moving to Laconia, she probably lost most of her influence, and I think that takes a heavy toll on a born politician and decades-long power broker such as Chrisjen Avasarala. So it makes sense that she’d just... die (and it certainly sets the tone for the rest of this bloodbath of a novel).
Once I got over the initial shock, I also came to appreciate the way her death (or rather, her being dead) is written. I liked that we got a tiny peek into her relationship with her granddaughter that doesn’t sentimentalize her, but gives an interesting inside view into her worldview. The quote on her tomb broke my heart:
“If life transcends death, then I will seek for you there. If not, then there too.”
I loved every single word of the tiny snippets of information we got about her relationship with Arjun back in book 5 (or 6?), when it became ever clearer that he’d just disappeared, never to be found again, like millions of others on Earth. So to see that she still misses him, and that the fact that she never even found his body still haunts her... It breaks my heart, but it’s also really sweet. It says a lot about her personality (determination was her second name) and it shows this soft side of her that nobody around her ever got to see. But even though she mostly came off as mean and ruthless to other people, it’s nice to see that she had a positive impact on their lives (and that it’s acknowledged!). It so often happens that once a character is dead, they’re never mentioned again, and certainly never mourned. I appreciate it a lot that this didn’t happen here, that it’s pointed out several times how even in death she’s helping the other characters deal with their situation, especially in the few Holden POV chapters. I’m really grateful that her memory is being honored, especially since it’s honored by characters imagining her bossing them around, which I’m pretty sure she would have liked.
Second, I like the view on humanity that’s presented here, in the series in general but especially explicitly in this book. I’d argue that it’s actually quite positive, despite all the power-hungry, conscience-proof narcissists like Duarte and Inaros and Errinwright and Mao and Cortázar and... Yes, they exist and they naturally have a lot of tools to screw things up, which is only realistic, but they’re presented as outliers. The rest of humanity is messy, and unruly, and sometimes has an impressive ability to ignore paradoxes, but it is also capable of empathy and mercy, and most people can find the strength to stand up for what’s right when it matters. I think the best summary of this philosophy is found in a monologue from Emma:
“Easy to make rules. [...] Easy to make systems with a perfect logic and rigor. All you need to do is leave out the mercy, yeah? Then when you put people into it and they get chewed to nothing, it’s the person’s fault. Not the rules. Everything we do that’s worth shit, we’ve done with people. Flawed, stupid, lying, rules-breaking people. Laconians making the same mistake as ever. Our rules are good, and they’d work perfectly if it were only a different species. [...] I’ll die for that. [...] I’ll die so that people can be fuckups and still find mercy.”
What she’s saying is that our general aversion to rules gets us into a lot of trouble, but it also gives us flexibility, and therefore the capacity for mercy even if we’re perfectly certain that a person screwed up. She’s also saying that it’s important to stand up for that, to not just care about one’s own tiny bubble and put every terrible thing that happens down to “guess they had it coming”. Because it’s not as easy as that.
I also love this quote because it’s one of the strongest statements of what’s actually wrong with Laconia. Several characters, in this book and the last, point out that it’s really hard sometimes to not lose track of why Laconia’s version of authoritarian rule is actually terrible, and I gotta admit that I agree. Sometimes, on paper, the whole organising principle just seems so... sensible. There aren’t any graphic descriptions of bloody massacres like when Eros got infected with the protomolecule or when Inaros dropped the asteroids on Earth. Even the actions that are clearly atrocious, like Trejo destroying Pallas or the protomolecule “production” in the pens, are described in a way that feels very surgical, almost hygienic, so that you lose sight of what’s actually happening. I’m pretty sure that that’s deliberate, that the authors want their audience to slip into this mindset of “are they really that bad?” every now and then in order to make the audience see that authoritarian regimes aren’t only bad when they have obvious bloodstains on their hands. They’re actually bad all the time, and even more dangerous when they’re not that obvious. When the arbitrariness that most of us associate with dictators is replaced by a set of rules so strict that you gotta slip up some time, and once you do there’s no fixing your mistake. Plus, the absolute confidence (read: hubris) in their own decisions that often comes with this specific kind of dictator makes them immune to any kind of outside opinion, which, as this book clearly demonstrates, leads to some astonishingly short-sighted decisions and a whole lot of very dangerous complications.
So all in all, I think this book does a pretty good job at exposing the nature of authoritarian regimes, from the system of distributed (read: lack of) responsibility that comes with a strict chain of command and their complete lack of accountability or checking for logical errors, to the treacherous allure that some of them might have.
Third, I love the way the romantic relationships are written. I’m usually not a big fan of romance because I think in most cases the romance is more a necessity that comes with the medium than an actual gain for the plot, but I love these. Probably because at this point, all the romantic relationships have been an established fact in the couple’s lives for a few decades now, and they give me this feeling of being... settled, in all the best ways. It can be exciting to watch a new relationship being formed, and I love slow burns to death, but once the new couple gets together my excitement normally fades away pretty quickly. Apparently there’s only a limited number of ways to introduce conflict in such a situation (and no, it can’t come from the outside and the rest of the plot for... reasons), and usually the new couple is way too busy with sudden attacks of irrational jealousy, a dark secret in the past, the do-they-really-love-me-agony etc. for me to enjoy this relationship that I’ve been rooting for for so long. Especially since it’s usually a problem that the couple could solve by having a long and honest conversation, but for REASONS that’s not an option and... I digress. So I like established relationships because they generally don’t come with that particular brand of drama, which means that there’s space to actually focus on the couple itself or on (gasp) the plot. This whole series does that pretty well - I already mentioned that I adore Chrisjen and Arjun as a couple - and in this book there is a lot of it. Naomi and Holden, obviously, and Elvi and Fayez, and for me also Drummer and Saba, although he doesn’t show up on stage at all and she does so only briefly, so in their case it’s more of an aftereffect of Persepolis Rising that’s exacerbated by him dying.
I don’t know how to put this into words exactly, but I love that these relationships are so stable (and by that I don’t mean boring). The fact that it has been an important part of the characters’ lives for so long doesn’t mean that they don’t express their love anymore, that they don’t think about each other with affection, that they don’t worry about the other or miss them. There’s lots and lots of fluff, if you want to put it that way. But most of all, they provide what a committed relationship is actually supposed to provide: an anchor, a sense of belonging, stability, mutual understanding, acceptance... without taking away the characters’ agency, identity or personal freedom. It’s most visible in Elvi and Fayez, where Elvi is the one with the important job, the long hours and high security clearance, and Fayez just supports her through all of the awfulness. He doesn’t pry, he doesn’t pick a fight with her for never being home, and he doesn’t reproach her for not eloping with him in the end because he can see that this is important for her. And while we don’t get his POV, I’m pretty sure that he’s not just swallowing his anger or feeling unfulfilled in his clearly supporting role - he just has his priorities straight, and No. 1 on that list is Elvi. Which is what a healthy relationship should look like.
And I think the same goes for Naomi and Holden. As painful as it was to watch her mourn him over almost one and a half books, I think it might be good for their relationship. He’s always been the one in the spotlight, not because he wanted it so badly but because he’s naturally good at it, and she was the one in the shadows (of her own volition, I need to add). I think that the events of this book, with her rising to the very top of the resistance movement and putting her logistical brilliance to work, will add a whole new layer to their dynamic. She’s now finally in a position where she might be able to prevent at least some of these situations that trigger his instinct of running head first into danger for the good of others. I don’t think she’d try to pull rank on him, but she has a bit more control over circumstances now so that she’d at least be able to do the whole rushing into danger thing together, and it puts them on more equal footing, hierarchically speaking. That’s never been an issue in their relationship per se, but it has been a factor in the way they interact with others both as a couple and as individuals. He often deferred or at least conferred with her, but Holden was the one other people addressed first, and that’s going to be different in the next book.
In the same vein, this book also made my shipper heart both glad and utterly devastated at the same time because there’s so much Alex-Bobbie-content. I’m not sure if you can actually call it shipping - I never wanted them to be an item romantically, but I think they’re one of the best examples of a queerplatonic relationship that’s out there. It’s canon that they never slept together, probably never even kissed, and it’s still made abundantly clear that they’re each other’s person. Alex stating that he intends to grow old with Bobbie (I think that was book 7? I’m not crying you’re crying); Bobbie worrying all the time about Alex’s safety and that he feels like he’s missing out on things like being with his son because he’s out fighting Laconia with her; the fact that he’s the only one who can get to her when she would have punched anybody else - I don’t know, they do more for me than any of the romantic couples, and I already said how much I love those. Bobbie and Alex share all of the positive traits that the romantic relationships have, but their bond is presented in a much less conventional format. It says that relationships not based on romance and/or sex can be just as lasting, committed and loving as romantic relationships, and I need to hear that more often.
Which, of course, made it all the more devastating when Bobbie died. It made sense for the narrative - with Clarissa dying at the end of Persepolis Rising, and Bobbie now, we’re down to the original Roci crew, and it solves the captaincy confusion that was part of the problem in Persepolis Rising. And I guess it also made sense for her character in that it’s a fitting death for her - it shows off all of her best personality traits from her loyalty to her crew and her convictions to her military genius, and it’s just generally badass. It still makes me very sad, though, because it’s the end of this beautiful bond that my ace ass needed, and watching Alex grieve is heartbreaking. I love Alex to pieces, he has such a caring soul, and those scenes after the battle against the Tempest where he’s working himself half to death over his grief and guilt while knowing perfectly well that he’d have killed the entire crew by trying to save her - those were absolutely awful. But as much as my heart bleeds for him, Bobbie dying also brought me one of my favourite moments for him as a character and for Naomi and Alex as a family, namely when he returns to the Roci and talks to Naomi about what it’s like to have lost Bobbie. It goes like this:
“[Naomi] ‘I am so sorry about Bobbie. I cried for a whole day.’ Alex looked down and away. His smile shifted invisibly into a mask of itself. ‘I still do sometimes. It’ll take me by surprise and it’s like it’s happening again, for the first time,’ he said. ‘Thinking about Jim does that to me.’”
This direct comparison between Naomi losing her lover and Alex losing Bobbie is, to me, the ultimate confirmation that their relationship was just as loving and committed as the main romance of the series. Plus, Alex freely admits that he cries a lot, which is, of course, a normal reaction, but also such a good example of a healthy kind of masculinity that he shares with Fayez, for example. Their partners taking point is not presented as a sign of them being incompetent, unimportant or “emasculated” because it doesn’t take away from their personality in any way. It just shows that they have different, equally admirable strengths that form part of their personality - not their gender identity.
stanprokopenko · 7 years ago
Process for Successful Drawings – Caricature Essentials
This is an example by Court Jones based on his Shape Design and Facial Features caricature lesson video.
***
I figured a good way to end the course is with a caricature of Stan the Man himself, Mr. Prokopenko.
Stan’s likeness is a little tricky. It could go many different ways. Even with his heavy eyebrows and manly stubble, he still has kind of a baby face. So to help me out, I decided to use the Spirit Animal technique to come up with the exaggeration. After some thought, I’ve determined that Stan’s Spirit Animal is… a beet.
Now I know what you’re thinking, it’s just because he’s Ukrainian and I’m stereotyping. And that’s not true at all. Stan is actually a huge fan of beets. Every time I see him at lunch, he’s enjoying pickled beets or beet salad or just a big ole’ bowl of borscht. His favorite song is Beat It. The man is beet-crazy! If you see him at a convention or out on the street, feel free to just give him a handful of beets. He’ll eat them raw.
Thumbnail Sketch
Of course Stan’s large cranium and thin neck coincidentally worked really well with the beet shape. So I begin with some thumbnail sketches, to try and figure out how to make Stan’s face work on this beet. I soon realize his features should sit low on his head, because his forehead and hair take up more real estate than on the average person. I think the concept here is a good start. But the features aren’t executed in a way that’s accurate to him. So I end this one and try sketching from a different angle.
For this second sketch, I maintain the same basic concept of the inner beet spirit, but I thicken the beet-neck just a bit at the top. I also like the idea of really small features set into a large wide head. It’s funnier. This one is working much better than the first sketch. Although I’m not a fan of straight-on views. I prefer more dynamic angles that allow me to show the three-dimensional quality of a face. So I move on to a photo with a more interesting angle.
Again, I try to maintain the beetroot proportions for the head shape and then place the features on top of that. In this thumbnail sketch, I’m able to draw a more dynamic angle which I push even further to give it more visual interest. And there’s even a slightly sassy expression on his face that I try to make more obvious in my sketch. Because of the interesting angle and expression, I feel like this is the one that I can take to the next stage. The likeness needs some work, but that’s what the rough sketch is for.
Rough Sketch
I begin the rough sketch by tracing directly over the thumbnail. I use some simple guides to align the features in perspective on the head. And I slow down a bit to give more attention to each feature. More time than I allowed in the thumbnail sketch phase anyway. One of the distinctive traits about Stan that isn’t strictly physical is the darkness around his eyes. His eyes are heavy-lidded, but also a slightly darker tone than the rest of his face. So I try to indicate that in my rough sketch.
At this point, it feels pretty good, but I’m not entirely sold on the likeness yet. Something I’ve learned about likeness is that it’s usually easier to see with the use of light and dark values, rather than with just lines. I could continue crosshatch shading to darken the values, but for the sake of speed, I add some more shading with a large brush. It’s pretty rough and simple, but I think it does add some visual information to define the likeness which wasn’t there before, like the volumes of the forehead and cheeks. When I squint down and blur my eyes, I really see it. So it’s just enough to confirm that I’m on the right track even if it’s not perfect yet.
Abstraction
For this next stage in developing this caricature, I flip the rough sketch over to better see any structural problems and then draw a Reilly Abstraction on top of it. The rhythm lines of the Abstraction are drawn from one side of the head to the other to help check if things are lined up or if they need to be moved. Some features, like the eyebrows, are going to be asymmetrical, so I allow for that and look for unintended distortions and asymmetries. I discover that the ear I drew on the rough sketch was too low. But for the most part, everything else was in a good spot. Even if all the features are determined to be well-placed, these geometric rhythm lines are most helpful because they act as an idealized template of Stan’s head – sort of a cleanser, washing away the rough lines of the earlier sketch, so that I can trace much more nicely designed shapes and features in the right locations at the next stage.
Oh, and besides the ear being too low, the Abstraction helps me figure out that the head would look better if the forehead was more bulging in front.
Final Sketch
After a quick check, I flip it back around, dim down the Abstraction and begin my final linear drawing on a new layer, tracing over the Abstraction, but with much more attention to the exact shapes of the contours and features and also to the quality of my lines.
This lesson is all about drawing caricatures with special attention paid to the visual design. As I’ve said, a good exaggeration and likeness is not enough. To draw at a professional level, you need to slow down and spend time creating a refined look or visual design. It doesn’t have to be realistic and based on anatomy, like my work. You can draw abstractly or simple and cartoony. But whatever it is, you need to figure out what you want the finished style to be and then keep working on this until you’ve achieved that look. Tracing over the previous drawing is a great way to do that.
Now, the problem with being the judge of your own progress is that while you’re learning, your artist’s eye may not be able to see all the flaws that a more experienced artist may see. As you continue your studies, your eye will improve, followed by your hand’s ability to make the right marks. But during this time is when it’s important to have a teacher, mentor or at least another artist at a higher level of development help you and let you know where you can improve. Eventually though, you’ll be able to look back on your older work and wonder why you missed all those drawing problems the first time around.
With my linear lay-in finished, I now add the soft edges. Wherever a form transitions from a light to dark value, that transition will be either a hard, firm, soft or lost edge. Once those transitions are all in, I finally start to add the values, which is the final stage of this drawing.
I always seem to have the most success in a drawing or painting when I work on a middle grey background. In the premium version of this course, I demonstrate shading drawings with different strategies. On my David Bowie caricature, I shade on a white background, which shows how it negatively affects my perception of the values on the face. Working on a white background prevents me from shading as darkly as I should because the bright white fools my eyes into thinking a value I use on the face is darker than what it really is. A light-middle grey, as I’ve used here, sets me up right in the range of what Stan’s caucasian flesh tone already is. So even before I begin, I’m in the right value range.
Most of the time in a realistically shaded portrait like this is spent working in the middle range of values. Or the halftones. The dark accents and bright highlights are fun and give the drawing more visual punch. But they wouldn’t work if the middle values aren’t properly figured out and correctly placed first. The meat of the portrait is in the halftones. They are what’s going to sell it to the viewer. And the halftones are usually all within a very narrow range on the value scale. So there’s not much room for error. If you shade the halftones with too much contrast, the subject will look shiny or metallic. If you don’t have enough contrast, the portrait will look dull and flat. And if you don’t shade and cover the shapes evenly, you may get spotty or streaky effects where bits of light or dark peek through your strokes. So make sure you’re using the right tool for the job.
Most of the Photoshop brushes I’m using to shade here are very subtle brushes already. One stroke from them doesn’t cover much because they have heavy textures applied to them. I have to keep on adding stroke on top of stroke to lay down a value. It’s similar to using very light pressure with a hard charcoal or graphite on a rough paper. In fact, I think my main brush here is called “Shady Graphite” by Kyle Webster. It comes standard with the latest version of Photoshop. But you can find or even create similar brushes in other painting apps.
Also, it probably goes without saying, but when shading a drawing or painting, use the largest brush for an area that you can. You want to be able to cover broad areas with fewer brush strokes. But to get hard edges or for textures like the hair and stubble you’ll need a smaller brush. But those should be used sparingly, lest you end up with a streaky and sketchy rendering. Most of your time in a drawing like this will be spent using large brushes.
Some final bits of advice to create professional quality caricatures with a strong sense of design are: First and foremost, keep working on it until you can’t make it any better. Push yourself to draw and paint like the people you admire. If you get to the end and aren’t sure if it’s a success, get up, walk away and come back to look at it with fresh eyes. Or flip it in reverse one more time to examine it backwards. If there are any structural problems, they’ll be much more obvious. If you can correct those problems, then do so. If there are just too many problems to fix, you may need to go back a few steps and start again from your rough sketch or Abstraction.
6ad6ro · 7 years ago
dark souls
an analysis of every game in the dark souls series by a big fan, but not a fan-boy. someone who isn't so clouded by toxic competitiveness and false pride that they can't see the obvious flaws. a sorta guide for the average person so they can enjoy all the great things souls has to offer, while avoiding the substantial amount of garbage that 95% of players will genuinely hate.
tl;dr - play ds3 or bb first. they’re the best and most fair. maybe watch playthroughs of others to see if you can handle the series’ flaws. a more detailed, WAY longer write-up is underneath the readmore cut!

souls games from best to worst:

1. dark souls 3
GOOD: best souls, best action, great aesthetics, best mixture of everything series did right, best starter game, most fair, least issues.
BAD: broken early game co-op due to smurf invaders ruining it for everyone. still has issues that are in every souls game like no offline pausing and artificial difficulty.

2. bloodborne
GOOD: fresh new take on souls, made the action better, fair difficulty, souls for people who don’t care about tolkien fantasy, another great starter souls.
BAD: confusing multiplayer, shorter than most souls, aesthetic direction limited variety of everything, “chalice dungeons” suck.

3. dark souls 2
GOOD: co-op is the BEST in all of souls, fixed many difficulty and balancing issues brought in by ds1, not a miyazaki game but that can be a good thing sometimes.
BAD: without co-op is probably worse than demon’s tbh, rigid laggy combat, kinda linear compared to ds1, not a miyazaki game and you can tell.

4. demon’s souls
GOOD: really started it all and deserves the credit, short but sweet, weirdly happy but still evil aesthetics, feels like a fun set of obstacle courses, many ways to mitigate the difficulty.
BAD: horrible co-op, confusing mechanics, comparatively too short, almost level-based which takes away from exploration, “world tendency” isn’t great, still very rough around the edges.

5. dark souls 1
GOOD: best aesthetics/music/characters/world/lore of any souls, originated souls exploration, plenty of secrets and replayability, HUGE game, the fan favorite, the deepest levels of masochists will love the abuse from this game, an exploit in all versions to “cheat” and help mitigate the bullshit.
BAD: almost not worth playing due to insane cheapness and difficulty right from the start, the fanbase of ds1 is so toxic and horrible and elitist i have to include it, “ornstein and smough”, “curse”, even the world exploration is frustrating in this one, i have never labeled a game as “abusive” until now, is so broken that i have to include a cheat as a fix.

6. dark souls 2 on ps4
GOOD: a remixed version of ds2 that manages to feel very different, way better visuals and 60fps, potential for co-op paradise with ability to play through all of ds2 with 3 friends simultaneously (i wanna try thisss).
BAD: worst souls, least fun single player of the whole series by far, most of the balance and fairness brought in by vanilla ds2 is gone, literally patched balanced bosses to break them and make them artificially unfair, feels like a sloppy ds2 fanmod made by a ds1 purist, combat seems even laggier than the original, as much as i hate on ds1 at least it was a fully original game, just go play the other versions unless you’re desperate.
THE READMORE
this will kinda be in order of release. one last thing to note before starting the series is that souls IS inherently cheap and unfair by design. even avoiding most of the worst parts and doing extensive research won't save you from all of it. the concept of souls is that wasting your time retrying parts isn’t enough of a punishment for errors. the creators wanna really hurt you. and they refuse to include difficulty settings! but imo some of the pain is worth it tho, because the storytelling, world exploration, and aesthetics might be better than any game in the last ten years. and highly competitive, “i wanna prove myself” types will eat this gameplay up. this is like if castlevania symphony of the night and silent hill had an incredible but problematic baby.
demon's souls: GOOD! a gorgeous, tough, medium-sized game that really started it all. rough around the edges, but so cool! don't skip this one. this is like your favorite band right before they hit it big. it's still hard, but a lot of the difficulty can be dealt with by choosing an overpowered starting class (royal), and grinding for levels and healing items. the aesthetics are through the roof. it's somehow a happier game than any other souls, which makes it stand out imo! sadly no expansions for this game. i'd have loved more!
there's some bad stuff for sure though. like having to keep track of inventory carry weight. and other things that became staples of the souls series but are really horrible design. like inability to pause even offline. plentiful cheap traps and "gotcha" guess and check mechanics everywhere. super easy to accidentally attack an npc and literally break an entire playthrough. horrible autosaving. confusing awful multiplayer. forced invasions by (usually) smurf players who aren't looking for a fair fight. i'd say "play this one offline" but sadly the servers just went down for good so you don't really have a choice anymore.
it's also comparatively short. maybe a third the size of ds1. maybe even less. and the whole "world tendency" mechanic is just... so so confusing. meaning most players will miss out on a ton of content. it was a cool idea, but it just kinda didn't work with how they did it. too much research required for too little reward. in its defense, that made the whole game feel very mysterious? idk even with the issues it's still a fav.
dark souls 1: TERRIBLE! i have a lot to say about this one. it's a bit sad, because truth be told this has THE best style and THE best lore and THE best music THE best characters and THE best world design of any souls. aesthetically, this is the pinnacle. it's also a HUGE game with tons of replayability and hidden stuff everywhere. it even has dlc that's really really cool! as far as world exploration goes, this had my favorite part in any souls game ever ("under the tree").
BUT... you have to actually play the game to see all that, and that's the problem. it's just not fun to play unless you're an insane masochist and don't value your time. they kicked up enemy numbers like crazy, made the ai way smarter, REMOVED grinding for health items, and made grinding for levels not that effective at all. everything in this game is tedious work. escapism that's harder than real life? no thanks. there's artificial difficulty walls everywhere you turn, usually in the form of bosses.
seriously the bosses in ds1 are the worst. think of a normal tough game. take that difficult last boss fight. imagine you're now fighting three of those final bosses simultaneously (stun-lock included). now imagine that fight is at the start of the game. and that's the benchmark of ds1's bosses. they aren't ALL that impossible, but a lot of them are. there's this one particular boss fight, "ornstein and smough", that is by far the most misplaced, unfair, stupid boss fight i've ever seen in any game ever. whoever developed it is truly a moron. i almost forgot about the “curse” status effect! about half way into the game, you’ll run into this. it requires an expensive and rare consumable item to deal with it. it’s very easy to miss these until it’s too late. why am i bringing this all up? because not only does curse kill you almost instantly, you respawn with half your health missing until you heal it. imagine all your hard work leveling, all gone to waste from just a single status effect. and this is before teleporting between bonfires was just a part of souls games from the start, so even if you figure out where to go to heal it, you still need to slog through some of the worst areas with half max health to get to them. and then there’s always the risk of getting cursed again when you go back? big issue, because most likely where you’re at in the game the curse removing items aren’t unlimited. bad bad bad bad baaad design.
but, thankfully, there's a way around all these issues. kinda. CHEAT! there's an exploit that lets you consume boss souls an unlimited amount of times even on consoles. it still takes a while to do. it's not instant god mode. on the contrary, the game is still super hard even if you're over-leveled. by doing this, ds1 will feel more fair, like the other souls games. you'll have way more fun.
i NEVER cheat in games normally, but cheating in ds1 takes a bad, horribly flawed game and fixes it. you may hate cheating, but this is more like ripping off an evil casino or like the mob without taking any risk, since the game is so so so unfair to begin with. if you don't wanna cheat, i'd say play the first parts and then watch a playthrough of the rest. the deepest levels of toxic elitist souls fanboys absolutely WORSHIP this game. don't listen to them. even the creator himself has moved away from a lot of this games bullshit.
dark souls 2: GREAT! those same souls fanboys i just mentioned? hate this game. because it's noticeably easier. because it made co-op viable. because their impossible game was suddenly moderately more accessible to everyone else. it's still super tough, super cool, super beautiful. the original creator may have stepped down from this one to do bloodborne, but it's still DEFINITELY souls. and it's an overall better game than ds1 by a long shot simply because your ticket to fun doesn't come at such an unreasonable cost. oh and omg they added back grindable healing items! they also removed the STUPID tutorial area/mandatory boss fight before you can level that every other souls has. and just a lot of the other player-unfriendly changes made between demon's (des) and ds1 have been sorta reversed.
it might seem weird but, since the game is comparatively unpopular, it keeps the majority of toxic soul elitists from playing. the kind of people who get off smurf invading so they can bully others? to stomp new players so they can feel misplaced joy in their otherwise pathetic, purposeless existences? yeah not really here thank god! most invaders are regular people looking for competition, and usually even have a good sense of humor.
outside of that making online totally do-able in this one, it makes online co-op really fairly easy. in comparison to des and ds1, i mean. it's still unintuitive silly bullshit, but imo in this one it's SUPER worth it. amazingly fun! get a good friend. play through the entire game together! a++++. just make sure to keep that soul level similar to each other!!!
there are bad things tho. the single player isn't nearly as good as cooping through the whole thing. the aesthetics aren't quite as good as ds1. the exploration is kinda worse. the gameplay feels weirdly sluggish sometimes too. it's just insanely tanky. people that wanted "dark souls 2: more dark souls 1" would be a bit put off by this bc it was more like how ds1 was to demon's souls. unconnected in lore. imo i kinda liked that but... still. its biggest flaw was its lesser story/lore polish compared to the other games.
oh, and while the dlc zones (THREE whole big dlc this time!) are pretty cool, the bosses are just crazy tough to the point of not being fun. still worth getting the dlc for the awesome levels, but the bosses were disappointing in their frustration.
dark souls 2 ps4: THE WORST! this is a sorta weird one, but it deserves its own little analysis. theoretically, this should've been really cool. a tougher, remixed version of ds2 with dlc included and better graphics/framerate. tbh the game IS beautiful. some of the little touches and changes, while subtle on the surface, completely change how you path through the entire game. it's what "zelda oot master quest" WISHES it could be. also, theoretically, you can play co-op with up to three other people this time (was two before)! neat!!
*should have been neat. because their "remixed enemy placement" really just added way more way tougher enemies. made everything insanely harder. certain bosses that were tough but fun before now just devastate you with no explanation. imagine a shoddy fanmod made by a ds1 fanboy "to fix the casual play". that's what this feels like.
ds2 rode a fine line between cheapness and fairness before, but now all the balance is gone. frustrating annoying bullshit. if you're that kind of ds1 masochist i mentioned before, this is the ds2 for you. everyone else should stay the fuck away. just replay the ps3 version again. i suspect the reason it's like this is they balanced it around the ability to have 3 people helping you at all times? which is idiotic. bc the co-op was a way to compensate for the super hard bosses and invasions. but if you then raise the bar like that, it'd make any single player parts totally unfair. which is exactly what happened. btw i only played the dlc on ps4 and not on ps3, so maybe that's why i was wishy-washy about it?
had they included both the original enemy arrange of ds2 WITH this one, it woulda been cool. but as it stands now it's a much worse version of ds2 for more money. no thanks.
bloodborne: AMAZING! it's so odd to me. people kinda ignored des compared to ds1. they didn't like how ds2 was its own thing compared to ds1 (see a pattern???)... but then the most drastically different souls game comes out, and almost everyone unifies and loves it. but i'm not complaining, i love it too!
suddenly super fast paced action in comparison. jrr tolkien replaced by hp lovecraft. a smaller game with more polish. it's great! some of the reactionary gameplay was traded for rewarding aggression and risk. but truth be told, that made the game easier. imo bb was the easiest souls game at that point by far. might still be?
but that's not a bad thing, because souls games are so inherently hard and cheap, that the "easiest" souls ends up being the most balanced and fun. the gameplay is just so much more responsive and better than any souls ever came close to being. as much as i missed shields, it was just better. no more slow responses. gameplay feels more like an action game "should".
tho there are a few flaws here too. there are still a few unfair bosses. not like ds1 or ds2dlc... but just the same, they kept up the annoying trend of moderately difficult and insanely interesting/fun world navigation, but with bosses as disproportionately difficult brick walls in your way of the game you really wanna play. the co-op was the most confusing souls co-op yet, to the point i've never even done it (thus could be all on me but still).
there's a whole big (technically optional) chunk of the game called "chalice dungeons", which should've been this amazing roguelike maze of seemingly endless exploration. think souls meets diablo. but it ended up more like the most boring (and often cheap) repetitive thing you've ever done in a souls game. the assets used to make the random dungeons were too few and so every dungeon felt kinda the same. and they locked a bunch of REALLY good content behind this dungeon slog. i'd say use em for a bit of grinding and then ignore em completely.
my last little complaint, and i'm torn on this, is actually something i praised before. the aesthetics. in all other souls, even though it was "knights n dragons", there was a TON of variety. bright, beautiful locations. dark, evil places. alien landscapes. bizarre abstract things. legend of zelda. silent hill. but in bb, it's mostly just dark. everybody wears edgy black. it's all the same. the weapons and outfits are way more limited. it's more focused for sure, but there's just... less of everything. but souls is a confusing complicated nightmare of gear management, so this might be a good thing to some people.
dark souls 3: THE BEST! this is it. the best souls. they combined the greatest parts of every souls game into one. the amazing combat of bb, but with all the customization and variety of the other souls. the good kind of lore that was in ds1. it's actually the lore sequel to ds1 that everybody wanted, all while being its own thing as well. there's even a weird aspect of navigation simplicity like des had? oh and it's possibly the easiest souls yet. they even removed soul memory to make co-op way easier! just everything is more intuitive.
a wide variety of aesthetics and locations. a "best of souls" while having its own unique things. the "weapon abilities" feature is great. everything was polished and optimized. if this truly is the last souls game they'll make, then they went out on the highest note.
okay but now here's the flaws, lol. the removal of soul memory, while it should have made co-op simple and fixed it in comparison, actually created a whole new HUGE issue. it made things so so easy for smurf invaders. in the earliest areas, you can't take more than a few steps in co-op before some loser with an obv troll name pops into your game and takes almost no damage whatsoever. you won't beat them. they're cheating.
smurfing via high end gear to this level is cheating. there's no other way to look at it. nobody would call an ant vs an elephant a fair fight. so to save time and resources that you need to play online (it's complicated), you have the host disconnect. and then you try again. it's tedious. i'm sure it's made countless new players just give up on co-op completely, and maybe even the whole game. souls smurfs are all so pathetic like i genuinely wish they would find a way to ban them. this is the biggest issue.
another thing is it's sorta linear. maybe even more so than ds2. it's not awful like i think there are more branches than bb but still it's definitely no ds1 in that regard. there are also a few cheap bosses. "nameless king" (optional), "sister" (end dlc thus optional), and "dlc dragon" (forgot his name but double optional). i also think "dancer" (mandatory) is a bit bullshit, but it's also really cool so...
the first dlc, while looking very cool, is kinda tiny and lackluster. it does have amazing npcs/lore... but as stated before, the final boss of it is awful. souls boss formula at its worst. the second dlc is MUCH better, with maybe my favorite end bossfight in all of souls. it's so hard, but fair. they made the garbage secret bossfight in this dlc thankfully optional. oh and the dlc itself is beautiful and large. and very fitting in regards to lore.
it's kinda hard to not mix in good with the bad on this game. i genuinely love it. most of the typical souls bullshit is easier to avoid, but it doesn't take anything away from the good parts. if you played one souls game, play ds3.
well that's it. srry if it was too long. tried to make it as short as i could. i'm sure i forgot a few points, but i'll rant about this stuff even more extensively in my ds3 letsplay i'm sure. thanks for reading! hope it helped people interested in getting into souls!!
ringo-ichigo · 7 years ago
An Essay Concerning Grammar for the Aspiring Writer
I’ve seen an attitude spreading in the writing community lately. It is degrading on many levels to the writing industry as a whole and particularly to editors. This attitude is the belief that you don’t need to have good grammar to write. It is patently false and I will explain why now.
Firstly, we must examine what writing is meant to do. Writing of any type is a means of communication. We use it to express ideas on the page. Now what does grammar have to do with this? Grammar is the rules of the road so to speak. It is the foundation upon which you build. So shoddy grammar makes for poor communication. Poor grammar can cause your point to become muddled.
Take antecedents. If you say, “Sally hit Jen, and she regretted it,” your reader will become confused. The antecedent for “she” in this case is Jen. However, it doesn’t make sense why Jen would regret being hit. It makes far more sense for Sally to regret the strike, yet what you have written does not communicate that. This is just one example. There are many others such as tense changes making the timing unclear or incorrect forms of words causing issues. These all weaken your writing as you no longer are able to convey your message without confusion. No one wants to be confused and have to reread your writing in order to comprehend it.
Now, I can hear some protesting “But this author says you don’t have to be perfect at grammar to be a writer!” To which I will say, yes, he’s correct in a way. You can break the rules and still be a good writer. Shocking, I know. The issue is that you must know the rules first in order to break them. What do I mean? Simple. In order to use this writing technique, it must be done with a purpose like I just did above with the fragment. I did it to emphasize the word and to be an example. I had a purpose to it. But if you do not understand the rules in the first place, you have no hope of choosing the proper time to break them. Instead of enhancing your writing, poor grammar will weaken your writing as it will come across as ignorance or laziness instead of competence. Not to mention, it will draw the attention to the errors instead of to your skill with the pen. Remember, the nail that sticks out is the one that is beaten down first.
Specifically, run-ons will always weaken your writing, never strengthen it. The problem with run-ons and comma splices is they can always be broken into smaller, stronger sentences. When you break them, they also become easier to read and more impactful to read. No longer does the reader start questioning where the end of this sentence is. He can focus on what is happening instead of the glaring mistake.
Now let’s talk about why you need to fix it now while you’re still newer and earlier in the story rather than later. I share this from personal experience: it is easier to do it now than wait. If you wait, you will only create more work for yourself. Run-ons and comma splices require you to rework sentence structures entirely, forcing you to rewrite entire sections to fix one error sometimes. If you’re particularly egregious on these types of cascading errors, this could entail completely scrapping your work and starting over anew. I’m sure you’re already going, “But… I do this all the time. I’ve written six chapters and they’re all ten pages apiece. That’s sixty pages to rewrite!” Yes, you are correct. It’s a daunting task sometimes to admit that you must scrap everything and start fresh. But it is better and easier to fix these bad habits now when there is less on the page than to plough ahead and create an even larger amount of work.
Stopping and fixing errors now is better not only for the amount of work, but also because you will start to recognize patterns. You may find that you split infinitives constantly or always forget to place commas after certain dependent clauses. This will allow you to course correct early on and keep an eye out in the future for this. This way, when you go through a day’s writing to proofread for major errors, you can also look for these repetitive pitfalls and fix them. Not only that, but if you keep these in mind as you write, you will catch yourself before you commit them and eventually you may even find you have broken the habit. You’ve created less proofreading for yourself, improved your ability to communicate, and saved yourself time all at once. All because you took the time to consider good grammar.
It is time now to shift away from writing as communication, and focus on it more as an industry. Many want to write. Many try to enter this industry; many fail. Writing is a competitive industry. In a way, you are in an arms race of talent. Who can improve their talent and make it stand out the best? Thousands submit their works yearly to publishing companies and yet out of these thousands only a dozen or less actually manage to get published. Why? Simply put, writing is about outshining others and gambling chances. The only way to be noticed is to show the company you are worth investing time and effort into your work. This means you must show promise as a writer.
However, as I showed earlier, poor grammar can get in the way of your talent and communication abilities. You have hamstrung yourself before the race even began. When others have worked hard and put their best forward, you’ve left your glaring grammatical errors in your piece. Yours is difficult to read due to its errors, while the others have polished their pieces to near perfection. Would you rather read something hard to comprehend or something easy to comprehend? I prefer the latter, and most companies will as well. Minor and occasional issues are fine. But every other sentence being a run-on or comma splice? These are unacceptable.
This isn’t the only issue though. If you’re submitting to a publisher, the companies are run by professionals. Poor grammar is not only crippling your writing. It’s actively spitting in the face of a publisher when they see it. Grammatical errors come across as unprofessional. It conveys laziness as it seems you didn’t even try to polish this manuscript or take a second look at it before submitting. Bad grammar can indicate that you either have a lack of beta readers or at best, that you ignore their advice. Considering proper grammar is taught in schools, it also comes across as you being unwilling to learn and grow. Both of these mean that you cannot stomach critique, and thus any advice they might have to make you publishing quality is wasted. If you are too lazy to take it, it does them no good. If you are too stubborn to admit flaws, it does them no good. Why should they bother working with you if you can’t do the basics required of the job? Into the trash with your manuscript.
You don’t get an editor from a company when you submit your piece. You get an editor once the company has decided you are worth the gamble required to sell your book. An editor is there to help you take the final steps to get to a professional quality of manuscript. The company has to sink time and money into preparing your book for publishing. There’s no guarantee it’ll get the money back either. Books flop frequently, and the publisher can only have so many flops before they shut down. Sending in an error-ridden manuscript is like showing up to an interview to be a lawyer’s intern in a bikini and flip flops. You have come to the company poorly prepared and unprofessionally attired. Why should they bother with you? On an aside: you can hire an agent who will do the hard work of shopping for a publisher for you. Unfortunately, they too check your manuscript for grammar issues and may refuse the job if your piece is in need of serious grammatical revision.
Not to mention, this attitude of “My future editor will fix it” is disrespectful to editors. They have better things to do than attempt to fix your grammar. Their job description is not “teach poor writers grammar.” That is your English teacher’s job and no one else’s. Your editor will likely have several other projects they’re working on in addition to yours. If they have to spend all their time correcting your grammar because you didn’t bother to put in the extra effort to correct it personally, you are wasting your editor’s time and effort. Your beta can at times fill in the role of grammar teacher, but it should not be his primary role to go through your works and point out your egregious number of run-ons. Finally, it is not your critics’ jobs to teach you how to fix your errors. It is one person’s job to learn how to fix your grammatical errors: yours.
Not to mention an editor won’t coddle your feelings. They will critique you, and it won’t be gentle. You will be expected to take their critiques as a professional and not throw a fit or defend your choice. If you are showing an inability to accept a random stranger’s critique without losing your cool now, how can you think “Oh, I’ll be able to handle it then.” You have none of the tools, none of the experience, none of the grace to handle it any better then because you have refused to develop them now. The time to build up that ability is now when you’re still learning to write, not later down the road. Stop procrastinating and start learning to turn off your insta-rage and listen.
Critique comes whether you are ready or not. If you are posting something to the public for them to read, even a first draft, you are saying to anyone who reads it, “This is what I consider acceptable for public consumption.” This is what you’ve set as your standard of what is your best work to the public’s eye. If that work contains swaths of grammatical errors, the public will comment eventually. It may take time, but someone with a critical eye will find your piece. They will likely comment, and if your grammar is so atrocious that it took labor to understand your writing, they will be nasty about it. They won’t care about your feelings because you have wasted their time and effort and given them nothing for it but a migraine. At that point, it won’t matter how good or bad your story idea is. It will not be able to outshine the errors hanging over it like a fog. Bad grammar will overpower your talent every single time.
With the internet, it connects you not only to possible reviewers but also to agents and editors. They can and will look into your past if you get past initial rejection. Agents will look into your websites. They will find your temper tantrum over those poor critiques. Those will color their opinion on your work because they’ve now seen what you will be like on this project. No one wants to have to fight at work. No one wants to bring that amount of stress into his life. Agents and editors will see your poor behavior and go, “That writer isn’t ready for this emotionally yet.” You will be rejected, and if you’re lucky, they might tell you why.
Lastly, I wish to impart this knowledge to you: loving writing is not enough. It isn’t. You can love writing all you want, but if you cannot listen to criticism and grow from it, you will never improve. You will always be suffocating in the valley instead of joining those on the mountaintop. Those people are the ones who took the time and spent the effort to better their writing through grammar and feedback. You will always be looking up to them and wondering how they are so good and why you’ve plateaued. As someone who has been writing since she was eleven, I can tell you that I’ve had people critique my writing. I didn’t whine about poor reviews either. I understood, even at that age, that I had to listen. I posted my works knowing they might get bad reviews and knew that I would have to grow a thick skin and sift through the ones of “u suk” and “wow that was bad” to find the “Your writing lacks description” types. It doesn’t matter if they aren’t saying how to improve precisely. A critique doesn’t need to say “if you change x, then it will fix y.” A critique can be as simple as “You have an issue with run-ons.” Why? It pointed out the flaw. You can now locate the issue and fix it. Nor is it the critic’s job to teach you grammar. As I pointed out though, if your grammar is unreadable, expect that critique to be harsh enough to remove paint. You offered what could’ve been a five-star meal and gave them your half-chewed leftovers instead. And who wouldn’t be angry at that?
Sources/Further Reading
Sources about grammar in general:
http://ask.dailygrammar.com/Why-is-grammar-important.html
https://www.clearvoice.com/blog/yes-good-grammar-still-important-heres/
http://www.witslanguageschool.com/NewsRoom/ArticleView/tabid/180/ArticleId/279/Is-grammar-important.aspx
http://www.startribune.com/top-10-reasons-you-should-learn-to-use-proper-grammar/348141711/
https://www.huffingtonpost.com/william-b-bradshaw/why-grammar-is-important_b_4128521.html
Sources about the writing industry:
https://blog.reedsy.com/perfect-submission-tips-from-a-publisher/
https://thinkwritten.com/6-tips-for-submitting-your-manuscript/
http://www.writersdigest.com/editor-blogs/guide-to-literary-agents/pubtips
http://www.ian-irvine.com/on-writing/what-publishers-hate/
managementstrategy558964 · 5 years ago
ManagementStrategy
A part of what makes an excellent product or service is quality. Marketing research has demonstrated again and again that high-quality brands will acquire more repeat purchases. Quality management time and cash spent upfront optimizing a commodity before it hits the market will minimize consumer complaints and returns.

It's common for vendors of high quality brands to invest more to persuade customers to try their merchandise, since the present value of a trial buy is bigger. The more successful companies are at pleasing customers throughout their first experience with a product, the more inclined they'll be to see repeat purchases from those same people.

Testing goods on potential customers or a market research group will help create a fantastic item. Honest opinions will be given by people in these groups, and these are something a company can use to raise their product's quality. Coming out with the very best product possible without consulting individuals from outside the corporation can be a tragedy for routine consumer experience, as an untrained eye occasionally can give great feedback.

Quality inspection is a vital part of every production line. Those who don't understand it aren't considering the big picture. Money-wise, the price of producing a product extends far beyond the build price, as it continues across its life cycle, from delivery and support to guarantee claims and, for some products, disposal.

It might seem like an unnecessary investment now but, with appropriate quality management, they could reduce future expenses relating to consumer care, guarantee returns, and rejected/returned items. They can even add value to your organization, as you'll rely on a competitive defense tool that will eventually pour more money into your pockets. This is a crucial concept for any item developer because in the manufacturing world, the sooner we identify and remove mistakes, the better.
But before jumping to this, let's remember that there are six avenues where we could deal with errors. They fall into 3 categories: development, manufacturing, and delivery. Afterward, once recognized, all we can do is either prevent or correct them. According to numerous research studies, there's a cost/time ratio between these three broad classes. Following exactly the identical ratio, an error will then cost you 100 times more to fix if it actually reaches the consumers. That's why applying quality review only at the end of the manufacturing line is a very risky move that only a few significant companies dare to take. Big, organized, and customer-oriented businesses are currently focusing on inspecting earlier to save resources. Companies having to print in bulk will probably discover that having an excellent review process set up is extremely valuable.
Print inspection systems can provide the assurance and quality management your organization needs to minimize mistakes. They'll also guarantee the delivery of consistent results that will improve the image of your brand. In fact, the part of quality inspection methods becomes even more critical when dealing with counter commercial printers. Given that most printing presses function at high rates, irregularities in the final product are more than possible, if not required. Quality management software in print, instead of manual review systems, supplies the essential precision to attain optimum and consistent results on a normal basis.

Modern print review techniques consist of innovative technology that connects with your printing media or internet reminder to achieve exceptional results. It works by integrating vision systems (cameras), net viewers, and high-tech applications that will catch any errors in time before they're printed in bulk. Over the years, these quality review systems have been developing at a rapid pace. These days, it is possible to find choices online. In fact, they need little to no maintenance; one of the advantages of implementing these non-traditional tools is that you have to make only a one-time investment. Other benefits include ease of use and functionality and the ability to get more control over the result.

First Article Inspection, an important part of the First Generation Check, is to inspect the first item to come off the manufacturing line in the factory. This is the very first and last chance to inspect the final product and spot any flaws so corrections can be made ahead of mass production. This review assesses whether the final product meets all of the technology, design, and specification requirements.
The results are recorded and delivered to the client for confirmation. This is an essential preventative measure taken in the early phases of manufacturing, which may mitigate expensive mistakes in the long run by highlighting any problems before too many defective items are produced. Quality control inspectors usually perform on-site inspections when roughly 20% of the batch has come off the manufacturing line. If an issue is located at this time, it may be possible to discover a workaround to fix the faulty products and/or make necessary adjustments to the manufacturing process. Quality control inspectors carry out on-site inspections in the factory every day to strictly monitor production and keep the mill accountable from beginning to end. This is the final opportunity to spot any flaws and take corrective actions before quality management is done, and before the goods are packed for shipping. The final but critical step in the quality control procedure is packing up the new product and properly preparing batches for shipping to destination markets. During the container loading check, inspectors guarantee the correct number of unique styles, sizes and quantities are shipped out, and that they are appropriately loaded to lessen the risk of damage during transit.
Quality control inspectors check the packaging to ensure it complies with safety standards for your destination market and ensure that coverings will prevent harm from soiling. Venting in the packaging is also checked to reduce dampness and lessen the danger of mold growth. Before manufacturing starts, we will inspect raw materials and parts in storage. We'll verify that the factory has ordered the appropriate materials, parts, and accessories after product samples are supplied. We will randomly select and inspect a sample of partly produced products for flaws, then report our findings to you. If needed, we can provide the factory with the technical advice required to improve product quality and to minimize the chance of flaws during production. During Production Inspections are best for imports of large quantities; merchandise lines with continuous production; rigorous requirements for on-time imports; and also as a follow-up should inferior results be found during Pre-Production Inspection. Normally, During Production Inspections are completed when some of the merchandise is completed; we will inspect the production batch and examine products in the line for possible defects. At this point we'll identify deviations, if any, and give information on corrective measures which can ensure uniformity of product and quality. We'll also re-check any flaws discovered during Pre-Production Inspection and affirm that they have already been rectified. Final Random Inspections can begin only after production has been finished and all product is prepared and packed for dispatch. Through a method set by industry standards, we will sample products to verify quantity, workmanship, function, color, size, packing, product safety, and more.
This makes sure that your product is consistent and compliant with all country, business, or otherwise-specified needs and that no critical, minor or major flaws appear. During Loading Supervision, a representative will carefully track the loading procedure, confirm product amount, and ensure proper handling of the cargo. Upon completion, the container(s) will be sealed with tape as proof of compliance.
getschwiftysecurity · 6 years ago
Module 1: Drill - A 70 Billion Dollar Security Mistake
In 2010, British Petroleum’s (BP) Deepwater Horizon Oil Rig lost control, taking the lives of 11 people and spilling 651 million litres of oil into the environment. This resulted in $42 billion of compensation lawsuits and $28 billion of cleanup costs. This was caused by preventable human errors in decision making and the failure of multiple safety systems.
There was a combination of multiple inaccurate analyses of the safety of the well and the failure to activate appropriate alarm and safety protocols. This breach of security protocol resulted in the subsequent events that led to the failure of the oil rig. The inability to follow the correct procedure and the misinterpretation of the valve readings caused a false sense of security amongst the workers on site. And the crew ended up diverting their attention elsewhere, undermining the security and safety of the system.
The primary focus should have been on safety and reliability of the system. Even though this failure was not a result of malicious intent, there was extreme disregard for the proper functionality of the system. Multiple sections of the oil rig’s system failed to do their part in preventing the shutdown, warning the crew of the imminent danger, and activating any fail-safe protocols. The lack of the system’s functional security resulted in the oil rig failure.
I believe that, given the loss of human life and the potentially thousands of years of irreversible environmental damage caused by BP, they should have been using much more top-grade equipment, had better trained staff, and increased the penalties and risks of any mistakes. Additionally, there were so many equipment faults that BP should have done more testing and replacement if needed.
In conclusion, modern control systems like BP’s Deepwater Horizon Oil Rig must continue to improve upon the security of their systems to guarantee that this does not happen in the future. It is also crucial to point out that the crew working with the system should be better trained to analyse and spot out any flaws or inconsistencies.
Post Laboratory Discussion
There were no proper safety precautions on their cheap equipment, and people just marked it off as right without checking. Most of the testing and safety checks were done by BP affiliated staff who had no real penalties if they made a mistake. Additionally, each company was not held responsible for what they did and kept cutting corners; they just completed their task quickly. It would have been a good idea to have an external government official who had the ability to close down the oil rig if it didn’t meet anything.
They didn’t have enough of the equipment they needed onsite to fix their problem until they had it shipped in. It would have been a good idea to store equipment nearby because it took months to close off the cap with the right equipment. Additionally, it would have been good if it were possible to make effective use of all the space on the oil rig with equipment that they would need to fix any problems.
They put too much faith in the blowout hole without proper testing. It was built and ready for regular circumstances but not extreme situations that the oil rig was dealing with. So these fail safe systems should be properly tested beforehand more than just the standard cases. Most of the approval of the equipment was simply a he-said, she-said instead of a standardised test.
Communication within the oil rig and between the oil rig and the mainland was also a major cause of the failure. It is important to foster a cooperative community within the workers. Although it is a difficult task to change something like the culture in the company, it would make a huge difference in ensuring that the workers on the oil rig are all on the same level. Most of the data was kept on the oil rig itself; the data should be transmitted to the mainland for better comparison with other oil rigs to check whether the oil rig pressures are proper.
iamtheancient-blog · 8 years ago
Review for Jetpack7's / Conceptopolis Gods & Goddesses 5th edition supplement
Those familiar with the 3.5e edition of D&D can recall that one of the books written during its time was “Deities and Demigods”. This book was a supplement that detailed dozens of gods, giving their statistics, suggestions on creating your own gods, and even information on how to advance your character into godhood. This book was a wealth of information, one which I still pick up from time to time to read when making and developing characters. I'm excited that Jetpack7 / Conceptopolis developed a 5th edition supplement in the same vein as Deities and Demigods. Some information on Jetpack7: they are responsible for some of the great looking art in both the Dungeon Master's Guide and the Monster Manual, and their art can also be found in several other locations and popular products such as League of Legends.
This book is laid out as follows. An introduction, and how to use this book. After this there are 16 Gods & Goddesses. Each God or Goddess has a page dedicated to who they are, dogma, clergy and temples, as well as who worships such a god/goddess. Afterward is a great picture of said god, a stat block of their avatar, then a Cleric sub-class and a Paladin sub-class. After these pages is an appendix of companions to these deities, some wondrous items from them as well, new spells, boons that deities can grant in this book, two new weapons and a couple of NPC stat blocks.
Now we will move into the distinct sections of the book.
Each page about these deities goes into depth on who the god is, their dogma, clergy and temples to said gods, and also who worships them. These pages are great, and get the imagination flowing when reading these pieces. Reading through this book as a DM gave me ideas on how to incorporate these deities into my games and also inspired me to make characters who worshiped these same deities. These sections are great. The pictures afterward give plenty to tell your players if they ever meet an avatar of the deity face to face.
After each deity is a stat block of an “Avatar” of that deity that the players could face. All these deities are in the Challenge Rating 30 range, like Tiamat in The Rise of Tiamat. What worried me most in reading through these stat blocks was the wording and placement on them. An example would be, when comparing the Goddess known as “Baba Yaga” to a “Ancient Red Dragon” as far as placement goes. It lists in Baba Yaga’s stat block that she has a Frightful Presence. The stat block lists Baba Yaga’s Frightful presence as a feature, like Legendary Resistance rather than an action. The wording is correct on it but it is not clear whether her Frightful presence is something she can do at will requiring no action, or if it requires an action as normal.
Listed under actions for Baba Yaga, are actions like her gaining a fly speed. Mention of a pestle wand she uses and it acts as a wand of war mage +3. It is a bit odd that her fly speed is not built in, but requires an action for her to use. As well as the mentioning of her wand of war mage. Another odd thing on this stat block is mention of “Baba Yaga makes 4 magical attacks per a round”. It is unclear if they mean she can cast 4 spells or if her attacks count as magical, and she can make four per a round. Other unclear terms are such as Elemental Immunity which states, “Baba Yaga is immune to all (including magical) water, earth, wind and fire damage”, It might be better phrased as, “When Baba Yaga takes damage from a magical or otherwise elemental attack, she instead takes no damage from the attack”
Moving onto the next big part of this book Cleric and Paladin domains for each of these deities. A lot of these Cleric Domain and Paladin’s oaths feel a bit rushed and unoriginal. Before each domain and oath is a paragraph or two describing what a Cleric or Paladin of this deity would be like. This gives a great deal of inspiration when you’re sitting down to make a Cleric or Paladin of this chosen deity.  Going back to the rushed and unoriginal aspects of these domains and oaths. Some of these domains / oaths take existing material from, or magic items in general. An example of this would be the, “Domain of the Devious Spider” as a 2nd level ability they can spend a use of their channel divinity to displace themselves much like the the magical item “Cloak of Displacement” in the dungeon master’s guide.
The difference being the effect lasts for 1 minute in the Channel Divinity. The effect does not disappear when taking damage. Another example would be the 6th level feature from “Domain of the Wise”. Is the same exact feature as of that of the Nature Cleric from the Player’s Handbook. Also the “Champion of Baba Yaga (Paladin Oath)” its 15th level feature is a copy paste of “Relentless Endurance” from the Half-Orc traits in the Player’s Handbook. Other errors I picked up were feign death as a 3rd level oath spell. When Paladins don’t get 3rd level spell casting till 9th level. In another instance a paladin got True Strike, which is a cantrip as a 3rd level oath spell as well.
These sub-classes need to be looked at more, especially because of these simple errors. While I understand you cannot reinvent the wheel with every single subclass put into this book, since there are two for each of the of the 16 deities. More work should have be put into making them more unique. I make take on a project later re-making the sub-classes presented in this book for fun. To better align with the deities presented, at least the ones that need a bit of reworking.
Looking at the companion stat blocks to deities already listed. There is nothing glaring on them, and look fine as is.
Next in the list we have a few wondrous items, all of which are on the artifact level because of what they are. The only issue I have with these is that, when comparing them to the ones in the Dungeon Master's Guide, they do not follow the formula for artifacts in the DMG: besides the effect of the listed item, each artifact there also has a minor/major beneficial and/or detrimental property. Besides not following this formula the items seem great.
In the next section, there is a list of new spells. I am assuming these spells are  for clerics and paladins. There is nothing to specify who gets these spells on their spell lists. Some of these spells go beyond the spell casting capabilities of a single classed paladin. Yet some of these spells are on the domains of both clerics and paladins.  Looking at these spells and comparing them to others of the same levels. Some of these spells are weaker versions of existing spells. Such as whisper, a 1st level spell that lasts 10 minutes, extends 10ft, and gives a +5 to stealth checks, acting like Pass Without a Trace. Otherwise nothing seems crazy about these spells but they would need some play testing to be 100% sure.
The boons of the gods seem fine, and a lot of them seem inline with what is existing in the DMG.
In the NPC stat block section, it describes each of the NPCs: a bit of history, assets, flaws of the character and how the NPC would interact with the party. There aren't many errors I saw besides forgetting the weapon of one of the NPCs. You're not sure what the NPC is attacking with, but you can find the information in the Player's Handbook due to the damage it deals.
In closing, the book should have had some more time put into it. I would have rather waited longer for the book to be 100% ready than have it come out with so many glaring errors. The first iteration of the PDF was missing the 17th level ability of the Cleric domain for Baba Yaga; comparing the original PDF to the new one, they have fixed some errors but a lot of others still remain.
I also got a hard copy of the book as well as the PDF, and it's a bit sad to see the 17th level Cleric ability missing, as well as the other errors I pointed out before in the book. The hard copy of the book is right around the same size as the Player's Handbook. The quality of the pages and the book itself seem great as well.
If I had to give a review on this book out of 5 stars, I’d give it a solid 3. The artwork is beautiful, there is a great deal of inspiration in the book, but the many errors and thrown together cleric domains / paladin oaths bring the quality of the product down.
cryptoquicknews-blog · 6 years ago
New Post has been published here https://is.gd/eZXv3d
Neither Dominant Nor Defeated, EOS Still a Work in Progress
This post was originally published here
Blockchain projects that comprise the greater cryptocurrency sector’s market cap are unquestionably bootstrapped — a product of ingenuity and crowdsourced blockchain fundraising.
But with the industry evolving further in the last few years, gaps between mature projects and less developed ones are more noticeable, exhibited by issues that a well-funded or more thorough team of development experts could avoid. The latest example of this came from EOS — a competitor with Ethereum — when a user figured out how to broadcast a fake transaction to the network for 1 trillion EOS (a single transfer for $3.6 trillion).
While the incident was entirely harmless, it cast doubts on the sanctity of a platform that’s meant to oust Ethereum from its position as the de facto decentralized computer. Using an exploit in an EOS idea called deferred transactions, the user set up a payment that would be settled at a later date — and it was published to the network, even though it was 1,000 times as large as the EOS market cap itself.
EOS block producers EOS New York noted that the transaction that created the deferred incident can only determine whether the create request was submitted or whether it failed, thus getting around the limitations. Once that happened, “it is subject to normal validity checks.” These events cast the upstart “Ethereum-killer” in a less-than-positive light, but they do create an opportunity for an updated, in-depth look into this promising platform.
The EOS evolutionary timeline
EOS is an auspicious blockchain project and remains a top market contender, vying for fifth on the list of top market capitalizations at any given moment. It began as a competitor to Ethereum in 2017, arriving as that solution began demonstrating issues with scaling and transaction speed. EOS had similar ideas: decentralized storage, bandwidth and incentives. In turn, EOS announced its intention to create a similar idea to Ethereum but with a different consensus, mining and other foundational concepts that would solve Ethereum’s transactional bottlenecks.
The initial coin offering (ICO) for EOS was astoundingly successful, thanks to its ambitious timeline, outlook and circumstantial trends. It garnered over $4 billion worth of ETH, setting records but, at the same time, demonstrating the inflated value of most cryptos and the sector's unsustainable optimism.
EOS's founding team, Block.one, accordingly owned one of the fattest ETH wallets, using it to push EOS through several releases and upgrades, sponsor international partnerships, launch a bug-bounty program, and deliver a working mainnet. The latest release, EOS 1.6, released in January 2019, brought with it upgrades including enhanced tools for smart contract development and faster remote data processing.
DApps on EOS are plentiful, and many of the most-used DApps are from EOS rather than competitors like Tron and Ethereum. While games such as BetHash and PokerEOS find audiences, blockchain development companies like LiquidApps use EOS as their permanent sandbox, and not only make working with it more fluid, but have also released new platforms like vRAM, a decentralized storage solution offered as an alternative to scarce on-chain RAM that is much more efficient than the alternatives.
However, various successes of the EOS platform aren’t substantial enough to hide its flaws. LiquidApps CEO and co-founder Beni Hakak notes about EOS that “blockchains today don’t yet scale. EOS […] which has solved many issues on the transaction speed side, still has resource limitations which are critical for the extensive dApp developer that is so needed for user adoption.”
Though several DApps have been deployed, the platform has been found lacking in many ways in 2019 alone, and the circumstances of its existence beg serious questions about the blockchain fundraising model and the ability of other firms to produce innovations reliably.
Peter Todd, who has expressed bearish views on EOS at times, claims that the platform’s problems are features rather than bugs. Speaking of EOS’ scalability, Todd notes that “it was more likely than not deliberately designed to be terrible,” so that it would make it difficult to access the validator set, due to its permissioned nature. The result is less competition and an unscalable platform.
EOS exploits display blockchain discrepancies
The bug bounty program launched by EOS came in handy this year, though its effectiveness had the secondary consequence of revealing just how fickle the platform remains. A Chinese cybersecurity firm found a false top-up vulnerability that would allow hackers to deposit EOS tokens into certain exchanges and wallets without actually transferring them. Several buffer overflow vulnerabilities were also found in EOS repositories, and the company has already paid in excess of $50,000 to white-hat hackers in the first three months of 2019.
EOS is also one of the primary projects used as an example of counterproductivity and paradoxical ideas in the blockchain fundraising sphere. With well over $4 billion in ETH in the mid-2017 bull market, the then-tiny project was worth more than many multinational corporations — and all without a real product.
Furthermore, companies that fund themselves with cryptocurrency are stuck with volatile balance sheets by the nature of their ICO, and must therefore sell to have more fungible and predictable working capital. This has raised questions about how funded blockchain projects represent a liability for the value of their blockchain’s underlying currency, with EOS one of the stronger sell pressures as the market receded in the year following its launch.
Though, according to Ethereum blockchain explorers, it had sold 2.5 million ETH by June 2018, the still-massive valuation of EOS doesn’t mean it’s any more successful than Ethereum. In fact, Ethereum’s volunteer developer community has arguably done more to make it a reliable user experience, without a centralized authority. EOS is criticized for its centralization, but some of the project’s advocates argue that it’s less of an issue than people think. According to renowned investor Mike Novogratz, CEO of Galaxy Digital, “EOS’ critics say it’s not decentralized enough, and that’s a very fair debate,” though he believes that “there will be markets for many different blockchains.”
EOS is still finding potentially groundbreaking errors despite a huge pool of funding to draw from, plus the resources of an organized company able to make policy decisions immediately rather than relying on the consensus of peers.
EOS outlines possible obstacles for competitors
Throughout its short lifespan, EOS has made a strong example of the pitfalls of centralized ICO fundraising. One of the biggest is that the SEC now defines projects like EOS more strictly and sees ICOs for these projects as issuing a security. By nature of its concentrated foundation, EOS and similar platforms must grapple not only with retroactive regulatory compliance, but also the fluctuating value of their working capital. Fully decentralized ideas without an official raise of funds, like Ethereum, encounter none of these obstacles because progress isn't impacted by price and they have escaped new SEC classifications.
The largest boon for any decentralized idea is therefore not the amount of money it raised, nor the promises it made, but its ability to inspire peer-to-peer participation. People like to feel that they’re a foundational part of a new paradigm, and if the enthusiasm is not organic, enthusiasm for the project can wane. For projects that put investors on equal footing with developers and forego the executive board, failures are also a community problem to be solved rather than an injustice. When casual network peers can take roles of authority if they choose, and volunteer developers are responsible for fixing bugs, this community feeling of “mutually assured success” outweighs the momentum of a fat ICO wallet 10 times out of 10, and this is a lesson EOS is still learning.
#crypto #cryptocurrency #btc #xrp #litecoin #altcoin #money #currency #finance #news #alts #hodl #coindesk #cointelegraph #dollar #bitcoin View the website
powerborntouch · 8 years ago
“The Altered Adventure: Secrets of the Cyclone: Grave Robbers (Chp 10)” Reaction
This will probably be the most different from the Minecraft roleplay. That’s exciting.
If you don’t want spoilers, stop scrolling down and blacklist “altered adventure spoilers” or “secrets of the cyclone”
I’m actually sad that Brayden wasn’t that involved in the book. I was under the impression that he would. Well, if the future books at least clarify his motives, I don’t care if he’s underused. Just fix the plot holes.
I thought campfire was a typo. Omg, I loved that joke. (There are a few typos and formatting errors in this book, btw)
Omg, Letvia and Inferno finally appear. Yuuuussss
Omg, guys, the novel is giving so much Voice/Letvia shipping fuel. I think this book is trying to redeem itself with how the roleplay treated Voice/Letvia
LETVIA, YOU’RE BLUE NOW. THAT’S MY ATTACK. Third time. Her skin is actually blue. I assume she’s a Justment. So Justments give no shit about what color they look like. But I want to know what their bodies look like figure-wise and what sets them apart from NPCs.
Inferno looks exactly the same.
I like the tension between these Guardians and the different opinions.
Without his body, Voice felt anxious and empty. And 136% done with all the puns he had to hear
Graves just pop out like daisies? Ok. I can roll with that. It feels like a video game. First the quest vibe. Now this. These aspects make me excited about Altered.
“rip Samantha Telling. You had a very weird name. Like, what parents in their right mind would name someone Samantha in Altered?” I wonder if Samantha Telling is a shoutout/easter egg that I don’t know.
Poor Betsy and Gizzy :( Why did they have to make this hurt
Elizabeth is more appreciated than Barath. Rip Barath. Rip. Still the least favorite Guardian of them all
Gizzy’s asking Benji for advice. That’s a step :D
A trap to anyone who steals the keys. Courtesy of the Guardians. Now that’s what I call actually protecting the Prophecy.
I’m glad there’s flaws to the morph ability. Coming to think about it, I think the morph ability is more balanced in the novel. It’s harder to kill things in the real world than in Minecraft, so it will be harder to gain new forms. I’m starting to appreciate this power
Daaaang. A skeleton army o_o This really escalated from the wolf pack and Ratchet
Barath was destroyed by his own hammer. How ironic. And finally Gizzy uses that hammer for once
Clayton, goddamnit. Have you been following him all this time?
I feel so worried for Gizzy and Benji. Who’s gonna save them this time? Not Betsy, that’s for sure.
Ouch. Hit in the head. …is it bad that I’m hoping for one of those flashbacks?
Yaaay, flashback
Omg. Please don’t mess up with Ratchet’s character and the timeline continuity. Pleeeeeaaaase. I’m begging you.
Witch left his chill back in the Minecraft roleplay. He’s so dramatic in the novels.
Oooooooooh, Voice. That was SAVAGE
“Egotistical notion” Witch is implying that Voice is saving the world just to improve his image. I can take this in two ways. 1: Voice loves his reputation, will do anything to secure it and thinks saving the world is the best way to do so. He’s not saving the world for the lives, but for himself, and doesn’t care if people get hurt. Or 2: Voice is so concerned about being Altered’s best Guardian. He feels like he has no choice but to prioritize the Prophecy over Aurona because he believes it’s what’s expected of him. He doesn’t want to fail Altered and make the people fall into despair.
“you’re going to pay for those words” BY BECOMING WORDS
Witch is also calling Voice hypocritical.
“This, Voice, is a fitting punishment for such a ridiculous name.” OOOOOOOOOH OOOOOOOOOOOH OOOOOOOOOH BUUUUUUURN. So apparently, in Altered, Shamas, Witch, Letvia, Samantha and Alpha are acceptable names. But being named Voice is a tragedy. Lol.
Looks like Voice’s attacks are weak when he has no body. I like that limitation.
Ok, the book doesn't acknowledge the timeline continuity nor Ratchet's motives. It had better not have messed it up…
Seriously, Gizzy needs to get his head checked for a concussion. He won't survive long enough to kill the Demon if he's suffering internal bleeding.
Witch is ashamed? Gypsy has no chill? OMG, did he just SLAP his son? Omg, they're both crying?? Omg. No nooooo. Omg. Witch's mental breakdown reminds me of my Witch Redemption AU. I don't know if I should be happy for the similarities or be even sadder. Aaaaaaah Omg. We finally get Witch's backstory…but I don't know what to make out of it :'D
Aurona overshadowed Witch. But Witch still cares about him.
Ok, Witch’s motives are better explained. I like that.
“You will become king of Altered” *DESK SLAM* STOP LYING. We know this isn’t true! The book describes Gypsy as uncertain when he said that. But why is Gypsy insisting it anyway? I hope this is addressed later.
Witch says that the Guardians made him look bad…but he is bad. He did a lot of bad stuff in the Minecraft roleplay. I wonder how the novel series is gonna present this guy. So far, he’s someone I sympathize for.
I’m finding so much info that aligns with my Witch redemption AU too :D Differences are Witch being more sentimental and being the older brother
I’m kinda confused…the Chosen One and the savior of Altered…are not the same thing. ???
Dang, Ratchet is still villainous. I'm starting to doubt that he will receive a redemption. Like, at this point, Witch has a better chance to be redeemed than Voice and Ratchet
I'm still confused about the Prophecy. It can either make Witch king or take Gizzy home. I hope this is addressed better later. If I didn't know about the Minecraft roleplay, I would assume that the Prophecy is something that grants people wishes.
Also, I noticed that Gypsy didn’t say that his time was coming to an end…hmm…
There’s one great thing about making Aurona and Gizzy children in the books: it questions morality. Witch was angry at Voice for separating him from Aurona (a child), but he was ok with Voice’s plan to separate Gizzy (another child) from his family. So, is Witch just as bad as Voice?
I don’t know what to think about Witch. His character is not clearly defined with all these different perspectives. Like, this info contradicts the info from chapters 2 and 3. I want to analyze this later and figure out why the narrator lied about Witch in chapters 2 and 3.
Did Witch agree to Voice’s plan willingly or unwillingly? What did Witch do as a Guardian? So many questions, but they can’t be answered in the book.
noisyunknownturtle · 5 years ago
Voatz ‘Blockchain’ App Used in US Elections Has Numerous Security Issues, Says Report
Voatz, the Massachusetts-based company touting a blockchain-enabled mobile voting app, has been met with public criticism for a lack of transparency, among other things, particularly when it comes to data security. And with the threat of election tampering, the stakes are as high as ever.
Voatz has been used in elections in West Virginia; Jackson County, Oregon; Umatilla County, Oregon; municipal elections in Utah County, Utah; as well as in runoff elections and municipal elections in Denver, Colorado.
The public security audit by a reputable third-party firm that experts have been calling for is here at last. In December 2019, Voatz and Tusk Philanthropies, which funded most of Voatz’s mobile voting pilots, engaged security firm Trail of Bits to conduct a comprehensive white box audit.
Although Voatz failed to provide a backend to live-test malicious attack vectors, Trail of Bits had access to all of the source code, including the core server, Android client, iOS client and administrator web interface.
The audit report is comprehensive, and includes a 122-page security review and a 78-page document on threat-modeling considerations. Here’s a quick rundown of the main parts.
Voatz doesn’t need blockchain 
The appeal of blockchain voting is that it’s a decentralized system that doesn’t require voters to trust anybody. But the blockchain Voatz uses doesn’t actually extend to the mobile client. Instead, Voatz has been applying the votes to a Hyperledger Fabric blockchain, which it uses as an audit log — something just as easily done by using a database with an audit log.
Although a Voatz spokesperson claimed that Hyperledger “provides several security functions such as securing the aggregate vote, enabling post election auditing and providing a chain of custody for the digital ballots as they traverse through the ecosystem,” it’s unclear how it would do so, and this capability isn’t evident in the report.
The code Trail of Bits looked at did not use custom chaincode or smart contracts. In fact, the report reads:
“All data validation and business logic are executed off-chain in the Scala codebase of the Voatz Core Server. Several high-risk findings were the result of data validation issues and confused deputies in the core server that could allow one voter to masquerade as another before even touching the blockchain.”
Because voters do not connect directly to the blockchain themselves, they can’t independently verify that the votes reflect their intent. But anyone with administrative access to Voatz’s back-end servers has the ability to “deanonymize votes, deny votes, alter votes, and invalidate audit trails.”
The report found that the Voatz system doesn't have any mitigation for deanonymizing voters based on the time their ballot was recorded in the blockchain. In a statement, a spokesperson for Voatz said it had an experimental mixnet running on the edge infrastructure used for network-level experiments, but provided no source code for it, and Voatz's FAQ claims that "once submitted, all information is anonymized, routed via a 'mixnet' and posted to the blockchain." But this was called into question in an MIT report, and now again in this audit.
“There does not appear to be, nor is there mention of, a mixnet in the code provided to Trail of Bits,” the audit reads. “The core server has the capability to deanonymize all traffic, including ballots.”
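The timing attack the audit describes, as an added illustration that is not part of the article or of the Voatz or Trail of Bits code: the ledger timestamps are joined against a constructed log of when each client submitted, and a single candidate inside the window identifies the voter. The second function shows why a mixnet or batching step matters, holding ballots until an epoch closes, shuffling them, and recording them all with the epoch boundary time, so timing links a ballot only to the whole batch. The data, window sizes and epoch length are all assumptions made for the demo.

```python
import random
from bisect import bisect_left, bisect_right

# Constructed sample data (not Voatz logs): when each voter's app submitted
# a ballot, and when each ballot was appended to the ledger, in seconds.
SUBMISSIONS = [("voter-17", 1000.0), ("voter-42", 1060.0), ("voter-08", 1125.0)]
LEDGER = [("ballot-a", 1000.4), ("ballot-b", 1060.7), ("ballot-c", 1125.2)]


def link_by_timing(submissions, ledger, window=2.0):
    """For each ledger entry, return the set of voters whose submission
    fell within `window` seconds before the entry was recorded.
    A singleton set means timing alone identifies the voter."""
    ordered = sorted(submissions, key=lambda s: s[1])
    stamps = [t for _, t in ordered]
    candidates = {}
    for ballot, recorded_at in ledger:
        lo = bisect_left(stamps, recorded_at - window)
        hi = bisect_right(stamps, recorded_at)
        candidates[ballot] = {voter for voter, _ in ordered[lo:hi]}
    return candidates


def batch_and_shuffle(submissions, epoch=300.0, seed=None):
    """Mitigation: buffer ballots until the epoch boundary, shuffle the
    batch, and stamp every entry with the boundary time. The ledger then
    carries no per-ballot submission time to correlate against."""
    rng = random.Random(seed)
    buckets = {}
    for voter, submitted_at in submissions:
        boundary = (int(submitted_at // epoch) + 1) * epoch
        buckets.setdefault(boundary, []).append(voter)
    ledger = []
    for boundary in sorted(buckets):
        batch = buckets[boundary][:]
        rng.shuffle(batch)  # voter identity is dropped; only the order is mixed
        for i in range(len(batch)):
            ledger.append((f"ballot-{int(boundary)}-{i}", float(boundary)))
    return ledger


def anonymity_set_sizes(submissions, ledger, window):
    """Size of the candidate set per ballot under a given attack window."""
    return {b: len(v) for b, v in link_by_timing(submissions, ledger, window).items()}


if __name__ == "__main__":
    print("raw ledger:", anonymity_set_sizes(SUBMISSIONS, LEDGER, window=2.0))
    mixed = batch_and_shuffle(SUBMISSIONS, epoch=300.0, seed=1)
    print("batched, tight window:", anonymity_set_sizes(SUBMISSIONS, mixed, window=2.0))
    print("batched, whole epoch:", anonymity_set_sizes(SUBMISSIONS, mixed, window=300.0))
```

With the raw ledger every ballot maps to exactly one voter. After batching, a tight window matches nobody and the widest useful window matches the entire batch, so the anonymity set is the batch size, which is the quantity a mixnet design should be sized around.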
Trail of Bits confirmed MIT’s findings — Voatz disputed them
On Feb. 13, MIT researchers published the aforementioned report, “The Ballot Is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections,” to which Voatz responded with a blog post the same day to refute what it called a “flawed report,” leading the MIT researchers to post an FAQ with clarifications.
It turns out that Voatz’s refutation was written three days after Trail of Bits confirmed the presence of the described vulnerabilities to MIT, having received an anonymized summary report of the issues from the United States Department of Homeland Security. This suggests that Voatz was aware that the report was accurate before publicly discounting it.
The audit also disputes some of Voatz's objections to the MIT researchers' reports. Voatz stated that the Android app analyzed was 27 versions old, but Trail of Bits wrote that it "did not identify any security relevant changes in the codebase" between the September 2019 version of the app used by the MIT researchers and the current one that would substantively affect their claims.
Voatz also took issue with the researchers developing a mock server, calling it a “flawed approach” that “invalidates any claims about their ability to compromise the overall system.” Voatz even wrote that this practice “negates any degree of credibility on behalf of the researchers.” 
But Trail of Bits claims that “developing a mock server in instances where connecting to a production server might result in legal action is a standard practice in vulnerability research. It is also a standard practice in software testing.” Furthermore, the report points out that the findings focused on the Android client, but did not rely on in-depth knowledge of the Voatz servers.
A Voatz spokesperson says Voatz “objects to the methodology and approach of the MIT researchers,” and that there are “several errors in the report.”
“If our methodology was wrong, the theory would be that we would come to incorrect conclusions. However, all of the vulnerabilities we found have been confirmed by their own security review. Additionally, it doesn’t appear that they’re contesting any of them,” said Michael Specter, one of the MIT researchers who authored the report.
Prior audits were not comprehensive
Despite Voatz touting multiple security audits, this is the first time a white box assessment has been conducted, with the core server and backend having been analyzed. Although not all of the prior audits are public, Trail of Bits summarized all of them.
One prior security review was conducted in August 2019 by NCC, an independent, private nonprofit that doesn’t employ any technical security experts. The audit focused on usability rather than security. In July 2018, an unnamed vendor conducted a black box audit of Voatz’s mobile clients. 
In October 2018, TLDR Security, now known as ShiftState, conducted a broad security hygiene review that included system architecture, user and data workflows and threat mitigation planning, but didn’t look for bugs in the system nor in the actual application. ShiftState then conducted another audit in December 2018, looking at whether the system operated as intended and followed best practices.
Although ShiftState CEO Andre McGregor has previously said that Voatz “did very well,” Trail of Bits’ review of ShiftState’s audit points to issues with limited logging, unmanaged servers and a Zimperium anti-mobile malware solution that wasn’t enabled during the pilot. 
Since all of Voatz’s anti-tamper protections for mobile devices are based on Zimperium, it being inactive means the application could have been trivially tampered with, as Voatz lacks additional protection against malicious applications that could access sensitive information.
A Voatz spokesperson said that Zimperium wasn’t fully integrated until 2019 and that some researchers request its disablement for testing purposes, which they do on a case-by-case basis. “Trail of Bits could not independently verify that Zimperium’s proprietary anti-tamper checks explicitly verify the Android security provider,” the report reads, recommending an additional check in case Zimperium is ever disabled, intentionally or not. 
The final audit by the DHS, conducted in October 2019, simply looked at cloud resources, not at the application — whether there’s evidence of hacking or if it could be detected if it takes place.
Beyond the limitations of prior security assessments that Voatz has touted without making public — such as the fact that none of the audits included server and back-end vulnerabilities — Trail of Bits’ report states that the writeups from the other security assessments conducted were technical documents. This calls into question whether elected officials are making decisions based on documents they’re unqualified to read.
Voatz appears wildly disorganized
Trail of Bits’ assessment lasted an entire week longer than initially scheduled “due to a combination of delays in receiving code and assets, the unexpected complexity and size of the system, and the associated reporting effort.”
Trail of Bits never received a working copy of the code, prohibiting the firm from live-testing, meaning that the researchers were almost entirely limited to static-testing, which required them to read through a massive amount of code. According to the report, Voatz has so much code that it “required each engineer to analyze, on average, almost 3,000 pure lines of code across 35 files per day of the assessment in order to achieve minimal coverage.”
Although Trail of Bits received access to the backend for live-testing a day before the assessment was scheduled to end (which a Voatz spokesperson said was due to simultaneous audits, delays in audits and parallel activities, and a limited number of test platforms), the security firm was asked not to attack or alter the instance in a way that would deny service to concurrent audits.
Voatz made rookie mistakes — and doesn’t seem serious about fixes
Trail of Bits described several bugs that could lead to votes being observed, tampered with or deanonymized, or that could call the integrity of an election into question.
Beyond the fact that voters can’t independently validate that their ballot receipt is valid or that votes were tallied correctly, a Voatz employee could theoretically force a user to vote twice, allow them to vote twice or duplicate their vote without their knowledge on the backend. Also, Voatz uses an eight-digit PIN to encrypt all local data — something that could be cracked within 15 minutes.
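Why an eight-digit PIN gives the local encryption almost no protection, as an added example that is not code from the article, Voatz or Trail of Bits: the PIN space is only 10^8, so an attacker with the encrypted file tries every PIN offline. The weak derivation (a single hash) and the stretched one (PBKDF2 with a high iteration count) are assumptions chosen to show the contrast; the demo cracks a 4-digit PIN so it finishes quickly and extrapolates the cost of the full 8-digit search from a timed sample.

```python
import hashlib
import time

SALT = b"constructed-device-salt"  # constructed; a real app stores a random per-device salt


def derive_key_weak(pin: str, salt: bytes) -> bytes:
    """Assumed weak design: one SHA-256 over salt || PIN. Fast to compute,
    so fast to brute force."""
    return hashlib.sha256(salt + pin.encode()).digest()


def derive_key_stretched(pin: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Same PIN through PBKDF2-HMAC-SHA256 (stdlib). Iterations are an
    illustrative budget; the PIN space is still tiny, stretching only buys
    time, which is why the recommendation is a longer secret or a
    hardware-backed key, not just a slower KDF."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def crack_pin(target_key: bytes, salt: bytes, kdf, digits: int):
    """Offline brute force over every numeric PIN of `digits` length.
    Returns (pin, attempts) on success or (None, attempts) if exhausted."""
    attempts = 0
    for n in range(10 ** digits):
        attempts += 1
        candidate = str(n).zfill(digits)
        if kdf(candidate, salt) == target_key:
            return candidate, attempts
    return None, attempts


def estimate_full_search_seconds(kdf, salt: bytes, digits: int = 8, sample: int = 100) -> float:
    """Time `sample` KDF calls on this machine and extrapolate to the whole
    PIN space (single core, no GPU; a real attacker does far better)."""
    start = time.perf_counter()
    for n in range(sample):
        kdf(str(n).zfill(digits), salt)
    per_call = (time.perf_counter() - start) / sample
    return per_call * (10 ** digits)


if __name__ == "__main__":
    stolen = derive_key_weak("0042", SALT)          # what an attacker lifts from the device
    print("recovered:", crack_pin(stolen, SALT, derive_key_weak, 4))
    print("weak, full 8-digit space (s):", round(estimate_full_search_seconds(derive_key_weak, SALT), 1))
    print("stretched, full 8-digit space (s):",
          round(estimate_full_search_seconds(derive_key_stretched, SALT, sample=5), 1))
```

The stretched variant turns seconds into days on one core, but the keyspace is unchanged, so it is a mitigation, not a fix: the data protected by an eight-digit PIN needs the key bound to the device's secure element or derived from a secret the attacker cannot enumerate.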
Furthermore, the report found that the app doesn’t have security controls to prevent unattended Android devices from being compromised. Sensitive API credentials were stored in git repositories, which means anyone in the company with access to the code — perhaps even subcontractors — could use or abuse secret keys exposed in the repositories.
Voatz employees with admin access can look up specific voters’ ballots. Voatz uses an ad hoc cryptographic handshake protocol, which is generally not recommended — homemade cryptography is prone to bugs, and it is best to use schemes that have been studied by researchers and tested in the real world. The TLS (Transport Layer Security, still widely called SSL) configuration was also not entirely secure, lacking a feature that lets clients detect when a certificate has been revoked.
In one instance, Voatz even cut and pasted a key and initialization vector from a Stack Overflow answer. Cutting and pasting code is generally discouraged, even in college-level computer security courses, because the quality of information on Stack Overflow varies, and even good code might not work in a specific environment. Cutting and pasting a key and IV is worse still, as it means the key and IV used to encrypt the data are identical to values published on the internet, even though a key is supposed to be secret. A Voatz spokesperson said in an email that this was test code for an in-app demo and “was not actually used in any case or transaction.”
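The two findings above, API credentials committed to git repositories and a static key and IV pasted into source, are exactly what a pre-commit secret scanner is meant to catch before code leaves a developer's machine. The following is an added example, not code from Voatz, Trail of Bits or the article: a minimal scanner in Python run over a constructed source file. It goes a little beyond the article's two cases by combining three checks that real scanners use: vendor-specific key formats, sensitive variable names, and a character-entropy heuristic for random-looking literals. The two vendor regexes, the sensitive-word list and the entropy threshold are assumptions chosen for the demo, and every value in the sample file is invented (the AWS key id is the placeholder from AWS's own documentation).

```python
import math
import re
from collections import Counter

# Constructed sample source file. All values are invented for this example;
# nothing here comes from Voatz or the Trail of Bits report.
SAMPLE_SOURCE = """\
import requests

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SENDGRID_API_KEY = "SG.c3VwZXJzZWNyZXQ.ZmFrZWtleWZvcmRlbW9wdXJwb3Nlcw"
KEY = b"0123456789abcdef0123456789abcdef"   # static key baked into the app
IV = b"abcdef9876543210"                    # static IV reused for every message
BOOTSTRAP = "u8F3kQz9LxP2mWvR7tYb"          # unlabelled but random-looking
HELP = "Enter your PIN to unlock the ballot"
BANNER = "------------------------"
LOG_LEVEL = "DEBUG"
"""

# Vendor-specific key formats. These two regexes are assumptions for the demo;
# production scanners ship far larger pattern sets.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "sendgrid_api_key": re.compile(r"\bSG\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}

# Matches `NAME = "literal"` or `NAME = b"literal"` at the start of a line.
ASSIGN_RE = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*b?["'](?P<value>[^"']+)["']"""
)

# Words in a variable name that suggest the literal assigned to it is secret.
SENSITIVE_TOKENS = {"key", "secret", "token", "password", "passwd", "pwd",
                    "iv", "nonce", "salt", "credential", "credentials"}

MIN_ENTROPY_LEN = 16     # shorter literals are too noisy to judge by entropy
ENTROPY_THRESHOLD = 4.0  # bits per char; random alnum/base64 tokens sit above this


def shannon_entropy(s: str) -> float:
    """Estimate bits of entropy per character from the character histogram."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def name_tokens(name: str) -> set:
    """Split a snake_case or camelCase identifier into lower-case words."""
    snake = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name)
    return {t for t in snake.lower().split("_") if t}


def classify_line(line: str):
    """Return (kind, detail) if the line looks like it carries a secret, else None.

    Checks run from most to least specific: a known vendor format wins over a
    suspicious variable name, which wins over the entropy heuristic.
    """
    for fmt, rx in KNOWN_FORMATS.items():
        if rx.search(line):
            return ("known_format", fmt)
    m = ASSIGN_RE.match(line)
    if not m:
        return None
    name, value = m.group("name"), m.group("value")
    if name_tokens(name) & SENSITIVE_TOKENS and len(value) >= 8:
        return ("sensitive_assignment", name)
    # Entropy is only meaningful for space-free tokens: ordinary English prose
    # also scores close to 4 bits/char and would otherwise be flagged.
    if (len(value) >= MIN_ENTROPY_LEN and not re.search(r"\s", value)
            and shannon_entropy(value) >= ENTROPY_THRESHOLD):
        return ("high_entropy_literal", name)
    return None


def scan_source(text: str):
    """Scan a file body and return a list of (line_no, kind, detail) findings."""
    findings = []
    for i, line in enumerate(text.splitlines(), start=1):
        hit = classify_line(line)
        if hit:
            findings.append((i, *hit))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind} ({detail})")
```

Run against the sample, the scanner flags the two vendor keys, the static `KEY` and `IV` literals, and the unlabelled random-looking `BOOTSTRAP` value, while leaving the help text, the banner and the log level alone. Wired into a pre-commit hook, a check like this blocks the commit rather than merely reporting, which is the point: once a key is in the repository's history it has to be treated as compromised and rotated, regardless of whether it was "only test code."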
Even when summarized, Trail of Bits’ recommendations are eight pages long. Voatz appears to have addressed eight security risks, partially addressed another six, and left 34 unfixed. Typically, companies have a comprehensive plan for fixing high- and medium-risk findings. A Voatz spokesperson said in an email: “We take each finding seriously, analyze each finding from a practical perspective, assign the probability of risk and then determine the course forward.”
“If the bug or issue is practically exploitable in a real world scenario conforming to the small scale pilots we are conducting, then we address them immediately else they flow in our normal development pipelines subject to priorities.”
Shockingly, Voatz decided it “accepts the risk” of many of these bugs, essentially accepting risk on behalf of the voters rather than making the fixes suggested from the firm it hired.
Tusk Philanthropies, Voatz and Trail of Bits referred Cointelegraph to their separate blog posts about the audit, and Trail of Bits referred to the report itself.
This article has been updated with comments by a Voatz spokesperson.
Related: Safe Harbor or Thrown to the Sharks by Voatz?
The post Voatz ‘Blockchain’ App Used in US Elections Has Numerous Security Issues, Says Report appeared first on For Crypto.
from For Crypto https://ift.tt/2IQgc3P
0 notes
angryconnoisseurface · 5 years ago
Text
Voatz ‘Blockchain’ App Used in US Elections Has Numerous Security Issues, Says Report
The post Voatz ‘Blockchain’ App Used in US Elections Has Numerous Security Issues, Says Report appeared first on Tip Crypto.
from Tip Crypto https://ift.tt/2wZrkZg
0 notes
cryptowavesxyz · 5 years ago
Text
Voatz ‘Blockchain’ App Used in US Elections Has Numerous Security Issues, Says Report
The post Voatz ‘Blockchain’ App Used in US Elections Has Numerous Security Issues, Says Report appeared first on Crypto Waves.
from Crypto Waves https://ift.tt/2QfVChm
0 notes
ellahmacdermott · 7 years ago
Text
Audits and Quality Assurance: Patching the Holes in Smart Contract Security
On July 10, 2018, news broke that cryptocurrency wallet and decentralized exchange Bancor was hit with a hack. A wallet the Bancor team used to update the protocol’s smart contracts was infiltrated, and the $23.5 million vulnerability allowed the hackers to run off with $12.5 million ETH, $1 million NPXS tokens and $10 million of Bancor’s BNT token.
Following the hack, the Bancor team froze the BNT in question in an effort to stanch its losses.
The latest of its kind, the attack is an unfortunate reminder that smart contracts are not foolproof. Even built as they are on the blockchain’s security intensive network, they can feature bugs, backdoors and vulnerabilities that are ripe for exploitation.
Before Bancor, we saw the popular Ethereum wallet Parity drained of 150,000 ETH (now worth just over $68 million) in July of 2017. In November of the same year, Parity lost even more when a less-experienced coder accidentally froze some $153 million worth of ether and other tokens.
In perhaps the most infamous smart contract hack in the industry to date, The DAO, a decentralized venture fund, lost 3.6 million ether in June of 2016. The stolen funds are now worth $1.6 billion, and the fallout of the attack saw Ethereum hard fork to recoup losses.
The Why and How: Making the Same Mistake
If three’s company, then The DAO, Parity and now Bancor have become the poster triplets of smart contract vulnerabilities. But they’re not alone in their weakness, and similar smart contract bugs have been exploited or nearly exploited on other networks.
For such a nascent technology, such flaws may be expected, but given the mass sum of funds these contracts are supposed to protect, truly stalwart security measures are not yet routinely employed.
To Hartej Sawhney, co-founder of the cybersecurity firm Hosho, the sheer amount of funds at stake is enough of an incentive to attract black hats to these smart contracts, especially if there’s a central point through which they can probe for access.
“There’s money behind every smart contract, so there’s an incentive to hack into it. And the scary part of smart contracts like Bancor is that they’ve coded their smart contracts in a way that gives centralized power to the founders of the project. They’ve put this backdoor in there,” Sawhney told Bitcoin Magazine in an interview.
Sawhney is referring to Bancor’s ability to confiscate and freeze tokens at will, as the smart contracts that govern their wallet and exchange feature central points of control. This degree of control has been widely criticized as centralized to the point that Bancor shouldn’t be able to advertise itself as a decentralized exchange.
And it may have even provided the hackers with an entry point into the network. While Bancor has not revealed the specifics of the hack and its execution, the team wrote in a blog post that “a wallet used to upgrade some smart contracts was compromised.” Sawhney indicated in our interview that “most smart contracts are coded to be irreversible,” while Bancor’s own are completely mutable. The hackers could have exploited — and likely did exploit — the same backdoor that the developers put into place to manage their project.
Bancor aside, Dmytro Budorin, CEO of cybersecurity community Hacken, echoed Sawhney’s belief that the industry’s treasure trove of assets is a powerful impetus for hackers to dirty their hands. He also believes that the relative youth of the technology makes it vulnerable to detrimental exploits.
“Coding on blockchain is something new,” Budorin added in an interview with Bitcoin Magazine. “We still lack security standards and best practices on how to properly code smart contracts. Also, when coding smart contracts, programmers think more about functionality than about security, since a programmer’s main task is to simply make the code work, and security is usually an afterthought.”
Working with new programming languages, security can take a back seat to functionality. More than just the casualty of a steep learning curve, Sawhney believes that security can slip by the eye of software engineers because they “don’t have a quality assurance (QA) mindset.”
With millions at stake and potential holes in the code to exploit, hackers are bound to drum up a scheme to breach these contracts, according to Budorin. Even if a team has audited their code for expected or known vulnerabilities, “a new type of attack can be developed any time and nothing can protect you from this.”
All it takes is a spurt of intuitive thinking to probe a smart contract’s code for an unexplored opening, Amy Wan, CEO and co-founder of Sagewise, noted in a separate interview with Bitcoin Magazine.
“It is not often that developers are able to write perfect code that works the first time around — and even when that happens the code cannot be adapted to unforeseen situations. Code is also static, which makes smart contracts very rigid. However, humans are anything but static and very creative when it comes to problem solving. This combination creates something of a perfect storm, making smart contracts ill-suited where there are bugs in coding or loopholes/situation changes.”
Wan believes that “technology isn't about tech itself as much as it is about how humans interact with it,” meaning that we “are always going to have folks looking for opportunities to test the shortcomings of technology, which may result in hacks.”
To Wan, smart contracts feature intrinsic vulnerabilities. To make security matters worse, she also holds that they “cannot be amended or terminated (or in technologist speak, evolved or upgraded),” and their static nature renders them susceptible to the dynamic, adaptive strategies of black hats.
“Code aside, with every situation, there are an infinite number of things that can go awry. The rigidity of smart contracts presently cannot accommodate the fluidity of the real world,” she said.
Mending the Achilles Heel
If technical flexibility is the crux of smart contract weakness, then the fix is in the inception and carry-through of their development. Developers should put preventative measures in place to ensure that their code can bend without breaking, the CEOs expressed.
“We need to have a more comprehensive approach in order to solve this problem in the long term,” Budorin argued. “First of all, even though it is impossible to make all contracts absolutely secure, smart contract risks can be reduced. The best way to secure a smart contract is to have a security engineer on staff, conduct two different independent audits, and launch a bug bounty program for a dedicated period of time before deployment.”
Hacken itself facilitates such bug bounties, and the platform, called HackenProof, has seen its white hat community audit and test such industry projects as VeChainThor, Neverdie, Legolas Exchange, NapoleonX, Shopin and Enecuum. Budorin and his team find that bug bounties provide a reliable if tertiary buffer for projects before they go public.
“We believe that the only efficient way to mitigate modern cybersecurity threats is to host bug bounty programs on bug bounty platforms. This is called a crowdsourced security approach,” Budorin explained.
“Bug bounty platforms attract a crowd of third-party cybersecurity experts (dozens if not hundreds at a time) to test the client’s software. Testing can be ongoing for months or even years.”
Sawhney agrees that projects need to keep more security experts on staff to police vulnerabilities, while lamenting the fact that some projects lack a CIO or CTO for this purpose. But he also indicated that, in some cases, companies need only submit themselves to a proper audit to avoid a fate similar to Bancor’s.
“Some of these companies believe that they have the world’s best engineers, so they think they don’t need an audit. And if they get one, chances are they’ve done a third-party audit that was in their favor. Even if they’re getting an audit, some of these audit companies aren’t doing what we deem to be a professional audit. They’re taking the code and putting it through automated tooling. They’re not taking the time to do some of the more manual tasks which includes a dynamic analysis, quality assurance,” he explained.
The manual tasks that Sawhney lauds are at the heart of Hosho’s own auditing processes. They allow Hosho’s team to sniff out coding errors that automated tooling might miss, like discrepancies between the smart contract’s token algorithms and a white paper’s business model.
“So the most manual part of conducting an audit is marrying the code to the words — we call it dynamic analysis. Most of the time when we find errors with a smart contract, we’re finding colossal errors in the business logic. We’re finding everything from mathematical errors to errors in token allocation,” Sawhney said.
He went on to reveal that Hosho’s team includes professionals “from the infosec, devcon communities that are white hats who have spent years doing QA.” QA, shorthand for quality assurance, is the practice of testing code against its intended function to check for any malfunctions, defects and other flaws that may render it vulnerable or inoperable.
As Sawhney indicated earlier, part of the reason these projects and their auditors don’t do QA is simply because they lack the professional experience to do so. It’s easier, he claimed, to teach Solidity (a smart contract coding language) to those who know how to conduct sound QA than the other way around.
When lack of QA training or a learning curve isn’t the issue, however, Sawhney suggested that, at times, projects won’t secure a thorough audit because they’re simply cutting corners.
“Sometimes I think it’s sheer laziness and being cheap. They see that cost to code a smart contract was only $10k and [an auditor] is charging $30k to review it. They say, ‘Nah, we don’t need that. We have the best engineers in the world so we’re good.’”
To Sawhney, there’s no substitute for a thorough audit. He also holds that, once an audit has been completed, the smart contract should come with a seal of approval, one that both attests to the audit’s quality and reassures users that no code has been altered after the fact. For Hosho’s work, this comes in the form of a GPG file, a cryptographic stamp that simultaneously functions like a certificate of authenticity and denotes the final (or at least most recent) version of audited code, acting rather like the seal on a bottle of cough syrup that proves it hasn’t been tampered with since it last passed quality control.
“Having central governments, regulators, lawyers, PR firms, investors, token holders — everyone — looking for this GPG file, this sign of approval [answers the question]: Has this code been sealed? Because we can monitor this code once we’ve put this seal on it to prove that no one has touched this code, not one line of this code has been changed since a third party audited it. If code changes you’re opening up room for security vulnerabilities.”
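The seal Sawhney describes is, in essence, a record of exactly which bytes were audited plus a way to prove that record has not been altered. The following is an added example, not Hosho’s tooling: it builds a per-file SHA-256 manifest of a constructed contract tree, derives a single seal digest over that manifest, and later reports every file that was modified, removed, or added without review. The GPG signature step is stood in for by the plain seal digest so the script runs offline; in practice the seal value is what the auditor’s key would sign, and that signature would be verified before trusting the manifest. File names and contents are constructed.

```python
"""Seal-and-verify check for audited smart contract source (added example, not Hosho's code)."""
import hashlib
import json
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample: two audited source files as they were when the audit closed.
AUDITED_SOURCES: Dict[str, bytes] = {
    "contracts/Token.sol": b"pragma solidity ^0.4.24;\ncontract Token { uint256 public totalSupply; }\n",
    "contracts/Converter.sol": b"pragma solidity ^0.4.24;\ncontract Converter { address public owner; }\n",
}


def file_digest(data: bytes) -> str:
    """SHA-256 hex digest of one file's raw bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(sources: Dict[str, bytes]) -> Dict[str, str]:
    """Map every audited path to its digest: the audit's record of what was reviewed."""
    return {path: file_digest(data) for path, data in sorted(sources.items())}


def seal_digest(manifest: Dict[str, str]) -> str:
    """One digest over the canonical manifest; the value an auditor would sign and publish."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_against_seal(sources: Dict[str, bytes], manifest: Dict[str, str],
                        seal: str) -> Tuple[bool, List[str]]:
    """Check that the manifest is the sealed one, then that every file still matches it.

    Returns (ok, findings). Findings name files modified since the audit, files that
    disappeared, and files added that no auditor ever looked at.
    """
    if seal_digest(manifest) != seal:
        # A manifest edited to bless new hashes no longer matches the published seal.
        return False, ["manifest does not match seal"]
    current = build_manifest(sources)
    findings: List[str] = []
    for path in sorted(set(manifest) | set(current)):
        if path not in current:
            findings.append(f"missing since audit: {path}")
        elif path not in manifest:
            findings.append(f"unaudited file added: {path}")
        elif current[path] != manifest[path]:
            findings.append(f"modified since audit: {path}")
    return not findings, findings


def load_sources(root: Path, suffix: str = ".sol") -> Dict[str, bytes]:
    """Read a real contract tree into the mapping the functions above expect."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob(f"*{suffix}"))}


if __name__ == "__main__":
    manifest = build_manifest(AUDITED_SOURCES)
    seal = seal_digest(manifest)
    print("sealed manifest digest:", seal)
    # Simulate a one-line change made after the audit closed.
    changed = dict(AUDITED_SOURCES)
    changed["contracts/Converter.sol"] += b"// post-audit edit\n"
    ok, findings = verify_against_seal(changed, manifest, seal)
    print("ok:", ok, "findings:", findings)
```

The check is only as strong as the seal's provenance: anyone holding the manifest can recompute a digest, so the value that gets published must be bound to the auditor (a signature over it, as in the GPG file the article describes), and the verifier must fetch that value from the auditor rather than from the project being checked.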
Wan’s own solution offers a different sort of prescription, in that she adds post-audit safety nets like Sagewise’s software as a smart contract’s third line of defense.
“Going forward, I believe that blockchain companies will be able to prevent smart contract disasters by using a smart contract developer whose sole focus is developing smart contracts, hiring a reputable security auditing firm, and including a catch-all safety net into smart contracts, such as Sagewise's SDK.”
The Sagewise SDK integrates with smart contracts to police malicious inputs. It gives developers the chance to freeze the smart contract in question and adjust it accordingly.
“It starts with a monitoring and notification service so users are aware of what's happening with their smart contract. Paired with our SDK, which basically acts as an arbitration clause in code, users are notified of functions executing on their smart contract and, if such functions are unintended, [they have] the ability to freeze the smart contract. They then can take the time they need to fix whatever needs to be fixed, whether that's merely fixing a coding error to amending the smart contract or resolving a dispute,” she said.
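The monitor-notify-freeze pattern Wan outlines can be modelled without any blockchain tooling. The following is an added example and not the Sagewise SDK: it reads constructed transaction log lines for one contract, reports every call against a declared policy (public functions anyone may call, privileged functions reserved for a declared admin), and trips a freeze flag the moment a call the deployer did not intend arrives, whether an unknown function or an administrative function from a non-admin address. The contract address, sender addresses, function names and log format are all made up for the example.

```python
"""Policy monitor with a circuit breaker over constructed transaction logs (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed log lines: one transaction per line as key=value fields.
SAMPLE_LOG = """\
block=100 from=0xA11CE to=0xC0FFEE fn=transfer
block=101 from=0xADB1B to=0xC0FFEE fn=upgradeContract
block=102 from=0xB0B to=0xC0FFEE fn=transfer
block=103 from=0xF00D to=0xC0FFEE fn=upgradeContract
block=104 from=0xB0B to=0xC0FFEE fn=transfer
"""


@dataclass
class ContractPolicy:
    address: str
    public_functions: Set[str]       # anyone may call these
    privileged_functions: Set[str]   # only declared admins should ever call these
    admins: Set[str]


# Constructed policy for the sample contract above.
POLICY = ContractPolicy(
    address="0xC0FFEE",
    public_functions={"transfer"},
    privileged_functions={"upgradeContract"},
    admins={"0xADB1B"},
)


@dataclass
class Event:
    block: int
    sender: str
    function: str
    severity: str   # "info", "notice" or "alert"
    detail: str


@dataclass
class ContractMonitor:
    policy: ContractPolicy
    frozen: bool = False
    events: List[Event] = field(default_factory=list)

    def observe(self, tx: Dict[str, str]) -> Optional[Event]:
        """Classify one transaction; returns the event, or None if it is for another contract."""
        if tx.get("to") != self.policy.address:
            return None
        block, sender, fn = int(tx["block"]), tx["from"], tx["fn"]
        if self.frozen:
            # Once frozen, everything is surfaced to the team rather than classified.
            ev = Event(block, sender, fn, "notice", "call arrived while contract is frozen")
        elif fn in self.policy.privileged_functions:
            if sender in self.policy.admins:
                ev = Event(block, sender, fn, "notice", "privileged call by declared admin")
            else:
                ev = Event(block, sender, fn, "alert", "privileged call from non-admin; freezing")
                self.frozen = True
        elif fn in self.policy.public_functions:
            ev = Event(block, sender, fn, "info", "expected public call")
        else:
            ev = Event(block, sender, fn, "alert", "function not in policy; freezing")
            self.frozen = True
        self.events.append(ev)
        return ev


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def run_monitor(log_text: str, policy: ContractPolicy) -> ContractMonitor:
    """Feed every non-empty log line through a fresh monitor and return it."""
    monitor = ContractMonitor(policy)
    for line in log_text.splitlines():
        if line.strip():
            monitor.observe(parse_line(line))
    return monitor


if __name__ == "__main__":
    m = run_monitor(SAMPLE_LOG, POLICY)
    for ev in m.events:
        print(f"block {ev.block} {ev.severity:6} {ev.function} from {ev.sender}: {ev.detail}")
    print("frozen:", m.frozen)
```

In the sample log the admin's own upgrade at block 101 is only a notice, while the same function from an undeclared address at block 103 raises the alert and freezes; the freeze is a flag the team acts on, and the decision of whether the call was intended stays with a human, which is the point of the arbitration-clause framing in the quote.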
A Community Problem, a Community Solution
In our interview, Wan claimed that “[less than] 2 percent of the population is able to read code.” Fewer people still are able to read Solidity, let alone at the level needed to insulate it with airtight security features.
So even if projects and companies want to take the measures necessary to vet and protect their code properly, they may be wanting for talent and resources. This problem will likely be educated out of existence as more software engineers develop a thorough, more sophisticated understanding of Solidity and other smart contract programming languages. More mature coding languages may present a solution to this ailment, as well.
But for the time being, the community can help developers and teams to err on the side of caution. Like an arbiter with skin in the game, people using these services need to step up and demand action and change, Wan believes. Otherwise these types of security breaches will continue to happen.
“[B]ecause much of the population cannot read code, it is difficult for them to hold developers accountable for when they do things like code an administrative backdoor into their smart contract (which many large projects have done),” said Wan.
“Just in 2017 alone, half a billion dollars in value was lost in smart contracts, but that apparently has not been enough to get developers to consider adding additional safety nets or community members to demand them. Perhaps we will need to lose billions more to get people to realize that this isn't how the system should work.”
Sawhney also reiterated this point: “[More] people need to be outspoken, call people out. I think people are scared because the community is tight-knit and everybody knows everybody. No one wants to shun people. There’s not enough self-governance in this space, and I think that’s the biggest step this community needs to take.”
He added, “[not] enough pressure [is] being put on security; there’s not enough regulation around security.”
In an effort to bring self-regulation to the forefront of the industry’s to-do list, Hosho is hosting a summit for cybersecurity firms in Berlin. Slated for this September, Sawhney hopes the summit will spawn a self-regulatory organization (SRO) from its attendance, “complete with a certificate for our work, kind of like the Big Four for financial audits.”
Adding to the conversation on self-regulation, Budorin finds that the community would do well to document exploited vulnerabilities. This would create a library of case studies and situations for developers to study and to create the solutions necessary to avoid the same pitfalls in the future.
“...the blockchain community needs to collect, store and analyze all known vulnerabilities that have been found in smart contracts and host regular security conferences that will cover security issues in blockchain and develop security guidelines so that new generation of blockchain programmers is more prepared for these problems,” he said.
The onus is not on the community alone, as the lion’s share of responsibility rests on developers to ensure that their code is as sound as possible before it reaches an audience. Together, however, the industry’s community and its architects may combine perspectives to make smart contract hazards a thing of the past.
Until then, Sawhney, Budorin and Wan’s perspectives — and their respective companies’ purposes — provide a healthy reality check for the industry’s pain points. For mainstream adoption and acceptance, these points need to be addressed if there is to be any sustained sense of confidence in this new technology.
This article originally appeared on Bitcoin Magazine.
from InvestmentOpportunityInCryptocurrencies via Ella Macdermott on Inoreader https://bitcoinmagazine.com/articles/audits-and-quality-assurance-patching-holes-smart-contract-security/