The Infinite Idiocy Of The Security Questions


I don’t expect that everybody who reads this site will know who Richard Stallman is, but they probably should. “RMS”, as he prefers to be called, invented the idea of a “free”, which is to say non-licensed, operating system for computers. Stallman’s insight was that you don’t really own a computer unless you have complete autonomy as to how you use it, and that is only possible with a truly free operating system. (For an example of how a non-free operating system works, try putting a foreign-market DVD into your Windows 10 laptop or Mac OS X system.)

The operating system that he and his associates wrote was meant to be a free replacement for the UNIX operating system, which was the property of Bell Labs, and it was called GNU, a recursive acronym meaning “GNU’s Not Unix”. The GNU Project never reached its goal of creating a complete UNIX replacement, but when it was combined with the “Linux” operating system kernel written by Linus Torvalds, it became GNU/Linux. Think of the kernel as the engine of a car; a car can’t move without it, but you can’t drive an engine by itself. You need everything from a frame to a steering wheel to brake pads. Torvalds built the engine; Stallman’s crew built the transmission and the wheels and the windows.

As important as GNU/Linux is — it underpins everything from Amazon to the wireless router in your house — Stallman’s true contribution to computing was the idea of freedom. His approach to computing is utterly socialist, to the point that he refuses to have a password for his accounts. About fifteen years ago, I sat down with RMS for dinner and a discussion in his office at MIT. Never before or since have I had any personal interaction with an intellect as formidable as his. I walked away thinking that Stallman was probably smarter than I was, an impression that I didn’t recall ever having before.

The purpose of these opening paragraphs is to make the case that the smartest man in computer science doesn’t think we should have passwords. It helps explain why the people on the other side of the argument are often so mind-numbingly stupid.


Until relatively recently, security was the central Florida of computer science, a swampy wasteland mostly populated with bumpkins. The brilliant people worked on operating system kernels, real-time computing, parallel computing, and clustering. Security was always the last department to receive any funding or any attention. Think about it. Which accomplishment would you rather have on your resume: doubling the performance of a new system, or an assertion that nobody hacked a particular system while you were responsible for its security?

As a consequence, if there were any truly bright bulbs in the security game, they were on the other side of the equation, in the “black hat” world. You could earn $80,000 a year working at JP Morgan Chase in the security department; you could make millions of dollars in an afternoon if you could break the bank, so to speak. There’s also the minor fact that pretty much every major government in the world has an obvious and pervasive interest in being able to decrypt communications and snoop on network traffic.

The NSA, as an example, has multiple Cray systems in Utah, each with over one million processors, basically devoted to breaking encryption and privacy schemes. Don’t be fooled by the recent brouhaha over the San Bernardino shooter’s iPhone; if it was a matter of true national interest, rather than an example of militant Islam that is profoundly inconvenient to the powers that be during an election year, that phone would have been unlocked and examined within minutes after recovery.

For all the reasons above, and many others, it’s a very good idea to assume that you have no security whatsoever when you operate a computer. Assume that every email you’ve ever written is in the custody of a collating agency of some type. Assume that your Chinese-made laptop will respond to remote commands from its maker, from Microsoft, or from the Chinese government. Assume that your phone listens to you all the time, because it can. Assume that your Amazon Alexa or Tap device listens for keywords and sends them to Amazon. Don’t expect security or privacy on the Internet. It doesn’t exist, unless you are willing to use the equivalent of a “one-time-pad” on every communication. Even then, I’d be very careful about betting that your one-time-pad is so random that the NSA’s million-processor Cray can’t calculate it. Computers can’t actually create random numbers, you know… or maybe you didn’t, but I’m going to fill you in on that.

When you log into your “secure” bank website, you’re relying on all of the following things to be secure:

* Your physical location. If I can see you, I can see what you’re typing. If I can hear you type for fifteen minutes, I can remotely “see” what you’ve typed.
* Your computer hardware. It was made in China by a partner of the Chinese government. It contains millions of transistors and ten million lines of BIOS code. Have you reviewed all of them?
* Your operating system. Was it created by a corporation? Have you seen the source code? Do you know what it actually does?
* Your browser. Has it been compromised? (The answer, 99% of the time, is yes.)
* The HTTPS protocol and its underlying encryption itself. LOL.
* Between five and fifty routers on the Internet. All of which were made by companies that have multiple partnerships with each other and with various governments, and many of which route a copy of your data to the NSA for investigation.
* The physical hardware of the bank server.
* The operating system of the bank server.
* The webserver of the bank server. Webservers are hacked more often than any other commonly used program.
* The in-house software at the bank, which more often than not is written by foreign nationals whose allegiance is to India or China and who are usually controlled very closely by “body shops” like Wipro or Accenture.
* The various mainframe facilities that supply the bank website with information. This is the most secure step in the whole process, by far. But it’s not perfect.

You’re a fool if you think that the mess of spaghetti listed above is truly “secure” in any way. I haven’t even begun to discuss quantum computing, which will essentially end encryption as we know it. A sufficiently complex quantum computer could instantly break anything short of a truly random one-time pad. True security, therefore, only comes from human interaction. From what they call “sanity checks”. Did Bob really just reach out from Russia and empty out his savings to a numbered account in the Cayman Islands? Probably not.

What I want you to understand, therefore, is that everything you see on the Internet related to security is merely security theater. It’s about as effective as the TSA. Which is to say that your idiot neighbor probably won’t be able to figure out how to login to your bank account, the same way you can’t run through the airport security line waving an AK-47 and expect to be permitted to board. It primarily protects you from the random malice of extremely stupid people.

Or it would, if it wasn’t for the superbly moronic institution of the “security question”. Let’s get this part out of the way: there is no reason for the security question to exist. Not the way it’s implemented at most websites. A security question, when used properly, can be helpful. PEER1 and Rackspace, as an example, use security questions to authenticate requests for phone support. The security question, in those cases, is one that you provide. As an example, your Rackspace security question could be, “What’s the pinkest brown?” and the answer could be “867-5309”. It’s a true shared secret. Of course, it’s stored on the Rackspace systems, which means it’s vulnerable. But as a good way to authenticate a voice on the phone that’s asking you to reboot a server or add a credential, it’s not bad.

The typical security question implementation, however, is not anything like that. Let’s use the one at the OhioHealth PatientConnect portal as an example of how not to do it. Any time you have a bill at the OhioHealth hospitals, they add it to your existing account and you have to use this system to pay it. Naturally, you have to use your existing username and password. So, as an example, when I broke my leg and had to pay the bill, I had to use the username and password that I set up back in 2012.

There’s no way I’ll remember that. So I ask for a reset link, which takes me to security questions. Now, I don’t remember how I set up my security questions back in 2012, but it can really only be one of two ways:

0. I gave honest and correct answers to the security questions. In which case, anybody who has ten minutes to research on the Internet can get that information and pretend to be me. Where was I born? It’s on Wikipedia. My mother’s maiden name? Easy to figure out. The name of my first pet? I don’t actually remember.

1. I made things up that aren’t the right answers at all, to prevent somebody from gaining access to my account. If I did that, then what I’ve done is to create three extra passwords for my account that never change or expire and which have to be stored somewhere. Of course, none of those passwords meet the various ridiculous standards that don’t help anyway.

There’s also a third possibility, which is that I put “fuckyou” as the answer to a security question. But since OhioHealth’s system won’t let you give the same answer to all three questions, it was probably

fuckohiohealth
Fuckohiohealth
FUckohiohealth

But which was which?
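The three variants above differ only in letter case, so a rule that compares answers as exact strings accepts them as three different secrets. The following is an added example, not code from this post or from any portal: it shows that check beside a normalized one, and stores a recovery answer the way a password should be stored. The function names, the normalization rules and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from collections import defaultdict

# Constructed sample: the three case variants quoted in the post.
SAMPLE_ANSWERS = ["fuckohiohealth", "Fuckohiohealth", "FUckohiohealth"]

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def normalize(answer: str) -> str:
    """Canonical form: Unicode-normalized, case-folded, whitespace collapsed."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def naive_all_distinct(answers) -> bool:
    """Exact string comparison: the kind of rule the variants above slip past."""
    return len(set(answers)) == len(answers)


def collisions(answers) -> list:
    """Groups of answers that are the same secret once normalized."""
    groups = defaultdict(list)
    for answer in answers:
        groups[normalize(answer)].append(answer)
    return [group for group in groups.values() if len(group) > 1]


def enroll(answer: str) -> dict:
    """Store a recovery answer like a password: per-record salt plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the KDF over the normalized candidate; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode("utf-8"), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    print("exact-match rule satisfied:", naive_all_distinct(SAMPLE_ANSWERS))
    print("same secret after normalization:", collisions(SAMPLE_ANSWERS))
    record = enroll(SAMPLE_ANSWERS[0])
    print("other variant verifies:", verify(record, "  FUCKOHIOHEALTH "))
```

With normalization the user no longer has to remember which variant went with which question, and the distinctness rule is shown to have added no extra secret.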

In the end, there’s only one thing to do: call and wait on hold for 38 minutes until I can get a person from India on the phone. He will ask me the security questions. I will tell him that I don’t know. This will confuse and upset him. How can I not remember the name of the street on which I grew up? “Because I lived twelve different places before I graduated from high school,” I’ll snap at him, because now we’re heading towards the 45-minute mark. Finally he’ll reset my account. I’ll choose three fake new answers to my security question and put them in a cloud account where any bored sysadmin with time on his hands can grab them and decrypt ’em with commonly available tools.

All of this, mind you, is so I can log in and pay my overblown post-Obamacare health bills, which have averaged over $7000 out of pocket every year since the ACA went into effect. Is it any wonder that a significant number of people just don’t bother? If the process is frustrating to a reasonably experienced computing scientist with a Prometheus-Society-level-IQ and the ability to sit on hold for 38 minutes, what’s it like for a working single mother who cleans houses for a living and parents three kids in a townhouse?

The answer, of course, is that it’s less frustrating, probably. Because our imaginary 110-IQ single mom just answers the questions honestly. For OhioHealth. For Amazon. For Huntington Bank. For shopping sites. Her password is her first child’s name, capitalized with a number and an exclamation point: Brittanee1!. So she truly has no security whatsoever. The system is even more broken for her than it is for me. Her only saving grace is that she has nothing worth taking.

If she was permitted to follow Richard Stallman’s advice and use a blank password, she’d probably be more secure. Because then society would have to adjust its ideas around “identity theft” and the like to acknowledge that the only true way to know that somebody is who they say they are is to put that person in front of somebody who knows them. Just you watch. We’re headed back that way. Maybe not immediately. In twenty years, however, the idea of using a password and a security question to access your bank account will be as old-fashioned as the Frank Abagnale days when you could print your own checks and get money for them at a teller’s window. We’re just going to have to break a lot of eggs to make that omelet. And mark my words, dear readers: some of those eggs will belong to you, and to me. But not to Richard Stallman. He got a MacArthur grant, and something tells me he took it in cash.

43 Replies to “The Infinite Idiocy Of The Security Questions”

  1. jz78817

    one thing which kind of confused me about RMS is that for quite some time he was using this Chinese notebook with a MIPS CPU also designed and made in China. first because he preaches openness (for computing at least) and we know how “open” China is; and second because he was willingly using processors/logic ICs developed inside the PRC, and I doubt they were just giving out their HDL for everyone to audit.

    • Jack Baruth (Post author)

      And right there is the problem with just throwing up our hands and letting China have an entire section. Because even if you have a US-made CPU, is anybody making modern x64 boards anywhere but China?

      • Pete Dushenski

        I’m not sure where ‘pcengines’ manufactures, but they’re based in Switzerland and their boards ship without proprietary BIOS and with full schematics…

        “Just you watch. We’re headed back that way.”

        While it’s conceivable that, 20 years hence, the everyman will be using fingerprints and retinal scans to access his banking, this is little more than the security theatre you so aptly describe : a farcical show and little else besides. Not that this cirque won’t be more than sufficient for those with “nothing to hide.” ™

        For those of us intent on leaving something more than olde fables and washed-up hopes to our children, PGP (with RSA keys, ofc, and not that ECDSA garbage) is sine qua non for secure communications of every sort, from personal conversations to trading on stock exchanges. The barrier to entry to using PGP is admittedly high, but for security, identity, and the maintenance of a Web of Trust, nothing else comes close.

        Besides, the Internet is nothing if not a promoter of power law distributions, and so what if PGP is “hard to use” ?

        • Jack Baruth (Post author)

          Well, you’re proceeding under the assumption that PGP isn’t already cracked wide open. Which is to say, that there’s no algorithm to quickly find primes from products.

          And you’re also proceeding under the assumption that your information isn’t already compromised before you encrypt it. Your keyboard has a microprocessor on it. What’s it doing? Do you use a Bluetooth keyboard?

          Think of all the archived HTTPS traffic that is now being cheerfully read by the NSA.

          It’s not in any way impossible to conceive of a day in the year 2047 when you are sitting peacefully at home and the goons kick down your door because their 2048-bit quantum box just read all of your files and your Bitcoin transactions in a matter of seconds.

          • Pete Dushenski

            I’m more proceeding under the assumption that I didn’t personally use a cheap netbook, ‘smartphone,’ or other insufficiently entropic source to generate my PGP keys, because you’re right, PGP RSA keys have been cracked – their exponents were calculated using Euclid’s cutting-edge 2`300-year-old algorithm, no less. Recently too. But none of these keys were in ‘battlefield use,’ so to speak. They all seemed to have belonged to various sorts of ‘researchers’ who thought that creating keys would be nifty without thinking through the implications of their methodologies.

            As to my keyboard, I know exactly wtf it’s doing – principally because it’s a Model M that’s almost as old as I am. I’m therefore less concerned about backdoor or wireless attacks on it than microphones picking up the clickity-clacks, and it’s much easier to fight the devil you can see than the one you can’t.

            As to quantum computing, it remains a distant objective, like an autonomous car in every driveway or the ‘Internet of Things,’ all of which I sincerely doubt we’ll see in our lifetimes ; but even if we did, the breakthrough that leads to QC’s development will almost necessarily also lead to the development of algorithms that take millennia for said QC to brute-force and therefore provide the same level of security that wily PGP users enjoy today. So if the cat moves the game, so too does the mouse move on. Of course, this is all speculation for as long as we don’t have quantum computers, and we won’t know… until we know!

            As to the state’s goons kicking my door in, by 2047, if I’m still on the green side of the grass, it won’t in any way be inconceivable that my goons will be kicking their doors in. With money and imagination, anything is possible, no ?
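The failure mentioned in the comment above, RSA keys generated with too little entropy so that two moduli share a prime, can be checked for across a keyring with greatest-common-divisor computations. The following is an added example, not code from the post or from any commenter: it audits a set of public moduli with a product-tree batch GCD, which generalizes the pairwise Euclid check to large keyrings. The key names and the toy moduli (products of Mersenne primes) are constructed for illustration.

```python
from math import gcd

# Constructed toy "keys": products of Mersenne primes, not real PGP moduli.
P61, P89, P107, P127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
P521, P607, P1279 = 2**521 - 1, 2**607 - 1, 2**1279 - 1
SAMPLE_KEYRING = {
    "alice": P61 * P89,
    "bob": P107 * P127,
    "carol": P61 * P521,   # generator repeated a prime: shares P61 with alice
    "dave": P607 * P1279,
}


def product_tree(values):
    """Levels of pairwise products, leaves first, full product last."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([
            level[i] * level[i + 1] if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)
        ])
    return tree


def batch_gcd(moduli):
    """For each modulus N, return gcd(N, product of all the other moduli).

    A result of 1 means N shares no factor with any other key in the set.
    A result equal to N means the same modulus appears more than once.
    """
    tree = product_tree(moduli)
    remainders = tree.pop()                      # [product of everything]
    while tree:
        level = tree.pop()
        # Push the product down the tree, reducing modulo node**2 at each step.
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod N^2) // N equals (P / N) mod N, the product of the *other* moduli.
    return [gcd(r // n, n) for r, n in zip(remainders, moduli)]


def audit_keyring(keyring: dict) -> dict:
    """Map each key name to the factor it shares with another key, if any."""
    names = list(keyring)
    shared = batch_gcd([keyring[name] for name in names])
    return {name: g for name, g in zip(names, shared) if g > 1}


if __name__ == "__main__":
    for name, factor in audit_keyring(SAMPLE_KEYRING).items():
        print(f"{name}: modulus shares a {factor.bit_length()}-bit factor with another key")
```

Any key the audit flags should be treated as compromised and regenerated on a system with a properly seeded random number generator.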

          • Jack Baruth (Post author)

            Ah, a Model M brother. I have thirty of them in a box, if you ever kill yours.

            Incidentally, I might email you over the weekend — I want to write something that is in partial opposition to one of your recent posts.

        • Pseudoperson Randomian

          Yup, fingerprints and retinal scans, the one password system where you CAN’T change the password once you’re compromised.

          Seriously, information security needs to be designed around how they cope with failure – not how they work in an ideal situation.

          The problem with security questions is precisely because of that.

          • Orenwolf

            This is a common and naïve misconception. Fingerprints and retinal scans don’t take pictures of your body, they use a representation of it to generate a unique key. The key is not idempotent- if you go through the creation process again, it will be different.

            If your key is compromised, you regenerate your fingerprint id’s and the old key becomes worthless.

        • jz78817

          “Besides, the Internet is nothing if not a promoter of power law distributions, and so what if PGP is “hard to use” ?”

          if it’s hard to use, people won’t use it or will use it improperly. for most daily tasks, people prioritize convenience over everything. for ex, I recently switched to an iPhone with Touch ID. previously I didn’t use a passcode on my phones because a passcode of any worth (alphanumeric, special characters) was just an enormous pain in the ass. start tapping it out on the on-screen keyboard, realize I hit the wrong key somewhere, backspace over the whole thing and start over, etc. With Touch ID I only need to enter it once in a while, e.g. after re-starting the phone. otherwise it’s just a touch on the sensor.

          is it foolproof security? Likely not. is my shit a lot more secure than it was before? Yep.

          (and here I define “secure” as “if I lose the phone or someone boosts it, they’re not going to be able to get in and get my login credentials or any account information. I don’t mean “secure” from Apple or Google, but apparently with the court fights going on now I actually am reasonably secure from Apple so long as I don’t use iCloud.)

  2. mas

    I am pretty sure you use OTP for sites that matter, don’t you? (The one that forces you to have a 6 digit number that is a function of time, your identity and target site)
    Then again, it is too much to ask OhioHealth to enable and support that.

    Reply
  3. Orenwolf

    (disclaimer: at least part of my job is in Information Security).

    This is a great post, mainly because Jack’s managed to have a real discussion wrapped in a straw-man argument. Reminds me a bit of scientology – they wrap some mildly interesting psychology around a batshit-crazy cult. The psychology hooks you, the cult bleeds you dry.

    Anyway,

    The idea that all security is theater is a straw man argument. When anyone on the street can pull out a gun and *kill you* all security is theater. Usually, though, that’s not what you’re trying to defend yourself from.

    For *most people*, the big evil gov’t isn’t trying to infiltrate your collection of dog-porn. Lazy hackers are trying to use least-effort means to get your personally identifying information (PII). Properly implemented TLS encryption, per-site generated passwords, and two-factor auth will keep most of the threats *you are actually likely to face* at bay: someone hacking your favourite dog-porn site gets a password you use nowhere else. Someone hacking your home wifi can’t easily decrypt your logins, and even if they somehow do, two-factor auth will, at least, notify you that something is up when you get an unexpected SMS message.

    No, it won’t stop targeted hackers with nation-state levels of resources. But that probably is a RL issue for *exactly none* of Jack’s readers. So, straw argument.

    NOW, that being said, password recovery mechanisms DO SUCK. freeform secret questions are indeed best, though, as has been true since society began, social engineering tends to derail those too. In most cases, the path of least resistance is to browbeat a phone rep into giving you account credentials, rather than trying to defeat actual technology to do so. Companies are trying to combat this by sending you a text/email/whatever when your account information changes, so that at least you have earliest possible notification of an attack. But it’s not perfect.

    The “solution”, used by some orgs (like google if you turn on two-factor auth, or use whole-disk encryption), is to tell you plainly that if you forget your password *and* can’t use two-factor auth to recover your account, you are fucked. At first glance this is a customer-hostile choice, the opposite is true. Currently, it’s the best way to protect your PII, because social engineering doesn’t help. The responsibility is on YOU not to lose your recovery codes or forget to change your recovery phone number or whatever. And if you decide to keep your recovery information in the same place as your primary password (i.e., digitally, or with your laptop), again, the onus is on you.

    Obviously, this doesn’t work for corporations with ongoing relationships (medical, utilities, cellphone, banking, whatever). These services are most susceptible to social engineering, mostly because they refuse to require you to come in with ID to reset your account. But they should. It’s one of the only ways to remove casual social engineering as a threat.

    • Disinterested-Observer

      In the past 10 years a state agency lost my wife’s health care info, Heartland lost my credit card, Anthem gave away my sons’ SSNs, and OPM gave the Chinese everything when they got into my dad’s clearance files. What is the strawman?

    • Jack Baruth (Post author)

      All you’re telling me is that two-factor auth makes it tougher for me to get to my own stuff.

      It doesn’t make it any tougher for Google to show me targeted ads, does it?

      True story: In early 2013, a lady friend of mine texted me one that she was pretty sure she was pregnant. By me. My phone backed up my SMS conversation to my GMail. When I logged on that afternoon, my ads on GMail were for pregnancy tests.

      In truth, it’s the social contract and law enforcement, not security theater, that keeps people’s accounts safe. Two-factor authentication is like 30-day waiting periods for rifles; the people who are willing to wait won’t shoot you anyway and the people who want to kill you badly enough to risk jail are also willing to risk stealing a gun.

    • Kevin Jaeger

      “For *most people*, the big evil gov’t isn’t trying to infiltrate your collection of dog-porn. Lazy hackers are trying to use least-effort means to get your personally identifying information (PII). Properly implemented TLS encryption, per-site generated passwords, and two-factor auth will keep most of the threats *you are actually likely to face* at bay:”

      This is basically saying that the average person is probably secure as long as they don’t have anything worth securing. Well, yes, that’s more or less true.

      But the future is hard to predict and one day you may actually have someone interested in you. Maybe you messed with the wrong person’s daughter or they’ve started to get serious about rounding up climate change deniers, or firearms owners, or something. At that point the entire trail of your digital existence will be available if the right people want it badly enough.

  4. Orenwolf

    The strawman is that there wasn’t something that could have been done, that all of those vulnerabilities and losses were inevitable.

    How many of the issues you just described were caused by 1) human incompetence or 2) social engineering instead of technological failure? I will bet most of them.

    The idea that we can’t produce perfect information security as a reason to believe security is unimportant *is* a strawman, because most often the technology *is not the reason the data was compromised*.

  5. Orenwolf

    Jack, that’s totally possible. But not *likely*, because the average person just isn’t that interesting to a nation-state.

    When lazy identity-theft hackers can gain access to these tools, (and solve the factoring problem, which you imply has already been done), then the basis for our current encryption will be useless, *even to the common man suffering a common attack*.

    As another note, you know that most of these microcontrollers you’re talking about *today* have, like, barely any code, right? sure one day every microcontroller will have tons of firmware and memory capacity that can be hacked, but today that’s not the case for *most* IC’s. Just because it’s a chip doesn’t mean it’s a little hidden supercomputer waiting for an evil megacorp to rewrite its base code a-la the latest spy thriller. That’s why these sorts of intrusions are usually found in higher order items like routers or processors, etc.

    • Jack Baruth (Post author)

      If you can run a Lynx-style browser on a 6502 or a Zilog Z80 — and you can — then it seems reasonable to assume that you can run a keystroke logger on the average keyboard controller, which is probably an order of magnitude smarter than a Z80?

      I’m not saying that every chip in the world is evil. I’m just saying that finding out is beyond almost everybody’s interest or ability. Even RMS, in the example given by JZ, didn’t black-box his MIPS chip to see exactly what it was doing, right?

      Edited because the first sentence didn’t contain the “logger” portion and therefore made NO SENSE

      • Eric H

        Sure, your keyboard can log keystrokes to its 16 byte memory.
        But then, what the hell does it do with it? It has no connection to the outside world except through the computer it’s connected to and RF noise. If your computer is compromised then you’re boned, and if you are a significant enough target to have a monitoring van parked outside then you’re even more boned.
        I’d be considered a fairly paranoid guy. I don’t own a cell phone. I don’t participate in social media. I’m also a guy who’s been designing hardware and software (kernel and driver development) for over two decades. I minimize exposure by minimizing the data that’s out there, because if it’s there it will be exposed.

        • Jack Baruth (Post author)

          Think of it as a two part thing, like the Ken Thompson hack.

          This is how I’d do it… I’d bundle the keyboard with a driver. That happens fairly often, right? The keyboard listens and maybe it XORs what you’re typing with a known string. Then, periodically, the driver sends debug information via plain HTTP to a listening system.

          We’re not talking about a specifically targeted attack here — how could you ensure that somebody bought a particular keyboard, unless you awarded it to them or intercepted the UPS guy? — but rather a way to do extensive keystroke monitoring across a whole segment of society.

      • jz78817

        yeah. I’m a mechanical engineer. On a base level I understand how transistors and logic gates “work,” but once you get into reasonably complex ICs I can’t see them as anything more than “magic black rectangles which take in electricity and output Fallout 4.”

  6. Orenwolf

    Jack, I don’t understand. Your article discusses that, basically, your information is free to anyone to get because encryption is irrelevant/broken and evil code is in every IC ever made now.

    What does that have to do with a corporation you gave your data to using it for targeted ads? If you didn’t want google to access your SMS messages, why did you give them the data in the first place?

    If you want to argue that all data should be unread unless you specifically give entities permission to do so, and that should be backed up legally, I fully support that. But I’m fairly certain the gmail terms of service give google the right to do exactly what your example suggests. The fix is to *not use their service* in that case.

    • Jack Baruth (Post author)

      What I’m suggesting here is that keeping your Google account secure is mostly theater because the greatest threat to your privacy is Google itself, and they already have the keys. That’s all.

      • Pseudoperson Randomian

        Bingo, and the same applies to all other companies.

        Google may be doing even more security theater than the rest BECAUSE they refused to completely play along with China and mostly closed shop instead.

        So many countries have asked Blackberry to turn over keys to their messaging system. The American big companies will yell and scream about the FBI, but seem completely A-OK functioning in China. And it’s not just China either. Democratic countries, including many in Europe and India have had some intrusive govt moves to compromise the big American companies.

        Honestly, I’m completely A-OK with protecting my privacy from the random script kiddie or social hacker, but assuming real privacy on the internet is foolish.

      • jz78817

        I think the tough nut to crack is that people in general aren’t really worried about that aspect of security. We’re mostly concerned with things within our monkeyspheres. Google seeing keywords to tailor ad delivery is something that happens over there, far away, and people may or may not even notice (I have.)

        the worries within one’s own monkeysphere is some individual stealing our bank account information and wiping us out, or finding potentially embarrassing information to humiliate or blackmail us, or using our information to impersonate us and get us in trouble.

        I’m not worried about Google or Apple stealing my credit card #, or threatening to tell my mother I searched for “nuns & donkeys porn” once.

  7. Orenwolf

    That’s fair, and part of why I believe supporting north-american corporations that do not derive a significant portion of their income from selling your personal details should be a priority for everyone.

    • Disinterested-Observer

      And I would like to see the executives’ heads on pikes. Between the two of us, who is more naive? Who is more likely to see their wish granted?

  8. Orenwolf

    *my* wish is granted, actually, every time someone makes an informed decision before choosing a data services provider. There are lots of choices. Start by looking for ones that are not “free”, which is usually a giveaway that they are gaining their revenue through other means.

    If your corporation decides to use google mail instead of office365 (or a hosted exchange server), for example, then I don’t think you can claim you’ve made a choice to support information security.

    I’ve hosted my own mailserver since 1996. my family’s email stays there, not in gmail. Sure they don’t have a snazzy web interface, but what modern phone or PC doesn’t have a workable IMAP mail client nowadays?

    Look, I buy cleaning products that are both 1) north american and 2) certified cruelty-free by the american anti-vivisection society. They cost more, but I feel it’s worth it. I buy locally-grown food where possible. I choose a power provider that does not use coal or natural gas, and I choose to keep my data with companies that don’t use it to sell me targeted advertising. I advocate all of this to everyone I know. Many of them follow my advice. I am content in this, and do not feel I have “failed” because the masses do not. My wish is to make a positive change where I can, and I do.

    So, the answer to your question is: my wish is granted every time someone wakes up and does a little research. No pikes required.

    • Disinterested-Observer

      Good on ya, mate. Fighting the good fight. I would certainly hate to see us splinter like the PFJ versus the JPF, or the JPPF, or the PFJ. Wait, we’re the PFJ! I still think we need the pikes.

  9. kvndoom

    Damn Jack, anyone who doesn’t come here would only think you’re a hippie car guy or something. You should let your inner computer nerd out more often. I bet you have some cool stories from that section of your life.

    Granted you’re not Asia Carrera, but no one will remember her as a computer geek regardless. :p

  10. LIQ

    I used to be really into this stuff during 2012-2013 when I still browsed /g/ frequently instead of /o/. About a few months ago a friend of a friend joined our Skype call. He asked for one of us to give him someone’s Skype name. Within 5 minutes he left the call and rejoined on the other person’s Skype account. He was able to do this because of all the databases of compromised user info from various, mostly gaming websites. Makes me wonder how many people have been using the same name, email, recovery questions, and password for everything since they were 12 and had no idea what they were doing on the internet.
