Nanashi comments on A pair of free information security tools I wrote - LessWrong

17 Post author: Nanashi 11 April 2015 11:03PM

You are viewing a comment permalink. View the original post to see all comments and the full post content.

Article Navigation

Comments (97)

Comments (97)

You are viewing a single comment's thread. Show more comments above.

Comment author: Nanashi 12 April 2015 09:01:55PM *  9 points [-]

Yeah... Ummmm..... There's a lot wrong with this.

  1. If I had malicious intent, it would not matter if my site were SSL or not.
  2. If my site were compromised somehow, it would not matter if my site were SSL or not.
  3. Everything about the script happens client-side.
  4. The code is written in Javascript, thus you can verify #3 by simply looking at the source code.
  5. If you're not a programmer and don't understand the source code and are still suspicious, you can copy the source code to a local file, and run it on a computer that's sandboxed from the rest of the Internet.

Don't get me wrong. I appreciate the need for constant vigilance, but this type of knee-jerk reaction is what prevents the wider scale adoption of good crypto practices.

Edit- for posterity's sake: I accidentally down voted your post when I meant to upvote it. I wasn't just being snide when I said "I appreciate the need for constant vigilance", and it definitely resulted in a good discussion. I updated my vote.

Comment author: g_pepper 12 April 2015 09:48:23PM 9 points [-]

Actually, there is still a small danger to executing this via a non-SSL encrypted web site, even if I trust that you have no malicious intent, your site has not been compromised and the script runs client-side. The danger is a man-in-the-middle attack, in which an attacker intercepts my http request for the script and replaces your script (in the response) with a version that captures my private key and sends it to a server controlled by the attacker.

I realize that most browsers won't let client-side javascript send requests to hosts other than the original host from which the javascript was loaded, but that fact won't solve the issue; the modified version of the script could send the private key to a URL apparently on your host, and the man-in-the middle daemon could intercept the request and send it to the attacker's host.

Comment author: dxu 12 April 2015 10:47:39PM *  2 points [-]

Wouldn't this be circumvented by performing Step 5 followed immediately by Step 4 before running the script? (Of course, the level of inspection necessary to determine what's going on in the script may be high enough that you may as well write your own script by that point.)

Comment author: g_pepper 12 April 2015 11:31:31PM 2 points [-]

Yes, presumably this danger could be mitigated through a combination of code inspection and sandboxing. But, one of Nanashi's stated motivations for developing this was that "I had yet to find an easy way to do this that didn't involve downloading command-line based software". I doubt that anyone who is adverse to running a command-line program would be very excited about inspecting a javascript application for security vulnerabilities and/or sandboxing it each time he/she wants to sign a message.

As much as I dislike blindly following rules in most cases, I think that ChristianKI is correct that any security-related web application ought to be secured via SSL.

Comment author: Nanashi 13 April 2015 01:26:27AM 5 points [-]

I think what I could have been more clear about was the use case here: this tool in its current form is sort of "pre-Alpha". Previously the script was just sitting locally on my computer and I thought it could be useful to others. If I ever try to deploy this on any sort of larger scale, absolutely it will be done on an SSL server. But for right now, it's just being shared amongst a few friends and the LW community.

If it turns out that people are using the tool frequently, I'll probably go ahead and pay to upgrade my hosting plan to SSL. But for something that's a free tool not meant for wide distribution, which takes about 7 seconds to right click and hit "Save As", I just didn't see it as necessary just yet.

Comment author: g_pepper 13 April 2015 02:27:29AM 2 points [-]

Understood. Obtaining an SSL cert is a hassle (and an expense if you obtain it from a cert authority) that may not be warranted for a pre-alpha release. As long as your users use discretion before signing using their "real" private keys, I don't see any issue.

Thanks for making these available; the Decoy app sounds particularly innovative.

Comment author: ChristianKl 13 April 2015 02:17:55PM 3 points [-]

The scenario that everyone runs Step 5 and Step 4 everytime they run the script is unrealistic.

Comment author: Nanashi 13 April 2015 03:23:11PM 5 points [-]

It wouldn't be every time you run the script; you would just need to vet it the first time. I expect that anyone using this for serious security purposes would just save the script locally. The point of this is that it's browser-based, not cloud-based. Saving an HTML + Javascript file with a (admittedly rudimentary) GUI is infinitely easier than downloading a command-line based program.

Comment author: ChristianKl 13 April 2015 03:10:10PM 3 points [-]

I'm not certain that it's impossible to hide a private PGP key in the the PGP signature. Are you?

Comment author: Nanashi 13 April 2015 03:25:43PM 3 points [-]

I don't really understand the question. Why would someone want to hide their private PGP key in their public PGP signature?

Comment author: ChristianKl 13 April 2015 04:13:28PM *  2 points [-]

You assume that the script can't leak the key if it's sandboxed.
For that to be true, it has to be impossible to hide the information from the private PGP key in the signature.

I did ask in security.stackexchange and according to it it's possible to steal the key.

5) doesn't guarantee security.

My own thinking on security is strongly influenced by the CCC hacker thinking. Seeing someone on stage holding a lecture on how he tracked Taiwanese money cards when he was for a few weeks there because the Taiwanese were just to stupid to implement proper security. There are a lot of cases where bad security failed and where the justification for thinking through security implications come from.

On the other hand you are right that the usability that comes out of that paradigm is lacking.

Comment author: Nanashi 13 April 2015 04:35:11PM 5 points [-]

Now that I understand what you are asking, yes, it is all but impossible to hide a private PGP key in the PGP signature which would successfully verify.

The "answer" described in that Stack Exchange post doesn't work. If you attempted that, the signature would not verify.

Comment author: ChristianKl 13 April 2015 04:42:41PM 2 points [-]

Now that I understand what you are asking, yes, it is all but impossible to hide a private PGP key in the PGP signature which would successfully verify.

How do you know?

Comment author: Nanashi 13 April 2015 06:33:39PM *  4 points [-]

A signed PGP message has three parts and thus only three places where additional information could be hidden. 1. The header 2. The message itself 3. The signature

The header is standardized. Any changes to the header itself (especially something as blatant as inserting a private key) would be enormously obvious, and would most likely result in a message that would fail to verify due to formatting issues.

The message itself can be verified by the author of the message. If anything shows up on this field that does not exactly match up with what he or she wrote, it will also be extremely obvious.

The signature itself, firstly, must be reproduced with 100% accuracy in order for the message to verify successfully. Any after-the-fact changes to either the message or the signature, will result in a message that does not verify successfully. (This is, of course, the entire purpose of a digital signature). Furthermore, the signature is generated algorithmically and cannot be manipulated by user input. The only way to change the signature would be to change the message prior to signing. However, as indicated above, this would be extremely obvious to the author.

Comment author: Pentashagon 14 April 2015 05:52:34AM 2 points [-]

https://tools.ietf.org/html/rfc4880#section-5.2.3.1 has a list of several subpackets that can be included in a signature. How many people check to make sure the order of preferred algorithms isn't tweaked to leak bits? Not to mention just repeating/fudging subpackets to blatantly leak binary data in subpackets that look "legitimate" to someone who hasn't read and understood the whole RFC.

Comment author: Nanashi 14 April 2015 11:15:27AM 5 points [-]

Remember that I did not invent the PGP protocol. I wrote a tool that uses that protocol. So, I don't know if what you are suggesting is possible or not. But I can make an educated guess.

If what you are suggesting is possible, it would render the entire protocol (which has been around for something like 20 years) broken, invalid and insecure. It would undermine the integrity of vast untold quantities of data. Such a vulnerability would absolutely be newsworthy. And yet I've read no news about it. So of the possible explanations, what is most probable?

  1. Such an obvious and easy to exploit vulnerability has existed for 20ish years, undiscovered/unexposed until one person on LW pointed it out?

  2. The proposed security flaw sounds like maybe it might work, but doesnt.

I'd say #2 is more probable by several orders of magnitude

Comment author: Pentashagon 15 April 2015 07:01:44AM 5 points [-]

Such an obvious and easy to exploit vulnerability has existed for 20ish years, undiscovered/unexposed until one person on LW pointed it out?

It's not a vulnerability. I trust gnupg not to leak my private key, not the OpenPGP standard. I also trust gnupg not to delete all the files on my hard disk, etc. There's a difference between trusting software to securely implement a standard and trusting the standard itself.

For an even simpler "vulnerability" in OpenPGP look up section 13.1.1 in RFC4880; encoding a message before signing. Just replace the pseudo-random padding with bits from the private key. Decoding (section 13.1.2) does not make any requirements on the content of PS.

Comment author: Pentashagon 15 April 2015 05:42:36AM *  2 points [-]

NOTE: lesswrong eats blank quoted lines. Insert a blank line after "Hash: SHA1" and "Version: GnuPG v1".

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Secure comment
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQgEBAEBAgduBQJVLfkkxqYUgAAAAAAKB1NzZWNyZXRAa2V5LS0tLS1CRUdJTiBQ
R1AgUFJJVkFURSBLRVkgQkxPQ0stLS0tLXxWZXJzaW9uOiBHbnVQRyB2MXx8bFFI
WUJGVXQ5WU1CQkFESnBtaGhjZXVqSHZCRnFzb0ErRnNTbUtCb3NINHFsaU9ibmFH
dkhVY0ljbTg3L1IxZ3xYNFJURzFKMnV4V0hTeFFCUEZwa2NJVmtNUFV0dWRaQU56
RVFCQXNPR3VUQW1WelBhV3ZUcURNMGRKbHEzTmdNfG1Edkl2a1BJeHBoZm1KTW1L
YmhQcTBhd3ArckFSU3BST01pMXMvWUtLRWEweUdYaFN6MG1uZkYrZ3dBUkFRQUJ8
QUFQL1MrRjBWdkxzOW5HZWZjRFNpZ0hyRjNqYXAvcCtSNTArNGdDenhuY3djelBJ
dXR5NU1McFF5NHMxQVZ2T3xNcDZrZFFDV2pVUXdWZTc4WEF3WjNRbEh5dkVONDdx
RDZjNVdOMGJuTGpPTEVIRE9RSTNPQi9FMUFrNzlVeXVRfFQ0b21IVWp5MlliVWZj
VnRwZWJOR3d4RkxpV214RW1QZG42ZGNLVFJzenAzRDdFQ0FOSWxYbWVTbXR4WFRO
REp8REFrOUdoa1N6YnoyeFladmxIekZHb0ltRmU4NGI5UGZ5MEV1dHdYUFFmUUl0
VTBGTExxbkdCeStEWnk2MmpUc3xTMDlWbkpFQ0FQV21kZXhkb1ZKSjJCbUFINHE2
RlRCNXhrUnJMTzNIRk1iZU5NT2Z2T2ducy9Fa2czWjJQcnpHfG43RGdVU1FIZTFp
UHJJODJ0VmJYYXR6RE1xMnZ3OU1DQUt5SmtONnVzUFZkVHF5aVFjMDN6anJWMUNu
YkNrK1h8WVNtekpxcFd0QzVReWlycUp3ODlWQ2dBaDh4YlorWnI0NlY2R3VhdkdD
azdPbGIzQnE1a2V4ZWU2YlFMY0dWdXxkR0Z6YUdGbmIyNkl1QVFUQVFJQUlnVUNW
UzMxZ3dJYkF3WUxDUWdIQXdJR0ZRZ0NDUW9MQkJZQ0F3RUNIZ0VDfEY0QUFDZ2tR
YTJuMThBNWR2N0owVmdQNkFzdjBrS1ZWb050ZE5WSklHWThLN2I2L1l0ZWlJNFpa
NUJtL2YzUFF8WUpCRVVGWTljV1E2TVlZWFFlYm9TWHN1amN2cWJJMkpERFZ5dDFR
SCtXdk00dFhiNmdmaGp1a2hobmxaTUNnSnx0eXp1aHdZWHloZGVaMFZmb0hOeUxP
WHQyL1VvWCtsdVd4aWhkN1Exd2IrNjljVDV1V1IrYVEwK3h6SXJpVUdlfFBReWRB
ZGdFVlMzMWd3RUVBTXU4bWc1cmZMNERnNE5TaHNDc2YyQkd2UnJhZGRDcmtxTk40
ckNwNkdCUXBGQ018MVJldGIwYURQSkhsbWpnaWdOUzBpQTgvWXdyUGx0VktieW9r
S2NXZklmYTlmNjE1SmhwNHM3eEFXSUlycGNwaHxPdjlGakRsUldYd09PbXFBYzB5
dVV4WjN2Z2JERUZPWGRuQWk2ZDJDV0Y5a1B5UTlQbG5zL3gxcGtLS0xBQkVCfEFB
RUFBL29DMmsrTWwzbGdybXMvVnlsOGl5M01GYWJTT0hBMmpYWE9oRDhDQlptenQ0
MWF5ZzRMSXlvNnQ0aGl8bHBvZWpScDJ0VmNaRE9TQWVKV3BHT2k0Nkt3T1g1VXdW
bUI4ZldTbTJobHZxbWJ0ckNWUGUzZGQzZGVCMlM2RXxsTW5qa0YxWWtDYVl5ZGZo
Mi9BQ2lpT1RrNGZPREdzdVh1eU9jKytQSUwxVllxMVJjUUlBemk2bzZFMVhYTnpV
fEJmMUs3clZ2N3luMVJBRmZ1aWkrOFA1OGNtWnVheld0WVA0bTlVNTdLNjhHN0lH
QTRINUNYa1pTS1A0bDdTWHR8ZWQ2b01vZmlVd0lBL1Bhc2hqUnJXSUVBSDk4bEJR
aXdISmZWUlBsR1R6YU92Q0I3TXYyamZIdnlCR0lvTkF0aXx1ZXByT0VTMHZUNysy
eklaU201ei9rTG03UytzV3RNbjZRSUFrend6bTdRRFhLbjNiSm9BUEgvL2dOdWlY
NHRkfFNlSHJSNTJUTmhmTzJqTEZKU040K1pjMktnTkNDYVlzQ0haUEkrc214YWQ1
YU1BeG5qN3JXRlNSWTV2RmlKOEV8R0FFQ0FBa0ZBbFV0OVlNQ0d3d0FDZ2tRYTJu
MThBNWR2N0wrZ2dQL1hVN3IzR1I2bVRsanA5SVBHQXJ2aEVhNHxRZlBSbWIzWEly
ekJBVVR0Ti9KZXA1cFVUcno0N1pQcHdkckJnZnFvOXUweDgwUCtKdlY4azR0MGpX
c09nUlFyfDQrazhMRTFMSVBFbTl2Q2h0aVd4V2Z6eGNUSUF6ZXdhN20vZ2VscU1S
aGJibVNLeGdZNkhUV2pVYml6Q3ZsQit8Z0Q5UGRMNjU4RThUQkZxSlliUT18PU1l
VEl8LS0tLS1FTkQgUEdQIFBSSVZBVEUgS0VZIEJMT0NLLS0tLS18AAoJEGtp9fAO
Xb+yVvEEAJkkFIaHkFJ6OTKrKge/7+C9Vn+IkoMIq1bqsyyhClMVnuqiAG6fhqzv
glYeeVxtqYac9ecSzIbuszaHckcdA/q2onyeXjW1nfaBy2EdsxGuwCxvr+ac17v2
HhSKU/BXYMNRm7vLjDnRq99ON5+1F6IwY7rmuMJZuVOYEqPBdaTs
=FDzi
-----END PGP SIGNATURE-----

Output of gpg --verify:

gpg: Signature made Tue 14 Apr 2015 10:37:40 PM PDT using RSA key ID 0E5DBFB2
gpg: Good signature from "pentashagon"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B501 B12E 5184 8694 4557 01FC 6B69 F5F0 0E5D BFB2

Output of gpg -vv --verify:

gpg: armor: BEGIN PGP SIGNED MESSAGE
gpg: armor header: Hash: SHA1
:packet 63: length 19 - gpg control packet
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1
:literal data packet:
mode t (74), created 0, name="",
raw data: unknown length
gpg: original file name=''
:signature packet: algo 1, keyid 6B69F5F00E5DBFB2
version 4, created 1429076260, md5len 0, sigclass 0x01
digest algo 2, begin of digest 56 f1
hashed subpkt 2 len 4 (sig created 2015-04-15)
hashed subpkt 20 len 1893 (notation: secret@key=-----BEGIN PGP PRIVATE KEY BLOCK-----|Version: GnuPG v1||lQHYBFUt9YMBBADJpmhhceujHvBFqsoA+FsSmKBosH4qliObnaGvHUcIcm87/R1g|X4RTG1J2uxWHSxQBPFpkcIVkMPUtudZANzEQBAsOGuTAmVzPaWvTqDM0dJlq3NgM|mDvIvkPIxphfmJMmKbhPq0awp+rARSpROMi1s/YKKEa0yGXhSz0mnfF+gwARAQAB|AAP/S+F0VvLs9nGefcDSigHrF3jap/p+R50+4gCzxncwczPIuty5MLpQy4s1AVvO|Mp6kdQCWjUQwVe78XAwZ3QlHyvEN47qD6c5WN0bnLjOLEHDOQI3OB/E1Ak79UyuQ|T4omHUjy2YbUfcVtpebNGwxFLiWmxEmPdn6dcKTRszp3D7ECANIlXmeSmtxXTNDJ|DAk9GhkSzbz2xYZvlHzFGoImFe84b9Pfy0EutwXPQfQItU0FLLqnGBy+DZy62jTs|S09VnJECAPWmdexdoVJJ2BmAH4q6FTB5xkRrLO3HFMbeNMOfvOgns/Ekg3Z2PrzG|n7DgUSQHe1iPrI82tVbXatzDMq2vw9MCAKyJkN6usPVdTqyiQc03zjrV1CnbCk+X|YSmzJqpWtC5QyirqJw89VCgAh8xbZ+Zr46V6GuavGCk7Olb3Bq5kexee6bQLcGVu|dGFzaGFnb26IuAQTAQIAIgUCVS31gwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC|F4AACgkQa2n18A5dv7J0VgP6Asv0kKVVoNtdNVJIGY8K7b6/YteiI4ZZ5Bm/f3PQ|YJBEUFY9cWQ6MYYXQeboSXsujcvqbI2JDDVyt1QH+WvM4tXb6gfhjukhhnlZMCgJ|tyzuhwYXyhdeZ0VfoHNyLOXt2/UoX+luWxihd7Q1wb+69cT5uWR+aQ0+xzIriUGe|PQydAdgEVS31gwEEAMu8mg5rfL4Dg4NShsCsf2BGvRraddCrkqNN4rCp6GBQpFCM|1Retb0aDPJHlmjgigNS0iA8/YwrPltVKbyokKcWfIfa9f615Jhp4s7xAWIIrpcph|Ov9FjDlRWXwOOmqAc0yuUxZ3vgbDEFOXdnAi6d2CWF9kPyQ9Plns/x1pkKKLABEB|AAEAA/oC2k+Ml3lgrms/Vyl8iy3MFabSOHA2jXXOhD8CBZmzt41ayg4LIyo6t4hi|lpoejRp2tVcZDOSAeJWpGOi46KwOX5UwVmB8fWSm2hlvqmbtrCVPe3dd3deB2S6E|lMnjkF1YkCaYydfh2/ACiiOTk4fODGsuXuyOc++PIL1VYq1RcQIAzi6o6E1XXNzU|Bf1K7rVv7yn1RAFfuii+8P58cmZuazWtYP4m9U57K68G7IGA4H5CXkZSKP4l7SXt|ed6oMofiUwIA/PashjRrWIEAH98lBQiwHJfVRPlGTzaOvCB7Mv2jfHvyBGIoNAti|ueprOES0vT7+2zIZSm5z/kLm7S+sWtMn6QIAkzwzm7QDXKn3bJoAPH//gNuiX4td|SeHrR52TNhfO2jLFJSN4+Zc2KgNCCaYsCHZPI+smxad5aMAxnj7rWFSRY5vFiJ8E|GAECAAkFAlUt9YMCGwwACgkQa2n18A5dv7L+ggP/XU7r3GR6mTljp9IPGArvhEa4|QfPRmb3XIrzBAUTtN/Jep5pUTrz47ZPpwdrBgfqo9u0x80P+JvV 8k4t0jWsOgRQr|4+k8LE1LIPEm9vChtiWxWfzxcTIAzewa7m/gelqMRhbbmSKxgY6HTWjUbizC vlB+|gD9PdL658E8TBFqJYbQ=|=MeTI|-----END PGP PRIVATE KEY BLOCK-----|)
subpkt 16 len 8 (issuer key ID 6B69F5F00E5DBFB2)
data: [1024 bits]
gpg: Signature made Tue 14 Apr 2015 10:37:40 PM PDT using RSA key ID 0E5DBFB2
gpg: using PGP trust model
gpg: Good signature from "pentashagon"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B501 B12E 5184 8694 4557 01FC 6B69 F5F0 0E5D BFB2
gpg: textmode signature, digest algorithm SHA1

I ran the exported (unencrypted) private key through tr '\n' '|' to get a single line of text to set, and created the signature with:

gpg -a --clearsign --sig-notation secret@key="exported-secret-key-here" -u pentashagon

Let me know if your OpenPGP software of choice makes it any more clear that the signature is leaking the private key without some sort of verbose display.

Comment author: itaibn0 14 April 2015 02:57:26PM 2 points [-]

I've never seen it stated as a requirement of the PGP protocol that it is impossible to hide extra information in a signature. In an ordinary use case this is not a security risk; it's only a problem when the implementation is untrusted. I have as much disrespect as anyone towards people who think they can easily achieve what experts who spent years thinking about it can't, but that's not what is going on here.

Comment author: ChristianKl 13 April 2015 06:55:28PM *  -2 points [-]

Furthermore, the signature is generated algorithmically and cannot be manipulated by user input.

"Algorithmically" doesn't mean that there exactly one way to create a valid signature. Hash functions quite often have collisions.

Comment author: Nanashi 13 April 2015 08:08:53PM *  6 points [-]

I'm downvoting this comment because it's misleading.

First of all, no one has ever found an SHA-2 hash collision yet. Second of all, the chances of two SHA-2 hashes colliding is about 1 in 1 quattuorvigintillion. It's so big I had to look up what the number name was. It's 1 with 77 zeroes after it. We're talking universe-goes-into-heat-death-before-it-happens type odds. Only under the most absurd definition of "quite often" could anyone ever reasonably claim that a cryptographic hash function like SHA-2 "quite often" has collisions.

Comment author: dxu 13 April 2015 08:13:10PM 0 points [-]

It's 1 with 77 zeroes after it.

Not that I disagree with your general point, but... 77 isn't a multiple of 3.

Comment author: [deleted] 15 April 2015 03:57:05PM 1 point [-]

Don't get me wrong. I appreciate the need for constant vigilance, but this type of knee-jerk reaction is what prevents the wider scale adoption of good crypto practices.

Don't set the bar lower; encourage competence. I'll quote this in order to further explain:

The problem is, I had yet to find an easy way to do this that didn't involve downloading command-line based software.

Why not use command line software? This is an important question I have a cached answer to, but I often find my own answer non-satisfactory. We should be living in a tell culture, so I'll tell you that in my experience, there's some sort of dichtomy between CLI and GUI and that gap is usually experienced people on one hand and inexperienced on the other.

I don't have anything to say against the experienced people, but I will say that the inexperienced ones, that seemingly always prefer the GUI also tend to suffer from learned helplessness, and more directly, baby duck syndrome.

That's not to say that they aren't right in a certain way of thought - they want things to be simple - but I often wonder if this is my own optimism about people in general, rather than the inexperienced people's refusal to learn and adapt a factually better way. Many a nerd/geek/enthusianist are baffled and infuriated when their attempts to actually better the world around them is simply bounced off despite their indisputable intent to help those around them. (This is how it feels like, by the way http://www.coding2learn.org/blog/2013/07/29/kids-cant-use-computers/)

But because they're inexperienced, wouldn't that mean that in due time they're going to run into problems? If you have a problem you did not know how to adequately solve, and someone is offering you a solution, would that mean your problem is solved? Not at all, unless you know both your problem good enough that you can say the solution will solve it. The inexperienced people are at the mercy of anyone who is going to give them a solution - and wouldn't you say it's a rationality failure to not correctly solve your problems?

I think that it was in the "shut up and multiply" page on the wiki that says that a whole human life is simply too significant in proximity to a certain fear, or a problem of unknown complexity. Or rather the opposite, fears and problems and other demotivating things that actively delay or even stunt growth are simply too insignificant in front of a whole human life (and that could be your life as well!) that stopping at those should simply not be an option, and is a negative consequence option no matter the situation.

Now, can you tell me why us, the people that actively try to improve our surroundings, the people that care about our environment, the people who are consistently shunned despite our unmistakable, undeniable, and unbelievable effort we put in, are putting in, and will put in, deserve to be completely, unforgivingly, and absolutely pushed aside, once again? Other that being just another plus one to the statistical curve; and secondly, why the implications that people pick up a few books, read a few articles here and there, and perhaps, more bottom line than those previous suggestions, learn some helpfulness, shut up and multiply, and grow up from their baby duck syndrome is such an horrendous thought, and worse, very seldom a suggestion?

And as for a good closing paragraph, I'd like to say that it's my belief that as an adult, you are responsible and indeed must work to self-improve yourself, and in extent, to anything and everyone around you. (Anyone here playing cops and robbers need not apply) I had some more to add but it slipped from my mind. Now, can I please have some answers?

(HAPPY WATCHLIST FOR ME)

Comment author: Nanashi 15 April 2015 07:55:34PM 3 points [-]

If you are trying to trying to make the world a better place and find yourself pushed aside, shunned, bounced off, etc. you are doing it wrong. Stop blaming the people in the world for your inability to change them.

People can be stupid and stubborn. There are two ways around the problem. You can either convince them to stop being stupid and stubborn, in which case you are a salesperson. Or you can develop a solution that works around the problem, in which case you are an engineer. If you do neither and instead complain about how stubborn and stupid people are, then you are a whiner.

With this issue, the constraint is simple: people use GUIs, not CLIs. Doesn't matter which one is better. It matters which one people use. If you are taking the sales approach to the problem, you can try to convince people to use a CLI insetad of a GUI. If you are taking the engineering approach to the problem, you can try to build a better GUI. If you are taking the whiner's approach to the problem, you can tell people who build GUIs that CLIs are better.

Powered by Reddit Powered by Reddit