
Jun. 5th, 2025 08:15 am
[personal profile] necrophilia
I finished Life is Strange: Double Exposure!

tl;dr — I really enjoyed it. It might be my favourite LiS game. (Someone ask me my ranking. I dare you.)

Full spoilers below the cut.

( Welcome to the temporal mosh pit )

May Reads!

Jun. 5th, 2025 10:17 am
[personal profile] mozaikmage

Last month I read too many long books, so this month I read a lot of really short books! I wrote this up a few days ago but only found the time to post it now rip. Anyway, here we go!

My Nemesis by Charmaine Craig

I… don’t know if I liked it or not. I don’t think I understood it very well. Short, but felt like it took a long time to read.

Have His Carcase by Dorothy L. Sayers

Fun! It’s interesting how much Dorothy Sayers likes her detectives: Wimsey and Harriet are her little blorbos and she thinks they’re so fun and she wants to write about them doing fun things. While Agatha Christie clearly does not really like any of her detective characters as much as she likes her puzzles and mysteries. I feel like it could’ve been shorter though. Still unsure if I wanna try Gaudy Night or not.

Great Big Beautiful Life by Emily Henry

I think Henry's characterization and framing of the interviewing-an-aging-celebrity setup worked better than the same setup in Evelyn Hugo, but the romance was unconvincing and the final twist didn’t land super well. Also Evelyn Hugo did have more Diversity even if it was also very annoying about it (‘being bisexual… is just like being biracial’ was somehow a repeated motif in Evelyn Hugo. which. okay) I guess with straight white women authors you gotta pick your poison huh. The romantic leads did have convincing physical chemistry, even though the sex scenes were more implied than explicit.

Convenience Store Woman by Sayaka Murata

I Get It Now. So short and sweet but man. She’s so right. Long live the minimum wage service worker.

Flirting Lessons by Jasmine Guillory

Hm. It keeps telling me these women are sexually attracted to other women but without describing any of them thinking about other women in a sexual manner at all. Both POV characters are constantly saying the other is super hot, without describing what is hot about her. Does she have big boobs, long legs, nice eyes? Who knows! Sometimes their clothes are described at least. It's not even that it's not explicit they're not... in their bodies enough? Not having enough bodily reactions to things, or reacting enough to body things, even when doing body-related events like salsa dancing and attending a burlesque show. The sex scenes felt like Insert Finger A into Hole B, rote lists of events with no emotion attached to them. Remarkably unhorny for a book with multiple sex scenes. Felt like an “eat your vegetables” kind of F/F. Also I found it implausible that Taylor's long string of exes were all just totally fine and cool with no longer dating Taylor and that there were zero lingering messy feelings on anyone's part at all.

Thornhedge by T. Kingfisher

Fun enough, a fairytale twist/retelling. Short and sweet. I wish I was allowed to write novellas.

Cover Story by Celia Laskey

OP said this was originally set in present day and then rewritten to be in 2005 and it was not rewritten hard enough because it does Not feel like 2005 at all. Characters reference memes and fashion trends that did not exist in 2005 and there’s not nearly enough ambient homophobia to be plausible/make the closet thing make any sense, especially with how the characters talk about being gay and out in a very not-2005 kind of way. They weren't even doing Target Pride Collections yet in 2005! I have a weakness for mid-2000s chick lit and that’s why this feels so off to me. It doesn’t sound like the Devil Wears Prada, or Sex and the City, or any of those types of books. But Y2K is in and cool now, OP should’ve leaned into it more! Sex scenes and relationship were both fine enough I guess.
Hilariously the book got one-star bombed by Swifties accusing OP of being a Gaylor which, if that's true, I did not pick up on it because the Celebrity Character read a lot more like a knockoff Kristen Stewart than anyone else.

Small Things Like These by Claire Keegan

Very short, but dense. Lots going on. Very clear atmosphere and very direct story.

Her Majesty’s Royal Coven by Juno Dawson

Very cruel sequel hook, very topical and pointed subject matter. I don’t know if it’s a stylistic choice or the editor just ignored it but none of the dialogue is punctuated correctly? Otherwise the prose is fine and that one Goodreads reviewer was exaggerating. The magic system made sense.

Nicked by M. T. Anderson

FIVE STAR READ: whimsical, funny, entertaining, AND gay. M. T. Anderson is so good at words, the opening and ending both hit so well. Loved, loved, loved. Might have to buy a copy now.

Disney High: The Untold Story of the Rise and Fall of Disney Channel's Tween Empire by Ashley Spencer

I stayed up late to inhale this but I don’t know if I’d call this “good,” I was just a disney channel kid at exactly the correct time to be invested in extra lore about my childhood favorite shows. I don’t think the structure worked well, it should’ve been chronological because a lot of the later chapters had overlapping “recurring characters” I guess (like the Jonas Brothers, Miley, Selena, Demi, etc) and that got confusing. The “fall” part in the title happened entirely in a 5 page epilogue, which, lol. Overall feeling was that Disney Channel was really good when the author was at the right age to enjoy it and got worse when they grew out of it. Fortunately this coincided perfectly with the age I was watching it so I had fun reading about things I cared about when I was young.

Like Real People Do by E.L. Massey

Decent fic that doesn’t function as well on its own.

How to Summon a Fairy Godmother by Laura J. Mayo

Not funny but trying very hard to be. Ending was extremely satisfying, but most of the buildup to it was less satisfying. Everyone kept speaking in big paragraphs with no body language or description to break it up, which annoyed me.

Thick as Thieves by Megan Whalen Turner

Read for reference on my romantasy wip and I did enjoy it a lot. Reminded me of Nicked lol. I liked the worldbuilding and the characters.

Personal updates: starting my editorial internship next week aaaaaaaaaaaaaaa. hopefully it goes well!


[personal profile] mjg59
As I wrote in my last post, Twitter's new encrypted DM infrastructure is pretty awful. But the amount of work required to make it somewhat better isn't large.

When Juicebox is used with HSMs, it supports encrypting the communication between the client and the backend. This is handled by generating a unique keypair for each HSM. The public key is provided to the client, while the private key remains within the HSM. Even if you can see the traffic sent to the HSM, it's encrypted using the Noise protocol and so the user's encrypted secret data can't be retrieved.

But this is only useful if you know that the public key corresponds to a private key in the HSM! Right now there's no way to know this, but there's worse - the client doesn't have the public key built into it, it's supplied as a response to an API request made to Twitter's servers. Even if the current keys are associated with the HSMs, Twitter could swap them out with ones that aren't, terminate the encrypted connection at their endpoint, and then fake your query to the HSM and get the encrypted data that way. Worse, this could be done for specific targeted users, without any indication to the user that this has happened, making it almost impossible to detect in general.

This is at least partially fixable. Twitter could prove to a third party that their Juicebox keys were generated in an HSM, and the key material could be moved into clients. This makes attacking individual users more difficult (the backdoor code would need to be shipped in the public client), but can't easily help with the website version[1] even if a framework exists to analyse the clients and verify that the correct public keys are in use.

It's still worse than Signal. Use Signal.

[1] Since they could still just serve backdoored Javascript to specific users. This is, unfortunately, kind of an inherent problem when it comes to web-based clients - we don't have good frameworks to detect whether the site itself is malicious.

We Continue.

Jun. 5th, 2025 12:25 pm
[personal profile] rionaleonhart
My gaming partner Tem has been away for a few days, so I've been taking an enforced break from ludicrous child soldier simulator The Hundred Line: Last Defense Academy.

I was itching for something else to play in the meantime, so I've picked up Clair Obscur: Expedition 33. I'm having a really good time with it!

The central concept of Clair Obscur is so interesting. This is the main reason I took an interest in this game; I looked up the central premise and went, 'Huh, that's really unusual and fascinating.' The fact that a lot of people I follow on Dreamwidth are playing and enjoying it definitely helped to recommend it! But just learning the premise was the first thing that tempted me to play this game.

I'll pop the premise behind a short cut, just in case anyone wants to go into this game knowing nothing at all. This cut only contains the basic concept of the game; there's a more spoilery cut further down the post.


( The premise of Clair Obscur: Expedition 33. )


I was a little nervous about the battle system, but I'm enjoying it! It's challenging - more than once I've had my party wiped out during a regular enemy encounter - but I'm having fun. I tend not to like games that really expect you to be able to parry with precise timing, but it turns out that's a demand I'm a lot more comfortable with in a turn-based battle system; I only have to focus on parrying during the enemy's turn, rather than having to worry about it all the time.

The scenery is gorgeous. I love how weird and dreamlike the landscapes are. Incredible soundtrack, too.

Major spoilers below the cut! I've just reached the Forgotten Battlefield.


( Spoilers for Clair Obscur: Expedition 33. )


As a final note: Clair Obscur is perhaps the Frenchest game I've ever played, which is saying something, given that I've played Assassin's Creed: Unity.

[personal profile] mjg59
(Edit: Twitter could improve this significantly with very few changes - I wrote about that here. It's unclear why they'd launch without doing that, since it entirely defeats the point of using HSMs)

When Twitter[1] launched encrypted DMs a couple of years ago, it was the worst kind of end-to-end encrypted - technically e2ee, but in a way that made it relatively easy for Twitter to inject new encryption keys and get everyone's messages anyway. It was also lacking a whole bunch of features such as "sending pictures", so the entire thing was largely a waste of time. But a couple of days ago, Elon announced the arrival of "XChat", a new encrypted message platform built on Rust with (Bitcoin style) encryption, whole new architecture. Maybe this time they've got it right?

tl;dr - no. Use Signal. Twitter can probably obtain your private keys, and admit that they can MITM you and have full access to your metadata.

The new approach is pretty similar to the old one in that it's based on pretty straightforward and well tested cryptographic primitives, but merely using good cryptography doesn't mean you end up with a good solution. This time they've pivoted away from using the underlying cryptographic primitives directly and into higher level abstractions, which is probably a good thing. They're using Libsodium's boxes for message encryption, which is, well, fine? It doesn't offer forward secrecy (if someone's private key is leaked then all existing messages can be decrypted) so it's a long way from the state of the art for a messaging client (Signal's had forward secrecy for over a decade!), but it's not inherently broken or anything. It is, however, written in C, not Rust[2].

That's about the extent of the good news. Twitter's old implementation involved clients generating keypairs and pushing the public key to Twitter. Each client (a physical device or a browser instance) had its own private key, and messages were simply encrypted to every public key associated with an account. This meant that new devices couldn't decrypt old messages, and also meant there was a maximum number of supported devices and terrible scaling issues and it was pretty bad. The new approach generates a keypair and then stores the private key using the Juicebox protocol. Other devices can then retrieve the private key.

Doesn't this mean Twitter has the private key? Well, no. There's a PIN involved, and the PIN is used to generate an encryption key. The stored copy of the private key is encrypted with that key, so if you don't know the PIN you can't decrypt the key. So we brute force the PIN, right? Juicebox actually protects against that - before the backend will hand over the encrypted key, you have to prove knowledge of the PIN to it (this is done in a clever way that doesn't directly reveal the PIN to the backend). If you ask for the key too many times while providing the wrong PIN, access is locked down.

But this is true only if the Juicebox backend is trustworthy. If the backend is controlled by someone untrustworthy[3] then they're going to be able to obtain the encrypted key material (even if it's in an HSM, they can simply watch what comes out of the HSM when the user authenticates if there's no validation of the HSM's keys). And now all they need is the PIN. Turning the PIN into an encryption key is done using the Argon2id key derivation function, using 32 iterations and a memory cost of 16MB (the Juicebox white paper says 16KB, but (a) that's laughably small and (b) the code says 16 * 1024 in an argument that takes kilobytes), which makes it computationally and moderately memory expensive to generate the encryption key used to decrypt the private key. How expensive? Well, on my (not very fast) laptop, that takes less than 0.2 seconds. How many attempts do I need to crack the PIN? Twitter's chosen to fix that to 4 digits, so a maximum of 10,000. You aren't going to need many machines running in parallel to bring this down to a very small amount of time, at which point private keys can, to a first approximation, be extracted at will.

Juicebox attempts to defend against this by supporting sharding your key over multiple backends, and only requiring a subset of those to recover the original. I can't find any evidence that Twitter's does seem to be making use of this, Twitter uses three backends and requires data from at least two, but all the backends used are under x.com so are presumably under Twitter's direct control. Trusting the keystore without needing to trust whoever's hosting it requires a trustworthy communications mechanism between the client and the keystore. If the device you're talking to can prove that it's an HSM that implements the attempt limiting protocol and has no other mechanism to export the data, this can be made to work. Signal makes use of something along these lines using Intel SGX for contact list and settings storage and recovery, and Google and Apple also have documentation about how they handle this in ways that make it difficult for them to obtain backed up key material. Twitter has no documentation of this, and as far as I can tell does nothing to prove that the backend is in any way trustworthy. (Edit to add: The Juicebox API does support authenticated communication between the client and the HSM, but that relies on you having some way to prove that the public key you're presented with corresponds to a private key that only exists in the HSM. Twitter gives you the public key whenever you communicate with them, so even if they've implemented this properly you can't prove they haven't made up a new key and MITMed you the next time you retrieve your key)

On the plus side, Juicebox is written in Rust, so Elon's not 100% wrong. Just mostly wrong.

But ok, at least you've got viable end-to-end encryption even if someone can put in some (not all that much, really) effort to obtain your private key and render it all pointless? Actually no, since you're still relying on the Twitter server to give you the public key of the other party and there's no out of band mechanism to do that or verify the authenticity of that public key at present. Twitter can simply give you a public key where they control the private key, decrypt the message, and then reencrypt it with the intended recipient's key and pass it on. The support page makes it clear that this is a known shortcoming and that it'll be fixed at some point, but they said that about the original encrypted DM support and it never was, so that's probably dependent on whether Elon gets distracted by something else again. And the server knows who and when you're messaging even if they haven't bothered to break your private key, so there's a lot of metadata leakage.

Signal doesn't have these shortcomings. Use Signal.

[1] I'll respect their name change once Elon respects his daughter

[2] There are implementations written in Rust, but Twitter's using the C one with these JNI bindings

[3] Or someone nominally trustworthy but who's been compelled to act against your interests - even if Elon were absolutely committed to protecting all his users, his overarching goals for Twitter require him to have legal presence in multiple jurisdictions that are not necessarily above placing employees in physical danger if there's a perception that they could obtain someone's encryption keys
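Both of mjg59's posts above come down to the same missing client-side check: the realm public keys arrive from Twitter's API and nothing ties them to keys that only exist inside an HSM. As an added example (not code from the posts, from Juicebox or from Twitter), here is what that check looks like when the client ships with pinned fingerprints of attested HSM keys and uses the 3-backend, 2-of-3 threshold the second post describes: an API-supplied key is accepted only if it matches a pin, a single substituted key for a targeted user is rejected rather than used, and recovery is refused when fewer than the threshold verify. The JSON response shape, realm names and key bytes are constructed for illustration.

```python
import hashlib
import hmac
import json


def fingerprint(public_key: bytes) -> str:
    """SHA-256 hex fingerprint of a backend public key."""
    return hashlib.sha256(public_key).hexdigest()


# Constructed stand-ins for the three HSM public keys (32 bytes each).
GENUINE_HSM_KEYS = {
    "realm-a": bytes(range(0, 32)),
    "realm-b": bytes(range(32, 64)),
    "realm-c": bytes(range(64, 96)),
}
# A key whose private half sits with whoever controls the API server, not in an HSM.
SUBSTITUTED_KEY = bytes(range(96, 128))

# What the client should ship with instead of trusting the API for keys:
# fingerprints of HSM keys whose in-HSM generation was attested to a third party.
PINNED_FINGERPRINTS = {name: fingerprint(k) for name, k in GENUINE_HSM_KEYS.items()}

# From the post: three backends, shares from at least two needed to recover.
THRESHOLD = 2


class UntrustedBackendKey(Exception):
    """Raised when too few realm keys can be tied to a pinned HSM key."""


def make_key_response(keys: dict) -> str:
    """Build a constructed API response in the shape this example parses."""
    realms = [{"name": n, "public_key": k.hex()} for n, k in keys.items()]
    return json.dumps({"realms": realms})


def verify_realm_keys(api_response: str, pinned: dict, threshold: int) -> tuple:
    """Split API-supplied realm keys into (accepted, rejected).

    A realm is accepted only if its key matches a pinned fingerprint. Shares
    go only to accepted realms, so an attacker who substituted fewer than
    `threshold` keys never holds enough shares. If fewer than `threshold`
    realms verify, recovery would require trusting a substituted key, so the
    client must refuse rather than proceed.
    """
    realms = json.loads(api_response)["realms"]
    accepted, rejected = {}, []
    for realm in realms:
        name = realm["name"]
        key = bytes.fromhex(realm["public_key"])
        expected = pinned.get(name)
        # Constant-time compare; an unknown realm has no pin and is rejected.
        if expected is not None and hmac.compare_digest(fingerprint(key), expected):
            accepted[name] = key
        else:
            rejected.append(name)
    if len(accepted) < threshold:
        raise UntrustedBackendKey(
            f"only {len(accepted)} of {len(realms)} realm keys verified; need {threshold}"
        )
    return accepted, rejected


if __name__ == "__main__":
    # Honest response: all three keys verify.
    ok, _ = verify_realm_keys(make_key_response(GENUINE_HSM_KEYS), PINNED_FINGERPRINTS, THRESHOLD)
    print("honest:", sorted(ok))
    # One realm key swapped for a targeted user: detected, client uses the other two.
    one_bad = {**GENUINE_HSM_KEYS, "realm-b": SUBSTITUTED_KEY}
    ok, bad = verify_realm_keys(make_key_response(one_bad), PINNED_FINGERPRINTS, THRESHOLD)
    print("one substituted:", sorted(ok), "rejected:", bad)
    # Two swapped keys would give the substituter enough shares: refuse.
    two_bad = {**one_bad, "realm-c": SUBSTITUTED_KEY}
    try:
        verify_realm_keys(make_key_response(two_bad), PINNED_FINGERPRINTS, THRESHOLD)
    except UntrustedBackendKey as exc:
        print("two substituted:", exc)
```

With an empty pin set, which is the situation the posts describe (the client has no keys built in), every realm is rejected and recovery is refused, which is the failure mode you want instead of silently talking to whatever key the server hands over.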

(no subject)

Jun. 4th, 2025 08:47 pm
[personal profile] skygiants
Over Memorial Day weekend [personal profile] genarti and I were on a mini-vacation at her family's cabin in the Finger Lakes, which features a fantastic bookshelf of yellowing midcentury mysteries stocked by [personal profile] genarti's grandmother. Often when I'm there I just avail myself of the existing material, but this time -- in increasing awareness of the way our own books are threatening to spill over our shelves again -- I seized this as an opportunity to check my bookshelves for the books that looked most like they belonged in a cabin in the Finger Lakes to read while I was there and then leave among their brethren.

As a result, I have now finally read the second-to-last of the stock of Weird Joan Aikens that [personal profile] coffeeandink gave me many years ago now, and boy was it extremely weird!

My favorite Aiken books are often the ones where I straight up can't tell if she's attempting to sincerely Write in the Genre or if she is writing full deadpan parody. I think The Embroidered Sunset is at least half parody, in a deadpan and melancholy way. I actually have a hypothesis that someone asked Joan Aiken to write a Gothic, meaning the sort of romantic suspense girl-flees-from-house form of the genre popular in the 1970s, and she was like "great! I love the Gothic tradition! I will give you a plucky 1970s career girl and a mystery and a complex family history and several big creepy houses! would you also like a haunted seaside landscape, the creeping inevitability of loss and death, some barely-dodged incest and a tragic ending?" and Gollancz, weary of Joan Aiken and her antics, was just like "sure, Joan. Fine. Do whatever."

Our heroine, Lucy, a talented, sensible, cross and rather ugly girl with notably weird front teeth, is frequently jokingly referred to as Lucy Snowe by one of her love interests; the big creepy old age home in which much of the novel takes place is called Wildfell Hall; at one point Lucy knocks on the front door of Old Colonel Linton and he's like 'oh my god! you look just like my great-grandmother Cathy Linton, nee Earnshaw! it's the notably weird front teeth!' Joan Will Have Her Little Jokes.

The plot? The plot. Lucy, an orphan being raised in New England by her evil uncle and his hapless wife and mean daughter, wants to go study music in England with the brilliant-but-tragically-dying refugee pianist Max Benovek. Her uncle pays her fare across the Atlantic, on the condition that she go and investigate a great-aunt who has been pulling a pension out of the family coffers for many years; the great-aunt was Living Long Term with Another Old Lady (the L word is not said but it is really felt) and one of them has now died, but no one is really clear which.

The evil uncle suspects that the surviving old lady may not be the great-aunt and may instead be Doing Fraud, so Lucy's main task is to locate the old lady and determine whether or not she is in fact her great-aunt. Additionally, the great aunt was a brilliant folk artist unrecognized in her own time and so the evil uncle has assigned Lucy a side quest of finding as many of her paintings as possible and bringing them back to be sold for many dollars.

However, before setting out on any of these quests, Lucy stops in on the dying refugee pianist to see if he will agree to teach her. They have an immediate meeting of the minds and souls! Not only does Max agree to take her on as His Last Pupil, he also immediately furnishes her with cash and a car, because her plan of hitchhiking down to Aunt Fennel's part of the UK could endanger her beautiful pianist's hands!! Now Lucy has a brilliant future ahead of her with someone who really cares about her, but also a ticking clock: she has to sort out this whole great-aunt business before Max progresses from 'tragically dying' to 'tragically dead.'

The rest of the book follows several threads:
- Lucy bopping around the World's Most Depressing Seaside Towns, which, it is ominously and repeatedly hinted, could flood catastrophically at any moment, grimly attempting to convince a series of incredibly weird and variably depressed locals to give her any information or paintings, which they are deeply disinclined to do
- Max, in his sickroom, reading Lucy's letters and going 'gosh I hope I get to teach that girl ... it would be my last and most important life's work .... BEFORE I DIE'
- Sinister Goings On At The Old Age Home! Escaped Convicts!! Secret Identities!!! What Could This All Have To Do With Lucy's Evil Uncle? Who Could Say! Is Their Doctor Faking Being Turkish? Who Could Say!! Why Does That One Old Woman Keep Holding Up An Electric Mixer And Remarking How Easy It Would Be To Murder Someone With It? Who Could Say That Either!!!
- an elderly woman who may or may not be Aunt Fennel, in terrible fear of Something, stacked into dingy and constrained settings packed with other old and fading strangers, trying not to think too hard about her dead partner and their beloved cat and the life that she used to have in her own home where she was happy and loved .... all of these sections genuinely gave me big emotions :(((

Eventually all these plotlines converge with increasingly chaotic drama! Lucy and the old lady meet and have a really interesting, affectionate but complicated relationship colored by deep loneliness and suspicion on both sides; again, I really genuinely cared about this! Lucy, who sometimes exhibits random psychic tendencies, visits the lesbian cottage and finds it is so powerfully and miserably haunted by the happiness that it once held and doesn't anymore that she nearly passes out about it! Then the whole thing culminates in ( huge spoilers )

Anyway. A wild time. Some parts I liked very much! I hit the end and shrieked and then forced Beth to read it immediately because I needed to scream about it, and now it lives among its other yellowing paperback friends on the Midcentury Mysteries shelf for some other unsuspecting person to find and scream about.

NB: in addition to everything else a cat dies in this book .... Joan Aiken hates this cat in particular and I do not know why. She likes all the other cats! But for some reason she really wants us to understand that this cat has bad vibes and we should not be sad when it gets got. But me, I was sad.

things to be aware of

Jun. 4th, 2025 06:29 pm
[personal profile] mindstalk

If you've read Sherlock Holmes, you likely recall his supposedly paying attention to all details around him, like how many steps were in the staircase. That seems mostly unnecessary[1], and 'all' details is bunk/impossible... but I am building up a list of things to try to be more conscious of, whether for personal utility or good citizenship. And a recent afternoon where I kept an eye out for bike racks, in an area I've been up and down multiple times since March, and discovered many racks I had been totally unaware of, highlighted how much difference conscious attention can make. ( Read more... )

[personal profile] althea_valara posting in [community profile] finalfantasy
Yes, Final Fantasy Tactics is coming to multiple platforms on September 30th!

Caves of Narshe news article: https://www.cavesofnarshe.com/news/article/its-finally-here-the-ivalice-chronicles/

Square Enix official blog: https://www.square-enix-games.com/en_US/news/final-fantasy-tactics-the-ivalice-chronicles

There will be a collector's box full of goodies.

I am very hyped, because I have long wanted to play Tactics but lacked a method to do so (I do own the iOS version, but my phone is small and I can't see it.) I'm just trying to decide which platform to get it on. I could do PS5, original Switch, or Steam. DECISIONS!
