ydal

Two-factor authentication: an often-overlooked fallacy

First off: I’m not saying that two-factor authentication (2-FA) is bad. It’s a rather good method. But people should be aware of what their authentication factors really are, and not presume properties that they do not have.

Let me explain.

We all know about the quality of the easy “something you know” factor: it’s a password/-phrase/-poem or similar, stuff that you can easily memorize and thus do not need to carry around outside of your head. Let me repeat: it’s a memorizable quantum of information. Thus, the only safe storage for this — logically — is your head, as this information can be extracted terribly easily by humans if it’s anywhere else. That means reading it off a post-it, finding the file containing the password — or even guessing it, because, let’s face it, many people use mnemonic passwords.

As the name of 2-FA implies, there’s also a second factor, often described by the phrases “something you have” or “something you are”. What these mnemonics insinuate is that there is nothing that you “know” about these factors, which — although in most cases mostly true — isn’t accurate.

When using common second factors like cryptographic tokens, keys, biometric data or similar, you shouldn’t forget that you’re still dealing with simple information. It’s just that this particular piece of information, usually, is not memorizable in the usual terms. A key’s bitting can easily be mapped into information describing where the cuts are, how deep they are, etc. A human’s DNA can be represented in a pretty long string. A key ring authentication fob is usually little more than a secret “seed” plus an algorithm applied to it.

So it’s not that it’s impossible to gain access to the second factor without possessing it, it’s just way less trivial than a simple effort of memorization. Key fobs don’t allow you to view the seed, for example, but if you can eavesdrop on a synchronization, you’re in the game — and don’t even need the key. Depending on the complexity of a physical key, a simple photograph is enough to fake it. And these are all methods where you wouldn’t even know your secret information was leaked, if done right.
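The claim that a fob is “a secret seed plus an algorithm” can be made concrete. The following is an added example, not code from the original post: it uses the open HOTP/TOTP standards (RFC 4226 / RFC 6238) as a stand-in, since the post names no algorithm, and `Verifier` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


class Verifier:
    """Server side of a counter-based token (hypothetical, for illustration)."""

    def __init__(self, seed: bytes, window: int = 3):
        self.seed, self.window, self.counter = seed, window, 0

    def verify(self, code: str) -> bool:
        # Look a few counters ahead to tolerate unused button presses.
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1      # each code is accepted only once
                return True
        return False

    def reenrol(self, new_seed: bytes) -> None:
        """Mitigation: a fresh seed invalidates every copy of the old one."""
        self.seed, self.counter = new_seed, 0


def demo() -> dict:
    seed = b"12345678901234567890"        # RFC 4226 test seed, not a real secret
    server = Verifier(seed)
    fob_code = hotp(seed, 0)              # what the physical fob displays
    copy_code = hotp(bytes(seed), 0)      # what anything holding the seed computes
    results = {
        "same_code": fob_code == copy_code,
        "copy_accepted": server.verify(copy_code),
        # The owner's code for the same counter is now rejected; an unexpected
        # rejection like this is a signal worth alerting on.
        "owner_rejected": not server.verify(fob_code),
    }
    server.reenrol(b"constructed-replacement-seed")
    results["old_seed_rejected"] = not server.verify(hotp(seed, 1))
    return results


if __name__ == "__main__":
    print(demo())
```

The server cannot tell the fob from a copy of its seed, which is why seed provisioning and storage need the same protection as a password database.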

Thus, always remember: two-factor authentication isn’t inherently secure. You need to protect all the factors equally well, and do not trust a factor to be “safe”. After all, you are susceptible to rubber-hose cryptanalysis.

For a quick popular culture example of authentication factor secrecy, the movie “Inception” is an unexpected but welcome candidate. (Spoilers.) In it, each character that delves into dreams is urged to fashion a “totem” with specific properties that only they know, so that they can check they’re not in someone else’s dream. It’s vital for them not to let anyone else see their totem, as it would give them the power to fool the other into believing in an invalid authentication.

Here, the information is physical, but due to its special nature, also memorizable. You might argue this reduces it into a “what you know” category, but it is a physical factor that allows you to verify that the current reality is the same as the one you created your totem in. The mere fact that the relevant system isn’t a computer but the real world shows how feeble the idea of a physical token actually is.

Steam Zero

If you’re a bit of a gamer and have a bit of loose change, you’ll pro­bably have the ten­dency to acquire Steam games during sales.

This will invariably lead to you having a pretty big Steam game portfolio over time. According to steamcalculator.com, my account is worth about 2000 USD right now. Those are the current prices for the games, which is way more than what I put into the games — after all, I bought most of them during sales.

On the other hand, I’ve also put quite a few hours of my time into Steam games, and even with minimum wage I’d probably get a couple thousand more. Hell, I’ve played Fallout: New Vegas for “only” 70 hours, and that’s actually not all that much.

The thing is that you’ll inva­ria­bly build up a back­log. Even with the mixed «bles­sing» of rather short sin­gle player por­ti­ons of games these days, you’ll have a hell of a time catching up with each game that you bought, espe­cially if you want to milk them for their money’s worth.

Which is pretty interesting, since in the end, you could end up spending more money for the fun of having variety than the professed goal of getting the most worth out of single games.

And what actually hap­pens is that you’ll pro­bably end up not play­ing some games at all.

There’s a mul­ti­tude of rea­sons for it. For example, you might just not have the time to actually play a game. More com­monly, though, you will pro­bably not have time to pur­sue a game. You might play it for a bit, but then you’ll start ine­vi­ta­bly filing it under “have to play this more during downtime”.

Except you’ll never use that down­time for that game, since there’s pro­bably some­thing else that actually tick­les your cur­rent fancy. Often enough, there’s no real chance to get bored “enough” for you to go back to your gaming back­log except if you make a con­scious effort.

So the back­log grows, and grows, and grows.

In my case, there’s still some Hum­ble Bundle games that are lying around, which isn’t that much of a loss since I mainly bought it for the other games.

But then, there’s quite a lot more: The King’s Bounty series, pro­bably about at least 100 hours of gaming. Cthulhu saves the world, a char­ming little adven­ture. The Pen­um­bra and Amne­sia games, sup­po­sedly very great. The very cute Braid. Darksi­ders. Ano­maly: War­zone Earth. Atom Zom­bie Smas­her. Fro­zen Syn­apse. Far Cry 2. Machi­na­rium. Magi­cka. Indigo Pro­phecy. Osmos. Nation Red. Recet­tear. Saira. Space­Chem. Trine.

All very good games and I don’t feel bad for having bought them. (As oppo­sed to Dead Rising 2. Blech.)

There’s just no way I’ll have the kind of casual down­time that allows me to click off with one of these for half an hour. I’d rather hit up Bor­der­lands and finish up some DLC, for example.

Thus, in con­clu­sion, I have to liken this to some­thing inter­net nerds ever­y­where have a cer­tain con­nec­tion with. There’s other things which you some­ti­mes really need to get around to, but never seem to be able to finish.

Two dre­a­ded words: “inbox zero”.

That time when you actually manage to have zero unread mails — or rather, zero mails that still need your atten­tion, if you don’t use read state to indi­cate that.

Using that nomen­cla­ture, it seems I’ll never be able to one day post a sta­tus update con­tai­ning the sim­ple words “Steam zero”.

Value of two-factor authentication in MMOs

Cypherpunks everywhere know that using two-factor authentication, when done right, is inherently more secure.

Nothing can be said against the security of wisely-used one-factor authentication, but care must be taken to ensure the ongoing security of that factor. If you use a password, you need to choose a secure one — and if you don’t change it regularly, it logically gets weaker, too.

I know of at least one WoW player who is positively paranoid about exposing their passwords to someone, even though they don’t exhibit that behaviour elsewhere.

And then, of course, there’s the people who complain about having their accounts hacked, even though they used a secure password like their birthday. Or abcde.

A mitigating factor against people being too stupid to use passwords securely, then, is needed. And that’s where two-factor authentication comes along.

Two-factor authentication, in essence, means that you need to prove your own identity by two different means. This isn’t like using two different passwords. The common examples for factors include “things the user knows”, like a password, PIN, etc., “things the user has”, like some form of physical security token, and “things the user is”, i.e. biometric verification methods.

Biometric verification is more “comfortable” to use, but does have two major drawbacks:

  1. it requires specialized equipment (in most cases)
  2. it is vulnerable to replay attacks

So, mainly for reasons of practicality, owning an authentication token is the best method of getting a second factor into the mix.

But why would a company like Blizzard, for example, cough up the effort to actually enable something like authenticators — not only via device, but by mobile phone, too — and then go ahead and reward players (in the form of an in-game pet, but nevertheless) for using an authenticator — merely to save people from their own stupidity?

Simple enough: to help battle against “economic” abuse, and to help protect their own interests by having to deal with less “hacked account” cases.

Even though the latter reason might just be enough to implement it, the former is actually the most important one. Gold farming is a serious problem for online gaming companies, and even underdeveloped economies like that of WoW can suffer greatly from such manipulation.

If you want to read a fictional example of a near-future vision on the importance and concepts of gold farming, you should read up on Cory Doctorow’s “For The Win”. Even though it’s a bit over the top compared to the current state of the game, it might very well be similar in the years to come.

Of course, the battle.net authentication token Blizzard distributes does seem to have reliability problems, but the mobile authenticator — a Java application — seems to work fairly well, and, compared to the DIGIPASS Go 6 authenticators used by Blizzard, actually has a reverse-engineered spec available.

Even though the DIGIPASS algorithm was, to the author’s knowledge, not broken so far, the fact that the developing company does not disclose the DIGIPASS source code to non-customers, along with a rather cheeky attitude, should serve as sufficient indicators to avoid their products.

D&D rules lawyering: cover and stealth

I was recently rea­ding up on the ste­alth and cover mecha­nics, and even though I was fairly cer­tain about what is and what is not pos­si­ble, I found out that one edge case isn’t par­ti­cu­larly well-documented.

The rules, to be exact the Ste­alth rules cor­rec­tion from Player’s Hand­book 2, state:

Beco­m­ing Hid­den: You can make a Ste­alth check against an enemy only if you have supe­rior cover or total con­ceal­ment against the enemy or if you’re outs­ide the enemy’s line of sight. Outs­ide com­bat, the DM can allow you to make a Ste­alth check against a dis­trac­ted enemy, even if you don’t have supe­rior cover or total con­ceal­ment and aren’t outs­ide the enemy’s line of sight. The dis­trac­ted enemy might be focu­sed on some­thing in a dif­fe­rent direc­tion, allo­wing you to sneak up.

So, what it espe­cially says is that “supe­rior cover” works as a basis to get hid­den behind. Accor­ding to the Dun­geon Master’s Guide on deter­mi­ning cover for ran­ged attacks:

Choose a Cor­ner: The atta­cker choo­ses one cor­ner of a square he occu­p­ies, and draws ima­gi­nary lines from that cor­ner to every cor­ner of any one square the defen­der occu­p­ies. If none of those lines are blo­cked by a solid object or an enemy crea­ture, the atta­cker has a clear shot. The defen­der doesn’t have cover. (A line that runs par­al­lel right along a wall isn’t blo­cked.)
Supe­rior Cover: The defen­der has supe­rior cover if no mat­ter which cor­ner in your space you choose and no mat­ter which square of the target’s space you choose, three or four lines are blo­cked. If four lines are blo­cked from every cor­ner, you can’t tar­get the defender.

So, in theory, if you’d have a situa­tion where you’d have supe­rior cover from an enemy, e.g.
Illustration with a player behind two allies, and lines of sight to an enemy.
you’d be able to ste­alth your­self and gain com­bat advantage.

The only thing that really denies this possibility is, again, the Stealth updates from Player’s Handbook 2, this time the “Remaining Hidden” section [emphasis mine]:

Keep Out of Sight: If you no lon­ger have any cover or con­ceal­ment against an enemy, you don’t remain hid­den from that enemy. You don’t need supe­rior cover, total con­ceal­ment, or to stay outs­ide line of sight, but you do need some degree of cover or con­ceal­ment to remain hid­den. You can’t use ano­ther crea­ture as cover to remain hid­den.

Many thanks to @Milambus for loo­king up that pas­sage. [And making me feel stu­pid for not having found it mys­elf, by the way.]

And that’s the only pro­blem. So, you could gain ste­alth moving behind enemies, but imme­dia­tely lose ste­alth sta­tus again by being only behind a creature.

In a sense, this is balan­ced, since your rogue strikers could then just con­ti­nue to camp behind your own figh­ters and shoot sneak attacks at enemies from just behind their bud­dies (since they don’t block for the player), which would make com­bat encoun­ters quick enough, but also a bit boring.

Then again, as my player rogue poin­ted out, when there’s two huge dra­gon­born war­ri­ors poun­ding away at an enemy, how are they not sup­po­sed to be able to hide behind them? They aren’t 5′ wide, surely, but cer­tainly big­ger than a half-elf in every other dimension.

I just think that with a further update (yuck), we might be able to get a bit of clarification on how allies grant cover, but cannot grant superior cover.

A new reason for leaving Ubuntu

So, if you’re won­de­ring your­self: “Why, Ubuntu is in the pro­cess of making ever­y­thing quite a bit more annoy­ing and fucking things up”, yet still think “that might just be mis­jud­ged opi­nion”, then fret no more. There’s an easy way to now know that Cano­ni­cal has offi­ci­ally gone bonkers.

The Ubuntu One Music Store.

After instal­ling an annoy­ing App Market-like “Soft­ware cen­ter” by default, swit­ching users over to a IM cli­ent that’s only remo­tely usa­ble, try­ing to sell you a cloud-based sto­rage solu­tion and swit­ching to Yahoo as the default search engine, you really have to won­der what the guys responsi­ble are up to.

So.

In short, Cano­ni­cal is on the verge of going Apple. Just bail boat while you still can.

D&D item: Martyr’s Collar

See­ing how ever­yone else is cur­rently crea­ting inte­res­ting items, I thought that I should throw one of my ideas into the mix. And after a bit of tin­ke­ring with how it should work, I present:

Martyr’s Col­lar Level 5

Res­ting tight against the throat, the wea­rer is always remin­ded of the price of sacrifice.

Lv 5   1,000 gp

Item slot:
Neck
Pro­perty:
This item can mean instant death for the cha­rac­ter. To wield it, the cha­rac­ter must suc­ceed at a hard will­power check. After three failu­res, the cha­rac­ter needs to take an exten­ded rest before try­ing again.
Power (At-Will ♦ Necrotic):
Stan­dard action. A con­scious and wil­ling cha­rac­ter may activate the col­lar while it is around their throat. The col­lar magi­cally con­stricts, seve­r­ing the user’s head from their body. The user’s life energy ser­ves as a power source for the col­lar and sends every attu­ned ally in range (burst 10) to the point defined by the attu­ning pro­cess.
Being able to sur­vive the deca­pi­ta­tion does not save the user, as all of their life energy is used up to power the collar’s magic.
The allies do not need to be wil­ling, con­scious, or even alive. If, for wha­te­ver rea­son, the desti­na­tion is not reachable, the col­lar will not activate. After the tele­por­ta­tion, the col­lar expands to its nor­mal pro­por­ti­ons and loses any attunement.
Power (Daily):
Standard action. Every willing ally in a burst 5 is attuned to the collar, and the item itself is attuned to the location. When the at-will power is used, all allies attuned and in range are transported back to the current location. The collar does not need to be worn to be attuned; any character touching the item can initiate the process. When passing between owners, the item does not lose connection to any attuned user or the attuned location.

Nobody really knows how these devices ever came to be, but they seem to have been used by devout and loyal war­ri­ors throug­hout time to save com­ra­des from cer­tain death by using their own life to shield them. The ulti­mate heroic sacri­fice, most souls sacri­fi­cing their bodies this way ascend to the Astral Sea.

Trusting self-signed certificates with Google Chrome on Linux

Update: added the “C” flag to SSL attributes which I accidentally forgot to include.
Also changed $HOST to $host, as $HOST is the shell parameter for the current hostname…

If you’re not really sure about how you can stop Chrome from permanently reminding you that the server you’re connecting to is a bad boy (read: using a self-signed certificate), you’ll probably end up looking at CACert’s Browser Client page by way of Google. With a bit of reading documentation, you can probably find out how to import a self-signed certificate and mark it as trusted, but since you’re probably lazy, you’d rather just copy and paste a few instructions.

First, I have to stress that blindly trusting a certificate you download off the internet is a Bad Idea. But expressing a certain laissez-faire attitude: if you’re stupid enough to copy and paste blindly, you deserve it.

Second, simple copy and paste instructions:

# $host is the server whose certificate you want to trust
openssl s_client -connect "$host:443" -showcerts > temporary_file
certutil -d "sql:$HOME/.pki/nssdb" -A -t CP,,C -n "$host" -i temporary_file

Third, explanations:

  • s_client just connects to the given hostname, 443 being, as you should know, the (default) HTTPS port.
  • -showcerts shows all kinds of information about the certificate, including the certificate itself. You will probably have to hit ^C/^D to stop s_client.
  • If you get multiple (and different) certificates, the first one will be the server certificate, and the second one the CA certificate.
  • certutil (package hint: libnss3-tools) can be used to manage your local «Network Security Services» SQLite database.
  • The specified arguments for certutil are:
    1. The database to use (in this case, the user-specific NSS database).
    2. The flag to add something to the database (-A).
    3. The “trust types” for the certificate, in “SSL, S/MIME, CA” notation: “P” for a trusted peer, and “C” for a certificate authority that may issue server certificates.
    4. A shortname to identify the certificate in the database. The hostname works well and is fairly obvious.
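One way to avoid trusting whatever the network handed you is to check the certificate in temporary_file against a SHA-256 fingerprint obtained out of band before running certutil. This is an added example, not part of the original post; the function names are hypothetical, and it assumes you got the expected fingerprint from the server's administrator or console rather than over the same connection.

```python
import base64
import hashlib
import hmac
import os
import re
import subprocess
import tempfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def first_cert_der(s_client_output: str) -> bytes:
    """Return the DER bytes of the first certificate in `openssl s_client
    -showcerts` output (the server's own), ignoring chatter and chain certs."""
    match = PEM_RE.search(s_client_output)
    if match is None:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Lower-case hex SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', plain hex, or openssl's 'sha256 Fingerprint=AB:..'."""
    return re.sub(r"[^0-9a-f]", "", fp.split("=")[-1].lower())


def matches_pin(der: bytes, expected_fp: str) -> bool:
    expected = normalize(expected_fp)
    if len(expected) != 64:
        return False                      # fail closed on empty or truncated pins
    return hmac.compare_digest(sha256_fingerprint(der), expected)


def import_if_pinned(s_client_file: str, host: str, expected_fp: str,
                     trust: str = "CP,,C") -> bool:
    """Run the certutil step only if the fetched leaf matches the pin.

    `trust` defaults to the flags used on this page; "P,," would trust the
    certificate as a peer only, without also marking it as a CA.
    """
    with open(s_client_file, encoding="utf-8", errors="replace") as fh:
        der = first_cert_der(fh.read())
    if not matches_pin(der, expected_fp):
        return False
    # Hand certutil only the verified certificate, not the whole s_client dump.
    with tempfile.NamedTemporaryFile(suffix=".der") as leaf:
        leaf.write(der)
        leaf.flush()
        subprocess.run(
            ["certutil", "-d", "sql:" + os.path.expanduser("~/.pki/nssdb"),
             "-A", "-t", trust, "-n", host, "-i", leaf.name],
            check=True)
    return True
```

On the server side, `openssl x509 -in cert.pem -noout -fingerprint -sha256` prints a fingerprint in a form `normalize` accepts.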

A records on top level domains

After I stumbled upon the wonderful URL shortener http://to/ today and immediately began posting it on IRC, I received a comment that someone didn’t even know that it was possible to do so. I, of course, could only comment “of course it’s possible”. But in the same train of thought, I just had to have a look at who else has a valid A record on their top level domain. So I fetched the IANA TLD list and, after being baffled by the punycode TLDs, threw some sh at the problem:
(for domain in $(grep -v '^#' tlds-alpha-by-domain.txt); do host -t A "${domain}."; done) | grep -v 'has no A record'

For the sake of enjoyability, I thus offer the results in table form, along with what kind of site is running on port 80. Data timestamp is 2010-01-08T16:05:00+0100, location for routing is DTAG-DIAL26 / AS3320.

| TLD | IP | content (port 80) |
|-----|----|-------------------|
| AC | 193.223.78.210 | “Always connected” (NIC.AC) |
| AI | 209.59.119.34 | “Offshore Information Services” |
| BI | 196.2.8.205 | “It works!” |
| CM | 195.24.205.60 | cm [195.24.205.60] 80 (www) : Connection refused |
| DK | 193.163.102.23 | “DK Hostmaster” (NIC.DK) |
| GG | 87.117.196.80 | Channel Isles Domain Registration |
| HK | 203.119.2.28 | hk [203.119.2.28] 80 (www) : No route to host |
| IO | 193.223.78.212 | NIC.IO |
| JE | 87.117.196.80 | Channel Isles Domain Registration |
| PH | 203.119.4.7 | HTTP 500.100 via broken Microsoft IIS |
| PN | 80.68.93.100 | Apache default home page |
| PW | 203.199.114.33 | pw [203.199.114.33] 80 (www) : No route to host |
| SH | 64.251.31.234 | sh [64.251.31.234] 80 (www) : No route to host |
| TK | 217.119.57.22 | “TK your long URL”, free .tk domain name registry |
| TM | 193.223.78.213 | NIC.TM |
| TO | 216.74.32.107 | TO./ URL shortener |
| UZ | 91.212.89.8 | some WAP page I can’t decipher |
| WS | 63.101.245.10 | ws [63.101.245.10] 80 (www) : Connection timed out |

So, in short, 5 of 18 (27%) are down­right bro­ken, one is being autistic, and a fur­ther 2 (11%) are not con­fi­gu­red to do anything mea­ningful, lea­ding to a total of 8 — or 44% — of TLD A records being use­l­ess. Bonus: none of the sites have AAAA records and, thus, no IPv6 availability.

Discordian iCal calendar

Since I was play­ing around with Date modu­les a bit, I deci­ded to con­jure up some iCal files for the Dis­cor­dian calen­dar, which chro­ni­cles the Year of Our Lady Dis­cord, as descri­bed in the Prin­ci­pia Discordia.

With the goal of eliminating any kind of dependency on actions by me to generate the calendar files, I just pregenerated them for the whole 21st century.

The files are stored at /discordian/$year.ical, with $year ranging from 2001 (which was the real start of the century and the millennium) to 2100.

For the sake of easy access — and as an expe­ri­ment to see what Google’ll make of it — I’ve com­pi­led a handy table so you can just click for the file you want.

Feel free to include this on your Google calen­dar (will make for an inte­res­ting traf­fic study) or redis­tri­bute it with a kudos to me, lin­king to this page (http://ydal.de/discordian-ical/). Copy­right shouldn’t be an issue since this com­pi­la­tion does not exceed the Schöp­fungs­höhe, but I’ll declare them to be CC-BY-DE 3.0 just in case.


Ubuntu — why it sucks

Ear­lier this year, I swit­ched from Debian to Ubuntu on both my net­book and my desk­top machine, because it quite plea­sed me how well it worked. For the net­book, this was sort of appro­priate, when igno­ring the fact that a net­book is slow by prin­ciple, but with my desk­top, my choice might have been less than wise.

Jaunty, 9.04, left me with occa­sio­nal ran­dom cra­shing of my X ser­ver, and app­li­ca­ti­ons some­ti­mes only star­ting at the second try, if at all. You’d get situa­ti­ons like bans­hee firing up, dra­wing the win­dow on the desk­top, and then locking up — which my com­piz duly ack­now­ledged by shading the win­dow after about fif­teen seconds. You kill it, you restart it, ever­y­thing works.

Add to this some other app­li­ca­ti­ons (like Evo­lu­tion, Nau­ti­lus and Tom­boy), along with the fact that GNOME Do just seems to ran­domly eva­po­rate into digi­tal not­hing­ness in the course of my uptime, and voila, you have a sys­tem that works mostly well, but just some­ti­mes annoys the hell out of you, espe­cially when the X ser­ver cras­hed the sys­tem because you did some­thing like Alt-Tabbing while you had two app­li­ca­ti­ons run­ning full­screen on dif­fe­rent moni­tors. Yep, it happened.

So, alas and behold, comes the saviour: Ubuntu 9.10, Kar­mic Koala! It shi­nes, it glit­ters, and it saves kit­tens from trees! Ever­y­thing is so much bet­ter with it!

… not.

Kar­mic, in the vain hope to be so much grea­ter to the com­mon good, tries to opti­mize and dumb down things for the users. Which, accor­ding to others, seems to work sple­ndidly — but abso­lu­tely fai­led on my end.

My woes with the rare animal

odin (the desktop)

For the record: odin’s specs are something along the line of a Core2 Duo, GeForce 260 linked to two screens, a couple of terabytes of hard drive and a SoundBlaster SB Live! 5.1, after the onboard soundcard started acting up and being generally retarded on the gaming OS.

  1. Boot time has gone way … up. Even though it’s sup­po­sed to be opti­mi­zed for qui­cker boot and what­not, my pre­vious “less than ten seconds” boot time some­what dimi­nis­hed in the face of the opti­mi­zed boo­tup, which made my resol­v­conf (which I haven’t even tou­ched!) for no appa­rent rea­son, adding a 30 to 60s time­out on the top.
  2. It solved the crashing problems … not at all. The only thing it actually managed is to get bug-buddy to be all “It looks like nautilus crashed” with a nice dialog saying I should report a bug to Ubuntu. Which I won’t, since there’s nothing logworthy to submit, it just dies and that’s it.
  3. The sound inter­face has been made super-easy! And, also, bloody hard to con­fi­gure cor­rectly. The new sound pre­fe­ren­ces eschew any kind of know­ledge about your sound card and just pre­sume to know bet­ter than you, which is exactly why it thinks it should fiddle with the Mas­ter volume of my Sound­blas­ter when on four way ste­reo mix up, which con­trols only two chan­nels, and not the PCM, which then regu­la­tes ever­y­thing. Jaunty allo­wed me to change the mixer con­trol to one I deemed best — no dice in Kar­mic. I now need to fire up alsa­mi­xer for that, and can’t use my key­board volume wheel wit­hout fiddling.
  4. Speaking of sound, it has become even more annoy­ing to find a way to turn off the logon sounds with GDM, since gdmsetup has been repla­ced by some­thing which does quite about not­hing at all.
  5. And, of course, hiber­nate doesn’t work any­more. As if any dis­tri­bu­tion would ever get that right.

baldr, the netbook

  1. Boot time has gone way … up. Yes, even on the famed “we sooo lurv you” Atom notebooks Karmic pretends to like so much, performance pretty much went down the drain.
  2. Impro­ved exter­nal moni­tor sup­port! Plug in a second screen, get none of the real estate! As soon as I plug in the VGA dis­play while the lap­top is still run­ning, screens go irre­ver­si­bly blank until reboot. Having it plug­ged in while reboo­ting allows you to run 800×600 on both dis­plays, clo­ned, wit­hout the abi­lity to change the resolution.
  3. Hiber­nate doesn’t work. Even though it did before.
  4. And myriads of minor nui­san­ces like stut­ters and all that jazz.

May I note that this even hap­pens when being freshly instal­led from source on the net­book, so this is no tale of the com­mon upgrade blues.

Con­clu­sion

Well, I’ll pro­bably be chan­ging dis­tri­bu­tion soo­nish, yet again. Fedora might be a neat idea for the net­book, not yet sure if I will revert to Debian on odin.

The Kar­mic Koala is beco­m­ing incre­a­sin­gly extinct and fails to repro­duce appro­pria­tely even with an accep­ting mindset.
