Dhole Moments

2023-10-02 07:31:48

I quit my job towards the end of last month.

When I started this blog, I told myself, “Don’t talk about work.” Since my employment is in the rear view mirror, I’m going to bend that rule for once. And most likely, only this one time.

Why? Since I wrote a whole series about how to get into tech for as close to $0 as possible without prior experience, I feel that omitting my feelings would be, on some level, dishonest.

Refusing Forced Relocation

I had been hired in 2019 for the cryptography team at a large tech company. I was hired as a 100% remote employee, with the understanding that I would work from my home in Florida.

Then a pandemic started to happen (which continues to be a mass-disabling event despite what many politicians proclaim).

The COVID-19 pandemic forced a lot of people who preferred to work in an office setting to sink-or-swim in a remote work environment.

In early 2020, you could be forgiven for imagining that this new arrangement was a temporary safety measure that we would adopt for a time, and then one day return to normal. By mid 2022, only people that cannot let go of their habits and traditions continued to believe that we’d ever return to the “normal” they knew in 2019.

As someone who had been working remote since 2014, as soon as the shift happened, many of my peers reached out to me for advice on how to be productive at home. This was an uncomfortable experience for many of them, and as someone who was comfortable in a fully virtual environment, I was happy to help.

By early 2021, I was considered to not only be a top performer, but also a critical expert for the cryptography organization. My time ended up split across three different teams, and I was still knocking my projects out of the park. But more importantly, junior employees felt comfortable approaching me with questions and our most distinguished engineers sought my insight on security and cryptography topics.

It became an inside joke of the cryptography organization, not to let me ever look at someone else’s source code on a Friday, because I would inevitably find at least one security issue, which would inevitably ruin someone’s weekend. I suppose the reasoning was that, if the source code in question belonged to a foundational software package, it carried the risk of paging the entire company as we tried to figure out how to mitigate the issue and upstream the fix.

(I never once got earnestly reprimanded for finding security bugs, of course.)

I can’t really go into detail about the sort of work I did. I don’t really want to name names, either. But I will say that I woke up every day excited and motivated. The problems were interesting, the people were wonderful, and there was an atmosphere of respect and collaboration.

Despite the sudden change in working environment for most of the cryptography organization in response to COVID-19, we were doing great work and cultivating the same healthy and productive work environment that everyone fondly remembered pre-pandemic.

Art: CMYKat

And then the company’s CEO decided to make an unceremonious, unilateral, top-down decision (based entirely on vibes from talking to other CEOs, rather than anything resembling facts, data, or logic):

Everyone must return to the office, and virtual employees must relocate. Exceptions would be few, far between, and required a C-level to sign off on it. Good luck getting an exception before your relocation decision deadline.

Hey, tech workers, stop me if you’ve heard this one before.

To the credit of my former managers, they sprung this dilemma on me literally the day before I went to a hacker conference–a venue full of hiring managers and technical founders.

On Ultimatums

If I had to give only one bit of advice to anyone ever faced with an ultimatum from someone with power over them (be it an employer or abusive romantic partner), it would be:

Ultimately, never choose the one giving you an ultimatum.

Art: AJ_LovesDinos

If your employer tells you, “Move to an expensive city or resign,” your best move will be, in the end, to quit. Notice that I said, in the end.

It’s perfectly okay to pretend to comply to buy time while you line up a new gig somewhere else.

That’s what I did. Just don’t start selling your family home or looking at real estate listings, and definitely don’t accept any relocation assistance (since you’ll have to return it when you split).

Conversely, if you let these assholes exert their power over you, you dehumanize yourself in submission.

(Yes, you did just read those words on a blog written by a furry.)

If you take nothing else away from this post, always keep this in mind.

Art: MarleyTanuki

From Whence Was This Idiocy Inspired?

Nothing happens in a vacuum.

When more tech workers opted to earn their tech company salaries while living in cheaper cost-of-living houses, less tech worker money circulated to big city businesses.

This outflow of money does hurt the local economies of said cities, including the ones that big tech companies are headquartered in. In some cases, this pain has jeopardized a lot of the tax incentives that said companies enjoy.

That’s why we keep hearing about politicians praising the draconian way that the return-to-office policies are being enforced.

At the end of the day, incentives rule everything around us.

Companies have to kowtow to the government in order to reduce their tax bill (and continue pocketing record profits–which drive inflation–while their workers’ wages stagnate).

This outcome was incredibly obvious to everyone that was paying attention; it was just a matter of when, not if.

Signs of Things to Come

Do you know who was really paying attention? The top talent at most tech companies.

After I turned in my resignation, I received a much larger outpour of support from other very senior tech workers than I ever imagined.

Many of them admitted that they were actively looking for new roles; some of them for the first time in over a decade.

Many of them already have new gigs lined up, and were preparing to resign too. Some of those already have.

Others are preparing to refuse to comply with either demand, countering the companies’ ultimatums with one of their own: Shut up or fire me.

What I took from these messages is this: What tech companies are doing is complete bullshit, and everyone knows it, and nobody is happy about it.

With all this in mind, I’d like to issue a prediction for how this return-to-office with forced relocation will play out, should companies’ leaders double down on their draconian nature.

My Prediction

Every company that issued forced relocation ultimatums to their pre-pandemic remote workers will not only lose most (if not all) their top talent in the next year, but they will struggle to hire for at least the coming decade.

The bridge has been burnt, and the well has been poisoned.

Trust arrives on foot, but leaves on horseback.

Dutch proverb

The companies that issued these ultimatums are not stupid. They had to know that some percentage of their core staff would leave over their forced relocation mandates. Many described it as a “soft layoff” tactic.

But I don’t think they appreciate the breadth or depth of the burn they’ve inflicted. Even if they can keep their ships from sinking, the wound will fester and their culture will not easily recover. This will lead to even more brain drain.

Who could blame anyone for leaving when that happens?

Unfortunately, there is a class of people that work in tech that will bear the brunt of the ensuing corporate abuse: H-1B visa employees, whose immigration status is predicated on their ongoing employment. Their ability to hop from abusive companies onto lifeboats is, on the best of days, limited.

And that? Well, that’s going to get ugly.

There’s still time for these companies to slam the brakes on their unmitigated disaster of failed leadership before it collapses the whole enterprise.

If I were a betting dhole, I wouldn’t bet money on most of them doing that.

Their incentives aren’t aligned that way yet, and when they finally are, it will be far too late.

Toward New Opportunities

As for me, I’m enjoying some well-earned downtime before I start my new remote job.

I wasn’t foolish enough to uproot my life and everyone I love at some distant corporate asshole’s whims, but I also wasn’t impulsive enough to jump ship without a plan.

That’s as much as I feel comfortable saying about myself on here.

If you’re facing a similar dilemma, just know that you’re not alone. Savvy companies will be taking advantage of your current employer’s weakness to pan for gold, so to speak.

You are not trapped. Your life is your own to live. Choose wisely.

Addendum

After I posted this, it made the front page of Hacker News and was subsequently posted in quite a few places. After reading some of the comments, I realize a few subtleties in my word choice didn’t come across, so I’d like to clarify them.

When I say “RTO is bullshit”, I don’t mean “office work is bullshit” or anything negative about people that prefer in-person office work. I mean “the forced relocation implementation of transitioning a whole company to never-remote (a.k.a. RTO) is bullshit”.

If working in an office is better for you, rock on. I don’t have any issue with that. The bullshit is the actions taken by company’s leadership teams in absence of (or often in spite of) hard data on remote work versus in-person work. The bullshit is changing remote worker’s employment agreements without their consent and threatening “voluntary resignation” as the only alternative (even though that’s pretty obviously constructive dismissal).

When I discussed ultimatums above, I’m specifically referring to actual ultimatums, not colloquial understandings of the word. If you can talk with the person and negotiate with them, it’s not a goddamn ultimatum. What I was faced with was an actual ultimatum: Comply or suffer. I chose freedom.

Hope that helps.

CMYKat made this, I edited the text

Regarding some of the other comments, I come from the “I work to live” mindset, not the “I live to work” mindset. My opinions won’t resonate with everyone. That’s okay!

Update: I wrote a follow-up to this post to address a lot of bad comments I saw on HN and Reddit.

https://soatok.blog/2023/10/02/return-to-office-is-bullshit-and-everyone-knows-it/

#business #businessEthics #forcedRelocation #returnToOffice #Society #techIndustry #Technology #ultimatums #work

Dhole Moments

2021-02-11 14:12:31

Let me say up front, I’m no stranger to negative or ridiculous feedback. It’s incredibly hard to hurt my feelings, especially if you intend to. You don’t openly participate in the furry fandom since 2010 without being accustomed to malevolence and trolling. If this were simply a story of someone being an asshole to me, I would have shrugged and moved on with my life.

It’s important that you understand this, because when you call it like you see it, sometimes people dismiss your criticism with “triggered” memes. This isn’t me being offended. I promise.

---

My recent blog post about crackpot cryptography received a fair bit of attention in the software community. At one point it was on the front page of Hacker News (which is something that pretty much never happens for anything I write).

Unfortunately, that also means I crossed paths with Zed A. Shaw, the author of Learn Python the Hard Way and other books often recommended to neophyte software developers.

As someone who spends a lot of time trying to help newcomers acclimate to the technology industry, there are some behaviors I’ve recognized in technologists over the years that makes it harder for newcomers to overcome anxiety, frustration, and Impostor Syndrome. (Especially if they’re LGBTQIA+, a person of color, or a woman.)

Normally, these are easily correctable behaviors exhibited by people who have good intentions but don’t realize the harm they’re causing–often not by what they’re saying, but by how they say it.

Sadly, I can’t be so generous about… whatever this is:

https://twitter.com/lzsthw/status/1359659091782733827

Having never before encountered a living example of a poorly-written villain towards the work I do to help disadvantaged people thrive in technology careers, I sought to clarify Shaw’s intent.

https://twitter.com/lzsthw/status/1359673331960733696

https://twitter.com/lzsthw/status/1359673714607013905

This is effectively a very weird hybrid of an oddly-specific purity test and a form of hazing ritual.

Let’s step back for a second. Can you even fathom the damage attitudes like this can cause? I can tell you firsthand, because it happened to me.

Interlude: Amplified Impostor Syndrome

In the beginning of my career, I was just a humble web programmer. Due to a long story I don’t want to get into now, I was acquainted with the culture of black-hat hacking that precipitates the DEF CON community.

In particular, I was exposed the writings of a malicious group called Zero For 0wned, which made sport of hunting “skiddiez” and preached a very “shut up and stay in your lane” attitude:

Geeks don’t really come to HOPE to be lectured on the application of something simple, with very simple means, by a 15 year old. A combination of all the above could be why your room wasn’t full. Not only was it fairly empty, but it emptied at a rapid rate. I could barely take a seat through the masses pushing me to escape. Then when I thought no more people could possibly leave, they kept going. The room was almost empty when I gave in and left also. Heck, I was only there because we pwned the very resources you were talking about.

Zero For 0wned

My first security conference was B-Sides Orlando in 2013. Before the conference, I had been hanging out in the #hackucf IRC channel and had known about the event well in advance (and got along with all the organizers and most of the would-be attendees), and considered applying to their CFP.

I ultimately didn’t, solely because I was worried about a ZF0-style reception.

I had no reference frame for other folks’ understanding of cryptography (which is my chosen area of discipline in infosec), and thought things like timing side-channels were “obvious”–even to software developers outside infosec. (Such is the danger of being self-taught!)

“Geeks don’t really come to B-Sides Orlando to be lectured on the application of something simple, with very simple means,” is roughly how I imagined the vitriol would be framed.

If it can happen to me, it can happen to anyone interested in tech. It’s the responsibility of experts and mentors to spare beginners from falling into the trappings of other peoples’ grand-standing.

Pride Before Destruction

With this in mind, let’s return to Shaw. At this point, more clarifying questions came in, this time from Fredrick Brennan.

https://twitter.com/lzsthw/status/1359712275666505734

What an arrogant and bombastic thing to say!

At this point, I concluded that I can never again, in good conscience, recommend any of Shaw’s books to a fledgling programmer.

If you’ve ever published book recommendations before, I suggest auditing them to make sure you’re not inadvertently exposing beginners to his harmful attitude and problematic behavior.

But while we’re on the subject of Zed Shaw’s behavior…

https://twitter.com/lzsthw/status/1359714688972582916

If Shaw thinks of himself as a superior cryptography expert, surely he’s published cryptography code online before.

And surely, it will withstand a five-minute code review from a gay furry blogger who never went through Shaw’s prescribed hazing ritual to rediscover specifically the known problems in OpenSSL circa Heartbleed and is therefore not as much of a cryptography expert?

(Art by Khia.)

May I Offer You a Zero-Day in This Trying Time?

One of Zed A. Shaw’s Github projects is an implementation of SRP (Secure Remote Password)–an early Password-Authenticated Key Exchange algorithm often integrated with TLS (to form TLS-SRP).

Zed Shaw’s SRP implementation

Without even looking past the directory structure, we can already see that it implements an algorithm called TrueRand, which cryptographer Matt Blaze has this to say:

https://twitter.com/mattblaze/status/438464425566412800

As noted by the README, Shaw stripped out all of the “extraneous” things and doesn’t have all of the previous versions of SRP “since those are known to be vulnerable”.

So given Shaw’s previous behavior, and the removal of vulnerable versions of SRP from his fork of Tom Wu’s libsrp code, it stands to reason that Shaw believes the cryptography code he published would be secure. Otherwise, why would he behave with such arrogance?

SRP in the Grass

Head’s up! If you aren’t cryptographically or mathematically inclined, this section might be a bit dense for your tastes. (Art by Scruff.)

When I say SRP, I’m referring to SRP-6a. Earlier versions of the protocol are out of scope; as are proposed variants (e.g. ones that employ SHA-256 instead of SHA-1).

Professor Matthew D. Green of Johns Hopkins University (who incidentally used to proverbially shit on OpenSSL in the way that Shaw expects everyone to, except productively) dislikes SRP but considered the protocol “not obviously broken”.

However, a secure protocol doesn’t mean the implementations are always secure. (Anyone who’s looked at older versions of OpenSSL’s BigNum library after reading my guide to side-channel attacks knows better.)

There are a few ways to implement SRP insecurely:

1. Use an insecure random number generator (e.g. TrueRand) for salts or private keys.
2. Fail to use a secure set of parameters (q, N, g).
   To expand on this, SRP requires q be a Sophie-Germain prime and N be its corresponding Safe Prime. The standard Diffie-Hellman primes (MODP) are not sufficient for SRP.

   This security requirement exists because SRP requires an algebraic structure called a ring, rather than a cyclic group (as per Diffie-Hellman).

3. Fail to perform the critical validation steps as outlined in RFC 5054.

In one way or another, Shaw’s SRP library fails at every step of the way. The first two are trivial:

1. We’ve already seen the RNG used by srpmin. TrueRand is not a cryptographically secure pseudo random number generator.
2. Zed A. Shaw’s srpmin only supports unsafe primes for SRP (i.e. the ones from RFC 3526, which is for Diffie-Hellman).

The third is more interesting. Let’s talk about the RFC 5054 validation steps in more detail.

Parameter Validation in SRP-6a

Retraction (March 7, 2021): There are two errors in my original analysis.

First, I misunderstood the behavior of SRP_respond() to involve a network transmission that an attacker could fiddle with. It turns out that this function doesn’t do what its name implies.

Additionally, I was using an analysis of SRP3 from 1997 to evaluate code that implements SRP6a. u isn’t transmitted, so there’s no attack here.

I’ve retracted these claims (but you can find them on an earlier version of this blog post via archive.org). The other SRP security issues still stand; this erroneous analysis only affects the u validation issue.

Vulnerability Summary and Impact

That’s a lot of detail, but I hope it’s clear to everyone that all of the following are true:

1. Zed Shaw’s library’s use of TrueRand fails the requirement to use a secure random source. This weakness affects both the salt and the private keys used throughout SRP.
2. The library in question ships support for unsafe parameters (particularly for the prime, N), which according to RFC 5054 can leak the client’s password.

Salts and private keys are predictable and the hard-coded parameters allow passwords to leak.

But yes, OpenSSL is the real problem, right?
(Art by Khia.)

Low-Hanging ModExp Fruit

Shaw’s SRP implementation is pluggable and supports multiple back-end implementations: OpenSSL, libgcrypt, and even the (obviously not constant-time) GMP.

Even in the OpenSSL case, Shaw doesn’t set the BN_FLG_CONSTTIME flag on any of the inputs before calling BN_mod_exp() (or, failing that, inside BigIntegerFromInt).

As a consequence, this is additionally vulnerable to a local-only timing attack that leaks your private exponent (which is the SHA1 hash of your salt and password). Although the literature on timing attacks against SRP is sparse, this is one of those cases that’s obviously vulnerable.

Exploiting the timing attack against SRP requires the ability to run code on the same hardware as the SRP implementation. Consequently, it’s possible to exploit this SRP ModExp timing side-channel from separate VMs that have access to the same bare-metal hardware (i.e. L1 and L2 caches), unless other protections are employed by the hypervisor.

Leaking the private exponent is equivalent to leaking your password (in terms of user impersonation), and knowing the salt and identifier further allows an attacker to brute force your plaintext password (which is an additional risk for password reuse).

Houston, The Ego Has Landed

Earlier when I mentioned the black hat hacker group Zero For 0wned, and the negative impact their hostile rhetoric, I omitted an important detail: Some of the first words they included in their first ezine.

For those of you that look up to the people mentioned, read this zine, realize that everyone makes mistakes, but only the arrogant ones are called on it.

Zero For 0wned

If Zed A. Shaw were a kinder or humbler person, you wouldn’t be reading this page right now. I have a million things I’d rather be doing than exposing the hypocrisy of an arrogant jerk who managed to bullshit his way into the privileged position of educating junior developers through his writing.

If I didn’t believe Zed Shaw was toxic and harmful to his very customer base, I certainly wouldn’t have publicly dropped zero-days in the code he published while engaging in shit-slinging at others’ work and publicly shaming others for failing to meet arbitrarily specific purity tests that don’t mean anything to anyone but him.

But as Dan Guido said about Time AI:

https://twitter.com/veorq/status/1159575230970396672

It’s high time we stopped tolerating Zed’s behavior in the technology community.

If you want to mitigate impostor syndrome and help more talented people succeed with their confidence intact, boycott Zed Shaw’s books. Stop buying them, stop stocking them, stop recommending them.

Learn Decency the Hard Way

(Updated on February 12, 2021)

One sentiment and question that came up a few times since I originally posted this is, approximately, “Who cares if he’s a jerk and a hypocrite if he’s right?”

But he isn’t. At best, Shaw almost has a point about the technology industry’s over-dependence on OpenSSL.

Shaw’s weird litmus test about whether or not my blog (which is less than a year old) had said anything about OpenSSL during the “20+ years it was obviously flawed” isn’t a salient critique of this problem. Without a time machine, there is no actionable path to improvement.

You can be an inflammatory asshole and still have a salient point. Shaw had neither while demonstrating the worst kind of conduct to expose junior developers to if we want to get ahead of the rampant Impostor Syndrome that plagues us.

This is needlessly destructive to his own audience.

Generally the only people you’ll find who outright like this kind of abusive behavior in the technology industry are the self-proclaimed “neckbeards” that live on the dregs of elitist chan culture and desire for there to be a priestly technologist class within society, and furthermore want to see themselves as part of this exclusive caste–if not at the top of it. I don’t believe these people have anyone else’s best interests at heart.

So let’s talk about OpenSSL.

OpenSSL is the Manifestation of Mediocrity

OpenSSL is everywhere, whether you realize it or not. Any programming language that provides a crypto module (Erlang, Node.js, Python, Ruby, PHP) binds against OpenSSL libcrypto.

OpenSSL kind of sucks. It used to be a lot worse. A lot of people have spent the past 7 years of their careers trying to make it better.

A lot of OpenSSL’s suckage is because it’s written mostly in C, which isn’t memory-safe. (There’s also some Perl scripts to generate Assembly code, and probably some other crazy stuff under the hood I’m not aware of.)

A lot of OpenSSL’s suckage is because it has to be all things to all people that depend on it, because it’s ubiquitous in the technology industry.

But most of OpenSSL’s outstanding suckage is because, like most cryptography projects, its API was badly designed. Sure, it works well enough as a Swiss army knife for experts, but there’s too many sharp edges and unsafe defaults. Further, because so much of the world depends on these legacy APIs, it’s difficult (if not impossible) to improve the code quality without making upgrades a miserable task for most of the software industry.

What Can We Do About OpenSSL?

There are two paths forward.

First, you can contribute to the OpenSSL 3.0 project, which has a pretty reasonable design document that almost nobody outside of the OpenSSL team has probably ever read before. This is probably the path of least resistance for most of the world.

Second, you can migrate your code to not use OpenSSL. For example, all of the cryptography code I’ve written for the furry community to use in our projects is backed by libsodium rather than OpenSSL. This is a tougher sell for most programming languages–and, at minimum, requires a major version bump.

Both paths are valid. Improve or replace.

But what’s not valid is pointlessly and needlessly shit-slinging open source projects that you’re not willing to help. So I refuse to do that.

Anyone who thinks that makes me less of a cryptography expert should feel welcome to not just unfollow me on social media, but to block on their way out.

https://soatok.blog/2021/02/11/on-the-toxicity-of-zed-a-shaw/

#author #cryptography #ImpostorSyndrome #PAKE #SecureRemotePasswordProtocol #security #SRP #Technology #toxicity #vuln #ZedAShaw #ZeroDay

Dhole Moments

2020-04-24 02:43:25

My recent post about the alleged source code leaks affecting Team Fortress 2 and Counter-Strike: Global Offensive made the rounds on Twitter and made someone very mad, so I got hate DMs.
No more Angry Whoppers for you, mister!
…Look, I only said I got hate DMs, not that I got interesting or particularly effective hate DMs! Weak troll is weak, I know.

A lot of people online claim they “hate furries”, but almost none of them quite understand how prolific our community is, let alone how important we are to the Internet. As Stormi the Folf puts it…

I guarantee you the internet would collapse in a most horrific manner if all the furries in the world got Thano's snapped.

They *run* the internet in more ways than most people realize

— 🦊Stormi the Folf🐺 🔜FWA (@StormiFolf) April 23, 2020

Stormi is the Potato of Knowledge and Floof
What Stormi’s alluding to is true, and that’s a tale best told by an outsider to our community.

Telecommunications as a whole, which also encompasses The Internet, is in a constant state of failure and just in time fixes and functionally all modern communication would collapse if about 50 people, most of which are furries, decided to turn their pager off for a day. https://t.co/k1UqOv5kpd

— Ẑ͚͔͍̻̤̟ä̶̼̗̟͔́̿̾̓n̬͙̫̿͑͊̈̚d̡̰̭̞͖̟̖̟ͬ̚ê̺͖̂ͩ̀̉ͣrͪ̓ (@mmsword) November 28, 2019

Their follow-up tweet that elaborates on furry involvement is here.
So I’d like take the time to explain why nobody should ever underestimate the ingenuity or positivity of the furry community.

The Furry Fandom Has Saved Lives

https://www.youtube.com/embed/3h9sO17CV9A?feature=oembed
This is just one of many anecdotes. You can find many more here.
Although the furry fandom is widely misunderstood, it’s difficult to overstate how many lives have been saved and enriched by our community.

I wanted to share this touching moment. @Reo_Grayfox was telling me his story, and said those lines while staring straight into his fursuit's eyes. Hearing personal stories like this makes you appreciate the vastly diverse reasons why the furry fandom is essential to so many. pic.twitter.com/fD09Wmv6mf

— Joaquín Baldwin (@joabaldwin) January 22, 2018

Furries Provide Much-Needed Comfort to Others

In 2016, refugees from the civil war in Syria ended up in a hotel in Canada. This would have been an utterly remarkable fact if it wasn’t the same hotel and weekend as the local furry convention, Vancoufur.

The kids loved it.

This isn’t an isolated incident either. Our community is well-known for kindness and generosity in spades.

https://charcoalthings.tumblr.com/post/132996328881/i-will-defend-furries-to-my-grave

https://wakor.tumblr.com/post/126072529744/ok-you-know-what

What’s there to hate?

The Furry Fandom is Collectively Pretty Bad-Ass

Art by RueMaw.
No, not like that.

The fandom is bad-ass in as many ways as the fandom is incredibly diverse.
Image source and backstory of this meme: Dogpatch Press

90s furries built the Internet pic.twitter.com/Gicxme2HkT

— SwiftOnSecurity (@SwiftOnSecurity) April 30, 2019

SwiftOnSecurity knows the truth about more than just corn.

So one of my friends said furries pretty much run the US nuclear response communication networks. Just in case you're worried about Trump.

— SwiftOnSecurity (@SwiftOnSecurity) November 12, 2016

Seriously.

Some of the Most Talented People You’ll Ever Meet Are Furries

eSports Champions:

https://www.youtube.com/embed/TWhrECl6zOY?feature=oembed

Musicians:

https://open.spotify.com/embed/album/4NlXsjKmcWegIfQEI0JzHK?utm_source=oembed

Artists and costume makers: I could literally link to hundreds of artists here. Follow me on Twitter; I retweet a lot of cute stuff.

Pretty much everything you could aspire to be that isn’t also terrible, if you look hard enough, you’ll find furries in the leaderboards having a fun time with it all.

The only reason to hate furries is thinly-veiled homophobia, because only about 25% of furries are heterosexual.

Why So Curious?

If I’ve made you curious about our community, and now you want to learn more about us, I’ve got you.

https://www.youtube.com/embed/K2XeOxWW2oY?feature=oembed

Psychology Today: What’s the Deal with Furries?

Furry Fandom Documentary When?

https://www.youtube.com/embed/cF9DQQsUcs0?feature=oembed

Ash Coyote is releasing a documentary about our subculture soon, titled The Fandom. You can find out more about it on her YouTube channel.

https://soatok.blog/2020/04/23/never-underestimate-the-furry-fandom/

#furries #furry #FurryFandom #hateMail #positivity #Society