darkoshi: (Default)
This page on the Apple.com site: Government Information Requests
states: In the second half of 2016, Apple received between 5,750 and 5,999 National Security Orders.

Apple's Transparency Reports - contain details on the various customer information requests received by Apple from 2013 through 2016. The number of national security orders received by Apple increased from less than 500 in 2013, to between 8500 and 9000 in 2016.

See below for the difference between "National Security Orders/Requests" versus National Security Letters.

In this prior post, I linked to another article which stated: the FBI issued nearly 13,000 NSLs in 2015 alone. But that number must have been way under-estimated. Indeed, one of the below articles indicates that over 48,000 NSLs were sent in 2015.

A Decade-Old Gag Order, Lifted (November 2015):
relying on changes made by the Patriot Act, the FBI began issuing hundreds of NSLs demanding credit reports, banking information, or records relating to Internet activity. Some of the NSLs sought information about terrorism suspects, but most sought information about people who were one, two, three, or more degrees removed from anyone suspected of having done anything wrong. According to the Justice Department’s inspector general, the FBI issued a staggering 143,074 NSLs between 2003 and 2005. And every NSL was accompanied by a categorical and permanent gag order.


That link and this one: Doe v. Holder describe a decade-long court battle to get a single gag order lifted. It mentions some changes made to the laws regarding the gag orders during that time, but I'm not clear on the final outcome. I assume that most other NSL recipients are still under similar gag orders which haven't been changed.


Newly published FBI request shines light on National Security Letters (November 2015):

In 2007, the Office of the Inspector General reported that the FBI issued approximately 40,000 to 60,000 letters per year. President Obama’s Intelligence Review Group reported more recently in 2013 that the government issued an average of nearly 60 NSLs per day.
..
Companies can only report NSLs in bands of 1,000, if they're separated from FISA court order requests, or in bands of 250 if reported as a broader "national security request."


The "national security orders" referenced on the Apple.com page must be the broader category, including FISA requests in addition to NSLs, as they are listed in bands of 250. But the last link below indicates there are less than 2000 FISA request per year, so that doesn't explain the large discrepancy in numbers.

Even the above article implies that in 2013, a total of 365*60 = 25,550 NSLs were issued, while twice as many were issued 6 years prior. I doubt the number would have decreased that much over time, if there were no legal changes governing the issuance of the requests.

US foreign intelligence court did not deny any surveillance requests last year :
The court received 1,457 requests last year [in 2015] on behalf of the National Security Agency and the FBI for authority to intercept communications, including email and phone calls. ... The court did not reject any of the applications in whole or in part, the memo showed.

The total represented a slight uptick from 2014, when the court received 1,379 applications and rejected none.
..
The memo also stated that 48,642 national security letter (NSL) requests were made in 2015 by the FBI.
..
The majority of NSL requests, 31,863, made in 2015 sought information on foreigners, regarding a total of 2,053 individuals, the memo stated.

The FBI made 9,418 requests for national security letters in 2015 for information about US citizens and legal immigrants, regarding a total of 3,746 individuals, it showed.

The FBI also made 7,361 NSL requests for only “subscriber information”, typically names, addresses and billing records, of Americans and foreigners regarding 3,347 different people.
darkoshi: (Default)
My new cellphone has Android Marshmallow. I brought my contacts over from my old phone by exporting them to a vcf file, copying the file to my computer and then to the new SD card, and then importing them to the new phone.

One thing that surprised me is that when I clicked to add a new Contact on the new phone, I got the message "Your new contact will be synchronized with [my Gmail address]". Even after turning Sync OFF for Contacts in the Account Settings (for which I first had to *enable* sync in general, as I had it previously turned it completely off), it still gave me that message, with no option of adding the contact without synchronizing.

Now I no longer get the message - maybe because I edited one contact, and it only shows the message before you save any update. But the Add Contact screen still shows "Google Account" along with my Gmail address at the top of the screen, making it appear that the Contact belongs to the Gmail account, rather than simply belonging to the contact list on the phone, as it did on my old phone.

Logging into Gmail on the computer, under Contacts it showed all my phone contacts (which I had never added in Gmail), so it must have synced them when I originally added the Gmail account to the phone (for using the Play Store), before I turned off the auto-sync setting.

Or it is slightly possible they got synced from my old phone, and I never realized it, as I hadn't checked the contacts for that Gmail account before. I never had any reason to think my phone would be syncing my contacts to my Gmail account. But I think I had sync turned off on the old phone too.

Now I tested adding a new contact on the phone, and so far, it does not show up in Gmail on the computer. So hopefully it is working as desired now. I was able to select all the Gmail Contacts on the computer, to delete them all at once from there. I don't email anyone from that account, so it doesn't need contacts anyway.

The apparent lesson for me is:
Make sure Sync is turned off for Contacts in the Google Account settings on the phone, *before* importing contacts.
Or, if I import the contacts before adding the Google Account, put phone into airplane mode and then add the account, and then make sure it is set not to sync Contacts before taking it out of airplane mode.

And now, after reading this: Why can't I save new contacts to my phone or SIM?, I will try out this app which hopefully will let me import and save contacts to the phone without them being linked to any Google account: MyLocalAccount

Ghost

Sunday, February 26th, 2017 02:47 am
darkoshi: (Default)
Ghost in the Shell (1995 version).

Cool opening sound effects/music.

The opening sequence of the naked female body seemed to go on way too long. I suppose they made the anime movie for teenage boys?

I started out watching it with the English dialogue. But that was hard to follow. So I switched to Japanese with English subtitles, and started it back from the beginning.

In the English dialogue, her answer to "What's with all the noise in your brain today?" was "Must be a loose wire".
In the English subtitles, her answer was "It's that time of the month." I wonder if that matches the Japanese version, even though it makes less sense.

The sequence of her disrobing and letting herself fall backwards over the edge of the building... I've seen that before, haven't I? Ah... right, there is a live-action version of this movie coming out, the one with that cool trailer. I wonder how long I've had this item in my Netflix queue.

"The Puppet Master. That phantom hacker, right?" .. "Internationally wanted on dozens of charges of stock manipulation, spying, political engineering, terrorism, and violation of cyber-brain privacy. "

Hmm. "Political engineering". That reference sure doesn't sound like the Wikipedia definition of political engineering. It sounds more like this: The Rise of the Weaponized AI Propaganda Machine. That's not the first article I've read about Cambridge Analytica. I already posted a link to another article about them back in November. This one is even more disturbing than the last one though.

When I searched Google on "political engineering", the ad shown at the top of the page was "How Liberal Are You? - theadvocates.org‎. Take the World's Smallest Political Quiz and find out in minutes." Mmm, no. I don't need to take a quiz to know how liberal I am. Someone *else* wants to know how liberal I am. So that they can build their profile on me, and feed me personalized ads as mentioned in the above article.

The Google results also had 3 other ads, at the *bottom* of the page. Having ads at the bottom seems new. Or maybe not? Maybe they've been there before.

..

"Hope? In the darkness of the sea?"

..

Oh well. It's too late now to watch the whole movie tonight.

..

Two Saturdays in a row that I've worked from home, after working extra hours on Friday too. At least it is enjoyable work, debugging and researching issues. That's why I did it... nobody specifically requested me to, but I have the feeling that I should, as we are near the planned release date and still having all these problems.
darkoshi: (Default)
Yesterday while trying to get my LJ login to persist, I accidentally deleted all cookies. And now today it was Dreamwidth that kept logging me out! Even though I didn't change my Dreamwidth exception, which was working before.

Obviously I didn't completely understand how the cookie exceptions work, so I read up on them, and did some more testing.

Cookie settings - from http://blog.teamtreehouse.com/how-to-create-totally-secure-cookies :

Path: The default value of “/” means every request will get the cookie, while “/forums/” would limit the cookie to just that path.

Domain: Setting “www.example.com” will mean only the exact domain “www.example.com” will be matched, while “.example.com” will also match again any subdomain (forums.example.com, blog.example.com).

Secure: tells the browser (or other http clients) to only send the cookie over SSL connections.

HttpOnly: tells the browser that it should not allow JavaScript to access the contents of the cookie. This is primarily a defense against cross site scripting.


(so apparently "HttpOnly" has nothing to do with HTTP vs HTTPS, but "Secure" does.)

The DW cookies have Path = "/", Domain = ".dreamwidth.org", HttpOnly = true, Send for = "any type of connection" (which must mean Secure=false). So the cookies are sent from the browser to the DW server when any DW page on any subdomain is opened, and for both http and https.

But the Exceptions are what control how long the cookies are stored.

Based on the following pages, you don't have to enter subdomains (and you shouldn't use wildcards) in the URLs for Exceptions - all subdomains are included by default. Ie. "yahoo.com" includes "mail.yahoo.com".
https://bugzilla.mozilla.org/show_bug.cgi?id=336207
https://bugzilla.mozilla.org/show_bug.cgi?id=286499

Based on my testing, HTTP and HTTPS exceptions are mutually exclusive. Adding an "http://" exception will only work on pages using HTTP. Adding an "https://" exception will only work on pages using HTTPS. So if you've set your cookies to be deleted when closing the browser, but you want your "ljloggedin" cookie to persist whether you've logging in from an HTTP *or* an HTTPS dreamwidth page, you need to have "Allow" exceptions for both "http://dreamwidth.org" and "https://dreamwidth.org". Whereas if you are careful to only login from the HTTPS pages, you should only need the latter.
darkoshi: (Default)
I'm configuring my "new" laptop. 13 months after getting it, I've finally moved my files over to it, and started using it as my main computer. I realized I might never finish doing all those other things I wanted to do before moving the files, so finally just went ahead and did the move.

Now, I kept being logged out of LiveJournal, even though I was selecting the checkbox to stay logged in.

My Firefox configuration is set to delete cookies when I close the browser, but I had added an exception for http://livejournal.com. I added another exception for http://www.livejournal.com, but still kept being logged out. Looking at the cookies after logging in showed that they were still set to expire at the end of the session.

Finally, I tried adding an exception for https://livejournal.com. That did the trick. So even though the LiveJournal login page shows "http" in the URL bar, it must be using https behind the scenes.

I didn't have the same trouble with Dreamwidth, as I had added its exception using "https" to begin with, thinking that the Dreamwidth pages used https by default. But now I see that the Dreamwidth pages show "http" in the URL bar too. I must have configured my old laptop to redirect to https for Dreamwidth. Still need to do that here.

I don't see anything on Firefox's Cookies page to indicate whether a cookie was added via HTTP vs HTTPS. I wonder if there is any way to know which version of the URL you need to add as an exception, other than trial and error.

Firefox history

Sunday, October 18th, 2015 11:17 pm
darkoshi: (Default)
I accidentally deleted my Firefox browsing history today. I have a backup from a few months ago, so only a few months are lost.

I only intended to delete the cache, cookies, and active logins. It didn't seem to be working (it wasn't logging me out of Dreamwidth) so I tried several times. On maybe the 3rd attempt, Firefox locked up at 50% CPU for a long time, so I terminated Firefox. Only then did I realize my mistake, and that maybe it was using a lot of CPU while trying to delete a decade's worth of history.

Then I checked my profile folder. My places.sqlite file was 71 MB in size, exactly the same size as my last backup. I wondered if maybe my history wasn't really deleted, even though it was no longer showing up in the History view.

So I installed the SQLite Manager add-on and opened the sqlite file.

Surprisingly, the moz_places table still seems to have all my history entries. The only thing which shows that they are deleted is that visit_count is zero, and last_visit_date is blank.
So the site history is still there, just not the dates of when I visited what. Yet, each entry has an ID, and the IDs are in increasing order based on the dates that I had visited the sites.

I have to assume that the entries are still there only because I terminated Firefox while it was in the middle of doing its deletes. According to this bug: Clearing firefox's browser history doesn't change places.sqlite file size, the deleted data should be getting zero-filled even if the file size remains the same. But that comment is 8 years old. The last comment seems to indicate the data may not be actually getting deleted or zero-filled, only hidden.

In comparing the current places.sqlite with the backup, the IDs of the old entries don't match up... the current one seems to be missing entries compared to the old one, even though the total number of entries is only different by 46. So... I guess old entries have been getting deleted automatically by Firefox anyway in the last months, due to the maximum allowed history size.

Hmm.

Let me try the delete again, without terminating it this time. I'll take my shower in the meanwhile. Then I'll check if the entries really get deleted.

Update: Allrighty, over an hour later and the Firefox window still hasn't refreshed, and Firefox is still using 50% CPU. (I'm posting this from a different browser). It can't take that long to clear out 71 MB of data. Or rather 61 MB, as I had earlier decreased the size by running the places maintenance add-on. So it must be looping, or have a serious performance issue. Oh well. I don't have the time to research it more. I'll just revert to my old backed up history.

... After closing Firefox, the places.sqlite file didn't change in size, but the places.sqlite-wal file was over 465 MB! Now after restarting Firefox, the latter file is back down to 37 MB. SQLite Manager is showing that the moz_places table now has about 1000 fewer entries in it (out of 104k) than before. Serious performance issue.

LinkedIn data mining

Monday, July 6th, 2015 08:54 pm
darkoshi: (Default)
This is in the same vein as a prior post of mine.

Today I was surprised to see Qiao listed in the "People You May Know" section of an email from LinkedIn. He and I have no shared LinkedIn connections between us. There is no connection between us work-wise. We are not connected through Facebook. The only conceivable way for LinkedIn to have connected us, is that we have the same mailing address.

So LinkedIn must be combing through databases of people's physical addresses, to determine possible relationships between people.

Ooh. I just thought of another possibility. They could be matching us up by our IP address, if Qiao ever logs into LinkedIn from home. Though I think our IP address is not static, and we turn off the modem nearly every night, and it's unlikely that we'd access the site at the same time or on the same day.
darkoshi: (Default)
Terrorists used false DMCA claims to get personal data of anti-islamist YouTuber

First, I'll mention a few items from the original German article that I didn't see mentioned in the other English posts I read.

The automated emails sent by YouTube to the channel owners clearly stated that 1) the channel owner had to provide their personal data in order to counter the copyright infringement claim, and 2) that this personal data would be shared with the person who submitted the claim.

YouTube alternately allows you to provide the contact information of an authorized representative (such as a lawyer) rather than your own, but the channel owners didn't discover that until afterwards.

Neither of the 2 main presenters of the channel were willing to share their contact information. Sabatina James (not her real name) was already in a victim's protection program, and in the habit of moving every few years for her own protection. In the past, she received death threats from her own family after fleeing an arranged marriage in Pakistan.

They suspected that the person making the false claim was an Islamist, and they repeatedly tried to tell YouTube this. But they were ignored.

After YouTube received 3 copyright infringement claims and no counter claim, the channel was shut down. After the channel was shut down, one of the channel's collaborators offered to provide his contact information in order to get the channel reinstated. It was this person's personal data that was provided to the false claimant and subsequently made public.

.

According to Google's help pages, one can submit a copyright infringement complaint by web-form or email. The web-form requires you to enter your full legal name, address and phone number. But curiously, the email option only says that it requires your contact information "such as an email address, physical address or telephone number".

Whereas, when submitting a counter-notification by email, you are required to include a full legal name, email address, physical address, and phone number.

So it sounds like someone can file a claim by providing only an email address, whereas to fight a claim, one has to disclose much more.
darkoshi: (Default)
After creating the new Facebook account under my real name, I started getting emails "Do you know so-and-so?", including names of some people I know from work. They looked like LinkedIn emails, and I didn't pay much attention to them.

Then I noticed that the emails were from Facebook, not LinkedIn. How did Facebook link me with those people? I haven't yet posted anything on Facebook, haven't friended anyone, and have only filled out a few things on my profile.

Both accounts are set up under the same email address, so maybe it's based on that.

But how did Facebook get info on my LinkedIn connections? At first, I thought that I might not have turned off sharing with 3rd Party Applications in the LinkedIn settings. But I checked the settings, and they were already set not to share my info.

I wonder, has Facebook been sending similar emails to my work colleagues, saying "Do you know [my name]?", and linking to my new account?

My email address is not public on either account. But where I work is visible on LinkedIn. I suppose any 3rd party could do LinkedIn searches to find everyone connected to that company. And I suppose Facebook could use my name to link me up with those other people.

.

One thing I've been mentally debating is having my gender publicly visible on the Facebook account. I like that I can display my true gender, "androgyne". It could be a simple way to come out to friends and family who might not otherwise know, without making a big deal of it.

But I was thinking... there are health insurance plans that have clauses that exclude transgender-related expenses, and some (though hopefully few) even go so far as to exclude any services at all for a person who is transgender.

So maybe it would be better *not* to publicly out myself as transgender under my legal name.

And do I really even want to out myself to just anyone from work? Sometimes, I think it would make me seem even more odd from other people's viewpoints.

Maybe I'll set my gender display to friends-only. Though it's likely already been data mined, as that's one thing I've had publicly visible so far.

Not sure I'm even going to use the FB account for anything. Haven't felt inspired to so far.

2016/08/27: changed post visibility from Access List to Public
darkoshi: (Default)
Yesterday I had to download ActiveMQ for work.

I'm somewhat familiar with verifying the hashes of downloaded files, and have used a few different tools for doing that. The ActiveMQ page indicates that MD5 signatures can be used to verify the downloaded files. That sounded like the hashes that my tool could verify. But nowhere on the page did I see the actual MD5 values that one would compare against.

The ActiveMQ page also indicates that PGP or GPG signatures could be used for verifying the files. Ok... I figured that maybe this was a good reason for me to finally try out PGP and see how it works.

I read about the differences between PGP and GPG, and decided to try GPG. So I went to the GnuPG download page. But found that it only has the source code. Apparently the binary packages are only available on the mirrors. There's no mirror in the U.S. The Canada mirror site wasn't responding. So I looked at a few of the other mirrors.

It seems the latest GnuPG 2.0 version is not available in a Windows version. Why not? I don't know, but after reading a bit, it sounded like the 1.4.* version should suffice for my needs.

Versions 1.4.0 and older are available as zip files, while new versions up to 1.4.9 are exe files. Why no zips for the later versions? I'd prefer not having to install anything... And how would I verify these downloads? Where are the checksums for them?

It was at this point that I decided to forgo verifying the downloaded ActiveMq files.
I had a fuzzy head type head-ache, by the way. Makes it harder to think.

Based on this experience, I'm not surprised that the use of PGP encryption hasn't caught on all that much. It seems you have to be a developer to even figure out how to get it. Heck, the first answer on this page to the question "Where can I find a command-line version of GPG for Windows?" is "You could download it and compile it yourself".

I subsequently found this Gpg4win download page which has a small 4MB version and also lists the SHA1 checksums. Whenever I feel up to it, I may try that one out.
darkoshi: (Default)
Yesterday I encountered this problem again, where the wrong search term was passed in the Referring URL, when I clicked a result in Google's search results. I narrowed down that the problem only happened when NoScript was enabled.

More info can be found on this thread that I posted to the NoScript forum.

Other things that I've discovered in the last 24 hours:

If NoScript is set to block JavaScript for google.com, then on the Google page, you don't get the drop-down with search suggestions, as you type. (But the Firefox Search Bar does still provide search suggestions.)
When you open the main Google page, the focus won't automatically be set to the search box.
Most of the search functionality is still there even with JavaScript disabled, but small niceties like those are missing.

This page has info on using either "https://www.google.com" or "https://encrypted.google.com" for encrypting your searches. It also mentions some of the differences between them.

Using https google.com prevents referring URLs being sent, except for ad links.
Using encrypted google.com prevents referring URLs being sent, including ad links.

You can configure NoScript to force connections to google.com to use HTTPS:
Options - Advanced - HTTPS - Behavior - add *.google.com in the box for "Force the following sites to use secure (HTTPS) connections".

For certain pages to work, the following also need to be configured in the "Never force" box:
www.google.com/imgres
translate.google.com

With NoScript forcing HTTPS for *.google.com, it appears that no referring URL is sent, even when you click on ad links in the Google search results.

There's no simple/obvious way to update the Firefox Search Manager settings to customize the URL/parameters that get used for each search engine. But with the above "Force HTTPS" NoScript configuration for google.com, any Google searches initiated via Firefox's search bar or the "Search Google for..." context menu item will get sent to the encrypted https://www.google.com site rather than the default non-encrypted http://www.google.com site.

Changing the search engine which is selected in the Firefox Search bar also controls the search engine that is included in the context menu item "Search ... for ...". (It always struck me as preferential treatment that only a Google search entry was included in the Context menu; I didn't realize that it was controlled by the Search bar selection).

In Opera, it is easy to update the URL/parameters used for each search engine. Simply click the Search drop-down, select "Manage Search Engines", and click the "Add..." or "Edit..." button.

This page lets you manually add a search provider for IE7. I didn't test it. It might not work in IE9. There isn't any other obvious way of manually entering your own search provider in IE9.


In Firefox, you can configure whether or not referring URLs are passed (for all sites) via the network.http.sendRefererHeader setting on the about:config page.

In Opera, you can configure whether or not referring URLs are passed (for all sites) via:
Tools - Preferences - Network - Send Referrer information
or
Tools - Quick Preferences - Send Referrer information



Info on configuring ABE in NoScript. (need to whitelist the domain first)
darkoshi: (Default)
Forestfen is having difficulties with Yahoo's new web-mail interface. Its "Clean, simple design that makes email a breeze" is different from how it was before, and therefore is not simple for her. I'm sure there are many other similarly disgruntled non-tech-savvy users like her.

Last week somehow all her Inbox messages got moved to the Trash folder, and I had to show her how to restore them. It might have happened due to the "Select All" checkbox and the "Delete" button being right next to each other, making it easy to accidentally click both.

I've suggested a few times she switch to Gmail. But her business cards have her Yahoo email address, so she doesn't want to change it.

.

This is from Yahoo Mail's Additional Terms of Service:
By using the Services, you consent to allow Yahoo!’s automated systems to scan and analyze all incoming and outgoing communications content sent and received from your account (such as Mail and Messenger content including instant messages and SMS messages) including those stored in your account to, without limitation, provide personally relevant product features and content, to match and serve targeted advertising and for spam and malware detection and abuse protection. Unless expressly stated otherwise, you will not be allowed to opt out of this feature. If you consent to this ATOS and communicate with non-Yahoo! users using the Services, you are responsible for notifying those users about this feature.

Bold font added by me - I find that last sentence rather objectionable. I wonder if Gmail has something similar in their TOS.
darkoshi: (Default)
I'm trying out Ubuntu on my old desktop computer. It seems I need to install some extra files for the wireless adapter to work. So on my laptop, I a did a Google search for "linux firmware wireless mn-730", and opened one of the results pages in a new Firefox window (like I normally do).

The results page that I opened (http://www.tomshardware.com/forum/7944-42-does-wireless-adapter-work-linux) included a section at the top which displayed this:
You have searched for "xxxx" . You might be interested in the following threads: ....

Where "xxxx" was a totally different search phrase, unrelated to Linux, which I had entered in Google earlier today! The page then displayed links to other pages on the site which were presumably in some way relevant to my previous search. Another section of the page included "xxxx" again - "helpfully" pre-filling an entry field with it so that I could post my question on their forums.

I was particularly miffed by this, as the search string "xxxx" in question included part of my home address.

So apparently this website is not only able to see the search phrase I used to find the website, but *also* a totally different search phrase I previously had entered in Google. This disturbs me. This is surely considered an invasion of privacy, is it not? Since when does Google share your search history with other websites? Has this been going on for a long time?

I have NoScript running, blocking most scripts. The only Google site I see marked as allowed on this page is "googlesyndication.com".

Maybe this is a bug. It seems reasonable that my actual search string "linux firmware wireless mn-730" should have been passed to the page, but perhaps my prior search string was passed by mistake.

Update: Even when I open that tomshardware.com webpage using the above link, it *still* displays my prior Google search string! Closing all my browser windows and forbidding script access for googlesyndication.com didn't get rid of it either. Clearing my cookies didn't get rid of it. It only went away after clearing my Cache, Active Logins, and Site Preferences.

I then tried to recreate the scenario of having the page display a previous search phrase, but it hasn't happened again. So it must be a bug somewhere.

(no subject)

Monday, June 23rd, 2008 08:20 pm
darkoshi: (Default)
Internet friends aren't real friends, they just let you pretend you have some kind of social circle.
Internet friends are entertainment like TV, like a book, for when you're bored, with the added bonus of being interactive.
They can be ignored when you're busy or tired or not in the mood, and they don't get mad at you when you do so; it's the same way for them.

Maybe I don't want real friends, maybe I really do just want to be entertained, and to pretend.
The thought of having real friends, and having to spend time doing things with them... doesn't actually sound so great. What kinds of things would we do? Would I enjoy the activities, or would it seem like a waste of time which I could have spent doing other things? I can't think of much of anything I'd really want to do, which I couldn't do as well by myself. One friend actually is all one needs, a companion for the things you wouldn't feel like doing alone. And you to accompany them. And I have a friend. Would I want more? I suppose you could do different things with different people, if no single person enjoyed all the things you wanted to do.

How much of my not having friends is due to me not being able to make them, versus me not wanting them? Friendships always sound nice in theory; books and stories make them sound like fun... but in real life? Real life isn't a book or a story, and real people don't tend to be from my preferred genres. I'm living in the Regular Fiction/Non-fiction section, not the Sci-Fi/Fantasy section.

.

I walked to a nearby store last week. Another day, I just went for a walk, to walk. There are places I walk by, which call to me.... wouldn't I like to walk into that section of trees? I bet it's magical in there, or spooky.... but I daren't. There may be people watching. There may even be people within that section of trees.. they would look at me or maybe even shout at me, and make me extremely uncomfortable. Better to just keep walking along the street. But I wonder, why do I seem to shy away from the things that most attract me?

That was always one of the rudest surprises... Walking along the paths through the trees, my private secluded areas, and suddenly catching sight of someone else... a solitary adult man sometimes, a potential danger (act confident; walk briskly; ignore them and they'll ignore me)... or hearing other people's voices.... making me anxious, destroying my peace... it's no longer my own private secluded area. I can no longer go there to get away from people... now there is the possibility that there may be eyes even there, watching me. Why does my feeling of belonging disappear, once I realize there are other people there too? Then I become just an interloper, myself.