Posted Wed 8 June 2011, 11:07am

Reading about the recent security breaches at Sony, Lockheed and HBGary/Bank of America, etc., as well as the apparent over-reaction by the Pentagon, has got me thinking about my own day-to-day security practices. It was incredible how often those breaches could have been mitigated or prevented altogether by exceedingly basic security practices. I'm obviously not expecting to raise the ire of Anonymous any time soon, but I value privacy, and there are some real concerns.

The main one is that various state entities have made it clear they would like unimpeded access to everyone's data. Less than a year ago a US Wikileaks volunteer was flying back into the country when his encrypted laptop was seized and authorities demanded he decrypt it for them to read. He refused.

In Canada, the Harper regime is preparing to force all internet providers to develop means to let the police spy on all our online activities without needing a warrant, under a so-called "Lawful Access" provision.

To drive the point home further, one of the websites I host for a community group was compromised last year, luckily only by a spammer, who had invisibly injected Viagra ads into the site's source code.

After taking all this in, and reading an interesting but pretty heady Wikipedia page on password strategies, I remembered uneasily that all my email accounts, all my web forum logins, all my bank info for that matter, basically used variations on one of three passwords I had memorized, none of which was exceptionally strong. If someone gets ahold of a web forum password you use (these are often poorly protected) and it's the same one used for banking, that could be a bad thing. With Lawful Access (mentioned above), it's going to be dead simple for the Canadian government to gather any passwords transmitted as cleartext, as many are. For me to reliably remember more than about three passwords, I'd have to write them down, which leads to other problems.

I've now switched over to a piece of free password management software called KeePass (or rather KeePassX, which also runs on Ubuntu), and I only have to remember one password, the one to decode the KeePass database I created. That database stores all of the passwords to my other sites. Better still, it generates passwords automatically for you. Unique, 30-character passwords that use mixed case, numbers, and random punctuation (where allowed) have me feeling much better. Best of all, it's fairly straightforward to install and use, and following some simple steps you can use it with a free Dropbox account, as described here, to have access to your passwords on any computer.
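As an added illustration (not KeePassX's own code and not part of the original post), this Python sketch generates the kind of password described above: 30 characters from a cryptographically secure source, with the punctuation set adjustable for sites that restrict it. The function names and the rejection-sampling approach are assumptions of this example.

```python
import math
import secrets
import string


def generate_password(length=30, punctuation=string.punctuation):
    """Return a random password containing every enabled character class.

    `punctuation` is the set of symbols the target site accepts; pass ""
    for sites that allow none (the post's "where allowed").
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if punctuation:
        classes.append(punctuation)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        # secrets uses the OS CSPRNG; the random module is predictable
        # and must not be used for credentials.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejecting and redrawing (instead of patching in a missing class)
        # keeps every valid password equally likely.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound on entropy when each character is chosen uniformly."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password())                   # full 94-symbol alphabet
    print(generate_password(punctuation="-_."))  # site with limited symbols
    print(round(entropy_bits(30, 94), 1), "bits at 30 characters")
    print(round(entropy_bits(8, 26), 1), "bits for 8 lowercase letters")
```

The entropy figures only hold because each character is drawn independently and uniformly; a password a person invents at the same length carries far less.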

As is always the case with security, there is a tradeoff between advantages and drawbacks, so read the documentation before installing. The big drawback is that if you forget the password to your KeePass database, or lose the database, all of your passwords are gone forever.

I may at some point go further still and, like the Wikileaks guy, encode my entire laptop... if I ever own one.

Update 1:43PM: And just hours after posting this, the Dominion published an article titled "How community organizers are working together for more secure online communications".

Posted Sat 7 May 2011, 1:22am

Someone recently asked me what RSS feeds I'm following in my newsreader. Here's what they are right now.

Posted Mon 16 August 2010, 1:57pm

There are a few Firefox tools I've come to depend on so much that I well up with anxiety at the thought of losing them. Others are just nice or handy. I thought I'd share for those who haven't already come across them.

#1 - Form Recovery

Have you ever spent half an hour composing a brilliant comment (or any other web form content), only to hit the wrong button and lose it entirely? It's even worse when it's the browser's fault. Even if this hasn't happened to you (and I find that hard to believe), there's no reason for you to not install this form recovery plug-in for Firefox as insurance for the future.

True, it raises some privacy concerns when anyone using your computer can pull up form data you've entered, but the security options provide a range of solutions, and I'm sure there's one you can live with.

#2 - Keyword searches

This is another crucial tool that I was ignorant of for too long. In Firefox, any time you're confronted with a search box, you can right-click it and select "Add a keyword for this search". The image here shows how you'd do it for quick Wikipedia searches, for example.

A dialog will pop up to add the keyword. You'll notice it's stored as a bookmark. The name you give it doesn't matter so much. I store all my keywords in a separate subfolder, but that doesn't matter much either. Make sure to put something in the "keyword" box, though. I use wp for Wikipedia. Then you can do quick Wikipedia searches by going to your browser's location bar (that's the one with the URL, get there quickly by hitting Ctrl+L) and typing, for example, "wp molasses flood" to learn about the Boston molasses disaster of 1919.

I've got a whole pile of these set up. dc to look up words in the dictionary, th for thesaurus, of course, yt for YouTube videos, gm to look up addresses in Google Maps, kj to look up things I'd like to buy off Kijiji, wpl to search for books in the Winnipeg Public Library, mec to look up products sold at Mountain Equipment Co-op, gg for a straight up Google search, and on and on.

If you want to get fancier (this is probably not for the faint of heart) you can also set up keywords for searches that take multiple search inputs, no search inputs, or append default data to your search terms. I have a we keyword that brings up the current weather (no search terms needed). For searches that take multiple inputs, you can construct a URL for the keyword using the token %s where you want your search terms put in, and default values for the other terms.

If you want to get really fancy, you can actually set up keyword searches that take two user-specified inputs. For example, I often use the City of Winnipeg Assessment site to look up properties. Sometimes because I care about the assessment, but more often because they also offer maps that give you a much better idea of where a specific building is located than Google Maps. It takes two inputs, a street number and a street name, so I wrote a wrapper PHP script that accepts one input, breaks it into words, uses the first as the street number, the second as the street name, and throws the rest away. It then redirects you to the Assessment search result using those inputs. Feel free to try it out and use it as a keyword at the link above.
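The wrapper described above can be sketched as follows. This is an added example in Python, not the author's PHP script; the destination URL, the query parameter names and the `q` input parameter are placeholders, since the post does not give the Assessment site's real ones. It validates both words and keeps the redirect host fixed, so the script cannot be used to redirect visitors elsewhere.

```python
import re
from urllib.parse import parse_qs, urlencode

# Placeholder destination: the real search URL and field names are not
# given in the post.
SEARCH_URL = "https://assessment.example.invalid/search"

NUMBER_RE = re.compile(r"[0-9]{1,6}")                # street number: digits only
STREET_RE = re.compile(r"[A-Za-z][A-Za-z'.-]{0,39}")  # one word of a street name


def build_redirect(raw_query):
    """Map 'NUMBER STREET [ignored ...]' to a redirect URL, or None if invalid."""
    words = raw_query.split()  # splitting on whitespace also discards CR/LF
    if len(words) < 2:
        return None
    number, street = words[0], words[1]  # everything after is thrown away
    if not NUMBER_RE.fullmatch(number) or not STREET_RE.fullmatch(street):
        return None
    # The scheme and host are constant and user input only ever lands in
    # percent-encoded query values, so the caller cannot choose the
    # destination (no open redirect) or inject extra headers.
    return SEARCH_URL + "?" + urlencode({"number": number, "street": street})


def app(environ, start_response):
    """WSGI entry point; bookmark <this script>?q=%s as the Firefox keyword."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    target = build_redirect(q)
    if target is None:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"usage: <street number> <street name>\n"]
    start_response("302 Found", [("Location", target)])
    return []


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["510 Main Street", "12 O'Brien", "Main 510", "510 //other.example"]:
        print(repr(sample), "->", build_redirect(sample))
```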

#3 - Download statusbar

Tired of that cumbersome Firefox downloads window? The download statusbar add-on unobtrusively keeps all of your downloads in sight at the bottom of your browser window.

#4 - AdBlock plus

The best way to eliminate annoying ads & pop-ups is AdBlock plus. If you want you can get rid of Google's text ads, a.k.a. "AdWords", also.

#5 - Canadian English Dictionary

It never hurts to have a spell checker that actually works properly. Here's the Canadian English Dictionary add-on.

#6 - HTTPS everywhere

The fabulous Electronic Frontier Foundation came out with the HTTPS everywhere add-on earlier this year. It's basically a privacy thing. Many folks aren't aware of how easy it is to "listen in" to what others are doing on the internet. In this age of widespread warrantless and illegal wiretapping, that's cause for concern for many people. HTTPS everywhere is basically a dead simple way to encrypt your web communication with whatever websites allow it. A snoop could still easily see which web sites you were connecting to, and how much information was being transferred, but all of the contents of the information being sent would be scrambled.

In practice, the add-on doesn't even do much but redirect you to, for example, encrypted.google.com, the encrypted version of Google, whenever you try to communicate with its normal site at google.com.

#7 - Googlesharing

If you're worried about the power Google is accumulating and its ability to track and store your personal information, the Googlesharing add-on may be for you. It tries to hide your information and activities from Google, basically by re-routing it through a deluge of accounts so it's impossible for Google to track who's doing what. It doesn't interfere with your normal use of Google. IIRC, it's pretty limited, since it doesn't work when you're logged into a Google account.

#8 - URL fixer

This add-on tries to fix common typos you might make, like entering .cmo instead of .com, for example.

#9 - Stylish

Stylish lets you re-style web pages through their CSS code, which I would probably never do myself, but you can also install re-stylings other people have come up with. The one that's helpful for me is getting rid of an annoying little "2 users liked this" box they added into every item in Google Reader a year or two back that was driving me crazy.

#10 - Firebug

If you do any work with website CSS you can't live without Firebug.

#11 - Inline MP3 player

I recently came across this script that adds an mp3 player into your browser any time a link to an mp3 appears, so you can just hit play instead of having to download files and open them in some player every time you want to listen to something. To use it you need to have a Firefox add-on that allows custom scripts called Greasemonkey installed.

 

Posted Sun 1 August 2010, 3:55pm

Justin Podur was blogging all day yesterday about the start of his computer-aided analysis of the War Diary. He managed to overlay maps of Afghanistan with references in the leak to locations of incidents involving various keywords or acronyms like "Canadian Forces", "Drug War", etc., then overlaying more maps to try to find underlying patterns, all with freely available data and free software. Tim Groves from the Toronto Media Co-op called for groups of people to come together to take a collaborative approach to analysing the references to Canada in the ginormous leak, which could be a really interesting new way to do analysis, especially given all of the free on-line collaboration tools like wikis now in existence. I'm excited to see where this goes!

Here's a brief update on how the whole leak has been unfolding over the past few days: the White House is now begging Wikileaks not to release any more documents. US border guards detained a Wikileaks volunteer (mostly known for his work on the fabulous on-line anonymizer Tor) and questioned him for three hours. They demanded he decrypt the files on his laptop, and he refused, so they just gave it back to him and let him go, though they kept his three cellphones, and FBI agents followed him around. Bradley Manning, the US soldier accused of giving the documents to Wikileaks, was transferred on Thursday from the military prison in Kuwait where he was held since May to a military prison in Virginia. It's expected he'll be kept there a long time in solitary confinement before ever being put on trial.

Posted Sun 18 July 2010, 4:32pm

I just re-did this site in Drupal. I think it'll be something of a blog.
