Saturday, December 24, 2011

What I've Learned about Security

UPDATE: I started this because I did not practice what I preach for a long time about password security. When I did start I realized how difficult it actually was. I only started because I had a bad experience directly related to my bad practices--it could have been worse--I was lucky. After many days of figuring out how to implement what I've preached--this is the method I came up with. I know it's long, and it's a lot of information to throw at someone. I really feel it's worthwhile information though, and I sincerely hope it convinces others to practice better security on the net before they have a bad experience too.

So I'm a nerd, and people I know ask me computer related questions. With all the recent news of computer security breaches in big companies, it has been a popular topic.

The biggest problem with computer security is that very few people understand it. Including the experts. Full disclosure: I do not consider myself an expert, but I am not unfamiliar with the subject either. So in this blog post I will lay out what I have learned the hard way about password security for the average user.

It all started a few months ago. Like most everyone I had the same username and password for everything. Despite knowing it's bad practice, despite my own advice to others, I was lazy. I don't want to have to remember a bunch of different complicated passwords. Then one of the sites I used was compromised. The user names, emails, and passwords were posted in plain text on the Internet for all the world to see (it was MtGox for the curious--and what that is for is another post altogether.)

I knew a little bit about how passwords are stored in a database. They're not stored as plain text; they're run through a one-way algorithm and stored as a bunch of garbled letters and numbers (the result is a hash, and the process is known as hashing). When you type in your password it is run through the same algorithm to see if the result matches the stored hash. I also knew that complicated passwords (like those that use lower case and upper case letters, numbers, and special characters) are harder to crack.

What I didn't realize is that computers have gotten pretty powerful in the last few years, and the ability to crack a hash (guessing passwords and running each guess through the same algorithm until one produces the stored hash) has gotten significantly faster. It used to take years for the most powerful computers to work through enough guesses to crack these hashes. That's not so anymore.

Just a quick note about passwords: length trumps complexity. There is a nice web comic that explains why. Really all you need to know is that a long password (20 characters or more), all in lower case, is more secure than a complex 8-character password. There are a number of "password strength checkers" on the Internet, but almost all of them place more importance on complexity than on length. Don't ignore complexity though. I recommend a capital letter and a number or special character in a long, easy-to-remember password. Long sentences or phrases with punctuation and proper nouns are what I like.
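As an added example (not from the original post), here is the hash-then-compare process described above together with the length-versus-complexity comparison, in Python. The choice of PBKDF2-HMAC-SHA256, the 16-byte salt, the 200,000 iterations and the sample passwords are my assumptions, not anything the post specifies.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Assumptions (not from the post): PBKDF2-HMAC-SHA256 with a 16-byte random salt
# per password and 200,000 iterations. The deliberately slow, repeated hashing is
# the answer to "cracking got faster": every guess costs the attacker the same
# 200,000 rounds that one legitimate login costs the site.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record a site should store: 'iterations$salt$hash' in hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Run the login attempt through the same algorithm and compare the hashes."""
    # The salt and iteration count are read back from the stored record, so the
    # recomputed hash matches only if the password is the one hashed originally.
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check itself leaks no timing information.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Alphabet sizes for the length-versus-complexity comparison.
CHARSETS = {
    "lowercase": 26,
    "lowercase+uppercase": 52,
    "lowercase+uppercase+digits": 62,
    "all printable ASCII": 95,
}


def strength_bits(length: int, charset: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size)."""
    # Each extra character multiplies the search space by the alphabet size,
    # which is why 20 lowercase characters beat 8 drawn from all 95 symbols.
    return length * math.log2(CHARSETS[charset])


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print("stored record:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    for candidate in [(20, "lowercase"), (8, "all printable ASCII")]:
        print(candidate, f"{strength_bits(*candidate):.1f} bits")
```

Hashing the same password twice gives two different records because of the random salt, so a leaked database cannot be cracked with one precomputed table for every user at once.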

In my case I had a 10-character password made up of lower case letters and numbers, and that password is now out on the net right next to my email address. I've even received email from people sending to that list. Kind of interesting, but nonetheless an eye opener. I also knew I had to go through every website I had a login on. There had to be an easier way.

First thing I did was change my gmail password and enable two-step verification. The link will explain more, but the short version is: it sends you a text with a code when you log into gmail (don't worry, there is a check box to remember you for 30 days). Waiting for the text verification is a minor annoyance when logging into gmail from another computer, like say from a neighbor's house, but it doesn't happen often.

Screen shot of KeePass.
The second thing I did was find a program I can use to keep track of passwords, since I knew all the passwords I would be changing would be different for each website. That way if any one gets compromised I don't have to do this again. I played with a few programs, but the one I liked best is KeePass. Yes, it is slightly more tedious to open it every time I need to get into a website, but it can be set to start with Windows. I'll get to how to make KeePass more accessible later too.

I started the tedious process of going to all the websites I visit regularly, changing the password, updating KeePass, and making sure my contact info is set to my gmail account (you'll see why). KeePass can even create a password for me, which is fine because it will also auto-type the username and password into a website for me. I don't have to remember any passwords except the one that lets me into KeePass. I also keep my gmail password as one I can remember, because if anything were to happen to KeePass most websites will allow me to use a forgot password option (that's why I make sure they have my gmail address).

Obviously, I am not going to remember every site in the first sitting. It took me a while. In fact I still occasionally stumble on a site that is using my old password and not in my KeePass program yet. For the most part I have been diligent, and when I come to one I update it right away.

Now I have a new problem: I don't know a single password to anything other than my gmail account. When I'm at work, I can't log into Facebook (a tragedy, I know). In addition to being a big nerd, I'm also an Eagle Scout; I like to be prepared and have options. So I came up with two ways to combat this problem.

The first way was through dropbox. If you are not familiar with dropbox, it can be a scary thing (it's the cloud, it's all scary, right? Not if you take a little time to understand what is going on). If you sign up for dropbox through my links here, you'll get an additional 500MB of space--and I will too :) It's cloud storage, but what I really like about it is it has a handy little program that will allow you to upload to it and keep your files synced from multiple computers if you need it... and the key is that it actually works well. It just simply adds a folder to your Windows user profile called Dropbox. Just save your KeePass file there and you are in business.

Now you are going to ask me, "why is it okay to store all your usernames and passwords on a cloud service?" Is dropbox fool proof? Absolutely not! I don't trust them any more than any other service. I do trust KeePass though, and if someone were to get my KeePass file they would not have an easy time getting into it (because I used that long and semi-complicated password I mentioned before). I also trust it because it is open source (another nerd term). When it comes to security, open source wins because it is transparent. If anyone wrote a shady open source program it would be outed right away because everyone can see the code that makes that program work. There are many arguments against it (most are rooted in a software company out of Redmond, Washington... but they have their merits so I can forgive them today) but it is the truth. I'll trust popular open source software when it comes to security over closed source any day.

So, dropbox, it's an okay way to keep your KeePass file updated across computers you use regularly. Personally I have it installed on my home computer, work computer, netbook, and a Linux VM (works great on Windows, Linux, and Mac BTW). But what if I am at a public computer? The same place we downloaded KeePass has two download options. The second is a portable version of the program that can run off a flash drive.

It's easy to use: download it, unzip it onto a flash drive, copy your KeePass database file to the flash drive, and now you can open that database from any Windows computer you plug the flash drive into. The downside is copying the database file to the flash drive. Unlike the dropbox version it will only be as up to date as the last time it was copied. There are ways around that with programs like Allway Sync; it will keep files from your computer updated with a flash drive when it is plugged in (details on how to use that are a whole new post too, but it is well documented).

I've been doing passwords this way for about three months now. I've gotten used to having KeePass open while I'm on my home and work computer. I've even gotten pretty quick about alt-tabbing between it and Chrome and having it type in my username and passwords. I've only had to know the password to KeePass and gmail since I've made the switch, and they are easy-to-remember long passwords. I've even changed them once just because. I can also sleep at night too, not because I know I'm a little safer on the web, but because now my advice is backed up with experience.

Thursday, November 17, 2011

Dabbling in Linux again

A few days ago I needed to play with a wiki, and like everyone when I think wiki I think Wikipedia... and in turn MediaWiki. Being this was for fun I thought it would also be a good time to try Ubuntu Server. I've used their desktop for years, and even though I find myself in the terminal more and more I've always been afraid to completely ditch the GUI.
That's no longer true.
In less than three hours I had a VM of Ubuntu Server 11.10 with Apache2, PHP5, MySQL, phpMyAdmin, and MediaWiki ready to go (that includes the time it took to download the ISO). I either became a genius since the last time I tried, or they have really made this stuff easier to set up and administer. I suspect the latter.
True, I did find myself looking up Linux commands and following how-to instructions, but it all worked well. I know I'm not the only one who has followed a set of Linux setup instructions to the T only to run into errors.
The main reason I'm posting all this is to share this little tidbit of information from The Geek Stuff that made some things begin to click for me. The picture on the right sums it up well.

Also, while working on this project I came up with the idea sudo should be replaced with yo. Still makes me chuckle.

yo apt-get install whatireallywant

Tuesday, November 08, 2011

Geekwagon Logo


Here I am writing about my website again, but it's not really about me or my website. It's really about web design in general, and sharing the few neat things I've managed to figure out. I'll be able to post some good information about a site that is not my own, but I helped create, some time in the future. For now I created my own problem to figure out: a logo.

What self-respecting website doesn't have a logo? What better way to recognize a brand than a well designed logo. It's part web, part marketing, and let's face it, I am no expert in either. I'm just going to make a post about it because I did learn some tricks tackling this.

The logo criteria, which I made up as I went along:
  • site name is the dominant feature
  • more than 2 colors
  • selectable text
  • hidden meaning
geekwagon.net logo: http://geekwagon.net/logos/logo.html

Because everything on geekwagon.net has been coded by hand, it made sense to make the logo look like a bit of code. The purple highlighted brackets were inspired by Notepad++, and gave it some color. To make the text selectable I knew there was going to be some combination of HTML elements styled with a sheet, perhaps in some sort of cascade. A view of the source will reveal it's just some HTML with a few silly class names and comments, with all the CSS contained in the page (because this made it easy to copy and paste into http://htmledit.squarefree.com/ and manipulate). It uses all of two images. The blinking cursor I nabbed from an image search; the foreground fade I made with Paint.net.

Lessons Learned:

  • To get the fade to work right I had to use z-index, and it is a pain in the butt that requires position: relative; in some places. Experiment until it works (at least that's how I do it).
  • span and div elements really are different, but only by default.
  • The CSS shorthand for background is useful, but took a few trips to w3schools.com to get it down.
I'd like to take this time to reiterate I am a newb at all this. Despite that, it has been a fun learning process. I have found the only way for me to learn these kinds of things is to just sit down and do it over and over.

What about the hidden meaning?

I'm glad you asked; there are actually two. First, an observant person will notice the numbers on the left are line numbers. They stop at 1336 because geekwagon.net falls short of leet. Second, geekwagon.net is a self-closing bracket because it is a self-serving website. Not terribly clever, but they made me chuckle.

Wednesday, November 02, 2011

ahead of the curve

While I'm sure this picture was only possible (at least for me) on the first day new Portal 2 downloadable content came out, I was semi-excited to see I beat the curve by a good margin.


Tuesday, October 11, 2011

One of the goals for geekwagon.net was to master CSS well enough to make the site look similar across different web browsers. I had a rare opportunity to view it from Windows 2000 using IE6 at an amazing 16 colors. The thumbnail below (which isn't far from the screen-capped resolution) is a screen shot of how it looked.


The only problems are all related to JavaScript (the +1 button and the advertisements), both of which I could care less about. Interestingly enough, the JavaScript used to round the borders worked just fine in IE6.

Tuesday, October 04, 2011

Defining Jimmy's Law

Moore's law is one of those concepts often debated on whether it continues to apply to modern processors. Over the years I've noticed a different phenomenon, and the other day, while installing a top of the line Intel Core i7, I made a law for it.

As the technology behind processors increases in power and complexity, the technology behind attaching the heatsink becomes flimsy and difficult to install.


I can only hope my law someday becomes a hot topic of debate with supporting evidence on both sides. Even better, I hope the law becomes obsolete altogether. However, the growing heatsink aftermarket could be solid evidence Jimmy's law will be around for a while.

Image courteously stolen from a web site that started with big red letters stating, "WARNING: engineering defect in stock Intel heatsink/fan units for LGA socket."

Wednesday, September 28, 2011

Dear Acronis, You Let me Down


The short: Acronis makes great backup products for business use. If you are going to spend money, buy Acronis® Backup & Recovery™ 11 Workstation. Do not buy Acronis® True Image™ Home 20xx!

I debated putting the True Image icon with
the International Standards prohibition symbol.

Some quick bullets from my experience with True Image on two different computers.
  • Sometimes takes 5+ minutes to connect with online service
  • Becomes unresponsive often.
  • Regularly can't suspend backup to online service
    • Tried stopping every service and program that has to do with Acronis, and no luck. Have to restart the machine, which is not a huge problem until you get to the next bullet.
  • Included "safety valve" that stops Windows from restarting during backup.
    • I'm sure this is great if you aren't doing the initial online backup that takes five days.
    • I have found I can manually stop Acronis services and restart, but seriously, why should I have to stop services to restart my computer? Can't there be a check box that says "Dude, we can continue this backup after the 2 minute restart instead of trying to wait for the backup."

The rant: So I'm not a huge fan of customer support, the following are reasons why.

My issues aren't show stoppers so I chose to use the email customer support option. Only after I explained my problems thoroughly in the text box did it tell me I was limited to 1024 characters. I'm going to ignore how silly it is to limit a tech support email to 1024 characters and ask the hard questions. Would it really be too much to have a note about that? Better yet, one of those nifty countdown things that changes as you type and tells you how many characters you have left.

So I luck out, hit back, copy and paste my well thought out questions into notepad and fire up the "chat with customer support" option. Not trying to be rude to the guy, I am a very patient person and I've got all day to keep the chat window open. When we started I specifically mentioned I have been through the forums and knowledge base (which is one of the things I love about Acronis) and could not find the answer to my questions. I even linked him the articles somewhat related to my issue, but they didn't address it. I politely asked, in a less blunt manner, not to copy and paste from these articles I've already read. The very first response he gives me was right off the "initial backup to online services may take days." Duh? You don't say? Will it really take me days to upload ~30GB to an online service over my 512kb upload speed? I didn't exactly need a calculator to figure this out, but I certainly don't need tech support regurgitating what I told them. Don't get me wrong. I understand the guy is just doing his job. It's monotonous; he deals with people every day asking questions with answers available in the knowledge base. But if you aren't even reading what I write to you, how can I take what you tell me seriously? Now I know you're just blurting out anything remotely related to what I'm talking about.

THAT'S NOT ALL. I can actually overlook all that ^. What really grates me is when customer support says, "I'm going to send this to a higher level of technical support, you'll be getting an email with all the information you need to talk to them" and then I never get an email. It's not that it will take longer. It's not that you don't know the answer and I have to talk to someone else. It is simply that you said you would do something that never happened. This is pretty much the problem with the whole world. Many many people say many many things, but have no intention of actually doing anything they say*.

*I cannot claim this without recognizing some hypocrisy, but at least I am aware and apologize when possible.

Wednesday, September 21, 2011

That Light-bulb is Around here Somewhere

Finally got around to revamping geekwagon.net's main page with my new "structure is important" goal in mind. The more I get to know PHP the better I understand how powerful it can be. My infinite noobness actually had me going to all the pages and making changes. This was fine for a while, when I had 2 pages. Now that I am expanding and learning I know I can have a file named head.php with the line

<link rel="stylesheet" type="text/css" href="http://geekwagon.net/home/common/stylesheets/current_stylesheet.css">


Then when or if I ever want to change my style sheet I don't have to go and change it on every page. Every page I make just does a file_get_contents on head.php. Then if I want to try a new style sheet I just go change the line in head.php.


I'm sure I'm the last person on the planet to figure this out. It also feels like I'm reinventing WordPress. Albeit, a really simple version for slow people like myself. Either way, I am learning and that is what is important.



Side note: omgthx for updating post interface Blogger/Google/whoever you are. We can write post using most of the browser window instead of that little useless box!

Tuesday, September 06, 2011

Definition of Maximum?

I'd like to preface this post by saying I am a fan of 7-zip. I couldn't help but notice in their Compression level options they have an option above Maximum.
Is there a definition of maximum I was unaware of?

max·i·mum/ˈmaksəməm/
Noun: The greatest or highest amount possible or attained.
Adjective: As great, high, or intense as possible or permitted.

Photo courtesy of my Print Screen button.
I suppose, because it's open source, I can fork it and make my own version that changes the position of Maximum and Ultra. Maybe just remove Ultra altogether. There is a decent chance my programming skill is not good enough to do even that (though usually I can find and delete pretty well). I find this oversight a little ridiculous for a whole community of logical thinkers, so I can only assume I am missing a key tidbit of relevant information.

Poor web design

One of my recent projects has been geekwagon.net. It's a website that is pretty much useless, but gives me something to code by hand to figure things out. Today I came across this article about bad HTML and CSS.

Other than the bullet about flash dependency, I think I've broken every one of these dang rules. I found the part about "visual thinking" the most eye opening. That is pretty much how I've always done websites. First figure out how I want it to look, then make a structure that conforms to it. That paragraph changed the way I will make websites from now on. Worth a read.

Wednesday, August 31, 2011

Redefining My Personal Blog


Long periods of time go by between posts; this is just something I've decided is par for the course of most personal blogs. Besides, it's not like anyone reads them anyway.

I've been having fun playing around with websites lately; specifically geekwagon.net. One of the things I did with the domain was move my blog to a subdomain on geekwagon.net. It's time to redefine what I use this blog for.

  • Obscure Observations - The idea is to point out anything interesting not already on the Internet. Almost guaranteed to lead to short horrible posts like these examples.
  • Personal Achievements - Perhaps achievement is too strong a word. Things posted should be interesting in some fashion, but will end up being case mods or sketchup models of Rubik's cubes.
  • Helpful to Someone - Things I do, usually to help me figure it out in my own head, and make note of in hopes it might help someone. My only decent examples are financial, but maybe there will be posts that branch out from that.
  • Rant - Who doesn't need to rant sometimes?