Oct 03, 2013

Deooglization

Here are the steps I've taken recently to cut down on the amount of free data I've been passing on to Google, and by proxy any unsupervised NSA contractors who may be running amok. I've taken to calling this project 'Deooglization'.

  • Uninstalled Chrome, switched back to Firefox for daily browsing
  • Switched the search bar to use DDG via the DuckDuckGo Plus addon
  • Shuttered the G+ account associated with my identity
  • Migrated away from gmail - Implemented most of Daniel Patterson's Hacker's Replacement for GMail (minus notmuch since I don't live in Emacs that deeply)
  • On StackOverflow, I stopped using Google for an OpenID source and switched to openid.stackexchange.com
  • Removed as many Google apps from my phone as I could.

Outside of Google, I also shut down the Flickr account associated with my identity. I haven't had a Facebook in ages so there was nothing to shut down there. I haven't shut down my Twitter account yet, but it's just a matter of time, I suppose.

I've also found that diversifying my passwords has helped a lot: in a few cases where I'd gone to google out of habit, it's been such a PITA to retrieve my password that I just do something else, like take a walk or catch up on the laundry.

Next steps: setting up a Dropbox replacement.

Aug 09, 2013

The case of the late night system boots

A few weeks back, at around 3:00AM I was woken up by the sounds of a computer booting. It turned out to be an old Ubuntu desktop in the study. Since it was storming at the time, I figured it was due to a power outage, so I shut down the machine and went back to bed.

A couple nights later the same thing happened. This time I made sure the BIOS on the machine was set to restore the machine to its previous state after an outage instead of turning it on. It turned out it was already set to restore the previous state. Odd, but it was 3:00AM so back to bed I went.

The third time it woke me up was around the time Thinkhost/Dreamhost dropkicked the old site in the gonads, and I started freaking out a little - I wasn't getting email, my corny vanity site had disappeared and I had a machine turning itself on in the middle of the night. It was coming out of hibernation when it started, so when I noticed it, I was already logged into the console, and my 3:00AM self didn't notice any weird activity on the machine. I poked around in the BIOS again to make sure the Wake-on-LAN options were not set and powered down the computer. Still, I started pulling Ethernet cables out before going to bed until I had a chance to really figure out what was going on.

Then over the weekend I started the machine up and then started some Laundry [*]. When I eventually got back to the study, the machine was still on. I'd been gone long enough that it should have gone into hibernation by then. I ran 'sudo /usr/sbin/pm-hibernate' manually and it went through its normal hibernate routine, but after it powered down, it immediately booted back up again!

Then it all made sense - the machine had been trying to hibernate and rebooting, then waiting some number of minutes with no keyboard activity and repeating the cycle. If I was sleeping lightly enough at the time, the beeps during the restart would wake me up; otherwise I was sleeping through all the restarts. Eventually someone in the house would notice the machine was on and shut it down gracefully. I have no clue how long hibernate had been failing like this. Weeks at least.

But on to the solution. I didn't find much on the Internet about the problem (hence this post), but the combination of basic-pm-debugging.txt and the pm-hibernate man page led me to try adding an '/etc/pm/config.d/hibernate' file with the contents:

HIBERNATE_MODE=shutdown

With that in place, pm-hibernate went back to working like it used to, and I haven't been woken up by late night restarts since.
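As an added check (example code, not from the post), the script below reads a copy of the kernel's /sys/power/disk interface, which lists the hibernation modes the kernel supports with the active one in brackets, and a pm-utils config file, so you can confirm that 'shutdown' is actually available before relying on HIBERNATE_MODE=shutdown. It runs against constructed sample files so it works anywhere; point the functions at the real /sys/power/disk and /etc/pm/config.d/hibernate to check a live machine. The assumption that pm-utils passes HIBERNATE_MODE through to /sys/power/disk is mine, not something the post states.

```shell
#!/bin/sh
# Added example, not from the post. Checks the two places the hibernate
# fix depends on: the kernel's supported modes and the pm-utils setting.
# Assumption: pm-utils writes HIBERNATE_MODE into /sys/power/disk before
# hibernating, so the mode must be one the kernel lists there.

# Print the active mode, i.e. the bracketed word in a /sys/power/disk-style file.
disk_mode_current() {
    sed -n 's/.*\[\([^]]*\)\].*/\1/p' "$1"
}

# Succeed if MODE ($1) is one of the modes listed in the file ($2).
disk_mode_supported() {
    sed 's/[][]//g' "$2" | tr ' ' '\n' | grep -qx "$1"
}

# Print the last HIBERNATE_MODE assignment in a pm-utils config file, or "unset".
configured_hibernate_mode() {
    value=$(sed -n 's/^HIBERNATE_MODE=//p' "$1" | tail -n 1)
    if [ -n "$value" ]; then
        echo "$value"
    else
        echo unset
    fi
}

# Human-readable verdict combining the two checks: $1 is the disk file, $2 the config.
check_hibernate_config() {
    mode=$(configured_hibernate_mode "$2")
    if [ "$mode" = unset ]; then
        echo "HIBERNATE_MODE unset; kernel default is $(disk_mode_current "$1")"
    elif disk_mode_supported "$mode" "$1"; then
        echo "HIBERNATE_MODE=$mode is supported by this kernel"
    else
        echo "HIBERNATE_MODE=$mode is NOT listed in $1"
    fi
}

# Constructed sample files standing in for /sys/power/disk and
# /etc/pm/config.d/hibernate; replace with the real paths on a live machine.
sample_dir=$(mktemp -d)
sample_disk="$sample_dir/disk"
sample_cfg="$sample_dir/hibernate"
sample_empty="$sample_dir/empty"
printf '[platform] shutdown reboot suspend\n' > "$sample_disk"
printf 'HIBERNATE_MODE=shutdown\n' > "$sample_cfg"
: > "$sample_empty"

check_hibernate_config "$sample_disk" "$sample_cfg"
check_hibernate_config "$sample_disk" "$sample_empty"
```

If the real /sys/power/disk does not list 'shutdown', the config line will not help and the kernel will keep using its default (platform) mode, which is where the post's symptom lives.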

[*]For purposes of this blog, 'Laundry' is any non-computer indoor activity and 'Going for a Walk' is any non-computer outdoor activity.

Jul 24, 2013

A Password Diversification Plan

(TLDR)

You shouldn't be using the same password everywhere. You know this. Every time some popular site gets hacked and millions of passwords are lost, there's a flurry of news stories telling you never to use the same password twice. There's even an xkcd comic about it.

But let's face it, if you are a reuser, this can be a pretty daunting task. It's like getting in shape or losing some weight: it's not something that's going to change overnight. It's going to take some time to switch all your passwords.

With that in mind, here's a plan you can use to move away from password reuse at your own pace. As a side effect, it should also get you in the habit of using stronger passwords and make it easier to remember to occasionally change your passwords.

Pick a password manager

Instead of trying to remember multiple passwords, you should use a password manager. I like KeePass, but there are others available. Pick one and start using it. If you don't like it, switch to another one. Here are the important features:

  • Cross-platform - it should work on all your devices that are likely to prompt for passwords
  • Cut & paste of passwords - the plan is to eventually start using long passwords you can't possibly remember, so being able to copy a password to your clipboard and paste it into the password field is very useful
  • A random password generator

Pick a password for the password manager's database. Use a different one from your normal password, since you're getting out of the habit of using the same password everywhere. Try to make it longer than your normal password.

Then enter your current reused password as the first entry. The manager most likely has a 'copy and paste password to the clipboard' feature. For a day or two, get into the habit of copy&pasting your password from the manager instead of typing it manually.

Set up Dropbox account

You can use Dropbox (or an equivalent service) to distribute your password database across multiple machines and devices.

If you're setting up a new account, don't reuse your default password. If you already have a Dropbox account, change your password. Add the new or updated password to the password manager.

Copy your password database into the shared directory. Make sure it's not in a publicly accessible folder. Now you can access your password database from any machine or device you can access with Dropbox.

If your password manager supports keys, add key support, but don't store the keys on Dropbox. This way if Dropbox is hacked and your database is compromised, your database is still safe since the meenie weenies will not have your key.

Start changing your passwords when visiting sites

If you visit a site and can log in with your default password, find the place on the site that'll let you change the password, set it to a strong password, and add it to your password manager.

Try to change one or two accounts a day in the beginning, and then ramp up as you get more comfortable with the process.

When adding the new entries to the password manager, set an expiration date of something like 3 months. This is also to get yourself into the habit of changing your passwords regularly.

Learn to love the password recovery pages

The first couple times you add a password into the manager, you may screw it up and need to recover your password for the site. This is a hassle, but for most sites it's not really that big a deal, so don't let that scare you off from changing your passwords.

Still, until you've changed a couple passwords, it might be good to hold off on switching the passwords for important services like email, which would be more disruptive if you had to have the password reset.

Backup your password database

After the first week or so, back up your password database to a USB drive, or burn it to a CD, or export the database to a CSV file, print that out and store it in the safe deposit box in your fallout shelter with your lifetime supply of canned creamed corn. Whatever you're comfortable with. The important thing is that you make the backup.

Also set up some sort of weekly reminder to update the backup.

Start using different usernames for new sites

If you're also using the same username for all your accounts, you could start using different usernames as well, to make it more difficult for folks to track you between sites. Your password manager should have a place to store your username, so you can cut & paste that field in addition to your password.

Start deactivating unused accounts

You probably have lots of accounts that you never use. Instead of changing the passwords for these sites, I suggest closing out the account entirely. Pull down whatever data you want to save from the site, then change your password to something random, and don't bother adding it to your password manager. Then deactivate the account.

Bacn is a good source of reminders about accounts you may want to close out.

After a site's been hacked

When an online service you're using is hacked, you should update your password on the site right away, making it more random if you aren't already using totally random passwords.

You should also use this opportunity to look around and see if there's some other, more secure site that you could be using instead, or, if you're technically inclined, whether it's now possible for you to run a local version of this service on your own servers.

Change passwords that are expiring

Since you've been adding expiration dates to the password entries, when the manager starts warning you of an impending expiration, go ahead and change the password on the site. By this time you will have been using the manager for a few months, so try making the password longer and more cryptic. The password manager probably has the option of creating random passwords for you, so try that out. You should be very used to cut&pasting your passwords, so it shouldn't matter to you much by now that you can't remember the password.
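To make the expiration and random-password parts of the plan concrete, here is an added Python example (not from the post, and not any real password manager's code) of the bookkeeping a manager does for you: drawing passwords from the operating system's CSPRNG rather than a plain random number generator, stamping each entry with a 90-day expiry, listing the entries that are due for rotation, and producing the CSV export used in the backup step. The vault, the site names and the dates are constructed for illustration.

```python
import csv
import io
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example: a minimal in-memory vault, not any real manager's format.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Draw a password from the OS CSPRNG (secrets), never from random.random().

    Rejection-samples until at least one character of each class is present,
    which keeps the distribution uniform over the passwords that qualify.
    """
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


@dataclass
class Entry:
    site: str
    username: str
    password: str
    expires: date  # the manager warns when this date approaches


def new_entry(site: str, username: str, password: str,
              created: str, lifetime_days: int = 90) -> Entry:
    """Store a credential whose expiry is `lifetime_days` after `created` (ISO date string)."""
    expires = date.fromisoformat(created) + timedelta(days=lifetime_days)
    return Entry(site, username, password, expires)


def expiring(entries, today: str, warn_days: int = 14):
    """Entries already expired or expiring within `warn_days` of `today`, soonest first."""
    cutoff = date.fromisoformat(today) + timedelta(days=warn_days)
    due = [e for e in entries if e.expires <= cutoff]
    return sorted(due, key=lambda e: e.expires)


def rotate(entry: Entry, today: str, lifetime_days: int = 90, length: int = 24) -> Entry:
    """Replace the password with a fresh random one and push the expiry forward."""
    return Entry(entry.site, entry.username, generate_password(length),
                 date.fromisoformat(today) + timedelta(days=lifetime_days))


def export_csv(entries) -> str:
    """Plain-text CSV export for an offline backup; treat the output as a secret."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["site", "username", "password", "expires"])
    for e in entries:
        writer.writerow([e.site, e.username, e.password, e.expires.isoformat()])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the reused password entered on day one, plus one newer account.
    vault = [
        new_entry("example-shop", "alice", "hunter2", created="2013-04-20"),
        new_entry("example-forum", "alice", "hunter2", created="2013-07-01"),
    ]
    today = "2013-07-24"
    for due in expiring(vault, today):
        print(f"{due.site}: expires {due.expires}, rotating")
        vault[vault.index(due)] = rotate(due, today)
    print(export_csv(vault))
```

The rejection loop in generate_password is what a manager's "require a digit and a symbol" checkbox does; the 14-day warning window in expiring is the equivalent of the manager's expiry reminder, and the CSV export is deliberately unencrypted, which is why the post tells you to keep that backup somewhere physically safe.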

Summary

  • Don't use the same password everywhere
  • Use a password manager - back it up regularly
  • Move away from using your reused password slowly at your own pace
  • Close out unused sites that are using the reused password
  • Set expirations on the passwords so you'll remember to change them regularly
  • Move to more secure sites / self-hosting after sites are hacked

Jul 15, 2013

'First' post

My previous provider Thinkhost is currently being rolled into Dreamhost, such that Thinkhost will be shut down at the end of the month. Apparently the old pwan.org site was dropped during the account migrations. First I noticed I wasn't receiving any pwan.org email, so I opened a ticket, then I realized the entire site was down and opened another ticket.

As far as I can tell all that's left of Thinkhost's tech support department is the liebot sending out the 'someone will get back to you as soon as possible' automated ticket responses. Blthhh. After 5 days of no site and radio silence, I finally got a response that said pretty much 'You're Dreamhost's problem now.'

By that time, I had already updated my domain records to point to a new VM on Digital Ocean. Bye Thinkhost/Dreamhost, or web hosting in general. I have a full VM with root access now on a Linux distro of my choice for a third of what I was paying for hosting.

I have the site backed up and maybe I'll eventually port some of it over, but I really hadn't been maintaining it, and it was super ugly. So in the spirit of shoshin I'm rebuilding the site from scratch filled with a beginner's enthusiasm.

I'm getting by with an email redirection service provided by my domain registrar, but the plan is to implement my own mail server based on Daniel Patterson's work with respect to building a gmail replacement.

Let's see how this goes.
