A few weeks back, at around 3:00AM I was woken up by the sounds of a computer booting. It turned out to be an old Ubuntu desktop in the study. Since it was storming at the time, I figured it was due to a power outage, so I shut down the machine and went back to bed.
A couple nights later the same thing happened. This time I made sure the BIOS on the machine was set to restore the machine to its previous state after an outage instead of turning it on. It turned out it was already set to restore the previous state. Odd, but it was 3:00AM so back to bed I went.
The third time it woke me up came during the time Thinkhost/Dreamhost dropkicked the old site in the gonads, and I started freaking out a little - I wasn't getting email, my corny vanity site had disappeared and I had a machine turning itself on in the middle of the night. It was coming out of hibernation when it started, so when I noticed it, I was already logged into the console and my 3:00AM self didn't notice any weird activity on the machine. I poked around in the BIOS again to make sure the Wake-on-LAN options were not set and powered down the computer. Still, I started pulling Ethernet cables out before going to bed until I had a chance to really figure out what was going on.
Then over the weekend I started the machine up and then started some Laundry[1]. When I eventually got back to the study, the machine was still on. I'd been gone long enough that it should have gone into hibernation by then. I did a 'sudo /usr/sbin/pm-hibernate' manually and it went through its normal hibernate routine, but after it powered down, it immediately booted back up again!
Then it all made sense - the machine had been trying to hibernate and rebooting, then waiting some number of minutes with no keyboard activity and repeating the cycle. If I was sleeping lightly enough at the time, the beeps during the restart would wake me up, otherwise I was sleeping through all the restarts. Eventually someone in the house would notice the machine was on and shut it down gracefully. I have no clue how long hibernate had been failing like this. Weeks at least.
But onto the solution. I didn't find much on the Internet about the problem (hence this post), but the combination of basic-pm-debugging.txt and the pm-hibernate man page led me to try adding a /etc/pm/config.d/hibernate file with the contents:
HIBERNATE_MODE=shutdown
With that in place, pm-hibernate went back to working like it used to,
and I haven't been woken up by late night restarts since.
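To see which hibernate mode the kernel is actually using and to put the fix in place, here is an added shell example (mine, not from the original post). It assumes pm-utils applies HIBERNATE_MODE from /etc/pm/config.d/ by writing it to /sys/power/disk before hibernating, and it reads the live sysfs file when present, otherwise a constructed sample line.

```shell
#!/bin/sh
# Added example, not from the original post: inspect the kernel's active
# hibernate mode and write the pm-utils override the post describes.
# /sys/power/disk lists the supported modes with the active one in brackets,
# e.g. "platform shutdown [reboot] suspend". In "reboot" mode the kernel
# restarts the machine after writing the image, which matches the symptom.
# pm-utils writes HIBERNATE_MODE into /sys/power/disk before hibernating
# (my reading of pm-utils, stated as an assumption).

# Return the bracketed (active) mode from a /sys/power/disk-style line.
active_disk_mode() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)]$/\1/p'
}

# Read the live value if the sysfs file exists, else use a constructed sample.
current_disk_mode() {
    if [ -r /sys/power/disk ]; then
        active_disk_mode "$(cat /sys/power/disk)"
    else
        active_disk_mode "platform shutdown [reboot] suspend"   # constructed sample
    fi
}

# Write HIBERNATE_MODE=<mode> into <confdir>/hibernate (default /etc/pm/config.d).
# Needs root for the real directory; point it at a temp dir to try it out.
write_hibernate_mode() {
    mode=$1
    confdir=${2:-/etc/pm/config.d}
    mkdir -p "$confdir"
    printf 'HIBERNATE_MODE=%s\n' "$mode" > "$confdir/hibernate"
}

# Print the configured override, or nothing if no override file exists.
configured_hibernate_mode() {
    confdir=${1:-/etc/pm/config.d}
    [ -r "$confdir/hibernate" ] && sed -n 's/^HIBERNATE_MODE=//p' "$confdir/hibernate"
}

# Warn when the active mode is not the one that powers the machine off.
if [ "$(current_disk_mode)" != shutdown ]; then
    echo "active hibernate mode is '$(current_disk_mode)'; set HIBERNATE_MODE=shutdown"
fi
```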
[1] For purposes of this blog, 'Laundry' is any non-computer indoor activity and 'Going for a Walk' is any non-computer outdoor activity.
But let's face it, if you are a reuser, this can be a pretty daunting task. It's like getting in shape or losing some weight: it's not something that's going to change overnight. It's going to take some time to switch all your passwords.
With that in mind, here's a plan you can use to move away from password reuse at your own pace. As a side effect, it should also get you in the habit of using stronger passwords and make it easier to remember to occasionally change your passwords.
Pick a password manager
Instead of trying to remember multiple passwords, you should use a password manager. I like keepass, but there are others available. Pick one and start using it. If you don't like it, switch to another one. Here are the important features:
- Cross platform - it should work on all your devices which are likely to prompt for passwords
- Cut&pasting passwords - the plan is to eventually start using long passwords you can't possibly remember, so being able to copy the passwords into your clipboard and paste them into the password field is very useful
- Random password generators
Pick a password for the password manager's database. Use a different
one from your normal password, since you're getting out of the habit of
using the same password everywhere. Try to make it longer than your
normal password.
Then enter your current reused password as the first entry. The manager
most likely has a 'copy and paste password to the clipboard' feature.
For a day or two, get into the habit of copy&pasting your password from
the manager instead of typing it manually.
If you're setting up a new account, don't reuse your default password.
If you already have a Dropbox account, change your password. Add the new
or updated password to the password manager.
Copy your password database into the shared directory. Make sure it's not in a publicly accessible folder. Now you can access your password database from any machine or device you can access with Dropbox.
If your password manager supports keys, add key support, but don't
store the keys on Dropbox. This way if Dropbox is hacked and your
database is compromised, your database is still safe since the meenie
weenies will not have your key.
Start changing your passwords when visiting sites
If you visit a site and can log into it with your default password, find the place on the site that lets you change the password, set it to a strong password, and add it to your password manager.
Try to change one or two accounts a day in the beginning, and then ramp
up as you get more comfortable with the process.
When adding the new entries to the password manager, set an expiration date of something like 3 months. This also gets you into the habit of changing your passwords regularly.
Learn to love the password recovery pages
The first couple times you add a password into the manager, you may screw it up and need to recover your password for the site. This is a hassle, but for most sites it's not really that big a deal, so don't let that scare you off from changing your passwords.
Still, until you've changed a couple passwords, it might be good to hold off on switching the passwords for important services like email, which would be more disruptive if you had to have the password reset.
Back up your password database
After the first week or so, back up your password database to a USB drive or burn it to a CD or export the database to a CSV file, print that out and store it in the safe deposit box in your fallout shelter with your lifetime supply of canned creamed corn. Whatever you're comfortable with. The important thing is you make the backup.
Also set up some sort of weekly reminder to update the backup.
Start using different usernames for new sites
If you're also using the same username for all your accounts, you could start using different usernames as well to make it more difficult for folks to track you between sites. Your password manager should have a place to store your username, so you could cut&paste that field in addition to your password.
Start deactivating unused accounts
You probably have lots of accounts that you never use. Instead of changing the passwords for these sites, I suggest closing out the account entirely. Pull down whatever data you want to save from the site, then change your password to something random, and don't bother adding it to your password manager. Then deactivate the account. Bacn is a good source of reminders about accounts you may want to close out.
After a site's been hacked
When an online service you're using is hacked, you should update your password on the site right away, making it more random if you aren't already using totally random passwords.
You should also use this opportunity to look around and see if there's some other more secure site that you could be using instead, or, if you're technically inclined, if it's now possible for you to run a local version of this service on your own servers.
Change passwords that are expiring
Since you've been adding expiration dates to the password entries, when
the manager starts warning you of an impending expiration, go ahead and
change the password on the site. By this time you will have been using
the manager for a few months, so try making the password longer and more
cryptic. The password manager probably has the option of creating random
passwords for you, so try that out. You should be very used to
cut&pasting your passwords, so it shouldn't matter to you much by now
that you can't remember the password.
Summary
- Don't use the same password everywhere
- Use a password manager - back it up regularly
- Move away from using your reused password slowly at your own pace
- Close out unused sites that are using the reused password
- Set expirations on the passwords so you'll remember to change them regularly
- Move to more secure sites / self-host after sites are hacked
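As an added example (mine, not from the original post), here is a shell audit of a password-manager CSV export that flags the two things the plan above works toward: passwords still shared between entries (the old reused default) and entries past their expiration date. It assumes a simple export with the columns title,username,password,expires and no commas inside fields; the sample export is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit a password-manager CSV
# export for leftover password reuse and for entries whose expiry has passed.
# Assumed columns: title,username,password,expires (expires as YYYY-MM-DD or
# empty). Fields are assumed to contain no commas; real exports may quote
# fields and then need a proper CSV parser.

# Constructed sample export: two entries still share the old default password,
# one entry has no expiry set, and one expired in 2012.
SAMPLE_EXPORT='title,username,password,expires
forum,alice,correcthorse,2013-01-15
webmail,alice,correcthorse,
bank,alice,Kq9!vR2#mZ7pL0eT,2013-06-01
shop,alice_shop,xH4$wN8^bY1rQ5uJ,2012-11-30'

# Print one line per password used by more than one entry: "REUSED: title title..."
# (the passwords themselves are never printed, only the entry titles).
reused_passwords() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 { seen[$3] = seen[$3] " " $1; n[$3]++ }
        END { for (p in n) if (n[p] > 1) print "REUSED:" seen[p] }' | sort
}

# Print "EXPIRED: title date" for entries whose expiry is on or before $2 (YYYY-MM-DD).
# ISO dates compare correctly as plain strings, so no date arithmetic is needed.
expired_entries() {
    printf '%s\n' "$1" | awk -F, -v today="$2" \
        'NR > 1 && $4 != "" && $4 <= today { print "EXPIRED: " $1 " " $4 }' | sort
}

reused_passwords "$SAMPLE_EXPORT"
expired_entries "$SAMPLE_EXPORT" 2013-01-01
```

Point the two functions at your own export with `reused_passwords "$(cat export.csv)"` and today's date to get a to-do list of entries to rotate.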
My previous provider Thinkhost is currently being rolled into Dreamhost,
such that Thinkhost will be shut down at the end of the month.
Apparently the old pwan.org site was dropped during the account
migrations. First I noticed I wasn't receiving any pwan.org email, so I
opened a ticket, then I realized the entire site was down and opened
another ticket.
As far as I can tell all that's left of Thinkhost's tech support
department is the liebot sending out the 'someone will get back to you
as soon as possible' automated ticket responses. Blthhh. After 5 days
of no site and radio silence, I finally got a response that said pretty
much 'You're Dreamhost's problem now.'
By that time, I had already updated my domain records to point to a new VM on Digital Ocean. Bye Thinkhost/Dreamhost, and web hosting in general. I have a full VM with root access now on a Linux distro of my choice for a third of what I was paying for hosting.
I have the site backed up and maybe I'll eventually port some of it over, but I really hadn't been maintaining it, and it was super ugly. So in the spirit of shoshin I'm rebuilding the site from scratch filled with a beginner's enthusiasm.
I'm getting by with an email redirection service provided by my domain
registrar, but the plan is to implement my own mail server based on
Daniel Petterson's work with respect to building a gmail
replacement.