Sep 03 2014

Yes, you read that correctly. Creating and using secure passwords can actually be simple. With an understanding of how to make a password harder to crack through brute force (i.e., multiple, repeated attempts at guessing) and a password manager, you can greatly enhance the security of your passwords.

tl;dr – Longer passwords + a good password manager = simple security.

Let’s start with a look at bad passwords. Seriously, people are still using ‘password’ and ‘123456’ as passwords. If you wanted to gain access to someone’s account, there’s a relatively high probability you could get in with one of the commonly-used passwords. How common are they? Take a look at the top 250 passwords from a leak from 2010. Hmm, there’s ‘123456’, ‘password’, ‘12345678’, ‘qwerty’ and for all you Jackson Five fans – ‘abc123’. In 2011, 77 million of Sony’s PlayStation Network accounts were breached, followed by breaches at other Sony sites. An analysis of the passwords leaked shows similar issues with simple passwords. Even more interestingly, there is a significant correlation of passwords between Gawker and Sony users. While not entirely conclusive, it does support the idea that many people use the same passwords at many different sites. DON’T DO THAT. (I’ll suggest how to make this easy a bit later.) Of course, since then, people have gotten better at using secure passwords, right? WRONG! Take a look at the analysis of data from the Adobe data breach from late last year. While this can’t be confirmed 100% without Adobe releasing their encryption key, the analysis seems fairly likely based on the evidence provided. Given that caveat, it’s possible that nearly 2 million users used the password ‘123456’ and over 300,000 used ‘password’!

Even if you didn’t guess someone’s password as being ‘password’, it’s pretty easy to use a computer to crack simple passwords like this. Steve Gibson provides a great perspective on how weak passwords can be and how easy it is to make them strong. You can read the details on his website, but let’s look at a simple example…

If you used ‘password’ as your password and a hacker used brute force to guess it online (1,000 guesses/second), it would take 6.91 years to crack. Keep in mind, this is an estimate of the time required to go through all possible passwords leading up to ‘password’. In the real world, a hacker would likely try the easy passwords first, so it wouldn’t take 6.91 years to guess ‘password’. But, this number gives a good baseline. Compare this to how long it would take if you made a few simple, but easy to remember changes: ‘password’ becomes ‘p4s$w0rd’. (That’s a zero instead of the letter O in word.) It still looks like ‘password’ which helps you remember it. If you substitute numbers and symbols for letters in a logical way, you can greatly increase security. ‘p4s$w0rd’ requires 1.66 hundred centuries to crack using the same brute force method! See, isn’t that easy? Well, unfortunately, we’re not done yet. Leaks like the one at Gawker and Sony (and many others) often start with hackers grabbing password files to try to crack offline. That same ‘strong’ password of ‘p4s$w0rd’ only takes 5.21 seconds if you have the processing power of one hundred trillion guesses per second – not too much of a stretch the way computing power is today. Using one hundred billion guesses per second, it would still only take 1.45 hours.

So, now what? That’s the main point of Steve Gibson’s article. You can greatly increase security of passwords simply by increasing their length. For example, change ‘password’ to ‘ppaasssswwoorrdd’ and the online cracking time goes from 6.91 years to 14.42 billion centuries. At one hundred trillion guesses per second, the longer password takes 14.42 years to crack. But, all you did was double each letter!

Longer passwords with simple substitutions (and avoiding common words) are a huge step forward for the security of your passwords.
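
The exhaustive-search arithmetic behind the figures above, as an added example (not code from this post or from Steve Gibson's site): it counts every string up to the password's length over the character classes used, and shows how trying a wordlist first collapses the estimate for a common password. The function names and the ordering of `COMMON` are assumptions; durations use a 365.25-day year, so year-scale results can differ slightly from the figures quoted above.

```python
import string

# Character classes in the exhaustive-search model:
# 26 lowercase, 26 uppercase, 10 digits, 33 symbols (ASCII punctuation + space).
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)

# Common passwords named in the post. The ordering is an assumption made for
# this example; real wordlists are far longer.
COMMON = ["123456", "password", "12345678", "qwerty", "abc123"]

# Guess rates quoted in the post (guesses per second).
RATES = {
    "online (1 thousand/s)": 1e3,
    "offline (100 billion/s)": 1e11,
    "offline (100 trillion/s)": 1e14,
}

UNITS = (("centuries", 3155760000), ("years", 31557600),
         ("days", 86400), ("hours", 3600), ("minutes", 60))


def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    for ch in password:
        if not any(ch in cls for cls in CLASSES):
            raise ValueError(f"character {ch!r} is outside printable ASCII")
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def search_space(password):
    """Count all strings of length 1..len(password) over that alphabet."""
    n, length = alphabet_size(password), len(password)
    if length == 0:
        return 0
    # Closed form of n + n^2 + ... + n^length, kept in exact integers.
    return n * (n ** length - 1) // (n - 1)


def seconds_to_exhaust(password, rate):
    """Worst-case time for a pure brute-force search at `rate` guesses/second."""
    return search_space(password) / rate


def guesses_wordlist_first(password, wordlist=COMMON):
    """Guesses needed when a wordlist is tried before brute force starts."""
    if password in wordlist:
        return wordlist.index(password) + 1
    return len(wordlist) + search_space(password)


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    for pw in ("password", "p4s$w0rd", "ppaasssswwoorrdd"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"search space {search_space(pw):.3e}, "
              f"wordlist-first guesses {guesses_wordlist_first(pw):.3e}")
        for label, rate in RATES.items():
            print(f"    {label:26} {humanize(seconds_to_exhaust(pw, rate))}")
```

The wordlist-first column is the one to watch: ‘password’ falls on the second guess no matter what the brute-force estimate says, which is why the length advice only helps when the password is not a common one.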

But, wait, there’s more!

Even if you come up with an easy to remember password like this, you shouldn’t reuse it. If by some means, a hacker gets a hold of this password and you use it everywhere, you’re toast. So, even if you have strong, but easy to remember passwords, you need a lot of them. How do you remember them? (If you said post-it notes, please don’t tell me!)

This is where password managers come in. A password manager is a secure vault that stores all of your passwords. You create one strong, but easy to remember password using the tips above and especially, the suggestions from Steve Gibson’s site. This is what you use to unlock the password manager ‘vault’. All of your passwords are secure, but you only have to remember one. Even better, most password vaults can generate secure passwords. Use this feature to create ridiculously hard to remember passwords for everything. You don’t need to remember them – the password manager will. Plus, most password managers plug into your browser to allow you to log in with just a click. They’ll also remember passwords as you use them in different sites.

You’ll find a number of good password managers out there that work across major platforms – Windows, Mac, Linux, iOS (iPhone, iPad), Android, Blackberry, etc. The best ones provide a sync feature so your secure vault of passwords is available everywhere. Three popular password managers that come to mind are 1Password, LastPass and Roboform. There are plenty of others out there, so you can do some research or try one of these three.

The concept may seem like too much work at first, but once you try out a password manager, you’ll find it’s far more convenient and secure than trying to remember, writing down, or stashing your passwords in a spreadsheet.

I hope I managed to avoid GadgetComa (for once) and make this information useful for you. Feel free to let me know what you think in the comments.

May 29 2014

Yay! Hip-hip-hooray! Awesome! Cheers!

So what?

Well, I like this new version. I hope you will too. I put a lot more thought into how to make it easier to maintain and make your Day One entries nicer. Here are the key new features:

  • Added functionality to create Day One entries directly. 
  • The Day One command line tool is no longer needed. 
  • Since I write directly to Day One, I can create native Day One tags, too! 
  • Saving photos to Day One works with any recipe that can provide a URL to a photo 
  • Large photos can be compressed to save space. This is configurable. 
  • IFTTT recipe requirements are simpler and more flexible.
I’ve created a bunch of new IFTTT recipes that are designed for 2.0 (the old recipes won’t work). 
I’ve also created a new website dedicated to GiftttDy. This is where you’ll find setup instructions, recipes, information on how to create your own recipes and documentation on older versions for those who can’t get with the times.
See you over at the new GiftttDy Home Page.
Feb 02 2014

Thanks to the good folks at Authy and a bit of UNIX foo, I’ve managed to enable 2-factor authentication to protect ssh sessions on my Synology DiskStation. If you’re not familiar with Authy and you use Google’s Authenticator app, you should go to the App Store or Google Play store and get Authy’s authenticator app. It’s a well-designed alternative with a better interface and more features like automatically (and securely) syncing tokens across devices. Authy provides authentication services to developers, which leads us to today’s adventure.

Authy provides the ability to secure ssh sessions and includes a simple set of instructions that worked flawlessly on my Mac. Installing on my Synology DiskStation required a bit of tweaking. This was because the Authy shell script relies on the bash shell and other tools that are not on the Synology by default. The setup also requires changes to the script to address the different location for tools the script tries to run. If you’re reading this and not wondering what language I’m speaking, you likely have the knowledge to set this up too. However, I make no claims as to whether this will work for you. Any and all risk of trying this is yours, so back up, back up, back up. As you install and test on the Synology, I suggest you temporarily enable telnet so you can log in to fix things if you lock yourself out of ssh.

With all that liability stuff out of the way (remember, don’t blame me), here’s what you need to do:

  1. Make sure you have the Authy authenticator app installed on your phone. (iOS app link, Android app link)
  2. Setup of 2-factor authentication requires you to have an Authy API key. You can sign up for a free developer account that should be sufficient for personal use. (Well, actually, it costs 50 cents. In order to verify your identity, they charge a one-time 50 cent transaction to your credit card. We’ll get to that in a second.)
  3. Once you have your Authy account, create a new application.
  4. On the application dashboard, you’ll see that the Current Plan is Sandbox. Next to that is a link to upgrade the plan. Click that link, choose the Starter (Free) plan, fill in your credit card info and click Upgrade now.
  5. After you’ve upgraded, you should see an API Key for your Production application at the top of the dashboard screen. You’ll use this API Key when you run the authy-ssh install script later.
  6. If you haven’t done so already, you need to bootstrap your DiskStation so you can install ipkg, a tool that makes it easy to install other useful utilities. Instructions for doing that are here.
  7. Once ipkg is installed, use it to install bash with this command: ipkg install bash
  8. Now, grab the authy-ssh files using the command: curl -O 'https://raw.github.com/authy/authy-ssh/master/authy-ssh'
  9. Before you run the script, you need to make two changes to tell it where to find bash and the rest of the tools it will need. Use vi to open the authy-ssh file you just downloaded. 
    1. On the first line, you need to specify the full path to bash, so change bash to /opt/bin/bash
    2. Insert a new line above line 13 (the line that begins with export TERM). On this line, put the following: export PATH=$PATH:/opt/bin
  10. Now, you can run the authy-ssh script as follows: ./authy-ssh install /usr/local/bin
  11. Follow the prompts to complete the installation. This is where you’ll need your API key.
  12. Once completed, you’ll need to restart the ssh server. I’m running DSM 5.0 beta, so I don’t know the new command line command for this. I just go into the DSM Control Panel, uncheck and recheck the Enable SSH option.
  13. Log back into your DiskStation and follow the directions Authy provides to enable 2-factor. I used the command: /usr/local/bin/authy-ssh enable <user> <email> <countrycode> <phonenumber> (Be sure to use the email address and phone number you used to set up the Authy app on your phone.)
  14. If all goes well, you’ll see a confirmation that the user was registered. 
  15. Test it by logging out and back in. You’ll be prompted for your Authy token. You should see the new application you created on the Authy site showing up on your phone with a token, just like for all other 2-factor-enabled sites.
  16. Enjoy your enhanced security!
UPDATE: User packt on the Synology forums found that additional steps were required for this to work on the DS414. This may impact other DiskStation models too, although, since the 414 is newer, maybe older models won’t have a problem. Here is a link to what packt found.
Jan 25 2014

As a result of the theft of credit card, debit card and personal information from Target, my credit card company decided to replace my credit card. I don’t know for sure if they saw fraudulent activity, but I do shop at Target, so I’m glad they went ahead and did this. However, I am not so sure they helped all that much.

I received the new card Thursday, activated it and went online to start updating recurring transactions (magazine subscriptions, online services, etc.). It came as quite a shock to go out to the Netflix site and see that they already had my new credit card number in their system. I wonder how that happened? To find out, I called the credit card company. Here’s where the fun starts…
The credit card company rep checked the account and told me that they had gone ahead and provided the new account number for some of my recurring transactions. What?!! I expressed my concern about the security of this to which the rep responded, “Well, these are your recurring transactions.” I asked how they could be sure even if I did business with the merchant previously. Since credit card data and personal information were stolen, who’s to say an unauthorized person didn’t set up a service with my information but with delivery / access of their own? The credit card company just extended their illegal subscription! The rep clearly didn’t know what to say other than it was “for my convenience.” Wow. Potentially set me up to have my account fraudulently used again. Very convenient. Thanks.
Maybe the scenario I mentioned isn’t that likely. Still, why would a credit card company ever give my account information directly to a merchant? Oh, did I mention that they never told me they were doing this? I only found out when I saw the change at Netflix.
This is a good lesson to individuals and companies about how to deal with data. Never, ever make assumptions about convenience without considering security. A major cause of errors, defects, security issues, quality problems, etc. is a decision made in the name of convenience – for the customer, for the manager, for the developer, for the shareholder – you name it.
There’s a reason why you have an information security team and it’s not just to clean up after the fact. They help you plan, too!
Now, I think I’ll take a break and watch something on Netflix, assuming I still have access…
Jan 20 2013

Inauguration Street Closures

The United States Park Police will put in place the following road closures on National Park Service property. These closures are necessary in order to secure Memorial Bridge and Independence Avenue for Inaugural Activities:
• All parade route security screening entry points will be able to accommodate individuals with disabilities.
Saturday, January 19 at 6 am
• Parkway Drive (USPP Mobile Command)

Sunday, January 20 at 1 am
• 23rd and Independence Avenue (No access to West Potomac Park)
• 0600 hours
• 14th and Jefferson Drive
• 7th and Jefferson Drive
• 4th and Jefferson Drive
• 3rd and Madison Drive
• 4th and Madison Drive
• 7th and Madison Drive
• 12th and Constitution Avenue

Sunday, 6 pm
• 15th and Independence Avenue
• 15th and Constitution Avenue
• 17th and Independence Avenue
• 17th and Constitution Avenue
• 18th and Constitution Avenue

Monday, January 21 at 5 am
• A, B and C lots (All traffic sent Southbound Ohio Drive to Buckeye)
• Inlet Bridge
• USPP HQ and NCR Parking Lot
• East Basin and Maine Avenue (All traffic sent Maine Ave. or Freeway)
• Maine Avenue and East Basin (All traffic from Mandarin Hotel sent S/B 14th Street Bridge)
• Rock Creek Parkway and Virginia Avenue (No traffic S/B Rock Creek Parkway)
• Modified PM change into effect on Ohio Drive
• Ramp from Kennedy Center to Rock Creek Parkway
• 23rd and Constitution Avenue (No traffic S/B to LMC)
• Henry Bacon And Constitution Avenue (No traffic S/B to LMC)
• Rt. 27/Washington Blvd @ Route 50 Bypass (at 0530 when ACPD closes Route 27 move closure to N/B GWMP ramp to Memorial Bridge)
• S/B GWMP @ ramp to Memorial Bridge
• S/B GWMP ramp to S/B Route 27/Washington Blvd
• S/B Boundary Channel Drive @ ramp to Route 27/Washington Blvd
• N/B 110 ramp to Memorial Drive (all vehicles forced to take left to ANC)
All vehicles exiting ANC must take Route 110 South

Closed Monday, January 21 from 3 am to 7pm:
• Pennsylvania Avenue, NW from 18th Street, NW to the US Capitol
• I Street, NW from 18th Street, NW to 12th Street, NW
• H Street, NW from 18th Street, NW to 12th Street, NW
• G Street, NW from 18th Street, NW to 12th Street, NW
• F Street, NW from 18th Street, NW to 12th Street, NW
• E Street, NW from 18th Street, NW to 6th Street, NW
• D Street, NW from 18th Street, NW to 6th Street, NW
• C Street from 18th Street, NW to 2nd Street, NE
• Constitution Avenue from 17th Street, NW to 2nd Street, NE
• Madison Drive, NW from 15th Street, NW to 3rd Street, NW
• Jefferson Drive, SW from 15th Street, SW to 3rd Street, SW
• Independence Avenue from 14th Street, SW to 2nd Street, NE
• Maryland Avenue, SW from 6th Street, SW to the US Capitol
• 17th Street from I Street, NW to Independence Avenue, SW
• Connecticut Avenue, NW from I Street, NW to H Street, NW
• 16th Street, NW from I Street, NW to H Street, NW
• Vermont Avenue, NW from I Street, NW to H Street, NW
• 15th Street from I Street, NW to Independence Avenue, SW
• 14th Street from I Street, NW to Independence Avenue, SW
• New York Avenue, NW from 18th Street, NW to 12th Street, NW
• 13th Street, NW from I Street, NW to Pennsylvania Avenue, NW
• 12th Street from F Street, NW to Independence Avenue, SW
• 11th Street, NW from F Street, NW to Pennsylvania Avenue, NW
• 10th Street, NW from F Street, NW to Constitution Avenue, NW
• 9th Street from F Street, NW to Independence Avenue, SW
• 8th Street, NW from F Street, NW to D Street, NW
• 7th Street from F Street, NW to Independence Avenue, SW
• 6th Street from F Street, NW to Maryland Avenue, SW
• 5th Street from D Street, NW to Independence Avenue, SW
• 4th Street from D Street, NW to Independence Avenue, SW
• 3rd Street from D Street, NW to Independence Avenue, SW

Closed Monday, January 21 from 3 am to 5 pm:
• Louisiana Avenue, NE between Columbus Circle and Constitution Avenue, NW
• Delaware Avenue, NE between Columbus Circle and D Street, NE
• 1st Street between Columbus Circle and D Street, SE
• North Capitol Street between E Street, NW and Louisiana Avenue, NE
• New Jersey Avenue, NW between D Street, NW and Constitution Avenue, NW
• D Street between New Jersey Avenue, NW and 2nd Street, NE
• 1st Street between D Street, NW and Washington Avenue, SW
• C Street, NW between 2nd Street, NW and New Jersey Avenue, NW
• 2nd Street, NW between C Street, NW and Constitution Avenue, NW
• 2nd Street, NE between Massachusetts Avenue, NE and C Street, SE
• C Street, SE between 2nd Street, SE and 1st Street, SW
• D Street between 1st Street, SE and Washington Avenue, SW
• Washington Avenue, SW between South Capitol Street and Independence Avenue, SW
• Independence Avenue between 2nd Street, SE and 3rd Street, SW
• 3rd Street between E Street, SW and D Street, NW
• Constitution Avenue between 2nd Street, NE and 3rd Street, NW
• Maryland Avenue, NE between 1st Street, NE and 2nd Street, NE
• East Capitol Street between 1st Street, NE and 2nd Street, NE
• 2nd Street, SW between Washington Avenue, SW and E Street, SW
• C Street, SW between 3rd Street, SW and Washington Avenue, SW
• D Street, SW between 3rd Street, SW and 2nd Street, SW
• South Capitol Street between E Street, SW and D Street, SW
• I-295 South on-ramp from Washington Avenue, SW
• I-395 North off-ramp onto Washington Avenue, SW
• I-395 North off-ramp onto C Street, NW
• I-395 South on-ramp from 2nd Street, SW
• I-395 South off-ramp onto 2nd Street, SW
• I-395 North on-ramp from Washington Avenue, SW
• I-295 North off-ramp onto Washington Avenue, SW

Emergency No Parking beginning 7 am, Sunday, January 20, through 7 am, Tuesday, January 22:
• South of K Street, NW from Washington Circle to 11th Street, NW
• Washington Circle from K Street, NW to 23rd Street, NW
• Pennsylvania Avenue, NW from Washington Circle to the US Capitol
• I Street, NW from 23rd Street, NW to 11th Street, NW
• H Street, NW from 23rd Street, NW to 3rd Street, NW
• G Street, NW from 23rd Street, NW to 3rd Street, NW
• F Street, NW from 23rd Street, NW to 3rd Street, NW
• E Street, NW from 23rd Street, NW to 3rd Street, NW
• Virginia Avenue from 23rd Street, NW to 2nd Street, SW
• D Street, NW from 23rd Street, NW to 1st Street, NW
• C Street, NW from 23rd Street, NW to 3rd Street, NW
• Constitution Avenue from 23rd Street, NW to 2nd Street, NE
• Madison Drive, NW from 15th Street, NW to 3rd Street, NW
• Jefferson Drive, SW from 15th Street, SW to 3rd Street, SW
• Independence Avenue from 23rd Street, SW to 2nd Street, SE
• C Street, SW from 7th Street, SW to 2nd Street, SW
• D Street, SW from 7th Street, SW to 2nd Street, SW
• E Street, SW from 7th Street, SW to 2nd Street, SW
• Maryland Avenue, SW from 7th Street, SW to the US Capitol
• 23rd Street from Washington Circle, NW to Independence Avenue, SW
• 22nd Street, NW from K Street, NW to Constitution Avenue, NW
• 21st Street, NW from K Street, NW to Constitution Avenue, NW
• 20th Street, NW from K Street, NW to Constitution Avenue, NW
• 19th Street, NW from K Street, NW to Constitution Avenue, NW
• 18th Street, NW from K Street, NW to Constitution Avenue, NW
• 17th Street from K Street, NW to Independence Avenue, SW
• Connecticut Avenue, NW from K Street, NW to H Street, NW
• 16th Street, NW from K Street, NW to H Street, NW
• Vermont Avenue, NW from K Street, NW to H Street, NW
• 15th Street from K Street, NW to Independence Avenue, SW
• 14th Street from K Street, NW to Independence Avenue, SW
• New York Avenue, NW from 18th Street, NW to 11th Street, NW
• 13th Street, NW from K Street, NW to Pennsylvania Avenue, NW
• 12th Street from K Street, NW to Independence Avenue, SW
• 11th Street, NW from K Street, NW to Pennsylvania Avenue, NW
• 10th Street, NW from H Street, NW to Constitution Avenue, NW
• 9th Street from H Street, NW to Independence Avenue, SW
• 8th Street, NW from H Street, NW to D Street, NW
• 7th Street from H Street, NW to E Street, SW
• 6th Street from H Street, NW to E Street, SW
• 5th Street from H Street, NW to D Street, NW
• 4th Street from H Street, NW to E Street, SW
• 3rd Street from Massachusetts Avenue, NW to E Street, SW
• Henry Bacon Drive, NW from the Lincoln Memorial to Constitution Avenue, NW
• Daniel French Drive, SW from the Lincoln Memorial to Independence Avenue, SW

• Parade Route Entry Points: The following public entry points will open at 6:30 a.m. on Monday, January 21, 2013, and will remain open until the parade route can no longer accommodate additional people.

• – 2nd Street NW and C Street NW
• – John Marshall Park at C Street NW
• – Indiana Avenue NW between 6th Street NW and 7th Street NW
• – 7th Street NW and D Street NW
• – 10th Street NW and E Street NW
• – 12th Street NW and E Street NW
• – 13th Street NW and E Street NW
• – 14th Street NW and E Street NW
• – 12th Street NW and Constitution Avenue NW
• – 10th Street NW and Constitution Avenue NW
• – 7th Street NW and Constitution Avenue NW
• – Constitution Avenue NW between 6th Street NW and 7th Street NW

• Individuals using Metro to access the Inaugural events, including the non-ticketed area of the National Mall, are advised to:
• Use Metro’s interactive “What’s My Best Route” tool at http://www.wmata.com/inauguration to find the best station to use near the National Mall.
• Exit at a station on the same line as where they started their trip to avoid transferring.
• Avoid high-traffic stations near the Capitol including Capitol South, Union Station, Judiciary Square or Federal Center SW stations

• An important reminder for all Metro riders is that the Smithsonian, Archives and Mt Vernon Square Metro stations will be closed on Inauguration Day. For additional information from Metro, including walking maps and travel tips, please visit http://www.wmata.com/inauguration.

• Downtown Area Road Closures: A map detailing specific road closures is attached. Vehicle restricted zones will be in effect beginning at 7 a.m. on Sunday, January 20, through 7 a.m. on Tuesday, January 22. Restrictions will be implemented on a rolling schedule, beginning at Pennsylvania Avenue NW from 2nd Street NW to 15th Street NW. All closures will be in place by the morning of Monday, January 21. All vehicular road closures in Washington, D.C., will be instituted by MPD. Inquiries pertaining to road closures should be directed to the MPD Office of Public Information at (202) 727-4383. Details regarding road closures will be available online at http://www.inauguration.dc.gov and http://www.secretservice.gov.

Sent by DC HSEMA to e-mail….powered by Cooper Notification RSAN


Dec 29 2012

Okay, all you geeks and nerds out there… Or, anyone interested in the history of computing and Silicon Valley. This upcoming American Experience documentary, Silicon Valley, should be fascinating. Check it out on your local PBS station on February 19th. And, while you’re waiting, donate to PBS to keep great work like this going.

 

Dec 28 2012

For those who know, you can skip this post. If you don’t know what IFTTT is, you need to check it out. It’s like a programming language for the web, but it’s super easy. IFTTT stands for If This Then That. With this service, you can get emails based on weather conditions, save Facebook posts to Dropbox, save Google Reader starred articles to Pocket, and much, much more. Learn more at their web site.