WIL WHEATON dot TUMBLR, So any journalist passing through London’s Heathrow has now been warned: do not take any documents with you. Britain is now a police state when it comes to journalists, just like Russia is.

WIL WHEATON dot TUMBLR, So any journalist passing through London’s Heathrow has now been warned: do not take any documents with you. Britain is now a police state when it comes to journalists, just like Russia is..

This post by Wil Wheaton is a really great reminder that when you are traveling, and I wouldn’t necessarily just put this as international to Britain but even when visiting the next town or crossing state lines even. Rights are being trampled everywhere you go, wether it be from a out-of-control cop, a bloodthirsty Sheriffs deputy or even a sticky-fingered TSA agent there is no lack of potential thugs, enemies, and thieves in your midst.

There are ways to secure your data and keep it handy as well. Store everything in an encrypted disk image or TrueCrypt archive on a cloud service like Dropbox or Google Drive and duplicate the same things in your memory sticks. If the thugs take your devices then you can rest assured that all you lost was the material itself, but no content.

I’m surprised that journalists and people who know journalists don’t all use GPG to secure their communications. I would think that if you were a whistleblower or had contact with a whistleblower that these little checkboxes would be foremost on your mind and already checked off.

You can’t trust any government, any cop, or any Vampire to keep their word. This goes for everyone as well, including your carrier and service providers. What should Verizon know? Shit. How about Dropbox? The same. Trust nobody and you’ll be safer than someone who trusted someone else. Trust is earned and right now, very very few people have it.

Encrypt Everything

Lavabit and Silent Circle have given up when it comes to providing encrypted email communications. Mega plans on providing something to cover the gap and in general the only real way to deal with privacy-in-email is end-to-end encryption. There was talk that at some point email might give way to writing letters and using the US Postal Service but there as well you’ve got Postmasters writing commands taped to mail about how everything has to be photocopied and stored – so even the US Postal Service is full of spies, the only thing the US Postal Service can be trusted to carry is junk mail.

What is the answer? Pretty Good Privacy. PGP, or rather, the non-Symantec version of it which is the GNU one, the GPG. If you really want to keep what you write private when you send it to someone else, the only way to do that is for everyone to have GPG installed on their email system so you can write email using their public key, which converts your email to cyphertext, secure from even the NSA’s prying eyes, and requires your recipient to unlock the message using their secret key, which they have.

I’ve been playing with PGP and GPG now for a very long time and I decided I would at least make a route available if anyone wanted to contact me with privacy intact – my public keys are on my blog, they are also on all the keyservers including the one hosted and run by MIT and the GPG Keyserver as well. To send me a private message via email all you need to do is get GPG, set it up, create your secret and public key, get my public key, use it to write me an email and only I’ll be able to read it. The NSA will just flag the encrypted contents for later analysis and thanks to AES–256, they’ll be hard pressed to get to the plaintext in your message.

That’s the way around all of this. GPG for everything. GPG public keys for email, for chat, for VPN, for files, and HTTP-in-GPG. Everything pumped through GPG. Since the government won’t stop spying on us, it’s our duty as citizens to secure our own effects against illegal search and siezure, and technology exists to do so.

Encrypt everything.

Google Authenticator

Dial lockOver the long Fourth of July holiday weekend I received an email from WordPress.com detailing news that they were now fully compatible with the Google Authenticator Two-Factor security system. I haven’t thought of Two-Factor in a long while and decided to look into how Google had cornered the market in this particular security market.

First a little background. The term Two-Factor security means that when you want to prove who you are to some service, called authentication, you usually just have to present two pieces of information, a username and a password. This combination not only identifies who you are and proves your identity through the shared secret of the password, but allows systems to remain as open as possible to all clients who want to connect – assuming that everyone is playing by the rules and nobody is trying to be sneaky or clever. Passwords are notoriously wimpy things, most people give up on complexity because they can’t readily remember the password and it’s not convenient so they select simple passwords like “12345”, “password”, or “secret” and leave it at that. The problem with passwords is that people who make them up are either lazy or don’t care about entropy or complexity and since a lot of your work and identity is being controlled using these systems, using these simple passwords is begging for disaster. Another issue that plagues a lot of people, and goes in with how naturally lazy many of us are, is that people will use one poor password on every site they go to and keep their usernames the same as well. The risk here is that when one service is compromised, all the other services are compromised as well and it’s a huge upward climb to get out of that mess if you find yourself trapped in it.

Cleverness works both against people in general, with thieves, phishers, and hackers as well as for people in general, with things like hashapass or applications like 1Password. Hashapass is a free service that combines the web address of a service with one single complicated password to generate a hash, which is to say, a value that is easily calculated from the combination of the single complicated password and the web address but done so in a way that going backwards is very difficult to do. If any piece of the puzzle is missing, it’s technically unsolvable. As an alternative to this there is 1Password, an application that I have become very fond of, and it uses a similar approach to hashapass. In 1Password one master password unlocks a database of all the sites and their individual passwords so you don’t have to remember a constellation of passwords, all you need is to remember one very good secure password and you are all set. There are a few other nice features to 1Password that I like, being able to generate very long random passwords and store them for me allows me to establish plausible deniability when it comes to my online identities. Because 1Password randomly selected a 32-character password for Facebook, I cannot be compelled, even under torture to reveal that password to anyone else. I just don’t know it. I know 1Password, but that’s not the right question so my account remains secure.

All of this I have collected and use, and I use it everywhere. On my MacBook Pro, my iMac at work, my iPad and my iPhone. 1Password makes it very easy to manage the security database and I’m quite sure that it’s secure. In my life, any more security is rather like putting more padlocks on a firmly locked jail cell, it’s rather silly and feels a lot like overkill. Then again, more security is always better, especially if it’s really clever and somewhat convenient.

Two-Factor security adds another component to the process of authentication. It augments the username and password combination. A password is something I know (or store using 1Password) and the second factor is something called a Time-Based One Time Password (TOTP). This is where the free iPhone app called Google Authenticator comes in. The app records a secret key from a site I wish to prove my identity to in the future, for example, Google itself. I set up two-factor, request a security token for Google Authenticator and set it up in the app. The key is transmitted by QR code, which means you can quickly acquire the long complicated random (hard to type) secret key using the camera in your phone. Once this process is complete the Google Authenticator app displays a six digit number that will work to prove your identity to the site associated with that particular entry and this entry only exists for 30 seconds at a time. This six digit password exists only once in any one 30-second period and there is no way to divine this password without having the Google Authenticator application with it’s stored secret code.

Having two-factor enabled in this way means that my username and password are no longer as important as they once were. Even if my username and password are revealed or compromised without my knowledge, the secret key that I have in my Google Authenticator app remains secure with me and the 30-second-long one-time-password additions remain a secret with me. What I know may be compromised, but what I have (the Google Authenticator) most likely won’t be unless someone steals my phone and finds a way to best the security on that device before I have a chance to wipe it remotely. If in the case my Google Authenticator becomes compromised, my passwords will likely not be because they are uncrackable, and so I am still secure.

Practically how does this work? When I want to log into Google Mail using two-factor, this is what I do. I open a web browser, I type in the address “gmail.com” and press enter. Then I enter my username and my password and then in the third field under the password is a box labeled “Google Authenticator Token” and then I grab my phone, start my Google Authenticator application and then read the six-digit number from my phone and type it in. The service logs me right on and after a few seconds, that six-digit password is no longer valid and is meaningless. I’m authenticated and the system did as it was designed to do. One of the nice parts of Google Authenticator is that the entire app is a mathematical operation, it doesn’t require the network at all to generate these numbers, so this would be a good solution for people who may not have a reliable connection to the network or have a data quota on their phone.

Of course, online authentication is just the beginning. I found a way, yesterday, to embed the Google Authenticator system into my Mac OSX Mountain Lion installation so that when I want to login to my computer at work or my laptop I have to type in my username, my password, and read the six-digit code from my Google Authenticator application. The setup isn’t difficult to get it to work. You need a compiled PAM module which I have (just ask if you want a copy) and an application which you use to create the secret key on your computer. With it all set up, and a slight adjustment to a settings file, even if I were to lose security on my password at work nobody could login to my account without my username, password, and GA token.

This arrangement works quite well and I’ve set it up for my Google accounts, my WordPress.com and .org blogs, Facebook, Evernote, and Dropbox accounts as well. Everything is secure, obnoxiously secure. 🙂

photo by: MoneyBlogNewz

PAD 5/7/2013 – Key Takeaway

Give your newer sisters and brothers-in-WordPress one piece of advice based on your experiences blogging.

If you’re a new blogger, what’s one question you’d like to ask other bloggers?

The best advice I can give is to be honest but have control over what you say. Honesty is the best policy, as the old adage is fond of saying and it keeps blogging simple as you don’t need to remember any lies you’ve written in order to keep your blog internally consistent. However, honesty has it’s limits, and that has more to do with sharing and privacy. Depending on why you blog, sometimes you may find yourself wanting to write about something private. I think that assigning posts passwords is a great feature to WordPress and makes sharing securable.

Some things are worth talking about, writing about. Some things you share aren’t really meant for your coworkers of your employer and then the best policy here is to slap a password on the posts and keep them private from wandering eyes.

There are a lot of great reasons too, to blog independently from WordPress.com. Having control over your content, not having to worry about quotas or paying for extra services all make self-hosting with WordPress.org really worth it in the long run, especially with the right hosting provider. I’ve found a lot of the plugins that enrich the self-hosted option of WordPress.org makes the product really shine. Here are some things to look into if you think blogging may be for you:

1. Fixing your .htaccess file on your blog. This can be configured to restrict your blog from foreign browsers. I’ve decided to ban entire countries from reading my blog mostly because I don’t agree with their politics, and in the case of China, I’ve gotten quite tired of comment spam. By limiting incoming traffic from browsers using this file, you can preclude them from ever being a problem. Just because the Internet is global doesn’t mean that you should feel forced to respect that globality.

2. Blacklist & IP Filter – These two plugins help identify unwanted IP addresses that are unwanted on your blog and the plugin IP Filter helps you block those with more configurability than you can get with .htaccess.

3. Akismet and Jetpack really help protect and extend your blog. Every blog I host has these two plugins and once you get them configured properly they add so many wonderful features to your blog that it’s difficult to imagine using the blogs without them.

4. PhotoDropper – This plugin makes searching for and inserting pictures in your blog posts a cakewalk. It takes care of searching for the terms you want, only shows you Creative Commons licensed imagery so you don’t accidentally run afoul of image copyright holders and automatically includes credit lines to your posts to help respect the people who are sharing the imagery you are using on your blog. It’s about as turnkey as I’ve been able to find when it comes to finding and crediting blog pictures that I use to enrich my blog posts.

Beyond plugins it’s also worth it to mention AgileTortiose’s iOS app Drafts. This app makes writing anything, journal entires, emails, and blog posts a snap. You can update on any connected device until you are ready and the destination selector feature makes pushing your updates out to various service a snap. I journal with DayOne and I post to WordPress using Poster. Drafts has options for these other apps and a dizzying array of more just for the tapping.

C2E2: Creating Comics with Comixology

While sitting in listening to the Comixology staff hawk their Submit technology, which is quite nice to see especially for independent comic book creators there was a point raised at the end of the panel by one of the attendees. That some people are hesitant to engage with digital comic books because they perceive their purchases not as licensing but rather as chattel. When I buy an issue of Comic X for $1.99 in paper, I have that comic and I can put it somewhere safe and always go back and enjoy it. What then for the digital comics? What if Comixology collapses? This touches more than just comics and the real discussion is actually cloud escrow. Cloud services could collapse at any time taking their content with them, right down the drain. Evernote, Dropbox, Comixology, and even Google itself could founder and collapse leaving behind a smoking corpse and no way for customers to retain the data they consider as theirs.

The industry has perhaps accidentally selected this as a possibility by only conducting business in a cloud infrastructure way, it’s a thin veil on digital rights management — a way for content creators to secure their goods for sale (DRM) without driving away their customers, that veil works quite well. Except for when things utterly fail. What happens when fail comes to call?

When this fear pops up in other, more serious business discussions there is usually a section devoted to source code escrow services from escrow surety companies. So is there room for cloud escrow services in today’s world? Would that be enough to help keep people feel safer so that they would presumably give digital comic books a chance?

I can’t deny that this could be a great niche for a middleman company to step up and offer a kind of data presence insurance. The cloud products you buy are safe, permanently so, not by the companies that fail, but by the escrow service that vouchsafes the data in question.

What’s to keep the escrow service safe? This may be a irreducible hall-of-mirrors. There may be no way for people to feel absolutely safe until content is delivered in an open non-DRM format. I seriously doubt that DRM will go anywhere soon, so this may all have to be sidelined as an argument for some other time.

What started out as a blog post about escrow services has apparently turned into a railing against DRM. There may be no way out of the argument over DRM. It all comes down to “Who do you trust?” And “Can you?”.

C2E2: Digital Comic Panel

Attending a panel from a company called iVerse about Digital Comics. Lots of talk about price points, acknowledging the 800 pound silverback in the room, Apple, and talking about digital libraries. Social networking is still the red-headed stepchild, phrases like “… Twitter, whatever.” which I find *hilarious*.

What I find really interesting is when these digital comics will become so mainstream that they feel comfortable moving forward with a Netflix model where you pay a monthly fee and can access as much as you like.

Now we’ve entered the dimly lit world of licensing versus ownership, flooding, fire, or company collapse. How can you secure your digital goods if you lose access one way or another? Thinking about this topic with some of the things I’ve experienced in my professional life you would just need a source-escrow agreement so when the company fails, the content you purchased is made available to you in an open format. This doesn’t exist now, but it could.

IP Filter Plugin – Blacklist Page

Barricade SignsI came across two great plugins – WP-Blacklister and IP Filter for WordPress. The first lists all the IP addresses for all the spam comments that a blog gets. The spam is identified by Akismet, I grab the IP addresses and then put them into TextWrangler. I sort the lines, find the really obnoxious networks, the ones with the same three octets over and over again, so something like 5.5.5.1 and 5.5.5.2, and 5.5.5.3, these, depending on how they resolve in an IP lookup get a block, either 5.5.5.* or 5.5.*.* or 5.*.*.*. From the left to the right there you block off more and more of the network. The more *’s in the block, the more stations are simply thrown off.

And then there is IP Filter plugin, I assemble a list of naughty IP’s and then fill in the details for this plugin. If an incoming IP address matches any of my blocks, they get no content and a short blurb stating that their network was either a source of spam, malware, or otherwise is unwanted traffic. I applied this list to all my blogs and I had spam comment rates which were about 30 per hour go to zero.

I will be creating a new page on my blog that lists these bad networks and IP addresses. Feel free to get this plugin and enter these blocks for yourself if you wish. I’ll be updating it as I find more spam or Limit Logon Attempt Plugin lockouts.

There is a wee part of me that is toying around with blocking the 141.218 subnet. We’ll see. 🙂

photo by: The Tire Zoo

Limit Login Attempts Plugin

IMG_0025I recently added to my WordPress blog security now that blogs like these are being targeted by botnets. I’ve found a great plugin called “Limit Login Attempts” which allows me to set lockout values to people who try to guess what the ‘admin’ account password is.

First, lets just say that the level of entropy in my admin accounts is so high that there isn’t enough time left in the Universe to try every combination – but that being said, my values for this plugin would make this a non-issue. I give people 4 attempts to try the ‘admin’ account, after that they are locked out for 1440 minutes, a day. If they lockout twice, the lockout penalty goes to 720 hours, or a month. There is 4320 hour span until retries are reset, that’s 6 months.

Of course, the filter also captures the IP address, so I’m going to look into getting a IP blacklist plugin and adding these captured IP addresses to that blacklist. They’ll never be allowed to my blog. This line of reasoning led me to think about an immune system for the Internet. If an IP does something wrong, it is blacklisted and that fact is then sent to every other site and they blacklist it as well. One false move and you are suddenly banished from the network. I think this would radically change how people behave online. There would definitely be a lot of noise raised when people are suddenly unable to communicate with any host whatsoever because their systems were filthy, compromised, or malevolent. That would add a certain value of responsibility. It would only be a little bit more to establish a site like Digg where people vote on the malevolence of comment traffic, putting trolls right along with botnets and black-hats, out in the cold, banished where they all belong.

I can smell an RFC forming. 🙂

photo by: katerha

WordPress Security

Bank vault doorI run a gaggle of WordPress blogs, both for personal reasons and for work reasons. My SupportPress site runs on WordPress.org and the host I’ve been using all along, iPage sent me an email informing me that they have detected a botnet-sourced cyberattack directed at the login pages of WordPress.org installations. They also informed all their customers that they have installed network limits on these attacks, but that even though the attacks have been greatly reduced, that it shouldn’t lead to a flagging of security vigilance.

No time like the present to get things installed on all my WordPress blogs. The first thing I can think of since all my passwords are 16 to 20 characters long, randomized, stored for me in 1Password, and stored in such a way that even I don’t know them – is to install a plugin called Limit Login Attempts to all the WordPress blogs I manage. This will prevent people from screwing up their login attempts and it will email me when they try. So far this blog is covered and I don’t really expect any problems here.

Thanks to social networking, especially Twitter and my good friend @wyrdsmyth, and my hosting provider iPage I have been protected all along. More security is usually a good thing and in this case, warranted with this extra plugin. Next stop are all the other blogs I manage.

photo by: walla2chick

e-Cycle and Gas Station Sushi

Used 1985 Cadillac EldoradoI sent three old iPhone 4’s to e-Cycle for recycling, they had a relatively good buy-back rate for the old devices. Of the three that I sent, only one was accepted. The other two were shredded and I got nothing for them, other than the vague satisfaction that the hazardous materials in them were recycled, probably.

I can’t really blame the company, it’s all there in black and white. Don’t send phones with active lines on them. Oops, that was my fault, but after hearing that they had this problem I thought I could just go into Verizon’s site and mark the lines as suspended. That didn’t do the trick. So the phones were summarily destroyed and recycled. I think that’s the part I don’t get, the rush to obliteration. Then again, I do get it, it’s a company trying to maximize all their angles and this is a rather convenient angle. It strikes me that they could have simply shipped the phones back to me or perhaps told me that my attempt at suspend didn’t work. Instead, they took the silent and cheap way out – shred the phones and mark the Unit Price as $0.00.

So, do I do business with e-Cycle in the future? I don’t know. I have learned my lesson at least, a phone you haven’t used in six months may still have a line on it. I don’t think I’ll be doing any further business with e-Cycle. It’s not because of anything overtly naughty, but just the sense that they didn’t care to even get back to me after I tried to disconnect the lines – that haste to simply shred and zero-balance fills me with doubt as to whether I got a fair shake on that deal, or not. I’m thinking not. While it wasn’t against any of the fine print, it did leave a rather bitter taste in my mouth, and I did learn a lot dealing with them, so perhaps in the end, it was good for everyone. I got a lesson, they lost a customer, and I’m wiser next time.

Now, to see if e-Cycle has any competitors.

UPDATE: They do have competitors, so at least there is a wide field available. Also turns out that the reports of the devices shredding were perhaps premature. They were found in a box, waiting for Verizon to disconnect them, since I sent that little nugget to Verizon today, it may take a bit for those devices to register as disconnected. I’ll update more as events unfold.