Slogger

Memories.Slogger

Every once in a while I run across something I’ve seen before but ignored accidentally until I see it in great big headlines and neon and stop to pay attention to it and discover that it does something I really really want. This particular afternoon it was the product Slogger from Brett Terpstra. The software is a Ruby script, and Ruby is a delightful programming language that I’ve had the pleasure of dabbling in. Nowhere near the level of Brett and the people who help him, but here and there, little things.

The need came from a simple Google query, IFTTT and Day One. Looking for some way to bridge that divide between the automatic web service that I’ve fallen in love with, IFTTT and Day One, the journaling software that works quite well and renders DropBox a “Killer App”. Dropbox is the glue that keeps my Day One system together, on my laptop, my desktop, and all my mobile devices. When I found Slogger it was a definite Eureka moment, the answer all in one place. I downloaded the code as the author describes and tried to set it up.

Monumental fail. Pieces everywhere, error codes puking on the screen faster than I could read, pages and pages of interpreter and compiler errors, all surrounding one “Ruby Gem” module called hpricot. I knew why this was fail-town for me, it was because I had installed XCode CLI tools in order to get the mac_google_authenticator PAM module built. That CLI package rendered my system retarded when it came to processing gem requests. In the Ruby world there is a system established for distributing software written in Ruby, it’s called ‘gem’ and you run it much like apt-get in Ubuntu, it’s really quite straightforward and never has given me fits – until. Everything was complicated by the fact that I couldn’t really find where XCode was on my machine, all the likely targets to search didn’t have anything relevant and my find command returned pages of errors and I didn’t have the patience to pick through a thousand lines of “Permission Denied” to find the one spot where the file was hidden.

Didn’t need to complain, as I knew the solution. Download XCode for real. So off to Apple, download the monster and install it. That satisfied hpricot, and everything else installed quite nicely. I set Slogger up, pointed it at my Dropbox and configured the plugins that I wanted. The initial run crashed and burned but I figured out why, it was an errant space in the line that points to the Day One folder, a symbolic link fixed that and I was again off to the races. Of all the plugins that I configured these were successful:

  1. BlogLogger
  2. facebookifttt
  3. goodreadslogger
  4. lastfmlogger
  5. pocketlogger
  6. rsslogger

Then there were the plugins I tried to configure but couldn’t:

  1. fitbit
  2. flickrlogger
  3. getgluelogger

The primary problem with the fitbit plugin was that fitgem, the Ruby assistant program that you have to install is a phantom. You install it, it’s successful, and then it’s gone. No trace of it exists. You try again, poof, nowhere. Plus for the plugin setup there are API codes, User codes, and oAuth codes. I get the reasoning behind all of them and getting most of them was not an issue. I felt a little awkward creating an “Application” for just myself, it seems kind of a waste of effort to ferret all these bits and peices into a semiformal request procedure, but doing it wasn’t hard or cost anything, so what the hell. The part where it all falls apart for fitbit is where you have to get the oAuth token, since fitgem never worked and it’s invocation from slogger should have opened a web browser and asked for my approval, all of that never happened. I tried to be sporting and do the heavy lifting myself but all I did was irritate the API for fitbit and I figured, what the hell, I got most of what I was after and moved the fitbit plugin into the “unused” folder and forgot all about it. Abandon ship, y’arrrr!

Flickr is a pain in the ass. It’s Yahoo and as such, it’s kind of an Internet leper. You need your Flickr number, there’s a site that makes that easy, except it doesn’t work. Flickr username? Feh, either the one in Flickr or your linked Yahoo ID is meaningless. I half figured it was in the URL anyways, but then I thought about it and I don’t really use Flickr all that much beyond a solitary IFTTT rule and that’s precarious as it is. The only attractive part of Flickr is they gave out 1TB of storage. Still lepers tho. So, abandon ship! Y’arrrrr!

GetGlue was the last great effort. Much like Klout, it’s a site that makes sense sort of, but the name is utterly silly. GetGlue. What the hell? Why? Glue has nothing to do with TV or Movies. The only connection I could think of was celluloid and horses-processed-into-glue sort of connection. They give away stickers, what a wonderful bit of pollution that is, and as a gimmick seems dumb. The plugin needs an RSS feed for the GetGlue Activity Stream. It appears as though the GetGlue folks have moved away from RSS and towards “widgets” which seems stupid as in this application RSS is the answer and widgets are worthless. Alas, Google searching for the RSS feed method was fruitless. I was half hoping for something like http://getglue.com/user/bluedepth/feed.rss, where I could just craft it up and be on my merry way. No. You have to “View Source” to find it, which is stupid because that is so full of CSS flotsam and jetsam as to be utterly incomprehensible. Again, my ardor for that particular service was fog on a hot day. I don’t need it. I don’t use it. Whatever! Abandon ship! y’arrrrr!

So I tried the slogger script, it failed, tore out fitbit goop and then it worked. Then I went into my Day One app and mopped up all the mess that testing had made. The only oddity I noticed was the BlogLogger completely missed out on the text on my WordPress site that was between pre tags. Meh. Not really a reason to kick the entire thing to the curb, just something to honestly stop using. HTML is a right bastard, almost all of the time. CSS is a filthy abomination, but we won’t go there.

I would say that tonight everything will work as it should for Slogger, but I have to race to work tonight to turn everything off because work is going to exit-stage-left when it comes to the Internet. They are turning the entire thing off, at least for a few hours. I can’t wait for tomorrow, there will be lulz.

So, to Mr. Terpstra, thank you for slogger. I’m sorry the plugins didn’t work, that fitgem was a phantom, but at least most of what I wanted worked. So we sound a victory cheer, sort of. Yaaay!

Google Authenticator

Dial lockOver the long Fourth of July holiday weekend I received an email from WordPress.com detailing news that they were now fully compatible with the Google Authenticator Two-Factor security system. I haven’t thought of Two-Factor in a long while and decided to look into how Google had cornered the market in this particular security market.

First a little background. The term Two-Factor security means that when you want to prove who you are to some service, called authentication, you usually just have to present two pieces of information, a username and a password. This combination not only identifies who you are and proves your identity through the shared secret of the password, but allows systems to remain as open as possible to all clients who want to connect – assuming that everyone is playing by the rules and nobody is trying to be sneaky or clever. Passwords are notoriously wimpy things, most people give up on complexity because they can’t readily remember the password and it’s not convenient so they select simple passwords like “12345”, “password”, or “secret” and leave it at that. The problem with passwords is that people who make them up are either lazy or don’t care about entropy or complexity and since a lot of your work and identity is being controlled using these systems, using these simple passwords is begging for disaster. Another issue that plagues a lot of people, and goes in with how naturally lazy many of us are, is that people will use one poor password on every site they go to and keep their usernames the same as well. The risk here is that when one service is compromised, all the other services are compromised as well and it’s a huge upward climb to get out of that mess if you find yourself trapped in it.

Cleverness works both against people in general, with thieves, phishers, and hackers as well as for people in general, with things like hashapass or applications like 1Password. Hashapass is a free service that combines the web address of a service with one single complicated password to generate a hash, which is to say, a value that is easily calculated from the combination of the single complicated password and the web address but done so in a way that going backwards is very difficult to do. If any piece of the puzzle is missing, it’s technically unsolvable. As an alternative to this there is 1Password, an application that I have become very fond of, and it uses a similar approach to hashapass. In 1Password one master password unlocks a database of all the sites and their individual passwords so you don’t have to remember a constellation of passwords, all you need is to remember one very good secure password and you are all set. There are a few other nice features to 1Password that I like, being able to generate very long random passwords and store them for me allows me to establish plausible deniability when it comes to my online identities. Because 1Password randomly selected a 32-character password for Facebook, I cannot be compelled, even under torture to reveal that password to anyone else. I just don’t know it. I know 1Password, but that’s not the right question so my account remains secure.

All of this I have collected and use, and I use it everywhere. On my MacBook Pro, my iMac at work, my iPad and my iPhone. 1Password makes it very easy to manage the security database and I’m quite sure that it’s secure. In my life, any more security is rather like putting more padlocks on a firmly locked jail cell, it’s rather silly and feels a lot like overkill. Then again, more security is always better, especially if it’s really clever and somewhat convenient.

Two-Factor security adds another component to the process of authentication. It augments the username and password combination. A password is something I know (or store using 1Password) and the second factor is something called a Time-Based One Time Password (TOTP). This is where the free iPhone app called Google Authenticator comes in. The app records a secret key from a site I wish to prove my identity to in the future, for example, Google itself. I set up two-factor, request a security token for Google Authenticator and set it up in the app. The key is transmitted by QR code, which means you can quickly acquire the long complicated random (hard to type) secret key using the camera in your phone. Once this process is complete the Google Authenticator app displays a six digit number that will work to prove your identity to the site associated with that particular entry and this entry only exists for 30 seconds at a time. This six digit password exists only once in any one 30-second period and there is no way to divine this password without having the Google Authenticator application with it’s stored secret code.

Having two-factor enabled in this way means that my username and password are no longer as important as they once were. Even if my username and password are revealed or compromised without my knowledge, the secret key that I have in my Google Authenticator app remains secure with me and the 30-second-long one-time-password additions remain a secret with me. What I know may be compromised, but what I have (the Google Authenticator) most likely won’t be unless someone steals my phone and finds a way to best the security on that device before I have a chance to wipe it remotely. If in the case my Google Authenticator becomes compromised, my passwords will likely not be because they are uncrackable, and so I am still secure.

Practically how does this work? When I want to log into Google Mail using two-factor, this is what I do. I open a web browser, I type in the address “gmail.com” and press enter. Then I enter my username and my password and then in the third field under the password is a box labeled “Google Authenticator Token” and then I grab my phone, start my Google Authenticator application and then read the six-digit number from my phone and type it in. The service logs me right on and after a few seconds, that six-digit password is no longer valid and is meaningless. I’m authenticated and the system did as it was designed to do. One of the nice parts of Google Authenticator is that the entire app is a mathematical operation, it doesn’t require the network at all to generate these numbers, so this would be a good solution for people who may not have a reliable connection to the network or have a data quota on their phone.

Of course, online authentication is just the beginning. I found a way, yesterday, to embed the Google Authenticator system into my Mac OSX Mountain Lion installation so that when I want to login to my computer at work or my laptop I have to type in my username, my password, and read the six-digit code from my Google Authenticator application. The setup isn’t difficult to get it to work. You need a compiled PAM module which I have (just ask if you want a copy) and an application which you use to create the secret key on your computer. With it all set up, and a slight adjustment to a settings file, even if I were to lose security on my password at work nobody could login to my account without my username, password, and GA token.

This arrangement works quite well and I’ve set it up for my Google accounts, my WordPress.com and .org blogs, Facebook, Evernote, and Dropbox accounts as well. Everything is secure, obnoxiously secure. 🙂

photo by: MoneyBlogNewz