August 12th, 2017: Social Network Withdrawal
While some might jump to the conclusion that I'm referring to withdrawal symptoms similar to drug addition, this is quite the opposite. I'm pretty much done with social networks. There, I've said it.
It's not that I don't appreciate their value or their intrigue. The cons simply outweigh the benefits I get out of them. Particularly the exposure, the stalking, the security breaches, the psychological profiling, the advertising, the echo chamber, the fake news, the religious anything, and depending on the network the down right disturbing.
My decision to exit the likes of LinkedIn, Facebook, Twitter, GitHub etc are all rooted in varying causes from the above list. But the most important reason I left is because I began to feel like I was required to use those platforms to stay connected, employed, and informed.
While I think these services are still ephemeral in terms of lifespans, we should collectively be cautious how much weight we give to the importance/requirement of services like those in terms of hiring, socializing and exposure to current events.
To be clear I haven't officially closed my accounts, I just stopped logging in. Services like those are often so difficult to leave I just decided to leave them active. Reddit and StackOverflow are my last two bastions of public internet interaction. And I still anonymously murk around Slashdot, maybe once a week. I will eventually close those accounts as I create replacements for them on my website, just as I have done with my photos, status updates and blog posts.
In terms of quality of life I'm absolutely better off. But I recognize that quitting social isn't for everyone. Many people think TV will rot your brains and living without one is so much more rewarding. It might be so for them, but you can pull my 65" flat screen TV from my cold dead hands because to me there's nothing that beats it in terms of entertainment per dollar spent per hour.
May 28th, 2017: Modern Password Security Best Practices
With the ever increasing number of hacks and data breaches that hit large and established internet companies I have decided to share my personal strategy for preventing the disastrous consequences of a breach. While I'm fairly lucky to have not experienced the worst myself, I have had my identity and bank accounts stolen. And according to the recent news about LinkedIn I probably had my account password stolen years ago without my knowledge. But here's why I've been protected.
I don't use any 3rd party services to manage my credentials.
While those services do have a better than industry average record, even the big players like LastPass have been hit by hackers. As a software developer I'm well aware of the sheer volume of attack vectors that can be exploited. Services that operate on multiple platforms have a larger attack surface to penetrate - ie it's easier. While they do encourage other best practices they are not bullet proof.
I use unique passwords for every service, with one exception.
This is a very important feature of any password system. Using the same password you use for GMail as you do for any random internet service is a quick path to destruction. Once your email account is hacked, password-recovery hacks are childs-play.
My only exception to this rule is that I have a junk password that I use for junk services that require an account. I only use it for services that I would otherwise not care about a breach. And I will sometimes use the same password for companies that have yet to adopt single sign on for related services. But this latter issue is not as common these days.
I use complex passwords.
To be clear, I don't mean complexity in the sense of h4ck3rz!1 speak, but in terms of entropy. Randall Munroe sends this point home in a classic XKCD post:
To accomplish this feat I use a series of root words, decorated with memorable catch phrases. For example, I would start with something like:
"rubbernecker " + "eat my shorts man"
Then I append a series of digits required to meet whatever ridiculous and archaic password policy some random IT person came up with. So the result would look something like this:
"rubbernecker eat my shorts man!1A"
Which according to the internet would take a computer 824 quattuordecillion years to crack - so almost safe. Some people like to repeat a phrase or reverse a sequence to make the length... long, but that makes the entry more difficult to type, and password crackers know these tricks and they are easy to code against.
Unique and lengthy passwords are hard to remember, so I write them down.
In a computer file of course. I mean who uses paper anymore? /s
I only store parts of the password.
The problem with keeping your passwords in a file is that you risk losing all of your passwords in one go the moment you are hacked. Instead of keeping the entire phrase in the file I keep just enough to remind me what the real password is, along with other metadata about the account.
github, firstname.lastname@example.org, "rubberman!1A", 2014
Now there is a chance I'll forget that "necker eat my shorts" was the meat of these breadcrumbs, but a random password reset every now and then is a feature not a bug. The important matter is that I can find the password quickly with a grep for the service (github). And then when necessary I can grep for if the password was used on other related accounts if I have to reset it after a breach. I don't delete the password mind you I keep it in an archived list so that I can be sure that when I create a new password I didn't re-use a previous one.
I encrypt the password file with a long password that I'm sure to remember.
Personally I use an AES 256-bit encryption scheme salted with a random 32 character string that I have committed to memory. I don't use this password for anything else and I only enter the password on my personal laptop which I keep as secured as I possibly can given that it is Windows 7.
For the average user I would recommend using a password protected ZIP archive instead of learning to develop secure software. The point here is not that ZIP files are uncrackable, because they are, but that most people are not going to know how or bother with the effort/cost. Just like your average door lock keeps people honest.
But for those that are capable, cracking it will ultimately prove pointless because the passwords themselves aren't actually in the file :D
I keep a single paper copy of the master password hidden in my records.
While this might seem like a security breach by itself, it's a backup measure in case I ever lose my mind. Nothing like a car accident to wipe out 32 characters of randomness leaving you stranded without access to all of the other passwords you forgot. It's a stretch I know but then again we're talking about a system that needs to be sufficient for the rest of my life, and who knows if Alzheimer's is in my future.
I refresh my passwords every year.
You might have noticed the date appended to my line item entry. This allows me to update a password when I use the account again and the year has changed. Sometimes I lag on this one especially for my frequently accessed accounts because I eventually commit those to memory which means I don't see the expiration date. But I clean house eventually.
I don't use saved password features for my critical accounts.
While this is painful, I don't like relying on the security of a browser or operating system if I don't have to. This isn't a "just use linux" or "chrome is secure" world, heartbleed is a prime reminder of that misguided notion.
All of this of course isn't a guarantee, but it does limit your exposure. Learning to isolate yourself from trojans/viruses and knowing how to keep your software updated are also critical skills to develop. But there's no 9 step guide to making those happen.
April 25th, 2017: Preserving My Digital Life
About 7 years ago I started a process of centralizing all of my content to a single digital source. At the time I had about two thousand CDs and DVDs sitting on spindles slowly degrading with time. I had content on various social networks, email platforms and hosting providers. I had old hard drives (and a few floppy drives) sitting in bins in my office. Not to mention the 8 laptops that I run as servers for various purposes. I knew my data was in jeopardy of corruption, deletion, and illegal search and seizure, so I decided to get my digital house in order.
My requirements at the time were cheap, reliable, redundant, secure, and real-time capture. I had used a variety of backup solutions up to that point and knew from experience that they didn't scale efficiently over decades. Touch-less backup solutions bloated to gigabytes quickly. Backup services didn't always run in time, or at all if you didn't monitor it regularly. And I had already seen enough 3rd party services go dark without notice to know that I wanted to be responsible for the bits myself.
After weeks of research I concluded that a USB flash drive was the perfect solution. I had all but forgotten flash drives as a viable solution because up until then flash drives were SLOW. Even when USB2.0 had come out, market gaps and slow flash technology produced poor-performance options. Even when you had a decent (and expensive) 2.0 hi-speed option, you were still left with horrible write performance in the couple of megabytes per second range. But in 2010 USB3.0 was finally available and the performance was enough to work with. Flash technology was supremely better, and the cost had finally become competitive with traditional media thanks to solid state drives.
I started with a 32gb usb drive and slowly over those 7 years extracted the important bits of data from every CD / DVD / 3rd-Party-Platform that I could. I had about two orders of magnitude more data than my little drive would hold, but mostly due to duplication, lack of compression, and cruft that didn't need saving. So my process included the rigor of radically changing my data habits to match.
Along the way I was reminded several times that my effort was not in vain. Seeing people like @mat lose their entire digital life because a hacker wanted to see if he "could" kept me on task of selectively extracting data from a proverbial mountain.
I have since had to upgrade to a 128gb usb drive, but 512gb drives are only $250 at the moment and 2TB drives are available for a price, so I'm pretty much covered for the next 15 years. Since then I have managed to pull every piece of data I care about out of the cloud and onto my USB drive.
Here's how I roll when it comes to meeting the requirements I set out with. I work directly off my USB drive (real-time-update.) The drive is always with me so I don't have to worry about not having access to my data due to network loss or lack of my primary laptop (not that I would willingly plug the drive into a foreign computer, if I needed to I could.)
Every time I plug the device into a laptop or server in my house it mirrors any modifications made to the local drive in an encrypted and compressed form. The worst-case scenario is that I work on some files, forget to sync to my host before ejection. To have a drive failure (or lose it) at that point would leave me with a day's effort lost.
Lastly I also keep a second 128gb drive mirrored via a NAS port on my WIFI router. That router is daisy chained behind a second router to add a layer of security from remote attacks. I also rsync the compressed data once a week to an offsite host. All in all, I always have 4 separate backups on my local network, and two offsite copies in case my house burns down.
It's not 100% secure of course, but I feel pretty confident that I won't lose everything to a ransomware attack or freak act of nature. I'm running with only 4% free space right now, so I'll be upgrading to a 512gb drive soon.
Jan 13th, 2016: Satire & Irony On The Web
The other day I read a hilarious and accurate satirical depiction of web development in 2016. The author, Drew (@wob) pulled the article entirely, probably through an endless amount of ridicule and angst from social justice trolls. But the article has since been re-posted with several redacted parts.
Una Kravets, another medium blogger, also felt the need to publicly shame Drew, even though she had promoted the article as an insightful piece just a few days before. It's possible she was subjected to the same SJW bullying that made Drew redact his article, then publicly apologize, and then ultimately remove the article from existence. Regardless of whether she overlooked the personal insult or not, one thing is for sure, her entire response exhibits a great example of modern irony.
Just to cover our bases:
Satire: the use of humor, irony, exaggeration, or **ridicule** to expose and criticize people's stupidity or vices, particularly in the context of contemporary politics and other topical issues. Irony (modern): the expression of one's meaning by using language that normally signifies the opposite, typically for humorous or emphatic effect.
In Una's case, she wrote a blog post with the following outline:
Title: The Sad State of Entitled Web Developers Gist: It's **never** ok to criticize a web developer. Section 1: Ok, Let's be Real Gist: All the points Drew made were right. Section 2: Open Source Entitlement Gist: Tangential criticism towards impolite bug submitters. Section 3: Criticizing Software is a Good Thing Gist: People write shitty software all the time and criticism of software is good.
I'm not even sure where to start. Una, basically wrote a lengthy post personally criticizing Drew, because Una thinks it's wrong to personally criticize someone, and she justifies her points because she believes (incorrectly) that Drew personally criticized Sebastian. Then, in every supporting point of this "injustice" she either breaks this new cardinal rule, or defends Drew's actions from the context of everyone should criticize software... except Drew.
(Now's a good time to point out that I don't think it's inherently wrong to criticize people's opinions, actions or creations (in this case software.) I'll draw the line about criticizing people for Title VII stuff, but their opinions are fair game as a cultural system of checks and balances to radicalism... or just inanity. Sticks and stones right?)
Even if the community didn't have overwhelming self-awareness of how shitty everyone's code truly is, Una reiterates that mantra repeatedly in the post as if to point out we shouldn't get butt-hurt when someone expresses their opinion about a product because products are not people and there are factors beyond a person's control that influence the product.
Although Drew's section about Sebastian was redacted it was basically this sentence:
Besides the insult about Phabricator, Drew also shat on BabelJS's complete lack of real value or utility because all it does is convert a syntax that will be here in the future into code that the current JS VM's can compile. It was a perfect example of the producing-nothing-of-real-value trend that was created in the present, because waiting any longer for the community to release the future version (that can literally be coded using today's syntax) was too much to handle. It outlines the entropy of both Babel 6 and ES6/7/20XX.
Drew even said Sebastian seemed like a nice guy, but his software sucks - a criticism Una is "all for" and are "important conversations to have", except from Drew, I guess.
The real consequence of Drew's words were virtually nothing. Drew's article will not change the community, Sebastion will not forgo any association with BabelJS (or use a different issue tracking tool for that matter.) And in all likelihood Sebastion took no offense from the article (veterans in the community have heard it all.) But there are very real consequences for Drew, who has been wrongfully hounded by social justice warriors.
Well Drew, I don't think you were wrong, and I'm glad to have been one of the 360k people who truly enjoyed the unfortunately accurate satire. Oh, and start eating well.. seriously.
Perhaps I'm just tough skinned (I'm not, ask anyone who knows me.) I mean I am the sole developer of a JS framework that exists purely because people shit on Object.prototype extensions. And I have certainly received my fair share of criticism for even typing the words Object.prototype in OSS bug tickets.