This post is from the "random life-hacks department."
I don't like worrying about losing my wallet. I don't really carry anything of great significance in it...little or no cash, some ID, and a few credit cards. But in the past I also knew that if I lost it or if it was stollen, I'd spend some anxious time trying to remember exactly what was in it, and then even more time searching around for the right phone number to call to get things canceled and replaced.
And it felt like there were more important things to worry about.
SSL is one of the most important technologies in use on the modern web. It enables all kinds of business, collaboration, commerce, activism and communication to happen securely, and the Internet couldn't thrive without it. Yet for the average person, alongside domain name registration and management, obtaining and renewing SSL certificates has always been one of the least accessible and convenient parts of having a website.
Let's Encrypt is itself pretty amazing. A bunch of industry experts got together and decided it was time to make the process of obtaining SSL certificates free, automatic, secure, transparent, open and cooperative. This is a long way from what it looked like in the late 1990s, when just a few "certificate authority" options existed, you could expect to pay $100 or more for a certificate, and the application process was painfully slow and analog (think faxing your corporate articles of organization and a photocopy of your driver's license to a call center somewhere), and that's all before you had to mess around with recompiling or reconfiguring Apache to use SSL on your site(s). Even with Let's Encrypt and other modern options some of the concepts and steps remain too technical for many site owners to tackle, but it's getting better all the time.
I'm used to paying around $10/year for SSL certificates on a few of my personal sites, and I actually haven't minded that price point given that the rest of the process has been pretty easy for me to manage. But I recently decided to try using a Let's Encrypt SSL certificate on a site that didn't have one yet, and I'm sharing the steps involved here.
In the past 2FA was a kind of geeky thing that only the most security-conscious would bother with. Today, it's essential that anyone storing sensitive information online or using online services for anything remotely important employs the use of 2FA.
It's an imperfect security mechanism and there things about it that are inconvenient, but for now it's the best intermediate option for protecting against unauthorized access to your accounts and your information. Using it is much less inconvenient than trying to recover from having someone take your money, abuse your identity, or access your private data.
After ranting recently about the choices we make to give "big data" companies access to our private information in ways that might be abused or exploited by government eavesdroppers, I thought it would be worth sharing some of the options I've found for using "the cloud" while also retaining a reasonable level of control over access to the data stored there.
This post has information about tools and software you can deploy yourself to approximate some of the functionality that third party services might provide, but that might also make you vulnerable to privacy and security vulnerabilities. It's based on my experiences designing and implementing solutions for my own company, so it's mostly applicable to the interests of businesses and organizations, but may also be useful for personal projects.
A few important disclaimers: any time you make your personal or corporate data available on Internet-connected devices, you're creating a potential privacy and security vulnerability; if you need to keep something truly protected from unauthorized access, think hard first about whether it belongs online at all. Also, the tools and services I'm listing here are harder to setup and configure than just signing up for one of the more well-known third party services, and may require ongoing maintenance and updates that take time and specialized knowledge. In some cases, it requires advanced technical skills to deploy these tools at all, which is the reason most people don't or can't go this route. Hosting and maintaining your own tools can often have a higher initial and/or ongoing cost, depending on what financial value you assign to data privacy. Sometimes the privacy and security tradeoffs that come with using a third-party service are well worth it.
Still interested in options for using the cloud without giving up control over your data? Read on.
Need a powerful, free email account? Need robust calendar management and sharing capabilities? Everybody uses Gmail and Google Calendar, so just sign up for an account there, right? Unless you don't want Google having access to all of your email communications and usage patterns, and potentially sharing that information with advertisers, government agencies or other entities.
As revelations continue about the US Government capturing and monitoring online activities and communications, I'm glad (and, ok, only a little bit smug) to see that more conversations are happening about just what privacy expectations we should give up by using modern Internet tools and services.
Most of the mainstream conversation has been focused on what information "big data" companies like Google, Twitter, Facebook and Apple do or don't hand over to the government and under what circumstances, and debating where those lines should be.
The built-in assumption here is that it's inevitable that these are the companies that will continue to have access to our private information and communications. I grant that it's a pretty safe assumption - I don't foresee a mass exodus from Facebook or a global boycott on iPhones - but I do think it's important to note that this is a choice we are making as users and consumers of these services. We are the ones who click through the "terms of service" and "privacy policy" documents without reading them so we can get our hands on cool free stuff, we are the ones who are glad to entrust our intimate exchanges to technology we don't understand.
A certain amount of naiveté about the security and privacy implications of the tools we use is understandable here. When I've given presentations on email privacy and security issues, some attendees are legitimately gasping at the new understanding that their e-mail messages are traversing the open internet as plain text messages that can potentially be read by any number of parties involved in the management of those servers and networks. The average user probably assumes that the Internet was designed from the ground up to be a robust and secure way of conducting financial transactions and sending suggestive photos of themselves to amorous contacts.
I come to you today a recovering password management hypocrite.
I have over 190 accounts and logins for which a password or PIN is a part of my access: website tools, online banking, social media, email, internal company tools at Summersault, and so on. I used to pretend that I was maintaining the security of these accounts by having a reasonably strong set of passwords that I re-used across multiple sites, sometimes with variations that I thought made them less likely to be broken into if someone did happen to compromise one of my accounts.
But as I prepared to give a talk in December about email privacy and security issues, and really stepped back to look at my own password management scheme, I realized just how much pretending I'd been doing, and just how vulnerable I was making myself to the increasingly well-equipped and highly-automated attempts at compromising accounts, stealing identities and stealing funds that are being launched every day. I went and tested some of my passwords at the Password Strength Checker, and I was ashamed. The potential impact of this really hit home as I read Mat Honan's personal tale of woe and his follow-up piece Kill the Password in Wired magazine. Add in Passwords Under Assault from ArsTechnica and you'll be shaking in your boots.
So I decided that I was not going to be that guy who goes around telling people about how vulnerable they are with their simplistic password schemes while quietly living a lie in my own password management scheme. I might still be hacked some day, but I would not be found giving some teary-eyed interview to Oprah where I whined about how the pressure of the 190 accounts to manage just got to be too much and how I knew using a simple dictionary word plus a series of sequential numbers was wrong but I still didn't do the right thing.
That's when I found 1Password from AgileBits, a password management tool that alleviates the horrors of password management.
A number of mainstream magazines and newspapers have recently published reports on the increasing threat of "cyberwarfare," the significant resources being devoted to fighting that "war" and what we're doing to protect the critical national asset that is our digital infrastructure.
Unfortunately, most of the responses (and the ones favored by the Obama administration) are focused on paying insanely large amounts of money to private contractors to create and deploy complex technological solutions in hopes of addressing the threat.
What advocates of this approach fail to appreciate is that (A) most of the actual threat comes from uneducated human operators of the technology in question, and (B) deploying homogeneous, technologically complex solutions often makes us more vulnerable, not less.
As an employer, my company Summersault is required to withhold and then turn in federal taxes from our employee paychecks. In the past we've turned in those withheld funds by printing out a check, walking it a block down the street to the bank, and getting a receipt.
I recently took the IRS's advice and inquired into enrolling in "EFTPS" - Electronic Federal Tax Payment System. (It's too bad they didn't call it something really cool like "Maximum Velocity Pay" or "Blue Tiger," but I guess EFTPS is at least accurate.) The idea behind EFTPS is that it will save you time and simplify payment and filing of federal taxes. So far, here's what the process has involved: Continue reading "Super ultra mega-secure EFTPS enrollment"→
Some people think I'm paranoid when I shred certain documents, or when I lock my doors, or when I dart erratically down the street to avoid giving the snipers a clear line of sight. But if you've ever needed convincing that a little paranoia is good for you, especially when it comes to how you dispose of those annoying credit card applications you get in the mail, here's a great story from the folks at cockeyed.com: The Torn-Up Credit Card Application.
Basically, the guy took an application ("pre-approved credit line - just sign here and return!"), cut it up into many pieces, reassembled it with tape, filled it out with a change of address and change of phone number, mailed it in, and got the approved, ready-to-use credit card back in the mail at the new address.
Most people probably don't tear those things up, let alone shred, incinerate and bury them like I prefer to. And while I don't want anyone constantly living in fear that their identity will be stolen, there are some reasonable precautions to take. After all, it's not paranoia if they're really after you.
The Indiana Bureau of Motor Vehicles is restricting glasses, hats, scarves -- and even smiles -- in driver's license photographs. The new rules imposed last month were deemed necessary so that facial recognition software can spot fraudulent license applications, said BMV spokesman Dennis Rosebrough.
And then he had the gall to spin it as an improvement, since it would be horrible to admit that humans had done a better job:
The new technology represents an advancement of what the BMV already was doing, Rosebrough said. BMV employees always have looked at the old photo of a person to see if it looked like the person seeking a new license.
FAIL.
2) I was at a local video store yesterday, trying to rent a video using Anna Lisa's account. I gave the cashier her phone number and name, and he said he'd have to call her to verify that it was okay for me to rent on her account. When she didn't pick up, I offered to call her on my cell phone (in case she wasn't picking up the call from an unknown number), and the cashier said, "okay, yeah, just ask her if it's okay and then you can tell me what she said."
