Monday, April 28, 2014

Security: HeartBleed aftermath



Well, it was fun, wasn’t it?  The panic, the flying rumors, the denials.  A “massive vulnerability” in OpenSSL, the software library behind the encrypted connections we use EVERYWHERE.  What is an ordinary person supposed to think when told your passwords could have been compromised?

As I've said before, this is the way of the world and you just have to plan to do your part to keep the bad guys at bay.  In my mind changing passwords should be easy.  It IS easy, if you have set up a password database.  See my prior post about how to create good passwords and manage them: http://lifecommaspiceof.blogspot.com/2014/02/security-password-basics.html
So, when word comes that a password might be compromised, you do the following:

  1.  Log in to your password database and find the site/account’s record
  2.  Open your browser and log into the site/account in question
  3.  Navigate to your account preferences or find the change password link
  4.  Enter your old password  (assuming you’re using your database, this is a copy/paste operation from the database)
  5.  As a short-term safety net in case the change fails halfway, copy your old password into the notes field of the record.
  6.  Tell the database to generate a new password.  In KeePass 2, there’s a button for this at the end of the Repeat password line.  I randomly choose one of the generation algorithm options that button gives me, on the grounds that almost anything it generates is going to be reasonably secure.    For high-stakes accounts like my bank account, I use the highest hex key.  Sometimes I look at the password and add symbols to the numbers and letters.    But I admit that probably isn’t really necessary most of the time.
  7.  Save the database record, then copy/paste the new password into the password and repeat password fields in the account.  Save changes.
  8.  Log out of the account and log back in.
  9.  Assuming the password change worked, open the database record again and erase the old password from the notes field.
  10. Save the new version of the database.
Keepass2 entry with Generate Password Button Circled

 
All this actually takes a lot less time than it took to write up the steps.  Of course, that’s for one account.  If you have lots of accounts you need to change, the time it takes multiplies.  Do it anyway.  It would take a LOT more time to repair the damage if your passwords have been compromised anywhere.

Which accounts do you need to fix?  CNET has a list here, which they keep updating:
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
The list is not in alphabetical order but that’s only a minor inconvenience.  You need to scan the whole list anyway; it might trigger action on an account you haven’t thought about in a while.  

I had to create and memorize a new mail password by hand.  That always takes a few minutes of concentration and a few days until I have it fully memorized and in my fingers.  Still worth it.  And now done.  

One thought worth repeating from my prior Security post: whatever you do, use a different password for every account.  You can’t control when vulnerabilities will happen.  But you CAN control the extent of potential damage done to you: a password that leaks from one site can only be used against that site.  Use a database, which will generate a different password for every account.  
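Here is a worked example of the triage the two paragraphs above describe (which accounts to fix, and why reuse widens the blast radius).  It is an added example, not code from the original post and not part of KeePass: it reads a KeePass 2 style CSV export, matches each entry’s site against a list of affected domains, and then widens the rotation list to every entry that shares a password with an affected site.  The export rows, the hostnames and the affected-domain list are all constructed for the example; a real run would use your own export and the published list.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of a KeePass 2 CSV export
# (Title,URL,UserName,Password).  Every value here is made up.
SAMPLE_EXPORT = """\
"Title","URL","UserName","Password"
"Example Mail","https://mail.example.com/login","alice","v7!Qp2#rLm9$wX"
"Example Bank","https://www.bank.example.org","alice","v7!Qp2#rLm9$wX"
"Hobby Forum","http://forum.example.net/","alice_k","forumpass1"
"Photo Site","https://photos.example.com","alice","T3%nB8&yZq1@hJ"
"""

# Constructed stand-in for a published list of affected sites.
AFFECTED_DOMAINS = {"example.com", "example.net"}


def registrable_domain(url):
    """Reduce a URL's host to its last two labels, e.g. 'mail.example.com' -> 'example.com'.
    Good enough for this example; production code would consult a public-suffix list."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def entries_to_rotate(entries, affected):
    """Titles of entries whose site appears on the affected list."""
    return [e["Title"] for e in entries if registrable_domain(e["URL"]) in affected]


def reused_passwords(entries):
    """Map each password shared by more than one entry to the titles that share it (rule 4)."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["Password"]].append(e["Title"])
    return {pw: titles for pw, titles in by_password.items() if len(titles) > 1}


def triage(text, affected):
    """Return (sorted titles to rotate, reuse map).  A password shared with an
    affected site must be treated as compromised everywhere it is used."""
    entries = parse_export(text)
    rotate = set(entries_to_rotate(entries, affected))
    reuse = reused_passwords(entries)
    for titles in reuse.values():
        if any(t in rotate for t in titles):
            rotate.update(titles)
    return sorted(rotate), reuse


if __name__ == "__main__":
    to_rotate, reuse = triage(SAMPLE_EXPORT, AFFECTED_DOMAINS)
    print("Rotate:", ", ".join(to_rotate))
    for pw, titles in reuse.items():
        print("Reused password shared by:", ", ".join(titles))
```

In the constructed data the bank is not on the affected list, but it shares a password with the mail account, which is, so it lands on the rotation list anyway.  That is exactly the damage the one-password-per-account rule prevents.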

You are responsible for your own data.  Do what you need to do.

Monday, March 31, 2014

Slideshows – articles for dummies




I really, really hate it when online sources turn lists into slideshows.  Maybe they think the pictures will make the list more memorable, but mostly it makes it a waste of time and bandwidth as the photos – or now, gifs! – load. 

To me, things are done as a slide show for one or more of the following reasons:

  • The writer doesn’t have enough information to write a real article of substance, so is taking something short and making it long 
  • The writer doesn’t really know how to write.  The pause of page reloads makes it less obvious that there's no flow.  Or even, no content of value. 
  • The website wants every reader to have to click 5, or 8, or 10, or 50! times so that the page reloads and new ads can be presented along with the next photo
  •  As above, the writer thinks the pictures will make the list more memorable.  But this implies that the list doesn’t stand on its own
  • The writer thinks the article is funnier with the pictures


It’s not that I mind pictures as part of an article.  Even I do it occasionally.  See? 
Here’s the Brookfield Zoo’s new baby gorilla, Nora, with her mom, Koola.  It has nothing whatsoever to do with this article, except that I have significant respect for our gorilla cousins.  I doubt they’d communicate with slideshows.

What I mind is an article that essentially consists of One. Picture. At. A. Time. Each with a one-liner (the “list”) or possibly a short explanation along with it.  No matter how much the title intrigued me, I am very likely to X the browser tab and move on.  A picture is NOT worth a thousand words when it’s just a representation for a sentence of six.  

There are also “fake slideshows” showing up.  This is only slightly better.  You don’t have to click to see the next picture, but for every sentence there’s a picture.  Or two.  This morning I clicked on something and it took FOREVER to load.  It turned out to be because essentially for every 1-2 sentence “paragraph”, there were, side-by-side, one photo and one gif.  I didn’t even let it finish loading.  I no longer remember what the topic was. 

Boys and girls, when I just want to look at photos for fun, I’ll visit the Cheezburger network.  When I want information, I want to read it (okay, exceptions for TED talks, about which more in a future post).  If you don’t have enough to say, don’t go looking for pictures and then publish them.  Please. 

Sunday, March 30, 2014

Gratitude part 1 of N



I’ve mentioned the word in posts before. Without being terribly formal about it, gratitude is probably my top spiritual practice. It keeps me grounded, fixes my attitude. I am convinced it makes me happier because it helps me realize I have so many reasons to be happy.



And I do.  Fundamentally, I am grateful to be living when and where I am living. In any other age, and even in this age in many other places, I could not have the life I have. I could have been dependent on the kindness of others and probably close to impoverished for the past 9 years. Instead, I have control over my life, a wonderful house,  many friends, opportunities for learning, growth, and interesting work.  



I am grateful to be living in a time and place where I can live alone, choose my activities, ride a bike, re-invent myself professionally, make a living, own property, and many, many other things as a woman in her middle years. There are, in fact, very few constraints on me that I don’t place on myself.  



I look around the room, and interests tug at me – music, books, knitting, the garden (in the form of seed catalogs). There’s not enough time for them all. How lucky I am to be able to indulge in all these and more. Maybe I’ll talk about them, one at a time, in future posts. Each time I will remember to be grateful.    

Tuesday, March 25, 2014

My favorite information sources



I’m one of those obnoxious facebook friends who tends to look things up before I repost, and when I discover something is incorrect, or only partially correct, I don’t hesitate to post additional information in a comment.  I’d say about 70% of my friends are glad to learn more.  The rest, well….have you ever heard of “don’t confuse me with the facts”?  It’s really more like “don’t annoy me with the facts”.  


I find facts to be very handy things.  They are, however, tough to find on the internet sometimes.  The web is the ultimate democracy – anyone can post anything.   There is no Fact Police.  There can be plenty of pushback for a post, but there’s no guarantee the pushback has anything to do with actual facts.  


I tend to stay away from most news sites, especially the ones connected to television stations.  The ones with obvious political biases – BOTH left and right – are, to me, pretty transparently off base.  The only newspaper I read regularly is The Economist.  If you usually get your news from a US source of any kind, I encourage you to give it a try.  It’s very enlightening to read about us from a point of view outside the country.  And I also like learning about other parts of the world.  One of the things I really hate about American media is the apparent assumption that if it didn’t happen in the US or directly affect Americans, it isn’t really important.  The other source I trust for news is NPR.  Folks on the far right seem to think it’s very left leaning, but I find it pretty balanced, and it often has the detail I crave on a topic that interests me.  


For many other things, I might read them but unless an article feels solid and I can corroborate it with other sources, I usually won’t repost it.  Snopes.com and Politifact.com are good friends.  I love that Politifact pulls no punches: you’ll find “pants-on-fire” labels on untrue statements no matter who made them.


As a geek, I do my best to keep up with what’s happening in IT.  It’s tough. There are so many subspecialties that no one person can possibly stay current on everything.  Fortunately, there are lots of good blogs and news sites.  Here are some of my favorites:
  • Sophos’ NakedSecurity keeps me up to date on what to watch and I find them mostly written in English rather than tech-ese.  I repost their articles a lot. 
  • InfoWorld has several interesting blogs, especially Tech Watch
  • TechRepublic’s multi-topic site
  • Gizmo’s reviews of freeware, known as techsupportalert.com
  • Wall Street Journal’s CIO Report
  • My friend John Ahlberg’s blog at Waident.com, which also tends to cover many IT-related topics.  


Then there are the sites for cycling, for knitting, for gardening, for fun, and for inspiration.  Just having that list might make you think I couldn’t keep up with them ALL, all the time.  And you’d be right.  Still, I imagine there are good ones out there that I don’t know anything about.  What are some of your favorite sources? 

Sunday, February 23, 2014

Happy Birthday, Mr. Handel





George Frederick Handel was born on this date (more or less – it was pre-conversion to the Gregorian Calendar in most of Protestant Europe) in 1685.  Famous for his Oratorio Messiah and his Water Music, he in fact composed hundreds of works in a wide variety of genres over his 74 year lifetime.  He lived in Germany, Italy, and England and traveled extensively.  He was revered by later famous composers – notably Mozart and Beethoven and is generally considered one of the greatest composers of the Baroque era.

Prior to 3½  years ago, though, I would not have placed Handel in my top 5 even if asked to confine consideration to the Baroque.  I revere Bach and his mathematical precision, love the passion of Vivaldi and the brilliance of Purcell, and think Scarlatti’s sonatas are fun.  My long-ago pretense at being an organist included Buxtehude and Telemann.  Oh, I loved singing the Messiah and enjoyed hearing Music for the Royal Fireworks and had a passing acquaintance with parts of a few other oratorios.  But somehow Handel escaped my getting to know him well.

Then Mr. Handel’s legacy and my life crossed paths unexpectedly, in the guise of the Handel Week Festival (www.handelweek.com).  The festival, directed by Dr. Dennis Northway, was planning to present Handel’s oratorio Israel in Egypt. It requires a good-sized double chorus, and Dr. Northway was looking for an additional mezzo soprano.  I am grateful to Dr. Wilbert Watkins for the introduction.  The rehearsals and performance of Israel in Egypt, coupled with Dr. Northway’s enthusiastic, entertaining and enlightening stories about Mr. Handel and the work, opened my eyes to a whole new world. 

I have had the amazing fortune to remain with the Handel Week chorus since then.  I continue to learn about the man and his music and to learn to be a better singer and musician. I’ve made terrific friends in that chorus, even as I remain astonished that I am allowed to sing with musicians of this caliber.  And now I count Dennis as a friend as well as a teacher.

This season the Handel Week Chorus prepared two concerts.  Last Sunday we presented the famous Messiah, as is traditional every 5 years of the Festival's life.  Dr. Northway chose Mozart’s 1789 orchestration of the work this time.  In addition to discovering there was much I still could learn about such a familiar piece, the orchestra accompaniment was refreshing and occasionally hilarious. You can feel the movement toward the Classical Period.  You can also catch Mr. Mozart’s sense of humor.  My new favorite aria is in Part III, just before the end: “If God be for us, Who can be Against us?”, for Soprano – and bassoon. 

Next Sunday, March 2, we will present a concert titled The Celebratory Handel. It includes two Coronation Anthems (including Zadok the Priest, which is still performed at every British Coronation), Music for the Royal Fireworks, and the Dettingen Te Deum.  The choral music was all new to me.  The joy of the journey continues.  Happy Birthday, Mr. Handel – I am very selfishly glad you existed and were such a musical genius.  I am one of millions, perhaps, whose lives you have enhanced in unexpected ways.

Tuesday, February 11, 2014

Security: Password Basics



Every single day, there are stories in the news about security breaches.  For every news story, there are thousands of unreported incidents, most of them limited to one or a few people. 

Astonishing as it continues to be to me, there are scads of people all over the world who have made a career of breaking into computers and accounts that don’t belong to them for the purpose of mischief, theft, or worse. I often wonder what the world would be like if we could somehow turn all that energy toward good instead of evil, but that’s a topic for another blog post.  

We have come to the point where computers are not really very useful unless they connect to the Internet.  But, if you’re going to connect to the internet, you’re at risk.  The key is how to minimize that risk so that you don’t end up being a target.

The biggest, and easiest, key is the use of passwords.  I continue to be surprised at how little priority people place on password management.  In case you’ve forgotten, here are the rules you absolutely MUST follow to minimize your risk of “being hacked”:

  1. Every password should be more than 10 characters long.  Longer is better. 
  2. There should be NO recognizable words in your password.  Let me say it another way: no string of characters in any part of your password should appear as a word in any dictionary.  In any language.  Password-cracking tools try dictionary words, and common substitutions like 0 for o, before they try anything random.
  3. Your password should contain numbers and special characters. Two of each is a good minimum.  There are still some accounts that don’t allow special characters.  But where you can use them, use them. 
  4. Every password should be unique.  In other words, do NOT use the same password for more than one account.  A password stolen from one site is tried on others within hours.
 
Oh, I can hear the wailing and whining now.  I can’t remember all those passwords!  I can’t type them right if they’re that long!  XYZ company makes me change them every 30 days anyway!  

Okay. First of all, it's worth the effort.  Really.  How much will it cost you if someone gets into your bank account?  You really don't want to think about it.  So here’s how you make it [relatively] painless:

  1. Create two master passwords.  Use the rules above.  Here are two options and examples:
    1. Pick two completely unrelated words, but ones you will remember. Substitute some of the letters for numbers or symbols.  Add additional numbers and symbols if necessary to create a password of more than 12 characters.
      Example:  Edition + Severity  = E41tions#v#rITY
    2. Think of a pass PHRASE that you’ll remember.  Pull the 1st letter from each word.  Substitute as above, again ensuring you have at least 12 characters.
      Example: Oh, I never remember passwords, but I will remember this one! = oinrpbiwrto = 0INr*,BiwR71!

  2. Memorize your Master Passwords.  I mean it.  You’re going to use them every day, multiple times per day.  It should only take you a day or two before you can type them cleanly and remember them.  If you have to use a yellow sticky crutch, do it in the privacy of your home (and DON’T leave it where your teenager can find it).  If you’re still worried you’ll forget, put that sticky somewhere away from your computer.  In your jewelry box or something.  Don’t label it, especially if you keep it in your wallet.
  3. Use one of your memorized Master Passwords to log in to your computer.  If you don’t know how, google “create password” or “change password” along with whatever operating system your device uses.  The instructions are simple. 
  4. Use a Password Manager to keep your passwords.  I use KeePass (http://keepass.info/), but there are others out there that have good reputations and might be better for you, depending on what you do, and how many devices you use to access the internet, and what your favorite operating system is.   Use your other memorized Master Password as the password for your database.  Then let your Password Manager generate ALL the rest of your passwords.
    This means, every time you log in to an account using your computer, make an entry in your Password Manager’s database for that account, and reset the account’s password to what the Password Manager generates for the entry.  Occasionally you have to modify – amazingly, there are sites out there that won’t take the 20+ character passwords KeePass generates for me.  But do it, every time.  Pretty soon all your accounts will be in the database.  Organize the entries so that you can find them easily.  Be sure to save a backup of the database: if you lose the file and the master password is all you remember, every generated password is gone with it.  
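The four rules above, and the “let your Password Manager generate it” step, can be made concrete in a few lines.  The following is an added example written for this post, not code from the original article and not KeePass’s own generator: it checks a candidate password against rules 1 through 3 (the word list standing in for a dictionary is a tiny constructed one) and generates passwords with the operating system’s cryptographic random source, retrying until the rules pass.  Rule 4, uniqueness, is a property of how you use the passwords rather than of any single one, so it is not checked here.

```python
import secrets
import string

# Tiny constructed stand-in for a real dictionary (rule 2).  A real checker
# would load a full word list; the check logic is the same.
DICTIONARY = {"edition", "severity", "password", "remember", "never", "one"}

# Characters counted as "special" for rule 3.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"


def contains_dictionary_word(password, dictionary=DICTIONARY, min_len=3):
    """True if any substring of at least min_len letters is a dictionary word.
    Case-insensitive, so 'PassWord' is caught as well as 'password'."""
    lowered = password.lower()
    for start in range(len(lowered)):
        for end in range(start + min_len, len(lowered) + 1):
            if lowered[start:end] in dictionary:
                return True
    return False


def check_rules(password, dictionary=DICTIONARY):
    """Return the list of the post's rules the password violates; empty means it passes."""
    problems = []
    if len(password) <= 10:
        problems.append("rule 1: must be more than 10 characters")
    if contains_dictionary_word(password, dictionary):
        problems.append("rule 2: contains a dictionary word")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("rule 3: fewer than two digits")
    if sum(c in SYMBOLS for c in password) < 2:
        problems.append("rule 3: fewer than two special characters")
    return problems


def generate_password(length=20, dictionary=DICTIONARY):
    """Draw each character from the OS CSPRNG (the secrets module, never random.random)
    and keep drawing until the result satisfies the rules."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_rules(candidate, dictionary):
            return candidate


if __name__ == "__main__":
    for sample in ("E41tions#v#rITY", "0INr*,BiwR71!", "Password123!"):
        verdict = check_rules(sample) or ["passes"]
        print(f"{sample!r}: {'; '.join(verdict)}")
    print("generated:", generate_password())
```

Both hand-built master-password examples from the post pass the checker, while something like “Password123!” fails on the dictionary rule and on having only one symbol.  The generator loop terminates quickly: with twenty characters drawn from an 87-character alphabet, two digits and two symbols are the expected case, not the exception.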

If you do this, and get all your accounts re-passworded with complex passwords from your Password Manager, you can stop worrying about remembering them.  They’re there when you need them and safe when you don’t.   I like not knowing what my Facebook password is!  My KeePass data base is on Dropbox, so it's automatically up-to-date on all my devices.  KeePass also has a portable installation so that I can use it from a USB drive when using a computer that is not mine (at a client's office or the library) without installing anything or leaving a copy of my data base anywhere I don't want it.

An additional plus: most of the time, you’re using copy-and-paste to put your passwords in the appropriate field while logging in, which a simple keystroke logger won’t see; “ctrl-v” doesn’t tell it much.  Don’t over-rely on this, though.  Malware that captures keystrokes usually reads the clipboard too, and your master password is still typed.  The real protection is keeping the machine clean; the manager’s job is to make every password long, random, and unique.

Do I follow these rules?  Well, no.  I don’t.  I make the following two exceptions:
  1. I created and memorized a 3rd Master Password, which I use for my email account.  Sometimes I’m too lazy to open up KeePass just because I want to check my email.  However, that password DOES follow the rules for complexity.
  2. I have an “easy” password that I use on extremely low-risk sites, like forums.  It’s still a pretty secure password, but it doesn’t quite follow the rules above and I do use it in multiple places.   Although in recent months I’ve started replacing that password with one from KeePass in part because I also use KeePass to remember what accounts I have in the 1st place.  Eventually I’ll probably also follow the no-duplicates rule because it’s so easy to let KeePass do the work.  

One other question to answer, and that’s about resetting your password.  There are indeed still a few sites that require passwords to be reset periodically.  Your Password Manager makes that easy – just generate a new one and use it to reset.  If I hear of a breach or a danger, I likewise go back to KeePass and set myself a new password for the account in question. Otherwise, frankly, I don’t worry about it much.  

The Security Community has slowly moved away from making people reset passwords frequently.  It only encourages folks to a) choose simple, short, easy-to-use passwords and/or b) use the same password for multiple accounts. Both of these are set-ups for hackers.  If you create a complex, hard-to-crack password using my suggestions above, it stays complex and hard to crack. There’s no need to change it until you have reason to believe it has been exposed, as in a breach.

There are other steps individuals – and IT departments – can take to reduce the risks of a security breach. But this one is far and away the most important.  It’s really not very hard.  And it’s in your hands.

Do you do these things?  What other ideas do you have for password management?  If you don’t generate unique and crack-resistant passwords, why not?  Tell me about it in the comments.


Thursday, February 6, 2014

Cccccccolddddd….

Happy 2014.  And Welcome back. 
 
Probably half the bloggers in the USA have written about how cold it is this winter. I am using it as an excuse to start posting again.  Living in ChicagoLand, it’s been pretty interesting.  I can’t say I like temperatures below zero.  But I have enjoyed the cold a fair bit when it was less extreme – teens and twenties (Fahrenheit).  I love to cross-country ski.  It’s my favorite winter workout.  It gets me outdoors and pushes me to the edge of breathless, a lot like a good Bulgarian Pajduško.  

Since it’s been so long since I wrote, of course a lot has happened.  Big things: Home Ownership (December 2012), loss of Leo (January 2013) and adoption of Coco (September 2013).  

I wrote about Leo in April of 2010.  I loved that boy.  He got me through some of my darkest times.  I had every reason not to expect him to live a normal Golden Retriever lifespan, but he did.  His end was fast and easy/painless.  For him, which is what counts.  My pain still exists.  But I am grateful to have had him for so long and that he didn’t suffer a long decline.  

Coco is a rescued poodle mix.  Recently I described her to facebook friends as “15 pounds of cute entitlement”.  

Photo Credit:  Margaret Loomis

She’s smart, sweet, playful, and snuggly.  She’s not Leo.  But she has her own special place in my heart, having wormed her way in overnight when I fostered her for a weekend in late September to “see if we’d suit”.  I try to maintain discipline and mostly I succeed. 

I bought a lovely house that I’m still crazy about.  The yard could be bigger, but it’s big enough to grow flowers and a small vegetable plot.  It is perfect in every other way.  I have been reunited with my piano and I have a real kitchen again (and my kitchen stuff!).  Leo got to live in it for 3 weeks before he died.  Coco is snoozing on the loveseat here in my office as I write. 

I feel pretty settled, now.  I have a small group of very dear friends here (you know who you are!) and a large group of activity buddies, conversation companions, professional colleagues, and assorted fellow audience members.   I have been thinking for a while about coming back, and I guess…I’m here.  I hope to hold forth on a new variety of topics in the same spirit in which I began this blog.  Variety is still the spice of my life.  Hope you’re getting started on a great year, too.