Saturday, August 11, 2007

One password to rule them all

I admit that I've had the worst web password hygiene until now. I've used more or less one password sprinkled over many sites. The number one reason this is a terrible idea is that I can't seriously trust all those sites (or their authors). Heck, it's not totally impossible that one or two of those sites store my username and password in cleartext somewhere (how horrible that would be). Now imagine one of them being compromised. Add the fact that I'm typically olov, olov.johansson or olov.lassus on most sites, and whoever stole that one password can log in as me just about everywhere. Impersonated!

The solution is to use one password per site (actually, even better is to ask for wide adoption of the OpenID identity system). All passwords should be reasonably hard to brute force or dictionary attack. I'd recommend at least ten characters, using a combination of alphanumeric characters [a-zA-Z0-9] and symbols (!"#¤%&/()=? ...). The longer and more random the passwords are, the better. All is well? Almost. How on earth will I remember all those passwords? I have a terrible memory, by the way. Solutions:
  1. Letting the web browser remember my passwords. I wouldn't dream of using this; it's badly flawed. The default is to not set a master password, which means the stored passwords are only trivially scrambled on disk. ..drumroll.. It's also inconvenient since the data is bound to one computer.
  2. Writing down the passwords on post-its, in text files or similar. No comment.
  3. Storing all passwords in an AES-encrypted text file on my USB stick. I could never remember a 128- or 256-bit key, so I would derive it from my one-password-to-rule-them-all with one of the better hash functions (a salted, iterated key derivation of the kind TrueCrypt uses for its volume headers is preferable to a single hash, since it slows down offline guessing). This can be cross-platform automated using the excellent TrueCrypt tool, for instance.
  4. Storing all passwords AES-encrypted on a site. A double SHA-256 of my one-password-to-rule-them-all yields the encrypt/decrypt key. Most important of all: all hashing and crypto should happen on the client side (on my machine), so the site only ever sees ciphertext. I use Clipperz. Even if the Clipperz database were compromised I wouldn't worry too much, since an attacker would still have to guess my master password offline (I would vote with my feet, though).
I was thinking about doing number three until I found the excellent Clipperz site (number four) and started using that instead.

Keep in mind though, if you opt for number three or four and lose your one-password-to-rule-them-all, then you're smoked! You need to remember it. You should also make darn sure that you don't write it down anywhere, in any form. It must be reasonably strong, see above.

Bottom line: My password hygiene is now so much better than before it's not even funny. I have to remember exactly one password. I have no idea what the password for my WordPress instance on this site is. To write this article I first opened Clipperz compact in the Firefox sidebar. I entered my username and one-password-to-rule-them-all. A couple of seconds later (after all the client-side JavaScript crypto operations were done) I just clicked the "Fancy blog" link, bam, logged in!

I can access and add passwords from any internet-connected, JavaScript-enabled browser. I periodically download an offline copy from Clipperz (it's really more of a JavaScript application than a site) so that I'm safe if Clipperz ever goes down.

Are you feeling guilty? Raise your hand and repeat after me. "I am a password sinner." Now go do something about it. Being lazy and/or having bad memory are no excuses anymore. The one-password-to-rule-them-all method might just be the silver bullet you have been waiting for.

One Password to rule them all, One Password to find them,
One Password to bring them all and in the darkness bind them

Monday, August 6, 2007

Visuals and more

Did some more Ruby on Rails fiddling on the CamDB site:
  • List of all known manufacturers, linked to queries
  • Recent added/edit sort order
  • Increased precision printout (per suggestion)
  • Blog integration
  • Better visual design
  • ..and a bunch of bug fixes

Friday, August 3, 2007

CamDB and repoviews

I deployed my first Ruby on Rails hack a couple of days ago: http://camdb.fancy.se.
The CCD and pixel geometries can be calculated for any camera by adding its most wide-angle focal length, the corresponding 35mm equivalence and its native resolution. The geometry won't be fully exact if the focal length parameters aren't. You are encouraged to add and edit!
It's also an experiment with a wiki-ish database. Anyone can add, edit and delete content. So far so good, but for the future I will need to add user accounts and/or revision control.

I've been hosting Fedora package listings (repoview based) for some time now, check out the repoview page for more info. This can also be reached from the "Pages & Links" top-menu item.

Thursday, August 2, 2007

{name: 'Olov Lassus', was: 'Olov Johansson'}

The wedding was fantastic and yesterday I got a confirmation of my family name change. Will need to update this on a multitude of places, both in real and virtual life. Personal ID and VISA prio one, I suppose. My primary private Google mail and talk has changed from olov.johansson to olov.lassus.

Sunday, July 22, 2007

Thursday, July 19, 2007

Twenty-o-seven twenty-o-seven

Rings
We're getting married tomorrow, 20/07 2007!

Wednesday, June 6, 2007

Emacs 22.1

It has been a long time since a new major release of Emacs but here it is, Emacs 22.1. Lots of new features and bugfixes. I found a pretty nice guided tour which applies to earlier versions as well.

In other news Fedora 7 got released the other day and has Emacs 22.1 included out of the box.

Tuesday, May 8, 2007

Free Java just happened

Looking back a year ago (this was prior to the announcement):

"..my opinion is that we can expect Sun to release Java as FLOSS a bit sooner with Schwartz as CEO. Yes, free (official) Java will happen, it’s just a matter of time."

Guess what! Some pieces are missing but many of those will be replaced quite rapidly. A world class (in many aspects, the GC being one of them) virtual machine (thank you SableVM, Kaffe and others for being there for us in the meantime), a (the) complete class library (Classpath will be remembered as a tremendous effort, although not complete) and a solid compiler (for which ECJ, the Eclipse compiler, still is a good alternative). Good stuff, thank you.

Monday, May 7, 2007

I want a penguin



That's irony for you, baby.

Saturday, April 21, 2007

Up again, blingier

Moving to the new flat meant lots of downtime for the server; now it's up again and has just come through an automated FC5 -> FC6 upgrade with one minor hiccup.

The security support for FC5 is likely to end soon and my original plan was to migrate to CentOS 5, the RHEL5 clone (trademarks and logos replaced), since it has an awesome support period of 7 years. I also had Debian Etch in mind, having used Debian for this server before. Debian releases security updates until one year after the next release, which means a total support period of a bit less than 3 years (this varies since no one can predict when Debian releases). Fedora Core (soon to be renamed Fedora) recently decided on releasing updates until some month(s) after the second next release, which means support for 1 year plus a couple of months.

I ended up trying the automatic network upgrade the supported way (using the anaconda installer), booting from an FC6 rescue CD. When that finished I booted into my new FC6 system, ran a yum update and got a bunch of updates including the 2.6.20 kernel; rebooted and all set. Thus I'm calming down a bit on my thoughts of migrating the server to a longer-life distribution. Fedora 7 will be released in ~one month from now and I plan to do the FC6 -> F7 upgrade shortly after, and then won't have to touch the server again for the next 13-14 months until F9 has been released.

Here's some help on evaluating lifetime/upgrades for a distribution:

  • How long is the (security) support period for a release?
  • How often does the distribution release? Since most distributions only support upgrading from N to N+1, this is also the average time between your upgrades.
  • How easy is the upgrade to the next release?
  • Are predictable releases important to you?

The lazy admin may also be interested in things like:

  • How soon after disclosure do the security updates come?
  • What's the bug & security update policy? (backported patches only vs major/minor version upgrades)
  • How robust are the packaging and tools?
  • Is the software you need available in the repositories?
  • Do your bugs get fixed?
  • ...

YMMV

Thursday, January 18, 2007

growing older, wizer

27 today, learned a new word. slideware.