antipaucity

fighting the lack of good ideas

archivist

For a long time, I’ve been concerned about knowledge capture.

And archiving.

I’ve finally done something about my own public persona.

It’s not 100% complete, but I’ve created my own “online merikebi” of public content.

It’s over at https://merikebi.warrenmyers.com. It’s collecting posts from all of my blogs, Reddit, and Twitter.

As and when appropriate (and possible), I’ll add other public sources (for example, I cannot collect my Quora content anymore).

a semi-permanent psa on passwords

Passwords should never expire: https://www.sans.org/security-awareness-training/blog/time-password-expiration-die

Passwords should not be changed often: https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html

Password “complexity” is – mostly – a joke: https://www.xkcd.com/936

You have been breached: https://blog.augustschell.com/passwords-passphrases-complexity-length-crackability-memorability-data-breaches

Passphrases are better than passwords – and https://password.ga will generate them for you (it will also generate random passwords that pass complexity requirements)

Use a password manager of some kind

what is “plan b” for iot security?

Schneier has a recent article on security concerns for IoT (internet of things) devices – IoT Cybersecurity: What’s Plan B?

We can try to shop our ideals and demand more security, but companies don’t compete on IoT safety — and we security experts aren’t a large enough market force to make a difference.

We need a Plan B, although I’m not sure what that is. Comment if you have any ideas.

There are loads of great comments on the post.

Here’s the start of some of my thoughts:

There are a host of avenues which need to be gone down and addressed regarding device security in general, and IoT security in particular.

Any certification program could be good … right up until the vendor goes out of business. Or ends the product line. Or ends formal support. Unless we go to a lease model for everything, you’re going to have unsupported/unsupportable devices out there.

We can’t have patches ad infinitum because it’s not practical: every vendor EOLs products (from OSes to firearms to DB servers to cars, etc).

A few things which would be good:

  • safe/secure by default from the vendor – you have to manually de-safe it to use it (like a rifle which only becomes usable/dangerous/operable when you load a cartridge and put the safety off)
  • well-known, highly-publicized support lifecycles (caveating the vendor going out of business)
  • related to the above, notifications from the device as it nears end of support
  • notifications from the device as well as the vendor that updates/patches are available
  • liability regulations – and an associated insurance structure – affecting businesses which choose to offer IoT devices across a few levels:
    1. here it is :: you deal with it || no support, no insurance, whatever risk is there is your problem
    2. patches / updates for 1 year || basic insurance / guarantee of operation through supported period, as long as you’re patched up to date
    3. patches / updates for 3 years ||
    4. patches / updates for 5 years || first-level business offering || insurance against hacks / flaws that have been disclosed for more than 90 days so long as you have patched
    5. patches / updates for 10 years || enterprise / long-term support || “big” insurance coverage (up to a year, so long as you’re up-to-date) || proactive notifications from the vendor to customers regarding flaws, patches, etc

There are probably other things which need to be considered.

But there’s my start.

david pogue’s 1996 mac holiday sing-along

Thanks, Archive.org!

God Rest Ye Copland Programmers
(to the tune of “God Rest Ye Merry Gentlemen”)

God rest ye Copland programmers,
It’s finally Christmas Day.
You’ve all worked 20-hour shifts
Beginning back in May.
No wonder after such neglect
Your spouses moved away.
The last real meal you had
Was late last year–
That’s what we hear;
And since then you’ve lived on
Pizza, Coke, and beer.

Your bosses change, and change their minds,
Is Copland off or on?
Are last week’s OS plans in place
Or now completely gone?
God rest ye well this Christmas Day,
You’d better sleep in late–
It’s the last sleep you’ll get till ’98.
Isn’t that great?
It’s the last day off you’ll have till ’98!

The Bill Gates Song
(to the tune of “The Christmas Song”)

Netscape roasting on an open fire,
Apple begging on its knees,
Photo popping up on Time magazine,
Yes, Bill Gates dreams of days like these!
Everybody knows he’s never fully satisfied,
Throws himself behind each task,
World dominion is his company’s goal.
Well, hey, is that so much to ask?
He knows the world is in his sway,
We’ll buy whatever software he might toss our way,
We’ll surf his Internet, watch his TV,
He’ll take us anywhere we ask him–for a fee.

And so we’re offering this simple prayer,
To Bill and all his MS grunts:
Since we all follow any standard you write,
Make it good, please,
Make it good, please,
Make it good, please, just once!

Gil Amelio’s Coming to Town!
(to the tune of “Santa Claus Is Coming to Town”)

You better watch out,
Absurd as it sounds,
‘Cause Apple’s about
To lose a few pounds–
Gil Amelio’s coming to town!

He’s making a list,
And trimming the rolls
Of projects that missed
Their revenue goals–
Gil Amelio’s coming to town!
He knows what’s losing money,
Like eWorld, PowerTalk . . .
You’d better make your project work
Or prepare to take a walk!

Though you follow his lead
Right out the back door,
You know he’ll succeed–
He’s done it before!
Gil Amelio’s coming to town!

Microsoft
(to the tune of “Jingle Bells”)

Nine-tenths of a gig,
Biggest ever seen,
God, this program’s big–
MS Word 15!
Comes on ten CDs,
And requires–damn!
Word is fine, but jeez–
60 megs of RAM?!

Oh! Microsoft, Microsoft,
Bloatware all the way!
I’ve sat here installing Word
Since breakfast yesterday!
Oh! Microsoft, Microsoft,
Moderation, please.
Guess you hadn’t noticed:
Four-gig drives don’t grow on trees!

I’m Dreaming of a Clean System
(to the tune of “White Christmas”)

I’m dreaming of a clean System,
Something that fits on one CD.
Each component matches,
Not bits and patches,
Unlike 7-5-point-3.
I’m longing for a dream System,
Small, stable, fast, and trouble-free.
What we want, I think you’ll agree,
Is called System 6-point-oh-3!

Violent Night
(to the tune of “Silent Night”)

Silent Mac, broken Mac!
System bombed, screen went black.
Books suggested things; I tried ’em all:
Shift key, desktop file, clean reinstall.
Now my deadline is tight,
This Mac’s been silent all night.

Violent night, horrible night!
Lost my cool, filled with spite,
Threw my Mac through the balcony door
Watched it fall from the 20th floor,
Now I’m sleeping in peace;
Thank God I had it on lease.

Prove It’s So!
(to the tune of “Let It Snow”)

Oh, the papers say Apple’s dying,
But before we start good-byeing,
We should call them all up and go,
“Prove it’s so! Prove it’s so! Prove it’s so!”

They say “Mac OS software’s scarcer.”
We say, “Read those numbers, there, sir,
Sales continued this year to grow.
There ya go, there ya go, there ya go!”

When they tell us Win 95
Made the Mac’s famed advantages ebb,
We’ll say, “Why, then, do Macs now drive
60 percent of the Web?”

We can win our PR reversal–
Make the Mac be universal–
Though we may have some years to go,
Make it so, make it so, make it so!

Happily Addicted to the Web
(to the tune of “Winter Wonderland”)

Doorbell rings, I’m not list’nin’,
From my mouth, drool is glist’nin’,
I’m happy–although
My boss let me go–
Happily addicted to the Web.
All night long, I sit clicking,
Unaware time is ticking,
There’s beard on my cheek,
Same clothes for a week,
Happily addicted to the Web.

Friends come by; they shake me,
Saying, “Yo, man!
Don’t you know tonight’s the senior prom?”
With a listless shrug, I mutter, “No, man;
I just discovered letterman-dot-com!”

I don’t phone, don’t send faxes,
Don’t go out, don’t pay taxes,
Who cares if someday
They drag me away?
I’m happily addicted to the Web!

on ads

My colleague Sheila wrote a great, short piece on LinkedIn about ads recently.

And this is what I commented:

I held off for years in installing ad blockers/reducers.

But I have finally had to cave – been running Flash in “ask-only” mode for months now, and just added a couple blocker/reducer extensions to Chrome recently (in addition to the ones on my iPhone for Safari).

I like supporting a site as much as the next guy (I even run a few highly unobtrusive ones on my sites) – but I agree: when I can’t tell whether it’s your content or an ad, or even get through all the popovers, splashes, etc, I’m leaving and not coming back.

I hate the idea of ad blockers/reducers. But it is coming to such a point where you can’t read much of what is on the web because of the inundation of ads.

And mailing list offers. Oh my goodness the mailing list offers. Sadly, the only way to block those seems to be to disable javascript … which then also breaks lots of sites I need it to work on – and whitelisting becomes problematic with something like javascript, since it’s usefully ubiquitous (in addition to being uselessly ubiquitous).

For Safari on iOS 9, I have three blocker/reducer apps installed (they’re free, too: AdBlock Pro, AdBlock Plus, & Refine (App Store links)). It’d be nice if they worked for Firefox, Opera Mini, and Chrome, too – but alas they do not (yet).

I also run two blocking/reducing extensions in Chrome (my primary web browser) on my desktop – Adblock Plus & AdBlock.

Shame the web has come to this. Schneier’s written about it recently. As has Brad Jones & Phil Barrett.

Wired and Forbes even go so far as to tell you you’re running an ad blocker and ask to be whitelisted or pay a subscription.

Forbes’ message:

Hi again. Looks like you’re still using an ad blocker. Please turn it off in order to continue into Forbes’ ad-light experience.

And from Wired:

Here’s The Thing With Ad Blockers
We get it: Ads aren’t what you’re here for. But ads help us keep the lights on.
So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it.

If you’re detecting my adblocker, maybe instead of telling me you won’t do anything until I whitelist you (or subscribe), you think about the problem with ads first.

Just a thought.

time tracking is broken – and “hours” makes it worse

This recent Medium post irked me.

It’s by one of the creators / operators / owners of Hours, a “new” time-tracking and -reporting company.

The intro had such promise, because it is so true:

There is a reason why almost every time tracking service out there says it takes the pain out of time tracking. Time tracking stinks! For companies, unreliable time tracking is literally a multi-billion dollar a day problem. For employees, time tracking can be one of the worst parts of their job (hint: the two are related). You would think that by now someone would have come out with the ideal time tracking service that solves the fundamental problems.

But then Jeremy Olson explains how Hours is supposed to be better – completely missing the point that time tracking sucks: everything he outlines is already being done in some form by current time-tracking tools.

For billable work, such as what I do, a minimum billing increment is typically 1 hour. Which is stupid. Weekly billing for consulting makes worlds more sense – charging $187.50 per hour ($7,500 for 40 hours) plus travel and expenses is complicated (especially when T&E typically hit $2000-2500 every week (trust me, I’ve been doing this for most of a decade now)): charge $10,000 per week and be done with it. And, of course, that presumes you have the “discount” constant rate – you’re probably paying closer to $0.07/second (aka $250/hr) for a mid-tier technical consultant, and as much as $0.14/second ($500/hr) for a management or principal consultant.

$500/hr for a full week (and we consultants do our darnedest to make sure all of our time is utilized (aka “billable”)) is $20,000 per week. When you’re at the point of buying consulting time measured in hundreds or thousands of hours (as most engagements I am involved with are), “saving” an hour here or there is not a savings – being billed for four consultants for a total of 158 hours in one calendar week is not fundamentally any different from being billed for 160 hours (aka 4 full work weeks) – it’s a 1.25% difference; at most it’s a “savings” of $1000, and probably closer to just $300 or $400.

Even being billed for 38 hours from one consultant (plus T&E) is only a 5% savings over being billed for an entire week (plus T&E, so it’s probably more like a 2-3% savings, tops).

The problem Hours sets out to solve is the wrong problem: while there are some billable practitioners who truly need granular, partial-hour reckoning (lawyers working several “simple” actions at once, etc), the vast majority of salaried folks do NOT need to track their time more granularly than by the half day, and more likely only by the day or week (indeed, I’d say most salaried employees don’t really need to track their time at all – if they’re getting their work done, that should be all that matters) – which tools like Harvest handle very nicely. Harvest, btw, has an excellent mobile interface (including for expense reports), which blows out of the water the theory Olson tries to promulgate when he says, “[i]t baffles me that most major time tracking companies don’t invest more in mobile” – Harvest may not be a “mobile-first time tracking service”, but it is more than amply served in its mobile incarnation.

Is there a market for time-tracking outside the work place? Sure. Things like the Pomodoro Technique use timers and tracking to help optimize your day. But that market doesn’t need yet-another-time-tracking-app – which is all Hours appears to be.

What about the reporting end? I’ve seen reporting in Harvest, Footsteps, and many other tools – they all work (to a greater or lesser extent) the same, and they all produce relatively useful reports. Are Hours’ reports really “better”? Maybe – but it seems a tenuous claim to make, at best.

It seems like the Hours team could’ve spent their time truly making time-tracking better, faster, easier, and less invasive (as described in the article, Hours makes time tracking far more invasive than it should be).

But they didn’t.

Shame.

let’s encrypt centos 6 – truly free ssl

There’s been quite a bit of excitement surrounding Let’s Encrypt recently – a truly 100% free SSL issuer.

Last week I helped a friend of mine get his first Let’s Encrypt certificate generated and configured for his website. One of the things I found incredibly frustrating is that Let’s Encrypt does not have a package for Red Hat/CentOS/Fedora! Ignoring such a massive installed base seems monumentally dumb – so I hope that they correct it soon. Until they do, however, here’s a tutorial that should cover the gotchas for getting Let’s Encrypt to work on a CentOS 6 server with Apache 2.

The documentation (as of 06 Jan 2015) on the Let’s Encrypt website is in error in a few places (or, at least, not as correct as it could/should be). One big thing to note, for example, is that it says Python 2.6 is supported (the current release for RHEL/CentOS 6). If you run the certificate generator without the --debug flag, though, it will error out saying Python 2.6 is not supported.

While I used an existing CentOS 6 server, I’ll start this tutorial as I have many others – by telling you to go get a CentOS 6 server from Digital Ocean or Chunk Host.

Preliminaries

Login as root (or a sudo-privileged account – but root is easier), and install Apache, Python, and SSL:
yum install httpd python mod_ssl

Also enable the EPEL repository (the package is available from the CentOS Extras repository):
yum install epel-release

I’m going to assume you are familiar with configuring Apache, and will only provide the relevant snippets from ssl.conf herein.

Now that the basics are done, let’s move to Let’s Encrypt. I ran the tool in interactive mode (which requires ncurses to be available – it’s probably already installed on your system). But you’ll want to add a crontab entry, since Let’s Encrypt certs expire after 90 days, so at the end I’ll compact the interactive session into a single command-line call – which you’ll need to “know” how to do, since the --help argument doesn’t do anything yet (that I could find).

Initial Certificate Creation

First, grab the latest Let’s Encrypt from GitHub:
git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt

Stop Apache: service httpd stop. Let’s Encrypt is going to try to bind to ports 80 and 443 to ensure you have control of the domain.

Now run the letsencrypt-auto tool – in debug mode so it’ll work with Python 2.6: ./letsencrypt-auto --debug certonly.

Use certonly because the plugins to automate installing for Apache and Nginx don’t work on CentOS yet.

Enter your domain name(s) for which you want to issue a certificate. If you accept incoming connections to www.domain.tld and domain.tld, be sure to put both in the list (likewise, if you have, say, blog.domain.tld that you want included).

Enter an administrative email address.

When the tool finishes, it’ll put symlinks in /etc/letsencrypt/live/domain.tld, with the “actual” certs in /etc/letsencrypt/archive/domain.tld. We’re going to reference the symlinks in /etc/letsencrypt/live/domain.tld next.

Edit /etc/httpd/conf.d/ssl.conf (I prefer emacs – but use whatever you prefer), and add the following lines in your VirtualHost directive:
SSLCertificateFile /etc/letsencrypt/live/domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/domain.tld/cert.pem

(fullchain.pem already contains the intermediate certificate, so no separate SSLCertificateChainFile is needed; note that mod_ssl uses SSLCACertificateFile for verifying client certificates, not for serving your own chain, so the third line is optional.)

Restart Apache: service httpd start.

Try hitting https://domain.tld in your web browser – and you should be golden!

Automating Renewal

Create a small shell script called renew-LE-certs.sh somewhere you’ll remember where it is – like /root:
#!/bin/sh
# stop Apache so letsencrypt-auto can bind ports 80 and 443
service httpd stop
# add additional '-d' entries for more subdomains
/path/to/letsencrypt/letsencrypt-auto --debug --keep --agree-tos --rsa-key-size 2048 certonly -m ssladmin@domain.tld -d domain.tld -d www.domain.tld
service httpd start

For your crontab entry, do the following to set up monthly cert renewal:
@monthly /path/to/renew-LE-certs.sh
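As an added example (not the post’s own script), here is a variant of renew-LE-certs.sh that starts Apache again even when the renewal fails, so a broken cron run doesn’t leave the site down, and builds the ‘-d’ list from one variable. The letsencrypt-auto path, email address and domain list are placeholders to adjust.

```shell
#!/bin/sh
# Added example of a renewal script for the cron job described above (not the
# post's own script). Paths, email and domains below are placeholders to adjust;
# SERVICE and LE_BIN are overridable so the functions can be exercised
# without root or a real letsencrypt checkout.
LE_BIN="${LE_BIN:-/path/to/letsencrypt/letsencrypt-auto}"
SERVICE="${SERVICE:-service}"
EMAIL="${EMAIL:-ssladmin@domain.tld}"
DOMAINS="${DOMAINS:-domain.tld www.domain.tld}"

# Expand a list of domains into the repeated '-d' flags certonly expects,
# so adding a subdomain means editing DOMAINS rather than the command line.
build_domain_args() {
    out=""
    for d in "$@"; do
        out="$out -d $d"
    done
    printf '%s' "${out# }"
}

# Stop Apache so the standalone authenticator can bind ports 80 and 443,
# run the renewal, then start Apache again whether or not the renewal worked.
# --keep only replaces the certificate when it is close to expiry, so running
# this monthly is safe. Returns non-zero if the renewal or the restart failed,
# which cron will report by mail.
renew_certs() {
    "$SERVICE" httpd stop || return 1
    rc=0
    # word splitting of the -d list is intentional here
    "$LE_BIN" --debug --keep --agree-tos --rsa-key-size 2048 certonly \
        -m "$EMAIL" $(build_domain_args $DOMAINS) || rc=$?
    "$SERVICE" httpd start || rc=1
    return $rc
}

# Cron invokes the script with "run":  @monthly /root/renew-LE-certs.sh run
if [ "${1:-}" = run ]; then
    renew_certs
fi
```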