Thursday, December 28, 2017

Alohomora: Simple Security for Muggles and Wizards alike

Two years ago, I wrote a post specifically about passwords.
However, these days there are a few more things that one should be doing to protect themselves so I will be going over a few digital security topics in this post.

Wait! Don't be scared, I know security can sound hard but it doesn't have to be. I'd like this guide to be easy to follow so even someone without an interest in security can quickly start being secure online.


I've covered this before but I'll summarize the post here.

Password Setup Steps:
  1. Create two very strong, but easy to remember, passwords for your password manager and your email.
    You can do this by:
    1. Rolling some dice to create a Diceware passphrase
      An easy creation site exists (use 6 words minimum!), and the EFF explains how and why this works
    2. Using the Schneier Scheme
  2. Write down these passwords and put them in a safe place.
    This may sound odd, but even Bruce Schneier has said:
    If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence - or better yet - a hint that will help you remember your sentence. Or use a [password manager]. Don't feel this is a failure; most of us have far too many passwords to be able to remember them all.
    - Bruce Schneier, November 2008 (blog post)
  3. Choose a Password Manager
    There are a few choices out there, but you'll most likely look at the following:
    1. 1Password (nicer on MacOS/iOS than Windows/Android)
    2. LastPass
    3. Keepass

Update Old, Insecure Passwords

This can be time consuming, but it's important to clean up all your old passwords. You probably used the same password in multiple places, right? Use your password manager's password generator to come up with secure passwords, preferably as long as the service will allow.

This process can be daunting, so unless you're ready to spend a lot of time on it, let's make it easier. If you're using LastPass, I believe it will give you a password strength report to help you clean up.

I'd go about this slowly to make it easy. Whenever you log into a service, check the password. If it's weak, change it before you go about your tasks. Otherwise, grab a different password to update.

One day you'll have all your passwords updated!

Enable Two-Factor Authentication Everywhere 

Enable 2FA everywhere you can, and choose any other form over SMS. Here's a site that will help you find out which of the services you use support 2FA.

There are a variety of Two-Factor Authentication (2FA) or multi-factor authentication methods (the EFF has a guide), but the main two you'll encounter are:
  1. SMS.
    This works, but isn't very secure. Without going into too much detail, it's possible for an attacker to pretend they're another phone number and intercept SMS. So if there's another option, choose that. If this is your only option, it's still better than no 2FA.
  2. Authenticator/TOTP
    This form of 2FA has you punch in a 6-digit code when you log in. Authy is a popular app for managing these codes for many services, as is Google Authenticator. It's nice to keep all of your codes in one place.
Using any 2FA method means you may be offered the option to print out backup codes. If a service offers this, definitely do it and store those codes in a safe place!

Use a Secure Messaging App

I'd recommend using Signal, or (if you trust Facebook) WhatsApp, for private messaging, as they implement the same protocol to secure your messages.
I would highly discourage use of Telegram (here's one reason why).

I'd go into more details, but the EFF is also re-thinking what secure messengers need these days, so I'll hold off on giving detailed recommendations myself.

Best Practices

Overall best practices are hard to write. I'll try and give some useful advice though:
  • Always think critically before taking action.
    Who told you to click or install something? Think about why you might want to do it.
  • Not sure? Ask.
    Hopefully you have a tech-savvy friend you can ask to confirm something. If not, getting better at Googling things is a useful skill!
  • Use an ad-blocker (such as uBlock Origin, available for Chrome and Firefox)

Saturday, April 8, 2017

The Keymaker: Simplifying Your Personal SSH Key Management

Image: screenshot from the film The Matrix Reloaded.

If you are like me and ssh into multiple remote machines, or even simply use GitHub over ssh, this is for you.

The Problem

SSH has a lot of settings you can use, but when you're a relatively new developer you're not going to go mucking around in a config file you don't need to touch when there's work to be done! There are also security concerns with some settings, and problems arise if you have a lot of ssh keys. Typing long username@domain strings can be annoying, too.

The Solution

The Keymaker, a small script (fewer than 250 lines) to help create ssh keys for remote machines.

What does it do?

First it helps you create a config file. If one exists already it will rename it with the suffix ".BACKUP".

By default all ssh connections will show a randomart image (VisualHostKey yes) based on the public key provided by the host. This randomart image can be used to visually identify the host's key. This is much easier than trying to identify something like 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.

Instead you get to look at a picture, which is easier to compare and easier to remember. For instance, I've come to associate GitHub's key with this randomart that looks like a flame (note: this may, and likely will, change as GitHub changes their public key):

+--[ RSA 2048]----+
|        .        |
|       + .       |
|      . B .      |
|     o * +       |
|    X * S        |
|   + O o . .     |
|    .   E . o    |
|       . . o     |
|        . .      |

The Keymaker's connections are also kept alive for an hour, in case you leave a terminal idle but still need the session open.

It also disables X11 forwarding (you may want to turn this back on for some keys) and only sends the key each host needs (instead of offering all of your ssh keys to every host).

When you actually run the Keymaker, it asks a series of questions used to generate your ssh key, generates it, adds the information to the config file (for that specific host) and then finally attempts to copy the key to the server you are setting it up for. If you are connecting to a server such as GitHub that won't let that command go through, it will fail (and that's fine). You'll need to manually add your new public key via the web interface on GitHub (or whatever method the site/server uses).

One nice benefit is that it works with non-standard ports and allows you to set a "shortname" (i.e. an alias for that key/username/hostname/port combination).

This will allow for passwordless logins to that server with your newly created key!
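To make the settings above concrete, here is an added example (my own reconstruction, not the Keymaker script itself) that writes the kind of ~/.ssh/config the post describes: global defaults with VisualHostKey, a one-hour keepalive, no X11 forwarding and per-host identities, plus a Host block per shortname. The file paths, usernames and keepalive numbers are assumptions; the directives are standard ssh_config options.

```shell
#!/bin/sh
# Added example (not the Keymaker script itself): reconstruct the kind of
# ~/.ssh/config the post describes. Paths, names and the keepalive numbers are
# assumptions; only the directives themselves are standard ssh_config options.

# Write the global defaults block, backing up an existing file as NAME.BACKUP.
# ssh_config does not allow trailing comments on directive lines, hence the
# separate comment lines inside the heredoc.
keymaker_defaults() {
    cfg=$1
    if [ -f "$cfg" ]; then cp "$cfg" "$cfg.BACKUP"; fi
    cat > "$cfg" <<'EOF'
Host *
    # show the host key's randomart on every connection
    VisualHostKey yes
    # keepalive: one probe a minute, give up after 60 unanswered (about an hour)
    ServerAliveInterval 60
    ServerAliveCountMax 60
    # no X11 forwarding unless a Host block turns it back on
    ForwardX11 no
    # offer only the IdentityFile of the matching Host block, not every key
    IdentitiesOnly yes
EOF
}

# Append one Host block. With an empty shortname the alias is the hostname
# itself (so "ssh github.com" still matches the block).
keymaker_entry() {
    cfg=$1; short=$2; user=$3; host=$4; port=$5; key=$6
    [ -n "$short" ] || short=$host
    printf '\nHost %s\n    HostName %s\n    User %s\n    Port %s\n    IdentityFile %s\n' \
        "$short" "$host" "$user" "$port" "$key" >> "$cfg"
}

# Resolve an alias from the config file to "user@hostname:port", which is
# exactly the string the shortname saves you from typing.
keymaker_target() {
    awk -v a="$2" '
        $1 == "Host" { in_block = ($2 == a) }
        in_block && $1 == "HostName" { h = $2 }
        in_block && $1 == "User"     { u = $2 }
        in_block && $1 == "Port"     { p = $2 }
        END { print u "@" h ":" p }' "$1"
}

# To compare a stored host key against the randomart shown on login (needs OpenSSH):
#   ssh-keygen -lv -f ~/.ssh/known_hosts
```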


Grab my script from GitHub, place it in a folder that's in your $PATH (optionally rename it) and you're good to go!

When you run the script it will prompt you for information as you go.

Note: If you are creating an ssh key for GitHub, you must use with no shortname.

Comments, feedback and PRs are welcome!