Category Archives: Liberty

Why You Should Use a Password Manager

Update 1/18/2016: There is a security flaw in LastPass’ Google Chrome extension. Don’t be fooled! You can mitigate this attack by:

  1. using Firefox with the NoScript addon (which eliminates the cross-site scripting vulnerability), and
  2. using a two-factor authentication solution that’s routed through your phone instead of your computer, like Duo or Transakt. This eliminates the possibility of a man-in-the-middle picking off the two-factor code entered into the same compromised browser session.

Update 10/16/2016: LastPass has been acquired by LogMeIn! Congrats guys! Don’t get cocky.

Update 5/13/2015: Edited for clarity, and for the change introduced in iOS 8 that allows browser extensions in Safari.

Update 5/8/2014: The Wall Street Journal ran another review of password managers.

Update 1/16/2014: Apple now incorporates a password manager, iCloud Keychain, in iOS7 and OSX Mavericks that has many of the same features as LastPass. I’ll stick with LastPass (since it’s a platform-independent solution), but Apple’s solution is probably easier to use for most folks. Here’s ArsTechnica’s coverage of it’s pros and cons.


 

The Wall Street Journal recently ran a review of PasswordBox, an online password manager. Many people don’t understand why using a password manager is vitally important to maintaining online account security. Consider for example Charleen Larson, who made the following comment:

“OK, so how again is this superior to me keeping a small notebook at home with my passwords? My husband knows where it is and doesn’t have to sign up for yet another account at PasswordBox. We both have too many accounts (free and otherwise) already.”

It was clear from this tidbit, as well as her replies to the responses she received, that she still doesn’t get it.

Password cartoon

Charleen, this one’s for you…

First, a password manager randomly generates passwords for you when you create a new account, and it makes them as long as you want (I use 30 characters.) It can also, of course, generate random passwords on your old accounts if you bother to change them. If you don’t understand why this is important, see this article. Random passwords for each account are especially valuable because they discourage the use of a single password across multiple sites, even for accounts you don’t care about keeping secure. Using the same password across sites is like using the same key for your office, house, car, gym locker, etc. If you don’t understand why this is important, see this article.

Second, you can use password managers from more than one machine at more than one place; you don’t have to be at home. I use LastPass, and have its browser extensions on my computer in Safari and Firefox, and in Safari on my iPhone and iPad (the same company also make an iOS app.) This is like having a copy of my virtual key ring on each device, and makes it easy for me to access my accounts securely from all of those platforms. And if I’m really desperate, I can reach my LastPass vault directly online (though I won’t do so from an untrusted machine except in dire circumstances, such as being forced out-of-town by a natural disaster.)

Third, using a password manager means you don’t have to type the password in every time you access an online account, which helps defend against keylogger attacks. If you don’t understand why this is important, see this article. (If you’re really paranoid, you can copy-and-paste your master password to avoid it getting keylogged, but then you’d better really know what you’re doing as far as security by obfuscation goes, as your password will have to be accessible somewhere in plain text format.)

Fourth, best-in-class password managers offer an optional two-factor authentication mechanism that’s linked to a physical device that’s distinct from the computer itself. If you don’t understand why this is important, see this rather eye-opening article. Use it if it’s available.

And finally Charleen, now that everyone who reads the WSJ article comments knows you keep your passwords in a handy-dandy notebook at home (hint: it’s near the computer, probably in a desk drawer), you’ve got a security issue you can’t easily fix. If you don’t understand why this is important, see this site.

Tagged , ,

On Newtown, and Non-Lethal School Defenses

Here’s an email I sent recently to Brad Rieger, the Superintendent of Sylvania Schools (and an all around pleasant and very smart fellow.) I thought it was worth sharing:

Hello Brad,

I’ve been giving some thought to the Newtown tragedy, and to the debate about whether to allow arming of teachers or posting of armed security guards in schools. In my opinion as a parent and CCW permit holder, there may be safer and more cost-effective means of defending a school against an armed assailant than firearms. I thought I’d run this suggestion by you to get a professional educator’s opinion, and in the hopes you’d spread this idea among your colleagues to solicit their opinions as well.

In particular, I’m thinking of devices such as the Torch, the Inferno (also see Wired’s article), the Dazzler (or an open-source variant), “less lethal” weapons or paintball markers, and others. These devices can be quite inexpensive — For example, the Torch is $199 and puts out 4400 lumens. (350 lumens is enough to blind an attacker for a second or two after exposure, even in broad daylight.) They also have other notable advantages, in particular, they are easier to aim for effect than a firearm, they require little (if any) specialized training, and they pose little or no threat of permanent injury or death to the students. If devices like these were placed in strategic locations throughout a school, the entire staff and/or student body could actively participate in their own defense against an armed intruder.

Please let me know what you think about this general idea when you get the chance. I’ll be looking forward to hearing from you.

Cheers,
Bill

Update: The WP put up an article a few days back on Pennsylvania schools hiring armed security guards.

Update: The Toledo Blade put up a similar article about the schools in Montpelier, Ohio arming their janitors.

Newtown Memorial

photo credit: NorthEndWaterfront.com via photopin cc

How Less Government Is Actually More Government

It used to be that the government did things itself. Put a man on the moon? Form NASA and get to work. Spy on the Soviets? Create the CIA and start sending fake nuns to St. Petersburg (Leningrad for you historical types.) Foment a revolution? Send the marines into the Bay of Pigs. (Oh, wait — That one we didn’t do ourselves. Sorry.)

The U.S. Capitol buildingOne of the big, highly unappreciated advantages of this approach is that, regardless of the inefficiency and red-tape inherent in the process, it provides accountability, both before and after the fact. If the NSA or the FBI or anyone else in the employment of government wants to directly collect information about American citizens, they have to deal with pesky things like warrants, court orders, and civil rights lawsuits.

Nowadays, however, the government is doing far, far less in the way of project execution itself, and the implications should be deeply troubling to anyone who doesn’t want the NSA looking at pictures of their butt taken the last time they were on the crapper. Why? Because the NSA doesn’t have to take the pictures, of course! Not only are big companies like Google, Apple, Facebook, and every other one you’ve heard of collecting this data in massive quantities and providing it to the government, they’re actively discouraged from admitting they’re doing so. The NSA is even building a massive data center in the middle of the country, right next to twelve major data centers and several cross-country fiber optic networks, to make it easy for these companies to send the data their way.

But wait! There’s more!

Because these are private companies we’re talking about, they’re not acting as government agents. Ergo, all those little annoyances like search warrants and civil liberties are completely obviated. And as it turns out, they’re even willing to collaborate with their competitors to make it easier for the government to do one-stop-data-shopping.

Consider for example this article about U.S. mobile phone carriers planning a massive centralized database of cell phone numbers and IDs. The purpose is ostensibly to make it easy to shut off services to a phone reported as stolen. However, it wouldn’t surprise me if this system were also used by the government to quickly and easily find any particular cell phone user in the country, without having to figure out which carrier he or she is using. (Also note how this article hit the papers shortly after the government lost the ability to do warrant-less location tracking via GPS device, which will likely eliminate their ability to do so via the victim’s suspect’s cell phone.)

I’m all in favor of a smaller, less expensive federal government. However, if we don’t introduce some accountability into this system of the feds using private companies to do their dirty work, we’re all going to live in a far less free society in the very near future.

4/27/2012 UPDATE: Slashdot is covering a story about how the FBI has an office located inside a non-profit whose specific mission is to pass information about us and our online activities from private companies to the feds.

The Lack of a Common Threat

If we all want to get along well enough to succeed, we need to be under threat.  Not just any threat — We need a common threat.

Consider for example the US Congress.  Back in the good old days when I was growing up (70’s and 80’s), they got along pretty well.  Not well enough to avoid yelling at each other, mind you, but well enough to compromise on just about everything that required passage (“required” as in ‘the nation will fail if we don’t do this’.)  Of course, they had a good reason: if we didn’t keep up the appearance of strength, the Soviets would blow us to smithereens.  Several times over, in fact.

There’s nothing like mutually assured destruction to focus the mind.  It makes it much easier for a congressperson to say to him- or herself “I may not like this solution, but if I can’t find a way to get along with the other side, we’ll be exposing a vulnerability in our clearly superior democratic, capitalist system.”

Nowadays, we (and in particular, our government) aren’t under a common threat, so there’s no incentive to compromise.  And until we are, the political gridlock and partisan warfare will continue to be the norm in Washington.

Tagged , , ,