Skills

“In all her life Laura had never tasted anything so good as that savory, fragrant, sea-tasting hot milk, with golden dots of melted cream and black specks of pepper on its top, and the little dark canned oysters at its bottom. She sipped slowly, slowly from her spoon, to keep that taste going over her tongue as long as she could.” — from By the Shores of Silver Lake by Laura Ingalls Wilder, pp 204

Anyone who knows me, knows that I have an uncontrollable fascination with the Little House series. It was my introduction to Christianity, and the reason why I invited the minister to dinner when we moved to New England (Ma insisted it was right and proper, so therefore it was what I ought to do, yes?). I’ve been through the series so many times that I’ve had to buy new copies on several occasions, the older ones having worn out. I learned morals and ethics from them. For me, Laura and Ma and Pa and the other people there are just as real as you and me.

Several years ago (several severals of years ago), I was living on the west coast and had managed to become unemployed and rather destitute. I was scraping by on unemployment insurance payments, but it was pretty dicey. My partner D and I were approaching the Christmas and Yule season with as much joy as we could muster. After all, we had a roof over our heads, heat, and each other. It was lean, but love fills a lot of gaps.

Some kind soul had told the local fire department that we were living lean over the season, and a soft spoken gentleman brought us a hamper of food. I tried to protest, but he insisted that it was alright, we weren’t taking anything from someone else. I’ll admit, once he was gone, I tore into that box like … well, like it was Christmas morning. D and I went through the rice and pasta, a tiny canned ham, some fresh vegetables, and then at the very bottom we found the single precious can of smoked oysters.

We could have eaten that can of oysters in two seconds. We’re both in love with them, their smoky flavor, savory and oily… But I looked at him and ran to the book shelf. I pulled out “By the Shores of Silver Lake” and went skimming through it to find the New Year’s Eve scene. There it was, Laura’s description of the oyster soup Ma had made for their guests. He and I started laughing, and we recreated that soup for Christmas Eve for ourselves. It was a wonderful meal.

A while ago (before I couldn’t handle dairy anymore), I wanted to make the soup again. I remember how delicious it was way back when I was barely an adult. Tastes change, though, and I wondered if it would still be as magical. I picked up three cans of cheap smoked oysters and sacrificed some of my coffee half-and-half, and made the soup as a starter to our Yule meal last night.

Everyone enjoyed it. I made enough that I assumed there would be much in the way of leftovers, but there wasn’t. Barely a drop was left in my soup tureen when we were done! It was just as Laura described it, with the oil and butter, the salty sea taste.
Read More

We are in the process of moving from the image above to the image below.

At least in terms of what the infrastructure looks like.

Today I decommissioned an EdgeRouter 4 which features a “fanless router with a four-core, 1 GHz MIPS64 processor, 3 1Gbit RJ45 ports, and 1G SFP port.”

When they say “MIPS64” you can think of it as being in the same class as an ARM processor. Not a problem for what it is.

The issue was that there are only 1Gb interfaces. That and I’ve come to hate the configuration language.

This has been replaced with a pfSense router running on a TopTon “thing.” I call it a thing because it is from China and intended to be rebranded. It doesn’t have a real SKU.

It is based on an N100 with 4 cores and 8 threads. 2 2.5Gb Ethernet ports, 2 10Gb SFP+ ports. It can be upgraded and has multiple extras.

Besides the hardware, this is an entirely different animal in terms of what it can do. It is first, and foremost, a firewall. Everything else it does is above and beyond.

It is running NTP with a USB GPS unit attached. It runs DHCP, DNS, HAProxy, OSPF and a few other packages. The IDS/IPS system is running in notify mode at this time. That will be changed to full functionality very shortly.

So what’s the issue? The issue is that everything changed.

On the side, as I was replacing the router, I jiggled one of the Ceph servers. Jiggling it caused it to use just a few watts more, and the power supply gave out. It is a non-standard power supply, so it will be a day or two before the replacement arrives.

When I went to plug the fiber in, the fiber was too short. This required moving slack from the other end of the fiber back towards the router to have enough length where it was needed.

Having done this, plugging in the fiber gave me a dark result. I did a bit of diagnostic testing, isolated the issue to that one piece of fiber. I ran spare fiber to a different switch that was on the correct subnet, flashy lights.

Turns out that I had to degrade the fiber from the other router to work with the EdgeRouter 4. Once I took that off, the port did light off. But that was a few steps down the road.

Now the issue is that all the Wi-Fi access points have gone dark. Seems that they are not happy. This required reinstalling the control software and moving them from the old control software instance to the new one. Once that was done, I could see the error message from the access point complaining about a bad DHCP server.

After fighting this for far too long, I finally figured out that the pseudo Cisco like router was not forwarding DHCP packets within the same VLAN. I could not make it work. So I disabled the DHCP server on the new router/firewall and moved it back to the Cisco like router. Finally, Wi-Fi for the phones and everything seems to be working.

At which point I can’t log into the Vine of Liberty.

I can see the pages, I can’t log into the admin side. It is timing out.

3 hours later, I figured out that there was a bad DNS setting on the servers. The software reaches out to an external site for multiple reasons. The DNS lookup was taking so long that the connection was dropping.

I think this is an issue that I have just resolved.

But there’s more.

Even after I got the DNS cleaned up, many servers couldn’t touch base with the external monitoring servers. Why?

Routing all looked good, until things hit the firewall. Then it stopped.

Checking the rules, everything looks good. Checking from my box, everything works. It is only these servers.

Was it routing? Nope, that was working fine.

That was one thing that just worked. When I turned down the old router, the new router distributed routing information correctly and took over instantly.

So the issue is that pfSense “just works.” That is, there are default configurations that do the right thing out of the box.

One of those things is outbound firewall rules.

Anything on the LAN network is properly filtered and works.

But what is the definition of the LAN network? It is the subnet directly connected to the LAN interface(s).

Because I knew that I would need to be able to access the routers if routing goes wrong, my computer has a direct connection to the LAN Network attached to the routers. The Wi-Fi access points live in on the same subnet. So everything for my machine and the wireless devices “just worked”

The rest of the servers are on isolating subnets. That are part of the building LAN but they are not part of the “LAN Network”.

I know this, I defined an alias that contains all the building networks.

Once I added that to the firewall rules, it just worked.

Tomorrow’s tasks include more DHCP fights and moving away from Traefik. Which means making better use of the Ingress network.

We’ve used the term “grey man” a few times over the last couple of years. There’s been a bit of debate over what it is, how useful it is, and when to use it. I wanted to address a bit of that.

For me at least, the “grey man” is the person who just blends in.  You don’t notice him. It isn’t that he dresses in grey, it’s that he’s dressed just like everyone else. He walks like everyone else. He talks like everyone else.

This means that sometimes, the grey man has a gun on his hip (when it’s common and everyone else does), and sometimes it’s concealed. It means sometimes the grey man wears a camo jacket (my neighborhood, for instance, is rife with people who do this), and sometimes a golf shirt and boat shoes. Sometimes he has a “two on the top and one on the sides” and other times he has hair to his waist. It depends entirely on where you are at any given moment.

The best grey man is the one who can switch his look to match his surroundings. We see this in movies, as people like Tom Cruise drop wigs and fake mustaches into trash cans, and turn jackets inside out. In reality, it’s a lot less dramatic. It means taking off your patches when going into big cities, for instance. Wear a plain jacket instead of a camo one. Slip your side carry into your waistband carrier and out of site, rather than having it under am arm or in plain view on your hip.

The big thing that I see right now is the desire to be grey man combating with the desire to just be ourselves and fuck the Left. I think there’s something in the middle, and that it’s important to find that central position. It allows you to swing both ways, to coin a phrase. I like the jacket that Chris has, which has velcro spots for patches. They come on and off easily, and you can simply add the correct camouflage to your outfit, be that a 2A patch, an American flag, or a rainbow.

Only you know what your area is like. I can’t judge that. No one but you and your family can, honestly. I know that in my neighborhood, it’s perfectly okay to be a firearms owner, to enjoy shooting and hunting, and to engage in a variety of household preps like gardening and such. No one gives us a second glance. In Chicago, I would not do a quarter of what I do here in New Hampshire. You have to look around you, and judge how to blend in based on who you are and what you do, and where you live.

My father taught me this recipe just before I moved out of the house, and he learned it from his mother, my Nagymama (Hungarian for grandmother). It’s one of those stick to your ribs recipes, and can be made with a variety of ingredients. This is the base recipe, and I’ve included some additions at the end, for inspiration. This is the perfect thing to make when you know you’re going to be shoveling snow for hours, or you have to do other outdoor work in cold or damp and chilly environs.

Ingredients:

• 16 oz kielbasa sausage, coined
• 6 to 8 potatoes, cubed
• 4 cups broth
• 3 to 6 tbsp sweet paprika (Szeged brand, please)
• 2 tbsp vegetable oil
• 1/4 package of bacon, diced
• 1 large onion, diced
• 3 to 6 cloves of garlic, minced

In a large soup pot, add the oil and heat on medium. Add onions, and cook until softened. Stir in half of the paprika. Add bacon and sausage, and cook until they are thoroughly browned and bacon is beginning to crisp. If necessary, pour off some oil (though it will lend a lot of flavor if you leave it in).

Add the potatoes to the pot (do NOT stir). Pour in the broth until it is just barely above the top layer. Add more paprika, to make everything quite red. Bring everything to a boil, and then lower the heat to lowest setting and simmer for about an hour. Please note, this may stick a bit to the bottom of your pot. Don’t stress. As long as it doesn’t burn or char, it’s perfect that way.

After an hour, check on your stew. The potatoes should be soft and beginning to fall apart. Stir well, and add some salt and pepper to taste. The end result should be a stew thickened by the potatoes, and filled with tasty sausage.

Notes:

You can make this with any sausage, or technically any protein. Kielbasa was my Nagymama’s way of making this meal, but it can also be made with Andouille, Polish sausage, and even breakfast sausage or hot dogs if you’re in a pinch. When stirring, use a wooden spoon or spatula. Bits of potato will stick to the bottom a bit, but they can be scraped up gently and will make the stew taste even better! Also, if you like a bit of spice, you can also use some or all HOT paprika, as opposed to sweet. Beware… good quality Hungarian paprika is very flavorful, and the hot stuff is quite hot. I recommend “Szeged” brand, which is available in Market Basket, Shaw’s, and most other big box grocery stores.

I’ve made this with pretty much every kind of cheap meat out there. You can use any protein at all, but if you’re using a raw meat, cook it first. I prefer to use sausages and pre-cooked meat because it makes this trivial to pull together quickly. You can also make this in the crock pot by cooking up the onions and meat, then tossing everything into the crock pot and cooking on low for 8 hours, or high for 4. This freezes well, too, so if you have leftovers you can make up single serving packages and toss them in the freezer.

I serve this up with dill pickles and bread, because it’s what Nagymama always did. It goes well with just about everything, though.

I have hundreds of dollars worth of GPS equipment. Not counting the cell phones we all carry with us.

I wanted to try to create a Stratum 0 NTP clock.

The last time I attempted this, I used a Garmin handheld GPS. Time to sync was in minutes and while the power draw as trivial, by the standards of the day, it would still burn through AA batteries.

Because you, kind readers, told me that there were cheap options, I went looking.

What I found was a GPS module that is about an inch square. For $15 I could have one delivered. It comes with a header containing VCC, GND, TXD, RXD, and PPS. I figured I could solder in the provided header then run them to a GPIO that has an attached UART.

Well, the darn things showed up a day early, and I didn’t really want to do any soldering. I plugged it in via the USB port, put it in the window. A few minutes later, it had a hard lock.

After installing gpsd and configuring, chrony I now have a system that is locked at less than 1ms accuracy, NOT using the PPS option.

That will be next week’s project. Getting that PPS signal to the motherboard.

If I had a Raspberry Pi with a good interface, not wifi, I can see that this would make a darn nice little timekeeper.

My wife read my article on passwords and “got it”. Which is nice. I was attempting to explain how password crackers use rule sets to modify input dictionaries to create more guesses from a single word list.

I decided to see how much things have advanced. To say I was shocked would be an understatement.

In 2013, the game “Battlefield” was hacked and the entire password database was captured.

This is not the major security threat you might instantly leap to, but it is bad.

Stealing Passwords

I worked in the Systems Group at my University. We were tasked with all software maintenance, installations, upgrades, and in house improvements to the operating system.

The systems group had taken the original manufacturer’s operating system and extended it to the point where it was no longer the same operating system. Having done this, we gave back all the code we had written to the manufacturer, who incorporated what they liked into their next release.

We had developed a long term backup plan. This plan was three tiered. We took daily backups of the entire file system. This was a rolling tape backup. There were 30 days of daily backups performed before the first tape was overwritten.

We also performed weekly backups. There were 52 weeks of weekly backups. So a total of 82 backup sets.

In addition to this, we did end of term backups. These were done just after the term ended. These tapes were kept.

What this meant was that if your file were to live for at least 24 hours, you would be able to recover to any particular day in the past 5 weeks of your file.

If your file were to exist over a weekend, you could recover that file to how it was on the weekend it was dumped for the past year. And if your file were to exist over the term break, it would exist for the lifetime of the storage. 9 track tapes now being dead, I’m not sure what the University did to preserve those old tapes.

In addition to these backups, we took a separate backup of the “password” file once a day. There were 30+ days of password file backups.

That is the setup. The actual story:

We used to give tours of the machine room. The operators enjoyed bragging about the quality of our backup system.

One of these tours, a little monster took one of the password backup tapes and put it in his backpack. He walked out of the machine room with that tape. Nobody noticed the missing tape for the next 30 days.

Said monster took that tape over to the engineering department, where they had their own 9 track tape drives. He read in the file.

He was presented with 10s of thousands of clear text passwords.

This had financial implications because we sold computer time.

We changed our policy to always encrypt the password file before it was written to tape. I have no idea if that encryption standard was any better than Sunday comic page ciphers.

No more Plain Text Passwords

The number of times somebody in a movie has gotten the idiot to give them somebody else’s password is astronomical. The truth is that most passwords are stored in an “encrypted” format. We don’t have access to your password.

We can reset your password, but we can’t tell you what it is because that isn’t recorded.

At the university, they were still storing passwords in plain text. They only encrypted the password when it was written to tape.

Modern systems store that password in an encrypted format. The old method was what is called “descrypt”.

The first two characters of the encrypted password is the “salt” and the rest is the DES hash of the password. This is NOT the same as encrypting your password with a secret and then being able to decrypt it with that same secret. Instead, we use your password to encrypt a given, known, piece of text. The encrypted result is what is stored.

When you provide your password, we encrypt the same text string with your password. If the resulting text matches what we have stored, you have proven you know the password.

Here are a couple of hashed passwords: SD2PFyBHY1oUY, q5M9nJsU/JSwI, sTd5NrAIMrisU, 8MbLuguRAeo92, $1$OcbNKu2y$l9faj.aCWodfonXiSlgnV0, $1$hh765lOJ$lrZ4jkCtUkG3qPBuFJQ/2., $5$2W0fdlfY.a/iXErF$xbzHcX8CfPc89vJkxsiC/BjDmqxI20Yk.Vj9OLL/6e2, and $5$HxfQ9B30d8GdmyPo$J6FWaeGKSez2cLbw3cktvaYgPvsTFaXdMzYp4yDcQjD.

These are all hashes of the same password, “hello world!”

Slow Them Down

Storing passwords in plain text is stupid. But computers are faster than you think. Thus, we want to slow down the speed at which computers can make guesses.

We do this by using a salt.

Consider the situation where you had 74,577,451,608 guesses you wanted to try. If you were to create the hash for each of those guesses, it might take you a bit of time. In the end, you would have them all. Now it is only seconds to look up the hash in a database/file and get the plaintext password used to generate that hash.

To fight this, we use the salt. The salt modifies the hashing process such that for any given password, there are many possible hashes to represent that password.

As shown above, even when using the same “hashing algorithm” we got many results.

This is to slow the guessing of passwords down.

And the results

In 2013, the game “battlefield” was cracked. They escaped with around a 1/4 million password hashes. These are not clear text, you can’t just type them into an account and get in, they are still “protected”.

I used a starting source of 184,000 known passwords. To this, I added an American and a British word list. I didn’t bother to get name lists for a total of 282,000 unique test words.

In the simplest case, with no salt applied, that is 184,000 * 282,000 different combinations to test.

In 2 minutes and 50 seconds, on my medium GPU and medium CPU, we tested 74,577,451,608 different passwords against 282,546 password hashes.

We were able to guess 7.30% of the passwords, or, 30943 passwords.

That is more than enough to make money.

And you can see how bad they can be.

Security is a concept that Chris talks about a lot in his computer babble. I want to talk about a different kind of security, though. Prepping security is a multi-layered woven mess of gods-only-know-what. Still, it’s vitally important to untangle the knots and figure out what you’ll do should shit go south.

The first aspect of security is always the most simple and visible. How do you protect you, your family, and your stuff? We’re all 2A folk here, and so firearms and other munitions are a part of what we do to keep ourselves safe. Firearm security requires a lot of practice and information, ranging from knowing how to use your firearm in a safe and rapid manner to how to store it both safely and securely. Along with firearms, you have other lethal and non-lethal methods of physical protection. These include knives, IEDs, tasers, bear spray, bows and arrows, slingshots, atl atls, and other fun “touch them from a safe distance” tools.

For grounds security, I always recommend the usage of high decibel horns. A friend of ours was having problems with teens defacing her garage with swastikas, and it was very disturbing to her because she’s Jewish. I suggested an air horn as a non-lethal response, something she very happily used. The first (and last) time the miscreants came back, when they opened her gate they got blasted with a huge air horn that alerted the entire neighborhood, and apparently left behind a fecal sample for the cops to work with. This is a “works once” sort of thing, of course, because once Bad Guys know its there, they can find a way around it. Still, if you have hidden trip wires, change them on the regular, and switch things up, it works, and works well.

Glitter bombs and shit bombs also work wonders, while the popo is still at work. Again, this is a non-lethal response so you’re unlikely to get into trouble. It does mark the offender well, though, and makes it very easy for the popo to find them. It’s also disturbing when it happens, so anyone who’s stupid enough to trip it is going to be freaked out. And I’m here to tell you, as the parent of children, glitter is forever, like herpes. That person will never be able to show their face in your neighborhood again, because no matter how much they bathe, you’re going to notice your signature color sparkling in their hairline or up their nose.

Read More

What we are talking about is “authentication.” Authentication is the method of confirming that you are who you say you are.

There are three methods to determine authentication:

1. Something only you know
2. Something only you have
3. Something unique about you

In the old days, when people carried checkbooks with them and wrote checks for things, you would be asked to prove your identity before you could use a check. Proving your identity was a process where a person would first authenticate your identification card, and then they would verify that the identification card matched you.

A state issued identification card will have different aspects about it that should make identifying fakes easier for the trained person. In the those olden days, they would often have your Driver’s License number be a SoundEx of your last name. SoundEx was a simple encoding method that could be generated from a name.

If the SoundEx didn’t match the DL number, it was a fake.

For the most part, people trusted DLs. They were relatively difficult to fake, and it was often easy to spot fakes.

This is an example of something you have, your DL, and something unique about you. Your picture and description.

Computer Authentication

Computers authenticate you with the use of two pieces of information, the first is your “name”. The second is your password.

Your name can be an email address or a username. While the pair, username and password, are required, only the password is a secret. Or should be a secret.

In a perfect world, this would be good enough. In this imperfect world, see Password Security/Password Managers

We will assume that your password is strong and will not be cracked in this century.

What we want to protect against is people stealing your username and password. Be that by phishing or by tricking you, or by lifting your keyboard to read your password on a PostIt note.

We need to improve our overall security posture by adding something besides “something only you know” to the equation.

Biometrics

This is just a fancy word for something unique about you. What you look like. What you sound like. What the patterns of ridges on your fingers look like. What the blood vessels in your eye look like. These are things that are unique about you.

The super fancy eye scanner in NCIS is a myth. While it might actually work in practice, it will be expensive and is only part of the equation.

Fingerprint scanners are a joke. Facial recognition has more downsides than positives. And don’t have a sore throat if you are using vocal recognition.

Most low-cost fingerprint scanners don’t do a good job. They scan something they think is a fingerprint on a finger. That scan is processed and turned into a series of identified markers. That is turned into some sort of “value”. That value is what is actually compared and authenticates.

To reduce false negatives, these scanners often do a poor job of discriminating. They are also fairly weak at detecting live vs. Memorex.

Finally, if you have a fingerprint scanner or some other sort of biometric authenticator, bad actors can forcibly use your body to unlock your stuff.

It is far too common of an occurrence to have customs or law enforcement hold your finger to your phone’s scanner to unlock your phone. Don’t use biometrics to secure your devices. Oh, currently the courts find this to be legal and not a violation of your civil rights.

This takes use too:

Security Devices

A security device is a device that only you have that can communicate with other devices to help authenticate you.

Notice it is a helper, it is not the be all, end all.

The most common security device in use today is a mobile or cell phone.

The assumption is that you are the person holding your phone and that your phone can only be unlocked by you. This means that they can send you a text message, and you will have to unlock your phone to get the code they sent.

Except… Often the code is visible even when the phone is locked. The phone might be unlocked for other reasons. Or somebody cloned your phone and is getting the same SMS messages that you are.

In addition to that, some people have their devices configured to read messages to them. Or worse, they have configured their phones to read messages on command.

My favorite example of this was when I was working on a female friend’s car. She had a new boy and they were texting hot and heavy. Every time she received a new message, her phone would announce “To hear the message say “read message”.

At one point her phone announced, and I spoke up, “read message”.

She ran when her phone started to read the message out loud. It was just as spicy as I expected.

While the phone is very convent, it isn’t very secure.

Still, phones can be used as an authenticator.

This is a magic pseudo random number generator. The authenticator reads a seed from the remote device and attaches it to a particular site or device.

The two can generate the same pseudo random number at any point in time, based on the shared seed.

The site requests you provide the code from the authenticator. You unlock your phone, run the authenticator, find the correct device, copy the code from your phone to your computer to log in.

It is a fairly cheap and easy method and requires very little extra.

A number of my clients use this type of authenticator, and WordPress/WordFence does as well. It is an acceptable option if your phone is kept locked.

Better still, turn on extra security. The authenticator I use allows me to set a PIN for the application. Without the PIN, something only I know, the authenticator will not run.

Security Tokens

These supply a different form of security. They are designed to prove to a remote system, or local, that you have something that is unique.

A key.

One type of security token generates is a physical rendition of the phone authenticator. The one that I used required me to enter a PIN. It did not matter what PIN you entered, it generated numbers. If you entered the numbers from a correct PIN, you were logged in. If you entered the numbers from an incorrect PIN, the system would alert administrators or security, depending on how it was configured.

In other words, the system administrators and security personal could set them up to provide “panic” or “distress” codes.

Mine didn’t have that feature. If I put the wrong code in I couldn’t log in. Guess I wasn’t that important in the grand scheme of things.

Which takes me to my favorite authentication key, the YubiKey.

This is a small device, about the size of a thumb drive, but much thinner.

They have USB-A or USB-C connectors and some have NFC capabilities. They are small enough and light enough that I carry one of them attached to my key ring, along with a magic USB drive that contains a working version of Linux.

When properly configured, when a website needs a 2FA action, it will request that you insert the device. A small LED flashes, you touch the LED and the flashing stops. Some magic happens, and the website confirms that you have the right device.

If you have the NFC version, you can just tap the key to the back of your phone to accomplish the same thing as plugging it into a device.

In general, you should have two of them. Just in case you lose one.

Conclusion

Two-Factor Authentication adds a significant improvement to your security stance. They can almost completely stop phishing attacks.

Even if you are tricked into providing your credentials to a phishing website, when they attempt to use those credentials, they do not have the second factor to complete the authentication process.

Using your phone as your security device isn’t as strong as an authenticator. Using an authenticator application on your phone, is.

Combine these with a good password manager and you have a strong, secure system.

Until you find that the bad guys just ignore all that authentication stuff and took your computers.

Password Security

There are four ways of cracking a password.

1. Guess the password
2. Brute Force the password
3. Go around the password authentication
4. Trick the password from the owner

If your password is easy to guess, then it is a weak password. Examples of weak passwords are: password, 1234, YOUR_NAME, BIRTHDAYS. Many things use a four digit PIN. When guessing them, the best place to start is the set of numbers between 1950 and 2005, followed by 1930-1949, and 2006-2024. Years of importance to you.

Brute force is when you try all possible passwords. Back in the days of the TRS-80, there was a password on some part of the operating system. I wrote a simple brute force cracker for it.

Once it was running, my host and I got ready to go to dinner. Before we got out the door, the program stopped.

I assumed the program failed. Turned out that the password was so weak, three or four characters long, that it only took a few minutes to try all the passwords to that point.

Going around a password is sometimes easier than it should be. People don’t bother to log out. When I was visiting my father, I sat down at his computer. It was unlocked. I was able to “be” him if I had wished. I didn’t have to bother with a password.

There is an entire industry devoted to tricking people into handing over their passwords. It is so bad that it has its name, “phishing”.

And anybody can get caught in the net. I was caught just once. My wife’s school was phished, hard. The entire school got an email that looked legitimate from an administrator for the district. Her account then automatically sent it to me because I was in her address book.

I opened because it was from my wife. It had a good subject line. It looked legit.

It didn’t do anything to me because I run Linux, but it caused a great deal of damage to the school district.

Besides phishing, there is looking for the passwords that people have written down.

Again, using my father, the password for my mother’s computer was written on a PostIt note stuck to the inside of her laptop.

There is no need to guess, force or phish when the password is just given to you.

The Balancing Act

It is rather oxymoronic that the harder it is to remember a password, the harder it is to crack the password. If your password is “happyfaces” it might be easy to remember, but it is also easy to guess.

On the other hand, “wynt>Otchib5” is difficult to remember and difficult to guess. The password generator I used gave that to me as “wynt-GREATER_THAN-Otch-ib-FIVE” as how I might pronounce it and remember it. Still, it isn’t going to work

When passwords get too difficult to remember, people need to write them down. You would be amazed at the number of personal, and business, computers which have a file named “passwords”. People write them down.

The other thing that happens is that people remember one “good” password, then use it over and over again. If they ever lose that password, they lose access to everything, or the bad hat gets access to everything.

Many people think they will be tricky and use character substitution. Instead of “password” they write, “p@55w0rd”, and think they are clever. They aren’t.

There is a scene in Schindler’s List where they have just cleared the ghetto. Now they are searching for hidden Jews. The German’s come in, and they know where to look. They are experts at finding people. They’ve done this before. They know all the hiding places.

If you think you have found something clever that will make your password “unguessable”, you are mistaken.

Long Passwords Are Better(?)

Let’s assume that you are going to use a password that can’t be guessed easily. This leaves the brute force method.

This is a matter of mathematics. The larger the symbol set, the better. Longer passwords are better.

Consider a four digit pin, there are 10,000 possible PINs. As a password, that sucks.

But if we increase the symbol set to digits and letters, we get a slightly better result: 36^4 = 1,679,616. Still not strong.

But let’s say you go all out and have a symbol set of all ASCII printable tokens. There are 128 ASCII tokens, of which 94 are printable. This gives us 81,450,625 different passwords. Which still sucks, but it is getting better.

Now, let’s just make the password longer, call it 8 characters, at that point our results would be: 6,634,204,312,890,625. This is a strong password. Unfortunately, it is likely to be nearly impossible to remember.

My default is 12 characters.

Creating Strong Passwords You Can Remember

When we go back to that original statement, “The larger the symbol set, the better.” What if I told you that there is a symbol set of approximately 100,000 symbols, that you already know?

That symbol set is the set of all common English words.

What we would like to see is a number near 6 Quadrillion. With a symbol set of 100,000 words, 3 words give you 1 Quadrillion and four words give you 118,495,929,354,657,605,136.

This doesn’t consider word separators or case. Here is one such random password, “farm particularly wild refer”. If you modify the spaces to be different characters, or capitalize some letters, even if it only the first letter, you get even better results.

So what’s the problem? The issue is that it doesn’t look like a strong password. Many password checkers will see that long password and reject it because it doesn’t have special characters.

For me, a programmer, I can put together a simple program, take the string above, feed it into sha256sum to get 256 bits of pseudo noise. Extracting the printable characters, I get “dLuxo8x’H54MBd”

Now I have a good password I can remember, which can be used to generate a password which the rest of the world will accept as strong.

Password Managers

Password managers are supposed to fix much of this. They exist to store your passwords in a “secure” form, which you can then extract when needed. In addition, they will generate strong passwords for you to use.

I, personally, use four password managers and have used a fifth.

The first, most people are aware of, is the password manager built into your browser. I use Firefox and Chrome, so those are two password managers. My Linux system has another password manager built in. Finally, I use “Keeper” and have used “Last Pass”.

I love Keeper, I pay for the version I use, but there might be a free version. For me, it is worth it. One of the reasons it is worth it to me, is that with the paid version I can share access to password folders or individual passwords.

I never liked “LastPass” but I can’t say why. I do know they were cracked within the last few years. Because of their security model, when they were cracked, the bad guys extracted all the passwords.

Keeper stores all passwords encrypted. Only you have the decryption key. Thus, if they were to lose everything, they would not expose your passwords.

The browser managers are there because I was using them before Keeper. I’m slowly phasing them out.

I’m also looking into a self-hosted version of a password manager. I have not decided on which one, if any, I will try.

Chicken and Egg

The problem with all password managers is that there is a single point of failure. That is the password to access your password manager.

Which takes us back to “Long passwords work better”. Generate a random four – word password, I used xkcd Password Generator but you can just open a physical dictionary and randomly select four words.

Memorize those four words. Then you can use that as your master password.

Make the move to a good password manager. Use one that distrusts the government.

Two Factor Authentication

I need to look at my articles to see if one already exists, if it doesn’t, I’ll write something up.

I love my bagels. I love everything about them. You could use homemade bagels for this, but if you want to buy them, that makes it SO EASY. This is very much a throw-together meal that could be made the evening before then just heated up in the morning if you’re feeding a crowd. And if you can’t find everything bagels, use plain, and pick up a bottle of “everything bagel” seasoning and just sprinkle it throughout!

Ingredients:

• 4 everything bagels, chopped
• 1-1/2 cups shredded cheese
• 1-1/2 cups halved cherry tomatoes
• 8 oz block cream cheese, cut into 1/2″ cubes
• 1/2 red onion, thinly sliced
• 10 large eggs
• 2-1/2 cups milk
• 2 green onions, sliced, plus more for garnish
• salt to taste
• freshly ground black pepper
• a pinch of cayenne
• 1 tsp poppy seeds
• 1 tsp dried minced onion
• 1 tsp sesame seeds
• 1 tsp dried garlic
• 1 tsp coarse salt

Preheat your oven to 350°F and grease (or no-stick spray) a 9×13″ baking pan. Distribute half of the bagel pieces int he pan, and top them with half of the cheese, tomatoes, cream cheese, and red onion. Repeat to make another layer.

In a bowl, whisk together your eggs, milk, and green onions. Season with the salt, pepper, and cayenne. Pour the egg mixture over the bagels, making sure to coat each bagel piece. Sprinkle the top of the casserole with the poppy seeds, minced onion, sesame seeds, garlic, and coarse salt. Cover the pan with aluminum foil and bake for 45 minutes.

Remove the foil, and continue to bake until the bagels are golden and the eggs are cooked through. This may take up to 25 minutes more. Allow it to cool for 15 to 30 minutes.

Garnish with green onions before serving.

Notes:

You can add spinach to this if you like! Sprinkle it through with the tomatoes and onions. Any kind of cheese will work. You should cater to your intended audience. This can be made dairy free by using a dairy free milk substitute like oat milk or Silk, and by using a non-dairy vegan cheese. It can’t really be made vegan, however, because the egg is the binder for the casserole.

If you want to make this ahead, bake it for the first 45 minutes, then set it somewhere to cool, and refrigerate overnight. In the morning, bake it for the final 15 to 25 minutes, so it’s warm throughout and everything looks delicious.

Some people prefer more eggs and some prefer less. The casserole should have enough egg incorporated to allow the bagel bits to “stick together.” If you like more egg and want it to be more solid, feel free to add as many eggs as you think you need to get it there. Be aware that it may change the baking time. Be prepared to add an extra 15 or so minutes to make sure the egg is cooked through before taking the foil off.