Coleman McCormick

Archive of posts with tag 'Security'

1Password X

September 6, 2019

For a long time I’ve used the full 1Password desktop app and its browser plugin that installs alongside for support inside of Chrome. But recently I set up the 1Password X browser extension they first released a couple of years ago, and I’m converted. Since access to accounts is most useful in a web browser context, implementing it as an extension makes sense. I don’t know much about the tech backend or advantages of building a Chrome extension versus a “thick-client” browser plugin, but it seems like it’s certainly a benefit to conform to the browser’s best practice for building add-ons; and extensions are the way to go in Chrome. One of their big motivations here was deepening the cross-platform support since you can install Chrome (and Firefox) on so many OS platforms, including Linux.

The full features of the 1Password desktop app are available from within the extension — access to multiple vaults and all your accounts, editing and organizing your accounts, and creating new ones. In addition to the same handy integration for filling 2FA codes and their helpful password generator for new sites, X adds a built-in form filling utility, similar to the “autofill” capability that browsers have had for a long time, but with access to your 1Password account if you’ve got it unlocked. The feature even supports an inline generator and account creation wizard for when you’re signing up for new services, which in my experience is one of the biggest barriers to getting new users to understand and use 1Password: they don’t add new accounts they sign up for into their vault. Helping users make sure things are always added (and updated!) in their vault is one of the key steps to reaching the “wow” moment as a user. Once you’ve got a few dozen (or in my case hundreds) of entries set up and well-organized in your vault, it’s magical to never have to worry about losing access to accounts.

The one thing that’ll take getting used to is that you can’t unlock the vault with the Touch ID sensor on my MacBook Pro anymore using the X extension. It’s been surprising to me how much I must’ve relied on this, as well as the Cmd-\ shortcut to autofill. You never realize how baked-in a behavior is until you upset the routine! This should just be a muscle memory thing to get used to.

One of the things I admire about 1Password is that it’s clear their product team are all constant users of their own product. Every time I think of something that’d be slick, it seems they’ve already thought of it, or if not they eventually build it. And not only that, they’ll even go the extra mile and tie in keyboard shortcuts and all the other accoutrements that demonstrate that they themselves are power users of their product.

My appreciation for their effort doesn’t stop at the technology or product. From a business standpoint, I admire what they’ve been able to do with their pivot from desktop app to SaaS with their Business and Family plan offerings. Many app developers have made moves over the last few years toward subscription pricing, sometimes with mixed results. I’ve always been a fan of SaaS models for services I rely on — without continuous funding, how will they make their excellent product even better? It’s not just about changing the billing model from perpetual to recurring either; they’ve actually converted to a hosted service that offers something distinctly different than what a desktop app can do.

✦

Weekend Reading: Rhythmic Breathing, Drowned Lands, and Fulcrum SSO

July 20, 2019

🏃🏻‍♂️ Everything You Need to Know About Rhythmic Breathing

I tried this out the other night on a run. The technique makes some intuitive sense that it’d reduce impact (or level it out side to side anyway). Surely to notice any result you’d have to do it over distance consistently. But I’ve had some right knee soreness that I don’t totally know the origin of, so thought I’d start trying this out. I found it takes a lot of concentration to keep it up consistently. I’ll keep testing it out.

🏞 Terrestrial Warfare, Drowned Lands

A neat historical, geographical story from BLDGBLOG:

Briefly, anyone interested in liminal landscapes should find Snell’s description of the Drowned Lands, prior to their drainage, fascinating. The Wallkill itself had no real path or bed, Snell explains, the meadows it flowed through were naturally dammed at one end by glacial boulders from the Ice Age, the whole place was clogged with “rank vegetation,” malarial pestilence, and tens of thousands of eels, and, what’s more, during flood season “the entire valley from Denton to Hamburg became a lake from eight to twenty feet deep.”

Turns out there was local disagreement on flood control:

A half-century of “war” broke out among local supporters of the dams and their foes: “The dam-builders were called the ‘beavers’; the dam destroyers were known as ‘muskrats.’ The muskrat and beaver war was carried on for years,” with skirmishes always breaking out over new attempts to dam the floods.

Here’s one example, like a scene written by Victor Hugo transplanted to New York State: “A hundred farmers, on the 20th of August, 1869, marched upon the dam to destroy it. A large force of armed men guarded the dam. The farmers routed them and began the work of destruction. The ‘beavers’ then had recourse to the law; warrants were issued for the arrest of the farmers. A number of their leaders were arrested, but not before the offending dam had been demolished. The owner of the dam began to rebuild it; the farmers applied for an injunction. Judge Barnard granted it, and cited the owner of the dam to appear and show cause why the injunction should not be made perpetual. Pending a final hearing, high water came and carried away all vestige of the dam.”

🔐 Fulcrum SAML SSO with Azure and Okta

This is something we launched a few months back. There’s nothing terribly exciting about building SSO features in a SaaS product — it’s table stakes to move up in the world with customers. But for me personally it’s a signal of success. Back in 2011, imagining that we’d ever have customers large enough to need SAML seemed so far in the future. Now we’re there and rolling it out for enterprise customers.

✦

Weekend Reading: RoboSat, the State of Security, and the Equal Earth Map

January 12, 2019

🛰 Buildings from Imagery with RoboSat

This excellent guide shows how to take imagery from OpenAerialMap and building footprints from OpenStreetMap and combine them to train a model for automated feature extraction. It uses an open source tool from Mapbox called RoboSat to pair a GeoTIFF from OAM with a PBF extract from OSM. Very cool to have a generalized tool for doing this with open data.

🔐 The State of Software Security in 2019

An excellent roundup (with tons of ancillary linked sources) on the state of various parts of computer security, from programming, to browsers, to social engineering.

🌍 The Equal Earth Map

From Tom Patterson, the Equal Earth map uses the equal earth projection to show countries with their true relative sizes. No more ginormous Russia or Africa-sized Greenland.

✦

The Personal Security Footprint Review

December 12, 2018

Once a year around this time I like to do some “winter cleaning” of my personal security footprint, mostly covering passwords and internet service accounts I have that may be out-of-date, unmaintained, or unneeded.

1Password is a dream for things like this. If you don’t maintain an account, it’s well worth setting one up for the family with their 1Password for Families product tier. Worth every penny1.

Good hygiene with passwords has been a perennial problem in internet-land, and the security risk only goes up with seemingly-daily announcements of the next hack or data breach. While those risks are part of our current reality, it’s possible to lower your risk profile with some simple maintenance tasks with 1Password. Here are some general best practices and my personal annual review process.

Raise the complexity

There’s no excuse not to be using highly complex passwords these days. When creating new 1P entries, you can autogenerate complex passwords. Sometimes you’ll need to tweak the generation parameters to create passwords that are acceptable for certain sites2, but it’s worth making sure you’re maximizing the complexity where you can. When I review my accounts, I look for any entries that have less than 1P’s “Fantastic” rating, and sign into those and update them.

Complex Passwords

Watchtower

1Password has a feature called Watchtower that helps you conduct targeted review to keep yourself secure. Things like compromised or vulnerable logins, reused or weak passwords, or where 2FA isn’t enabled. It’s nice because it checks against a couple of known databases to help keep you on guard. This is the go-to spot to look for areas of attention in the review. It’s worth setting yourself a reminder (quarterly or so) to check here for any changes. If services you rarely use have security incidents, you probably won’t know, so this helps.

1Password Watchtower

Two-factor authentication

I wrote previously about 1Password’s native two-factor authentication. Wherever possible and recommended I go through my account entries and enable 2FA setups with the one-time passwords configured. Another tip for this is to use a password field type to store the “recovery codes” that most services will generate for two-factor, which allow you to recover your password if something gets hosed. Web services commonly generate these codes in a text file for safe storage, which you can do in 1Password if you want, but I’ve never been a huge fan of the way file storage and linking works in the app. I prefer to copy the codes directly into the 1P database entry anyway.

Purge unused services

Shutting down accounts for services you don’t use is another good practice to reduce your exposure to breaches. If you aren’t using or no longer need a service, might as well not have it hanging out there. Since you can sort entries by “date used”, it’s straightforward to comb through ones you haven’t used all year and assess. When I go through my annual review, I always find a couple not worth keeping, so I sign in and spin them down if possible. If they don’t have a public-facing way to delete my account, I usually reset the password to something huge and delete whatever unrequired personal info might be on file (like credit cards and the like).

Other scattered tips

A few other pointers that factor into my annual review:

  • Change any duplicates — I don’t intentionally create dupes, but it happens occasionally, especially when creating accounts from my phone when I just want to type a password in signup
  • Check for https — This isn’t a huge problem these days, but a nice recent addition to 1Password will alert you to entries with insecure URLs
  • Assess shared accounts — Using the 1Password for Families account, we have a single shared vault for accounts we both need: bank accounts, credit cards, kid-related stuff, Netflix, Amazon
  • Organize — I go through and change entry names, make things consistent, and just generally scan through for any junk to keep it all clean
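As an added example (not from the post), the same review items can be run over an exported copy of the vault. The CSV layout below is a constructed sample, not 1Password’s actual export format, and the flags mirror the checks above: reused passwords, short ones, insecure http URLs, and entries not used since a cutoff date.

```shell
#!/bin/sh
# Added example: audit a constructed, 1Password-style CSV export for the
# annual review. Column layout (title,url,password,last_used) is assumed.
set -eu

# Constructed sample export written to the path given as $1.
make_sample_vault() {
  cat > "$1" <<'EOF'
title,url,password,last_used
Bank,https://bank.example,Xy9!vQ2#mLp8wRt4sZb1,2018-11-30
Old Forum,http://forum.example,hunter2,2017-03-02
Shop,https://shop.example,Xy9!vQ2#mLp8wRt4sZb1,2018-12-01
Newsletter,https://news.example,correct-horse-battery,2018-01-15
EOF
}

# Usage: audit_vault <csv> <cutoff YYYY-MM-DD>
# Prints one finding per line: CATEGORY<TAB>title(s)<TAB>detail, sorted.
audit_vault() {
  review_cutoff="$2"   # entries last used before this date are "stale"
  awk -F, -v cutoff="$review_cutoff" '
    NR == 1 { next }                       # skip the header row
    {
      title = $1; url = $2; pw = $3; used = $4
      if (url ~ /^http:\/\//) print "INSECURE_URL\t" title "\t" url
      if (length(pw) < 16)     print "WEAK\t" title "\tlength " length(pw)
      if (used < cutoff)       print "STALE\t" title "\tlast used " used
      # ISO dates compare correctly as plain strings
      seen[pw] = seen[pw] (seen[pw] ? "," : "") title
      count[pw]++
    }
    END {
      for (pw in count)
        if (count[pw] > 1)
          print "DUPLICATE\t" seen[pw] "\tsame password in " count[pw] " entries"
    }' "$1" | sort
}

# Run with --demo to see the findings for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); make_sample_vault "$f"; audit_vault "$f" 2017-12-12; rm -f "$f"
fi
```

The cutoff is passed in (one year before the review date) rather than computed, so the check is reproducible.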

With the review done, it feels good to have a renewed sense of security having checked your digital footprint. A well-organized, clean 1Password setup can also be a huge productivity boost. The more services you work within (and the more secure you want your behaviors to be), the more a clean, healthy passwords vault will help you.

  1. All of the following I do in 1Password; other services like LastPass or KeePass presumably can do similar things, but I haven’t used them.

  2. It’s still mind-boggling that in 2018 so many sites can’t handle any string of characters as a password. I shudder to think what the software or database structures behind the culprit services look like.

✦

High Security, High Usability

October 4, 2018

As computing platforms get more complex and critical to daily life, maintaining secure usage gets more challenging.

I’ve written about this before, but it’s a known mantra in the product and IT space that security and usability are inversely proportional. That is, a gain in one is a loss in the other. This has long been visible in enterprise software that is perceived as annoying or frictional in the pursuit of security (password rotation every n days, can’t reuse, complexity requirements). It’s what gives employees a bad taste in their mouth about enterprise systems, among other things. That reduction in usability begets bad behavior on the part of users — the proverbial Post-It note on the monitor with the last 3 passwords in clear text.

Those of us that make software never want to compromise on usability, but us realists recognize the need for secure data and privacy. There are exciting developments lately that might be closing this gap.

Password managers like 1Password already have done a lot to maintain secure computer usage behavior by simplifying the “secure defaults” — primarily not reusing passwords across services and enabling realistic use of longer, random strings. Two-factor authentication adds a wrinkle in usability that (unlike many other auth wrinkles) affords a powerful layer of security, albeit with a cost. The two-factor support within 1Password makes it shockingly smooth to deal with, though. So much so that I enable two-factor auth on any service that offers it, without hesitation.

What got me thinking about this topic again was a specific new addition to the personal security workflow. I just got an iPhone XS; it’s my first experience with Face ID (which deserves a healthy dose of praise in its own right). But the real breakthrough is the integration of 1Password into the built-in Password Autofill facility in iOS 12.

Here’s a before and after example of signing into GitHub on my phone:

Before: Go to GitHub, see that I’m signed out, switch to 1Password, copy password, return to GitHub, paste credentials, tap sign in, go back to 1Password, copy 2FA code, go back and paste it in, success.

After: Go to GitHub, tap “Passwords” in browser, Face ID, pick account, it autofills, paste 2FA code, success.

This seems like trivial stuff, but given how many seconds/minutes of each day I spend doing this process, it’s a big deal. Before, making this process smoother would require a dent in its security. Now we get to have a friction-free process without the compromise.

✦

Weekly Links: LiDAR, WannaCry, and OSM Imagery

May 18, 2017

🗺 LiDAR Data for DC Available as an AWS Public Dataset

LiDAR point cloud data for Washington, DC, is available for anyone to use on Amazon Simple Storage Service (Amazon S3). This dataset, managed by the District of Columbia’s Office of the Chief Technology Officer (OCTO), with the direction of OCTO’s Geographic Information System (GIS) program, contains tiled point cloud data for the entire District along with associated metadata.

This is a great move by the District to make high value open data available.

🖥 WannaCry and the Power of Business Models

Ben Thompson breaks down the blame game of the latest zero-day attack on Windows systems. This article makes a great case for the business model being to blame rather than Microsoft, their customers, the government, or someone else. A SaaS business model naturally aligns incentives for everyone:

I am, of course, describing Software-as-a-service, and that category’s emergence, along with cloud computing generally (both easier to secure and with massive incentives to be secure), is the single biggest reason to be optimistic that WannaCry is the dying gasp of a bad business model (although it will take a very long time to get out of all the sunk costs and assumptions that fully-depreciated assets are “free”). In the long run, there is little reason for the typical enterprise or government to run any software locally, or store any files on individual devices. Everything should be located in a cloud, both files and apps, accessed through a browser that is continually updated, and paid for with a subscription. This puts the incentives in all the right places: users are paying for security and utility simultaneously, and vendors are motivated to earn it.

🛰 DigitalGlobe Satellite Imagery Launch for OpenStreetMap

DG is opening up access to imagery for tracing in OpenStreetMap, giving the project a powerful new resource for more basemap data. Especially cool for HOTOSM projects:

Over the past few months, we have been working with several of our partners that share the common goal of improving OpenStreetMap. To that end, they have generously funded the launch of a global imagery service powered by DigitalGlobe Maps API. This will open more data and imagery to aid OSM editing. OSM contributors will see a new DigitalGlobe imagery source, in addition to imagery provided by our partners, Bing and Mapbox.

📷 Updating Google Maps with Deep Learning

If you’re in the mapping space, seeing any of this R&D that Google is doing is mind-boggling.

✦

Touch ID and Security

September 17, 2015

I recently wrote a review on the Fulcrum blog for one of my favorite pieces of software, 1Password. It’s a password management app to help you keep better organized with your hundreds of passwords, codes, and secure data that you typically have laying around in emails, documents, and post-it notes on your desk1.

I’m a heavy user of 1Password on my iPhone to look up accounts while I’m mobile. Because 1Password vault security is only as secure as your master password, the natural tendency is to have a long, complex, intricate passphrase to type to unlock the vault. And from the iPhone, you want your vault to re-lock pretty rapidly so the door to your digital safe isn’t left swinging open while your phone’s sitting on the table. The net result is having to constantly type a hard-to-type passphrase on a hard-to-type-on device. No good and no fun.

Touch ID for iOS

My problems were solved a few weeks ago when I finally enabled the Touch ID functionality in 1Password 5 for accessing your vault using your fingerprint, versus typing the 30-character password2. After using it like this for a few days, it seemed less secure to me, since it wasn’t even requiring my impressively-complicated password to get in. I dug into some of the documentation to find out how secure the implementation of Touch ID authorization is in 1Password, and how Touch ID works in iOS.

The app documentation has a great article outlining exactly how Touch ID works within 1Password. For a long time it had a “PIN Code” feature to have a quick access code for unlocking the vault after you had recently unlocked the vault with your master password, and the Touch ID feature works similarly. The data is still encrypted with the master password. It’s designed explicitly as a mechanism for adding convenience to the process, which is a critical component to maintaining good security best practices:

“Just as Apple has designed Touch ID not as a replacement for a device passcode, we do not use Touch ID in 1Password as a replacement for your Master Password. Touch ID is a convenience mechanism that provides a way to quickly unlock 1Password after there has been a full unlock (with your Master Password).”

The intersection of convenience and security is interesting. They’re fundamentally opposite: a totally secure system is extremely inconvenient to access, a convenient one is insecure. The best systems strike a balance somewhere in the center. The problem with highly secure but inconvenient systems is that they entice users to defuse the security of the whole system by taking shortcuts. Think of the corporate IT environment with all the bells and whistles on security—password strength requirements, required resets every month, can’t reuse passwords, minimum lengths—it’s this massive inconvenience that results in the post-it note on the monitor with the keys to the kingdom written on it.

The security of how Touch ID’s technology works is another matter, one of hardware and storage. With the release of the A7 processor in 2013, Apple introduced something called the Secure Enclave3, which allows applications to store bits completely outside the scope of the kernel on a physically isolated area of the chip. This is where biometrics get stored, along with cryptographic data for other applications. Apple’s technical documentation about Touch ID security covers in minute detail exactly how iOS devices store your fingerprint data on the Secure Enclave, and the ultimate reason why Touch ID is actually more secure than not using it:

“Since security is only as secure as its weakest point, you can choose to increase the security of a 4-digit passcode by using a complex alphanumeric passcode. To do this, go to Settings > Touch ID & Passcode and turn Simple Passcode off. This will allow you to create a longer, more complex passcode that is inherently more secure.”

This is a key point that’s relevant at the OS level and within apps like 1Password or banking apps using biometrics. If, because of the convenience factor, biometrics enable people to keep their encryption passphrases more secure at the core, then we’re all better off.

  1. It’s utterly essential to modern computing, so go buy it right now if you don’t have it already.

  2. The Agile Bits team released this functionality a year ago, but for some reason I never bothered to try it.

  3. Apple has an in-depth security document covering Secure Enclave and the entire security architecture of iOS and the hardware. Worth a read if you can stomach the geeky stuff.

✦

Dropbox and Backups

June 13, 2013

I use Dropbox as the nerve center for all of my digital goods, keeping data, configurations, histories, log files, and anything else I need access to centralized and available from my Mac or iOS devices.

Here are a few of my daily tools or information trails I want to keep synced up, so anything here can be a few clicks or a search away:

  • Instant message chat history
  • iTunes library
  • Histories + log files
  • OmniFocus backups

Chat Archiving

I use Messages on the desktop for all chat conversations with my Jabber and Google accounts. I access the transcript history daily to find things I told people in chat conversations, look up links I sent, and other things. So much of my communication happens via instant messaging that I rely on it to keep logs of interactions (albeit securely).

Backing up chat transcripts is simple with symlinks. For me, I want all chat logs to be archived into a Dropbox directory continuously, so I don’t have to remember to back them up. Messages stores its transcript files here:

~/Library/Messages/Archive/

Since I want my chats to all be instantly backed up to Dropbox, I symlink the directory into a ~/Dropbox/backups directory, like this:

ln -s ~/Library/Messages/Archive ~/Dropbox/backups/chats/

Linking those files to a Dropbox directory will automatically sync them to your account in real time, if you have syncing enabled. These files are then backed up for good, in case I need to search later. A downside with Messages is the transcript files are .ichat files, not plain text. So they can’t be searched from the Dropbox iOS app or mobile text readers. The in-app search works okay, but hopefully we’ll see some performance improvement there in the upcoming OS X Mavericks release. This piece from Glenn Fleishman has some other good tips on instant messaging with Messages.

iTunes

My iTunes media is mostly secure at this point, with iTunes Match and iCloud, but I still like to keep a backup of the raw XML library data. This contains a ton of stuff I don’t want to lose, like playlists, ratings, and other metadata. ID3 tags and album art are safe with the MP3 files. A couple of symlinks make it so every time I close iTunes, the latest changes to my library get backed up. The .itl file is the primary iTunes database, and the XML file adds a software compatibility layer for other apps that read from your library (like Garage Band and others):

ln -s ~/Music/iTunes/iTunes\ Library.itl \
  ~/Dropbox/backups/iTunes/iTunes\ Library.itl

ln -s ~/Music/iTunes/iTunes\ Music\ Library.xml \
  ~/Dropbox/backups/iTunes/iTunes\ Music\ Library.xml

History + Logs

On a daily basis, I’m all over the place with my machine — working with data in Postgres or SQLite, writing Ruby scripts, and just generally working on the shell doing tons of different things. I love having my command history for anything that has a CLI archived somewhere, so when I need to pull up some command or see how I had built a package from source, it’s as simple as searching a history file. Many Linux & Mac applications keep a history file inside your home directory, typically hidden, like .bash_history for the bash shell environment. I use zsh, with the awesome oh-my-zsh environment framework, highly recommended. Here are a few I keep around for posterity and convenience, in a “histories” backup1 directory:

  • ~/.zsh_history
  • ~/.irb-history
  • ~/.psql_history

With those backed up, I can always search the logs for when I installed something with Homebrew:

history | grep "brew install mapnik"
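Because history files like these can carry passwords typed on the command line, here is an added example (not from the original post) of a pre-sync check: it scans a history file for credential-looking keywords before copying it into the backup directory, reporting only line numbers and the matched keyword, never the value. The keyword list and the sample history are my own constructions.

```shell
#!/bin/sh
# Added example: refuse to copy a shell/REPL history file into a synced
# backup folder when it contains lines that look like they carry secrets.
set -eu

# Constructed sample history standing in for ~/.zsh_history or ~/.psql_history.
make_sample_history() {
  cat > "$1" <<'EOF'
brew install mapnik
export PGPASSWORD=correct-horse-battery   # constructed sample secret
psql -h db.example -U app
curl -H "Authorization: Bearer abc123.def456" https://api.example/
mysql -u root --password=hunter2
git commit -m "fix typo"
EOF
}

# Print "line:keyword" for each credential-looking token (keyword list is an
# assumption; extend it for your own tools). Values are never printed.
scan_history() {
  grep -noiE '(password|passwd|token|secret|api[_-]?key|authorization|bearer)[=: ]' "$1" \
    || true   # grep exits 1 on no match; that is a clean result here
}

# Copy $1 into directory $2 only when scan_history finds nothing.
# Returns 1 (with findings on stderr) otherwise, so a cron job or
# pre-sync hook can fail loudly instead of replicating the secret.
backup_history() {
  src="$1"; dest_dir="$2"
  findings=$(scan_history "$src")
  if [ -n "$findings" ]; then
    printf 'refusing to back up %s, suspect lines:\n%s\n' "$src" "$findings" >&2
    return 1
  fi
  mkdir -p "$dest_dir"
  cp "$src" "$dest_dir/"
}

# Run with --demo to see the refusal on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); make_sample_history "$f"
  backup_history "$f" "${TMPDIR:-/tmp}/history-backup-demo" || true
  rm -f "$f"
fi
```

Lines that only mention a keyword without an `=`, `:` or space after it (a commit message, say) are not flagged, so the scan errs toward assignments and flags rather than any mention of the word.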

As for OmniFocus, backups are cake. Just check the preferences for the database backup location and frequency settings, and change it to somewhere within your Dropbox folder.

In addition to the convenience of keeping this stuff linked into a secure, synced place like Dropbox, using an online backup service (like the fantastic Backblaze) is a no-brainer for keeping your stuff safe. You should be using one. Even though Time Machine is super simple to get going to an external HDD, I don’t trust the hardware enough to rely solely on that.

  1. Remember, history files can often contain passwords and other secure data. Make sure if you keep them around they’re somewhere secure.

✦