Saturday, July 24, 2010

Security and LastPass (and Yubikey)

I am "behind" in terms of what I've wanted to write over the past two weeks as I have been extremely busy with, well just about everything.

But, I wanted to mention something I found recently related to internet password management and password security. As I have mentioned in other posts, besides being security and backup paranoid when it comes to all things computer, internet security has become somewhat of a hobby of mine. I actually hope to take a graduate program in "Network Security and Information Assurance", a program the U of M starts this year. We'll see where that fits in...

Anyway - one of the podcasts I listen to regularly is "Security Now" with Steve Gibson and Leo Laporte. I highly recommend that anyone with even a small interest in how the internet and security works listen to this weekly 1-hour show - they go into topics that are quite advanced but break them down into fairly simple pieces. Plus, every week they cover the latest in security news, what patches you should make sure to apply, etc.

Last week, they covered a password management tool called "LastPass" (http://lastpass.com). Password management for internet sites is a very difficult thing to do in this era where we all have many, many site accounts, userids, passwords, etc. Just keeping track of what sites you have userids on is hard, much less what the userid and password is. This drives many people (including myself up until now) to use the same password for many sites, sometimes all sites, which is a VERY bad thing to do - if someone gets a hold of your one password, it wouldn't take too much to start trying to hack into every account you have. I admit that I was doing this to some degree (even though I know better!) and was keeping an excel spreadsheet to keep track of everything. I kept this on a thumb drive that was physically in my possession, but that's still not a good solution (and if you don't have the thumb drive with you you're out of luck).

Lastpass solves all of these problems, and does it brilliantly and securely. From the convenience/management side of things, when you set up an account with Lastpass, they create an online database which can be accessed by signing in from any web browser anywhere. Additionally, there is a plugin for pretty much any browser or platform known to man - for me, Firefox on Windows and the Android mobile phone operating system were what I needed, but the list was huge. Once you install the plugin, and add your sites and passwords (it actually does this automatically too the first time you visit a site - more on that later), when you visit the site again, you can either have Lastpass auto-fill the userid/password fields from the database, or you can manually select "fill" when you are at the site login page if you're uncomfortable with them automatically doing it.

So, storing passwords in an online database sounds scary...let me tell you why it's not in this case. What Lastpass stores on their servers is an encrypted version of all your data - even the password to your Lastpass account is encrypted! Everything is encrypted on the client (your browser) side, with a key based on your userid and password, meaning only you can generate this key and decrypt the data that is obtained from their server or encrypt the data stored in their server. Their documentation and forums are very clear on how they do this (I read a lot of it) and several people have done independent tests and verified that they are doing what they say they're doing. What this means is, there is no way that they, or anyone, can get your stored passwords with the data stored on their servers. Only you (or someone with your Lastpass userid and password, which is only you if you're careful with it) can do anything with the data they store. Meaning that, for example, the FBI could get a warrant and ask Lastpass to give them some password data from their database, and Lastpass literally could not comply - there is no technical way they could give them anything meaningful.
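To make the client-side model above concrete, here is an added example (not from the original post and not LastPass's own code) of deriving a key from a userid and password in the client, encrypting the vault locally, and handing the server only ciphertext plus a login token. The choice of PBKDF2, AES-256-GCM, the iteration count, and all function names and sample values are assumptions for illustration.

```javascript
// Added illustration; the KDF, cipher, iteration count and names are assumptions.
const crypto = require('crypto');
const ITERATIONS = 100000; // assumed work factor, not a LastPass setting

// Client side: vault key derived from userid + master password; never transmitted.
function deriveVaultKey(userid, password) {
  return crypto.pbkdf2Sync(password, userid.toLowerCase(), ITERATIONS, 32, 'sha256');
}

// Client side: separate login token, so the server can authenticate the user
// without ever seeing the password or the vault key.
function deriveLoginHash(vaultKey, password) {
  return crypto.pbkdf2Sync(vaultKey, password, 1, 32, 'sha256').toString('hex');
}

function encryptVault(vaultKey, entries) {
  const iv = crypto.randomBytes(12); // fresh nonce per encryption
  const c = crypto.createCipheriv('aes-256-gcm', vaultKey, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(entries), 'utf8'), c.final()]);
  return { iv: iv.toString('hex'), tag: c.getAuthTag().toString('hex'), ct: ct.toString('hex') };
}

function decryptVault(vaultKey, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', vaultKey, Buffer.from(blob.iv, 'hex'));
  d.setAuthTag(Buffer.from(blob.tag, 'hex'));
  const pt = Buffer.concat([d.update(Buffer.from(blob.ct, 'hex')), d.final()]); // throws on wrong key
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample account and entry; returns what each party can and cannot do.
function demo() {
  const userid = 'alice@example.com', password = 'correct horse battery staple';
  const key = deriveVaultKey(userid, password);
  const entries = [{ site: 'example.com', user: 'alice', pass: 's3cret-constructed' }];
  // Everything the server ever stores for this account:
  const serverRecord = { userid, loginHash: deriveLoginHash(key, password), blob: encryptVault(key, entries) };
  const roundTrip = decryptVault(key, serverRecord.blob);
  let wrongPasswordFails = false;
  try { decryptVault(deriveVaultKey(userid, 'wrong guess'), serverRecord.blob); }
  catch (e) { wrongPasswordFails = true; }
  const serverSeesPlaintext = JSON.stringify(serverRecord).includes('s3cret-constructed');
  return { roundTrip, wrongPasswordFails, serverSeesPlaintext };
}

console.log(demo());
```

In a design like this, anyone who obtains the stored record can still test password guesses offline against it, so the protection is only as strong as the master password and the key-derivation work factor.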

Now here's the kicker. All of this is free. Well almost all of it - if you want to set up your smart phone browsers to do this, there is a premium version which costs $12/year, and gives you a few more features. But most people wouldn't need to do this (I got it because I wanted to do some of their advanced stuff but that's because I'm a geek :) The premium version also gives you the option of adding a Yubikey/Yubikeys to your account. If you want to know more about what a Yubikey security key is, go to http://yubico.com/ and read about them (it's complicated and far too much to write about in a blog entry, but basically it's a second authentication factor which makes this even more secure). I have pictured the 3 I bought below - they're small USB plug-ins with one button.

For anyone who's interested, I'd be glad to show them how my Lastpass account works.

Tuesday, July 20, 2010

A pile of used bandaids

I'm way behind in all the things I want to blog - I hope someday I can blog straight out of my brain, because a lot of my best writing ideas come when I'm not by a computer.

I really need to start reading more fiction and less history, biographies, and especially news, because, even though I find them fascinating, I also find them frustrating. (I believe I get my fascination with history and humanity from my dad...)

Today I read an article in "Time" (one of the few news magazines I find to be the most objective) about the economic situation that states are in right now, having to look at cutting all sorts of stuff. I didn't know that only the federal government is allowed to run a budget deficit, states are required by law to balance their budgets. I guess most of the time, the normal ups and downs of the economy balance each other out and usually don't cause problems. Apparently this "down" has been a lot longer and deeper than most and states are having to make what they call "real cuts" now - into services that are ingrained like education, medicaid, etc.

The situation the state governments are in sucks, and I don't really know how they're going to deal with it in the very short term. But I don't understand why no one will stand up and say out loud what the truth really is about all of this. We have overinflated and artificially grown our economy for many many years (not just one president and congress, but many) and now we're going to have to pay for it. And that means if we want to continue some of these fundamental services that make our country good and strong and secure (and I'm not talking militarily secure, but secure and "sound" as a society) we are going to have to pay more taxes. Stuff costs money. We can pay less in taxes and have lesser quality of everything and have stuff run down, or we can pay more in taxes and have higher quality public services and infrastructure. It's not rocket science.

Most people probably don't want to hear that from the guy with a good job, but they should hear it from the guy that pays more in taxes as a single (at least from a tax standpoint) person in a higher tax bracket. Certainly I'd rather pay less in taxes and keep more money for myself, but if paying taxes means better education, better infrastructure, better stability, etc. then I'm willing to do it. Certainly that means our governments should spend wisely, not be wasteful, and get the most value out of our tax money as they can. But in the end, stuff still costs money.

What we seem to be doing now (getting to the explanation of the blog title) is that we keep altering laws, doing magic with budget numbers and the money supply, etc. to band-aid whatever the problem of the moment is. But we're getting to the point where all we have is a pile of used bandaids.

For example, just on the way in to work this morning I heard a commercial advertising a firm that can help you "settle" your credit card debt, and how if you have over $10,000 in credit card debt, there are government programs that can settle it for a fraction of the cost. Seriously? This is an example of another bandaid - banks get their money, and people who were irresponsible (yes, I'll say it out loud - an individual who charges up more credit card debt than they can really afford cannot just blame bad bank laws and deregulation) get set back to $0 and get to start spending more money and buying things which artificially stimulates the economy again...until somewhere down the road we have to pay for that bailout.

I realize that every situation is different, and someone who buys a house and then loses their job a few years later was not being irresponsible. But that is not everyone. I guess I've always been under the assumption that if I take out a loan for something, or charge something on a credit card, I actually have to pay for that at some point.

Monday, July 12, 2010

Why a salad costs more than a Big Mac...

Thanks to my friend Christian for sharing this one:

http://contexts.org/socimages/2010/05/18/federal-subsidies-vs-nutritional-recommendations/

I've always wondered about this too - I realize that land, weather, environment dictate to some degree the types of things that can be raised in a given area, but probably not the degree of the disparity in our country.

Friday, July 9, 2010

Thursdays on First

I really love that Rochester has done so much over the past few years to promote downtown and community events like "Thursdays on First". Whoever says there's nothing going on in Rochester is selling the town short. Sure there isn't a huge amount of "night life" but there are a ton of people from all walks of life out having fun at things like this.

I had the opportunity again last night to come down and jam with some other great musicians, thanks to my good friend Dan who I've known from various musical things including the salsa band. We all jammed by Sonte's for 2 hours and had a great crowd of people watching and enjoying the beautiful Minnesota summer weather. I hope we have the opportunity to do it again!

Sunday, July 4, 2010

Happy 4th

Not an especially nice weather day, but a fun weekend, and especially nice that it's on a Sunday and I get Monday off of work too!

We've had a fun weekend of wedding rehearsal, wedding, and a fun evening out downtown with all the friends back for the wedding.

This morning was also very cool, as for church I played "America The Beautiful" as a bell solo - the third solo I've done. It was really neat and I think everyone enjoyed it.

Hilarious Bonnie Tyler video

If you never watch any of the other ones I've shared, you should watch this one - especially if you were of the era when Bonnie Tyler's "Total Eclipse of the Heart" song was hugely popular in the 80s. This video is the actual original video with "literal" lyrics put to it. I never really thought about how scattered and mindless the video actually is :)



Happy 4th everyone!

Friday, July 2, 2010

iPhone 4: If at first you don't succeed....

I have to chuckle a bit when reading about this whole iPhone 4 "don't hold it wrong" antenna thing:

http://finance.yahoo.com/news/Apple-stunned-to-find-iPhones-apf-1175483258.html?x=0


Now, I actually do believe them in this case, that they're probably not doing signal strength calculations correctly - in fact I've read some more objective, credible articles about researchers having determined that on their own. But the phrase my friends and I in college used a lot still comes to mind - "If at first you don't succeed, redefine success." And as funny as that is, it happens all the time - benchmarks, performance tests, and, yes, signal strength calculations :)

Some related phrases, "Politics is perception" (from one of my all-time favorite movies, "The American President"), and "So what I told you is true...from a certain point of view" (Obi-Wan Kenobi to Luke Skywalker in "Return of the Jedi" when he tells Luke that he wasn't actually lying when he said Darth Vader betrayed and murdered Luke's father), come to mind. Really, so much of life IS how we make it - and some (a lot?) of how we perceive things is our own choice. So if it makes us feel better to see 4 bars instead of 2, even if ABSOLUTELY NOTHING has actually changed with our signal strength, maybe that's ok? I guess one of my other favorite phrases may apply here too... "Ignorance is bliss" ... often true.

Thursday, July 1, 2010

Google

I like Google for a variety of reasons, but I'll add this one now:

http://www.msnbc.msn.com/id/38037689/ns/business-careers/

(the title is somewhat misleading...you have to read the first paragraph at least to understand it)