Tag: mozilla

Securing Your On-line Life with a Password Manager and Two-Factor Auth

The Internet was ablaze last week with discussion of the hacking of Mat Honan. For those not up to speed about what happened, hackers were able to use social engineering and weaknesses in the security policies of Apple and Amazon to obtain access to Mat’s on-line accounts and to reset all of his Apple devices. Scary stuff!

With this incident on everyone’s mind, I thought it would be a good idea to share the techniques I use to secure my on-line life. I encourage you to adopt these practices if you haven’t already.

Use A Password Manager

My favorite password manager is LastPass. It’s cross-platform and cross-browser. There is a free version and a very affordable premium version at $12/year.

Other options include KeePass and 1Password.

With LastPass, your data is stored online in an encrypted format. To access your information, you unlock your “vault” with a master password. On the desktop, LastPass isn’t a stand-alone program. Rather, you use it as a browser plugin. On mobile platforms there is a stand-alone program that includes an integrated web browser. Because your data is stored online, it is synchronized across and available from multiple computers. This is great if you use more than one system, which I do. LastPass also offers the ability to access your vault when you’re off-line (though two-factor auth is limited in this case).

LastPass allows you to securely store:

  • passwords for all your sites
  • secure notes, which you can use to store miscellaneous information such as server logins, credit card and bank account details, passphrases and more
  • form data, including credit card information (makes online buying a snap)

It also provides a password generator.

Here’s an example of what it looks like to retrieve passwords in LastPass:


And here’s how I login to sites that I have saved with LastPass:


Using a password manager, be it LastPass, KeePass, 1Password or another solution, allows you to easily follow the best practices I outline below.

Use a Unique, Strong Password for Every Site

You should never re-use a password. Use a unique password for every account that you create, everywhere. This keeps a compromise of one site from spreading to your accounts on other sites.

Make sure you pick a strong password. Better yet, use a computer generated password rather than one you make up on your own. Many password managers, including the ones I have mentioned in this post, have a password generator built in. Use it!

Here’s LastPass’ generator:


How Do I Remember All These Unique Passwords?

At this point you might be asking, “how will I remember all these difficult passwords?” You won’t! The only password you’ll need to remember is the master password for your password manager.

Stand-Alone Password Generators

Don’t like or want to use the built-in password generator? There are plenty of stand-alone options.

My favorite password generator is actually the one that ships with OS X. It’s a bit difficult to get to, however, because you have to open the keychain and then click through some additional buttons. This app, however, opens the password-generation dialog directly.

If you’re on Windows, there’s pwgen-win. If you’re on Linux, try apg or pwgen.

Don’t Use Real Information in Security Questions

Security questions are those additional questions you fill out when you set up web accounts, especially for on-line banking. Some examples:

  • childhood nickname
  • name of first pet
  • first school attended
  • place where you met your spouse
  • favorite sports team

Most of the security questions I’ve encountered are absolutely terrible in that answering them honestly does nothing to protect your account. Why? Because we live in the age of social networking and answers to these questions are almost always readily available to anyone who’s willing to spend a few minutes searching on Google.

The solution is to provide bogus answers. Favorite Sports Team? The Bangalore Bananas. Or xFLXw99X62ONsPFU. There’s no way someone can use social engineering to come up with answers like these (unless you post them online for some reason). In order for this strategy to work, don’t rely on your memory. Instead, use your password manager to save the security questions and answers just as you do with unique, strong passwords. LastPass makes this particularly easy because on any webpage with a form you can use the “Save All Entered Data” option to capture your questions and answers.
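A generated password and a generated security-question answer are both just uniformly random strings, so one added example (my own illustration, not LastPass’ generator) covers the password generators discussed earlier and the bogus answers here: it draws from Python’s secrets module, enforces character-class coverage by rejection sampling, and reports the entropy of the result. The symbol set and lengths are my assumptions.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # assumed set; trim to what a site accepts


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Slightly overstates the value when every class is *required*, since
    that rule excludes a small fraction of the possible strings."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, use_symbols: bool = True) -> str:
    """Draw every character from the OS CSPRNG (secrets, never random) and
    retry until each enabled class is present, so a site's composition
    rule cannot reject the result. Rejection sampling keeps the output
    uniform over the strings that satisfy the rule."""
    classes = [LOWER, UPPER, DIGITS] + ([SYMBOLS] if use_symbols else [])
    alphabet = "".join(classes)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def generate_security_answer(length: int = 16) -> str:
    """A random alphanumeric 'answer' in the style of xFLXw99X62ONsPFU:
    it says nothing about you, so it cannot be looked up. Store it in the
    password manager alongside the question, not in your memory."""
    return "".join(secrets.choice(LOWER + UPPER + DIGITS) for _ in range(length))


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(LOWER + UPPER + DIGITS + SYMBOLS))
    print(f"password: {pw}  (~{bits:.0f} bits)")
    print("Favorite sports team?", generate_security_answer())
```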

Enable Two-Factor (or 2-Step) Authentication Wherever Possible

Two-factor authentication means that in order to login to a site, you need to provide two pieces of information instead of just your password. Most two-factor authentication schemes involve providing your password and a unique code generated by a separate program, usually on a physical device.

For example, when I log in to Google, I first log in the usual way and am then prompted for a verification code:


And then I open Google Authenticator on my phone in order to retrieve a special code:


Enabling two-factor authentication adds an extra level of security because it means a hacker can’t login to your account even if they have your password. They’d also have to have the physical device that generates the second authentication factor.

In this post I’ll cover enabling and using two-factor authentication with Gmail and with LastPass.

Enabling Two-Factor Auth for Google

To enable two-factor authentication for your Google account:

  • Log in to your account and navigate to your Account page.
  • Navigate to security settings.
  • Click ‘edit’ next to 2-step verification.
  • If you haven’t already verified your phone, you’ll need to do so now.
  • After this, 2-step verification will be enabled.


You should now set how to receive your verification codes. You can enable one or more of the following methods:

  • Mobile application (Google Authenticator, for Android and iOS)
  • Backup phone (not your Google voice number)
  • Print backup codes (keep in your wallet or somewhere else safe)


I recommend setting all three, especially if you have a smart-phone or tablet. The method I use most often is the mobile application.

When you select mobile application, you’ll see the following screen. Scan the QR code with your phone or tablet. You’ll then be given a key to enter into the form to verify your device.


Note: You can install Google Authenticator on multiple devices, but you must do so at the same time. If you wish to add a device later, you’ll need to turn off 2-step verification and go through the whole process again. You do not need to do this in order to add another Google account to Authenticator, however.

Generating Application-Specific Passwords

What happens if you want to use an email client like Thunderbird, Mail.app or Outlook? Or a chat client with your gTalk? You still can, but you have to generate application-specific passwords. What this means is that for each application you would like to allow to access your mail or chat, you generate a separate password. That password is revocable at any time should you lose control of the application (e.g. you lose the laptop on which it’s installed) or suspect that the password has somehow been compromised.


Enabling Two-Factor Auth in LastPass

LastPass offers a few options for two-factor authentication:

  • fingerprint reader
  • grid authentication
  • Yubikey
  • Google Authenticator

I selected Yubikey. A Yubikey is a USB device that generates a unique, one-time password. Once you link a Yubikey to your LastPass account and enable two-factor authentication, you need to use your Yubikey along with your regular password each time you want to log in (although you can specify which computers are trusted and therefore do not require secondary authentication).

I bought 2 Yubikeys and an additional year of LastPass service for $50. Because you can associate your LastPass account with multiple Yubikeys, I have one for regular use and one as a backup in case I lose the first.

Here’s what it looks like when I log in to LastPass with Yubikey authentication enabled.

First I’m prompted like usual for my LastPass email and password:


And then I’m prompted for my OTP from the Yubikey:


Have a Recovery Email That is Not Easy to Guess and Keep it Private

Both Google and LastPass allow you to specify a recovery email address. I strongly recommend that you set up a second email account that is dissimilar to your regular, public email address, keep it private, and use it as the recovery email for your critical accounts (like Google and LastPass). The reason for using a private, separate email is that hackers are then less able to guess your recovery email and launch an attack against it.

Also, if you are uncomfortable having all your on-line eggs in one basket like I am, consider paying for a backup email account from a service like FastMail, HushMail or Pobox.

Change Important Passwords Periodically

You should change the passwords on your critical accounts on a regular basis. Quarterly is probably a good target. Even twice or once a year will be better than never. For best results, link it to some other deadline. Self-employed? Change your critical passwords when you send in your quarterly estimated taxes.

What are critical passwords? Your Google account and password manager, certainly. Probably also your on-line banking, too.

Check Access Logs Frequently

Most systems provide access logs that you are able to check. You should periodically examine this information for anything that seems strange. Look for connections that don’t match your usage because this could be a sign someone is accessing your account without your permission or knowledge.

To see your Google access logs, log in to Gmail, scroll down to the bottom of your inbox and look for “Last account activity.” Then click on details.


You’ll see a screen like this where you can see which IP addresses have been connecting to your account:

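As an added example of what “connections that don’t match your usage” can mean in practice (my own script, not Google’s; the networks, addresses and activity rows are constructed), this Python reviews entries like the ones on that screen and flags addresses outside the networks you normally use, as well as two different networks active within a short interval, which one person on one connection cannot plausibly produce.

```python
import ipaddress
from datetime import datetime, timedelta

# Networks I normally connect from (constructed; substitute your own).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),   # home ISP
                  ipaddress.ip_network("198.51.100.0/24")]  # office

# Constructed sample of "Last account activity" details: (type, IP, time).
ACTIVITY = [
    ("Browser", "203.0.113.7", "2012-08-14 08:02"),
    ("IMAP", "198.51.100.22", "2012-08-14 09:15"),
    ("Browser", "192.0.2.44", "2012-08-14 09:21"),
    ("Mobile", "198.51.100.22", "2012-08-15 18:40"),
]


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def is_known(ip: str) -> bool:
    """True if the address falls inside any network I normally use."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def review_activity(entries, max_gap=timedelta(minutes=30)):
    """Return findings: entries from unknown networks, and consecutive
    entries from different /24 networks (IPv4 assumed) closer together in
    time than `max_gap`, which suggests a second party in the account."""
    findings = []
    rows = sorted((parse_time(t), kind, ip) for kind, ip, t in entries)
    for when, kind, ip in rows:
        if not is_known(ip):
            findings.append(f"{when:%Y-%m-%d %H:%M} {kind} from unknown address {ip}")
    for (t1, _, ip1), (t2, _, ip2) in zip(rows, rows[1:]):
        same_net = ipaddress.ip_address(ip2) in ipaddress.ip_network(f"{ip1}/24", strict=False)
        if not same_net and t2 - t1 <= max_gap:
            minutes = int((t2 - t1).total_seconds() // 60)
            findings.append(f"{ip1} and {ip2} both active within {minutes} min")
    return findings


if __name__ == "__main__":
    for finding in review_activity(ACTIVITY):
        print("CHECK:", finding)
```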

Make Regular Backups

The above steps are not a guarantee against your data being compromised. You should make sure you’re regularly backing up any data that’s important to you, including your password information.


O’Reilly Open Source Award


Last Friday I was presented with an O’Reilly Open Source Award. The award recognizes “individual contributors who have demonstrated exceptional leadership, creativity, and collaboration in the development of Open Source Software.” Wikipedia has a list of previous winners.

Not only did I get the very awesome sharpie-inscribed lightbulb award you see above, but I also received my very own Eggbot! The Eggbot is an open source CNC artbot and was used to create the awards.

I’m honored to be recognized by O’Reilly for my work getting people involved in Open Source through events like BarCamp Portland and Open Source Bridge via my governance of Stumptown Syndicate.

However, these efforts are by no means singular. The projects I’m involved in are successful because of the awesome people that choose to volunteer their time to help make them a reality. I would have liked to be able to recognize a dozen or more people on stage with me last Friday. Thank you Audrey Eschright, Reid Beels, Jim Eastman, Kirsten Comandich, Amy Farrell, Chris McCraw, Igal Koshevoy, and Melissa Chavez for working with me on these projects year after year. And, thank you to my lovely wife Sherri Montgomery for supporting my work and joining in herself.

If you’re curious what Edd and Sarah said about me, check out the video here:

I feel as if my work in open source and free culture is just beginning. There is so much more to do. If you’d like to join me, get in touch!


Mozilla Now Has Guidelines for Community Participation

Mitchell Baker announced today on mozilla.governance that Community Participation Guidelines have been posted.

While I remain critical of the version that has been put forth (for reasons I don’t have time to articulate now, but will try to later), I recognize adoption of any standard for participation as a step in the right direction.

Thank you to all those involved in moving this forward and getting it published.

Note: If you haven’t been following this issue, read my previous posts on the subject here and here.

To the Anonymous Mozilla Member Making Threats on My Blog

Update (31 December 2016): This person was identified easily via their IP address, which matched that of one used regularly by a Mozilla staff member. After a protracted effort on my part, our head of HR assured me the person had been appropriately reprimanded. (As was I, incidentally, for not being able to “work things out” with this person.) I left Mozilla in August 2015. The staff member who threatened me, on the other hand, was rewarded with a promotion and now manages a team of seven people. 


I’m not going to publish any of your comments, so you might as well stop leaving them. Also, you’ve been reported to Mozilla leadership.

I will, however, share this bit with everyone here so they understand what kind of crap I and others receive simply for speaking out about the issues that are important to us.

mozilla@member.com writes (emphasis mine):

Or, to put it another way, we don’t want you two around, really. You’ve spent months creating drama and attacking anyone who disagrees with you in the most passive-aggressive “I’m a poor victim” fashion.

Feel free to find the door to more perfect folks who agree with your politics and allowed means of expression.

Still No Code of Conduct at Mozilla

It’s been nearly four months since events at Mozilla led several of us to call for adoption of a code of conduct. And yet we do not have one.

I can’t tell if progress is stalled, or if we’re just not hearing of updates. The last post to mozilla.governance on the topic occurred in early May. What’s going on? Why does this appear to be a non-priority for our leadership?

Regardless of the reasons, four months is a long time to wait for something that was long overdue to begin with. It’s a long time to wait to have reassurance from my community that I, and others like me, are welcome, and that discriminatory behavior against us will not be tolerated.

The (Overdue) Need for Community Conduct Standards at Mozilla

Next week marks my six-month anniversary as a Mozilla employee. I have been planning to write a post to mark the occasion and to share with everyone what an awesome (albeit challenging) experience it is working at such an innovative, mission-driven organization.

However, recent events on Planet Mozilla (see Hate Speech Is Not Free Speech and Concerns with Planet Content for context) compel me to speak to another issue first: the urgent need for the Mozilla community to work together to develop, implement and be held accountable to standards for participation.

The syndication on Planet Mozilla of discriminatory content and ensuing discussion is just one symptom of a larger, systemic problem. The greater issue is that we have failed to set forth guidelines about what constitutes acceptable and unacceptable behavior within our community. We have operated far too long under the false assumption that individuals can do this entirely on their own.

Frequently, this failure to put forth standards manifests as slightly less than civil interactions. I’ve also seen it displayed in the offhand dismissal of others’ ideas or needs. Most recently, on Planet Mozilla, I’ve seen it threaten and alienate those contributors who are queer.

As Mozilla grows in scope and size and we facilitate more and more in-person events, the harm incurred due to the absence of community standards will increase. No one should have to endure an assault or harassment at an event we host before we take action on this matter. Already, there are a number of us who question whether or not we are safe at Mozilla and if our contributions are valued.

Setting and enforcing norms is a usual and necessary function of community. Our community managers and long-time contributors have abdicated their responsibility to us by not ensuring such norms are set, and in some cases by actively blocking progress on this matter. It’s time for that to change.

Will it be easy? No, of course not. Some will be unhappy at any implied restrictions on speech or behavior. The point is not to make everyone happy. The point is to provide clear guidelines so that everyone can operate within a common context and to provide a support structure to those who need it.

To be absolutely clear: the heart of this recent issue is not what type of content should be syndicated on Planet Mozilla, and it is not about differences of opinion. Focusing our discussion solely on Planet Mozilla is a distraction.

The issue is that Mozilla resources (the server and bandwidth that provides Planet) were utilized to attack a vulnerable group. This group includes Mozilla employees and contributors and it made it harder for them to do their jobs. That they were attacked using Mozilla resources is what is unacceptable and needs to be addressed directly through the implementation of community standards. Indeed, part of the process of developing these standards will be to make it clear that attacking vulnerable groups is unacceptable.

Community standards are not about limiting anybody’s free speech, but about limiting people’s ability to make their coworkers feel unsafe and unwelcome without consequence or accountability.

Fortunately, we have a lot of resources to draw upon in developing our community standards. Several groups not unlike our own have already done so: Ubuntu Code of Conduct, Citizen Code of Conduct, Drupal Code of Conduct, Wikimedia Foundation Friendly Space Policy.

Let’s get to work.

Update:

1) I’m not going to publish any more comments related only to Tim’s comments and whether or not they would violate a Code of Conduct. I’m also not going to facilitate any more conversation about whether or not Gerv’s recent post on Planet Mozilla was discriminatory. There’s been plenty of back and forth on those topics in other forums and I’d like to have a more productive conversation here. If you want to talk about how we can work together to develop a code of conduct for Mozilla, then that’s fine.

2) To whomever submitted the anonymous comment (from a Mozilla IP): calling someone here an asshole is never going to be acceptable, so don’t even try.

Joining Mozilla

Today is my last working day at ShopIgniter. After a two week break, I will join the Web Development team at Mozilla as a Web Product Engineer.

I’m thrilled to be joining Mozilla and to help contribute to its mission to “promote openness, innovation and opportunity on the web.” I will continue to be based in Portland (where Mozilla already has several remote employees) but will travel to Mt. View, where Mozilla is headquartered, as needed. My involvement in the Portland tech community will continue.

To understand a bit more why I’m so excited to be joining Mozilla, check out Pragmatic growth: from 2 to 40 in 4 years, and then watch the video What do you want the web to be?

Thank you to all my co-workers at ShopIgniter. I’ve enjoyed working with you all over the last year and a half. I look forward to hearing about ShopIgniter’s continued success and hope to see you around Portland.