Look, I’m a tech guy. I work on a lot of computers. I work on a lot of web sites. I try out new web services and products all the time. I pay my bills online, I bank online, and to a great extent, much of my life and work is preserved online.

I have a lot of passwords. I need to keep track of them all, and keep them safe.

I’ve had a password strategy which worked for me for years; I kept several base passwords, which I mentally sorted by level of secrecy necessary, and I’d use variants of those basic passwords to create new ones at the right levels.

So I had a low-security password which I could use across sites to try out new services. I had a medium security password for accounts that were associated with my public face — i.e., Twitter, Facebook, etc. And of course, I had a high-security password which nobody at all knew besides me, and that secured my online banking and financial accounts.

Like I said, this worked for years. If I changed jobs, or if I could no longer ensure the security of a given password, I just had to change that one in my rotation.

There were problems, of course… sometimes I couldn’t remember which variant I had used at which site, what the user name might be, etc.  But overall, it worked pretty well, and I’ve never had one of my accounts hacked.

But we live in a different world these days.

I’ll admit, it was the LulzSec leaks that convinced me to re-think my password strategy. They dumped 62,000 email/password combinations on the web, for a wide variety of sites, and let people run wild with them. My email/password weren’t included in the leak, but it got me thinking about how devastating it would be, should my passwords get out in the public sphere like that. It could compromise not just my own security, but the security of my clients’ sites.

So I knew I had to smarten up. I needed a way to secure my ever-growing list of passwords, and furthermore, I needed to ensure that I was using different passwords everywhere.

Beyond that, I work on different machines in different locations, and I needed all my passwords to be accessible to me no matter what machine I was using at the time.

And I needed to secure the whole list in a way which was bulletproof, hacker-proof, snoop-proof.

So the solution I found works pretty well, and I figured I’d share it around. There’s nothing really novel about this solution, but there’s certainly no harm in sharing what I’ve learned. Perhaps it’ll inspire you to do the same. The more people who take their digital security seriously, the less harm hackers/viruses/data leaks will be able to do for all of us.

Step 1: Storage in the cloud

I need access to my passwords wherever I am, on any machine I’m working on. That means either a) a private server or b) a public service or c) a USB key. I opted for the public service, specifically Dropbox. Dropbox has caught a lot of flak over the past few weeks for significant security breaches, but I knew a way around that (see step 2, below). The important thing was Dropbox would give me access everywhere, and two gigs of storage for free. I toyed with the idea of using a USB key, but I abandoned the idea because it meant I’d have to back it up regularly, just in case I lost my key. I can’t imagine the horror which would befall me if I should lose my only copy of my entire password database down a drain, or something. No, better to rely on Dropbox, backed by Amazon’s cloud storage. But something had to be done to make it more secure.

Step 2: Military-grade security

If I’m going to store my most sensitive information in the cloud, I needed to ensure, for my own peace of mind, that it was really, really, really secure.  I couldn’t just rely on someone telling me it was secure.  I needed to do it myself.

Enter TrueCrypt.  TrueCrypt is free, cross-platform, open source, military-grade encryption software which allows the user to create encrypted virtual disks, or even to encrypt entire drives.  It was perfect for my purposes.

So, after getting my Dropbox account all set up and working on my various computers, I installed TrueCrypt.  The fact that it’s cross-platform is particularly important, since I use a PC with Windows 7 at home, and a Mac running OSX 10.6 at work.

After installation, I created a new TrueCrypt volume in a data file in my Dropbox folder.  I set it up with 256-bit AES encryption, which is approved by the US government for documents up to the Top Secret level.  I also made sure to put both Mac and PC-installable versions of TrueCrypt into an unencrypted Dropbox folder, in case I needed them on a new computer at some point.  I could just install without having to download the packages anew.

Step 3: A secure password database

Once again, cross-platform compatibility was absolutely key.  Once again, the open-source community came to the rescue with the really excellent program, KeePassX.  It’s got Mac, PC, and Linux flavors.  It stores your passwords in configurable groups.  It includes a password generator for creating and storing really long, really strong passwords on the fly.  And it stores the database in an AES 256-bit file.

I downloaded both a Mac and a PC version of KeePassX, and dropped both of them into the encrypted container that TrueCrypt created.  Again, this is so if I’m on a strange computer, I won’t have to download new copies of the software.  But you won’t know they’re there unless you’re already looking inside my TrueCrypt volume.

You can unlock a KeePassX password database with a master password.  I chose a really long password (~ 30+ alphanumeric characters) for this purpose.  Actually, this was the hardest part of the whole set up — I wanted a master password which I could remember and type, but which would be long and complicated enough to be virtually unbreakable.

At this point, I felt like there wasn’t much more I could do to ensure security, so I started dumping all my passwords into KeePassX.  Over the last week, I’ve slowly been adding accounts to the database, and I’ve been changing passwords as I go, to ensure I’m not using the same ones for multiple accounts.  I organized them into groups for work, banking, consulting clients, etc., which makes it easy to find the one I’m looking for.

And so far, so good.

So, how secure is it?

Well, let’s pretend I’m a determined hacker, and I’m trying to get at these passwords. Here’s what I’d have to do:

  1. Compromise the Dropbox account. Considering the security issues, let’s just say this is a given.  For the sake of our argument, it may as well have no password on it.
  2. Locate and compromise the secure data file created by TrueCrypt. This part is really tricky, because it’s very, very secure.  It’s extremely unlikely that it could be broken by anyone outside of the NSA, and even then, it could take them years and years of computer time to crack it. However, if they did, they’d still have to …
  3. … Compromise the KeePassX database. Again, AES 256-bit encryption with a very, very long passphrase would protect this file from brute-force attempts for longer than the life of the universe.
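Putting numbers on the brute-force claim in step 3, as an added worked calculation that is not from the original post. Assumed: a 62-character alphanumeric set, a 30-character master password chosen uniformly at random, and a hypothetical attacker budget of $10^{12}$ guesses per second.

Entropy of the master password: $H = 30 \log_2 62 \approx 30 \times 5.954 \approx 178.6$ bits, i.e. about $2^{178.6}$ candidate passwords.

The AES-256 key behind the database has 256 bits, so the passphrase, not the cipher, is the weaker link: an attacker guesses passphrases, not keys.

Expected work is half the space: $2^{177.6} \approx 10^{53.5}$ guesses.

Time at the assumed rate: $10^{53.5} / 10^{12} = 10^{41.5}$ s. With $3.16 \times 10^{7}$ s in a year that is roughly $10^{34}$ years, against an age of the universe of about $1.4 \times 10^{10}$ years, so the claim holds with some 24 orders of magnitude to spare.

The caveat is the word “random”. If the same 30 characters are five common English words taken from a 10,000-word list, the entropy is only $5 \log_2 10000 \approx 66$ bits, and the expected time at the same rate is $2^{65} / 10^{12} \approx 3.7 \times 10^{7}$ s, a little over a year. Length protects you only to the extent the characters are unpredictable.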

What about other vectors? Like, say for instance someone was sniffing my network packets trying to pick up the passwords as they passed over the network?

Well, what’s getting transferred over the network is the TrueCrypt file, which is secure.  Local, cached copies are saved on each of the computers which have connected to it, so the only thing that would be sniffable would be the entire file, which would still leave you with steps 2 & 3 above.

What about if they compromise one of the machines that I have Dropbox installed on?  Again, the TrueCrypt volume would be visible to them, but unless they could get into it, and past still another level of encryption, my passwords are still safe.

Keyloggers?  Well, yeah, this is a possible vector.  If one of the machines I was working on were to have a keylogger installed, then a determined attacker could indeed get both the TrueCrypt password and the KeePassX password, which would let them get into the file.  But honestly, that’s the case no matter what steps you take to secure your information.  Best defense there is to keep the ol’ antivirus software up to date, and to regularly scan the system for malicious software.  Of course, that probably wouldn’t help if, for instance, a government agency were to break into my house and install a surreptitious keylogger on my machine, but if that’s what I’m up against, I have bigger problems than whether or not someone can get into my Twitter account.

Caveats: It seems profoundly unwise to have multiple machines accessing the TrueCrypt file at the same time.  That could, potentially, corrupt the encrypted volume irreparably.  Dropbox does do versioning, so this may not be a gigantic problem, but still, I’m not going to try it.  One machine at a time.  Dismount the TrueCrypt volume before logging out.

Another caveat is mobile access.  TrueCrypt and KeePassX don’t work on Android devices, so I can’t see my passwords through my mobile phone.  I can live with that, however.

So, while there may be no perfect security in the world, I feel pretty confident now that my passwords are all safe, accessible, and secure.  Perhaps that’s the best any of us can hope for, as we watch the continuums of privacy and technology shift under our feet.

Did I forget something? Got a better idea? Let me know in the comments.


Stacks of resumes, CC-licensed image by woodley wonderworks, via Flickr

As I’ve posted below, I’ve left my position as IT Specialist/Web Developer at Leslie Hindman Auctioneers to start my new gig with the American Bar Association Journal.

I made it clear to my outgoing employers that I wanted to do everything I could to make the transition to the next person as seamless and pain-free as possible.  Since they needed to hire a replacement, and I’m the only one with lots of knowledge about technical work, and insight into the brain of techs, I was charged with sifting through the résumés and determining who might be a good fit, and who we didn’t need to bother talking with.

So I’ve been looking at a lot of résumés, and I’ve been assisting in the interview process, and I’ve learned a few things about job hunting.  Most of these are common knowledge, but some might be non-obvious, so take it for what it’s worth to you.

Your résumé is important.  Don’t skimp on the time you spend on it. A no-brainer, right?  But you’d be surprised about how many résumés don’t seem to have had even one proofreading.  Your résumé is the first and most important document the person doing the hiring is going to be looking for.  At least, it was for me.  Make sure your current address and phone number are there, at the top.  Are you applying for a web job?  Include a URL for your personal site, and your facebook/twitter if you use them.  If I’m interested in you, I’m going to google you and find that stuff anyhow.  Don’t have a personal web site?  Then you have no business applying for a web job.  Seriously.

Don’t use one of the built-in templates in Microsoft Word to make your résumé. They don’t look good, and everyone else uses them.  It says, “Hey, I know how to use wizards, but I don’t care enough about this to really spend the time to make it myself, so I’ll be content to look like everyone else.”

On cover letters: Really, shouldn’t we be calling them “cover emails” these days?  Does anyone send a resume in by mail anymore?  First rule: Don’t copy and paste the same cover letter for every job you apply for. Second rule:  CHECK YOUR SPELLING AND GRAMMAR.  Third rule: A bad cover letter won’t keep me from calling you if your résumé is good, but a really good cover letter might get you an interview, even if your résumé isn’t so good.

Guess what?  I don’t need to know every model of Cisco switch you’ve ever worked with.  Familiarity with Cisco hardware is sufficient.

If your educational background includes a school which advertises during re-runs of Judge Judy, and your current job is working at a deli counter at a supermarket, I’m probably not going to believe you have the technical skills I’m looking for.

During the interview, I know you’re nervous, and you’re trying to make a good impression. But if you’re relaxed and conversational, I’m going to like you more. Check out the company’s website before you go in.  Learn a little bit about them.  Have a couple of questions to ask.  Be personable. Let’s have a conversation, not an interrogation. And, while it’s not really necessary, if you send a follow-up email after the interview, it’s going to make me think you care enough to put in a little extra effort.

You’ve had six jobs in the last two years?  Thanks, but no thanks.  Next.

And finally, headhunters are useless. Seriously.  I’ve tried going through headhunters while seeking employment, and it always turns out to be a waste of my time.  Now, I’ve been on the other side of the equation, and I can say that they’re pretty useless for finding good help as well.  They cost too much, they do too little.  Avoid them.

CC-licensed image by Samuel Huron. Source - Flickr

Here’s a great series of articles about how to structure and present information on news websites.

The link will take you to the first of a series of seven posts outlining some pretty advanced thinking about content management, the semantic web, and what makes sense for consumers of web content in terms of navigation, metadata, tagging, and how we generally treat information online.

“Each of the four parts (and two addenda) will look at the current state of things, criticize what’s wrong with our websites and what should change, but I’ll also provide a first stab at a solution. We’ve had enough “journalism is in crisis but I don’t know how to get us out either”-type blogposts lately, so I’m not looking to add any verbiage to that pile.”

This link came my way via Brian Boyer, the guy in charge of news apps for the Chicago Tribune.

Source - Flickr, image by Nathan Wells

I searched around on the internet this morning and I couldn’t find an example of exactly what I wanted to do, but I DID figure it out, so I thought I’d post it  here in the hopes that it would be useful to others.

Here’s the situation:

  • You have a new printer on your network.
  • You’ve set up a shared printer queue on your Windows-based server, and it’s printing just fine.
  • You can connect to the shared queue from other computers, and it works alright.
  • You now want to deploy the printer to all the other Windows machines on your network, but it’s a pain in the ass to walk around to every single machine and set them up by hand.

Solution — remotely deploy the printer to your clients by means of your login script.

And here’s the magic formula:

rundll32 printui.dll,PrintUIEntry /in /b "{Printer Name}" /n\\{server}\{shared printer name}

Put that line into your login script, replace {Printer Name} with the name you’d like the printer to have on the client machines, and replace \\{server}\{shared printer name} with the correct UNC path to the printer queue on your server, and BAM, you’re done!
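A fuller login script built around the same command, as an added example that is not part of the original post: it checks that the print server answers before trying, runs printui in quiet mode so users never see a dialog, and writes one line to a log so you can tell which machines picked up the printer. The server name PRINTSRV, the share name HPLJ4 and the log path are placeholders; substitute your own.

```batch
@echo off
rem Added example login script (not from the original post).
rem Assumes a hypothetical print server \\PRINTSRV sharing a queue
rem named HPLJ4; both names are placeholders.
setlocal
set SERVER=PRINTSRV
set SHARE=HPLJ4
set LOG=%TEMP%\printer-deploy.log

rem Skip the install when the server cannot be reached (laptop at home,
rem VPN down) so the login script does not hang on a dead connection.
net view \\%SERVER% >nul 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %USERNAME% %COMPUTERNAME% server %SERVER% unreachable, skipped
    goto :eof
)

rem /in = add a network printer connection
rem /q  = quiet mode, suppress the progress and error dialogs
rem /n  = UNC path of the shared queue on the server
rem Running this again on a machine that already has the connection
rem simply leaves the existing connection in place.
rundll32 printui.dll,PrintUIEntry /in /q /n "\\%SERVER%\%SHARE%"
>>"%LOG%" echo %DATE% %TIME% %USERNAME% %COMPUTERNAME% requested connection to \\%SERVER%\%SHARE%
endlocal
```

Redirection is written before the echo on purpose: a batch line that ends in a digit followed by `>>` would be parsed as a handle redirect, so `>>"%LOG%" echo ...` is the safe form.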

Now, the next time your users log in, they’ll get the new network printer automatically set up on their machines, all ready to go.

Your mileage may vary, of course, and this solution won’t work for Mac client machines.  Those you still have to touch.

Was this tip helpful?  Leave a comment and let me know!

I have been on Verizon for over a decade now, and honestly, I have been pretty happy with them. Problem is that until now, their phones sucked. I had some thoughts of getting an iPhone when they first came out, but they were way too expensive, and besides, AT&T is horrible.

But now, there is the Droid.

Just got it this morning, and I love it so far. The camera is better than my dedicated camera, the MP3 player is better than my dedicated MP3 player (Pandora!) and the GPS is better than my dedicated GPS.

In fact, I’m writing this post from the Droid. It’s correcting my capitalization as I go. :)

Good work Google. And Motorola. And Verizon, for once.

Oh, man.  This is a really, really bad idea from Microsoft.  On the other hand, it’s going to mean some easy money for me.  Let me remind you, my friend, that my computer-fixin’ rates are quite reasonable.

“…Windows XP users, including the millions who have recently snapped up cheap, XP-powered netbooks, will first have to wipe out everything on their hard disks in order to install Windows 7 on their current machines. In fact, Microsoft doesn’t even call migrating to Windows 7 from XP an “upgrade.” It refers to it as a “clean install,” or a “custom installation.” This disk wipeout can be performed manually, or automatically during the Windows 7 installation process.

If you’re an XP user, the disk-wiping will cause you to lose your current file and folder organization, and all your programs, though not necessarily your personal data files themselves.”

via Replacing Windows – WSJ.com.

Author Howard Rheingold demonstrates his Social Media Classroom project on Friday.  Photo: Kathryn Murphy/Medill

Whether it’s mapping an ancient Roman burial route over time, constructing a homemade flashlight or learning how to make art from recycled materials, HASTAC and the MacArthur Foundation are helping fund the digital media experiments that could provide innovative learning opportunities for youngsters.

In an effort to bring education up to speed with the digital era, the John D. and Catherine T. MacArthur Foundation along with HASTAC, a consortium of humanities, arts and science professionals, awarded $2 million in grants in the second annual Digital Media and Learning Competition on Thursday.

Howard Rheingold, futurist and author of the book “Smart Mobs: The Next Social Revolution” was a winner in last year’s competition, and served as a judge for this year’s applicants. “The educational model that is 1,000 years old, that is based on handwritten books that are chained down to lecterns that some old guy stands up and reads to you, is severely challenged when all the students in the room are online and you’re competing with the rest of the internet,” Rheingold said.

“Young people are changing as a result of digital media,” said Julia Stasch, the vice president of human and community development at the MacArthur Foundation. “This has huge implications for teaching and learning.”

To celebrate the announcement of the winners of this year’s grants, HASTAC brought together 17 of last year’s winners to demonstrate what kinds of projects the grant money helped produce, develop and expand. The event kicked off with a reception and performance by PLOrk, the Princeton Laptop Orchestra at the Newberry Library and concluded with an expo Friday afternoon at the Palmer House.

“[PLOrk] was one of the winners last year,” said Cathy Davidson, professor of interdisciplinary studies at John Hope Franklin Humanities Institute and co-founder of HASTAC. “And they’re not only a performing orchestra. When they teach students, they’re teaching students everything from computer music to atonal music to signal processing.”

Both creativity and user-involvement are key factors in determining winners for the competition. The winners of this year’s grants will display the results of their projects at next year’s reception.

“We were looking for things that were not one-offs, that can replicate and influence,” Rheingold said. “We’re looking at projects that have some degree of ingenuity regarding the technology and particularly projects that are centered on participatory learning.”

Some of this year’s grant recipients included: DigitalOcean, which will connect 200 classrooms worldwide to help observe and monitor declining fish populations; PlayPower, which will use an inexpensive ($12) TV-computer for interactive design of learning games; and Global Challenge, an online competition using media and social networking tools to develop and propose solutions to problems such as global warming and the future of energy.

The emphasis on interactive learning was evident in last year’s winning projects on display at Friday’s expo.

LEDs, resistors, and origami illustrated Ohmwork's winning entry in last year's Digital Media and Learning Competition.  Photo: Ian Monroe/Medill

Hypercities, scheduled to publicly launch this summer, allows users to take real maps of cities and overlay both geographical and time-based information. A HyperCity can include everything from its architectural history to the stories of residents past and present.

This has uses in both general education and for high-end research, according to Diane Favro, director of the UCLA Experiential Technologies Center.

“You can go through time and see the different maps and add your own content,” she said. “So you could add somebody’s trip through the city, or where riots had occurred in a particular historical time, or other events, and link that with music or pictures or, as we did with the Rome one, with 3-d models, so it just depends on what your goal is. It’s going to be open for everyone to use, and serve as a platform where everything gets geo-temporally tagged.”

Some of the projects, like Ohmwork, brought students in to help develop the projects. Ohmwork is a social networking site centered on do-it-yourself science and technology projects.

“About 70 kids helped develop the prototype, start and run the project,” said Corbett Beder, director of high school programs at Vision Education and Media. “We let them run wild with it.”

The site, directed primarily towards middle-school-aged kids, offers podcasts about experiments kids can try on their own, as well as the ability to comment on and contribute to the experiments of others.

The grants awarded in last year’s competition were also used to expand projects already in place. The Global Fund for Children created a hub for information and story exchange between grassroots organizations and vulnerable children.

“The grant allowed us to buy flip cameras to send to our partners,” said Monica Grover, a digital media projects manager for the fund. “It helped build this hub and post training in digital storytelling, so these people can share their stories, get their voices heard and help empower them.”

These stories can inspire additional learning, Grover said. People in India can learn from people in Honduras about how to cope in a food crisis, for example.

The MacArthur Foundation’s Stasch was confident the digital media competition would continue to produce innovative opportunities for learning.

“We’re looking around the corner at the best ideas of tomorrow,” she said.


An audio slideshow illustrating the concert by the Princeton Laptop Orchestra (PLOrk) on Thursday.  The performance was to celebrate the winners of the Digital Media and Learning Competition.  PLOrk was a winner in last year’s contest.

Note:  Kathryn Murphy and I co-wrote this piece.  It was first published on the Medill News Service website on 4/21/2009, and is republished here for my own archives.