Monday, April 21, 2014

Password security hall of shame

With the recent Heartbleed vulnerability (wait, why am I even making that a link), I figured it was time to upgrade my password security. Like all proper nerds, I have dozens of accounts all over the web. And like most humans, I am unable to remember distinct passwords for all of them. I'll admit, I have sinned, and reused passwords all over the place. Today, I repent.

So far, my strategy has been to have three tiers of passwords:
  • a very strong one for my email and banking
  • a moderately strong one for accounts that I somewhat care about
  • a laughably weak one for throwaway accounts
The reason that these aren't all strong passwords is that I started using increasingly strong passwords over the years, but never bothered to update lesser-used accounts.

After some research and asking around, my new strategy will be random unique passwords, stored in the password manager LastPass. There are several other password managers, but LastPass is the only one that ticks all but one of the boxes that I care about:
  • Easy to use.
  • Passwords are encrypted locally and never leave your computer.
  • It's available as a browser plugin.
  • It's available on Linux, OS X and Windows.
  • It's available on mobile devices.
The one box it doesn't tick is being open source, which makes me a bit sad. Open source alternatives would be KeePass or Password Safe (the latter by security expert Bruce Schneier) but neither seems to have great usability.

So I spent a few hours today changing passwords on over 40 websites, and got a nice overview of how different sites approach password security. Here is my bottom-3 of the worst ones.

#3: Steam

You can log in to your account on the web, view purchases, chat with friends, and do many more of the things that nobody ever uses Steam for... but you cannot change your password on the web. You have to use the client for that. (Also, why haven't they bought yet?)

#2: HSBC

HSBC, the large multinational bank, have a very... interesting approach to login. Some banks use a username/password combination for their online banking. Most will then require two-factor authentication to actually do transactions. Some banks use username/OTP for logging in, where you sometimes need your bank card to generate the OTP.

HSBC does none of these things. Their login flow uses a username, a memorable question, and a 6-digit OTP. The admissible memorable questions are:
  • What is your eldest child's middle name? (I don't have any children.)
  • Who was your first employer? (Easy to find on LinkedIn.)
  • What is your father's middle name? (Somewhat harder to find, probably not impossible.)
  • What is the name of the street you grew up on? (Easy to guess if you know where I went to primary school.)
  • What was the name of your first school? (And the name of that school is probably on the untrimmed version of my CV.)
  • Name a memorable character from a film or book or TV (I wouldn't remember what I'd answered to this one.)
  • What is the make and model of your first car? (I never owned a car. And if I still had it, it'd be parked outside my house for all the world to identify. Maybe even on Street View.)
  • Name a memorable meal (What?!)
  • Name a memorable restaurant (Actually, this one might work for me. But for close friends, my answer would be easy to guess.)
  • What is your memorable answer?
Yes, really. The self-referentiality almost makes the entire banking world disappear in a puff of logic. But of course I chose this option, and just entered a password. I can only imagine how this option came about.
Management: "Passwords are too hard. I forgot the password to my email for the third time this month. IT people, make our site use a secret question instead."
IT person: "But they are less secure. They're easy to guess for outsiders. We're a bank, right? We manage people's money."
Management: "I have to rush off to a meeting. You know what to do."
IT person: "Just one more question – what secret questions should we use?"
Management: "You're the expert. Figure something out."
IT person (trying to suppress a grin): "OK, will do."

#1: Charles Schwab

Schwab is a big investment firm that manages stock portfolios, so you'd expect them to be secure, right? Let's take a look at their password policy:
  • The password must be at least 6 characters. So far, so good.
  • The password must contain at least one digit. OK.
  • The digit must be between the first and last characters. What?
  • The password must be at most 8 characters. What?!
  • The password may not contain any symbols. WHAT?!
  • The password is case insensitive. WHAT?!
Even LastPass had some trouble coming up with a password for that.

Well, at least they have recently added the ability to change your username, so I can stop being THOMAS3722. Or was it THOMAS9560? I forgot.

Sunday, June 30, 2013

Hodor qualification

In the world of creative programming jargon, we already knew about Yoda conditions (“if three the size is”):

if (3 == size) {

And about Pokémon exception handling (“gotta catch 'em all!”):

try {
catch (Exception ex) {

Now I recently ran into a new antipattern, and decided to name it Hodor qualification after the character from Game of Thrones who can only say his own name.

Hodor qualification is to needlessly prefix calls to static methods by their class name, even from within the same class:

class Hodor {

  private static int foo(int x) { ... }

  private static void bar() {
    return + +;



Tuesday, February 19, 2013

Uninstalling old kernels in Ubuntu

One would think that Ubuntu would be smart enough to remove obsolete kernel packages by itself. One would be wrong.

I think the Computer Janitor can clean them up but you still have to run that manually. So I prefer the following command:

uname -r; sudo apt-get remove $(dpkg --get-selections 'linux-image-*' | grep '\binstall' | head -n-3 | cut -f1)

This removes all kernels except the latest two. It prints the currently running kernel version so you can easily check that it's not removing that one.

Sunday, October 21, 2012

Turning off the screen saver in Ubuntu

TL;DR: xset s off

“That's easy,” I could hear you think when you read the title. Well, it took me hours to figure it out. It drove me crazy that I'd have to get up and move the mouse every 10 minutes while watching a movie¹, and I couldn't figure out how to disable this behaviour. And when something takes that much effort, I blog about it so that other people might find the solution more easily.

Of course you can easily disable the screen saver through the control panel thing. But I'm not using the Gnome panel, so I never know how to get to that GUI in the first place. Also, you may find, like me, that it just does not work and your screen will still turn black after 10 minutes.

From the console, you can disable the screen saver with:

$ gsettings set org.gnome.desktop.screensaver idle-activation-enabled false

This probably does the same thing as the check box in the GUI. But for me, it wasn't enough: the screen would still blank after 10 minutes!

As it turns out, this is a default built into Xorg itself. Try this:

$ xset q
Screen Saver:
  prefer blanking:  yes    allow exposures:  yes
  timeout:  600    cycle:  600

Yep, that's the problem. Once you've found it, the solution is simple:

$ xset s off
$ xset q
Screen Saver:
  prefer blanking:  yes    allow exposures:  yes
  timeout:  0    cycle:  600

This only works until the X server is restarted; put xset s off in your .xsession file to make this change permanent.

¹ At least for some movies. mplayer disables the screensaver automatically, but Flash doesn't.

Sunday, July 15, 2012

Switching default PulseAudio device when USB microphone is plugged in

I have a PlayStation Eye for a USB webcam and microphone, which is supposed to be supported by Linux. Unfortunately the microphone won't work until I unplug it and plug it in again after boot.

But the unplugging causes PulseAudio to change its default device back to my on-board sound card, which doesn't have a microphone plugged into it. It won't change the default back to the Eye on its own. Here's a workaround, which took me several hours to develop, and isn't for the faint of heart. But it works now, dammit.

All we need to do is nudge PulseAudio a little via a udev event. First, install the daemon package:

sudo apt-get install daemon

Then create a new file /etc/udev/rules.d/99-pseye.rules with the following content (all on one line!):

SUBSYSTEMS=="usb", ATTR{idVendor}=="1415", ATTR{idProduct}=="2000", RUN+="/usr/bin/daemon -- /bin/su thomas -c 'sleep 1 && /usr/bin/pacmd set-default-source alsa_input.usb-OmniVision_Technologies__Inc._USB_Camera-B4.04.27.1-01-CameraB404271.input-4-channels'"

OmniVision is apparently the manufacturer of this camera. Reports around the internet have slightly different version numbers; type pacmd list-sources and use the name of your particular device (which shows up as name: <...>). You also want to replace thomas by your own username; this is used to find the running pulseaudio daemon.

There shouldn't be any need to restart the udev daemon, but if you find otherwise, do sudo restart udev.

The daemon command is needed because we need to delay the pacmd command a bit; if we run it right away, PulseAudio hasn't picked up the new device yet. The trouble is that udev tries very hard to wait for completion of all child processes of the RUN command before firing its events into userland, so PulseAudio will always get its event only after our script has already finished and failed. Even various combinations of & and nohup wouldn't convince udev not to wait, but daemon does the trick.

If this doesn't work, here are some debugging methods that I used. Try adding -o/tmp/daemon.log after /usr/bin/daemon and inspect the output. To watch udev events happen in real time, use udevadm monitor. Another good source of information is /var/log/syslog; do tail -f /var/log/syslog | grep pacmd to filter it. Also check the output of pacmd dump to see whether the set-default-source command has taken hold.

Oh, and the upstream PulseAudio people in all their wisdom decided (bug report) that 4-channel microphones like this one don't deserve to have a default profile, resulting in the message Failed to find a working profile in /var/log/syslog. The result is that PulseAudio will retry loading, and retry, and retry … causing brief and hard to debug system freezes once every minute or so. To make the microphone work at all in Ubuntu 12.04 (bug report), you also have to add the following at the end of /usr/share/pulseaudio/alsa-mixer/profile-sets/default.conf:

[Mapping input-4-channels]
device-strings = hw:%f
channel-map = front-left,front-right,rear-left,rear-right
description = 4 Channels Input
direction = input
priority = 5

[Profile input:mic-array]
description = Microphone Array
input-mappings = input-4-channels
priority = 2
skip-probe = yes

Then type pulseaudio -k to reload the daemon (it will be restarted on demand). Yes, this will be overwritten on upgrades. I've found no way to work around that yet.

Sunday, August 14, 2011

Heathrow runway alternation in Google Calendar

I moved to London recently, and unfortunately I found out too late that my new flat is right in the flight path of Heathrow's northern runway, causing quite a bit of overhead noise. However, I noticed that some periods were very quiet (including when I was viewing the flat). Was there some method to this madness?

Turns out, there is. The Heathrow runway alternation schedule is nicely documented on the Heathrow website. Basically: one week has noisy mornings, the next week has noisy afternoons/evenings.

But it's a PDF file, which is only useful for printing and sticking on walls, which is sooooo 2010. So I turned it into a public Google Calendar, for use by myself and anyone else who might be interested. But alas, Google removed the ability to search for public calendars back in 2009, which forces me to post about it here to make it findable.

Here's the ID of this calendar: 
Copy this, head over to Google Calendar, and paste it into the box labelled “Add a friend’s calendar”. Simple as that.

That's only for the northern runway, known as 27R (when landing/departing towards the west) or 09L (when landing/departing towards the east). Since landing and departing probably make the same amount of noise, I lumped them all together. If anyone would like a similar thing for the southern runway, let me know and I'll put one together.

Friday, February 18, 2011

Exporting slices from Inkscape, part 2

I previously wrote about how to export slices from an Inkscape file, using a bash script. Here's a better script, using Python, which doesn't require you to give your slices any special label.

The new process is as follows:

  • First, draw your image as usual.
  • Then, add a layer that will hold the slices; name it slices (this is important). Set the layer's opacity to about 50% to be able to see what you're doing. Enable the grid, and make sure it is set to pixels: you want your slices to align with pixel boundaries.
  • Draw your slice rectangles onto the slices layer, aligned to the grid. Ensure that the rectangles have no border; the fill is irrelevant (I use red).
  • Right-click a slice, and choose Object Properties. Change Id field to the name of the eventual PNG file, without the extension. The area defined by a rectangle named foo will be saved to foo.png. Repeat this for all slices.
  • Hide the slices layer. If you forget this, the script will print a warning.
  • Save your image. Let's say you called it layout.svg.
  • Run the script as follows:
    ./ layout.svg
    You should see each of your slices being exported to a PNG file in the same directory.

Here's the code for the script. Save this to a file and make it executable.

#!/usr/bin/env python

import sys
import os
from xml.dom import minidom

if len(sys.argv) < 2:
    print 'Usage:  %s filename.svg' % sys.argv[0]
input_file = sys.argv[1]

dom = minidom.parse(input_file)
groups = dom.getElementsByTagName('g')
for group in groups:
    if group.getAttribute('inkscape:groupmode') == 'layer' and group.getAttribute('inkscape:label') == 'slices':
        if 'display:none' not in group.getAttribute('style'):
            print 'Warning: slices layer might still be visible'
        for element in group.getElementsByTagName('rect'):
            export_id = element.getAttribute('id')
            filename = '%s.png' % export_id
            print 'Exporting %s...' % filename
            os.system('inkscape --export-id="%s" --export-png="%s" --file="%s"' % (export_id, filename, input_file))
    print 'No layer named "slices" found; not exporting anything'