More on Passwords and Online Security

Posted by JD 12/20/2014 at 01:00

As another online website got hacked today and leaked userids, email addresses and passwords, I started thinking about what would solve this issue basically forever.


  1. don’t use the same password anywhere online. Always unique per login/website.

  2. if you can, use a unique login for every online identity. No need to let anyone connect-the-dots or get a hint about your email login from a blog website. This is more important for logins to financial services. I couldn’t tell you my brokerage userid – don’t know it – it is random.

  3. if you can, use a unique email address for all identities. These do not need to be anything more than email aliases, since receiving email and redirecting it to a real account is easy. No need to support “send”. If you don’t know what an email alias is, don’t worry.

  4. Definitely have a few different email addresses – 1 for social stuff online and a different 1 or 3 for financial stuff. If the social email gets hacked, that shouldn’t impact your financial email accounts at all.

  5. Lie on all password reset questions. Never tell the truth or the same answer for different websites. Keep your lies inside a password manager.
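One way to check that you are actually following rules 1 to 4 is to audit a password-manager export for reuse. The script below is an added example written for this post; it is not from the post or from KeePass. It assumes a CSV export with the columns title,username,email,password (the layout is an assumption, and the rows are constructed sample data, not real credentials) and reports every password, login or email address shared by two or more entries, without ever printing a password.

```python
"""Audit a password-manager CSV export for reused passwords, logins and
email addresses across sites (added example; not from the post or KeePass).

The CSV layout (title,username,email,password) is an assumption, and the
rows in SAMPLE_EXPORT are constructed sample data, not real credentials.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; the reused values on blog/forum are deliberate.
SAMPLE_EXPORT = """title,username,email,password
bank,x7q9mlp2,bank-alias@example.com,K3n!vP8wQz@2rLm#
blog,jdoe,jdoe@example.com,Summer2014!
forum,jdoe,jdoe@example.com,Summer2014!
shop,a9ki02ws,shop-alias@example.com,ds8$Gq1zT!pL0vXe
"""


def load_entries(text):
    """Parse the CSV export text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reuse(entries, field):
    """Return {value: [titles, ...]} for every value of `field` that
    appears in two or more entries (empty values are ignored)."""
    seen = defaultdict(list)
    for entry in entries:
        value = entry[field].strip()
        if value:
            seen[value].append(entry["title"])
    return {v: titles for v, titles in seen.items() if len(titles) > 1}


def audit(text):
    """Run the reuse check for each of the three fields the post says
    should be unique per site."""
    entries = load_entries(text)
    return {field: find_reuse(entries, field)
            for field in ("password", "username", "email")}


def report(text):
    """Human-readable findings, one line per reused value. Reused
    passwords are reported by site only; the password itself is redacted."""
    lines = []
    for field, reused in audit(text).items():
        for value, titles in reused.items():
            shown = "<redacted>" if field == "password" else value
            lines.append(f"{field} reused across {', '.join(titles)}: {shown}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

Run it against a real export only on a machine you trust, and delete the export afterwards; the interesting output is the list of sites that share a value, which is exactly the list of accounts to fix.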

How to do these things easily? Use a password manager. Try it for a week, see if you don’t become addicted. More on KeePass

There are other uses for password managers too. Well worth your time.

If we do these things, no need to panic over having any social/google password db out there. Even if it were leaked as plain text, I wouldn’t care. It doesn’t matter. Don’t let any social website know your real email address or a password used anywhere else. Unique, random matters.

Prefer F/LOSS security tools over commercial offers. Historically, commercial security vendors have misled their users, or the marketing department simply lied.

keepass and keepassx are good. The source code is available for download and review by anyone. Security of the tool is not through anything hidden, just good encryption which currently cannot be broken when normal best-practices are used.

KeepassX is amazing.

More Than Doubled Health Insurance Premiums

Posted by JD 12/13/2014 at 16:00

This week, I got a shock in my snailmail box. It was an offer from my current health insurance company for a different policy which meets the new federally mandated requirements.

For the last 3-4 years, my premiums were $148/month. That was manageable.

The new premium is $321/month and raises the annual deductible 20%. I checked both my current provider’s other plans and those from the Obama-Care website. The Obama-Care website didn’t have any plans from my current insurer and were about the same 2x price. I didn’t look too closely at the options. I use Costco’s Insurance marketplace now and did look over the different options there. The cheapest plan which was significantly worse than what I have today was $280/month. I compared a few other plans against the one picked for me by the insurance company. Found one that was $302/month, then tried to change my current plan over to it, but couldn’t login. Reset the password (I use a password manager, so it shouldn’t have been necessary), and wasn’t able to login still. It was late, so I decided to try later. I have until Monday (2 days) to pick a different plan.

That offer had an increase of 2.1x and will all but destroy the extra household budget for entertainment. My hobbies will simply have to take a back seat to health insurance premiums. I suppose we will eat out less too.

I’m confused how a service that I barely use, with a monthly cost of $138-$148, can justify doubling in a few months. Is this fraud, or do the federally mandated changes, which don’t have anything to do with my needs, really require that much more money?
Or are the insurance companies using this to make everyone pay more?

Perhaps 100% free health care in the USA would be better?

It seems that I’m not alone with the premiums going up. Washington Post

Perhaps I can qualify for government assistance for these premiums? I think this is doubtful.

T-mobile PAYG Plan Changed!

Posted by JD 11/03/2014 at 01:00

The fantastic t-mobile payg (Pay As You Go) plan that I’ve been using for 8+ years is gone. It was $0.10/min, no monthly minimum.

Now they’ve made it $3/month and include 30 minutes. For many years, I’d spent about $20-30/yr total, so this is about a 50% price increase to me at 12 x $3/mon = $48/yr. It won’t kill me and my prepaid account is active for 365 days still (I assume). Most people would talk at least 30 min worth in a month, which is fine.

When I’d travel, the plan would be changed to $2/Day Unlimited Talk, Text & 2G Web. That still exists, but they’ve added $10 for 7 days of LTE data (1G max). This $10 is additional and only provides data, not unlimited talk/text.

For example, just returned from Phreaknic and enabled the 2G unlimited stuff (talk/text and 2G data) for $2/day over 4 days = $8 total. Talked about 45 min in that time and used about 60MB of data for maps, GPS, directions. The signal always said 3G, but there were many places where no data flowed.

None of these PAYG plans provide any international roaming. So sad. Looks like picking up a €10-15 SIM after landing will still be the std procedure.

Update – 2015

Took a trip and was able to enable a 7-day $10 1G data plan on the $3/month pay-as-you-go plan. For some trips, this would definitely be useful, but not for my last trip. I visited family and knew the area a little. Using an offline map too – FreeNAV – and preloading a few highly-rated restaurants into the favorites removed any need for data. Basically, I used the data to check emails during the 4 days I was at a conference. Meh. Those could easily have waited until the evening. Even when driving, the data plan wasn’t very useful – FuelMyRide, a cheap-gas Android app, has stopped providing service, so that wasn’t useful. I did look up a discount chain when on the road, but that definitely wasn’t worth $10.

In summary, t-mobile has made their add-on data plans too expensive to be useful for short trips. The $2/day plans were just right – not cheap, but I could justify it easily. $10/wk seldom makes sense for me.

I really miss the pure pay-as-you-go plan that didn’t have a monthly minimum charge. Oh well, they are still the best deal for my needs.

Update – April 2015

I feel screwed again by t-mobile. I’ll explain.
Normally, I add $10 to my PAYG plan every year. This has been working since 2007-ish. I never really checked the balance, since adding that $10 annually added to the prior balance and extended the length for another 365 days. Last fall (after I added minutes), there was $30+ on the account. My expectation was these were good for 365 days, just like they had been for years. I don’t really talk on the cell phone, not my nature.

Jump forward to March 2015 and a trip out of town so I add the $10/wk for 1G of data to my PAYG plan. Notice the account balance is $5.xx AFTER the $10 is taken out. Fine, time to add some more money, it will be good for a year after all. Looked at a retailer for a $100 card and not finding it, picked up a $50 card.

Today, added the $50 to my account and it said the minutes were good for 90 days!!! WHAT?!!
What happened to 365 days? 10 minutes later and I found lots of other people like me pissed off at t-mobile – basically they removed the 365-day period and didn’t tell anyone. Further, they left all the old advertising up on their website. I can’t spend $50 in cellphone use within 90 days. Can’t be done.

So a few people are claiming that prior gold rewards accounts are grandfathered. I hope so.

Pulled this from the t-mobile website today – Apr 2, 2015

How can I get the most value for my refill money?

A: If you are a pay by the minute customer, add $100 in refills to attain Gold Rewards status. Customers who have reached Gold Rewards status get 15% more minutes with every refill and keep access to service for a full year.

When do my Gold Rewards rates take effect?

A: Once you have activated $100.00 in refills on a pay by the minute plan, you automatically qualify for Gold Rewards and will receive 15% more minutes with every future refill. And you’ll retain access to service for a full year!

EFF Security Starter Pak

Posted by JD 10/24/2014 at 17:03

EFF Security Starter Pak

Sections:

  1. An Introduction to Threat Modeling
  2. Communicating with Others
  3. Creating Strong Passwords
  4. What Is Encryption?
  5. Keeping Your Data Safe
  6. Protecting Yourself on Social Networks
  7. Choosing Your Tools

Lots of great tips and techniques in that article.

Fast and Easy LXC Deployment 2

Posted by JD 10/21/2014 at 22:02

LXC is getting easier and easier to use.
Flockport seems to be the easiest way to stay mostly standard, yet still be LXC-based.

It doesn’t seem to be as flexible or complex as Canonical’s Juju’s or Docker’s highly advertised stuff. Docker is great at advertising, just sayin’.

Flockport seems to be exactly what I needed – mostly standard, easy to use, LXC deployments for development and testing. Not planning to use any for internet-facing needs. Just too new with LXC to be comfortable trusting the security and my skill to know about the unpublished issues (security and others) with containers. For spinning up a quick internal web-app instance … perfect.

Rygel A Simple DLNA Server

Posted by JD 10/07/2014 at 17:00

Sometimes you just need a simple DLNA server.
Rygel is just that. Easier than miniDLNA, lighter than all the others like Plex Server.

I didn’t have to configure anything – it sorta just worked.

It works with the BubbleUPnP Android DLNA server/client/renderer and with every other DLNA client that I’ve tried – though we use a plex server most of the time.

You Don't Know SSH About ssh 1

Posted by JD 09/23/2014 at 14:00

Every time I read the ssh manpage, I learn something new. This is after over 15+ yrs of using ssh. It is an amazing tool. It is the sonic screwdriver for UNIX systems connectivity.

But ssh does more than just normal connectivity stuff.
Much more.

Everyone could learn a little more about ssh and stop doing things the hard way – PLUS using ssh is likely more secure than whatever we are doing today. Win-Win. Both more efficient AND more secure. How often does that happen in the real world?

For example, did you know that vim supports remote editing of files through ssh and rsync?

$ vim rsync://dev/projects/gallery/src/templates/search.html.tt

This works with gvim too. Kewl!

Smylers’s article SSH Can Do That? Productivity Tips for Working with Remote Servers is a great resource for all these magical techniques. I won’t repeat it here – let’s just say that in 15+ yrs using ssh, I learned 4 new, useful things from that article. Time to start modifying my ~/.ssh/config files now.

If you are completely new to ssh features, here’s a nice, short, article from diogemelo to get you started. These are fairly standard uses.

ssh is enough for

  • secure remote access to files via sftp
  • secure remote filesystem access via sshfs
  • secure remote CLI/shell access to systems with plain ssh
  • secure remote desktops via x2go/freenx
  • secure remote file replication with rsync (ssh is the default rsync protocol)
  • secure port forwarding of selected ports
  • secure remote editing with vim/gvim and other editors
  • pseudo-VPN with sshuttle <— this may be helpful.

ssh really is the toolbox for remote connectivity.
A good resource about all things ssh is the wikibooks OpenSSH Client Conf entry.

Of course, ssh security doesn’t start and stop with using keys. We need to do more.
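Since most of the tricks in that article live in ~/.ssh/config, it helps to know exactly which options a given host ends up with, and whether any of them weaken host-key checking. The script below is an added example written for this post, not from the post, the Smylers article or OpenSSH. It implements two rules documented in ssh_config(5): Host patterns are shell-style globs matched against the name typed on the command line, and for each option the first obtained value wins. The config text is constructed sample data, and the list of options it flags as risky is this example's own choice.

```python
"""Resolve the effective ~/.ssh/config settings for a host and flag options
that weaken host authentication (added example; not from the post or OpenSSH).

Implements two ssh_config(5) rules: Host patterns are shell-style globs
(a leading '!' negates a pattern), and the first obtained value for an
option wins. SAMPLE_CONFIG is constructed sample data.
"""
import fnmatch

SAMPLE_CONFIG = """
# Constructed sample ~/.ssh/config
Host dev
    HostName dev.internal.example
    User jd
    LocalForward 8080 localhost:80
    ServerAliveInterval 15

Host *.lab.example
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

Host *
    IdentitiesOnly yes
    ServerAliveInterval 60
"""

# Option/value pairs this example treats as weakening host authentication
# (the example's own list, not an OpenSSH policy).
RISKY = {
    ("stricthostkeychecking", "no"): "accepts unknown and changed host keys",
    ("userknownhostsfile", "/dev/null"): "never records host keys",
}


def parse_config(text):
    """Return [(patterns, {option: value}), ...] in file order.
    Options before the first Host line are kept in a block matching '*'."""
    blocks = []
    patterns, opts = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (values with '#' unsupported)
        if not line:
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:                   # 'Key=value' form
            parts = line.split("=", 1)
        key = parts[0].strip().lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if opts:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)      # first value inside a block wins too
    if opts:
        blocks.append((patterns, opts))
    return blocks


def resolve(blocks, host):
    """Merge every block whose patterns match `host`, first value wins."""
    settings = {}
    for patterns, opts in blocks:
        positive = any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))
        negated = any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!"))
        if positive and not negated:
            for key, value in opts.items():
                settings.setdefault(key, value)
    return settings


def risky_settings(settings):
    """Return [(option, value, reason)] for settings listed in RISKY."""
    return [(k, v, RISKY[(k, v.lower())])
            for k, v in settings.items() if (k, v.lower()) in RISKY]


if __name__ == "__main__":
    blocks = parse_config(SAMPLE_CONFIG)
    for host in ("dev", "box1.lab.example"):
        effective = resolve(blocks, host)
        print(host, effective)
        for option, value, reason in risky_settings(effective):
            print(f"  WARNING: {option} {value}: {reason}")
```

Note how `dev` keeps its own ServerAliveInterval of 15 while the lab hosts fall through to the 60 in `Host *`: the catch-all block belongs at the end of the file precisely because earlier values win. The lab block is the pattern to watch for; disabling StrictHostKeyChecking with a throwaway known_hosts file is convenient for disposable test boxes but removes the only defence ssh has against a man-in-the-middle on first connect.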

Are there great ssh things that you know NOT in his article?

The Do You Know Scale

Posted by JD 09/22/2014 at 14:01

From Bruce Feiler’s book, The Secrets of Happy Families :

The Do You Know Scale

Please answer the following questions by circling “Y” for “yes” or “N” for “no.” Even if you know the information we are asking about, you don’t need to write it down. We just wish to know if you know the information.

Cloud Data Loss is Real! 1

Posted by JD 06/04/2014 at 19:00

At CloudSlam’14, it was presented that 1 of 3 companies experience data loss from their cloud providers. That’s 1/3rd of them!

  • 64% is due to user error – we are our own worst enemy!
  • 20% is due to malicious intent. Hackers, sometimes insiders are just being mean.
  • 7% is due to application sync errors. These are integration providers that hook into other SaaS apps.

Easy Acer C720 Ubuntu 14.04 12

Posted by JD 04/18/2014 at 22:00

If you have an Acer C720 – GREAT! These are amazing systems. But some of the hardware support out-of-the-box from Linux isn’t perfect. What if running 1 little script can fix that?

Verified to work with Ubuntu 14.04 x64 on a C720.