It’s password management turtles all the way down

Since I mentioned password management in passing yesterday I recall a question I haven’t seen answered yet: how do you manage your password management passwords?

My setup is this: as advocated by, eg Bruce Schneier and Troy Hunt (but not, apparently, by Florêncio et al 2014, although I’ve only read the abstract and some of the press) I use a password manager, which stores huge long random passwords for all the sites I use and is in turn password protected.

While I’ve been doing this for several years, a few flaws have emerged:

  1. Google passwords. You have no idea how often you need to enter a Google password on an Android phone until… you do. And you’ll be reminded for every new device and then every password change, even if you’re a Heartbleed-level-or-greater password changer. It’s very very difficult to survive setting your Google password to F]U8NScS+RP7eL5)v=gj7f*/bX~$&` or even F]U8NScS+R frankly as an Android user. (Especially since if you have two factor turned on, the way you authenticate to an Android phone involves entering your password twice.)
  2. Shared passwords, often required in business in particular but also in (cough) personal households, and not handled by most password managers in any model other than “a password database for you”, “a password database for you and your boss”, and so on for potentially combinatorial values of “you and [colleague]”.

There are some services that attempt to solve that second point within an organisation, eg, LastPass Enterprise, but even allowing for that, let us enumerate the password manager passwords that a hypothetical individual called Mary currently has:

  1. personal password manager password
  2. work password manager password
  3. household password manager password
  4. volunteer organisation password manager password

And at the point where this hypothetical individual is remembering four separate extremely complex and secure passwords it’s beginning to look like the promised land of “the last password you’ll ever need” is, well, turtles all the way down.

It’s 2014 and the Internet is still atomising my household

Here’s some electronic things my household owns collectively:

  • our main camera
  • our television
  • our games consoles
  • our Kindle and Nexus tablet

Here’s the services I use almost daily that do not have any notion of collectively owned content or multiple publishers wanting to manage a single account:

  • Flickr
  • Google Play, or any other Google service
  • Xbox Live (to the extent I’ve explored it)

And this is epically frustrating, because here’s some use cases that these websites don’t handle well.

  • we share parenting of our children. We would like to be able to play one or both of them Frozen or Cars or whatever without both owning a copy from a streamable service or someone needing to leave a logged in Android device with a known password in the house at all times.
  • we both take photographs on our main camera. We sometimes can’t remember who took which one and in any case, it’s always me who post-processes them. We would like to be able to publish them on a photo sharing website and maybe sometimes attribute authorship (if one of us is especially proud of a shot and actually remembers taking it) and sometimes not!
  • we read the same books because I read them first and Andrew reads some subset of them on my recommendation, and we’d like to do that without both buying a copy.
  • we listen to the same music because Andrew listens to it first and I listen to some subset of it on his recommendation, and we’d like to do that without both buying a copy.

I mean, it’s disgusting really. One day we could even do the ultimate in simple gross violation of normal and healthy relationship boundaries some day and want to play each other’s saved games.

Right now we do pretty much what everyone does to some degree, as far as I can tell, which is to have a shared Amazon account and a shared Flickr account and still buy movies on optical discs for now even though five minutes of unskippable sections at the start are annoying and put our music on a fileserver and awkwardly manage our photos on a USB hard drive that can get plugged into different laptops and really not stream much stuff at all. Maybe one day we’ll have some kind of dedicated device that is logged into someone’s Google account and streams movies that are always bought through that account, or something like that.

Now traditionally when I make this point, someone will show up and say “yes, my dear, but something extremely complicated is going on here, much too complex and subtle for your delicate sensibilities, called making money through an advertising revenue model requiring demographic information and the entire world will go bankrupt if we allowed multiple people to share accounts even for content they produced in any recognised way, so don’t worry your pretty little head about it and let your husband buy the clicky button things from now on.”

To which I answer: this blog is (to the best of my knowledge) not owned by any of Yahoo!, Google or Microsoft and does not especially care about their revenue models. Moreover, if your comment boils down to “please try and see this from the side of the websites” I will replace your comment with the one from the previous paragraph, sexist content and all. (Also don’t explain to me that one can share passwords in various ways. I know. I do those things.)

I will concede one point: households don’t have continuity in the way that individuals do. My household will split into at least three and perhaps four someday. This is pretty much impossible to model in the present intellectual property+licencing rights model as far as I can tell.

And all the same, I’m annoyed that the software world is really hostile to the (very normal) way I live my life and is (surprise!) set up for a world in which each of the four people in my house sits in their own room with their own TV + gaming system + speakers + phone/tablet + ereader interacting with content they purchased entirely separately, and in many cases, in duplicate (possibly) maximising your revenue since whichever unfortunate day someone came up with the idea of an “account” on a computer system.

First ecosystem to fix this gets to sell me Frozen or something.

A short theory of under-committing to things

I’ve been listening to a lot of podcasts lately, and I keep being tempted to start my own. Except, yikes, I need to do hours for four years or something?

Sumana Harihareswara suggested to me that maybe I should start aggressively small and uncommitted like Leonard Richardson’s podcast: when I feel like it, in whatever style I choose. And that was close, but I’ve realised the closest fit for my personal style is to aim high, but to limit my run. This doesn’t always work out as I’d hoped, but it still seems like a good model. Do four ‘casts (say). And then done. No promises when or if I’ll be back.

I wish more things in my life could be structured that way.

Handling harassment incidents swiftly and safely

This article was written by me and originally published on the Ada Initiative’s website. It is republished here according to the terms of its Creative Commons licence.

As anti-harassment policies become more widespread at open technology and culture events, different ways of handling harassment incidents are emerging. We advocate a swift process in which final decisions are made by a small group of empowered decision makers, whose focus is on the safety of the people attending the event.

Open technology and culture communities, which often make decisions in a very public way, can be tempted to also have a very public and very legalistic harassment handling process, a judicial model, but we advocate against this. It prioritises other values, such as transparency and due process, over that of safety. Alternatively, because many members of such communities find ostracism very hurtful and frightening, sometimes they develop a caretaker model, where they give harassers lots of second chances and lots of social coaching, and focus on the potential for a harasser to redeem themselves and re-join the community.

But neither of these models prioritises safety from harassment.

Consider an alternative model: harassment in the workplace. In a well-organised workplace that ensured your freedom from harassment — a situation which we know is also all too rare, but which we can aspire to, especially since our events are workplaces for many of us — an empowered decision maker such as your manager or an HR representative would make a decision based on your report that harassment had occurred and other relevant information as judged by them, and act as required in order to keep your workplace safe for you.

A well-organised workplace would not appoint itself your harasser’s anti-harassment coach, have harassment reports heard by a jury of your peers, publish the details of your report widely, have an appeals process several levels deep, or offer fired staff members the opportunity to have their firing reviewed by management after some time has passed.

Like in a well-organised workplace, we advocate a management model of handling harassment complaints to make events safer: reasonably quick and final decisions made by a small group of empowered decision makers, together with communication not aimed at transparency for its own sake, but at giving people the information they need to keep themselves safe.

The management model of harassment handling is that:

  1. you have a public harassment policy that clearly states that harassment is unacceptable, and gives examples of unacceptable behaviour
  2. you have a clear reporting avenue publicised with the policy
  3. you have an empowered decision maker, or a small group of decision makers, who will act on reports
  4. reports of harassment are conveyed to those decision makers when reported
  5. they consider those reports, gather any additional information they need to make a decision — which could include conduct in other venues and other information that a very legalistic model might not allow — and they decide what action would make the event safer
  6. they communicate with people who need to know the outcome (eg, with the harasser if they need to change their behaviour, avoid any people or places, or leave the event; volunteers or security if they need to enforce any boundaries)
  7. they provide enough information to the victim of the harassment, and when needed to other attendees, to let them make well-informed decisions about their own safety

Further reading

Handling harassment incidents swiftly and safely by the Ada Initiative is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Based on a work at https://adainitiative.org/2014/07/23/handling-harassment-incidents-swiftly-and-safely/.

Opt-in Creative Commons licencing plugin for WordPress?

Does anyone have a recommendation for an opt-in Creative Commons licencing plugin for WordPress? That is, one where the default state is not to CC licence something, but where, when some action is taken, an individual post or page can be so licenced.

As background: I have no desire to write, maintain, or even debug a WordPress plugin. I want to know if there is something for this use case that Just Works.

I want opt-in, because it is too hard to remember, or to train others, to find an opt-out box when posting, and thus end up CC licensing things that weren’t intended to be, or can’t be, released under such a licence.

Some options I’ve already looked into:

WP License reloaded: was pretty much exactly what I wanted but doesn’t seem to be actively maintained and is now failing (possibly because the site in question is now hosted on SSL, I’m not sure, see above about not being interested in debugging).

Creative Commons Configurator: seems to be the most actively maintained CC plugin, but seems to be opt-out, and even that was only introduced recently.

Creative Commons Generator: opt-out.

Easy CC License: perhaps what I want, although I’d rather do this with an options dialogue of some kind than a shortcode.

The Sydney Project: Luna Park

This year is my son’s last year before he begins full time schooling in 2015. Welcome to our year of child-focussed activities in Sydney.

Luna Park entrance
by Jan Smith, CC BY

Luna Park is, honestly, essentially cheating on this project. Do children like amusement parks? Yes. They do. There you go.

In addition, I think four years old is basically about the right age for them. It’s old enough that children are aware that a giant painted face, tinkly music, and carousels aren’t a completely normal day in the world, young enough that the carousel is still just as magical as the dodgem cars. And too young to have horror-film associations with amusement parks, I think that helps too.

Luna Park ferris wheel
by Kevin Gibbons, CC BY

It’s also more accessible to a four year old than some more thrill-oriented parks. V isn’t scared of heights or speed, so he loves the Coney Island slides, and was annoyed to find out that he was too short for the Ranger (the ship you sit in that gets spun upside down about ten stories in the air) and the free-fall ride. He is, however, apparently afraid of centrifugal force parallel to the ground, and refused to go on any “octopus” rides.

Even the four year old who wants to go on the free-fall ride is still young enough for, well, frankly dinky rides like the train that goes around about five times in a circle while you pretend to drive it, and the space shuttles that turn in gentle circles and which slowly go up and down when you press a button. His big draw is the ferris wheel, which I found fairly horrifying this time as I read the signs about keeping limbs inside to him and then had to answer a lot of questions about “why? why do I have to keep my limbs inside?” while giant pieces of metal calmly whirled past us with their comparatively infinite strength. In a similar vein, V also enjoys the roller coaster past all reason and sense, whereas Andrew and I react with “this seems… flimsy…” (I love coasters, but I like them to look overengineered).

Luna Park, where there's still a space shuttle

The only things V really didn’t like were the organised dancing groups who were encouraging children to learn their (cute!) 1930s-ish moves, and the process of choosing a child from a hat to press the lever to light up the park at night (he refused to let his name be entered), because there are some specific types of performative attention that he really loathes. But there are so many children gagging to dance along and to light up the park that an objector goes unnoticed. It’s not coercive fun.

Cost: entry is free. Rides aren’t: an unlimited rides pass for the day starts at $29.95 for a young child and goes to $49.95 for a tall child or an adult. There are discounts for buying online. (The entry-is-free thing sounds really useless, but it’s actually good if you have several adults, not all of whom are interested in the rides and/or are looking after babies.)

Recommended: indeed. We’ve considered getting an annual pass, in fact.

More information: Luna Park Sydney website.

Disclosure: because of a prior complaint to Luna Park about opening hours (we showed up several months ago at 2:15pm to find that an advertised 4pm closure had been moved to 3pm), we were admitted free this time. No reviews were requested or promised in return for our admission.

Are your lulz low quality? Valerie Aurora is here to help

This article originally appeared on Geek Feminism.

Warning for mention of sexual assault, and extensive discussion of harassment.

In May, my GF co-blogger and Ada Initiative co-founder Valerie Aurora posted Handy tips for my Internet harassers on her blog. They included:

Threatening my job: Unfortunately, I am my own boss. Try emailing one of the Ada Initiative sponsors? Although they might take that as a sign that the Ada Initiative is doing important work and make another donation. Hmmmm. Maybe create a Yelp page for my file systems consulting business and leave bad reviews? Endorse me for CSS on LinkedIn?

Rape and death threats: Run spell check! There’s nothing more jarring than reading an otherwise creative and well-written death threat and then seeing “decapetate.” Also, chain-saws are so last year. Remember, Gmail won’t display images by default. P.S. I happen to know one of the members of Nirvana and your bright idea has already been done.

Why did she do such a thing, and what resulted? Geek Feminism obtained an exclusive tell-all interview.

Q. Have you received any harassment as a result of this post? Was its quality indeed improved?

Sadly, no. Part of the problem is that my friends loved it — I’ve never had so much positive feedback on a post — but they didn’t want to share it with other people online. I like to joke that it’s the ultimate in dark social since people only talk about it offline using vibrations in the air called “sound.” I think that my friends are more afraid of me being harassed than I am.

Q. The post is pretty out there! Why did you put this post up? What point are you trying to make?

“Self-doxxing” myself (thanks, Kate Losse for the term) was inspired in part by how incompetent and bad the online harassment that I’ve received has been. Most people doing online harassment are just trying to impress other online harassers, at the same time that what they are doing is, frankly, totally unimpressive. The reality is, anyone can spend $25 and get another person’s home address and a bunch of other personal information, but we act like it is some kind of amazing act of computer hacking. By showing how bad people are at online harassing, I’m hoping to remove some of the motivation for people to do the harassment, or at least make them spend more time on it before they get the reward of “so cool, bro!”

I was also inspired by Krystal Ball, who ran for U.S. congress in 2010. When her political opponents tried to slut-shame her into quitting her political campaign over “sexy photos” of herself that they published, she turned around and shamed THEM — both her opponent and the media outlets that published the photos. It was glorious, and it hit home for me: if we let the existence of sexy photo of a woman prevent her from serving in political office, then I and every woman born after 1990 were out of luck. Women’s representation in political office would go down.

Q. Should other people do this?

For most people, no, I wouldn’t recommend it. It was okay for me for a lot of reasons: I already went public about sexual abuse in my family, I’m white, I’m my own boss, I don’t have children or a partner, I have skills that are in high demand, I have lots of friends and a huge support network — my emotional, physical, and economic safety is pretty good. Most women have a lot more to lose.

However, I think it is a very good exercise to think about worst cases like this: what if the thing I am most afraid of other people finding out got published all over the Internet? Because a lot of times, that thing actually doesn’t reflect on you – the shame is on the person who did the original act or publicized a private matter. It can be healing to plan what you might do, even if you don’t actually go public with it yourself.

Q. Why won’t you accept my endorsement for CSS on LinkedIn? I taught you everything you know, dammit.

I’d hate to embarrass you by letting anyone else know that you are the source of my mangled <div>’s! [Ed: good point, well made.]

Q. When are you monetising this? How can investors contact you? How big is your Series A and at what valuation?

Actually, that is a great idea. Instead of vetting a political candidate and saying yes or no, you investigate them and then publish everything that might be a problem in a funny blog post.

Or better yet, here is my favorite idea: If I ever run for political office, I’m going to scan in all my embarrassing naked photos, then watermark them with the email addresses of various journalists. Then email them anonymously to said journalists. Then when the photos get published (it’s “news,” someone else would have, etc.), I can expose the specific person who decided that slut-shaming a candidate was “news” and put the shame where it belongs. Sexism-shaming as a service, SSaaS. I’m accepting funding now.

The Sydney Project: Tyrannosaurs Big and Small at the Australian Museum

This year is my son’s last year before he begins full time schooling in 2015. Welcome to our year of child-focussed activities in Sydney.

The Australian Museum has two programs for kids: Tiny Tots and Mini Explorers, which are patterned something like Art Safari, with the children doing an activity themed to match a current exhibit.

V did Tyrannosaurs Big and Small, which went with the Tyrannosaurs: Meet the Family exhibit. The Tyrannosaurs Big and Small activities ended in June, although the Tyrannosaurs exhibit is continuing through to July 27.

Paleontology

This activity benefited compared to Art Safari in the amount of time available to the children. They started off in an education room with several activities. They first had a short talk about dinosaurs, specifically, working out how big dinosaurs are based on one or two bones. Honestly, this seemed to thoroughly lose most of the children, V included. Most of the remainder revolved around a very shallow imitation of archaeology: finding plastic dinosaurs hidden in sand, or in jars filled with dried lentils. V has not yet absorbed any awe of archaeology and regarded this as an exercise in playing with sand rather than a moment of entering into the noblest profession a child can conceive of. The other activity was taking dinosaur shapes cut out of paper (necks, legs and such) and gluing them together into one’s very own dinosaur, which V got quite into.

So no great educational inroads were made, but fun was had. And it didn’t manage to trigger V’s perfectionist tendencies and cause a lot of flouncing and dramatic self-recriminations.

Dino art

All the children were then given a dinosaur tail to wear — I appreciated the staff saying that wearing one was entirely up to the child, although V was perfectly willing — and a giant mass of children and parents headed down to the main exhibit. In theory we were supposed to be measuring the various tyrannosaurs and otherwise filling out an activity sheet, in practice we were mostly keeping tabs on our children and keeping the fossils safe from them. Or I was, anyway.

The exhibit itself is great, I’m intending to go back by myself before it’s up to properly appreciate it. The main attraction is Scotty. Andrew was very impressed by the faked shadow they’ve put behind Scotty, which moves and roars periodically. They’ve also done an amusing video which is mock security footage of the museum being invaded by dinosaurs, including live footage of the viewers themselves, surrounded by invading dinos. This took up a lot of V’s time. Less good for children — and what I’m going back for — are the bits about how, for example, the coloration of dinosaurs is being determined.

The sad thing about taking a young child to this sort of thing is that you cannot impress on them how unusual it is. Australian museums are not full of world-class T. rex skeletons! You won’t get to see this very often! Appreciate it while it… oh never mind.

The only downside was that the ticketing was rather poorly integrated into the massive assembly line that is admittance to the main exhibit. Andrew arrived late and without a phone, and they had to page me down to the information desk to explain that he had a ticket to this workshop, not one of the timed tickets to Tyrannosaurs. We also didn’t know for sure if we were even going to see the main Tyrannosaurs exhibit and nearly bought separate tickets to it. Whoops.

Cost: $12 children and $24 adults, which was reduced a lot for museum members. The year-round equivalent is Mini-Explorers, which is $10 children and $15 adults.

The exhibit alone is $13 children and $22 adults. Odd.

Recommended (kids’ activity): cautiously. They’re well designed programs with a fair amount of thought put into them, but they are, basically, a craft activity and an “opportunity” to chase your child through a museum exhibit. It might be best saved for an exhibit that your child is likely to be unusually interested in.

Recommended (Tyrannosaurs exhibit): hell yes, circle July 27 on your calendar with danger signs and scary notation.

More information: Mini-Explorers and Tyrannosaurs: Meet the Family websites.

Your crontab file should start with “crontab -l”!

I’ve never personally had this problem, but a number of people have told me that they’ve, often repeatedly, accidentally deleted their crontab by typing crontab -r (which silently removes a crontab) rather than crontab -l (which shows you what is in it) or crontab -e (which lets you edit it). It doesn’t help that “e” and “r” are next to each other on QWERTY keyboards.

Create a single backup of your crontab contents

Since I realised this was an issue, I’ve made the first line in my crontabs the following:

@daily crontab -l > ~/crontab.backup

If you ever accidentally use crontab -r, you can use crontab ~/crontab.backup to reinstall your crontab!

Adjust @daily to a time at which your computer is likely to be on, if it’s not always on, eg 0 10 * * * for 10am daily.

For bonus points, writing this entry reminded me that I hadn’t reinstalled my laptop’s crontab on my new machine, and meant it was easy for me to find and install!

Create timestamped backups of your crontab contents

The above is simple and suffices for me, but if you don’t have a backup routine that will grab ~/crontab.backup regularly enough for your needs, you could do something like this instead:

@daily mkdir -p ~/crontab-backups; crontab -l > ~/crontab-backups/crontab-`date +\%Y\%m\%d-\%H\%M\%S`; find ~/crontab-backups -type f -ctime +7 -delete

Explanation:

  1. mkdir -p ~/crontab-backups makes a directory crontab-backups in your home directory if it doesn’t already exist (and doesn’t complain if it does exist).
  2. crontab -l > ~/crontab-backups/crontab-`date +\%Y\%m\%d-\%H\%M\%S` puts your current crontab into a file named with a datestamp (eg crontab-20140711-124450) so that you can easily have more than one. The percent signs must be written as \% in a crontab line, because cron turns an unescaped % in the command field into a newline (and feeds whatever follows it to the command’s standard input), which would cut the date format short and leave you with a file named crontab- followed by nothing useful.
  3. find ~/crontab-backups -type f -ctime +7 -delete finds all files (-type f) in ~/crontab-backups whose status was last changed more than 7 days ago (-ctime +7; for backup files that are written once and never touched again, that is effectively the time they were created) and deletes them (-delete).

Warning: you don’t want to put anything else in ~/crontab-backups, because it too will be deleted after seven days.
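The same timestamped-backup idea as a small script that cron calls, rather than a one-liner in the crontab. This is an added example and not the post’s own code: moving the date formatting into a script keeps % out of the crontab line entirely, refusing to write an empty backup avoids later “restoring” nothing over a real crontab, and pruning only files named crontab-* means other files kept in the directory survive, which addresses the warning above. It assumes POSIX sh, date, and a find that supports -delete; the script name crontab-backup.sh, the install path, and the -mtime choice (the modification time of a write-once file is its creation time) are this example’s own.

```sh
#!/bin/sh
# Added example, not from the original post: timestamped crontab backups as a
# script that cron runs, instead of a one-liner in the crontab itself.
# Install with a crontab line such as:  @daily $HOME/bin/crontab-backup.sh
# (script name and path are this example's own choice)

backup_dir="${1:-$HOME/crontab-backups}"   # where backups are written
keep_days="${2:-7}"                          # age at which backups are pruned

# backup_crontab DIR CONTENT: write CONTENT to DIR/crontab-<timestamp> and print
# the path written. CONTENT is passed in rather than read from `crontab -l`
# inside the function, so the function can be exercised with constructed input.
backup_crontab() {
    dir="$1"
    content="$2"
    if [ -z "$content" ]; then
        # An empty backup is worse than none: restoring it would wipe a real
        # crontab, so refuse to write one.
        echo "backup_crontab: refusing to write an empty backup" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    target="$dir/crontab-$(date +%Y%m%d-%H%M%S)"
    printf '%s\n' "$content" > "$target" || return 1
    echo "$target"
}

# prune_backups DIR DAYS: delete backup files older than DAYS days. Matching on
# the crontab-* name means anything else stored in DIR is left alone.
prune_backups() {
    find "$1" -type f -name 'crontab-*' -mtime +"$2" -delete
}

main() {
    # `crontab -l` exits non-zero (and prints to stderr) when there is no crontab.
    content=$(crontab -l 2>/dev/null) || {
        echo "no crontab to back up" >&2
        exit 1
    }
    target=$(backup_crontab "$backup_dir" "$content") || exit 1
    prune_backups "$backup_dir" "$keep_days"
    echo "crontab backed up to $target"
    echo "restore it with: crontab $target"
}

# Run main only when invoked as the script itself, so the functions above can
# also be sourced from another shell without side effects.
case "$(basename -- "$0")" in
    crontab-backup.sh) main ;;
esac
```

To restore after an accidental crontab -r, run crontab on the newest file in the backup directory, exactly as with the single-file version above.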

Use python-flickrapi 1.2 even after the Flickr SSL transition

On June 27 2014, Flickr changed their API to be SSL-only. The Python flickrapi library was one of many pieces of software that used HTTP to connect to Flickr’s API, and that therefore broke for some users on June 27.

flickrapi supports HTTPS connections as of version 1.4.4, released on June 18 2014. If you are able to upgrade to a new version of flickrapi, you can get the latest flickrapi version from PyPI and ignore the rest of this post.

However, as of mid-2014, many Linux distros, including Ubuntu 14.04 (supported until 2019), still package flickrapi version 1.2, which cannot connect to Flickr’s API over HTTPS and is therefore now non-functional. Since developers may for various reasons choose to use their distro’s version of python-flickrapi, I’ve written a very very small Python class that overrides flickrapi’s FlickrAPI class to connect to Flickr over HTTPS rather than HTTP, and allows continued use of the Flickr API.

You can download my Python module that allows this: flickrapissl. See the README for usage.