
A Lesson in Mac and Data Security

/ 3 February 2018

Over the past few weeks I have had relatives and others ask questions about Macs and viruses, as well as data security regarding Macs and the cloud. I’ve been responding individually, but thought that posting those answers here would be a great idea.

We’ve long ago left the time where the myth that Macs don’t get viruses was believable. They do get viruses. But you still don’t really need to install huge expensive malware scanning products. macOS has a few aspects to it that help prevent viruses from being contracted that not everyone is aware of.

macOS has for a while had a feature called Gatekeeper which restricts what is allowed to run on the Mac without explicit approval to, by default, just Mac App Store apps plus apps digitally signed by Apple-approved developers. You can further restrict your Mac to just apps delivered by the Mac App Store if you want (I don’t know why Apple’s own tech doc linked above hasn’t been updated since the Anywhere option was removed…). I actually have my Macs set to App Store-only, since it is most secure and, well, due to this next part… You can always override the settings for specific apps, but nothing can just run unless it is from a trusted source. Viruses would definitely not be on the Mac App Store, and rarely come from trusted developers, and if they do Apple is quick to pull that trust. This setting is in the Security section of System Preferences (in the Apple menu) if you want to change it.

For a little shorter of a time period there has also been a feature called System Integrity Protection. This disallows anything on the Mac other than Apple-signed OS updates from changing anything that is a part of the core OS and Apple software, even if that thing has root administrative privileges (when you type in your password). So viruses, if they did get on your Mac, simply could not modify the OS. SIP also does a number of other things to keep Macs running securely, like only running specially-signed third-party kernel extensions, and only with explicit administrative approval. The only way to change this setting is by booting your Mac to the Recovery OS and typing something in at the command line prompt in Terminal.

macOS automatically gets security updates pushed to it from Apple, so long as you keep the appropriate checkboxes selected in the App Store preferences. These include updates to Gatekeeper configuration, as well as the built-in virus scanner Xprotect, and the built-in malware removal tool MRT, so long as the Mac is connected to the internet. Apple doesn’t really publicize when updates to these are pushed, but they tend to happen weekly or bi-weekly. If you want to check on what versions of security software and configuration you have I’d recommend LockRattler. Such updates help ensure that your Mac stays secure. Still, also always update to the latest software yourself as new OS releases come out.

Any file downloaded to the Mac via Safari, Chrome, Firefox, Mail, or Messages, among other apps, is automatically quarantined and transparently undergoes a security check before it gets opened for the first time. The Mac will insist that you trash any download that fails this check. This is where Xprotect comes in, as part of this check. Gatekeeper is also only triggered on executables that are quarantined. It is partly because of these security checks that I use Apple’s built-in apps wherever I can, or at least use quarantine-aware apps, and recommend the same for others as well.
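An added example, not part of the original post: the quarantine mark described above is stored on the file as the com.apple.quarantine extended attribute, and this script decodes its value to show which app recorded the download, when, and whether the user-approved bit is set. The function names, the sample values and the meaning of bit 0x0040 (taken from published analyses of the attribute) are assumptions.

```shell
#!/bin/sh
# Added example: decode the value of the com.apple.quarantine extended
# attribute that macOS attaches to downloaded files.
# On a Mac the value for one file is read with:
#   xattr -p com.apple.quarantine "$HOME/Downloads/SomeFile.dmg"
#
# Value layout, semicolon-separated:  flags;timestamp;agent;event-UUID
#   flags      hexadecimal bit field
#   timestamp  hexadecimal seconds since the Unix epoch
#   agent      name of the app that wrote the download

# Assumption (from published analyses, not from the post): bit 0x0040 is set
# once the user has approved opening the file after the first-open check.
QTN_USER_APPROVED=64   # 0x0040

# is_hex STRING: succeeds only for a non-empty string of hex digits.
is_hex() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# decode_quarantine VALUE
# Prints "agent=<name> epoch=<seconds> user_approved=<yes|no>".
# Returns 1 when VALUE does not have the expected shape.
decode_quarantine() {
    value=$1

    flags=${value%%;*}
    rest=${value#*;}
    [ "$rest" != "$value" ] || return 1      # no ';' at all

    stamp=${rest%%;*}
    rest2=${rest#*;}
    [ "$rest2" != "$rest" ] || return 1      # agent field missing

    agent=${rest2%%;*}

    # Validate before handing the fields to shell arithmetic.
    is_hex "$flags" || return 1
    is_hex "$stamp" || return 1

    flags_dec=$((0x$flags))
    epoch=$((0x$stamp))

    if [ $((flags_dec & QTN_USER_APPROVED)) -ne 0 ]; then
        approved=yes
    else
        approved=no
    fi

    printf 'agent=%s epoch=%s user_approved=%s\n' \
        "${agent:-unknown}" "$epoch" "$approved"
}

# Constructed sample values (not taken from a real machine).
for sample in \
    '0083;5a75f3c0;Safari;00000000-0000-0000-0000-000000000000' \
    '00c3;5a75f3c0;Mail;00000000-0000-0000-0000-000000000000'
do
    decode_quarantine "$sample"
done
```

A file that reports user_approved=no has not yet been through the first-open prompt, and a download with no attribute at all came through an app that is not quarantine-aware.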

It is worth noting that these security measures apply to any executables. For most people these will only ever legitimately be apps. For advanced users there will be others you run into, like command-line tools. But under no circumstance should document files (like Word, Pages, Keynote, PDF, JPG, etc.) have executable code. If any of these measures get in the way when opening such a file, then definitely be suspicious of the file and its origin, and delete the file. It is also worth noting that Windows executables (.exe) are harmless to the Mac, as the Mac simply isn’t able to run them.

If you still feel like you want some additional virus protection, the only one I’d recommend is the open source ClamAV. This is a command-line engine, so really is for advanced users. Anyone else I think is just fine with the built-in tools, and even advanced users don’t need anything more. Just, if you want something more, that is where I’d look.

Most well-built Mac apps these days are sandboxed, and sandboxing is a requirement for Mac App Store apps. Sandboxing means that the app lives in its own contained universe so it cannot access files that it hasn’t either created or been given explicit access to. I try to make sure that most of the apps I use are sandboxed, but it really isn’t up to users. If somehow a malicious app that is sandboxed got on your Mac it couldn’t hurt anything beyond itself, but I doubt any malicious app would ever let itself be sandboxed. You can use RB App Checker Lite to check the sandbox, codesigning, and other security-related states of executable code (mainly apps) on your Mac. In general I recommend using mostly apps that are designed in as secure a fashion as macOS allows.

A security feature that can stop viruses from being able to take orders from remote command-and-control servers is the built-in Firewall, also accessible from the Security section of System Preferences. For the average user, though, turning the firewall on probably isn’t really worth it. With it on, depending on its settings, every non-signed executable will need administrative authorization to accept incoming data over the internet. This isn’t bad at all, in fact it is secure, but it just may become a nuisance to most users, and the security benefit probably doesn’t outweigh that. In fact, though the average user doesn’t do this, the firewall is something that’d actively hurt if you were trying to host certain services on your Mac for other computers on your network.

While viruses are something some folks worry about, they also are not the entire picture of Mac security. Another strand of security features center on actual hardware security. Unlike what I’ve discussed above both of these need to be actively enabled, and that is because they are both advanced features that do come with real downsides, especially if you aren’t careful.

Also found in the Security pane of System Preferences is FileVault. This may actually be on if you have a recent Mac laptop, as it was made default on new laptops with OS X Yosemite (well, something you could uncheck in the initial setup). This fully encrypts your internal storage device, so you’ll need a login password even just to start up the Mac. It is pretty similar to what all iOS and watchOS devices have, in that your Mac is just as encrypted as your phone. I see why Apple made this default on laptops, as those have SSDs and are quite portable, but for desktops, and anything that is purely a hard drive, it really isn’t important. On SSDs it has no performance cost, but on spinning hard drives one very much may exist. Since a login password is needed just to decrypt the internal storage, if you forget that password and also either forget your iCloud credentials or lose the recovery key (depending on the choice you make at setup) you are out of luck with no access to your files. This would make it physically impossible, or at least very improbable, for someone who steals a Mac to access its files (depending in part on the strength of the login passwords). However, the Mac needs to be shut down for the files to be fully secure, because when alive the Mac stores the encryption key in memory (though I believe that is a hidden setting that can be changed). When on, the Guest User is its own special boot that provides only Safari and no access to the files on the Mac.

You can set a Firmware Password should you wish. This can be done by booting to the Recovery OS (hold down Command-R while booting your Mac) and using the Startup Security utility in the Utilities menu. What this does is set a password that your Mac, at the logic board level, will require to do anything at boot (including accessing the Recovery OS) other than booting from the internal storage. It would prevent someone who may steal your Mac from starting it up in such a way that they could erase it, or create a new admin user, or gain access to the files on its internal storage (though, FileVault does this part as well, and both features can work in tandem), etc. But it really is not something that every Mac needs on. If you forget the password there really is no way to reset it besides bringing the Mac in to an Apple Genius and presenting them with original proof-of-purchase to validate that you are its owner, as they won’t reset the password without that, and you cannot reset it yourself without knowing it.

In the future Macs will have a lot more boot-time security. The iMac Pro is at the forefront of this, with the T2 chip (a variant on the chip inside the iPad Pro) enabling advanced security. This includes the ability to refuse to boot from insecure versions of macOS, which are likely deemed any version a few months out of date after an update has been released. It can also prevent booting from external media. I hope, too, that Macs eventually gain Face ID, which also would be an advancement of general Mac security (and, given the underlying tech, possibly also ways of interacting with the Mac).

While security itself is one thing, privacy is another area that is worth paying attention to. For that I have some other tips as well.

Another thing to note and keep tabs on, across all your Apple devices actually, would be the Privacy settings. On macOS this is another tab in the Security pane of System Preferences. On iOS it is in the Settings app at the top level of options. Just be aware of what is allowed to access what, and especially be skeptical of apps that can see your location. You just don’t want to give away too much information. I’m not saying disable all of them, but I am saying make sure that you are aware of what the settings are, and what has access to what information.

Similarly Safari on macOS has a tab in its Preferences window labeled Websites. This lists a series of website features that can be set per-site. Here too I recommend being especially aware of what has access to your location. I’m not saying disallow everything, but be aware of what is allowed. I recommend the default behavior for other websites to be Ask, for Location, Camera, and Microphone, at least.

That same tab in Safari preferences would list any web plug-ins you have installed. I strongly recommend that everyone keep the number of installed plugins at 0. Certainly, for the sake of security, don’t have either Flash or Java installed. Both have had constant security vulnerabilities. Beyond those, the more plugins you have the less stable web browsers will be. That is why I keep my Macs at a pristine state of no web plug-ins installed whatsoever. If you need a web plugin, I’d recommend that you at least make sure it is sandboxed (the Websites tab will tell you).

You should also at least be aware of the preferences set in the Security and Privacy tabs of Safari preferences. Also keep as few browser extensions installed as you can. Keep what you really use (like 1Password and AnyList in my case), but keep those extensions lean as well. This same basic advice flies for all web browsers you have installed.

As general communication advice, unless you go out of your way (which I very much don’t) email is in the clear and anyone can read your messages if they stumble on them. However, iMessage (the blue chats in Messages on all your Apple devices) are encrypted end-to-end, so only the members of that chat can read the contents. Keep that in mind when communicating with people. I never send passwords or other sensitive information in email, but feel perfectly safe doing so if needed over iMessage.

Another tip would be to keep tabs on what is in your Login Items list (under your user in the Users & Groups pane of System Preferences) to be sure that only the apps you know, trust, and want launching at login are listed. There are other ways for software to get itself started at boot and/or login, using a part of macOS called launchd, but that is trickier for average users to keep track of.

People have also asked about data security in relation to the cloud (Dropbox, Google Drive, etc.). Is it safe to store files in these services, and such. One of the questions to ask yourself is who are you trying to keep the files safe from. For the most part, unless you go out of your way, it is likely that the company running the service could access your files. Their terms of service and privacy policy probably lay out access to the files, and hopefully they only will if they receive law enforcement requests to do so. The files probably are accessible to the company. If that alone is a real roadblock then I don’t think that the cloud is for you. The exception would be if you first encrypt the files locally, like with an encrypted disk image, and then upload that to the cloud. Remember that having FileVault on is encryption of the files on your Mac, but the copies synced to the cloud (or copied to any other device) will not be encrypted unless that destination is encrypted, and are encrypted with the destination’s key.

Beyond that the security of files in the cloud falls onto your own account security, and being careful with only sharing documents with people that you trust. Also, if the sharing gives you the option to let others share the files, be wary of that option so that only those you absolutely trust can share files further.

I wrote an article about higher personal online security a few years ago. The advice there covers the primary things to do in order to secure your cloud storage accounts:

  • Strong passwords
  • Two-Factor Authentication

All the cloud services that I use support Two-Factor Authentication. I strongly recommend turning it on everywhere it is offered (not just cloud services, but everywhere). Doing both of these will make it much more difficult for someone to hack into your account and subsequently gain access to your files.

Of course, the other part of securing files stored in the cloud is securing the copies you have on your devices. That is, securing your devices. The features and advice above help give you ways to do that, to whatever extent you are comfortable with. Macs are inherently secure, and only more so if you use the additional optional security features. Just, those features have downsides, so you shouldn’t enable them on a whim. iOS and watchOS devices are just as secure as a Mac with both FileVault and a Firmware Password by default and don’t have any lower security tier.

We use the cloud to store files specifically so that if our devices break or get stolen we haven’t lost the data. An added bonus is that the data is available on all of our devices. The cloud is a form of security and insurance on the data in this way. You have tradeoffs either way. If you decide that the cloud is not secure enough for your tastes then you risk data loss with device loss. Otherwise you risk data maybe being stolen with account hacks (which can be mitigated somewhat with my above advice), but can also not just access the data anywhere, but share it with those that you trust. My view is that the cloud is a very good idea and a necessary part of my digital life for these reasons, but not everyone holds those views. I admit that even I would be somewhat more hesitant to use cloud storage as much as I do if it weren’t for strong passwords and multiple factors of authentication.

Strong passwords cannot be memorized by humans, that is part of the point. Hence my advice in my other article about 1Password and iCloud Keychain. But are those secure themselves? Yes, in fact quite a bit.

Let’s tackle 1Password first. I link in my other article to their detailed description of their security architecture. Basically, the data is all encrypted with your Master Password and Account Key. Decryption is only ever performed locally. Their website uses JavaScript, so only the specific authorized browsers can decrypt the data. Only you have access to the data stored in your 1Password vaults (or you plus others you give access to in your 1Password Team or Family), not AgileBits, the company behind 1Password.

Likewise, iCloud Keychain encrypts its data locally on devices, and the only way a new device can be accepted into the circle of trust is by an existing device confirming it, or sometimes you type in the passcode from another device on the new device. Apple cannot decrypt your iCloud Keychain. They take this circle of trust further than just your keychain, too. Health data, Siri profiles, and Safari bookmarks, maybe others, are secured using the same trust. Apple cannot see what your scale tells you, how many hours of sleep you got, or what websites you go to often.

Ultimately, though, there is only one thing preventing lapses in security and privacy: ourselves. We are the weakest link. We may reuse passwords, unwittingly download malware, or let others share sensitive files we shared with them, etc. I hope that this article gives you a better understanding of what preventative measures are in place, and other best practices, but it will still be up to each of us individually to ensure that our digital lives stay clean and safe. Feel free to add any additional suggestions, comments, or questions about this topic in the discussion area below.

Website Unification

/ 19 January 2018

As anyone who has looked at my blog in a web browser in the past month has probably noticed, it looks very different than it did in early December. The purpose of this post is to alert readers who use the feeds to this fact, as well as to introduce the new website a bit to everyone.

If you have not yet seen my new website, I encourage you to go take a look, starting at the blog page (given what you are reading right now). Poke around, explore, and if you have any questions, comments, or concerns, please contact me. You can comment here, or use my email address which is at the bottom of every page on my website.

One important advantage of my new website is that it is a single unified entity. In the past I had what served as my main website as part of my family’s PmWiki website, this blog was hosted in the WordPress Network my family runs, and assorted other pages were individual pages that actually lived under the alex.clst.org domain. Now all of that is under one roof, so to speak, completely hosted on the single domain where previously just individual pages lived. Everything shares a single unified design, and it all is clearly part of a single entity. This makes for a website that is much easier to maintain, and one that is more sensible to visitors.

I’ve built this new website using Jekyll, which unlike PmWiki or WordPress, generates static websites on your local machine and then all that is on the server is HTML, CSS, JavaScript, and other static resources. There is no computation going on like PHP (the language both PmWiki and WordPress are written in) inherently is. This provides a few awesome benefits. First, for visitors, the site is extremely fast and responsive (it is also, unlike my old websites, responsive in the meaning of that term that the website looks great on all sizes of devices, too). Every page should load near instantly. If it doesn’t, then there are issues with the server itself or your connection to it, not with the code of the site. Nothing computational running on the server doesn’t mean a boring website, it just means that the liveliness of pages, where it exists, is all done in JavaScript, within your web browser.

Another key benefit to static websites is security. WordPress, unfortunately, is susceptible to hacking, and even as bug fixes come out, new vulnerabilities become known. That in part is a fact of the technologies behind WordPress. However static websites, because they have no server-side computation, really cannot be hacked. This is an extremely convenient feature of this website for me. I won’t be dealing with hackers breaching my own website, even though I now and again do have to deal with that for clients.

Working with Jekyll is basically a matter of Markdown, HTML, and Liquid on a regular basis. SCSS for design, that then gets built into CSS. JavaScript for interactive elements. Plus Ruby, a language I’ve barely used but am interested in using more, for additions to the website building process (new Liquid tags, etc.). In simpler words, it feels like a breeze to work with my website compared to any of the three previous systems my website was using. The benefit of this is that I expect to be changing my website more often moving forward, so it will stay fresh for visitors.

As with every major transition there are also things that get dropped. Progress requires some sacrifice. In this case, one such thing is that I’ve made a conscious decision to retire the Day by Day name for my blog. Instead, the blog portion of my new website, which is the direct successor to Day by Day is simply known as Blog. This matches better the layout of my website, where a single word in the navigation bar at the top makes sense, and also as it is part of one entity that shares my name. But also, let’s be honest, I haven’t written on my blog daily in years, so that old name really does not match what it is any longer. Today my blog is usually a fewer number of longer pieces of writing, a very different thing from the daily journal of an elementary school kid, which is where it began.

Since the site no longer has anything computational, it also has dropped the email-based subscription mechanism that WordPress.com lent it. I don’t foresee implementing a replacement for that. Instead, the blog still has an RSS/ATOM Feed, and has carried forward the JSON Feed format that has recently emerged. All those feeds should just redirect from their old locations, and news aggregators ought to recognize the permanent redirects and update your feeds for you. If not, just paste the website URL in to your reader and choose the feed you want to subscribe to again.

I like to allow my blog posts to be potential spurs for conversation. With no computation, I’ve migrated the commenting (now known as Discussion) aspect of my website to Disqus. This means to comment you’ll need an account there, or to log in via a social network. An advantage is that discussions on my website will be included in the wider community that Disqus is creating, and comments you make across Disqus-linked sites will be connected together. Since the web in general should foster wider conversation, I do like this aspect of the new discussion features. To access the discussions for any post just click the Discussion button below the post content.

Besides writing, another area of content I built this website to showcase is the artwork that I do. This grew from a similar, but far more hard-coded, section on my old website, into including all the other artwork that was previously spread around my website. As I do more digital art over time I intend to post it here. Art, like posts, also has discussions.

I have done my best to maintain all old URLs and have them redirect to the appropriate new locations. Yet, I am pretty sure some have been missed, just because of how many there are. Let’s face it, I have had a large website for most of my life. I’ll fix them as I am made aware of broken links, but hopefully everything you try to access is still there.

My website is just as big and content-rich as ever, but now that everything is visually and systemically unified it will be far easier to update over time. I’ve made simplifications to site structure everywhere I could, so hopefully as new content is added organization will stay logical and not break down like it did in the past.

I hope that you all enjoy my website, and its deep integration of all the content that came before it into this single website I have moving forward. I, for one, was getting embarrassed by my old websites, and this new one at least is technologically and with regard to content fresh and has a bright future, and therefore something to be proud of. If you run into any issues with it, or have any questions or comments about it, feel free to reach out.

Sysdiagnose for Mac Issues

/ 13 January 2018

When an app on your Mac freezes, or something otherwise problematic happens, you can collect diagnostic data before force quitting the app or working to remedy the problem. This can then be used later to try and figure out more information about what may have happened. You can do this using the built-in sysdiagnose tool. This is something that is included in macOS for developers, and is part of Apple’s bug reporter infrastructure that developers use to submit bugs to Apple.

It can also be used by anyone at any time. Running sysdiagnose in the middle of your Mac misbehaving may collect useful information that can shed light on what is going wrong.

Running Sysdiagnose

Open the Terminal application. The fastest way to do so is to start typing “Terminal” into Spotlight, and press return when the app appears in the results.

If you’re not an Administrative user type

login <your admin user’s short username>

and press return, then when prompted type in your admin user’s password. Note that the text you enter for the password will not show up at all when typing it in, for security. This will log you in to your admin user in Terminal, which is necessary for sysdiagnose since it has to be run from an admin account.

Run

sudo sysdiagnose

You will be asked for your admin password again (as before, for security the password won’t be visible at all as you type it in), and then follow the on-screen prompts to start diagnostic gathering. This process will take a few minutes.

When complete a Finder window will open and reveal the file of gathered diagnostic information. You can close Terminal when the Finder window comes up. If you logged in as an admin user, don’t worry about the additional termination warning Terminal gives, it is just fine to close the window. Alternatively, you can run

logout

first to log yourself out of your admin account. Doing so will put you back in Terminal as your own user, where you can close Terminal without the warning.

I recommend copying the file to some other folder on your Mac for safekeeping if you intend to examine it later. Sysdiagnose saves the file to a temporary folder that usually gets erased at reboot, so to keep the file around for the long term and examine its contents later copy it elsewhere. Be aware that each diagnostic file is generally no smaller than 1/4 GB (and almost a full GB when unarchived), so you probably don’t want to be saving the file anywhere that is synced via cloud services (iCloud Drive, Google Drive, Dropbox, etc.). Finder will ask for admin credentials to complete the copy. You can save to an external drive if imminently worried about your Mac, but usually just saving to your Documents folder is fine.

Once you have saved the sysdiagnose file you can force quit the problematic app or otherwise remedy the problem your Mac is experiencing. At this point you have collected diagnostic data from your Mac during the time it was misbehaving and so can examine the state it was in later, and should do whatever it takes to get back to work as normal.

Remotely Running Sysdiagnose

From time to time our Macs can get stuck in such a way where nothing appears to be functioning. You cannot move the cursor, nor does any key on the keyboard appear to be responsive. In these cases the usual troubleshooting step is to hold the power button down until the screen goes black, forcing the Mac to shut down. Then if all goes well the Mac will start up normally when you next press the power button. But when the Mac is in this state it may still be mostly functional, and in these cases you can, in fact, still run sysdiagnose, and even shut down the Mac without the forced shut down that basically just cuts power to the machine.

This uses the ssh command at the command line. In order for your Mac to be available for ssh you need to first turn on the Remote Login option under Sharing in System Preferences (access via the Apple menu, then choose the Sharing option from the main screen of System Preferences). Simply ensure that the appropriate option is checked in the preference pane.

I recommend that you limit the users that can access the Mac via ssh. Generally just admins and others who would really need access, but certainly not kids or visitors. Having Remote Login on is something I consider a bit of a safety feature for my Mac, precisely because it allows me to tap in to it even if the standard interactions don’t work to run troubleshooting and at the very least shut down cleanly. Take note of what the computer name of your Mac is, as it is labeled in the small print below the field (my Mac’s is Quad.local).

To log in to your Mac from another Mac open Terminal and type (as an example)

ssh apple@Quad.local

where you use the appropriate admin user and Mac names. When prompted for the password type it in.

From there you can run sysdiagnose as normal:

sudo sysdiagnose

You can then copy the resulting file from the command line. First you need to navigate to the directory where the sysdiagnose was saved:

cd /private/var/tmp

Then you can list the contents of that directory to determine the filename of the saved sysdiagnose:

ls

From there you can copy the file. For example:

sudo cp sysdiagnose.gzip /Users/Shared

I’m using sudo (which forces the task to be done as the Root user) since the file is owned by that user, which is why Finder requires admin credentials to copy it.

You can then run

sudo shutdown -r now

to tell your Mac to restart appropriately. Unlike holding the power button down, this will be a clean shut down where apps all close up as if you selected Shut Down or Restart from the Apple menu. Depending on the nature of your Mac’s problems, though, you may not see any visual feedback that the Mac is shutting down, at least until the screen goes black (if that never happens, wait a few minutes to ensure the Mac should have shut down normally, then proceed with holding down the power button).

If you don’t have an extra Mac around any UNIX-based computer will have command-line access you can use. There are also numerous apps on the App Store that allow you to access remote computers via ssh, for example I use Terminus, but there are dozens out there.
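The copy step above, as an added example that is not part of the original post: a script that finds the newest archive in the temporary folder instead of relying on a fixed file name, and keeps the copy private to the admin who ran it, since the archive holds system logs and process listings. The sysdiagnose_ file-name prefix, the script name and the function names are assumptions.

```shell
#!/bin/sh
# Added example: locate the newest sysdiagnose archive and store a private
# copy of it. Meant to be run on the Mac over ssh, for instance as
#   sudo sh stash_sysdiagnose.sh /private/var/tmp /Users/Shared
# (stash_sysdiagnose.sh is a made-up name for this file).
#
# Assumption: archives are named sysdiagnose_<timestamp>... by the tool.

# newest_sysdiagnose DIR
# Prints the path of the most recently modified sysdiagnose archive in DIR.
# Returns 1 when DIR holds none.
newest_sysdiagnose() {
    dir=$1
    newest=
    for f in "$dir"/sysdiagnose_*; do
        [ -f "$f" ] || continue      # skips folders and an unmatched glob
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# stash_sysdiagnose SRC_DIR DEST_DIR
# Copies the newest archive into DEST_DIR and prints the new path.
# A shared folder is readable by every account on the Mac, so the copy is
# restricted to its owner explicitly rather than inheriting whatever mode
# the copy would otherwise get.
stash_sysdiagnose() {
    src=$(newest_sysdiagnose "$1") || return 1
    dest=$2/$(basename "$src")

    ( umask 077 && cp "$src" "$dest" ) || return 1
    chmod 600 "$dest"

    # Under sudo the copy belongs to root; hand it to the admin who ran the
    # command so it can be opened later without another password prompt.
    if [ -n "${SUDO_USER:-}" ]; then
        chown "$SUDO_USER" "$dest"
    fi

    printf '%s\n' "$dest"
}

# Only acts when given both folders, so sourcing the file is harmless.
if [ "$#" -eq 2 ]; then
    stash_sysdiagnose "$1" "$2"
fi
```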

Examining a Sysdiagnose

Now that you have saved a sysdiagnose you may eventually want to explore what it holds. Now, granted, saving them can also just be additional evidence for Apple Geniuses when you bring your Mac in, but you may want to explore yourself. To do so just double click the file and it will be unarchived into a folder. Here are a few things that are in a sysdiagnose folder I recommend looking at:

  • top.txt shows the most active processes. Especially look for any that are using abnormal amounts of CPU, abnormal amounts of memory, or that are in the stuck state.
  • system.log in the logs folder is the system log of the time around when the problem happened. It may shed some light on what was causing the problem.
  • The crashes_and_spins folder will contain logs of processes that have crashed.

That is just a start, even I have not explored a sysdiagnose fully, and cannot claim to understand what every bit of data means. What I can say is that it is way more information than we’d ever normally need or want to know. But even just saving these as evidence for a genius is a decent idea, as they will be able to paint a better picture of your Mac’s problem than you can. If the issue is intermittent then these may also be the only real way to “show” a genius the problem your Mac is having.

Conclusion

This post gives you instructions on how to go about saving diagnostic data on your computer using the sysdiagnose tool. It gives you a method of remotely saving this data if your Mac is unresponsive. Lastly, this post gives you a starting point for examining the collected data. While this is admittedly not something that everyone will want to do, and it isn’t something we’ll be doing every time necessarily, it is a technique worth adding to your toolbox of Mac troubleshooting methods. I mention sharing these with geniuses, but to be fair, sysdiagnose is intended for developers to share data with Apple’s engineers, so it is possible that Apple Geniuses haven’t had a ton of exposure to this kind of data. Still, it is a wealth of information on a Mac during a problem, so it is a helpful step in recording what is going on, and hopefully shedding light on the problem.

Docker and Visual Studio Code for Local WordPress Development

/ 24 February 2017

Last night Eric and I gave a presentation at our local WordPress user group, MSPWP, about using Docker to run WordPress sites locally for development purposes. Running local copies of WordPress is the kind of thing we do for all of our client websites to be able to mess around with everything while developing themes and plugins without affecting the live websites (each of us has our own copies of each site, and we then use the remote Git repos the themes and plugins are in to get the code between our Macs and on the live websites, for those who are interested). We had only started playing with Docker about a week and a half earlier, but within 2 hours had been convinced that this was the future of running local development copies of websites. It has been a fascinating week and a half learning about this technology while in the midst of real client work. I posted the notes from our presentation, which are in the form of a tutorial, over on the Tenseg website for those who are interested.

Importance of Building Peace

/ 16 January 2017

Today is Martin Luther King Jr. Day, a day when we remember one of the key figures in the Civil Rights Movement here in the United States. This year the week we’re starting today also marks the presidential transition from Barack Obama to Donald Trump, with the Inauguration this Friday. On this holiday of remembrance and as we look ahead with inevitability to the upcoming administration, I feel it is important to take a moment to rekindle everyone’s understanding of just how important the task of building peace, not just being peaceful, is in our society, and to give some resources worth keeping track of in what I’m not alone in feeling will be a possibly darker time for our country and world than we have had over the past eight years.

This week will be interesting in that we move from remembering a figure of the Civil Rights era to having a presidential administration whose proposed policies (from the perspective of Democrats anyway, but notably also many international communities) run largely counter to the values of a modern democracy that is a post-Civil Rights Movement society, which are ostensibly where we’ve been for the past more than a decade. Dare I say we’ll have the opposite feelings of a standard workweek. Joyous remembrances today and sorrow this Friday. At least, I suspect that those I surround myself with will be feeling that way…

I know that I have emphasized this here before, but the difference between simply the absence of violence, or Negative Peace, and the building of a society that has equal and just policies, or Positive Peace, (to vastly water down the differences between those) is important to note in this context. While Negative Peace is the simpler goal to achieve, it is not the kind of society we really need and is not what is necessary to sustainably move forward. While establishing a system void of conflict is important, there need to be those of us around thinking of the further goal of a Positive Peace in our society. I would hope that we can seriously start to define how that may be worked on, as we begin to see what 2017 and beyond bring us.

Here are some assorted resources to help think about the kind of peace we need in our society that are worth keeping track of:

  • The resources published by the Albert Einstein Institution, where Gene Sharp's work is
  • Local organizations working for peace and in many ways even just ones working on the general betterment of society are worth knowing about and, if possible, helping out with. I won’t give any specific suggestions of such organizations here, since I do not want to favor any over others nor favor any specific geographic regions.
  • The work and philosophy of Thich Nhat Hanh
  • Erica Chenoweth’s research
  • I don't mean to toot my own horn so to speak, but the posts in the Peace Studies category here on my blog provide some inspiration and resources. Particularly the research I undertook on Peer Mediation is one way we could use to introduce some concepts of peaceful resolution to conflicts to children, and as such the next generation.

Finally, I want to encourage you all to share this post with anyone who’d appreciate it, and to add resources and ideas yourselves in the comments here (as well as alongside sharing this post) for each other to find as no single person can create an exhaustive list. I mainly mean to provide a starting point here for us all to add to. Throughout Donald Trump’s impending presidency we must be a light keeping the ideals of a peaceful society alive, even if we find our country and society plunged into something less than peaceful in the coming weeks and months.

Mother Teresa’s Canonization

/ 4 September 2016

Earlier today (as in, at 3 am where I am) Pope Francis canonized Mother Teresa. Despite not a peep about this occasion at the liturgy I was at earlier this morning this nevertheless is a moment worth noting. It is worth noting not just as any old canonization would be, but since Mother Teresa is unquestionably one of the “modern day” saints for whom there are still people alive today who were around her. Since that group includes one of my grandmothers and one of my aunts it is even more appropriate that members of my family take special note of this canonization. I actually do have a closer link to Mother Teresa than many because of them.

Among the myriad of Mother Teresa related things worth revisiting today I’ve read over a biography paper I wrote on her back in 2011 for one of my Peace Studies classes at CSB/SJU. I haven’t touched that project since then, despite apparent aspirations at the time that I may eventually add to it, but it is definitely appropriate to read what is there today of all days. Who knows, maybe it’d be worth reworking the last part of that paper to reflect today’s canonization and/or actually put up some of my other original research notes. But still that seems somewhat unlikely to happen, we’ll see if I ever do that. Still, what is there is worth a read. For those interested, you can also read the blog post where I first linked to this paper, back on the 10th of October in 2011.

Regardless how much or little you know about Mother Teresa as you read this, I encourage you all to at the very least take a moment to recognize this new saint. If you have more time on your hands this Labor Day weekend then perhaps reading over the links above and whatever else you can find on Mother Teresa would be something worthwhile to spend some time on.

Thoughts Following Orlando

/ 12 June 2016

When it comes to what happened in Orlando, well, there is nothing simple any of us truly can say, because it is not a simple thing with a trivial fix. Something is severely broken in our society that we find ourselves all-too-often seeing (mass) shootings as a refrain of what the United States is. We’re in the midst of a presidential election where the entire world is focused on us given the sheer amount of power our nation holds, and this is part of what they see of us. That is far from a good thing. Putting aside what we as Americans believe about ourselves, how many people who live in other nations and ways of living may increasingly be hearing of these events and start questioning our abilities as true, peaceful, world leaders? In some ways this falls right in tune with the constant refrain the military’s actions have on other regions of the world as a mascot of our nation.

Many of us woke up to news of Orlando this morning. Since there is barely anything we can do individually to truly sway the forces that lead into events such as these we as a society need to wake up and figure out how to change what needs to change. Lives are worth enough that we cannot just stand idle as they’re torn apart. We must make real attempts to change our society.

Of course, perhaps depressingly, all we can honestly do is make attempts. We can individually change behaviors, but we cannot individually be certain that such behavioral changes will lead to societal shifts. The analogy of society to the very human bodies we each inhabit comes to mind. Countless organs and systems make up the human body, each of which plays a role in sustaining us and keeping everything with at least the appearance of working. In the same way we are these organs for society. We hold the power to make or break society, fall into violence or maintain peace, in the same way that our bodily organs hold the power to make us sick. In this sense, mass shootings are a plague that has been hitting our societal body for way too long. Where is our societal immune system?

Each one of us has had multiple moments burned deep into our long term memory such that we will never forget details of those moments. I’m probably correct in saying that 9/11/2001 is one such date that has such a hold on each of us. For me, Barack Obama’s first presidential inauguration is another example, as too would be when I was taking care of my great-grandmother the day she died. We all can list dozens of such moments. Of note, such moments need not be negative at all. When will these mass shootings, each and every one of them (because, as much as we feel sick thinking of it, this will not be the last in all likelihood), become moments burned into our memory? When will we start remembering forever exactly where we were and what we were doing when we heard of this mass shooting or that mass shooting (gosh, even that phrasing makes me a bit sick)? I fear that only once these moments are burned into our memory in a way like 9/11/2001 is, even for those of us on the other side of the country who are not directly affected (though, as one societal being none of us truly remain unaffected), will we all gain the necessary drive to actually change our society. But with so many such shootings the past few years, we naturally become too used to this sort of thing (too numb to it in some ways, perhaps?)  to have such vivid recollections. So we’ve reached this conundrum where one of the drives to heal our society of this plague is itself to have less of it, that is not a good thing because what are the chances of that actually working out?

We therefore must work to heal society in other ways. So, the task laid before us is that. In some ways a basic task, but in many ways a complex one. Let us each go to bed tonight dreaming of ways in which we can work as healers of our society. These need not be monumental achievements, and to be successful individually probably shouldn’t be, but standing idle is not an appropriate response.

Thoughts on Force Touch and Haptic Feedback in OS X

/ 11 January 2016

Back at the end of October I couldn’t resist getting a Magic Trackpad 2 for my iMac due to all three of its advancements over the earlier model:

  1. Force Touch and Haptic Feedback, the real topic of this post
  2. Built-in Lightning-rechargeable battery (which I have since on at least one occasion found the usefulness of the trackpad using USB for data while recharging when my iMac’s bluetooth refused to work until a reboot because I could still use a real trackpad in those minutes, even postpone the reboot if desired)
  3. 30% larger (which comes in handy in many ways, now that I’ve retrained my hand to remember its larger size)

In this intervening time as I’ve been at the forefront of this new input (Force Touch) and output (Haptic, or as Apple calls it Taptic, Feedback) dimension in OS X I’ve begun to recognize some of the ways Apple could expand this technology as it becomes more ubiquitous to literally add new dimensions to the OS without really needing any, or at least few, further hardware advancements.

The Taptic Engine is used most prevalently in the trackpad to mimic the “physical click” without anything moving (or, more specifically, nothing moves by what we do, things move slightly by what the trackpad itself does). The trackpad senses how much pressure your fingers put on it and when enough pressure is applied (unless you’re in a drawing environment, where it affects tool thickness in many apps much like a drawing tablet does, which is also why Apple puts the trackpad alongside such products in a feature on the Apple Store iOS app I’ve noticed) “clicks” your fingers using the Taptic Engine and sends a click command to OS X. It also introduces the deeper second-level “force click” for additional functionality on certain items in the OS. I describe this clicking with the trackpad as it clicking you instead of you clicking it. Not what we’re previously used to with input devices!

But you recognize this device as an output device when you realize that there need be no pressure put on the trackpad for it to use its Taptic Engine. In this manner it truly adds a new dimension to OS X. Apple uses this in Pages, Numbers, and Keynote alignment guides, and in iMovie to alert you to the ends of clips when editing in the Timeline. But beyond that they seem to not use it anywhere else (surprisingly, this includes in their own interface layout editor in Xcode, among other omissions). A few 3rd-party apps have added this kind of physical dimension to alignment guides, as they too have adopted the pressure-sensitive drawing functionality Apple seems to only have in the Markup extension (and its host, Preview), but really haptic feedback as pure output in OS X basically ends at that point. One thought of mine: Apple should standardize GUI (Graphical User Interface, for the uninitiated in software development) elements like these alignment guides so every app both uses a recognized look for them, and, oh, can also just have “for free” haptic feedback on them. Doing such a thing would bring this dimension of output to some maturity and first-class citizenship in OS X.

Another place the Taptic Engine could be utilized across the board in OS X: The Find functionality in apps. Just think about what it would (literally) feel like if you searched for a word in Safari, or Pages, or really any app, and your finger was tapped when scrolling through the document and the searched-for phrase was on the same horizontal line with the cursor (yes, slower than the standard keyboard shortcuts, but there are times when scrolling the document to the highlighted phrases makes sense). Apple could probably do this universally if implemented in the lowest-level of content display elements (text views, web views, and such). Okay, in all likelihood Microsoft Office wouldn’t work with this given their slow adoption of standard OS X elements, but most other places you’d want this functionality would have it.

Those are both ideas that would just enhance everyone’s use of OS X, by adding a new dimension to specific areas. But one other potential use of the Taptic Engine in OS X would strive to enhance the entire experience for a specific yet important subset of users: Those who rely on the Accessibility features, and specifically those with impaired vision. At the moment the current, and most potential, uses of haptic feedback in OS X are, while not short-sighted, definitely compartmentalized into specific use cases. One word could be used to sum up this final Taptic-specific thought I’ve had in these first months using a Force Touch-enabled trackpad: Texture. What if everything about OS X were textured, using perhaps more subtle and specifically placed taps than the current Taptic Engine can do but still worth thinking about and striving towards, to mimic real-world textures? What if you could feel when the cursor was over a button, or passing into a new window? There could be different tap patterns for normal versus destructive buttons, and so forth. The shadowing of windows and GUI elements? Those would literally be felt when moving the cursor around on screen. To most people this would be a cool feature (and sure could be something game and creative app developers take advantage of) albeit one even I may grow tired of and disable, but would have the potential to be life-changing for anyone who really cannot see the cursor quite as well. This being added to OS X’s Accessibility features would be just amazing and also show that the haptic technology truly has reached a point of maturity it definitely doesn’t have on OS X today.

There are still inconsistencies between this technology across Apple’s platforms that I feel also need to be smoothed out. Among other things, Live Photos show their life when 3D-tapped. Yet force clicking them in Photos on OS X doesn’t do the same thing (in fact, can you even see the live part of Live Photos in the app?). My point is, name of feature aside, regular users expect this level of deep feature parity and continuity between their devices, not just the higher level where each Apple device is a phone (quite literally if you’re on AT&T), can access your text messages, and so forth. These are different teams, I get that, but we maybe shouldn’t expect deep advancements on Taptic integrations in OS X before more things even out across the ecosystem. On the flip side, OS X Safari has deep Force Touch APIs but Mobile Safari doesn’t have any 3D Touch equivalent. That seems strange indeed, because certainly the iPhone 6S(+) could handle them. I really might just integrate such APIs into websites I write (some of) the code for if such things had wider availability.

It is also worth remembering that most Apple laptops don’t have this hardware in them (only the recent MacBooks and retina MacBook Pros do), and few desktop users in the scheme of how many of those Macs are around have this trackpad yet. Also, OS X El Capitan did come out with the laptops having this hardware, but even the Magic Trackpad 2 came a week or more later, so technically OS X 10.12 will be the first OS to be released after every Mac has the potential for Force Touch and Taptic hardware being a main input device. Perhaps we will see some advancements along these lines when the next OS versions are announced this June. But for now, more so than on iOS or watchOS, Force Touch and Haptic feedback on OS X remain somewhat of a niche feature. It will take both the hardware being ubiquitous and an OS under development from day one with any Mac being able to have the hardware such that it is given more attention at the OS level before we’re likely to see this new frontier of OS X interaction truly mature.

That said, I for one love having such an input/output device, even if the pure-haptic features are far and few between and the rest has all just become second-nature already. Feel free to comment on my thoughts regarding the potential Force Touch and the Taptic Engine have in OS X, or to add your own. I’d love to hear what others who are using a Force Touch trackpad think.

Overview of Centralized WordPress Site Management

/ 29 December 2015

Somewhat following after my post regarding online security over the next few weeks I may be posting articles that branch off of that with more details about one item or another mentioned in that article.

A few days ago Mary asked me to guide her through understanding the full functionality of WordPress.com, especially given how much it has expanded its helpfulness towards anyone running self-hosted WordPress sites. No longer is it just for running WordPress.com-hosted sites, as I do none of that yet consider WordPress.com a very helpful tool. It is no joke that for lots of site management when I’m partly responsible for managing many different WP sites (over 6 different sites, all self-hosted) WordPress.com has become quite a central tool that makes many common management tasks more streamlined since it is one place I can go to accomplish many tasks even on more than one site at a time. In writing up notes to guide me in helping Mary, and to leave her with, I came to the realization that those notes may be useful to others (not the least being, potentially, some of the very clients I work with and others who may be helping to manage multiple WordPress sites either for personal and/or professional reasons). Those notes are after the break.

The WordPress.com website itself has 2 major sections that organize its core functionality, and then has some assorted other functionality:

1. My Sites

This lists all the sites, both hosted at WordPress.com and self-hosted running Jetpack with at least the Manage and Single Sign-On modules activated, that your WordPress.com account is authorized to access/administrate. Each site has the following parts to it (with some of these being only for self-hosted sites):

  • Stats
    • Shows you the most important statistics about your website
    • This includes that which Google Analytics also does, but also things like Followers and Publicize data points among many others
      • Followers are those who follow your site using their WordPress.com accounts or by email subscriptions
      • Publicize shows you the reach your posts have gotten via social media, including the like and share counts from FB, and so forth
    • Stats are viewed by ranges like Day, Week, etc. and keeps a number of data points under an Insights tab
  • Plan
    • Mostly applies to WordPress.com-hosted sites
    • But applies to self-hosted sites for premium backup and security scanning functionality
  • Under Publish are lists of Blog Posts, Pages, and links to any other post type
    • Blog posts and Pages show up in lists on WordPress.com and can also be edited and new content written right from WordPress.com
      • I'm actually writing this very post from WordPress.com rather than directly on Day by Day, just to see what doing so feels like
    • Other content types are links to the content lists on your website for management
      • My guess is that WP 4.5 will bring support for custom types to Calypso (the codename for the new WordPress.com) as long as those types allow themselves in the RESTful API
  • Personalize->Themes
    • Choose the theme for your site
    • Access the Customizer for the selected theme
  • Personalize->Menus
    • Change menu selections and options
  • Configure->Sharing
    • Set up the Publicize connections for your site
    • Change the options for your site's Sharing Buttons
  • Configure->People
    • Look at lists of both your Team (Users on self-hosted sites), Followers (WordPress.com users who follow your site), and Email Followers (those who just signed up to be sent every new blog post in email upon them getting published)
      • Search these lists as needed
    • Change details about your Team members
    • Add Team Members
    • Remove Followers and Email Followers
  • Configure->Plugins
    • Review what plugins are installed, active, inactive, have updates, for self-hosted sites
    • Activate or deactivate plugins
      • No longer do you need to have filesystem access to forcibly remove a problematic plugin if you cannot access the local admin area to deactivate it
    • Set plugins to be automatically updated by WordPress.com as updates are released
    • Add new plugins
    • Remove existing plugins
  • Configure->Settings
    • General has these options
      • Site Profile (name and tagline)
      • Visibility (search engine settings)
      • Jetpack (monitor email settings and follower migration tool)
      • Related Posts (settings regarding if and how related posts are shown below post content)
    • Writing has these options
      • Default categories and formats
      • Press This bookmarklet
    • Discussion has these options
      • Default article settings
      • General comment settings
      • Email notification settings
      • Moderation settings
    • Security has these options
      • Whitelisting of IP addresses for Jetpack Protect
      • Jetpack Monitor settings
  • Configure->WP Admin
    • Takes you to the site's local admin Dashboard

A handful of these site-specific sections are exposed for bulk management of multiple sites when All My Sites is selected. These are:

  • Stats
    • Useful to compare the stats on your sites to each other
  • Publish
    • Blog Post and Page lists, organized by status and either just your content or content authored by everyone
  • Personalize->Themes
  • Configure->Plugins

2. Reader

This is essentially another RSS reader, but one that has special treatment for when you Follow a WordPress site (self-hosted WordPress sites will need to manually add a Follow button while WordPress.com sites have it built in) as your WordPress.com user, but generally just pasting a connected WordPress site’s URL should get WordPress.com to recognize the site as one to Follow rather than use its RSS Feed. The main advantage of Following versus using the RSS Feed is the option to automatically receive new blog posts in email as they are published. It is only logical for a service that started out as a content creation platform to also contain a way to read content that is published across the internet.

There is a section for what you’re following, and ways to manage your subscriptions. Each post and site is formatted quite simply with a decent white background and simple fonts, making the content wholly match the WordPress.com aesthetic. Anyone who has used any RSS reader will feel familiar with Reader.

There are two sections of content discovery: 1. A curated Discover area with content the WordPress.com staff have found and put together; 2. A Recommendations area that recommends new content based on what you’re already following and perhaps also using what you write as another feeder into its determinations.

Once you have a WordPress.com account and are logged in to it on your computers nearly all the time (as I now am, and would recommend for pretty much anyone who uses WordPress in any way as the account is free) you’ll begin to notice what other sites across the web use WordPress by seeing either your admin bar above all WordPress.com-hosted sites, by not needing to further identify yourself when leaving comments, or by recognizing things like the Like button on sites and posts. Reader also has a section called My Likes which brings together all the content across the web that you have liked.

You have the ability to further organize what you follow into lists. Perhaps you’d have a Family list, a Politics list, and a Technology list. The way you choose to organize is entirely up to you. Rather than just following sites you can also choose to follow tags as a way of following specific topics that interest you.

Assorted other WordPress.com site functionality

  • Post Editor accessed from the new post button on the right of the admin bar
    • Select a site and you're instantly taken to the post editor interface on WordPress.com
  • User profile accessed from your avatar (managed with logging in to Gravatar using your WordPress.com account) on the right of the admin bar
    • Profile information
      • Includes defining a list of your websites, be they WordPress sites or otherwise
    • Account settings
      • Includes selecting your primary site (the site other WordPress.com users follow when they follow your user) and other general website settings that will also end up applying to any site you visit that is hosted at WordPress.com
    • Manage Purchases
      • For paid WordPress.com services
    • Security (the usual suspects)
      • Change Password
      • Two-Step Authentication using either standard 2FA app or the WordPress mobile app
      • Connected Applications
      • Checkup
    • Notifications (see next assorted functionality for more details)
      • Choose which kinds of notifications you get from each site, what notifications you get from comments you leave on sites using your WordPress.com user, promotional email from WordPress.com, and defaults for your Reader subscriptions
      • Extremely granular controls for where what notifications from what sites get sent to (email, WordPress.com, each of your devices)
    • Next Steps has suggestions for what next to do with your account and sites in order to spruce things up
    • Help is the WordPress.com help center for any questions you may have
  • Notifications drawer accessed from the bell on the right of the admin bar
    • Notifications you've gotten from sites based on your aforementioned settings
    • This same drawer will appear on any WordPress.com, or self-hosted site with the Notifications module of Jetpack active, when you're logged in to an account associated with your WordPress.com user account
    • Click on a notification to see its details and act upon it
    • Notifications are organized into categories along the top as tabs and show up chronologically

WordPress Mobile App

Has all the same functionality of the website, packaged onto your mobile device, with the additional benefits of geotagging posts and being able to take pictures right into your posts, among other things. Good for on-the-go comment management as well. Receives push notifications for all Notifications you let WordPress.com send your device. Definitely worth installing if you regularly post to any WordPress site, though for easiest setup and operation you’ll need to first install Jetpack to your site and link your local site account to your WordPress.com account.

Jetpack

A plugin provided by WordPress.com for self-hosted WordPress sites to get many of the same features and benefits that WordPress.com-hosted sites get. To me it increasingly feels basically like a given that all self-hosted WordPress sites, be they personal or professional, have little to no excuse not to be running Jetpack. This is due to these among many other features:

  • For visitors:
    • Social network (including WordPress.com) sign-in for commenting
    • Infinite scrolling
    • Social sharing options, including those tied to the WordPress.com community
    • Connects site to the larger WordPress community and ecosystem of sites
  • For site managers and authors:
    • Single Sign-On
      • Even if you don't turn on 2FA for your WordPress.com account you still ought to get into the habit of always logging into your WordPress sites via WordPress.com (there'll be a button to do so on your site's log in screen) because where you type your username and password will be encrypted while the majority of websites today, and virtually all of the WordPress sites I help maintain, that people like us run aren't yet using a secure connection themselves
      • Also, 90% of the time you won't be challenged for any credentials because you'll already be logged in at WordPress.com
      • You connect your local site account to your WordPress.com account from your User Profile on your site
    • Protect
      • A cloud-powered network run as part of WordPress.com to block brute force login attempts that will instantly blacklist IP addresses from being able to even attempt logins on all connected WordPress sites if they try a brute force attack on any single WordPress site
    • Monitor
      • WordPress.com continually checks your site's reachability and will send you an email if the site goes down and when it comes back up
    • Manage
      • Well, the whole My Sites section above explains why this feature of Jetpack is so beneficial
  • Lots more for both visitors and site managers

WordPress.com as an emerging community

Overall WordPress.com has really become a community in the past few years, more so than I think it was at its inception, thanks to these features. When anyone logged in to WordPress.com can comment on nearly any WordPress website with no effort whatsoever (as can anyone logged in to Facebook, Twitter, or Google), with no need to re-identify themselves, you begin to build a community feeling around this 25% of the internet. Reader, and tagging's ability to bring together topics from across the internet, begin to push content to new heights of interconnectedness and community. Since Reader exists, WordPress.com is also not merely for content creators but for content consumers too, and as such may also be a simple blog content reader for anyone who is starting out in the community of blogging by running or being a part of a WordPress.com-hosted website. I’ve begun to place my WordPress.com account as not hugely far behind my Google account in its standing as an overarching account under which many of the things I do online fall, because, well, with so much of my consulting work and personal website work utilizing WordPress, I access almost all of those using this one account. Even if you are only a part of one WordPress site that is self-hosted, taking a dive into having a WordPress.com account would both make logging into that site more secure and let you explore more fully the emerging community of websites that WordPress is well on its way to being.

The Gift of Strongly Recommending Higher Personal Online Security

/ 25 December 2015

Today is Christmas, a day when a substantial portion of western humans celebrate by giving one another gifts and sitting by trees that we’ve brought into our home. If you know me well, you know how little that part matters to me anymore. So, in part, let me give all of you the gift of explaining just why taking advantage of a few higher security measures for online accounts of yours is actually something you should do, perhaps even making it a prior-to-2016-actually-starting New Year’s resolution to start doing. Before I go any further, for those who may ask, I wrote this across the weeks ahead of today, and it merely automatically posted itself this morning. Also, for those who celebrate it, Merry Christmas!

There are two major steps I’ll be recommending here, though you could say that a third is woven in the midst of those: Strong Passwords and Two-Factor Authentication.

Before I dive in, let me say a few things. Firstly, it has been well over 2, maybe even 3.5 or so, years that I have consistently been using strong passwords with every new online account I set up or password I need to change; I even changed many passwords to be strong just because that is more secure. It has been at least since early 2013 that I’ve been using two-factor authentication everywhere I can. So, it is safe to say I’m doing everything in my power to secure my online accounts, and write these suggestions from that experience.

Secondly, a key part of committing to doing strong passwords everywhere is using a password management tool you trust so you can actually keep track of the passwords. The one I use on all my devices (from my watch to my iMac and everything in between) is 1Password, so my examples will be using it. The other major option I’ve heard great things about is LastPass. Recent versions of Safari have this ability built in and synced over iCloud to all your devices, and you can view the passwords on your Mac in the Keychain Access application that is built in to OS X (as well as in Safari preferences). Many other options exist as well. Any should be adequate. There are advantages and disadvantages to each software option. The important thing to understand is how your data is stored, encrypted, and synced. I can’t clearly speak for anything but 1Password here, but I know 1Password’s entire design is around your privacy and security, with your master password being required to decrypt the contents of your vaults, of which it decrypts only what it needs at any given moment, and it never stores the actual text of the master password anywhere. Even with data in Dropbox, iCloud, or any other folder area for syncing, no one running those services can access the data. These kinds of software use proven standards to encrypt your data using much the same technology that banks keep their digital data secure with. Partly from the above link, partly from Googling, you could spend a ton of time reading up on the security of 1Password, to start off.

Now on to my primary recommendations, starting with Strong Passwords. Why hold yourself to strong passwords? Any of you could tell that the password “-BVbtP4,B}xtFD4G” is much stronger than “billy”. One could be guessed, especially by computers, nearly instantly; the other would be a larger effort to crack. None of us want unauthorized people (anyone but ourselves) into our online accounts, so using strong passwords is quite important. By strong I don’t simply mean something where you replace letters with numbers, because software trying to get into online accounts tends to quickly test those variations.

[Image: Strong Password Generator]

That is why a combination of length and type of characters (alpha, numeric, symbols) is important. An alternative to using something like 1Password’s built-in generator (seen in the image above) or that of whatever your password management software has (I use about 70% 1Password and 30% the iCloud Keychain password generator built into Safari these days, and use both tools to keep track of my passwords) is to find a website that can generate strong passwords, like this one, but then you run into potential concerns about the whole notion of a website generating these passwords: are they possibly, even unintentionally, storing them in logs somewhere? It’d be hard to tell for the average person. Either way, using strong passwords everywhere you can handle doing so is one way you can make your online digital life a bit more secure.
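A generator can also run entirely on your own machine, which sidesteps the question of what a website might log. The following is an added example, not part of the original post and not 1Password's own generator; the function names are illustrative, and the bit count is only an upper bound on guessing effort.

```python
import math
import secrets
import string

# Character classes named above: alpha (both cases), numeric, symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def generate_password(length=16):
    """Return a random password with at least one character from each class.

    Characters come from the OS CSPRNG via `secrets`. Whole candidates are
    redrawn until every class is present (rejection sampling), so every
    accepted password is equally likely.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def search_space_bits(password):
    """Upper bound on brute-force effort in bits: length * log2(pool size).

    The pool is the union of the classes the password actually uses;
    characters outside those classes are ignored. Guessing software tries
    names and dictionary words first, so "billy" is far weaker in practice
    than this bound suggests.
    """
    pool = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for pw in ("billy", "-BVbtP4,B}xtFD4G", generate_password()):
        print("%-18s %6.1f bits" % (pw, search_space_bits(pw)))
```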

My second recommendation is to use Two-Factor Authentication (2FA) with every online service that has the option. This is on top of using strong passwords, though I’ll admit to using slightly less strong (hence, memorable) passwords on some sites where I also have 2FA enabled. When 2FA is enabled you not only need your password, but also a code sent to your mobile phone (via SMS, sometimes voice call), authenticator app (Google makes a good one, but 1Password also supports this), or for some services (FB, iCloud, etc.) their own custom mechanisms in order to log in. The codes are on average 6 digits. You say this is too much of an inconvenience. But is it really more of one than if someone gets at your Google account, or your iCloud account, or your FB account? I think not. Anyway, many of these sites have an option to whitelist devices when first logged in with a 2FA code, so for your own devices this won’t be much of a nuisance.

So, what sites support 2FA, you ask? My go-to resource for what websites support 2FA is the Two Factor Auth website. That site has a clear list, organized into categories, of websites that do and don’t have 2FA, with the type of 2FA marked and links to the sites’ 2FA documentation. I glance back at this site every so often to make sure that if other sites I use have gained 2FA I know about it and go to set it up. That site would be a good place to start if you’re convinced that 2FA is something to try out.

Two-Factor Logins

As the screenshot provided here shows, I have a lot of my online accounts backed by 2FA. But that list isn’t even the full list of sites. That is partly because I mostly only tag logins with 2FA in 1Password that either have their code generation in 1Password and/or have other recovery data in 1Password and/or are important accounts of mine that use 2FA, but a few more actually do have 2FA enabled. But it is also because a handful of those accounts (namely Google, Microsoft, and WordPress.com) are ones I use to sign in to other websites and services too, hence effectively backing those logins by 2FA. Skype uses my Microsoft account, Zoho (and a few others) my Google account. Nearly every WordPress-based website I play any sort of administrative or managerial role in has the awesomely powerful WordPress.com-linking Jetpack plugin running, and as one feature of that I (and anyone else with accounts on those sites) can log in to those sites using their WordPress.com account, and hence, depending on their account settings, log in backed with 2FA. That is how I logged in to my own blog a few days ago to set this up to post. Many of the sites I help maintain don’t (yet) use HTTPS, so even without 2FA, logging in through the WordPress.com portal means that your actual login credentials are passed through a secure page.

It is certainly true that online accounts of mine with weak passwords (I define weak passwords as anything not created using a strong password generator) and/or no 2FA are a rarity these days. Though conceivably hackers could still get into my online accounts, the chances of that are much slimmer than for Joe Schmoe with the password “queenstown1278”. Actually, the chances basically are nil for all of the 2FA accounts by the very nature of what 2FA is.

So, on this Christmas morning I leave you with the gift of the inability to be ignorant of these two important things you can do to greatly enhance the security of your online accounts. Further, I hereby challenge everyone who reads this to at least experiment with both strong passwords and 2FA before 2015 bids us farewell. I’m not saying that you need to go all-in with only strong passwords and 2FA everywhere it is an option the way I have, but definitely let yourself try both out and see how it goes.

Merry Christmas and have a Happy New Year!
