Tuesday, December 13, 2011

CSA 48 - County Fire Funding Around My Home

Today I attended a Santa Cruz County Board of Supervisors Meeting. What fun. Not.

I did so to keep tabs on an issue near and dear to my heart... maintaining fire and EMS response service in my area during the non-fire season. I've mentioned that on Facebook and in a couple of other places, and people were curious, so I wrote up my thoughts on the meeting this evening and am posting them here.

I don't claim this is complete, correct, or consistent. It's the best I could do given the situation, the contents of the meeting, and my temperament. I hope it isn't entirely wrong, and I will try to correct it somehow if I find I am wrong about things.

With that disclaimer...

Board Of Supervisors Meeting - Partial Writeup - Dec 13, 2011
A somewhat inflammatory and editorialized document by Jeff Powell.
These are my impressions and opinions. Your mileage may vary.
Remember, though, that government is like making sausage, in a very big and slow factory.

8:15 am: park car in 3 hour free parking lot across the river from the county building.

In the meeting room I pick up a copy of the official agenda, which lists our item as #56. Seems like it will be forever before we discuss funding for County Fire, but that doesn't do justice to what really happened. In any case, for reference, here is what we were at the meeting to discuss, word-for-word from the agenda:

56. Consider report on the state budge and associated impacts on the California Department of Forestry and Fire Protection (CAL FIRE) and further discussion of County Fire Service Area 48 (CSA 48) service delivery options for changing the contracted level of service with CAL FIRE commencing in the fiscal year 2013-2014, and taking related actions.

All clear now? Hope so. But I have NO idea what that really means.

8:30 am: meeting begins.

A sea of red shirted citizens (numbering 50 or so) concerned about CSA 48 is present, but that doesn't matter yet. First we get some technical preliminaries followed by open comments from the public about things not on the agenda. During the preliminaries at least one agenda item related to PG&E smart meters was removed from the "consent agenda" (things that are just "accepted" but not commented upon by the board or the public as far as I can tell) and moved to the "regular agenda", which allows for comment by anyone that can fog a mirror when they exhale. Despite that, quite a few members of the public wanted to discuss smart meter related issues during the comment period allotted to things not on the agenda, and wasted a lot of time as a result. In addition concerns were raised about Occupy Santa Cruz and the county's recent moves towards it, and there were many requests for a moratorium on foreclosures in the county. Oh, and some comments about a program that helped people working for the county make better choices about food and lifestyle.

Then we had 15 minutes or so of thanking a retiring county employee.

Then the Board of Supervisors recessed to run a second meeting - one related Zone 5 of the Santa Cruz Flood and Water Conservation district to happen. No, really... they stopped one meeting and changed it to another one, just like that. The BOS members are also members of this new group along with a few others, but there wasn't much happening here. Done in 15 minutes.

10:30 am, give or take: morning break. During this time I go move my car since it is clear that 11:15 is going to come and go before we're done. I put it in the 2 hour lot in front of the county building. After all, we should be done by 12:30, right? (Hint: not.)

10:45 am-ish: They start up again and immediately recess for a different flood control meeting: this one about zone 7 instead of zone 5. This one was much more contentious and went on for nearly an hour. However, in the end, I think nothing of great import happened - everything they voted on passed unanimously - and the project they want to do (to improve flood control down near Watsonville) wasn't impeded or slowed down as far as I can tell.

Editorial comment: by this point there are quite a few people I think should never be allowed to speak in public, and I am pondering how to make choking some of those people to death legal. But I digress.

It is important to note, however, that for over 3 hours the group of people that had come to speak and hear about the County Fire issue is dwindling. People have - gasp! - lives and jobs and commitments. Three hours after the meeting started we hadn't gotten to our issue despite being told we'd be "first" by someone. Go figure.

Approximately 11:45 am now, and we finally get to the County Fire related issue. Surprisingly I have not gnawed off any of my own limbs in a desperate attempt to keep myself awake.

Chief Ferriera and someone else (didn't catch her name) made some initial comments about the situation. As far as I can remember these were the high points (for me) of the discussion that ensued:
  • County fire will run out of money sometime around the summer of 2013 - 18 months or so from now.
  • Funding for County Fire comes from two primary sources, both tied to home values: 1.x million per year from property taxes directly; 2.x million per year from CSA 48 tax that is also paid via the property tax bill. I don't have exact numbers, sadly.
  • The county has done polling and (surprise, surprise!) when they ask people something like "Are you willing to pay more for the fire service you already get?" the answer has only 60% of people saying yes, and we'd need 66% to pass a tax increase. Argh! I'm honestly surprised support is that high. Clearly a lot of education is needed, and not just of the voters. How about a poll question like: "The dedicated fund that pays for your County Fire service is running out of money and it will shut down completely during the off season in the fall of 2013 as a result. Would you support an increase in a dedicated tax or fee to keep it running instead of shutting down? And note that if you don't have fire service you probably can't sell your home and its value will be less than that of dog spit." Oddly I suspect that support would be a bit higher than just 60% if the question is phrased properly. I apologize if I have misrepresented the polling work, but in reality polling is just about as close to a black art as you are going to find, and the answers you get are inescapably related to the exact wording of the question you ask.
  • Governor Jerry Brown is looking to impose an additional fee on home owners in SRA (state responsibility area) land of $180 per year to make up other lost funding sources. There may be a $30 reduction in that fee for those who are covered by another fire protection district like CSA 48. That fee, however, would probably not come back to County Fire in any way to support their activities as far as I can tell. Many of those living in CSA 48 will wind up paying that fee to the state, making many wonder about the public's willingness to stomach a tax increase in addition to that fee.
  • There are a few ways to save some money other than shutting down county fire entirely. As with everything (except the agenda itself) I have nothing in writing, so I am doing my best from memory to remember these. They might move some people around from administrative jobs to fire fighting roles. They might offload the program to name driveways and renumber houses to some other department. They might shut down a single station. They might shut down all of County Fire. Remember, this is off-season only... during the summer the state picks up the tab for the entire thing. (Editorial comment: the program to name driveways and renumber houses is the least liked - and possibly most stupid - program in existence. Why it still gets any funding is beyond me entirely. It should have been killed years ago. Technically it should never have been started.)
  • During discussion Chief Ferriera says something about costs vs. income. This was off the cuff, and so I wouldn't hold his feet to the fire, but what he indicated was that costs (for personnel and so on) have gone up about 3% over the last 3 years, but home values have gone down substantially during that same period thanks to the economy and housing crisis, dropping revenues. (I can confirm that last from deep, personal, and costly experience.) That may explain some or all of the reason that CSA 48 funds haven't kept up with the expenses of County Fire, though I would like a real accounting of that, and I may ask John Leopold for that information separately. We'll need it to justify any tax or fee increase to homeowners eventually in any case.
  • There was no discussion of how (or if) the volunteer fire department would continue to operate with Cal Fire shut down.
Then the public was then allowed to speak. I think those that were still left present, alive, and in possession of their full faculties made comments were reasonable and on point, suggesting to the supervisors that shutting down County Fire during the off season was not something we wanted to see. (I, personally, expressed the hope that we could actually improve our situation and get 4 fire fighters back on each engine in the off season, not just 3. Then I fled to purchase a parking pass to avoid a ticket and returned to the meeting only when that was done.) On my return I heard one nearly incoherent comment about not building cell phone antennas on top of fire stations, but I don't think that person was with "us" per-se. The last comment was from Alex Leman. He thanked those of us that were still there - and those that had arrived earlier but had to leave - and indicated that we all knew there was a long road ahead. He also provided an order on some of the proposed cost saving measures from the FDAC (Fire Department Advisory Committee?).

With the public comments ended the supervisors made more comments themselves. John Leopold thanked us for showing up en-mass and indicated he would help champion the cause. Supervisor Pirie took pains to point out where the public comments were wrong or misleading in various ways, but she did also ask someone else (name unknown to me) to discuss where county funds come from and go to. That was interesting, at least to me. Summarizing that and a few other things that were said leads to this:
  • Proposition 13 froze property tax revenues where they were when it was passed. So Santa Cruz County gets $0.13 per dollar of property taxes collected put into its general fund. Santa Clara county, by contrast, gets over $0.60 per dollar collected put into its general fund. This sort of inequity has never been addressed, and years later is causing all kinds of pain.
  • Of the $400 million or so dollars that Santa Cruz County spends per year, something like 90% comes with strings, requiring it to be spent in certain ways. Thus the supervisors are left with 10% or less that they supposedly control.
  • Of that 10%, though, there are all kinds of mandated spending that has to happen, which means there is substantially less flexibility in how they can spend money in general.
  • In short, there isn't enough money in the general fund - or anywhere else the county supervisors can get at - to "fix" this funding problem for County Fire. We have to pay for this ourselves, somehow, and to do that we're going to have to pass a tax measure of some sort in the next 18 months.
Then we came the actual voting. On the original agenda item. That blob of text up top that didn't mean anything I could understand.

With one change - asking Chief Ferriera and/or others to tell the state folks that the County of Santa Cruz needs some of that $150/$180 annual fee back somehow, or at least mention the possibility - the supervisors voted "aye" on the agenda item.

I honestly don't know what that means. As I say, the agenda item almost isn't actually written in English, and I am not at all sure what was accomplished today in any formal sense.

Less formally, though, I think the supervisors saw a lot of people from the Loma Prieta area show up on their door step and say "this sucks". How (or if) that will translate into fixes and plans over the longer term I don't know. We will, however, have to do this again and again and again. We'll have to continue to show up at these meetings and telling them that shutting County Fire down during the off season is not an option.

We will also have to campaign for whatever tax or fee finally comes out of this. We'll have to lobby our friends and neighbors over this issue, trying to get 66% of those that live in the CSA 48 area to vote yes and pay a small tax instead of paying huge fire insurance premiums and finding our houses worth next to nothing.

I hope you're all ready for more work. It's coming, whether you want it to or not.

Sunday, November 20, 2011

Dumber than a box of rocks...

Yes, I am.  Really.

In this post I discussed some surprising rainfall numbers.  Turns out, though, I totally misread the official rain gauge.  It seems that 0.20" and 0.02" are very different numbers. Go figure.


So... overall, this means that things are more-or-less normal with the gauges.  The evaporation issue is still real, and the butterfly gauge still reads a lot more than the others.

I will go hide now.  Well, once I get a disclaimer on that original post.  The spreadsheet has been updated to reflect reality.

Saturday, November 19, 2011

Unexpected Rainfall Numbers

UPDATE ON 11/20/11: this post contains an error of vast and troubling proportion: 0.20" is not the same as 0.02".  Yours truly apologizes and retracts it here.

We had something that might have been called rain yesterday.  It was very tiny drops, off and on, for hours.  My wife might have called it "measurable fog."  It was still going after dark so I left reading the gauges for this morning.  The results, though, are a surprise:
  • The "official" gauge - the one I trust the most so far - read 0.20".  That seemed to make sense to me on the level of gut feel.  Everything was wet for some time yesterday.
  • The old yellow, weather.com, and wedge gauges, though, were all either empty or showed just a trace.  Nothing measurable in any of them.
  • The butterfly gauge - which usually reads at least twice what the others claim - contained just 0.10".
How to explain that?

Well, my best guess is that we had plenty of evaporation overnight.  Things were dryish this morning, which means the water went somewhere.  And the three gauges that had only a trace also have the largest openings, making it easy for evaporating water to escape.

The butterfly gauge had more in it earlier in the day, yesterday, than 0.10".  I noted it in the afternoon when I picked up the mail, but I wasn't taking readings as it was still raining at the time.  So it must have evaporated out of there.  No one emptied it, I know that.

The official gauge is interesting.  Because it is a small cylinder enclosed in (and protected by) a larger cylinder, and since there is a funnel covering most of the interior cylinder and all of the outer cylinder, I suspect evaporation is slower.  It's a pretty small hole for the water to evaporate out of in any case, so while it can happen, it takes more time.

In short, though it seems counter intuitive, I think the official gauge wins again, and that it is design flaws in all the others that made them read too low this time around.

Not what I anticipated - particularly with the butterfly gauge - but it makes sense.

The spreadsheet has been updated with the new numbers.

Wednesday, November 16, 2011

Rain Data Now Available

So... just because a few may be interested, I have added a link to get a PDF version of the current rain totals for my home to the right hand column of this blog.  I keep the data in google docs and Google claims it gets updated within five minutes of any of my changes to the underlying spreadsheet.

This way you don't have to ask if you care.  Just go to http://powelltriangle.blogspot.com/ and click on the link.  You can see how the various gauges compare and what the total rainfall for the season is so far.  Interesting, eh?

That link, by the way, is also right here.

I should also link to the two earlier posts about this silliness:
Those posts document what I am doing and why.  Necessary background material if you are going to understand this particular oddity of my behavior.

Saturday, November 12, 2011

Rain Gauges - actual data from actual rain

As per the earlier post about rain gauges we are testing several to see how they compare.  While this isn't a scientific test, it is fun, and some people even expressed interest in it.  We had some rain yesterday, so I took pictures of the gauges this morning as I read them, and figured I'd write that up.  In summary, and in order of apparent accuracy, the gauges read:
  • 0.33" - official gauge
  • 0.32" - wedge shaped gauge
  • 0.3" - old yellow gauge
  • 0.3" - weather.com gauge
  • 0.8" - butterfly gauge
Below are the pictures of each one with some comments.

The "official" gauge, which I keep wanting to (incorrectly) call the NOAA gauge:

What you see here is the easiest gauge of all to read if the total amount of rain is less than one inch.  I didn't even remove it from the mounting bracket or pull out the central tube.  All I did was wipe the outside of the big cylinder to get rid of the condensation, point the camera, and click.  0.33" is pretty simple to read, don't you think?

Note the bird dropping in the bottom of the tube.  That might add a tiny bit too much to the total, but much less than the accuracy of 0.01", so I ignored it.  The funnel has a diameter of three or four inches, so stuff like this will fall in from time to time.

Also note that the scale on the central tube is simple and linear.  Very easy to read, and the meniscus is easy to see, even through the outer tube.

The only problem with this gauge is what happens when you have more than one inch of rainfall.  It overflows into the outer tube and you have to pour it into the central tube in portions to get the total amount.  Accuracy is still good, but convenience is not.  Then again, it can measure up to 12 inches of rain in one shot that way, which is better than anything else I've found so far.

The wedge gauge:

This is the bottom of the wedge shaped gauge.  I'm not quite holding it vertically in the picture, but it claims 0.32" of rain when held properly.

Looks a bit hard to read, don't you think?  It is, for a few reasons.

First, the embossed numbers are pretty small.  If you need reading glasses in general, you will need them to read this gauge.  Not so nice if it's still raining when you're trying to read it.

Second, the embossing isn't all that pronounced.  Getting it to show in the picture was tough.  (You can click on the picture to see the full sized view, which helps, but it still isn't easy to read.)

Third, there is no paint on the embossing.  that would make this a lot easier to read, but also add to the manufacturing costs.

Finally, and most critically in my opinion, the scale on this gauge is not linear.  Since it is wedge shaped there are places where the embossed numbers change from what you might expect.

Here's the same picture that I have hand edited in an image editor to make the English scale more obvious.

Note the numbers getting closer together as you head up the gauge.  Also note that we go from increments of 0.05" to 0.1" after the 0.2" mark.  And there are other places where similar changes happen farther up the gauge.

Reading this one isn't nearly as simple as it should be.

Accuracy is probably pretty good.  The difference between 0.33" and 0.32" is pretty much in the noise range.  Most if not all of this rain fell yesterday and in the evening, but the gauges sat out in the fog all night before they were read.  If the wedge gauge collects less fog than the official gauge, it might read slightly less just for that reason, for example.

Anyway, some paint would sure help this one.

The Old Yellow gauge:

This is the 19 year old gauge we've been using all along.  It's nice and simple, but as you can see it's a bit hard to read.

If you remember your chemistry class, though, you read the bottom of the meniscus, so that (when held vertically) is about 0.3" of rain.

The embossing is easier to read on this one than on the wedge, but still no paint.

And don't plan on reading this to anything more accurate than 0.05".  Even that is a guess in most cases, since even the slightest tilt of your hand will move the meniscus around a fair bit.

The weather.com gauge:

This gauge has a strange combination of things that make me wonder about it.

The large numbers on the front (1, 2, etc) are painted and embossed, but useless for anything except to remember which inch you're "in" when reading the thing.

The lines on the sides are painted only - not embossed - which means that they will flake off and the gauge will be unreadable as soon as the sun does it in.

When held vertically - which I am not quite doing in the picture - the meniscus was right at 0.3".  Like the yellow gauge, though, reading anything other than 0.05" increments isn't going to happen.

In all I am not sure why weather.com put their name on this thing.  I suspect a season or two and it will be unreadable, and I wonder about its accuracy.  Determining that will require a storm that gives us 3 or 4 inches of rain, so the linearity of the scale and the accuracy of the painted lines can be compared with the official and wedge gauges.

The butterfly gauge:

This is the last - and least accurate - gauge.  Though it is hard to tell from the image that tube is held just about vertically, and yes it really claims we got 0.8" of rain, where the others all said 0.3" - 0.33". 

Like the weather.com gauge, the marks on the tube are only painted on, not embossed.  That, however, is because the tube is made of glass, not plastic.  Kind hard to emboss glass like this on the cheap.

The paint will, no doubt, come off with enough UV exposure, so it would probably be useless in a couple of seasons, even it it wasn't wildly inaccurate, which makes it effectively useless now.

But why is it inaccurate?  Simple... look at the top of the tube, which is what it is hung from in that brass holder:

See that lip?  Much of the rain that lands on it runs into the gauge, but the scale is calibrated only for the inner diameter of the tube.  The net result is that the gauge collects a lot more water than it should given the scale, and the numbers are way off.

And since that lip is curved, I suspect wind has interesting affects too.  If there is no wind as the rain falls it is possible that more of the water that hits the lip winds up in the tube.  if there is wind, though, some may blow off the lip and result in a different - though still inaccurate - reading.  This is speculation on my part, but so far this gauge doesn't consistently read as a multiple of any other gauge, so there is something odd going on.

Anyway, good rain gauges have a knife-like edge at the top to clearly define the collection area, not a hazy, rounded boundary like this one.

I will keep this gauge in the set and collecting data from it though I know it is useless for real record keeping.  It is actually kind of fun to see just how far off it can be.  More than 2X in this rain, obviously, but the range of differences is fascinating to a nerd like me.

There you have it... some information on the various gauges so far.  Interesting to me, at least.  Hopefully you too.

Monday, November 7, 2011

A Man With One Watch...

How many rain gauges does one person need?

Good question, eh?  We are currently comparing five.  Yes, really.


Well... The amount of rain we get during the rainy season matters to us, since it helps us anticipate how much water we can expect our well to produce during the following Summer and Fall.

In the picture above you can see the yellow plastic one that we have been using for about 19 years. It is starting to degrade due to constant UV exposure over the years, so it will only last so much longer.  In addition, it's only good to 5" rain before it overflows.  Believe it or not we get storm systems that dump more than that on us in 24 or 48 hours regularly, and that makes it inconvenient to deal with on occasion.

My wife bought the 8" rain gauge (with the decorative butterfly) on the right some time back in the hopes that it would give us a better reading on things, but the first few rains it saw - a couple last season and the first two this season - caused us to suspect it is wildly inaccurate.  It regularly read twice what the yellow gauge showed, which caused me to start researching these things.

Eventually I settled on the other three gauges:

The one in the middle is a wedge shape, capable of measuring 6" of rain, with (apparently) high accuracy.  However, accuracy drops as the amount of rain being measured in one shot goes up.

The 6" gauge with bronze numbers is from weather.com, and while it doesn't look any more accurate than the old yellow gauge, the actual accuracy remains to be seen.

And finally the large cylinder on the left is the official gauge that every weather reporting station in the country uses.  It is capable of measuring 12" of rain, snow, or hail with (apparent) great accuracy, but it is harder to read if the total amount is over 1".  A funnel directs rainfall into an interior cylinder, which overflows into the outer cylinder.  The inner cylinder measures amounts up to 1" - easy to read down to 0.01" amounts - but you have to pour out the inner cylinder after reading it, pour the overflow into it, read, add to the total, and repeat until the outer cylinder is empty.  So it is accurate, but not simple to use in a bigger storm.

Anyway, none of these is especially expensive, so I am testing them all, right next to each other, until I know which one(s) we like the most.  Then I will get rid of the others and reduce the set.

Yes, I am insane.  Yes, I am a data nut.  But the only way to know what is going on is to have data, and unless all five gauges are wildly off, I will know in another few weeks which ones I like and why.  I'll provide a detailed report - with numbers - and links to suppliers at that time.

Sunday, September 25, 2011

Living With A Chromebook, Part 3

My other posts about the Chromebook are available here:
This post contains some additional notes on my Chromebook experience and isn't quite as upbeat as the others, I am sad to say.

Yes, I am still using my Chromebook heavily, but some flaws are more obvious to me now.

The single biggest problem for me is the feature that make the Chromebook more useful than any tablet: the keyboard.  I continue to get key bounce - duplicate letters, numbers, or symbols entered when I am sure I typed only one.  I cannot figure out the cause of this problem, and I am perpetually backspacing to delete the second appearance of whatever character it happened to this time.

Additionally there are issues with the trackpad.  I've mentioned before that the button built into the trackpad is hard to click, so I turned on tap-to-click, which helps usability overall.  That setting, however, may be the source of another problem, or it may just be my own sloppiness, but I regularly find myself staring at a screen in which large chunks of just entered text have gone away.  Perhaps one or both of my thumbs (or wrists) hit the track pad as I was typing, but whatever I did, suddenly one or more paragraphs of text just vanish, as if I had selected an area and then replaced it with my continued typing.  Except I didn't do that, at least not deliberately.

On top of all that, there is the keyboard feel itself.  The Samsung Chromebooks have a  keyboard similar to the newer Apple keyboards, with flat keys and limited key travel.  Now that I have lived on it for a couple of months I know that it is not an acceptable substitute for a "real" keyboard, at least for me.  The action is wrong, the feedback is poor, and my typing is worse on it than on a normal keyboard.

Yes, I could plug any USB keyboard into the Chromebook, but that reduces portability, and would require a mouse as well.  The combination would probably eliminate the issues mentioned above, but then I might as well use my desktop machine, which, in fact, I find myself doing when I have substantial text to type.

The combination of those issues gets old.  Perhaps some other Chromebook design will have a different keyboard and trackpad combination that works better, but I cannot claim to be happy with what Samsung built into my machine.

Another physical issue is display size.  I need a bigger screen when I am doing anything complicated, and that just isn't an option with a Chromebook.  Then again I think I would have the same problem with any laptop, so we can chalk that one up as my own issue, not one specific to the machine.

One place I can point to the machine and/or OS as having a real issue is in powering down.  The Chromebook has a very nice feature that just lets you shut the cover to turn it off, and open the cover to restart it, right where you were.  It's a sleep mode, effectively, and while it isn't new (many laptops have done it for years in other operating systems) it is very much faster than any other system I have used in this way.  But sometimes - maybe 1 out of 20 - when I close the cover it doesn't shut down.  Instead it continues to run as if nothing happened, and reopening doesn't prompt for a password, since it missed the shutdown signal entirely.  Very odd.

A work around is to actually power down, which is still quick, though not as quick as shutting the cover.  The boot is fast - another good Chromebook feature - but still not as quick as the restart, so while it will shut down this way it isn't as nice in all cases.

I continue to see some memory leaks, I think, and so I reboot once a week or so, at a minimum.  Whether that helps or not is less than clear to me.

The machine also slows down at times that make no sense to me.  My Internet connection isn't exactly speedy, so why is it that sometimes I cannot scroll a web page in one tab - possibly for two or three seconds - while the only other open tab is buffering a paused YouTube video?  It's like interrupts for incoming network traffic - or perhaps memory allocation to buffer the incoming data - are heavy enough to slow the entire system way down.  I can see this when loading non-video pages as well, but in those cases the pages I am loading tend to be large and complex, with lots of items for Chrome to fetch.  These slowdowns aren't crippling, but they do cause irritation.  I would be curious to know if others are seeing them, or if they are an artifact of my slow network connection in some way.

Finally, I think Google needs to add at least a few visual indicators to the system.  I'd like a way to know if I am getting network traffic or not, how busy the CPU is, and whether or not a reboot is required to get updates to Chrome OS installed and running.  As things stand there are no blinking lights or system monitors available, which means I don't have the feedback I need to know where problems are, or if a reboot would be a good idea.  I can't even tell if the system is in the middle of downloading an OS update when I shut down.  Not good design.

Despite the above issues I still use the Chromebook for most of my online activities.  I don't have many apps installed, but that's my usage pattern.  Overall it is quiet and adequately fast, and certainly good enough for handling email, social networking, blog reading, and the like.  That's where most home users spend their time, and I think it will work well for that audience, but there are still some rough edges and I'd really like to see Google address them.

Sunday, August 28, 2011

Up on the roof

When we had our house painted - last January, for reasons I won't go into here - we had all the seams in the vertical siding caulked up.  (Vertical siding is a PITA.  Yet another lesson learned only after buying a house with that particular "feature".  But I digress.... )  When the spring came, though, and the siding dried back out, a lot of the seams popped open, which looked ugly and was going to let water into places I didn't want it.   So a major project to complete before the rains return is to recaulk and repaint all the seams that opened up.

Most of that effort involves only paint, a brush, and a ladder of one sort or another, but there is one wall over a fairly steeply pitched roof which took a bit more care.

That roof is shingled with Hardishake (another product that sounds a lot better than it actually works out to be, sadly, and another lesson learned only after buying a house using it, but again I digress.  Oh, and the picture shows day two of the effort.   I have already been up there to recaulk the seams, but yet again I digress.)  Hardishake is slippery and fragile, so climbing on that slope without safety gear seemed like a bad idea.  The above picture shows the roof with that gear in place.  Here's what it looked like to my wife, from the ground, while I was working up there:

That's about a 10 foot fall off the roof onto concrete - if it happens - and I really wanted to avoid that particular fate.  Alas I am not a professional climber of any kind and my gear is pretty limited.  I have two good - but not locking - carabiners, some cheap rope, some nylon webbing, and I bought a climbing harness specifically for this job.  That's it.

The rest of this writeup is for Chief Alex, who wanted to see pictures of what inanity I was doing to keep myself from being his next 911 response.  The rest of you may wander off or read on as you see fit now that you've seen the above pictures.

First, I anchored my safety rig to the house, around a half inch threaded rod that is exposed and goes through multiple redwood beams before being held in with nuts & washers.  Two independent webbing anchors (orange and yellow in the picture below) are tied with doubled webbing on either side of the beam.  Each terminates in a loop tied with something similar to, but not actually, a figure 8 knot and several safety knots.  Through those two loops I tied in my safety ropes.  I had only one, but it is 100' long, so I doubled it, and tied a figure 8 knot - the world's ugliest, I admit - with a loop that went through the loops in the webbing, and then a safety not or two and then tape.  Here's the resulting mess:

The webbing anchors look like this up close:

It's not obvious - our house is an architectural oddity - but the beam and threaded rod seen above are about eight feet above a flat roof, so I can easily get there to do the setup.  Then the lines go up and over onto the roof you cannot see from those pictures, and trail down on the shingled side as seen in the first picture above.  A pad is put over the corner of the roof just above the beam to protect the ropes.  Next I put on my climbing harness and clipped in like this:

Note that each rope is paired, and that each pair ends in a figure 8 knot with a loop and a safety knot.  The white and green tape seen above was for me to track which was which if needed, and each loop is really a pair of loops, so it's all redundant.  The carabiners clip each of the loops to the harness independently.

The goal was that for nearly all the time I was working any one thing could fail and nothing bad would happen.  If I lost a webbing anchor, I had a spare.  If I lost a single rope, it was doubled to the harness.  If I lost both ropes in a pair, I had a spare pair to catch me.

As the second picture shows, the risk was that I could slip, fall, and slide off the roof.  What I needed was something to stop my slide if that happened, rather than catch my full weight on a vertical drop.  The rig I arranged managed to do exactly that, and gave me an extra bit of leverage to move around on the roof with.

A challenge was that I had 15 feet of wall I am painting, and I had to move up or down the length of the wall as I worked on it.  I managed that with the dual, paired lines.  When needed I could move uphill a bit, unclip one of the lines, tie a temporary knot with a loop in it, and clip back in on that loop as well as the end loop.  That let me keep the rope short so that if I fell I would only slide a foot or two before stopping.  And, of course, I could work the other way, starting at the top with two shorter, temporary attachment points, work, then lengthen the ropes one at a time, always being clipped in to one or the other while doing so, then moving down the roof and working some more.

The biggest risk - I think - is that I was using non-locking carabiners, and that when I unclipped from one line to reset the length I was left on a single carabiner.  At all other times I think everything was at least doubled up.  Well, I suppose the harness itself counts as a single point of failure, but it's built to take some strain.

Anyway, the work on the sloped roof is done now except for putting a ladder up to sweep the debris down with a broom.  No more walking on fragile shingles.  I already had to glue a bunch back together as a result of this excursion and numerous others that have been done by painters, roofers, Internet connection installers, and exterminators over the years.

Thanks to Chief Alex for his training when I was part of the VFD - even if I only remember a fraction of it now - so that I could setup a system that let me get this job done with confidence and some measure of safety.  He would have done it very differently, I know, but given what I had to work with I think I did OK.

Lots more projects remain to be done before the rains get here, but I don't think anything will require this sort of rig again.  

Monday, August 22, 2011

On Passwords

Multiple people have recently asked for information about how to create, use, and protect passwords.  We all have them, but - oddly - no one teaches us anything useful about them.  Some of us figure these things out, but most people never do.  And if you don't think about it, it is very easy to get into real trouble.

My goal is to help you avoid having your accounts hacked and your identity stolen.  There is a lot of information here, I know, but the topic is important.  Please read on.

First, the obligatory disclaimer:  I am not a security expert, and would never claim to be one, though I have spent enough time in high tech to be able to discuss this issue in some depth.  Hopefully I can make it clearer to you, but the subject is much deeper than even I know.  If you are interested there is a lot more to learn.  It's also important to note that even if you follow all of the best practices you can still have a password stolen or cracked. Sorry, but that's the truth.

Please consider this entire piece my opinion only, and note that your mileage may vary.

Begin At The Beginning:

The first problem with passwords is their very name: "password".  Many people think a "password" has to be a word because that's what it says.  Nope.  And, in fact, a single word - any single word - is just about the least secure thing you can use for a password. To explain why, and eventually get to how to create and protect good passwords, I will cover the following things:
  • How Passwords Work - A short overview of how a simple password system actually works.
  • How Passwords Are Compromised - How the bad guys get them without much work, without even having to guess or decrypt them, and how to protect yourself from at least some of those issues.
  • How Passwords Are Cracked - How a password is actually figured out "the hard way".
  • How To Create Good Passwords - What makes one strong and another weak.  How to create good ones reliably.
  • How To Manage Too Many Passwords - How do you remember 50 different passwords?
  • Other Thoughts on Passwords - Some other things to note in the world of passwords and security.
  • In Summary - A very quick recap.
Here we go...

How Passwords Work:

On any well designed system, passwords are stored in a text file or database table that contains your login name and an encrypted version of your password, among other things.  Here's a made up example table with those two fields separated by a colon.


Part of a password system involves some complicated program code to encrypt passwords.  An encryption routine takes a string as input and returns a different string as output, with the intent that the output string cannot easily be associated with the input string.  In the example, we can see that jeff's encrypted password is "IY67kH_1".

I won't bother with the math behind encryption, mostly because it is way beyond me.  Suffice it to say that it is very, very complicated, and there are many ways it can be done.  The goals, though, are easy to understand:
  • No one should be able to look at an encrypted string and find out what the original string was.  Even with a super computer capable of doing math very quickly and knowing the code used for the encryption, the problem - going backwards from the encrypted string to the original password - should take hundreds of years.  Incidentally, this is why you can't just get someone to look up and tell you your password on a well designed system.  It's encrypted in such a way that no one can practically reverse it.
  • The encrypted output needs to be in some standard format.  The simple example above has the output string limited to 8 characters, and allows both alphanumeric and a few special characters.
With that background, here's how a very simple password system works.  First, the system looks in its table for the user name.  If it doesn't find it, it emits an error of some kind (usually saying it's an "invalid user") and lets the user try again.  If it finds the user, it takes the password that was entered, encrypts it, and compares the result with the encrypted password that user has in the table.  If they match, the user is logged in.  If they don't match, an error is emitted saying something like "bad user name or password", and the user gets to try again.

As an example, we'll use my made up login - "jeff" - and the corresponding made up (and very poor) password "obvious".

If I enter "julie" and "bad_password", I get "invalid user" because there is no user named "julie" in the password table.  Note that the system didn't even both doing anything with the password I entered because there was no matching user.

If I enter "jeff" and "bad_password", I get an "invalid user or password" error message.  The system isn't sure if I entered the wrong user name or the wrong password.  (It is true that I entered a valid user name, but I might have entered the wrong one.  Perhaps I meant to enter "jeffa" and didn't type the final 'a' in the user name.)

if I enter "jeff" and "obvious" the user name matches a valid name, and the password, once encrypted to "IY67kH_1" matches the entry in the table, so I am allowed into the system.

Note that you cannot enter the encrypted string as your password.  If I enter "IY67kH_1" as my password when I log in, that string will be encrypted to something else, and the result won't match, so my login attempt will fail.

That's it, a very simplified version of how a password system works.  There are many wrinkles, or course: how to create a new user and their password, how to change a password, and various ways to make passwords more secure, among others, but the core of the system is there.  Your password gets encrypted into a string that can be safely stored in the system, and that string is compared with the encrypted version of the password you enter when you want to log in.  Most importantly, no one can read or see your actual password.

How Passwords Are Compromised:

The first and biggest risk most of us suffer from is making our unencrypted passwords readily available to the bad guys.  Hopefully a lot of this is just review, but the following are some of the common errors people make when dealing with passwords
  • We give our passwords to the wrong people.
  • We let others see us enter our passwords.
  • We write our passwords down.
  • Even worse, we send our passwords to others in email.
  • We use insecure computers where malware has been installed.
  • We respond to phishing attacks.
  • We enter our passwords into insecure systems or use insecure protocols to send our passwords to systems.
  • We use the same password for many systems.
These are all common sense things, but they turn out to be ways that passwords are regularly stolen by people who aren't above doing bad things with them.  Note that none of these cases talk about what your password actually is.  Though there are important issues related to password selection, the first thing you have to do is develop good "password hygiene".

The most important, and yet simplest rule of password management is never, ever, tell your password to someone you don't trust, 100%.  Period.  Can you count on that person to keep it a secret, and not let it out?  Even accidentally?  Probably not.  Even for a friend or a spouse the chances of letting it slip are high, particularly given the above list of issues. The best way to protect yourself is to keep all your passwords private all the time.

This isn't always obvious, though.  An example: someone calls from your phone company, claiming they are doing some system maintenance on your account and asking for the password you use to get into their online system.  Do not give it to them.  They should not need it.  Ever.  If for some reason you are inclined to believe them, hang up, call the company yourself, and ask someone in customer service about it.  If you make the call - to the company's 800 number - and the new person you talk to says the request is legitimate - and they do need the password - it is safer.  It's still stupid, but safer.  After all, you are about to tell your password to another human, who could easily write it down and do bad things with it later.  Any well designed system should never require a user to divulge a password to a human, particularly via some non-secure route, like over the phone.

Note that you cannot just ask the original caller for a phone number to verify things.  They could give you a number for a collaborator who will tell you exactly what they want you to hear.  Get the phone number for yourself - from the company web site, perhaps - and call that.  Only when you initiate the call to a known good phone number and are told that the request is legitimate should you consider complying.  And even then you should ask to speak to a manager and tell them that their systems are poorly designed and they should not be requiring their customers to give their passwords to strangers over the phone.

Assuming you are keeping your passwords to yourself, the next step is to avoid having others see you enter them.

When you go to the ATM you look over your shoulder before entering your PIN, right?  That's the idea, but you have to think about it all the time.  When you enter a password into your smart phone - even just to unlock it - while standing in the terminal at an airport, how many people just saw you enter that number?  And if your phone is stolen 10 minutes later, they have access to everything on it, right?  If you're in the library using a computer and someone watches you login, that account is compromised.  Your boss watches over your shoulder as you login at work... compromised.  And so on.

Those who are paranoid about these things might seem crazy.  That ATM on the street in town is risky because someone standing at a window 3 floors up across the street with a pair of binoculars and a good digital camera can read the account number off your ATM card as you put it into the machine, and see your PIN as you enter it.  Yes, really.

You have to be certain that when you enter your password - for any system - no one sees you do so.  While that sounds simple, most people don't think about it much, and the results are all around us.

Next: do you write your passwords down?  You might have dozens of them, for various sites at work and on the Internet.  Can you remember them all?  Of course not, so you write them down.  And where is that paper with the passwords save?  Under your keyboard?  In the pencil drawer of your desk at work?  Taped to your monitor?  Any passwords that are written down are, by definition, already compromised.  If you have to write them down, at least put them someplace no one can see through your windows or passing by your office door, and where they won't ever be looked for, even by a determined thief with time to kill.  But, in truth, a written password is a compromised password, and you should never write them down if you can avoid it.  There will be more on how to manage large numbers of passwords later on.

By extension, sometimes people or systems put passwords in email.  The problems with that are much, much worse than just telling the recipient the password, or writing it down.  Unless you do something special - which most people never figure out - email isn't encrypted, and it can be routed through many different computers between you and the recipient.  It can be copied, left on disks along the way, and read by various people with access to those computers along the route.  Any password in an email should be assumed to be compromised.  If you encounter an online system that sends your password out in email, first change it immediately, then send the site a note complaining about it.  Better yet, cancel your account with the site and tell them why you did so.

An exception to passwords in email is if you are resetting a forgotten password.  The site may send you a new password in email in this case.  When they do, login IMMEDIATELY and change that password to something new that was never in an email.  There are limited options in a password recovery setting, and emailing out a new password - often one that will expire quickly or that can only be used once - is acceptable, but you must follow through and change it quickly to reduce the risk that someone will get into your account with that new password before you do.

Assuming you're careful about all of those risks, then you must consider the computers you are using.

Computer viruses, key loggers, and other malware are a significant threat, and probably account for the bulk of compromised passwords.  These risks are more severe for any computer running Windows simply because there are so many of them in the world.  Some argue that Windows itself has more security holes for various reasons, and so is inherently unsafe.  My opinion is that was demonstrably true years ago, but it may be changing for the better lately.  Still, if you want access to a lot of passwords you go where they are, right?  That's Windows.  Macs are starting to get attacked as well, though, so don't rest on your laurels if you're a Mac user.  And other operating systems will eventually have the same problem if they don't already, so use caution.

As a rule, don't do anything critical on a public computer, or one whose status you don't know.  Library computers are handy, but do you know they are up to date, virus scanned, and free of malware?  Probably not, so don't do your banking there. Always exit and restart the web browser completely before using it on a public computer, and check to see that the operating system and anti-virus software are up to date as well.  If you can't tell it is up to date, I wouldn't enter any passwords - or do anything personally identifiable - while using that computer.

On your own computers you should always keep the operating system up to date and install patches as they come out, since they fix vulnerabilities that can make your machine open to viruses, key loggers, and other malware.

A key logger is a program that runs in the background and stores all of your key strokes, sending them off to someone else when something interesting happens.  If it sees a request from your web browser to a bank, stores the next 500 key strokes you enter along with the URL it saw, and sends it all to the bad guys, your bank account could be empty in the morning.

To avoid this, always run a good anti-virus program.  These can help reduce the risk that you are compromised, though they cannot completely eliminate it.  New viruses - ones not yet recognized by anti-virus software - are always popping up, so while they are a good defense, they are not perfect.  Still, they are a requirement.

Keeping your software up to date is critical.  Anyone still running IE6 or Windows XP is in serious jeopardy of having their identity stolen.  Old versions of any browser or operating system have similar issues, though.  If you are running Windows, consider running any browser other than Internet Explorer.  For a long time IE was the most used browser out there, and therefore the biggest target.  Security problems were often found in IE as a result of that market dominant role.  There are security problems in FireFox, Chrome and Opera as well, but they are different, generally less commonly encountered, and less likely to be taken advantage of.  Install one of those other browsers, keep it up to date, and use it for anything critical - like online banking - at least.  In my opinion, IE has improved, but not enough that I would trust it yet.

Another layer of protection comes from practicing "safe software".  That's an old term for being careful about how you handle data and move it between computers.  If you get an attachment in an email, don't open or run it, even if it comes from someone you know.  The sender might have an infected computer that sent you that email without his knowledge, and it could easily contain a virus.  If it is important that you view or run it, save it to disk, scan it with your up to date anti-virus software, and only proceed if it is clean.  (Some anti-virus software scans email attachments as they arrive, which is great, but caution is always best.)  If you are given a disk or thumb drive, scan all files on it for viruses too, before running or opening any one of them, for the same reason.  In fact, if you move a thumb drive or disk from a computer you don't trust to one you do, scan it for viruses before running or opening anything.  There are viruses that travel via thumb drives, for example, and can hide on the drive without affecting the files on it.

This may seem like overkill, but the number of infected computers is huge, and the number of security holes in any operating system or program is high.  You have to be as careful as possible to avoid infecting your computer with something that will give your passwords - and your identity - to someone else.  As a bonus it helps avoid viruses that do damage to your computer and files, so it is good practice in any case.

And while we're talking about these things, be extra careful about email.  Never "click through" an email to get to a website and login, even if you think it looks OK.  This is particularly critical for banking related sites.  The specific attack is called "phishing", and it is deceptively simple.

The bad guy sends you (and 10 million other people) an email that looks like it comes from your bank.  The return address is your bank, all the usual graphics are there, and so on.  You click on a link in the email and wind up at a web page that looks just like your bank's login page, so you enter your name and password.  What happens next doesn't matter, though, because you've just given your login details to the bad guys.  The email was a fake, and the web site didn't really belong to your bank.  You can bet they will be getting into your account quickly, though, and taking all the money they can get from you.  Or they might wait six months and hack you then, when you've totally forgotten about this incident.

To avoid this, do not click on links in an email, or at least don't login from pages your get to by clicking on links in email.  Bring up a browser window and enter the URL for your bank manually, then login and do whatever the email said you need to.  If you have any concerns about the validity of the email call the company in question on the phone - using a known number you got from someplace other than the email you're not sure of - and ask about it.

Sadly, there are other ways passwords are compromised, and some are harder for the average user to notice.

Some programs don't encrypt passwords when they go over the Internet.  Such systems are nearly as bad as putting your password in an email.  And if you use such a system on a wifi network you're totally hosed.  Reading packets on a wired network is pretty simple, and snooping other users on an open wifi network isn't hard either.  In short, know where your passwords are going, and be sure you are using HTTPS or other secure protocols to send them over the network.  Your browser will show you a lock icon if it is sure the site you are connecting to is using HTTPS.  If it isn't secure, be careful about entering your login and password.

Sadly, some sites use HTTP - an insecure protocol - for the login page, but use HTTPS to send the user name and password.  Thus, the page you appear to enter the login data into isn't shown to be secure by your browser, but the connection made to send the data to the server actually is secure.  I generally find these sites have a second login page that is fully delivered in HTTPS, and thus easier to recognize as secure.  Look for a link labelled "login" or something similar on the non-secure main page and see what you find when you click on that.  Complain to sites that don't obviously use HTTPS for their login page, so they will fix things to be more obviously secure.

Finally, in the realm of things that weaken your security, don't use the same password for multiple accounts.  If you do, and it gets compromised, you have a major problem.  If the login and password you used for your yahoo email account can get the bad guys into your bank, or the account you have to manage your airline rewards program, well, you brought the trouble upon yourself.  Using different passwords is critical.  Yes, it is a problem to manage and remember all those passwords, but it is a critical step to keep your data - and identity - secure.

Security of any type begins by keeping your important login information safe.  How paranoid you want to be is up to you, but the risks described here have gotten people in trouble - in real life - for years.  How many spam emails have you gotten from someone you know?  The password for some email account they have was compromised - probably in a way described above - and was used to send that spam.  It happens all the time, and sending spam is probably the least bad of the things that might happen as a result.

Even if you're careful about who you share your passwords with, the computers you work on, and so on, an account can still get stolen.  At this point we're talking about passwords themselves and how they get cracked, which is a whole different kettle of fish.

How Passwords Get Cracked:

A cracked password is one that someone figures out in some technical way, possibly by reversing the encryption, or (more likely) by guessing likely passwords until they find one that works.

In general it isn't the NSA (or some similar foreign government agency with a zillion dollars and lots of time) who wants into your account.  Instead it's some kid in the Ukraine who wants to empty your bank account, or some "friend" who wants to ruin your day.  These people have no budget to speak of, and won't bother to wait 250 years for a computer program to reverse your password.  So they go after the simple stuff and hope to get lucky.  It turns out there are lots of simple things they can do to get into your accounts, and your choices can make things easier or harder for them.

Some of these methods won't look easy to you, but they are actually pretty simple.  In many cases you can get programs to do these things for free - or very little money - in the darker corners of the Internet, and the good guys use very similar tools to check the security if networks, computers, and passwords all the time.  Also note that some are used in combination, but for simplicity I describe them individually.

The first approach is to try obvious passwords.  Many studies report that lots of people use really simple passwords, which means the hacker can try a few dozen passwords and often find a way in.  Some examples of bad passwords include: "abcdef", "password", "qwerty", "12345678", and so on.  It turns out that any simple thing for you to type or remember is just as simple for someone else to guess.  In any given system a large percentage of accounts are vulnerable to this sort of attack.  If 20% of gmail users have really obvious passwords, the only real problem is figuring out which of those gmail accounts the bad guys want to break into, right?

Another thing they can try is a dictionary attack.  It is easy to get a list of words - a dictionary - and try them all.  The bad guys try logging in with your user name and each word in the dictionary as the password until it works.  The chances of success are high because so many people use real words as their passwords.   Near the top of this article I said that any single, real word is a weak password.  Now you know why.   It can take a while to break in if they are logging in from a remote computer, but they don't do it by hand.  Instead they use a computer program to do it.  This kind of attack is disturbingly simple and effective.

There are tricks to make a dictionary style attack work faster.  If the bad guy can get the list of user names and encrypted passwords, for example, then he can look for weak passwords much more quickly.  An insider can get that data for him, a security bug might expose the data, or a poorly secured computer system might make the password table available to an earlier attack.  Once they have the table, they simply encrypt an entire dictionary once and compare the results with all the encrypted passwords in the table.  Any matches they find become hacked accounts because they know both the login name and the original password. I am simplifying a lot, but this does happen.

If someone wants to get into your account specifically, and not just any account on a system, they can try things related to you in particular.  If they know your birthday or anniversary, the names of your spouse, children, and pets, the kind of car you drive, and things like that, those turn out to be likely passwords.  Trying a bunch of them may get them into your account because so many people use things related to themselves as passwords.  Also, many of those things are regularly used as answers to security questions, which are asked when you forget your password and want to reset it.  More on that later, but if the bad guy can get the system he's hacking to reset your password to something new, he's gotten in (or kept you out), so keeping personally identifying information private is always a good idea.

If someone is really serious they might try calling you and claiming to be from the company whose site they are interested in, and ask you for your password directly, as part of some security check.  If you fall for it, you might give them the password yourself.  Or they might claim to be doing a survey and ask for the number of people who live with you, their genders and first names.  Now they have additional passwords to try.  They might call your friends and associates at work and ask questions about you, again leading to possible passwords.  They could also call your system administrator at work, pretend to be you, and ask that the password be reset, at which time they can get into your computer because they are told (or even pick) the new password.  This is called a social attack, and while it isn't common to do this to get into someone's Facebook account, it is often used to get into more important systems.  Corporate or government espionage can happen this way, as can people trying to get data from the police or other organizations with information that isn't publicly available.  Celebrities suffer these sorts of attacks as well.

To avoid most of these issues, the best defense is a good, strong, password, one that you've told no one else, that isn't associated with you in any way, and which is hard for a computer to figure out.  Any particular system may impose limits on your password choices, but the basic ways in which you can create strong passwords are pretty simple.

How To Create Good Passwords:

The best passwords are hard for computer programs to guess or figure out, but easy for humans to remember.  That leads to some obvious choices in password selection.  The longer the string, the harder it will be for a computer to reverse the encryption process, for example, so longer passwords are better.  Non-words are always better than using a single word, but multiple words is good, particularly if they are unrelated.  Using special characters, numbers, and mixing case makes the password that much harder to guess - or reverse - too.

The system you are working with may impose limits, though, many of which are particularly stupid.  Maximum length limits are a problem; older systems often limit passwords to 8 characters, for example.  Some systems won't allow spaces or non-alphanumeric characters in passwords, or perhaps just a few special characters are possible.  These sorts of systems are making your life less secure, so consider just how much you need to use them at all and avoid them if you can.  Where you have to use them, though, you have to work within their rules.

If the system has no length or character limits of any significance, you can create long passwords by using multiple real words strung together:  "zebra goldfish piano golf".  While that is just four real words, all in lower case, that phrase of 25 characters is not in any dictionary, so it isn't subject to a dictionary attack, and it isn't associated with me in any way, so it cannot be guessed from my personal information.  In addition, even though it uses only lower case letters, it's long enough that reversing the encryption on it will be very hard.  This technique - stringing together a few normal words that you can easily remember - is a powerful one, and it is recommended if the system you are using supports it.  Note that you should not use words related to the system in question, either; "password for yahoo mail" is a poor choice for your yahoo mail account.   Also note that the spaces are optional: "PeanutSystemFlagCthulhu" is a perfectly good password.

If the system you're using requires shorter passwords, the best technique I have encountered is to use the first letters of a phrase, often with some substitutions or case changes.  For example, if I remember the phrase: "This is my password.  It should be longer."  I can use the first letters to create my password: "TimpIsbl".  If I want to I can substitute something like a number 1 for an i, and perhaps a $ for an s, creating: "T1mpI$bl".  These kinds of passwords work well on systems with limitations on length and/or characters allowed.  They are not easily guessed, provided the phrase is well chosen and unrelated to you in any way, and can contain as much character diversity as whatever system you're using allows.  Pick a phrase that you will remember easily, make a couple of substitutions in it, and you're done.

Whatever you do, don't use a single, real word as a password, and don't use anything easily associated with yourself, your family, your history, or the system or company the password is related to.

Here are some other things to avoid while creating passwords:

Managing multiple passwords is a challenge, so some people use passwords that are related in some way to help remember things.  This can work, but can also introduce risks, so be careful.  If all of my multi-word passwords are of the same form:

        password 4 email
        password 4 bank
        password 4 shopping

they are much less secure.  If one gets compromised, the bad guys might start guessing at the other passwords I use with some success.  Thus, patterns in your passwords should be avoided.

Some systems require you to change your password regularly.  In my opinion this is a really poor choice on the part of the system administrators, but it does happen.  Many people using these systems can't remember their passwords since they change so often, so they do one of a few things to help remember them.  Often they write them down somewhere, resulting in a list of passwords that they just add to as they change, and making their password available to anyone finding the list.  Alternately they may use change some part of the password each time but leave the rest the same.  This can result in much less secure passwords, commonly involving dates:


and so on for a system requiring monthly changes.  These sorts of passwords are less secure than a good password that is unrelated in any way to the user (even if that password changes much less often) and they regularly get written down too.

Telling your system administrators that password rotation is a bad idea will probably get you nowhere, though, so be a good citizen and pick a new, good, password each time, preferably using one of the methods given above, and read on to learn a bit more about how to manage large numbers of passwords.

How To Manage Too Many Passwords:

I don't know about you, but I am lucky to be able to remember the number of my own cell phone, so a huge list of passwords is a real problem.  And in this day and age that huge list is all too real. Keeping them straight is a significant challenge, one that I am not certain we have resolved just yet.

Still, there are at least a couple of approaches for this sort of thing.

The first is to avoid passwords entirely whenever possible.  If an online shopping site gives you the choice, don't create an account with them.  Yes, it means you'll have to enter your data every time you come back, but you also won't have to remember another password.  An added benefit is that they may not keep any permanently stored data about you, which means there is less chance of having your data compromised if their servers get hacked.

The alternative is to create a throw-away login every time you use a site, and never come back to it.  You can use a random string as your password and not remember it at all.  If they need an email address, remember that many email systems let you add a dash and additional characters to your email address, so you can give them something unique, and later filter out all email from that site if they start sending you spam.  For example, if your email address is foobar@gmail.com, you can tell a website that your email address is foobar-xyz@gmail.com.  Then, after your business with the site is finished, you can add a filter in gmail to get rid of anything sent to foobar-xyz@gmail.com.

If you really want to sever the connection between you and the site, though, create a whole new email address with any of the free email systems, use it for one or a few transactions or sites, and then delete it.

And while you're thinking about this, you don't have to give most sites on the Internet real data about you.  They want your birthday?  Tell them you were born on January 1, 1902 and are thus well over 100 years old.  How will they know it isn't true?  Remember that any personal data you let out is something that can be used against you, to hack any less than perfect passwords, or as part of a concerted identity theft effort.  If there isn't a good reason for the site to have that data, don't give them anything real.

But even using those tactics we still have too many logins and passwords to remember.  The list is long: banks, shopping sites we use a lot, places we pay bills to, information sources, and so on, not to mention the inevitable systems at work.  In these cases you cannot create a new account each time, and thus an alternative is needed, and that alternative is called password management software.

Password management software gives you a way to store all your passwords in a safe, encrypted format.  You get at them using a master password, and then once that system is running you can copy your user names and passwords and paste them into the login pages of websites you use.  When you exit your password management system it locks up your list of passwords in an encrypted format that, in theory, only you can get at.

The security of all password management software requires that your computers are up to date and virus free.  Anything that can run at will on your computer and/or log your keystrokes means you have no security, so always, ALWAYS, patch your computers and keep your virus scanner up to date.

There are at least 2 kinds of password management software:
  • It may be installed on your computer
  • It may be a service you use over the Internet
Software installed on your computer means that no one other than those with access to your machine has any chance of getting your passwords, so it is potentially safer.  On the other hand, you can't get to your passwords from multiple computers, so if you use more than one it may be less useful.  Do an Internet search for "password manager" to find programs available that do this sort of job.  Compare them for features and read reviews before making a choice.

An online password manager does the same job as one you install on your local computer, but it is a service provided by a company, and it requires an Internet connection to use.  That may seem like a drawback, but remember that if you need passwords you're probably online already, so it generally doesn't matter.  Online services of this type let you access your passwords from more than one computer - you just need to remember your master password to get in - but your data is stored on their servers, not your local machine.  I suggest looking for services where all encryption is done on your local computer before any data is sent to the servers.  That makes the data more secure, but it usually means that the service provider cannot recover your data if you forget your master password.  A search for "online password manager" will find these services.  Again, compare carefully before making a choice.

Both locally installed and online password managers let you save user names, passwords, URLs, and often other data associated with each login you're storing.  They have user interfaces that let you copy a password without displaying it, making it impossible for someone looking over your shoulder to see what your passwords are.  Many have tools to generate new, strong, random passwords for you, so that you can create unique passwords for each site you use.  Some have the ability to automatically log you in to sites as well.  Once you store the URL and the needed login data, you can get the tool to bring up a new browser window automatically logged in to the site of your choice, usually with just one mouse click.

Password management tools are important if you have to manage many different accounts, but they all suffer from the same weakness: the master password.  If that password gets compromised, all the passwords you have stored in the service or software are at risk.  For that reason it is critical that you treat that master password with care, and that it is as strong as you can possibly make it.  Never, under any circumstances, share it with anyone, and don't write it down.

I'm not going to recommend a password manager program.  Doing so is beyond the scope of this document, and individual requirements vary substantially, but there are quite a few choices available.

Other Thoughts On Passwords:

Many online systems make use of so called "security questions" as part of a password reset system.  Basically they let you select one or more questions and tell them what answer to expect when they know who you are, and then later - if you forget your password - they ask you one or more of those questions and will do the reset if you provide the expected answer(s).  The problem with these systems is that they are inherently weak as most users deal with them.  Maybe you're given a choice of the following questions:
  • What is your mother's maiden name?
  • What was the name of your first pet?
  • Where were you born?
  • The last 4 digits of your social security number
And you give them answers like:
  • Marx
  • Groucho
  • Tuskaloosa
  • 1234
The problem, of course, is that none of that data is secure in the modern world, and yet each one of those answers is, effectively, a password, and should be treated like one.  Of course that data is easy to remember, but by this point in your life how many people know where you were born, or the answers to any of those other questions?  If you're like most of us the answer is a lot of people know these sorts of things, and many of the rest of those answers can be searched for on the Internet for little or no money.

For some reason it seems like almost every company I deal with uses the last 4 digits of my SSN to confirm my identity, and with genealogical web sites abounding, mother's maiden names are common knowledge.  In fact, the answers to most of the usual security questions are a very simple social attack away from being compromised, if they aren't already commonly known or easily searchable.

What to do?  Treat those questions just like they ask for a password, not as a request for specific data.  The computer will never know that your mother's maiden name isn't really "Cg6y_t@$fg", but the bad guys won't know that was what you answered that question with either.  Of course, now you have yet another password to remember, and this one is going to get even less use than the regular password you use to get into the site, but if you're using a password management system which lets you take notes, you can log the security questions and your chosen - nonsense - answers there, for lookup when you need them for some reason.

This may seem like a lot of effort, but it is easy to disrupt people's lives - and sometimes steal their money or identity - using password recovery systems.  Don't treat them lightly.

Another place where we get lazy - and risk compromise - is by letting our web browsers store passwords for us.  This is very convenient, of course, and at times it is just fine.  If your browser remembers your password for the local newspaper, perhaps, and it gets compromised, someone can read articles and maybe post comments as if they were you.  Not necessarily a big deal.  Things get worse, though, if your browser remembers your amazon.com password.  Now a thief can login and order things using the credit card numbers you have saved there, possibly costing you real money and time.  And if your banking passwords are stored in your browser, well, you might just as well leave your keys in the car and the engine running all the time.

Browser based password storage is fine for sites with essentially no risk as a result of a stolen computer.  But if there is anything important on a web site, don't ever let any browser store the password for you.  You have to remember it yourself, or use your password management system to keep track of it.  Anything else is asking for trouble.

And, of course, never use browser stored passwords on a shared or public computer.

ATM PINs are among the worst possible passwords in existence.  If they're limited to 4 digits there are only 10,000 possible PINs, which is way too tiny a set.  Sadly, though, ATM networks often don't deal with longer PINs.  I encountered this once, years ago, while travelling overseas.  My ATM card worked just fine in the US with my longer PIN, but was useless in ATMs where I was.  I only figured this out once I was over there, of course, and I had to go into banks to get cash.  Hopefully the banks will get a handle on this, but always be extremely careful with your ATM card.  Once lost it is a high speed route to an empty bank account.

In Summary:
  • Create good, strong passwords using the initial letters of a phrase or several unrelated words strung together.  In either case additional security comes with some character substitutions into upper case, numbers and special characters.  Be sure your selected phrase or words aren't related to you or the system in question too.
  • Never share your passwords with anyone, deliberately or otherwise.
  • Never use the same password for multiple sites.
  • Consider using password management software if you have too many passwords to remember.
Welcome to the modern world.  Ain't it fun?

Update 9/26/11: my friend David Clunie posted a blog post about this video, that discusses some of what I talk about above.  Thanks David!

Saturday, July 30, 2011

Living With A Chromebook, Part 2

In my previous post on this topic - Living With a Chromebook, Part 1 - I discussed my initial impressions of my Chromebook after about a week.  I've now had 2 more weeks on it, and have a few more things to say about it.

In general I continue to be very happy with this device.  Battery life continues to be great, and the ability to just shut the cover to shut down is wonderful.  My power bill will, no doubt, be a few dollars smaller in the coming months since I am not running the big machine all day anymore.

A few things stand out that didn't get discussed last time, or that I have additional thoughts on:
  • As I previously mentioned, I keep an encrypted file of all my passwords on the big machine, and so far I have found no way to do that on the Chromebook.   Encrypted data, in general, is probably the weak link of this device.  I am not yet aware of any Google docs encryption options, for example, so if you're storing medical records, financial data, or anything else particularly private and important you may have concerns about using your Chromebook for that purpose, and I understand the issues.  For passwords, though, I may have a solution: passpack.com.

    I am not yet 100% certain about this, but it looks very promising so far.  Passpack gives you the ability to store passwords on their servers.  Encryption is done on your end - in your browser - and they claim even they cannot recover your data if your packing key is lost.  They have a reasonable UI which works well with the cut/paste facilities on the Chromebook, so you can click a single button to copy a password into your buffer, then Ctrl-V to paste it into the website you're logging into.  It's never visible or readable.  They store user name, email, password, URL, and a general notes field with each record, among other things, so you have lots of choices.  They can recommend new passwords for your sites, and have a 1-click login facility that I have not yet played with.  Their free account lets you have up to 100 password records, and their paid accounts are not all that expensive.  As I say, this is looking very promising, and gets around the inability to store encrypted passwords on the Chromebook, at least for me.  In a few weeks I will probably be fully converted to passpack and have played with more features.  At that time I may have more to say about it.

  • A happy discovery of a few days ago: crosh, a command line shell built into the system.  It's not a fully featured Unix command line, but it has a few nice built in commands (like top) and an ssh subsystem, which means those of us who want to connect to remove servers using ssh can do so without adding browser extensions or using other machines.  Ctrl-Alt-T will get you a crosh command prompt, and from there 'help" gets you a list of commands, and 'exit' gets you out.  Alt-Tab moves between your crosh session and the browser window.  Inside crosh you can type 'ssh' to get into the ssh subsystem, and again 'help' will get you a list of ssh related commands.  For example, you can type 'user foobar' to set the user name, 'host foobar.com' to set the host name, and 'connect' to get an ssh connection to that host.  Login with whatever your remote password is and from there it's all familiar.  This is a major win for me, though most users will never bother with it.

  • If the Chromebook has a weak spot so far it is printing.  Google won't install printer drivers on the Chromebook, so you cannot talk to a printer directly.  Printing, therefore, requires a different solution... a cloud based solution.  Google has a start on this - cloudprint - but it isn't quite ready for me just yet.  The general idea is that your local printer is connected to a computer and that you can register that printer with their cloud and then print to it from the Chromebook.  Sounds good, but, the local computer has to be powered up to make that work, and the software running on that computer is currently only available for Windows and MacOS, though they say Linux support is coming.  I really don't want to have to turn on another computer to print, though.  If I do that I might just as well login to Google docs (or whatever) from there and print directly to my local printer, right?  And leaving a computer running all the time for the rare times I want to print something seems silly.

    HP has a partial solution for this issue: network connected printers that are already cloudprint aware.  They are always on and can be printed to (so I am told) by sending an email to the right address.  Don't ask me exactly how that works... I haven't printed anything from the Chromebook just yet, and it won't be happening any time soon.  I don't happen to own one of these magic printers from HP, and I don't run Windows or Macs at home, so I have no suitable servers.  In the meantime I can just fire up the big machine and print from it when I need to, I guess, but a better printing solution would be nice.  Mind you, I print rarely, perhaps a couple pages a month.  It happens so rarely, in fact, that we destroyed 4 different ink jet printers with gummed up print heads.  Ink jets need to be used to continue to work, and we simply don't print often enough to make them last.  At the moment we have a cheap color laser printer, which seems to be fine, but isn't capable of talking to Google's cloudprint service on its own.  Oh well.

  • Another minor issue is keybounce.  As I type I see regular appearances of repeated letters, but I'm not sure what is causing it.  I cannot force it to happen when I try, probably because I am paying attention more closely - so I rather suspect it is me, doing something a tad odd.  My old keyboard has keys that are about 18mm wide, but the tops are only 12mm wide, or so.  The Chromebook has keys that are 15mm wide with gaps between keys.  I suspect I am a sloppy typist and often hit keys less than straight on.  On my old keyboard a miss like that might matter less than it does here, where hitting off center probably means bouncing off the gap filler and (possibly) hitting the key a second time.  The newish Mac keyboards are very similar, and I could easily have the same issue there as well.  In any case I continue to watch this and try to figure it out.

  • Finally, for this post anyway, Spotify is the newest oddity, but it is symptomatic of a general issue.  During the past two weeks several people I know have started using Spotify, a music subscription service that seems to be all the rage.  To make it work you need to download and install an application, for Windows or Mac, naturally, but I am told the Windows version does run under Wine on Linux.  As you can guess, though, I cannot run such an application on the Chromebook, so using Spotify would mean turning on the big machine or getting out a "real" laptop.  Thus far I have resisted.  I love the portability of the Chromebook, my laptop isn't all that great in general, being ancient, and the desktop, while plenty adequate, is stuck in the den.

    What is needed is a chrome browser app for Spotify, or any similar service you might be interested in using.  I saw a couple of things that claimed to be Spotify related in the Chrome Web Store, but nothing from the Spotify service itself, and random apps always make me wonder about security issues.  So, for now at least, I am not Spotified, which may be a good thing.  However, if the available web app list grows up a bit I will probably find it available, and then maybe I will give it a shot.
That's my list of Chromebook comments for this time around.  It's still living up to my expectations - and then some, actually - but there are a few things people need to know before jumping in with both feet.  I love it, but as with all things, your mileage may vary.  Feel free to ask questions or leave comments.  I will do my best to answer them.

My other Chromebook related posts are available here: