
In order to reduce my risk of being phished or otherwise having my account(s) hacked, I decided to get a YubiKey for my personal laptop. We use them at work, work is paranoid, and if it’s good enough for them it is good enough for me.

So I bought a Nano4 and a NEO. I want the Nano4 so that it just stays plugged in by default, and the NEO has NFC so it can talk to my phone and tablet if I am authenticating from there. Both of these come with way more capabilities than I need, but they are the only two keys that can stay plugged in and support NFC.

Those way more capabilities are a problem because they’re all enabled by default. One authentication method that I’m not using is OTP — long press on the Nano4, and it burps a string of characters as if I had typed them. “Long Press” is what you get if your hand rests over your USB port, if it touches your leg, etc. Yubikey made a mistake here; almost certainly, the new customers for this gadget will be people less technical than me, and (more alarming) less technical than the tech support guys at work who hand these out (preconfigured) for our use, who also didn’t have an immediate answer to this question. Nobody’s going to want OTP configured, it’s incredibly annoying.

But, here you are, like me, you have your shiny new Nano4 and it does this annoying thing. How to fix? You need the YubiKey NEO Manager.

It has a window that looks like this. When you start it with your new YubiKey (NEO or Nano4), the “Change connection mode” button will include “OTP”. It’s pretty obvious from here: click the Change button, deselect OTP from the options presented, follow instructions (the key has to be removed and inserted) and you will be done, and none of the U2F associations you’ve already made will be bothered (i.e., it will work exactly the same except that the annoying OTP typing burps will be gone).
[Screenshot: YubiKey NEO Manager window]

If you don’t need NFC, or don’t need the key always resident in the laptop (that may have been a mistake; we use them several times daily at work, but I don’t for my personal account) you can save money and avoid this by instead buying a FIDO U2F Security Key. U2F is what Dropbox and Gmail use. I’m still working on figuring out how to not use text messages to my phone, since some of these services require both phone (which can be socially hacked from your provider, though that is well beyond normal phishing). One choice for some accounts is Google Authenticator (for a Mac); to use it requires physical access to the phone, not the account.

I would add that at this point I feel a need to draw myself a graph of services and authentication methods and password managers (that can store data in the cloud on these services) to be sure that my access protection is “just right” — not so weak that it’s trivially hacked by phishing, not so strong that if I lose a single phone or key I am screwed.
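The graph described above can be checked mechanically for both failure modes. This is an added example, not part of the original post; the services, factors, devices and the `REMOTE` classification are constructed assumptions to be replaced with your own inventory.

```python
# Constructed inventory: every service, factor and device name is hypothetical.
# Each service maps to its login routes; a route needs ALL of its factors,
# and any one route is enough to get in.
ROUTES = {
    "mail":    [{"password", "u2f_nano"}, {"password", "u2f_neo"}, {"password", "sms"}],
    "storage": [{"password", "u2f_nano"}, {"password", "u2f_neo"}],
    "bank":    [{"password", "sms"}],
}

# Which physical thing each factor lives on (losing the thing loses the factor).
HELD_ON = {"u2f_nano": "laptop", "u2f_neo": "keyring", "sms": "phone"}

# Assumption: factors an attacker can obtain without touching your hardware
# (a phished password, a phone number moved by social-engineering the carrier).
REMOTE = {"password", "sms"}


def lockouts(routes, held_on):
    """Map each device to the services left with no usable route if it is lost."""
    result = {}
    for device in sorted(set(held_on.values())):
        lost = {f for f, d in held_on.items() if d == device}
        # A service is dead when every one of its routes needs a lost factor.
        dead = sorted(s for s, rs in routes.items() if all(r & lost for r in rs))
        if dead:
            result[device] = dead
    return result


def remote_takeover(routes, remote):
    """Services with at least one route made only of remotely obtainable factors."""
    return sorted(s for s, rs in routes.items() if any(r <= remote for r in rs))


if __name__ == "__main__":
    print("too strong (one loss locks you out):", lockouts(ROUTES, HELD_ON))
    print("too weak (no hardware needed):", remote_takeover(ROUTES, REMOTE))
```

In this constructed inventory the SMS fallback is what makes "mail" reachable without hardware, and the lack of any second route is what makes "bank" a lockout if the phone is lost.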

Other stuff I use to help secure my laptop: Little Snitch (intercepts network connections) and Little Flocker (intercepts file I/O — i.e., ransomware). These tools are very annoying for normal people.

Avoid Paypal

August 29, 2016


I’ve been using Paypal intermittently for years, but recently encountered a problem so severe that I am now trying to terminate my account completely. The fact that I cannot, and that they cannot tell me why (without contacting “customer service”, as if I expect that to be productive) is one of the reasons why.

What precipitated this was two things. First, I moved my primary bank account from the credit union whose only remaining branch was a 30-minute drive away, to one a short walk from work, and our credit card company “upgraded” (?) us from MasterCard to Visa. Over time I took steps to upgrade all my recurring payments and stored credit cards. Most organizations would let me know if they had been missed, and I’d fix it, and poof, it was done.

Except PayPal.

For months, every attempt to remove the deprecated (now closed) bank account produced a message “Sorry, you can’t remove this bank account because of a pending transaction. Please try again later”. Same for the defunct credit card. This continued for months. I managed to find the place where the primary bank and credit card were configured, I changed those to be the new ones. I found the place where the recurring and preauthorized transactions were listed, and I canceled all of them, and went to the vendors at the other end to update their payment methods to a credit card (happily, I have a leftover credit card from oldest child sent to college, he’s employed, married, and working on a retirement plan, and it is perfect for this – low credit limit, almost never used, this cuts the risk both to me and my credit card company should any of the recurring-payment people be less secure than we might want). So, those two accounts have been deselected from everything, all the recurring payments are shut down – and no change. Still can’t delete the dead accounts.

Note that nowhere in the message from Paypal does it suggest that I can do these other things; I did have one shot at “customer service” and they told me about making sure that the old accounts were not the primary funding source – but that didn’t work.

So, given proven incompetence on the part of Paypal, it seems pretty wise to sever all ties with them. How do I know my money is safe? It was foolish of me to ever give them access to any of my money. But when I hit the “close my account” button, I get:

Before you close your account
Sorry, there’s a problem. If you keep seeing this, please contact customer service.

I’m not entirely sure what to do next. I may talk to my bank; I really don’t like the idea of these guys having access to my money, and I’m virtually certain that in the EULA that I didn’t read I consented to binding arbitration bullshit, and that’s just way the hell too much exposure to someone else’s incompetence.

Bad noob experience with AWS

December 14, 2014

“Your recent Trac powered by Bitnami launch failed. Your requested instance type (m1.small) is not supported in your requested Availability Zone (us-east-1e). Please retry your request by not specifying an Availability Zone or choosing us-east-1b, us-east-1a, us-east-1c.”

And how, pray tell, is “retry my request” accomplished? I probed various links, none of them took me to the place where I launched from, do I need to delete this one first, or is it already dead? If I make the obvious mistake here, will it cost me money? (I don’t think it will, but there’s a gap between “don’t think it will” and “won’t”.)

And why did it let me make this request in the first place, if it was doomed to failure (I think this was all specified on an early page, why was this combo shown to me, never mind that it was chosen as the default)? And why isn’t there a help/feedback button on this page where I need help or want to give feedback?

Fortunately, I have a blog. Always remember, this is not just about public shaming of (other) bozos, this is doing them a favor by pointing out the upside potential in their products. People who care about improving their software will make it as easy as possible to file bugs, and will make it as easy as possible for the filed bugs to be informative to whoever has to deal with them.

I’m being called in as IT consultant by my wife, who uses SPSS. Today, mysteriously, it started INTERMITTENTLY failing with messages like “Serialization scheme was not recognized” and “Could not instantiate a required server object”.

My snap answer (knowing that it has Java in it, and knowing that “serialization” is a magic word) was to suspect some sort of a Java version mismatch — but I didn’t see any evidence of a recent update at all. I go looking online, and all the advice tends to revolve around Java, but none of it has been updated (I looked inside the application’s package contents, nothing looked new there, there was no other new Java on the box). One thing that looked a little peculiar was in ~/Library/Application Support/IBM/SPSS/Statistics/22/Eclipse/configuration/nl/en_US/ . There, org.eclipse.osgi and org.eclipse.update had both been touched TODAY, “right around when the problems started”.

So WTFF Eclipse doing in my wife’s SPSS “Application Support”? She does not use Eclipse.

So I shut down SPSS (took it minutes at 100% CPU, ???), moved the IBM folder over out of the way (made sibling directory “NOT”, moved IBM and the other sibling SPSS folder into NOT) and restarted. This appears to have made things better.

Update: I went ahead and paid for the update and upgraded to Pro, and it is lovely. But still…

Product annoyance du jour: a product that disables features when you exceed the (wall, not use) time limit on its evaluation, but doesn’t make it clear which features are disabled for this reason.

Annoyance number two: discovering that someone else made EXACTLY the same complaint on the previous release of the product, even down to looking for documentation on and not finding it.

Annoyance number three: after registering for the user forums (passing two spam filters on the way, plus an e-mail ping-back) discovering that I am still not allowed to post “ditto, why didn’t you fix this annoying problem for this release?” without pinging a human for permission to post.

So, having consumed my quota of annoying runarounds, I decided instead to post my complaint here, where I already have permission to post. I’m trying to decide if I’m going to upgrade anyway, or if the previous release is good enough.

This is the sort of stuff that drives me nuts. Some guy (you know it was a guy) saved himself, oh, a minute or two by not writing an error message correctly, and that means that I (another guy) must spend many, many minutes in a debugging McGuffin to try to figure out what’s really going on.

Eclipse Fall Down Go Boom

September 28, 2012

[Screenshot: EclipseCrashAgain]

Blows up before it even runs, looks like the Mercurial plugin having a bad day.

No point bothering to report the bug, it’s a pain in the ass and they never seem to fix them. Just for example, notice how the text in the picture naming the file above looks like it’s selected, so I could copy and paste it when opening an editor to look at the contents of the file? That’s a lie, like a “pull” handle on a “push” door, and it’s a long-ago-reported bug, never fixed.

I’ve been looking for an excuse to go try IntelliJ IDEA, and this just might be it.