phiffer.org

Dan Phiffer builds websites, makes art, and teaches in NYC

Multi-factor authentication for busy people

Multi-factor authentication (aka “two-factor,” or “two-step,” or 2FA) is a really great way to protect yourself (and anyone you’ve ever emailed). There are excellent and detailed guides out there, but the sheer amount of information about how to do things properly can be daunting for someone who has other important things to get done. I’m not saying don’t read all the nuanced details about security, just don’t put off setting it up right now if it seems too complicated.

If you do nothing else to protect your privacy, do this. (If you do two things, start using a password manager.)

You should set up multi-factor authentication on every account that offers it, but because all of those accounts have a “password reset email” feature, securing your email account is extra important. If you use Gmail, it’s really easy, and you should literally stop and do this right now if you haven’t already. (I use FastMail as my email service provider, and they also support multi-factor authentication.)

Enable it!
  1. Go to myaccount.google.com and click “Sign-in & security”
  2. Scroll to the box that includes the “2-Step Verification” button and click on it
  3. Follow the steps to confirm your phone number (gotcha: it’s easy to confuse the “from” phone number with the code you need to type in)
  4. Click the “Turn on” link to activate the telephone-based confirmation step
  5. Print the backup security codes and stash them somewhere safe (in case future-you loses a phone)
Turn On 2-step verification

What happens next? From now on you will need your phone to sign in with your Google account. This can be inconvenient, but it will make your account much harder to hack.

Do you use an email client like Mail.app? Did that email client stop working suddenly? You may need to configure your mail client to use App Passwords. If you changed the mail client to use the App Password and it still doesn’t work, try deleting the account and setting it up from scratch. I know all of this feels like a big hassle right now, but it’s mostly something you can set up and forget about.

Extra-credit (do this later if you don’t have time right now)

There is a known attack on SMS- or phone call-based multi-factor authentication where an adversary tricks your cell phone provider into assigning your phone number to a different phone (this falls into the category of hacking called social engineering). This tactic has been used against high-profile activists, so you should consider taking one additional step to improve your security.

Set up an Authenticator app
  1. Install the Google Authenticator app or Authy
  2. Go back to that 2-Step Verification page and scroll down to the “Set up alternative second step” section
  3. Click on the “Setup” link for Authenticator App
  4. Open the app you just installed on your phone and take a photo of the QR code
  5. Your phone will show a code and a countdown timer; type that code into the web form

Well done, you did it! Or maybe you got stuck? Please get in touch and let me know what gave you trouble. And then get back to all of your amazing work.

Let’s Encrypt (updated)

Update: since this was written, the letsencrypt-auto script has improved significantly. When I tried it again today (December 8, 2015), the process was basically just cloning the GitHub repo and running ./letsencrypt-auto. I’ll leave the original (outdated) information here for posterity.

As of today phiffer.org is being served using SSL encryption thanks to a free certificate from Let’s Encrypt. It’s a recently launched service, sponsored by Mozilla and the Electronic Frontier Foundation (among others), intended to make HTTPS encryption ubiquitous on the web.

Hooray for [Let's Encrypt!](https://letsencrypt.org/)

Let’s Encrypt is very new, and there are still some rough edges, but overall I’m impressed by how smoothly the process went. I wanted to document my experience, in case it’s helpful to others (and future-me). This post is a bit more technical than usual and, because the service is new, much of it may not be relevant very long into the future. That said, I hope this might offer some clues for folks trying to get up and running on HTTPS.


Configuring jEdit

A good text editor is, by far, the most important tool for programming computers. There are many good options available, and each person has their own reasons for choosing one editor over another. On the Mac, popular choices include BBEdit, TextMate, and Coda. For modest needs, an editor like TextEdit.app can be sufficient, while some opt for a full-blown IDE like Eclipse or Xcode. Many coders still work with a console-based editor, such as vim.

I haven’t had a Windows box in so long I’m not sure what the popular choices are any more, but in college I was an UltraEdit guy.

My text editor of choice now is jEdit, which is free and Open Source. jEdit is written in Java, so it works on both Mac and Windows, and it supports many of the same features of non-free editors. It seems to be pretty obscure though, in part because getting jEdit into a usable form takes a little bit of work. Plugins must be installed, settings must be tweaked. It uses ugly non-system native Open and Save dialog boxes, but I don’t mind so much because those interfaces let you work with remote files seamlessly via SFTP (using the ‘FTP’ plugin).

I thought it would be helpful to share my preferred settings, to give my favorite editor a better first impression. Below are a few steps to help you get set up on a Mac or on Windows. Desktop Linux users can probably also follow along and improvise where things diverge from Mac OS X.

jEdit with default configuration
  1. Start by downloading and installing the latest stable release; use either the Windows Installer or the Mac OS X package
  2. Download and unzip my baseline configuration: jedit-mac.zip or jedit-win.zip (these have different default fonts and keyboard bindings defined in startup/startup.bsh)
  3. Launch jEdit once to generate some default settings, and then quit (on Windows you may also need to close the jEdit Server from your system tray)
  4. Make a backup of the default settings folder, found in /Users/[username]/Library/jEdit on Macs or C:\Users\[username]\.jedit on Windows 7; just rename the folder to jEdit.bak or .jedit.bak (note: your Library folder is hidden by default in Mac OS X 10.7 Lion)
  5. Copy my baseline configuration folder where the default one was (in your Library folder on Macs or in your home directory on Windows)
  6. Launch jEdit again, it should look a lot nicer!
jEdit with my baseline configuration applied

Some notes about what’s different in this configuration:

  • Nicer color scheme and default font (via the Editor Scheme plugin)
  • FTP plugin for seamless remote file management (use a path like sftp://user@hostname/path/to/directory)
  • Tabs UI instead of a drop-down to switch between files (via the BufferTabs plugin)
  • Project Viewer plugin lets you browse files from the sidebar
  • XML plugin provides handy HTML auto-completion, indentation, and entity conversions
  • SuperAbbrevs plugin lets you set up macros for frequently used code snippets (for example type ‘a’, then shift-tab, set a macro for hyperlinks like <a href="$1">$end</a>—now you can type ‘a’ followed by a tab and save yourself some repetitive typing)

You also get things like multi-line tab indenting and regular expression search/replace out of the box. Of course you’ll want to tweak your own setup further depending on your needs, so be sure to explore the preferences and browse the extensive list of plugins. One thing that’s also worth pointing out is that jEdit listens on a random network port when you start it up to determine if other copies of the editor are running. When I first saw this it made me wonder if I should worry that my editor had been hacked, but apparently this is normal behavior and can be disabled.