Switching to Ubuntu 12.04

I now lead a Windows-free existence. After switching to a Mac at work, I finally re-imaged my personal laptop at home. I have a Dell notebook that came with Windows 7. It’s not that Windows 7 is bad—it’s a huge upgrade compared to XP—it’s just that I really prefer using a Unix/Linux based operating system. I’m now running Ubuntu 12.04 and wanted to share a few tips that took me too long to figure out.

Full Disk Encryption

You need the alternative installer disc—not the standard Desktop installer—in order to set up full-disk encryption. They’ve done a good job hiding the link:

http://www.ubuntu.com/download/desktop/alternative-downloads

If you’re using a laptop, I personally think you’d be crazy not to encrypt your data. Also, can I suggest being a good Linux community citizen? Download the image via BitTorrent and then seed for a bit.

Amazon Instant Video

If you want to watch Amazon Instant Video, you need to install two obscure packages (hat tip to this blog post):

sudo apt-get install libhal1 hal

That’s it. Then it just worked in every browser. I probably spent two hours trying to track down this really simple solution (and I just wanted to watch a movie).

Reverse Scrolling Direction

Since I use OS X Lion at work, I’ve grown accustomed to the “natural” (reversed) trackpad scrolling. There’s no option for this in the Ubuntu System Settings pages, but there’s an easy fix if you have a Synaptics touchpad (which you probably do).

Just create a file ~/.Xmodmap and add a single line to it:

pointer = 1 2 3 5 4 7 6 8 9 10 11 12

More info from archlinux: https://wiki.archlinux.org/index.php/Xmodmap#Reverse_Scrolling

Hope that helps!

3 Lessons from the LinkedIn Password Disaster

LinkedIn made the headlines for all the wrong reasons last week. If you haven’t been paying attention, here’s a great summary of what we know. Certainly, it’s disturbing that a company with such substantial resources couldn’t follow basic security practices. Decent web developers routinely implement hashed, salted passwords on shoestring budgets. However, we all stand to learn something from this whole episode.

1. It Could Be Worse (Technically Speaking…)

Taking a step back, LinkedIn could have done worse from a technical standpoint. There are many companies who don’t even hash their users’ passwords. Every so often, I’m completely taken aback when a website emails me my own password in plaintext. This is a bad practice for two reasons: first, email is inherently insecure, and second, passwords should be stored such that they can never be recovered, just in case of a data leak. I find being emailed my own password such a troubling breach of trust that I keep track of offending websites. In 2008, VistaPrint emailed my password right after I created an account. And it happened again in 2009 after I bought concert tickets from Live Nation. I can only hope they’ve subsequently corrected their ways. Perhaps it’s more excusable from smaller operations, such as Evite and Rent.com, who revealed my passwords in 2007 and 2010, respectively. LinkedIn dropped the ball by not appending a unique salt value to each password, but I’ll give them partial credit for hashing and using the right algorithm (SHA-1 instead of MD5).
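To make the salt point concrete, here is an added example (my own illustration, not anything from LinkedIn or the original post) that stores the same three constructed accounts two ways: bare SHA-1 as the post describes, and SHA-1 with a random per-user salt. It keeps SHA-1 to match the post; the names and passwords are made up, and today a purpose-built slow password hash would be the stronger choice.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data); alice and bob chose the same password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}

def unsalted_sha1(password):
    """The scheme the post attributes to LinkedIn: one bare SHA-1 digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_sha1(password, salt):
    """Same algorithm, but a per-user random salt is mixed in before hashing."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def make_record(password, salt=None):
    """Store the salt next to the hash; the salt is not secret, only unique per user."""
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_sha1(password, salt)}

def verify(password, record):
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(salted_sha1(password, salt), record["hash"])

def shared_hash_count(stored_hashes):
    """Number of distinct hash values shared by more than one account.
    In an unsalted table every reused password is visible, and cracking one
    hash exposes every account that shares it; with salts this drops to 0."""
    return sum(1 for n in Counter(stored_hashes).values() if n > 1)

def unsalted_table(users=USERS):
    return {name: unsalted_sha1(pw) for name, pw in users.items()}

def salted_table(users=USERS):
    return {name: make_record(pw) for name, pw in users.items()}

if __name__ == "__main__":
    plain = unsalted_table()
    salted = salted_table()
    print("shared hashes, unsalted:", shared_hash_count(plain.values()))  # 1
    print("shared hashes, salted:", shared_hash_count(r["hash"] for r in salted.values()))  # 0
    print("verify alice:", verify("linkedin2012", salted["alice"]))  # True
```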

2. Users Need More Information

LinkedIn followed a common-sense approach in response to the breach. According to the company blog, they identified users whose passwords were compromised, disabled those passwords, and alerted those users so they could change passwords on other websites as necessary. But they did it quietly. Although a banner at the top of the page directs users to the company blog, LinkedIn’s official response was drowned out by news sites and social media. And when users’ concerns aren’t addressed officially, they look for answers elsewhere.

Two days after the story broke, I got an email from a family member who stumbled onto LinkedIn Answers looking to determine whether his password was among the compromised. He got this answer:

LinkedIn Answers suggests downloading the stolen password hashes and looking for your hashed password.

LinkedIn Answers: not how you want your users getting their information

He didn’t follow the advice, and I wouldn’t recommend these steps to anyone. For one, I wouldn’t want a list of stolen password hashes on my PC. Also, why would I trust a third-party website to hash my LinkedIn password? However, I’d bet some users would mistake this for an official LinkedIn response. Scary.

3. Protect Yourself

I was surprised to see this happen to such a large website, but I should not have been. No one seems to be immune to cyber attacks, as the nation’s largest defense contractor learned last year. Evidently, we need to assume the online services we use are simply not secure. There are ways to protect yourself, but not without some inconvenience. Here are some practices that I think are a nice medium between paranoia and vulnerability:

  • Use a strong password — many of the leaked password hashes that have been cracked so far were likely weak passwords and easy for algorithms to guess
  • Use a unique password for every account you’d like to keep safe — remembering dozens of passwords is hard, but you need to vary your password on sites you care about
  • Be careful whom you trust — assume that wi-fi hotspots are insecure, most websites will be hacked, and apps from companies you’ve never heard of (especially on Facebook) exist solely to steal your data

Hope that helps.