fosdem’09

Last weekend some igalians and I went to Brussels to attend FOSDEM’09. We arrived on Friday just in time for the FOSDEM Beer Event (amazing coincidence!). In the Delirium Café I had my first epiphany about the True Spirit of FOSDEM: it is not the talks and the meetings, it is the beer. So, after that night, I could say “mission accomplished”.

Nevertheless I went further and also attended a couple of talks:

* The People Framework: it is about having a unified method to access “contacts” backends (Google, LDAP, etc.). Go Vala!
* The Hynerian Empire: it was about Rygel, a UPnP media server. Go Vala!
* Bringing geolocation into GNOME: I slept through this one.
* Tracker: Philip tried to present Tracker as the ultimate object locator.
* Xfce 4.6 and then?: it was a “What’s new” in Xfce.
* Maemo on BeagleBoard: Nokia employees say that their software also runs on other hardware.
* WebKit on ebook readers: a WebKit port for a specific embedded device.
* Ext4: what it is and what is new in Ext4, a featured Ext3.

But now that all the craziness of Brussels has gone, reviewing the whole schedule, I realise that I should have gone to other talks. These would have been my actual choices… too late…
* Wt, a C++ web toolkit, for rich web interfaces to embedded systems
* Reverse Engineering of Proprietary Protocols, Tools and Techniques
* Building Embedded Linux Systems with PTXdist
* A talk on FLOSSMetrics
* CMake – what can it do for your project
* Syslinux and the dynamic x86 boot process
* Emdebian 1.0 release – small & super small Debian
* Mozilla Headless back-end

By the way, I just loved Brussels.

password management

Being on-line means having user accounts in a lot of services, such as email, social web sites, blogs, etc. And having multiple user accounts means having to remember user names and passwords.

I know people who have only one user name and password and reuse them for all their accounts. This approach may spare you memorising a lot of different pairs of words, but it is not reliable at all: 1) if your password is compromised in one service (a leaked database, a phishing page), every other account with the same password is compromised too, and you’ll have to change it everywhere, and 2) you may forget an account if you don’t keep track of all the accounts you sign up for.

Another big issue is that most people choose passwords that are easy to remember, and those passwords are usually easy to crack.

In other words, we have two problems: 1) keeping track of all our user accounts (resource, user name and password), and 2) making sure each password is not guessable.

For the second problem you may follow hints and craft each one by hand. But I am a lazy guy and computers execute algorithms better than me. So I installed an automated password generator (apg) and let the program offer me a set of possible passwords, choosing the most appealing one. In the invocation below, -M NCL requires every password to contain at least one numeral, one capital and one lowercase letter, -t prints the pronunciation hint, and -x 8 caps the length at eight characters (rather short by today’s standards; raise it where the service allows).

$ apg -M NCL -c cl_seed -t -x 8
Awnowov6 (Awn-ow-ov-SIX)
Biuj7qua (Bi-uj-SEVEN-qua)
RyecGod9 (Ryec-God-NINE)
Ojonrag1 (Oj-on-rag-ONE)
9KnecOng (NINE-Knec-Ong)
ClagHog0 (Clag-Hog-ZERO)

Neat, don’t you think?
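As an added example (this is neither apg’s code nor anything from the original post), here is a small Python generator that enforces the same three-class rule as apg’s -M NCL, draws from the OS CSPRNG, and reports how many bits of guessing work a password of a given length represents. The entropy figure is for uniformly random characters; apg’s pronounceable passwords carry fewer bits than that, because the syllable rules make adjacent letters depend on each other. The 1e10 guesses-per-second rate used for the time estimate is an assumption, not a measurement.

```python
import math
import secrets
import string

# Character classes, named after apg's -M flags: N = numeric, C = capital, L = lowercase.
CLASSES = {
    "N": string.digits,
    "C": string.ascii_uppercase,
    "L": string.ascii_lowercase,
}
ALPHABET = "".join(CLASSES.values())  # 62 symbols


def satisfies(password: str, modes: str = "NCL") -> bool:
    """True if the password contains at least one character from every class in `modes`."""
    return all(any(ch in CLASSES[m] for ch in password) for m in modes)


def generate(length: int = 12, modes: str = "NCL") -> str:
    """Draw a password uniformly from ALPHABET with the CSPRNG in `secrets`,
    rejecting candidates that miss a required class.

    Rejection sampling keeps the distribution uniform over all valid passwords;
    'pick one digit, then fill the rest' would bias the structure instead.
    """
    if length < len(modes):
        raise ValueError("length must be at least the number of required classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if satisfies(candidate, modes):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password of `length` symbols.
    This is an upper bound for pronounceable generators such as apg."""
    return length * math.log2(alphabet_size)


def guess_time_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time to brute-force a password of `bits` entropy (half the keyspace)
    at a given rate. 1e10/s is an assumed figure for an offline attack on a fast hash."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    for _ in range(6):
        print(generate(8))
    for n in (8, 12, 16):
        print(f"{n} chars: {entropy_bits(n):.1f} bits, "
              f"~{guess_time_seconds(entropy_bits(n)):.0f} s offline at 1e10/s")
```

Running it shows why eight characters is the floor rather than the target: about 47.6 bits, which an offline attacker with a fast hash gets through in hours, whereas twelve characters already push the same attack into years.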

Now, the straightforward solution for the first problem is to write down, in a plain text file, the list of resources, user names and passwords of every user account you have. You consult this file whenever you don’t remember the account data.

As a personal choice, I use org mode in Emacs to organise the user data, because its table editor is just beautiful. Furthermore, I have several kinds of accounts to outline (web sites, email servers, WEP keys, etc.), which org mode also handles.

* web
| site                   | user         | password   |
|------------------------+--------------+------------|
| https://sitio.guay.com | mi_nick_guay | Ojonrag1   |
| ...

* email servers
| server         | user          | password         |
|----------------+---------------+------------------|
| mi_empresa.com | mi_nick_serio | ClagHog0         |
| ...

* wep
| essid          | password  |
|----------------+-----------|
| essid_del_piso | Awnowov6  |
| ...
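The file is only useful if you can look things up in it, so here is an added example (my own illustration, not the author’s tooling) of a small parser for the org-mode layout above: one “* heading” per account type, a header row, a separator and data rows. The sample text is the post’s own three tables with its placeholder values; in real use the text would be what you get after decrypting the file, never a literal in a script.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Entry:
    section: str            # the '* heading' the table sits under
    fields: dict[str, str]  # column name -> cell value


def parse_org_tables(text: str) -> list[Entry]:
    """Parse every org-mode table in `text`, one Entry per data row.

    Rules: a line starting with '* ' opens a new section; the first '|' row
    after it is the header; '|---' rows are separators; rows whose cell count
    differs from the header (such as the '| ...' placeholders) are skipped
    rather than guessed at.
    """
    entries: list[Entry] = []
    section = ""
    header: list[str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("* "):
            section = line[2:].strip()
            header = None
            continue
        if not line.startswith("|") or line.startswith("|-"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
            continue
        if len(cells) != len(header):
            continue
        entries.append(Entry(section, dict(zip(header, cells))))
    return entries


def lookup(entries: list[Entry], section: str | None = None, **match: str) -> list[Entry]:
    """Return entries in `section` (any section if None) whose columns equal every
    keyword given, e.g. lookup(entries, "web", site="https://sitio.guay.com")."""
    return [
        e for e in entries
        if (section is None or e.section == section)
        and all(e.fields.get(col) == val for col, val in match.items())
    ]


# Constructed sample: the three tables from the post, with its placeholder values.
SAMPLE = """\
* web
| site                   | user         | password   |
|------------------------+--------------+------------|
| https://sitio.guay.com | mi_nick_guay | Ojonrag1   |
| ...

* email servers
| server         | user          | password         |
|----------------+---------------+------------------|
| mi_empresa.com | mi_nick_serio | ClagHog0         |
| ...

* wep
| essid          | password  |
|----------------+-----------|
| essid_del_piso | Awnowov6  |
| ...
"""

if __name__ == "__main__":
    entries = parse_org_tables(SAMPLE)
    for e in lookup(entries, "web", site="https://sitio.guay.com"):
        print(e.section, e.fields["user"], e.fields["password"])
```

Because each section carries its own header, the same lookup works for tables with different columns (the wep table has no user column), which is the reason for keying rows by column name instead of by position.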

But now we have a problem: having a plain text file with all your passwords is even less secure than sharing one password among all your accounts. If somebody gains access to this file (a stolen laptop, a careless backup), (s)he owns every one of your accounts at once.

The solution couldn’t be simpler: encrypt the file! Well, yes, you’ll have to remember one password, but only one! GPG is the way to go. GPG supports not only asymmetric encryption but also symmetric encryption, where the file is protected by a passphrase alone, which may be handy if you don’t like, or aren’t used to, private/public keys. Nevertheless, it is worth learning how to work with asymmetric encryption. Either way, the security of the whole scheme now rests on that one passphrase, so make it long; it is the one secret you cannot outsource to a generator.

Well, if you use Emacs, you have EasyPG, which eases the GPG interaction: you don’t have to run the gpg command each time you want to read or save your file. The mode recognises encrypted files by their .gpg suffix, asks you for the passphrase when you open one, and decrypts on load and re-encrypts on save transparently.

Once you have encrypted your password file, you can put it on your home page for backup and roaming purposes. Keep in mind that anyone can then download it and run a guessing attack against the passphrase offline, with no rate limiting and no lockout, so this is exactly the case where a long passphrase matters (and where encrypting to your public key instead of a passphrase pays off, since the attacker then needs your private key as well).

Neat, don’t you think?

This post is heavily inspired by Keeping your secrets secret.