
Category: Tools and Technology

How I Secure My MacBook Pro

Securing a computer is a balancing act. On one hand, if you go for complete security of your data, you’ll be annoyed by repeated password entries and other hassles. On the other hand, if you rid yourself of even a few of those pesky little hassles, it compromises security.

Who cares?

If you’re wondering why it even matters, think about what you have on your computer right now. I bet you have easy access to your email account(s), photos, probably a year or more of your browsing history and logged in sessions for your online banking, and who knows what else.

Would you hand your computer to a stranger, walk away for an hour and let them dig around? Of course not. Losing it or having it stolen is the same thing except it’s more than an hour, and the person with your laptop is going to be looking for more than your bathroom selfies.

It’s all about balance

I’ve got what I think is a pretty good balance now. Here’s how I’m set up:

I have a good user account password for my MacBook. It’s long, contains things other than lower case letters but it’s still memorable enough that I can type it in if required.

The user account password on a Mac is almost useless if someone gets physical control of your computer as it can be bypassed without much effort. With that in mind, I also have a firmware password set. My firmware password is not the same as my user password, it isn’t very memorable and I store it safely in 1Password in case I ever need to use it.

I also have FileVault full-disk encryption enabled. That means my full hard drive is encrypted and protected from prying eyes, even if someone clones the drive or steals my whole computer.

‘Unattended’ consequences

None of those things do much if I leave my Mac logged in and unattended. To mitigate this risk, I have fairly aggressive screensaver and lock settings. My screensaver starts after one minute and my computer locks five seconds after the screen saver is activated. Closing the lid puts my Mac to sleep and locks it immediately.

For example, if I’m sitting at my desk and don’t interact with my Mac for a minute, the screensaver starts. I have five seconds to flick the trackpad and clear the screensaver before it locks my Mac, requiring the password.

When I leave my desk, my computer is vulnerable for the first minute and five seconds which is probably not the end of the world where I work. I sometimes use the “hot corners” feature of macOS to instantly start the screensaver if I am leaving my desk, or I use Alfred to quickly start it from the keyboard.

The ‘key’ to reducing password entry annoyance

Entering my user password a few dozen times a day is a bit of a pain point, so I invested in a Yubikey 4 USB key. This little device works with macOS Sierra and when it’s plugged in to one of the USB ports on my Mac, the requirement for my user password is reduced to a requirement to enter a 6-digit numeric pin which is quick and easy to type.

1Password

As noted above, I also use 1Password to help keep all my online accounts secure. I have unique, long, unmemorable passwords on every online service I use, and I rely on the 1Password browser extension to log me into the various accounts on my Mac and the 1Password app on my iPhone.

The Yubikey 4 offers some additional convenience for 1Password. While there isn’t the full support I’d like for these types of hardware keys, the Yubikey 4 in particular can store a static password that it will enter on demand by pressing a button on the key.

I have my 1Password password stored in the Yubikey and when the 1Password extension asks for my password, I touch the button on my key for a few seconds and the Yubikey 4 types the password in for me, and hits enter. That allows me to set the lock delay for 1Password to a much shorter duration as it removes the annoyance of having to type a long password in every time I want to use the extension.

Balance achieved

Overall I’m finding this to be a workable balance. My MacBook Pro is locked and secured behind good passwords when it is unattended. When I do need to log in, the Yubikey makes it much less annoying by lowering the requirement to a PIN.

If my laptop is stolen while closed, I’m covered. The data is encrypted and locked away. My user account is safe. Inside the office, my data is safe from snoopers by enforcing a quick account lock. I never store the Yubikey with my MacBook unless it’s plugged into the USB port. If I leave my MacBook on my desk at the office, I take the Yubikey with me. When my MacBook is in a bag over my shoulder, the Yubikey is in my pocket on a keyring.

Total investment was about $40 USD for the Yubikey, $5USD/month for 1Password Family, and some time getting the various screensaver and lock timings set up.


Using ProtonMail alongside iCloud (or another free email service)

I recently made the switch to using ProtonMail on a custom domain for the majority of my email. I like that ProtonMail stores all of my email encrypted and that they use end-to-end TLS when sending and receiving email to and from most large email providers. It means that nobody should be able to snoop my email in transit, and that in the event that my account is compromised, the contents aren’t readable by anyone since they are encrypted (hello, John Podesta…this would have saved you guys bigly).

To make the switch, I’m using a bunch of email forwards to handle things like bill emails and various notifications so I don’t have to update them anymore and I can also have some of them sent to myself and also to my spouse so she knows what’s happening with our finances.

While I’d love to completely cut over to ProtonMail, switching email addresses for all my friends and family is a pain. Because of this, I’m continuing to use iCloud email for a lot of my personal emails. I’m more comfortable with iCloud than something like Yahoo or Gmail because it isn’t ad-supported. I trust Apple to maintain security of my emails. Obviously, I don’t trust someone like Yahoo or Gmail to do the same based on past experience.

That said, I also don’t want all my mail sitting in iCloud forever (just in case), so I’ve set it up to forward my mail to my encrypted box at ProtonMail automatically.

On the ProtonMail side, I use their Gmail-like filters and tags to archive and mark that mail as read, so I don’t get double notified. I tag that mail as “forwarded” so I can find it later and add other tags like “bills” to keep things nicely organized.

The one missing feature I would love to see in ProtonMail is the ability to send via outside SMTP servers so I could reply to my iCloud email within ProtonMail. I’m hopeful that we’ll see that in time, but it’s not the end of the world for now.

Other than that, I feel much more secure knowing my email is stored encrypted in ProtonMail. Over time, I’m hoping to slowly ease back on my use of iCloud and ProtonMail plus a custom domain is turning out to be a great first couple of steps towards that.


Privacy Matters

Some things you should do if you value your privacy online:

  • Stop using FB Messenger, start using Signal: Facebook is a data-mining, advertising company with (some say) ties to the CIA. Stop communicating through Facebook or Google, or SMS. It’s not private. Use Signal or at least use the secret messaging function of FB Messenger which you can choose to enable when starting a new conversation.
  • Stop using GMail, start using your own domain email: GMail, Hotmail, etc. all read your mail to advertise and build a profile on you. That’s not a good tradeoff for providing email service. Get email on your own domain from Hover, Fastmail, or ProtonMail or use iCloud instead (if you use Apple products). Bonus points if you learn about and use PGP for really important communication.
  • Stop using Google, start using DuckDuckGo: Again with the profiling. You search, Google profiles you. Everything you search for, they know about. If you are okay with that, then you should have your head examined. Use DuckDuckGo instead. The search results are just as good, and they don’t track you. Ever.

Things I Use: DuckDuckGo

“Did you Google it?” That’s a question that pretty much everyone would be able to understand and answer. To most people, that question means, “Did you search for the answer to your question online using Google search?”

Google offers a great search engine, and maybe even something akin to a general knowledge engine that can answer questions like, “how tall is Obama”, or “what time is the ballgame tonight?”

Trading your privacy for search answers

But the trade-off for users of Google is that Google takes all that data you feed into it and creates a profile of you that it then uses to push ads at you. It’s not just the Google search engine that feeds that data-eating monster either. Your email (if you use Gmail), your web browsing history (if you use Chrome) and a whole host of other things contribute to the creation of that profile.

Google knows where you are if you use an Android phone, or navigate with Waze or Google Maps. They know what music you like and what movies you watch. They know if you are sick because you search for information on symptoms. They know if you are in a relationship or have a family because they see different users from the same IP using different accounts.

That’s just the tip of the iceberg. Suffice to say, they know a ton about you. And maybe you are fine with that…or maybe not.

I’m not fine with that, and I try to avoid using Google services whenever possible to prevent Google from assembling that profile of me.

Google alternatives

There are a bunch of different services you can use that aren’t Google. Apple’s iCloud email is great and ad-free and Apple doesn’t scan your email to know how to advertise to you. Or you can get your own ad-free, private email at your own domain name through services like Hover.com (where I work).

But search is a tough one. Google search is fantastic and over the years, there haven’t been many search providers that can match Google’s search.

DuckDuckGo search

DuckDuckGo is now at a point where it’s right there with Google for 99% of the searches I do, including images and even news. When DuckDuckGo comes up short, it’s easy to re-do the search using Google Search, right from DuckDuckGo.

Additionally, most of the major browsers will now allow you to choose DuckDuckGo as the default search, including using it for the instant search dropdowns from the URL bar. Safari even automatically switches to DuckDuckGo when you enter private browsing mode.

DuckDuckGo has a few advanced features that Google doesn’t have, including what DuckDuckGo calls “bangs”. These are special searches that you can start by using a “!” and a keyword.

For example, you can search on Google from DuckDuckGo by starting your search with !g and then the search terms and it’ll open up Google and do your search there.

A full list of “bangs” is here. I often use !g for a fallback to Google Search, !maps for location searches and even !hover to do a domain search at Hover.com.

DuckDuckGo also provides “instant answers” for common searches like “15 inches in cm” or “24.99USD in CAD”. These give you the answer right up front without requiring you to click through to a website. In my experience, DuckDuckGo does a great job with these “instant answers”, often providing them in situations where I wouldn’t expect them to exist (like PayPal error codes).

We don’t track you

Of course, the most important part of DuckDuckGo is that they don’t track you. In other words, your searches aren’t tracked, and stored to build up a profile of you. Their policy in a nutshell is simple and succinct: “DuckDuckGo does not collect or share personal information.”

You can read the full text here and get a better understanding of why not tracking you is important and why you should care.

Once you’ve done that, switch over to DuckDuckGo as your default search engine for a week or two. I bet that you won’t notice much of a difference compared to Google.


Why I’m Telling Anyone and Everyone to Try Keybase.io

Encryption is something we should all be using, but it’s still too hard for the average person to understand.

Apps like Signal from Open Whisper Systems are great for basic chat where you can be sure nobody will be able to intercept and read your messages. Even iMessages are pretty well protected from prying eyes. But encrypting email and sharing files between two or more people in a secure and private manner is still really tricky to set up and use and because of that, it’s not all that common.

How many people do you know that you can send a PGP encrypted email to? How many people do you know who have even heard of PGP encrypted email?

Why does this matter?

Maybe you are in the “I’ve got nothing to hide” camp. Sure…you might think that is the case, but I’m willing to bet that you actually have plenty to hide. Criminals aren’t the only people who might want to keep things private or secret. Does your company have secrets that you wouldn’t want competitors or even your own customers knowing about?

Keybase.io website feels approachable and friendly, even to non-techie people.

Perhaps you want to be able to send your credit card or banking details to your spouse in a secure way. Or maybe your doctor will want to send your latest test results to you (and only you). With encryption, you can be sure that the contents of the email can only be read by you, even if someone else accesses your data.

Look at the recent hacks of the Democratic National Committee and John Podesta that ended up on Wikileaks. Had the DNC and Clinton used PGP encryption, whoever got their hands on those emails wouldn’t have been able to read them. No embarrassing opinions about other people in the open and no media to deal with.

You’d think someone like a US Secretary of State who was using a private email server would have been smart enough to require anyone who communicated with her to do so with PGP encryption…she could have saved herself a lot of trouble!

Be smarter than she was.

Enter Keybase.io

Keybase is a relatively new website and service that aims to put PGP encryption into the hands of more people. It combines easier ways to encrypt, decrypt and digitally sign messages with a really interesting idea around identity validation. As they say, “Keybase maps your identity to your public keys, and vice versa”.

I have a lot of identities online. I have a Twitter account, a website or two, a Hacker News and Reddit profile, and even a Bitcoin address.

Previous to Keybase coming along, it was the case that someone could look at this website and say that it was “probably” the same person as @jameskoole on Twitter.

With Keybase, the idea of “probably” the same person becomes “provably” the same person. How does it work? Like this:

If I can post a tweet to my Twitter account, then that’s me. So Keybase gave me a very specific text to tweet and then they checked for it. Similarly, if I control the DNS entries on my domain name, then it stands to reason I could put a very specific TXT record in place that they can check for. If you dig the DNS on jameskoole.com, you’ll see a TXT record that serves as my Keybase verification.
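The DNS half of that proof can be checked by anyone, not just Keybase, by resolving the domain’s TXT records yourself. The example below is added here and is not code from the post or from Keybase; it assumes the record shape Keybase publishes (`keybase-site-verification=<token>`), and the `dig +short` output, token and domain in it are constructed for the demo. It also handles the edge case that a long TXT record comes back split into several quoted chunks.

```python
"""Pull a Keybase DNS proof out of TXT records (added example, not Keybase's code)."""
import re

# Constructed stand-in for the output of `dig +short TXT example.com`. A zone
# usually carries unrelated TXT records too (SPF here), and a record may come
# back as several quoted chunks on one line, which must be concatenated.
SAMPLE_DIG_OUTPUT = '''\
"v=spf1 include:_spf.example.net -all"
"keybase-site-verification=" "CONSTRUCTED_TOKEN_0123456789abcdef"
"some-other-verification=xyz"
'''

PROOF_PREFIX = "keybase-site-verification="


def txt_records(dig_output: str) -> list:
    """Turn dig's quoted TXT output into one joined string per record."""
    records = []
    for line in dig_output.splitlines():
        # Every quoted chunk on a line belongs to the same record; honour \" escapes.
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(c.replace('\\"', '"') for c in chunks))
    return records


def keybase_proof_tokens(dig_output: str) -> list:
    """Return every Keybase verification token found among the TXT records."""
    return [r[len(PROOF_PREFIX):] for r in txt_records(dig_output)
            if r.startswith(PROOF_PREFIX)]


def proof_matches(dig_output: str, expected_token: str) -> bool:
    """The check a verifier performs: is the token that was issued actually published?"""
    return expected_token in keybase_proof_tokens(dig_output)


if __name__ == "__main__":
    print(txt_records(SAMPLE_DIG_OUTPUT))
    print(keybase_proof_tokens(SAMPLE_DIG_OUTPUT))
    print(proof_matches(SAMPLE_DIG_OUTPUT, "CONSTRUCTED_TOKEN_0123456789abcdef"))
```

To check a real proof, feed the output of `dig +short TXT <domain>` to `proof_matches` with the token shown on the person’s Keybase profile; resolving it yourself means you rely on the DNS answer rather than on the profile page’s claim.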

Here’s my Twitter “proof”, for example:

You can look at my Keybase profile to see the various identities that are “provably” me.

Encryption tools

The next big piece of the puzzle is for Keybase to provide ways to sign, encrypt and decrypt messages sent to me by others who wish to contact me securely and privately.

PGP is the key here (pun intended). OpenPGP is an open source, well-known encryption protocol that works by way of a public/private key pair. A message to me can be encrypted with my public PGP key. Once encrypted, the only thing that can decrypt that message is my private PGP key.

On Keybase, anyone can get and use my public key to create an encrypted message that only someone with my private key (in other words, only me) will be able to view. And I can do the same with anyone else on Keybase.

The idea of a PGP public key server isn’t new. But what is new is that Keybase allows users to link their online identities to those keys. So I can look someone up on Keybase by their Twitter handle and send them an encrypted message, knowing that I am sending it to the right person.

Keybase Filesystem

Encrypted messages are great, but what if you want to send data like a text file, a picture or a Word document? Keybase Filesystem (KBFS) extends Keybase and creates something like a secure, PGP-signed or PGP-encrypted Dropbox sharing service. You can see my public Keybase folder here which contains files that are automatically signed by me so you know that they come from me.

With KBFS, I can share things like passwords with others on my team at work as easily as dropping a text file into a folder. I can share files with anyone on Keybase, and those files are automatically signed (so people know they are from me), and encrypted (so only they can open and read/view them).

A lot more work to do

Is Keybase easy enough for anyone to understand and use? No. Not yet. But with a little effort and learning, I think anyone can get set up on Keybase and start messaging and sharing securely. If you don’t have a PGP key yet, Keybase will help you create one. If you already have a PGP key, then you can use that with Keybase.

Even if you don’t know how any of this works, you can send me an encrypted message. Give it a try! Go here, and enter my username (jameskoole) in the recipient box. Type your message in the Message to encrypt box and click encrypt!

You’ll see something like the text below, which is a secret message that only I can read because it’s encrypted with my public key and can only be decrypted with my private key which only I have. And because it’s just text, you can email it to me like any other email, except nobody else will be able to read it, even if they hack into my email or tap into the network along the way.

-----BEGIN PGP MESSAGE-----
Version: Keybase OpenPGP v2.0.58
Comment: https://keybase.io/crypto

wcBMA9DJBBBZz8ZHAQgAlJqAAlFGyxhHXmAxr79YQ2ZdwpR4e3PPCPgV7QTlLxpC
1cO5JDZwi0oDJ3MFCeo4XQgFKpqO5V8WwqtTbu9eqmSfDF6KHvm3f+vwtfJEomu9
bqEpT0CIIYZTW0S3soOJo3coMJBxx8eUfpgbWoz0MPR3wGfgOnGify4ikuVU8go7
YcPJB4jW0I01nUIU7rAD8+ZfbpKqAhIi6J2C6GafvCbiGAa78yAdFk227xwvyWC+
VANUpmg8oiZWibaF/3TsNXrdqLbUau1OOJv9DCmG4O5jZDCESQje2bvt239V6cWJ
ynW1QXOlhc+uJBJTuP4m4g0EVi3JP5+ffaVmfmiz8NJXAfnjehd0sHgvvD0RxGEb
HRFhoEo7GPw6J3Nn2LBYfab+xHDWGlZ5diJ/RbU5BrWyrZMEJdZhDZRM80i2wZJl
AJaLHAcbT5Spden7E7Eh0Vx+Oi9TZ19F
=vwhL
-----END PGP MESSAGE-----
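The armored block above can be inspected without any key at all, which illustrates the public/private split described earlier: the outer structure (headers, a CRC-24 checksum and the OpenPGP packet headers from RFC 4880) is readable by anyone, while the payload stays opaque to everyone but the holder of the private key. The following is an added example, not code from the post or from Keybase; it embeds the message quoted above and only parses the armor and packet headers, it does not and cannot decrypt anything.

```python
"""Inspect an ASCII-armored OpenPGP message (added example, RFC 4880 structure only)."""
import base64

# The message quoted in the post, copied verbatim. It was produced with the
# recipient's public key, so it is safe to examine: nothing below needs a key.
ARMORED_MESSAGE = """\
-----BEGIN PGP MESSAGE-----
Version: Keybase OpenPGP v2.0.58
Comment: https://keybase.io/crypto

wcBMA9DJBBBZz8ZHAQgAlJqAAlFGyxhHXmAxr79YQ2ZdwpR4e3PPCPgV7QTlLxpC
1cO5JDZwi0oDJ3MFCeo4XQgFKpqO5V8WwqtTbu9eqmSfDF6KHvm3f+vwtfJEomu9
bqEpT0CIIYZTW0S3soOJo3coMJBxx8eUfpgbWoz0MPR3wGfgOnGify4ikuVU8go7
YcPJB4jW0I01nUIU7rAD8+ZfbpKqAhIi6J2C6GafvCbiGAa78yAdFk227xwvyWC+
VANUpmg8oiZWibaF/3TsNXrdqLbUau1OOJv9DCmG4O5jZDCESQje2bvt239V6cWJ
ynW1QXOlhc+uJBJTuP4m4g0EVi3JP5+ffaVmfmiz8NJXAfnjehd0sHgvvD0RxGEb
HRFhoEo7GPw6J3Nn2LBYfab+xHDWGlZ5diJ/RbU5BrWyrZMEJdZhDZRM80i2wZJl
AJaLHAcbT5Spden7E7Eh0Vx+Oi9TZ19F
=vwhL
-----END PGP MESSAGE-----
"""

PACKET_NAMES = {1: "Public-Key Encrypted Session Key",
                18: "Sym. Encrypted Integrity Protected Data"}


def crc24(data: bytes) -> int:
    """CRC-24 used for OpenPGP armor checksums (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def parse_armor(text: str) -> dict:
    """Split armor into its headers, the decoded binary body and the stated checksum."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored OpenPGP block")
    blank = lines.index("")  # armor headers end at the first blank line
    headers = dict(line.split(": ", 1) for line in lines[1:blank])
    inner = lines[blank + 1:-1]
    data = base64.b64decode("".join(l for l in inner if not l.startswith("=")), validate=True)
    crc_lines = [l for l in inner if l.startswith("=")]
    stated = int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") if crc_lines else None
    return {"headers": headers, "data": data, "stated_crc": stated,
            "crc_ok": stated == crc24(data)}


def list_packets(data: bytes) -> list:
    """Walk new-format packet headers and describe each packet; the bodies stay ciphertext."""
    packets, pos = [], 0
    while pos < len(data):
        tag_byte = data[pos]
        if not tag_byte & 0x40:
            raise ValueError("old-format packet header not handled in this example")
        tag, first = tag_byte & 0x3F, data[pos + 1]
        if first < 192:                       # one-octet length
            length, hdr = first, 2
        elif first < 224:                     # two-octet length
            length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
        elif first == 255:                    # five-octet length
            length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body lengths not handled in this example")
        body = data[pos + hdr:pos + hdr + length]
        info = {"tag": tag, "name": PACKET_NAMES.get(tag, "other"), "length": length}
        if tag == 1 and body[0] == 3:
            # v3 PKESK: version, 8-byte ID of the recipient's key, public-key algorithm id
            info["key_id"] = body[1:9].hex().upper()
            info["pk_algorithm"] = body[9]
        packets.append(info)
        pos += hdr + length
    return packets


if __name__ == "__main__":
    parsed = parse_armor(ARMORED_MESSAGE)
    print(parsed["headers"], len(parsed["data"]), "bytes, crc ok:", parsed["crc_ok"])
    for packet in list_packets(parsed["data"]):
        print(packet)
```

Running it shows two packets: a Public-Key Encrypted Session Key packet carrying the recipient’s key ID and algorithm identifier, followed by the integrity-protected ciphertext. That key ID is the only thing the message reveals about who can read it; the session key inside the first packet is itself encrypted to that public key, so a copy of the message, or of the mailbox it lands in, gives an attacker nothing to work with. The CRC check only detects corruption in transit, not tampering; integrity against an active attacker comes from the MDC inside the second packet, which is verified during decryption.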

Check it out, sign up and learn!

I’d really encourage everyone to check out and sign up for Keybase. Maybe you know a bit about encryption, or maybe not. Use this as an excuse to get educated. This stuff really matters and as time goes by, it’s going to matter more and more.

Keybase is a service that deserves to exist and that makes acquiring and using encryption technology much simpler.

For a deeper explanation of KBFS, there’s a good explanation here that spells out how it works better than I can.

Keybase is currently available via invites only, but I’ve got a bunch. Drop me a line in the comments, or hit me up on Twitter and I will get one out to you.
