Disclaimer

The content of this blog is my personal opinion only. Although I am an employee - currently of Nvidia, in the past of other companies such as Imagination Technologies, MIPS, Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Tuesday, February 07, 2017

Focus stealing makes me less efficient at work !!!

Krazy Glew's Blog: Monday, February 15, 2016: "I can't believe that focus stealing is still the state of the art.  It causes bugs.  Accidental corruption and destruction of data. And it can be a security hole."
Add to this, something I just realized: focus stealing makes me much less efficient at work, because it makes switching to another task dangerous.

I do a lot of work that involves running background jobs scripting otherwise interactive apps.  FrameMaker today.

I like being able to monitor the progress of such apps by leaving them open in a window on a different display, so that I can watch them out of the corner of my eye.

I would love to be able to do something else while these long running apps run - e.g. read email.  Unfortunately, if the app steals focus, then what I am typing into an email sometimes gets inserted into the app.  BAD!!!

So, for more than a year - I blogged about this in Feb 2016 - I have NOT been able to switch to my email program while these scripts run, for 5, 10, 15 minutes, sometimes more.

Worse:  some time before this, IT disabled VPN access from mobile devices. Unfortunately, the only iPhone email programs that I can stand using - Triage, to which I have recently added Sift - do not use ActiveSync, only IMAP.

So, basically, I have been crippled keeping up with company email for the last year or more.

I only realized this because IT recently gave me VPN access.  And all of a sudden I am keeping up with email again, reading it when the GUI focus stealing scripts are running.

---

I used to be able to blog while such apps were running - but haven't been able to do that with this focus stealing crap.  At least not using Blogger - I don't think the "Blog This" Chrome extension is available on my iPhone.

Ditto anything, like web browsing.  Pretty much I had to leave my MacBook idle except for the "should be background" app, because of frigging focus stealing.

---

Usable phone or tablet apps allow some such task overlap.   But I still find it darned hard to write anything more than a few words on those devices.

Perhaps if I had a second laptop, or a desktop I could switch to.

You might hope that a virtual machine might work - unfortunately, the way I have configured Parallels, "Coherent", means that Windows apps steal focus from MacOS apps, and vice versa.

---

Always scripting such apps to "open -g" is unsatisfactory.  I *want* the app to pop onto its screen - essentially a notification - but without stealing keyboard or mouse focus.

Oh for the old XWindows twm "click to focus" behavior.

Friday, February 03, 2017

Password HELL: "work is low security"

The Register has an amusing series BOFH (Bastard Operator From Hell): this post Password HELL resonated:
"I'll just need your username and password to verify this," the customer rep tells me.
No, this is not another "Never give out your password" post.

What amused me was later:
"Banana47" I lie. "Capital B"
I hear a clicking sound and then:
"No, that password doesn't seem to work."
So at least it's not a ploy to shut me out permanently...
"Hmm. I'll need to look at my password book."
"You... have a password book?" he asks.
"Of course I do! Encrypted, obviously – because I'm an IT professional. What, do you think I just have one password which I use for everything?"
"No, I'm not suggesting that."
"A good thing too, because I have three passwords I use for everything – Low, Medium and High Security."
"And I'm assuming that this is low security?"
"No, work is low security, this is medium and all the personal stuff I care about is high."
"Work is LOW?!" he gasps.
Have you noticed this?

I use long high entropy passwords for my personal stuff.

As a conscientious employee, I would like to use a high entropy password for work. But often IT gets in the way:
  • The only way I can handle a really high entropy password is using a password manager. There is no way that I can remember 24 characters of [a-zA-Z0-9[:punct:]]{20,24}; heck, I can barely type that many characters reliably. Yeah, gotta use copy&paste, or insert from a password manager.  (I hope those are secure!)
  • But IT often wants me to enter my password into places where password manager insertion or copy&paste doesn't work.  E.g. these convenient ways of entering high entropy passwords did not work, for a long time, on some browsers (usually Corporate IT standard browsers) for HTTP Basic Authentication. Similarly for Cisco VPN tools.  (Although mostly fixed now.)
  • IT single sign on systems sometimes enforce lowest common denominator passwords: e.g. if some system only allows 14 character passwords, all are restricted.  Worse if it is a password replication system.
  • If you still want to use a high entropy password despite such problems, i.e. one that you have to memorize, then IT policies like "passwords must be changed every 90 days" get in the way. How many of us increment a version number in a password?  "Password change policies can weaken security" is now a meme.
  • Many systems prevent you from reusing one of the last N passwords.  That's okay - they can compare hashes.  But preventing incrementing patterns like HighEntropy.0342, HighEntropy.0442 is another matter if you have proper password security, i.e. only store hashes. Homomorphic encryption, anyone?
  • Corporate IT systems seem to require passwords to be entered much more often.  E.g. in my company I have to enter my password for VPN whenever I close and then reopen the lid of my laptop, disconnecting from wifi. (I wish there was hysteresis here - e.g. don't disconnect from wifi/VPN for a few minutes, or while I am still in the building.)  Often, e.g. every morning and lunch, I have to enter the same password back to back for VPN and then for Perforce (the centralized version control tool).  And then often again for VNC or an emacs shell session. At least not so much for web pages, given a password manager.   Password manager insertion works for some, but not all.  Copy&paste of passwords works for some, but not all. Ironically, secure copy&paste of passwords often means that the password is erased immediately on pasting, so that it is not left around for a bad guy to look at. (Better to have some sort of indication of timeout, and/or some sort of indication of who the password can be pasted into, and/or a notification like "Are you SURE you want to paste this password into this phishing webpage text box?") So, while I am willing to use hopefully secure copy&paste for passwords that I only enter once in a while, it can be too much of a slowdown for passwords that must be frequently entered.  So I memorize them.  And probably simplify them to make them easy to memorize.  Password friction frequency erodes entropy.
  • Late addition, after original post, but probably one of the biggest factors leading to weak work passwords:  my company's "password failure" policy is "3 tries, and you are locked out for 30 minutes". Compare to iPhone "6 tries => 1 minute lockout".  (iOS 7 reported as 6=>1minute, 7=>5, 8=>15, 9=>60, 10=>lock/iTunes/erase; I don't know if iOS10 does that). A weaker password for work is encouraged by the more immediate & steeper penalty for typing a bad password compared to the iPhone - although the work password penalty curve levels off, there is no equivalent of "erase everything".
Other places where that last point applies:  
  • iPhone: whereas on Android password managers can look at webpages and apps and supply passwords, it is harder to do so on iPhone. At least iPhone now mostly allows password copy&paste, and seems to have some security features like use-once. But still, has anyone else noticed that iOS encourages you to have weaker passwords?
Finally,
  • Two Factor Authentication is a darn good thing for security - ok, SMS text messages can be hacked, and I dislike time-based things like Google Authenticator. But how many Corporate IT departments support it?
This may be considered an example of your most important passwords are probably your weakest, which I have posted about before.  This is why I like this BOFH saying "work passwords are low security", even if in mockery or ironically.  My employer would probably LIKE me to create high security passwords for work. But IT gets in the way.
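To make the "they can compare hashes" point concrete, here is an added example (mine, not from the post): a password-history check that stores only salted hashes. Exact reuse of an old password is caught; the incremented variant HighEntropy.0442 after HighEntropy.0342 is not, because a hash reveals nothing about how close two plaintexts are. The one place a defender can catch the increment is at change time, when the user presents the old password in plaintext next to the new one. The PasswordHistory class, the similarity rule and the sample passwords are constructed for this example.

```python
# Added example, not part of the blog post: hash-only password history
# versus a change-time similarity check. Constructed for illustration.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # illustrative; tune per deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted slow hash: only this value is stored, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def strip_trailing_digits(s: str) -> str:
    return s.rstrip("0123456789")


def too_similar(old: str, new: str) -> bool:
    """Change-time rule, applied to two plaintexts: same stem once trailing
    digits are removed (HighEntropy.0342 -> HighEntropy.0442), or same length
    with at most two positions changed. No homomorphic encryption needed,
    because at change time the old password is in hand."""
    if strip_trailing_digits(old) == strip_trailing_digits(new):
        return True
    if len(old) == len(new):
        return sum(1 for a, b in zip(old, new) if a != b) <= 2
    return False


class PasswordHistory:
    """Keeps the last `keep` (salt, digest) pairs, newest last."""

    def __init__(self, keep: int = 5) -> None:
        self.keep = keep
        self.entries = []

    def set_password(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt)))
        self.entries = self.entries[-self.keep:]

    def current_matches(self, candidate: str) -> bool:
        if not self.entries:
            return False
        salt, digest = self.entries[-1]
        return hmac.compare_digest(hash_password(candidate, salt), digest)

    def reused(self, candidate: str) -> bool:
        """All a hash-only history can answer: was this exact string used before?"""
        return any(
            hmac.compare_digest(hash_password(candidate, salt), digest)
            for salt, digest in self.entries
        )

    def change(self, old: str, new: str) -> str:
        """Password change as the user experiences it: both plaintexts are
        presented, so the increment pattern is checkable right here."""
        if not self.current_matches(old):
            return "old_password_wrong"
        if self.reused(new):
            return "reused"
        if too_similar(old, new):
            return "too_similar"
        self.set_password(new)
        return "ok"


if __name__ == "__main__":
    history = PasswordHistory()
    history.set_password("HighEntropy.0342")
    print("exact reuse caught by hashes:", history.reused("HighEntropy.0342"))
    print("increment caught by hashes:  ", history.reused("HighEntropy.0442"))
    print("increment caught at change:  ", history.change("HighEntropy.0342", "HighEntropy.0442"))
```

The hash-only path can never see the pattern; only the change flow, which has both plaintexts for a moment, can reject it. That is also the reason such checks only compare against the immediately preceding password, not the whole history.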


Friday, January 27, 2017

Google Voice Bug Helps Me Get Fit :-(

Is Google Voice living or dying?  Who knows.

It has long standing bugs, such as not providing a correct count of messages in its icon badge:
Google Voice iOS notifications not working for new voicemail - Google Product Forums: "Google Voice iOS notifications not working for new voicemail"
Until today, I thought that the problem was that I was following the Google "archive, not search" approach.  And also that I forward SMS text messages from Google Voice to my iPhone, where I handle them in Messenger, so historically have not gone to Voice to delete or archive them there.  I even thought that this might be a feature, since the iPhone Messenger app has no archive feature - if you want to have an uncluttered screen, ya gotta delete them iPhone messages!

But for some reason today I thought that I might try to actually use Google Voice, enabling its badge count, etc.

PROBLEM: my Google Voice badge count is stuck at 1,168.

So, I thought that I might try to archive all of my Google Voice, emptying the Inbox.

PROBLEM: Google Voice has no easy way to manage large numbers of messages all at once.  It only allows you to handle one screenful at a time.

In the past I might have handled this with AppleScript.   But macOS Sierra has gotten stricter about allowing "accessibility" apps to send keystrokes and mouseclicks and read the screen.  So my old scripts don't work, and since I am switching from Mac back to PC, I did not want to spend time learning how to make them trusted.

THEREFORE, I decided to do it by hand.

Well, not quite.  I created a keyboard macro that allowed me to select and archive or delete a screenful of Google Voice messages with one button press.  And then I started dancing in front of my computer, repeatedly pressing the button.

I created the button using Quadro, a "User Interface Extension" that runs on iPhones and iPads, and allows you to create buttons that execute short sequences of osascript commands or keyboard shortcuts.

PROBLEM: Quadro cannot send mouseclicks.  AutoHotKey on a PC can, but I didn't go there.

So I danced.  Why "dancing in front of my PC"?

Well, I'm a FitBit addict.  I needed my steps.  I could not walk around while doing this, but I could stand in front of my PC, hold my iPad in my hands, and press the button while watching the screen, re-pressing every time a screenful of messages was selected and Archived.

PROBLEM:  the Gvoice badge count was not the Inbox count.  Nor the Unread count.  Nor the missed count.  Nor...

By this time, I was getting stubborn.  So I first archived, and then when that did not work I deleted, every single Google Voice message. In every folder or category.

I am happy to say I got my steps in. More than 4000 steps.

Unfortunately, with my Google Voice account totally empty, I still see 1,168 on the Google Voice badge count.

Uninstall, reinstall.  Reboot.

Ah, that did it.

So now my Google Voice account is absolutely empty.

And I reached my step goal for the day.

:-)


---

But it sucks that this app, like so many Google products, has an absolutely lousy user interface for any "maintenance" tasks like this.

Wednesday, January 04, 2017

Google Cookie Notice

Blogger: Krazy Glew's Blog - All posts: "European Union laws require you to give European Union visitors information about cookies used on your blog. In many cases, these laws also require you to obtain consent.

As a courtesy, we have added a notice on your blog to explain Google's use of certain Blogger and Google cookies, including use of Google Analytics and AdSense cookies.

You are responsible for confirming this notice actually works for your blog, and that it displays. "
Google tells me I am responsible for verifying the cookies notice... but they also tell me "If you use a custom domain, you won't see the notice outside of the EU." Well, I do use a custom domain, and I can't see the cookies notice because I am not in the EU. I don't think I have modified anything that would affect Google's cookies, but shit happens - if it isn't tested, it probably doesn't work. So, how do I test it? Pay for a VPN to make me look like I am coming from the EU? Run my browser through TOR?

Since you, Google/Blogger/Blogspot, are adding the cookies, YOU are responsible for verifying that the cookie notice works.

Heck - I would actually like to post this cookies notice for all viewers of my blog, not just EU viewers.

I hate video "documentation"

What's New in Security - WWDC 2016 - Videos - Apple Developer - Leave feedback for videos.
I hate video documentation. E.g. this video about "What's new in Sierra security", referred to by a stackoverflow post.

OK, this is a bit unfair: it is great to have videos of WWDC presentations. Especially if there is also some non-video format - slides, or webpages, or whatever - of about the same info.  And it is probably better than nothing.

But nevertheless, I hate videos. I avoid them when I can.  Both when looking for programming documentation, but also when shopping.   I have lost count of how many Kickstarter and IndieGogo projects I thought I might be interested in but did NOT fund, because they had little or no explanation of the project except for the apparently-now-mandatory video.

Why I hate videos:
  • I can read faster than I can watch and listen
  • It is hard to random access videos.
(Q: is there a good "video indexer", especially designed for slide presentations? E.g. that will show an index of thumbnails of the critical slides? E.g. that will recognize slides that are projected at a conference, and isolate them? Perhaps allowing jumping back and forth between the "static" view and the "dynamic" video view? E.g. that can work in my browser, for Youtube videos, and things like this WWDC presentation? Heck, while we are at it one that does voice recognition, (a) with a text transcript cross-indexed with the thumbnails of slides (or particularly important changes of scene), and/or (b) since voice-to-text is not that reliable, that allows searches of the voice - so that you can search for when the presenter says "delete".)
Basically, videos slow me down.

But, the thing that I hate most about videos right now, at this very moment:
  • I am in a restaurant, working while eating breakfast - and I forgot my earphones (earbuds or headset). I don't want to annoy the people around me by playing a video out-loud.  Same thing applies at work.  Although at work I am more likely to have headphones, nevertheless it is a hassle, more friction, to have to set them up when I want to look at "documentation" presented as a video.
Steve Yegge tells us that Jeff Bezos hates PowerPoint - he outlawed it years ago. I wonder what Jeff Bezos would do if a project proposal were presented as a video?


Friday, December 23, 2016

Passing command line arguments from host command line to guest

It looks like VirtualBox guestcontrol makes it easier to pass command line arguments and environment variables to an application started on the guest.

Unfortunately, Parallels does not.

More and more I regret having chosen Parallels instead of VirtualBox.

I will switch as soon as possible.

VBoxManage guestcontrol start [--exe] [--putenv] [--unquoted-args]

Wednesday, November 30, 2016

Your most important passwords are probably your weakest passwords

Have you ever noticed that your most important passwords are your weakest passwords?

Most of my passwords are random 20, 24 or 32 character letter+number+symbol passwords. Stored in a password manager, because I can't remember them. Several hundred, different for each site. For that matter the account names and email are mostly different. Automatically entered into websites when I say okay. I am less happy when I have to cut and paste passwords, because clipboards can be a security hole. Anyway, not only do I not need to remember these passwords, but I don't have to type them in.

So, consider the passwords left over.

First, (1) the password for the password manager itself. My most important password. Because I have to remember it, and type it on at least 2 different keyboards - phone, laptop - it probably has less entropy than most of the passwords in my password manager.

Worse: it is long enough and hard enough to type that I have more than once hit "show me my password as I type it", when repeated tries fail.  So any camera looking over my shoulder may have captured it from the screen.  Like a security camera in an airport.

Of course, even without "show me my password", a camera may see your typing.

Change it frequently, but then entry errors rise.

When I have trouble entering my password, it usually arises on my iPhone keyboard. Good passwords are easier to type on a full keyboard.  Not only are mobile phone keyboards, and in particular Apple's iPhone keyboards, cramped and likely to produce wrong key errors - but you also have to shift to get numbers and symbols. Sometimes multiple shifts.


Oh, and you probably should have audible keyclicks turned off. Have you noticed that Apple provides a different click for the shift key that changes between lowercase, uppercase, numbers, and symbols?  I am sure anyone with a microphone can record that and greatly reduce the password search space.  Even without different clicks, inter-key delay provides a lot of attack info.


Recently I have had to do a factory reset and reinstall from scratch on my Apple iPhone 3 times within the same month.  (I think/hope the iPhone flash storage has errors - or else the iOS apps are full of bugs that may become security holes.)

Doing this has driven home how many times you have to type in (2) the password for the device itself, and (3) Apple's iCloud password.

Now, device passwords, such as for your phone or tablet or laptop, of necessity need to be typed in a lot. One of the best things about fingerprints is that, ideally, you can use the fingerprint to reduce the number of times you have to type in the long password - and hence make the full password stronger.  My password manager does that.  But... Apple does not. At least not for 48 hours or next power-cycle.

So, we will give device passwords a pass. Ideally, you have them physically secure, and you aren't rlogin-ing in to them.  Ideally, there is a different, stronger, password for remote access...


Moving on to (3), the Apple iCloud password, and other cloud passwords. You have to type it in a lot, not only during install, but also when installing apps.  Plus Apple, in their infinite wisdom, has made it difficult to use password managers with it.  (Note: I don't use Apple Keychain much.)

So, the Apple iCloud password is arguably comparable in importance to your iPhone password, and more vulnerable. More vulnerable, because the iCloud password can be entered by an attacker into Apple's webpages, i.e. it can be entered remotely.  Only arguably comparable in importance, because while the iCloud password controls a lot of stuff, your device password probably controls access to some of your 2-factor authentication.


Those are probably my most important passwords:

(1) password manager

(2) device

(3) iCloud.


Interestingly, my Google password is not in this list in category (3), even when I use an Android device. Google seems to be friendlier to password managers than Apple is, probably because of its web.site DNA.

My Microsoft password may be in category (3).  I don't use it enough to be sure, although from one situation in a Microsoft store I think they have made some of their services uncooperative to password managers, and hence encouraging of weak passwords.


Finally, (4) my company password.  Often entered, often uncooperative with password managers, e.g. in Microsoft Windows login, Exchange, VPN, Perforce. Often enough that I have simply had to memorize it - and it is therefore weaker than I would like.  It doesn't piss me off as much, because it's the company's secrets that are at risk, not so much my own.  I have encouraged IT to use a better password system, friendlier to password managers - and IT's response has been to require that the password be changed more often.  Which makes it harder to remember.  Which encourages me to weaken the password.

---

Now, having listed these, I have probably opened myself up to attack.  Blargh.

---

Backing up: it is harder to enter a good password on a mobile device touch keyboard than on a physical keyboard.


Key clicks are bad. Different keyclicks for different keys are really bad, even if just "clack" for shift key and "click" for all other keys.


But even without keyclicks, shift keys make it harder to enter good passwords.

Ideally, high entropy passwords would be a random combination of A-Za-z0-9~`!@#$%^&*()_-+={}[]||"'<>,?/:;.  (I don't think many systems allow control characters in passwords. Non-English unicode? Notice that your iPhone keyboard has characters that are a pain to type on a USASCII keyboard? How about emoji?)

Uniformly weighted.

(With easy to attack patterns pulled out - e.g. all 0s can be produced by a random password generator. But I still would not use it as a password.)


Roughly speaking, there are circa 4*26 characters for passwords. If the keyboard is sitting on lowercase letters, there's a 75% chance that the next random character will need a shift key. And so on.  Roughly speaking, you would have to hit 1.75 keys for every random character in your password - and that does not even include the times you have to hit number shift then symbol shift.


I posit that part of the difficulty of typing a password is the number of keys you have to hit.  The raw physical activity.  Not just the memorization.  So if truly random passwords require 1.75 keys per character, I posit that users may prefer to use passwords that are 4/7s the length of what they might use on a keyboard that required fewer shifts.  (Note: I think physical keyboards are less onerous in this regard than thumb keyboards.)

E.g. instead of 28 characters, Apple's crippled keyboard might lead to users creating passwords that are only 16 characters long.   21->12.  14->... no, that's horrible!!!

Do the math: the longer password from the smaller alphabet can be a win.  But 1.75x is probably an overestimate for the increased difficulty.

I posit that, for the passwords you have to enter on Apple iPhone keyboard, you might be wise to reduce the frequency of shifts.  Not eliminate them.  And not fixed length groups of the same shift.  But perhaps pull from a distribution that does not create quite so many shifts.  Where the average touches per character of the password is more than 1, but less than 1.75.

And use a haystack.


Perhaps random password generators should take this into account: the typing efficiency of the password. On what is probably the worst keyboard for typing, the Apple iPhone.
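Here is the "do the math" carried through as a small model. This is an added example, mine and not from the post; it reproduces the 1.75 keys per character figure and then goes a bit beyond the post, to layer distributions that are not uniform and to layer switches that cost more than one touch. Assumptions: four keyboard layers of roughly 26 keys each ("circa 4*26"), and a keyboard that stays on whatever layer the previous character used, which is the same simplification behind the 75% figure (a real iPhone drops back to lowercase after one shifted letter). The layer sizes and the switch-cost table are constructed, not measured.

```python
# Added example, not part of the blog post: touches per character and
# entropy per touch for passwords typed on a layered (shift-heavy) keyboard.
import math

LAYERS = ["lower", "upper", "numbers", "symbols"]
SIZES = [26, 26, 26, 16]   # keys on each layer, constructed (94 printable total)

# Extra touches to get from layer i (row) to layer j (column); 0 on the diagonal.
UNIT_COST = [[0 if i == j else 1 for j in range(4)] for i in range(4)]
# Constructed iPhone-like table: lower -> symbols needs "123" then "#+=",
# numbers -> upper needs "ABC" then shift, and so on.
IPHONE_COST = [
    [0, 1, 1, 2],
    [1, 0, 1, 2],
    [1, 2, 0, 1],
    [1, 2, 1, 0],
]


def touches_per_char(p, cost):
    """One touch for the key itself plus the expected switch cost, where p[i]
    is the probability that a character comes from layer i and the keyboard
    is assumed to still be on the previous character's layer."""
    return 1.0 + sum(p[i] * p[j] * cost[i][j] for i in range(4) for j in range(4))


def bits_per_char(p, sizes=SIZES):
    """Entropy of one character: pick a layer with probability p[i], then a
    key uniformly within that layer."""
    return -sum(pi * math.log2(pi / n) for pi, n in zip(p, sizes) if pi > 0)


def bits_per_touch(p, cost=UNIT_COST, sizes=SIZES):
    return bits_per_char(p, sizes) / touches_per_char(p, cost)


def touches_for_bits(target_bits, p, cost=UNIT_COST, sizes=SIZES):
    """Length needed to reach target_bits of entropy, and what it costs in touches."""
    length = math.ceil(target_bits / bits_per_char(p, sizes))
    return length, length * touches_per_char(p, cost)


UNIFORM_4 = [0.25] * 4                          # the post's model: 1.75 touches/char
UNIFORM_94 = [n / sum(SIZES) for n in SIZES]    # every one of the 94 keys equally likely
LOWER_ONLY = [1.0, 0.0, 0.0, 0.0]               # smaller alphabet, no shifts
MOSTLY_LOWER = [0.55, 0.15, 0.15, 0.15]         # "not quite so many shifts"

if __name__ == "__main__":
    cases = [("uniform over layers", UNIFORM_4), ("uniform over keys", UNIFORM_94),
             ("lowercase only", LOWER_ONLY), ("mostly lowercase", MOSTLY_LOWER)]
    for name, p in cases:
        for cname, cost in [("unit", UNIT_COST), ("iphone", IPHONE_COST)]:
            length, touches = touches_for_bits(80, p, cost)
            print(f"{name:20s} {cname:6s} bits/char={bits_per_char(p):.2f} "
                  f"touches/char={touches_per_char(p, cost):.2f} "
                  f"80 bits -> {length} chars, {touches:.1f} touches")
```

Under this model an 80-bit lowercase-only password is 18 characters and 18 touches, while an 80-bit password drawn uniformly from all 94 keys is 13 characters but about 23 touches; the biased "mostly lowercase" distribution lands in between on bits per touch. Whether a site's composition rules let you pick the cheaper option is a separate question.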

===


Of course, the real fix to the problem of passwords is to get rid of most passwords.

In the 1990s I wrote up an invention disclosure for my then employer, Intel, for what I called a "security amulet".  I don't think Intel did anything with it.

The basic idea was to have something you wear. Like an amulet around your neck, or a watch. Possibly surgically implanted. Physical security being part of it.

The security amulet would be net.connected.  Your amulet's address would be registered as part of your identity.  When you try to log in to a website, the website contacts your security amulet.  The amulet asks you "Do you want to log in to your bank?"  You confirm, or deny.

The amulet could store passwords. Or a time varying code like Google Authenticator.  Better yet if it does challenge response, public/private key style.

The thing you are trying to log into could connect over the net.  Or you could be disconnected from the net, and logging into a device locally, without going through the net. E.g. bluetooth - back in the day, I liked body area networks, e.g. skin conductivity, between amulet and keyboard.  Or you could do both: triangle device<--internet-->website<--internet-->amulet->localnet<-->device.  Verify not just that somebody in possession of your amulet approves, but that the amulet is also physically close to the device where the action is taking place.  (Unless spoofed, of course. Time delay?)

You authenticate to your amulet... howsoever you want.  Some amulets might require you to type a password in once a day.  Some might use biometrics like fingerprint.  Some might monitor your pulse, to detect when you have taken the amulet off.  Some might check DNA.  Some might do nothing. The point is, once the protocols between device, service, and amulet are established, then innovation can happen between the user and the amulet.  Whereas nowadays we are all constrained by what Google, etc, accept.  The largely time based authenticator apps are better than passwords.  Watch authenticator apps are better still.  But still not there.
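The device / service / amulet exchange described above, written out with both sides' messages as an added example (mine, not from the post). Assumptions: the amulet holds a per-service key and asks its wearer before answering; the service keeps a table of outstanding challenges so that each one is answered at most once and only within a short window, which is one answer to the "time delay?" question. The post prefers public-key challenge-response; the Python standard library has no signatures, so an HMAC over the challenge stands in here, and the shape of the exchange is unchanged with a signature in its place. The proximity check (amulet near the device) is not modeled.

```python
# Added example, not part of the blog post: challenge-response login through
# a wearable "amulet", with single-use challenges and an expiry window.
# Keys and service names are constructed for illustration.
import hashlib
import hmac
import os
import time


class Amulet:
    def __init__(self, keys, ask_wearer):
        self.keys = keys              # service name -> shared key (constructed)
        self.ask_wearer = ask_wearer  # callback: prompt text -> True/False

    def answer(self, challenge):
        """Prompt the wearer; on approval, authenticate the exact request."""
        service, action, nonce = challenge["service"], challenge["action"], challenge["nonce"]
        if service not in self.keys:
            return {"nonce": nonce, "approved": False}
        if not self.ask_wearer(f"Do you want to {action} at {service}?"):
            return {"nonce": nonce, "approved": False}
        msg = f"{service}|{action}|{nonce}".encode()
        tag = hmac.new(self.keys[service], msg, hashlib.sha256).hexdigest()
        return {"nonce": nonce, "approved": True, "tag": tag}


class Service:
    def __init__(self, name, amulet_key, window_seconds=30.0, clock=time.time):
        self.name = name
        self.key = amulet_key
        self.window = window_seconds
        self.clock = clock            # injectable so expiry can be tested
        self.pending = {}             # nonce -> (action, issued_at)

    def challenge(self, action):
        nonce = os.urandom(16).hex()
        self.pending[nonce] = (action, self.clock())
        return {"service": self.name, "action": action, "nonce": nonce}

    def verify(self, response):
        nonce = response.get("nonce")
        entry = self.pending.pop(nonce, None)   # single use: a replay finds nothing
        if entry is None:
            return "unknown_or_replayed"
        action, issued = entry
        if self.clock() - issued > self.window:
            return "expired"
        if not response.get("approved"):
            return "denied"
        expected = hmac.new(self.key, f"{self.name}|{action}|{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response.get("tag", "")):
            return "bad_tag"
        return "ok"


def login(service, amulet, action="log in"):
    """One full round trip: service -> amulet -> service."""
    return service.verify(amulet.answer(service.challenge(action)))


if __name__ == "__main__":
    key = b"constructed-shared-key"
    bank = Service("bank.example", key)
    amulet = Amulet({"bank.example": key}, ask_wearer=lambda prompt: True)
    print(login(bank, amulet))          # ok
    quiet = Amulet({"bank.example": key}, ask_wearer=lambda prompt: False)
    print(login(bank, quiet))           # denied
```

The tag covers the service name and the action as well as the nonce, so an approval for "log in" cannot be reused as an approval for "transfer", and a challenge minted by one service cannot be relayed to another. The window and the single-use table are what turn "somebody in possession of the amulet approved" into "approved this request, recently, once".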


Back in the 1990s too much infrastructure was needed.  There was no standard way to talk to a security amulet. Mobile was still analog. The Bluetooth SIG started in 1998.  People thought that I was crazy for wanting public key in a watch-like device.

But all of these pieces are in place nowadays.  The missing piece is that Google Authenticator still expects you to type in a code. But we now have push authentication, which scares me because the user interaction is so trivial, and hence insecure.  Especially on a phone, which can be easily misplaced, and easily unlocked given fingerprints.


What I want today: push authentication to my watch.  And time based on my watch. Etc.