Heartbleed

I’ve refrained from posting or saying anything about Heartbleed all week because I didn’t want to add to any sensationalism and hype, and I’ve also been too busy actually dealing with it (as opposed to simply talking about it or running around with hands waving in the air like a mad man). Now that the dust has settled a bit, I just want to link to some sites that I think are good to keep handy as we see this play out. I don’t need to talk about the flaw itself as all you need to do is google “heartbleed” and you’ll get all the info you want; certainly more than I can provide here (although you will have to distill the sensational from the facts).

So, the sites:

  • Heartbleed Bug Health Report; they’re keeping it up to date, but it’s essentially a “top 1000 still-vulnerable sites” list
  • Mashable’s Heartbleed Hit List which has a list of some of the bigger sites/services that were (or were not) affected and whether they still are; when I looked this morning it was last updated as of last night so presumably they’re keeping it fairly up to date
  • DigitalTrends Mobile app list which has a list of vulnerable/not-vulnerable mobile apps
  • The Heartbleed site which is being kept up to date with regards to linking to various advisories

Some of these sites (and the apps that use such sites) have been fixed this week. There is speculation that this has been known for a while which means the “window of opportunity” may be much bigger than was initially thought. Some of the numbers being tossed around are pretty gross exaggerations though (one I saw was “66% of the internet vulnerable!”) so you have to take things with a grain of salt. The best advice is to look at the sites you use and if they have fixed the flaw (and were previously vulnerable) and recommend you doing something (like changing your password), strongly consider doing as they suggest — PROVIDED THEY HAVE ALREADY FIXED THE FLAW! Sorry for the caps but I talked to some people yesterday who had rushed to change their password and when I asked them if the site in question was fixed already, they gave me a blank stare.

It does you NO good to change your password to a site that is STILL vulnerable. You will only have to change it again.

Anyways, look at the sites noted above, breathe, and keep in mind that changing passwords occasionally is a good thing. Maybe now is the time to start using something like LastPass, 1Password, KeePass, or something similar and having it generate pure random nonsense for a password, knowing that you can use this tool/service to remember it for you (although, arguably, this whole situation makes me quite happy that I use 1Password (an app on my computer) instead of a service).

My last point on this is that people need to upgrade if they’re using an affected version of OpenSSL. If you are, and your operating system provides it (which is the case with Red Hat Enterprise Linux and Fedora, among many others) then you really should be updating to the packages provided. It’s not a question of whether you should or shouldn’t — you should. Period. This has been a crazy week and a lot of crazy things have happened and this is a really really bad thing IF you’re affected. So if you are (as in you’re running Red Hat Enterprise Linux 6.5 or a current Fedora, etc.) then you really need to update ASAP. And then you need to assess your next steps (changing passwords on vulnerable (and now fixed) services, revoking and reissuing certificates if you feel it necessary, etc.).

Anyways, that’s all I have to say about Heartbleed. It will be interesting to see what the next few weeks will be like as we continue to get a bigger picture of what’s happened here, how, and to whom. And to see what damage has been done, and who responded appropriately and when. For instance, if there were a site or service I was using and as of today (being Saturday, and this thing exploded on Monday) it was still NOT fixed, I don’t think I would be using that site/service anymore. To put it into perspective, Red Hat had updates out late Monday for Red Hat Enterprise Linux 6.5 and the other affected products early Tuesday morning (my time). Everything was available to customers in under 24hrs. It’s not hard to install — “yum update” and reboot (to make sure everything is covered). So for a site to be still affected by this now? There’s really no excuse as far as I’m concerned.
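Why the reboot after “yum update” matters, as an added example that is not part of the original post: a process started before the update keeps the old library mapped, and Linux marks that mapping “(deleted)” in /proc/<pid>/maps. The function names, the --scan switch and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). After "yum update", a service
# started before the update keeps the old libssl mapped until it restarts.

# Constructed sample in /proc/<pid>/maps format (not captured from a host).
sample_maps() {
    cat <<'EOF'
7f3a1c000000-7f3a1c05f000 r-xp 00000000 fd:00 393250 /usr/lib64/libssl.so.10 (deleted)
7f3a1c05f000-7f3a1c25e000 ---p 0005f000 fd:00 393250 /usr/lib64/libssl.so.10 (deleted)
7f3a1c400000-7f3a1c5b3000 r-xp 00000000 fd:00 393244 /usr/lib64/libcrypto.so.10 (deleted)
7f3a1d000000-7f3a1d18a000 r-xp 00000000 fd:00 393221 /lib64/libc.so.6
7f3a1e000000-7f3a1e021000 rw-p 00000000 00:00 0 [heap]
EOF
}

# Read maps-format text on stdin; print each distinct libssl/libcrypto path
# whose mapping the kernel has marked "(deleted)".
stale_ssl_in_maps() {
    awk '
        # Field 6 is the pathname; " (deleted)" is appended once the backing
        # file has been unlinked, which is what a package upgrade does.
        $NF == "(deleted)" && $6 ~ "/lib(ssl|crypto)[^/]*$" {
            if (!seen[$6]++) print $6
        }
    '
}

# Walk a proc-style root (default /proc) and print one line per finding:
# pid<TAB>command<TAB>stale library path.
scan_stale_ssl() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # skip unreadable or vanished PIDs
        dir=${maps%/maps}
        pid=${dir##*/}
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        stale_ssl_in_maps < "$maps" 2>/dev/null |
        while IFS= read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
}

# "--scan" checks the live system; with no argument the sample is analysed.
if [ "${1:-}" = "--scan" ]; then
    scan_stale_ssl /proc
else
    sample_maps | stale_ssl_in_maps
fi
```

Run it with --scan as root so every process’s maps file is readable; an empty result means no running process still maps a replaced libssl or libcrypto.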

Finally, just to note that I did get some minor press coverage (so this is more vanity than useful), LinuxInsider reported on Heartbleed and my name is noted, although my answers to the questions must have been less than exciting as there wasn’t too much noted there other than where Red Hat customers could go for more info. =)

And to finish off, the obligatory xkcd:

20 years of tattoo collecting

So this year I’m going to be 38, which means that I’ve been collecting tattoos for 20 years. The biggest “rush” of ink has been in the last 5-6 years as I’ve actually been able to afford it, whereas before it was getting a piece done whenever I could spare a few hundred dollars (which wasn’t often) and it also meant the pieces were smaller. The challenge with the sleeves was that we had to merge these things together to make it look a bit cohesive. I think, considering I have maybe 2-3hrs left to finish the right arm, that we’ve managed this pretty good. I want to sincerely thank Jared Phair of Crimson Empire for the amazing work he has done on both sleeves. He’s done a fantastic job with everything I’ve thrown at him. And now I’ve thrown my wife at him and Angela’s tattoo is looking amazing as well.

I invite everyone who’s interested to look at my tattoo set on Flickr, and Angela’s tattoo set on Flickr. There you will see all of the pictures. I did want to embed two pictures in my post, however, as I think they are quite amusing to compare.

This is today:

This is about 15 years ago (1999):

A lot has changed in 15 years!!

Angela’s First

I’ve been collecting tattoos for 20 years. In that time, Angela has never gotten a tattoo. Her sisters and her brother all have, but she was the last of the great holdouts. I’m pleased to announce that as of January 29th, that is no longer the case! Angela has lost her tattoo virginity. And I couldn’t be prouder. =)

For one, she handled it like a trooper. She went for 5.5hrs without a break for her first tattoo. 5.5hrs. I know a lot of guys, with a lot of tattoos themselves, that can’t hack that. Heck, yesterday I was in for 5.5hrs and that last half hour was pretty bad. She says she could have kept going. I believe her… I came home like a wuss last night after my 5.5hrs, she came home and was just hungry.

So I’d like to publicly state that those who mocked and jested and said she couldn’t do it (there were quite a few, most predominantly some family whom I am happy to say are properly shamed because she smoked any of their sessions and in one fell swoop may have surpassed most of them in sheer ink volume) were so completely and utterly wrong that I chuckle whenever I think about it. I knew she could do it, because my wife is tough — except when I’m around so as to play me, I’m sure.

Anyways, that is much more exciting than what I did yesterday (I also did 5.5hrs, and my second sleeve is almost complete!). Pictures of both to come shortly. And pictures of my last session too.

Email Tagging

The last 6-8 months have been pretty hectic for me, both at work and with other “real life” stuff and I’ve noticed, as a result, that my email handling has really suffered. I can’t even say it’s begun to suffer because it’s entirely snowballed to the point where my inbox is insane.

The other day Lifehacker noted Andreas Klinger’s blog posting on Don’t drown in email! How to use Gmail more efficiently. It was a good read and got me thinking. Unfortunately, I don’t use the Gmail web interface and I doubt that its use of stars and exclamation marks will really work across email clients. I want something that’s easy enough to use.

Recently I’ve been using MailMate and it has a nice way of treating Gmail labels like IMAP keywords so that you can tag emails, in MailMate, and have them labelled in Gmail. The nice thing with this, unlike other non-Gmail normal IMAP providers is that you can tag a message and then delete it, and it will show up in the “folder” corresponding to that label.

So I created the following labels (in Gmail) and tags (in other IMAP accounts.. yes, I have a few scattered abroad):

  • @ACTION: for things that need to be done or responded to
  • @IMPORTANT: for really important things that need to be done or responded to ASAP (like today)
  • @WAITING: for things I’m waiting on or expect a reply on, essentially things I’m waiting on a person for (needs to be reviewed weekly)
  • @FOLLOWUP: for things I need to follow up on (such as things I’ve delegated, also needs to be reviewed weekly)
  • @EVENTS: for upcoming events or trips, just so they are easily found

I’m not sure how @WAITING and @FOLLOWUP will be treated differently. For now, I’m going to try it this way and see if I use one more than the other.

So my goal is to look in the @ACTION folder (on the regular IMAP accounts, I have a smart mailbox in MailMate named after these keywords so that regardless of whether I’m using Gmail or not I get the same behaviour on all email accounts) once a day and deal with quick things, and try to empty out every week.

The @IMPORTANT stuff will need to be dealt with daily. That’s going to be the hard one. But I’m going to have to set a time (like 3pm or something) where I have to clear this folder out.

The rest, with the exception of @EVENTS (which should be cleared out after any said events), should be reviewed at the beginning of each week. Before I used to do reviews on Friday, but that seems odd to me now as I’ll be emailing a bunch of folks right before the weekend when they probably don’t want to hear from me. Better to catch them (hopefully!) fresh and chipper on a Monday.

So I’ve cleaned out two out of my four emails. They were the easiest of the two. Inbox-zero for them both. My work and primary personal accounts are two different stories, however, and will probably require some time this weekend to do.

I have many friends who have, quite literally, thousands of emails in their inbox. How they manage to stay sane is beyond me. Maybe if I can get a system that works and I can do consistently (that is my biggest challenge… taking those few seconds to just deal with things) then I can share it with them and they’ll maybe realize what a crippling thing it is to have such horrendously large inboxes (and why it feels like their email is so slow.. seriously, I cannot make this make sense to them!).

Any other tips from anyone out there on how to manage your email, or perhaps what clever things you do to manage your email? Keep in mind that for my work I can quite easily get a few hundred emails in a day, so email is a very important and severely irritating part of my life.

40 day social media fast

Being sick this Christmas season with a cold and a middle ear infection caused me to spend more time than I normally would have on Twitter and Facebook because it was a complete time-killer and I didn’t have energy for anything productive. In fact, my one goal for this week and a half off of work was to clean my office and as I sit here typing this, I’m taking sad glances around me, to see that my one measly little goal didn’t get accomplished. Which is frustrating and annoying.

I suspect if I had spent less time just wasting time (heck, even sleep would have been more productive), my office would be clean and I’d be feeling good about myself, until at least next week when it would become less-than-tidy again.

Obviously blaming social media here is silly, but it did get me to thinking about how much time I spend on these two sites (I have never attempted to measure it), and what I actually get out of the multiple-times-a-day visits. There’s an extremely low “news value” from these sites, and I’m not as interested in what is going on in the lives of friends and family as I perhaps once thought I might be. In fact, when I really think about it, I realize that they are a complete, utter, and absolute waste of time. I seriously have better things to do with my time.

I’ve always liked the lyric “wasting time like it was free” (from a Godsmack song) because there is a definite cost to my time. If I look at what I charge people for my consultancy work, and if I applied that value to the time I spend on something that doesn’t actually bring me any pleasure or money (which, I must add, is a very important thing — if reading Facebook or Twitter was anything more than a “I’m sitting on the toilet and need something quick to read” or “I’m bored so will aimlessly wander around on social media sites”, then I would not be making this decision or writing this blog post).

Strangely enough, I find more value on Google+ because it’s all tech-related things that show up the odd time I go on there. I am going to put Google+ into the fast however.

So I’m going to fast from Facebook, Twitter, and Google+. I’ve already removed the apps from my phone (which is the only time I really look at them). And I think I’m going to close my Linkedin account because I get absolutely zero value from that and all the Linkedin endorsements and buddy requests and so on just annoy me. I mean, as an example, there is a wonderful woman whose daughter we took in for a few months as a friend/buddy/whatever on Linkedin and we know each other, but she doesn’t really know the work that I do (other than it’s computer-related). So for her to endorse me for my Ruby programming skills is a bit odd — for one, I can say with 98% certainty that she has no idea what Ruby is other than it must be a geek thing, I’m a geek-ish person, so I must have the skill, right? Secondly, I don’t have any Ruby skills so… yeah.. don’t endorse me for Ruby. Now I doubt she thought one day that she would endorse me for a bunch of random crap, but Linkedin did helpfully suggest that maybe she’d like to endorse me for random crap? And so she did… probably because she was bored or thought it had some value for me (it doesn’t).

Facebook and Twitter just irritate me, Linkedin actually cheeses me right off.

Anyways, I’m going to fast from these social media sites for 40 days. After that, we’ll see. Maybe I’ll find I didn’t miss them at all and shut them down permanently. Maybe I’ll be desperate to know what’s been going on the last 40 days and will binge and spend a whole hour or so feasting my eyes with nonsense.

Will I miss hearing about friends who love their kids one day and hate them the next? Will I miss hearing about the seemingly constant misadventures of family when it comes to dating? Or dieting? Will I miss people who whine and complain about their crap lives? When Facebook was new and a novelty, I thought that sort of thing was amusing. Now I just find it sort of sad.

Postings from my blog will still get auto-posted to Facebook and Twitter. But if you intend to comment on them, you may want to do so here and not via either social media site as I won’t see the response. Also, there’s a few RSS feeds on my Facebook, but I have no idea how to configure the app to disable them, and it’s just my blog and opensource.com (highly recommended!) anyways, so I’ll leave those intact.

So February 15th is the day I either return to social media or … don’t. Right now, I’m betting on the latter. All social expression will be made here on my blog. Or Flickr. I intend to spend some time getting some photos I’ve been meaning to get up there so as to share (some great pics of our trip to Jasper and the Columbian Ice Fields last summer are my top priority).

MailMate keyboard shortcuts and Gmail archive handling

So, playing around with MailMate I’ve found you can create keyboard shortcuts. It comes with a standard keyboard shortcut list, one for Postbox (a Thunderbird-based email client), and Gmail. My main need here is to map “delete” to “Archive message” because MailMate, unlike Apple’s Mail, does not seem to have a setting to turn “delete” into “archive”. So when I hit the delete key, my message goes to the trash, rather than just removing the label of the current mailbox (so if it’s in the Inbox, remove the “Inbox” label, which removes it from the mailbox but keeps it in Gmail’s “All Mail”).

First things first, we need to create our new keybinding list. To do this, copy the Standard.plist from /Applications/MailMate.app/Contents/Resources/KeyBindings (to reveal this in the Finder, right-click the MailMate application icon and select “Show Package Contents”). This is where you’ll find the three keybinding plist files: Gmail, Postbox, and Standard.

Create the directory to store the new keybinding file:

% cd ~/Library/Application\ Support/MailMate
% mkdir -p Resources/KeyBindings
% cp /Applications/MailMate.app/Contents/Resources/KeyBindings/Standard.plist Resources/KeyBindings/Mutt.plist

This creates a new plist file called Mutt.plist. You can edit this file with any text editor. I suggest copying one of the existing plist files as it will have some of the commands you may already want in there with the funky characters like the down arrow, etc.

The important one (to me) is this:

"\UF728" = "deleteMessage:";

I don’t want that backspace key to delete the message. You can use the “archive” command here, which will remove it from the mailbox (and remove its label) but this also puts it into a new “[Gmail]/Archive” folder. This folder doesn’t exist normally. So while it does accomplish what I want (remove it from the specified mailbox without actually permanently deleting the message), it does it in a wonky way.

Ahh, this leads to more Gmail-related things. Writing blog posts while working through issues is so much fun. =)

The problem here is that I imported these from Apple Mail rather than creating them as new accounts. In the 1.7.1 release notes we see:

  • New: Changed default behavior for new Gmail accounts. 1. “[Gmail]/All Mail” is subscribed. 2. Default archive mailbox is “[Gmail]/All Mail”. Existing accounts are not affected.

Interesting. So when I go to edit the IMAP account, I see that these are not subscribed. So this gets us more like Apple Mail, where it also downloads the All Mail folder (some people have an issue with this… I never have, I kinda like that it’s all downloaded). So I had “All Mail”, “Important”, and “Starred” unsubscribed. The “Important” one can remain unsubscribed as that’s what Gmail thinks is important, not me. All Mail is subscribed to, and so is Starred. MailMate has nice smart mailboxes so you don’t need to have the Starred one (it has a default smart mailbox called “Flagged” which shows you flagged messages in each mailbox.. unfortunately, with three email accounts handled by MailMate, having three “INBOX” smart folders means I can’t zero in on one specific account; the Starred mailbox will let me do that).

The other thing I noticed in the 1.7.1 release notes is this:

  • New: Changed default behavior for new Gmail accounts. 1. “[Gmail]/All Mail” is subscribed. 2. Default archive mailbox is “[Gmail]/All Mail”. Existing accounts are not affected.

The nice thing is that it seems when you subscribe to “[Gmail]/All Mail”, the default archive mailbox is changed as well (so if you archive messages, it goes to All Mail rather than Archive).

So now we can get back to your keyboard shortcuts. As noted above, we can now change the “deleteMessage” command to “archive” and have it do what we want:

"\UF728" = "archive:";

Now, because it is useful to be able to permanently delete stuff, we can have something like “^d” or some such to permanently delete:

"^d" = "deleteMessage:";

Anyways, calling this “Mutt” keybindings is a bit of a misnomer because they’re not default mutt keybindings (although some of them are for my mutt setup), but here’s my Mutt.plist:

    {
        // The bindings must sit inside one { } dictionary, as in Standard.plist.
        "\UF728" = "archive:";               // ⌦  (forward-delete)
        "\U007F" = "archive:";               // delete
        "^d"     = "deleteMessage:";         // CTRL-D
        " "      = "scrollPageDown:";        // Space (alternatively it can be bound to scrollPageDownOrNextUnreadMessage:)
        "$ "     = "scrollPageUp:";          // Shift-space
        "\U000A" = "openMessages:";          // Return
        "\U000D" = "openMessages:";          // Enter

        "m"      = "newMessage:";
        "r"      = "replySender:";
        "G"      = "replyAll:";              // group reply
        "R"      = "replyList:";             // list reply
        "f"      = "forwardMessage:";
        "F"      = "toggleFlag:";            // flag-message
        "/"      = "mailboxSearch:";
        "^/"     = "searchAllMessages:";
        "~e"     = "expandThread:";          // OPT-E
    }
This is just my “starting” list. I’ll be tweaking it as I get used to MailMate more. So far, so good…

More information is found in the MailMate Custom key bindings section of the online manual.

EDIT: I removed the bits about the custom keybindings not overriding the Standard.plist keybindings as, poking around further, I realized that you need to restart MailMate in order for it to pickup the new keybindings and that was why it did not appear to be working correctly.