A few days ago Facebook founder and CEO Mark Zuckerberg shared a lengthy post laying out the vision that will be driving his company’s implementation of private messaging going forward. There was a lot to like in that message from a privacy point of view, but the scope was limited — this was not a revolutionary vision for transforming all of Facebook, just for evolving their private messaging offerings.

Big-picture-wise the post laid out six principles that will drive the evolution of private messaging on all Facebook-owned platforms — private interactions, encryption, reducing permanence, safety, interoperability, and secure data storage. Note that the interoperability Zuckerberg describes is between Facebook-owned services, not between Facebook services and services from competitors, so that’s not actually good news from a privacy point of view. This refers to Facebook’s plans to merge private messaging within all its products into a single messaging architecture. This is a privacy loss not a privacy gain, but there is a silver lining — the post promises the merging will be opt-in, and users will be able to choose to keep separate identities on the separate services if they wish. Obviously encryption is good, as is not keeping privately shared stuff for ever.

But, does any of this change the fundamental problem, Facebook’s business model? Nope!

Facebook will continue to make its money by offering users a free service in exchange for their personal information — Facebook remains freepi (and creepy)!

Read more

Tagged with:

Anyone who listens to my podcast contributions is probably sick of hearing me repeat the mantra to follow the money. If you want to evaluate whether or not a given product or services is likely to present a privacy risk, you need to start by figuring out how it’s financed. Why? Because the financing sets up the incentives that will ultimately drive the provider’s behaviour. You’ll generally have a good experience with a product or service when the provider’s incentives align with your best interests, and conversely, things will almost certainly go south when the provider’s incentives are opposed to your best interests.

When you pay for a product or service things are usually straight forward — you are the customer, so the provider is incentivised to keep you happy so you’ll keep giving them your money. Things can of course go sour even with paid products or services when the price you pay is below the economic cost of the product or service (e.g. Amazon & Google smart speakers and TV dongles), or, when the market isn’t free, and you’re locked in to a single provider in some way (e.g. broadband in the US). But still, most of the time, if you’re both the user and the customer, your privacy is unlikely to be exploited.

Where things tend to get more complicated is when we’re not paying for products or services with money. That’s when you really need to pay close attention!

We very rarely get physical things for free, so in this post I’m only concerned with online services that are financially free to use.

We need to start by acknowledging the obvious fact that it costs money to run any online service, so if you’re not paying into the pot, someone else must be. Who ever that is, that’s who the people running the service are incentivised to keep happy. In other words, the service provider is strongly incentivised to align their actions with the interests of the people who pay them. When you figure out who that is, you can usually figure out the incentives, and whether or not they align with your best interests.

Remember, sooner or later, quickly or slowly, every organisation eventually follows the incentives acting on it. Incentives might not be fast-acting, but they are relentless, so movement is inevitable!

I want to suggest four simple categories you can group online services providers into to help you figure out the incentives at play, and whether or not they align with your best interests — free, freemium, free-for-now, and what I’ve decided to call freepi (pronounced like creepy). Yes, it will be an over-simplification, but that doesn’t mean it can’t be a useful lens to look at the world through. The real world may be messy and complex, but most things still approximate our crude categorisations!

Read more

Tagged with:

These are my slides from a talk I delivered to the CT Mac Connection Mac Users Group (MUG) on the 30th of March 2016.

IoT Talk Front Page
Click to View Slides

A PDF version can be downloaded from here.

Tagged with:

While it’s very easy to install hsxkpasswd onto your system from CPAN – it’s literally just one command (see below) – it requires administrator access to the machine.

sudo cpan Crypt::HSXKPasswd

This is all well and good if you have administrator access and are sure you want the module installed system-wide. But, what if you don’t have admin access, or, what if you just want to experiment with the module in your own home directory? The answer is perlbrew, a system for running custom versions of Perl inside your home directory. No need for sudo, and what ever you install with perlbrew is entirely contained within your home directory. If you already have perlbrew installed and configured with a version of Perl greater than or equal to 5.16, you can skip to the final step. If not, you’ll need to make your way through all the steps.

Step 1 – Install perlbrew Into Your Home Dir

There are a few different ways of installing perlbrew, but I find the following method the simplest:

curl -L http://install.perlbrew.pl | bash

That should install perlbrew into your home directory, and it should tell you to append some code to the end of your ~/.bash_profile file, which you can do with the following command:

echo 'source ~/perl5/perlbrew/etc/bashrc' >> ~/.bash_profile

Once that’s done, close your Terminal window and open a new one (this is to pick up the new environment variables defined in ~/perl5/perlbrew/etc/bashrc). You’ll know the install has been successful if you can run the perlbrew command:

perlbrew version

Step 2 – Install a Compatible Version of Perl into perlbrew

The joy of perlbrew is that you can have as many versions of Perl installed at any one time as you like, and you can then switch between them with the perlbrew command.

You can install Crypt::HSXKpasswd, and hence the hsxkpasswd terminal command, into any version of Perl greater than or equal to 5.16.

The following command will install Perl 5.16 into perlbrew:

perlbrew install perl-5.16.0

Go off and make yourself a cup of your favourite beverage – this will take a while! 🙂

Once the install finally finishes, you can activate that version of perl (just on your account) with the command:

perlbrew switch perl-5.16.0

It’s important to note that if at any stage you want to disable perlbrew and get back to the default system version of perl, the command to do so is:

perlbrew off

Step 3 – Enable the perlbrew CPAN Client

If you haven’t already done so, enable the perlbrew CPAN client cpanm with the command:

perlbrew install-cpanm

Step 4 – Install Crypt::HSXKPasswd

Once you have perlbrew installed and configured with a compatible version of perl, you can install Crypt::HSXKPasswd with the following simple command:

cpanm Crypt::HSXKPasswd

You’ll know it’s worked if you can run the hsxkpasswd terminal command:

hsxkpasswd --version

Tagged with:

This is the second part of a two-part post – read part 1 here.

In part 1 we learned how to use the command line too hsxkpasswd to generate passwords, and how to use various flags to specify custom password generation configurations, and word sources. In this second part we’ll look at how to save these customisations for future use with .hsxkpasswdrc files.

Read more

Tagged with:

Since version 3.5, the Crypt::HSXKPasswd password generating perl module ships with a command line interface to the password generator called hsxkpasswd. This provides a way for non-Perl programers to access the vast majority of the module’s functionality.

The easiest way to install the module, and it’s accompanying terminal command is via CPAN:

sudo cpan Crypt::HSXKPasswd

Once the module is installed, you’ll have access to the hsxkpasswd terminal command.

Getting started is simple, run the command with no arguments at all and it will generate one password using the default settings:

bart-iMac2013:~ bart$ hsxkpasswd
@@26.MEASURE.below.LIFT.95@@
bart-iMac2013:~ bart$

If you want more passwords, pass a number as an argument, and you’ll get that many passwords:

bart-iMac2013:~ bart$ hsxkpasswd 10
~~08!hole!VOWEL!then!45~~
$$49^monday^YELLOW^remember^22$$
//69-express-MONDAY-edge-54//
--42~KITCHEN~save~COLD~40--
==51%REPLY%even%AUGUST%28==
%%63&list&INSIDE&train&58%%
^^19!spain!CONGO!spain!01^^
::30@SMILED@from@PERIOD@90::
&&05%decimal%THREE%remember%80&&
..47^ROAD^dress^BERLIN^11..
bart-iMac2013:~ bart$

Read more

Tagged with:

The latest stable release of both the Crypt::HSXKPasswd perl module, and the hsxkpassd terminal command are now available through CPAN: http://search.cpan.org/perldoc?Crypt%3A%3AHSXKPasswd

The library and terminal command are bundled together, and can be installed onto Unix/Linux/Mac OS X computers in the standard CPAN way:

When this install finishes, both the terminal command and perl module will be available for use on the system, along with the documentation for both:

Even though I’ve put a lot of time an effort into creating these tools, I’ve chosen to released them entirely free of charge, and with a very liberal open-source license (BSD). If you find either the terminal command or Perl module useful, please consider making a donation below to help cover my time and costs.

If you find a bug, would like to suggest a change or improvement, or would like to contribute code to the project, please use the project’s GitHub page.

Tagged with:

Another week, another beta release of Crypt::HSXKPasswd. The fact that the betas are now coming quick and fast is indeed a sign that this code is getting very close to ready for a full release.

This latest series of changes came about because when I started work on a tutorial for using the command line app I realised some changes were needed to give a better user experience.

The headline changes are that you can now specify a dictionary file rather than a dictionary package name if you prefer, you can now specify arguments for the dictionary and RNG packages, and the file format for hsxkpasswdrc files has been updated to match these changes.

Finally, I’m still looking for help in the following areas:

  • Native German, French, Italian, Spanish, Dutch, and Portuguese speakers to sanitise the dictionary files for those languages, leaving only a few thousand common words – these dictionary files are simply too big at the moment, and they must be full of really obscure words to be this large!
  • People who are good at technical writing to help me give the documentation some spit and polish. I think all the relevant information is there, and I have run it all though a spell checker, but it could definitely do with some TLC from a copy editor!

Oh, and finally finally, if you find this module useful, please consider donating with the button below – I have literally put hundreds of hours into this code in the last few months, and given it all away for free.

*Download Beta 4 of Crypt::HSXKPasswd via GitHub*

Tagged with:

I’ve just released what I hope will be the last beta release before the first stable release of Crypt::HSXKPasswd. This release has some bug fixes, but is mostly focused on improvements, especially to the new command line interface.

Initially I had planned to make the previous beta the last one before the first stable release, but then I realised that the command line interface really does need support for a configuration file before it’s ready for prime-time, so this beta is focused around the addition of what I am calling hsxkpasswdrc files.

hsxkpasswdrc files allow custom presets to be stored for re-use, and for defaults to be set for many of the command line options, making it much easier to customise the command line interface’s behaviour.

By default the command line interface now looks for a hsxkpasswdrc file at ~/.hsxkpasswdrc. You can specify a different path with the new --rcfile option, and you can use the new --test-rcfile option to help you debug your hsxkpasswdrc files.

If you have an interest in this module, please install the beta and report any problems you find by opening issues on the project’s GitHub page. Or better still if you’re a developer, fixing the bug and sending me a pull request 🙂

Finally, I’m still looking for help in the following areas:

  • Native German, French, Italian, Spanish, Dutch, and Portuguese speakers to sanitise the dictionary files for those languages, leaving only a few thousand common words – these dictionary files are simply too big at the moment, and they must be full of really obscure words to be this large!
  • People who are good at technical writing to help me give the documentation some spit and polish. I think all the relevant information is there, and I have run it all though a spell checker, but it could definitely do with some TLC from a copy editor!

Oh, and finally finally, if you find this module useful, please consider donating with the button below – I have literally put hundreds of hours into this code in the last few months, and given it all away for free.

*Download Beta 3 of Crypt::HSXKPasswd via GitHub*

Tagged with:

Last night I released what I hope will be the last beta release Crypt::HSXKPasswd before the first release to CPAN. You can download it from the project’s GitHub page (reminder, you can get installation instructions for the beta releases here).

The head-line change is the addition of a bundled command line app, bringing all the power of Crypt::HSXKPasswd to the terminal, shell scripts, and indeed programs and scripts written in any language with the ability to shell out.

In terms of lines of code the biggest change is a complete re-write of all data validation code. The project now contains a custom type library which exactly defines what it means to be a word, letter, symbol, symbol alphabet etc.. This has made the code much more robust, and has make it a lot easier to write consistent documentation. The type library is written using Type::Tiny, and all the custom type definitions contain customised validation error message functions to give users much more helpful feedback.

With the help of Allison Sheridan from the NosillaCast Mac Podcast, the warnings and error messages issued by the module have also become a lot more human-friendly.

The test suite has also been greatly expanded, making it easier to find and fix bugs going forward.

If you have an interest in this module, please install the beta and report any problems you find by opening issues on the project’s GitHub page. Or better still if you’re a developer, fixing the bug and sending me a pull request 🙂

Finally, I’m looking for help in the following areas:

  • Native German, French, Italian, Spanish, Dutch, and Portuguese speakers to sanitise the dictionary files for those languages, leaving only a few thousand common words – these dictionary files are simply too big at the moment, and they must be full of really obscure words to be this large!
  • People who are good at technical writing to help me give the documentation some spit and polish. I think all the relevant information is there, and I have run it all though a spell checker, but it could definitely do with some TLC from a copy editor!

Oh, and finally finally, if you find this module useful, please consider donating with the button below – I have literally put hundreds of hours into this code in the last few months, and given it all away for free.

*Download Beta 2 of Crypt::HSXKPasswd via GitHub*

Tagged with:

keep looking »