Yes, I know I’m in a Conquest checkpoint’s capture radius! The little map in the corner that’s got a big box next to me kind of gave that fact away.

Now will you please get the mother-fudge out of the way? I am trying to look at things where you’ve got your big obnoxious indicator.

When I spied the router, high up on the wall, I soon discovered why.

Pointless trivia: This image, nicely depicting the concept of two-factor authentication, was taken from the Hong Kong central bank's website

What is Two-Factor Authentication?

Normally, when you log onto a computer-based service, you enter a username to tell the system who you are, and a password to authenticate (prove that you are who you say you are) with the system.

That is one-factor authentication: you are providing only one thing to prove your identity.

Two-factor authentication is a setup where you have to provide more than one thing to authenticate yourself. In most cases, this means your password in addition with some physical device, a hardware-based token. (It is possible to create authentication systems that require even more than two factors. Systems that require two or more factors are more generally called multi-factor authentication).

The YubiKey is an inexpensive ($25) device that provides this sort of additional authentication factor.

How does it work?

The YubiKey is a simple device that plugs into any USB port on your computer. The device has a single button, which, when you press it, spits out a One Time Password (OTP). In the eyes of the computer, the YubiKey is literally just a USB keyboard, and when you press the button, it enters text as if a person is typing (very fast) on that keyboard. Most operating systems support USB keyboards without any additional software, which means that at least on Windows, Mac OS X, and Linux, you can stick the YubiKey into the computer and press the button without having to install any additional software. Needless to say, this makes it incredibly convenient.

So, when you log into a service that supports YubiKey authentication, you’ll enter your username and password as usual, but you’ll also be presented with a text box for the YubiKey itself to “type” into. You’ll click in the text box as if you’re going to type in it yourself, but instead, you’ll press the YubiKey’s button and it will “type in” a very long password. Then you’ll click to log in like normal, and assuming both your password and YubiKey are valid, you’ll log in.

What makes this more secure?

I book flight for Sergei to come take key

The idea behind a one-time password is that, as the name states, the password can only be used once. Even if someone is sniffing your network traffic and grabs a copy of the OTP you just used, he can’t turn around and re-use the password itself, as it’s been used and is no longer valid.

The idea being multi-factor authentication is that anyone who wishes to login to services as you has to be able to provide all factors. Stealing your password or stealing your YubiKey isn’t enough – they’d need to have both. That requirement of getting ahold of something that’s physically in your possession dramatically reduces the number of people with opportunity to take your digital identity. A hacker in Russia might be able to set up a website to trick me into giving up my password, but it’s a long flight for him to come get my YubiKey too.

How do I make services “use” my YubiKey?

First of all, to use the YubiKey, the service itself has to support YubiKey authentication. This won’t be common with your average website, but it will be more common with more security-minded services, like LastPass or PassPack.

Secondly, before you can use your YubiKey to authenticate with a service, you have to associate your YubiKey with your account on that service. How this is done depends entirely on how that service has that feature set up. Here, for example, is LastPass’s instruction page for associating YubiKeys with your account on their service.

What about services that don’t support YubiKey?

If a service doesn’t support the YubiKey directly, but does support OpenID authentication, you can use your YubiKey for two-factor authentication by using an OpenID service which supports the YubiKey itself.

Clavid.com is such a service. With a properly set-up Clavid.com OpenID identity, you can have two-factor authentication for any service that does OpenID.

However, outside of those options, there’s nothing you can do to add YubiKey support to a service that doesn’t have it, besides emailing them and bugging them to add it.

What if those services get hacked? Is my YubiKey compromised?

When you register your YubiKey with a service like LastPass, that service does not have your Yubico encrypted identity. All they store is the 12-character Yubico ID. When you tap your YubiKey’s button and send a One-Time Password to that service, they don’t have the means of processing the password and verifying your identity. Instead, they send that password (which contains your 12-character ID) to the Yubico servers, which responds back with a “yes” or “no” to that service. Yubico acts as an authentication gateway for that factor.

So, only Yubico has the information necessary to process the passwords that your YubiKey creates. So, that leads to the question: what if Yubico is hacked? That is the scenario where your YubiKey’s identity may be compromised. Indeed, this happened with another token authentication system recently, RSA’s SecurID. However, as long as you are using YubiKeys for multi-factor authentication, and not as a replacement for passwords, then the result of this would be that your accounts are still protected by your passwords. In other words, you’d be in the exact same place as if you weren’t using YubiKeys to begin with.

The YubiKey website says this thing supports a bunch of different authentication systems. What’s the story there?

The YubiKey is quite a flexible little device, and can indeed be used with a number of different authentication systems.

The most common of these, the thing that people are generally referring to when talking about YubiKey authentication, is Yubico’s YubiKey OTP authentication service. This is what standard YubiKeys come ready to work with right out-of-the-box, and this is what services like LastPass are referring to when stating that they support YubiKey.

However, you can program YubiKeys to support different systems. One thing you can do is program the YubiKey to store a single static password. You press the button, and the YubiKey types in this password. This is a way to be able to create a and use a long, complex password that you can’t possibly memorize. And because it’s just a plain password, you can use it with any password-based system. This isn’t multi-factor authentication (since you’re back to using just a password, not something in addition to a password), but it can be very useful in certain circumstances. Yubico mentions an ideal use case: long passwords for encrypting TrueCrypt vaults.

YubiKeys can be programmed to work with Open Authentication (OATH). Now, read that closely. That is OATH, a system developed by VeriSign, and not OAuth, a system developed by Twitter. It took me a while before I noticed this, as I had only ever heard of OAuth before. Here’s a post from a VeriSign blogger describing the difference between these two unfortunately similarly-named projects. OATH is used in (formerly VeriSign’s, now Symantec’s) VIP authentication system, which we’ll talk about later. Yubico does not run any OATH services themselves.

YubiKeys can also be programmed to work with SAML authentication systems. SAML is used by Google Apps’ Single Sign On feature, and Yubico provides a SAML server which can be used to set up SAML-based Single Sign On for your Google Apps domain. Here are Yubico’s step by step instructions for doing that.

In general, these other non-Yubico systems are things you would use with a specific purpose in mind, not for generally-available web services.

Can you use all these services on the same YubiKey?

Originally, YubiKeys supported only one “identity”, meaning you had to pick and choose only one of these authentication systems to use your YubiKey with.

Newer YubiKeys support two identities, so you make one YubiKey work with two different authentication systems. Naturally, most users will have a Yubico identity as one of their two. By default, the second identity is blank, so setting a key up to work with another authentication system requires using one of the free personalization software tools to program the second identity. It can be a little tricky if you haven’t done it before, so be patient and find good instructions (I may write some of my own in another post).

The way that you use a YubiKey with two different services is pretty clever. If you press the YubiKey button for 0 to 1.5 seconds, it outputs the results for the programmed identity in the first slot. Hold the button longer – 2.5 to 5 seconds – and it does the output for the second identity instead. There is a “dead zone” gap in the (approximately) 1.5-2.5 second range so that you can’t accidentally end up at the “border” between the two. Any tap at all is sufficient for triggering slot 1, so you’ll tap for slot 1 and hold the button down for slot 2, and you’ll get nothing at all if you try to let go in no man’s land.

What about the Symantec VIP service?

The "V" still stands for VeriSign

Symantec’s VIP service uses OATH. However, there is a catch. While you can create an OATH-compatible identity, end users like us have no way of getting that identity into the VIP service. They do not provide a means of uploading your own created identity, as Yubico does with their service.

As such, Yubico has created the Symantec VIP YubiKey. It’s a normal YubiKey, except with slot 1 pre-programmed with a Symantec VIP identity, which was entered in to the VIP service at the time of manufacturing, per Symantec’s rules, as explained by the YubiKey YouTube user in this YouTube comment reply:

The [Symantec VIP] YubiKey is the same standard YubiKey – it already supported OATH. The problem is loading secrets and Symantec’s rules are that they can only be loaded at the time of manufacture. Hence the need for a new SKU.

So, if you wish to use a YubiKey with the VIP service, you need to buy the “VIP”-specific model. Note that this model does not come pre-programmed with a Yubico identity, but you are of course free to create one on own for slot 2. Also, the VIP credential is hard-coded into slot 1 and can’t be removed, so you only want to get the VIP model if you do intend on using VIP.

And what if you lose it, or it breaks?

The smoke monster took it

One big issue with multi-factor authentication is, what happens if you lose or damage one of the factors?

Many services have a recovery process for this, where you have to jump through hoops to prove that you’re who you claim to be. It’s also possible to order an identical replacement YubiKey that contains the same identity as the one you lost. Again, here you have to jump through hoops to prove your identity.

But there is a better, more forward-thinking way of protecting yourself from losing or damaging YubiKeys – more YubiKeys! Every YubiKey-compatible service I’ve run into so far allows you to associate multiple YubiKeys to your account, allowing you to authenticate using any one of them.

Thus, I own three YubiKeys:
… one on my keyring,
… one locked up somewhere safe in my house,
… and one locked up in my bank safe deposit box.

Should I lose or break the one on my keyring, I have backups available.

It does mean, however, that for every new YubiKey-compatible service I start using, I need to round up all my keys to associate each of them with the new account. But in practice, this is exceedingly rare – I only have a few things I use YubiKeys with, but they’re important things.

“Would you like to know more?”

I’ll be writing some more posts as I go dig deeper into what you can do with the YubiKey. LastPass and OpenID are certainly cool and sufficient for picking up some YubiKeys, but I think the ability to integrate it with your own services is more interesting.

There is a PAM module for YubiKey authentication, allowing it to be used with things like SSH and VPN. There are also plugins for web-based CMSs like WordPress. I’m going to dig around and I’ll share what I find.

If you have any questions, please ask them and I’ll try to answer them, maybe in my next post. Also, if anything in this post is incorrect, please let me know and I will correct it. I am simply a consumer and do not work for Yubico or have any stake in their product other than the ~$75 I’ve invested in the three keys I own.

UNIX logo and terminal picture from Apple.com site

A lot of people – myself included – like OS X in part because of this fact. I am primarily a Linux user, but for my personal laptop, it’s nice to have a system with all the friendly-out-of-the-box UI trappings of a general consumer product, while still having UNIX at my fingertips.

As a UNIX system, though, Mac OS X has some limiting factors. One of the big ones is that the base system (the set of core tools that make up the OS, named Darwin on the Mac) is not really updatable. Updates come from Apple packaged as part of general operating system updates, but even when Apple does push out updates, it usually not all that up-to-date.

What’s more, the base system doesn’t necessarily come with everything you might want. You can always compile from source, but this is 2011 and package management is a good thing.

There are three main community projects which bring package management for UNIX programs to Mac OS X. They are Fink, MacPorts, and Homebrew.

Of these, my favorite is Homebrew. Homebrew is very light and lean, and ideal for people who just want to install some select packages to augment the Darwin base system.

Both Fink and MacPorts work around Darwin by existing in their own little ecosystems. When installing something that depends on another tool that already exists in Darwin, these package managers tend to install their own copies of those tools instead of using the one already on the system. There are some compatibility advantages to this, but at the same time, there is some confusion when there are multiple copies of libraries and binaries on the same system.

Homebrew takes the other approach, relying on what is provided in the Darwin base system instead of replicating everything itself. It augments Darwin instead of treating it as unreliable and building its own little world.

Homebrew in general “feels” nicer than Fink or MacPorts. In the words of HackerNews commenter dschobel: “There is so much less friction than using macports or fink that I dropped them immediately.” That’s a good way of putting it. Homebrew is just less noisy and less intrusive.

There are other advantages to Homebrew. The scripts (or “formula” in Homebrew nomenclature) for building and installing packages are simple Ruby scripts. Combine the ease of creating formula with the ease of submitting them to the project – as it lives on Github and anyone can contribute with a simple fork and a pull request – and you’ve got an environment for rapid crowdsourced updates.

And update it has. Originally I ran Homebrew with MacPorts as a backup for things that weren’t yet in Homebrew, but the number of such packages has decreased dramatically. The 1587 formulas (as of this writing) in Homebrew is still much less than the 8100 packages in MacPorts or the 12000 packages in Fink, but the important stuff is well represented (and part of the difference is due to Homebrew intentionally excluding things already in Darwin). Still, it is perfectly fine to run more than one package manager to get the package coverage you need.

Homebrew is very easy to use – I won’t bother replicating the explanation of basic commands here, as the home page and the instructions on the wiki cover them nicely. But I will share one little BASH alias that I use. There is no single Homebrew command for upgrading all of your installed Homebrew packages to their latest versions, the way you might in a Debian-based OS with an “apt-get upgrade”. But a handy little BASH alias takes care of that:

# Homebrew - upgrade all installed packages
alias brew-upgrade='brew update && brew list | xargs brew install'

Error: Failed executing: make install
Please report this bug: https://github.com/mxcl/homebrew/wiki/new-issue
These existing issues may help you:
https://github.com/mxcl/homebrew/issues/#issue/4236

The Github page linked does have the answer, but I missed it for a while because I didn’t scroll down to the money post. The answer is to paste the following into your terminal:

for dep in $(brew deps gnutls); do brew remove –force $dep; done
brew install gnutls

Thank you, jabley.

But frankly, none of that speaks to the quality of the notebook. And as I nearly fill my first one with a year’s worth of work notes, I must say that mine has been a durable, reliable tool.

I’ve never been completely happy with computer-based note-taking solutions (though I have come closer with Evernote on the iPad and iPhone). And like many geek brains – constantly preoccupied with the last technical problem it was trying to solve – mine is a forgetful one.

So, a year ago, I invested in my first Moleskine notebook. I had, of course, heard all of the praise from the true believers. I decided to give them a shot myself.

My writing needs are not like those of, say, actual writers. But I needed a good, compact notebook that I could take everywhere, and one that would be able to hold its own on the inside of a laptop bag, being smashed up against larger and heavier objects.

The Moleskine is beautifully and simply designed. The importance of the little strap that holds the book closed cannot be easily overstated. Unlike every other paper-based thing that is subjected to the interior of my laptop bag, the Moleskine pages stay intact and unmolested, locked away behind an impenetrable shell held closed by that handy little strap.

As much as I like the idea of going completely paperless (as I am with magazines and books), the “best tool for the job” mindset wins out. I will continue to use Evernote for certain things, but for my daily work notes, I will keep reaching for my Moleskine.

“Bloat” is spending 5% of your CPU cycles and RAM to have a nice-looking user interface. “Bloat” is having the nerve to  create a desktop environment that might not run well on a computer that’s 15 years old.

BLOAT is a PDF reader that is a 70 MB download, and (according to the installer) takes up 418 MB of space in total once extracted.

If Adobe software were people, they’d be dead from DIABEETUS.

Having no idea who authored it or any sort of inkling of the book title, I tried to find the book. Armed only with a vague memory of what it looked like (yellowed pages, and some yellow on the cover somewhere) and a much less vague memory of the stories contained within, I headed over to Google Books to try and come up with some search queries to find the book in their archive of scanned books.

My first go-to queries related to the 222-0 Cumberland vs. Georgia Tech game. I knew very well that this story came from that book, but no joy. I searched for Dick “Night Train” Lane, but the hits there didn’t yield my book either.

Finally, I struck gold. I remembered the story of Tony Dorsett and his 1,000 yard season streak (dating back to his high school days), and how the streak was broken by the 1982 player’s strike. (In my memory, I thought it was the 1987 strike, but luckily, that didn’t matter). I searched for: Tony Dorsett 1,000 yards strike and found the exact page I was looking for:

It was only a snippet, but I vividly remember the phrasing of those sentences. I knew I had found what I had been trying in vain for the past few years to dig up in my memory.

The book was Sports Illustrated: Strange and Amazing Football Stories, written in 1986. And I’ve come to figure out that I was incredibly lucky with that search phrase. Google Books does not have anywhere near the full text of the book archived, which is why neither Cumberland nor Night Train put me on the right track. Now that I knew the book’s name and could pull it up on Google Books, I had a search bar that searched only this specific book. Most of the stories I remembered came up with no hits, and even ones that did came up with no scanned page snippets. The only hit I’ve been able to come up with that gave me a look at the book was the Dorsett query.

But that was of no consequence any longer. Now I knew the book’s name and author. Mystery solved; I had the bastard right where I wanted him. Next stop was Amazon, which gave me plenty of used copies to choose from. I picked out one listed in good condition, and a few days later:

Mission accomplished.

Not being very long, the book was easy to breeze through in an evening. Reading through it confirmed every memory I had about it, and how many old football stories and tales of old players I knew came directly from this book:

• Cumberland losing to Georgia Tech in the most lopsided game ever, 222-0
• The New York Giants spanking Sammy Baugh’s Redskins 73-0 in the 1940 championship game
• The Heidi game
• The Stanford band game
• Flutie’s hail mary
• Old players like Bronko Nagurski, Red Grange, Dick “Night Train” Lane
• Jim Thorpe and the Oorang Indians (and lots of tales of early pro teams, which were more like traveling acts than a sports league)
• Raymond Berry and his practice habits (including making his wife, Sally Berry, throw him passes to get more reps)
• Chuck Bednarik as the last bastion of iron man football
• Knute Rockne’s Notre Dame all-stars versus the New York Giants
• Abner Haynes’s “we’ll kick to the clock”

I could list plenty more. It’s a nice collection of stories, especially given what the  book is. The author, Bill Gutman, apparently churned out these kinds of young reader sports books by the dozen, for publishers like Scholastic and, as in the case of this book, Archway (putting it alongside the likes of Hardy Boys and Nancy Drew books).

Sadly, fact-checking may have been a tad loose in this book, as I picked out one glaring factual error. At the end of telling the Jerry Kramer story, the author tied things up with a nice but oh-so-wrong sentence:

“No wonder Jerry Kramer ended up in pro football’s Hall of Fame”.

Should I ever meet Kramer, I would ask him to sign this book, a relic from an alternate reality exactly like our own save for a Jerry Kramer bust in Canton.

It’s been a long time since I’ve posted here! Believe it or not, I’ve been writing a lot of blog posts. They’re all saved as drafts, waiting for me to get around to doing all of the updates to this blog that I’ve been meaning to.

I’ve managed to import posts from my old Blogger blog back in college, and I am currently digging through the Wayback Machine to recover as many posts from my old LiveJournal – yes, LiveJournal – as possible. (If there’s one thing I kick myself over, it’s how insanely sloppy I was with data archival back in college. Actually, pretty much my entire life up until now. Turn 30 and now I want all that stuff back).

I’ve come up with a new simple design for the blog, updated to WordPress 3.1.x, added Disqus commenting, syntax highlighting for whenever I post code snippets. And soon, to avoid repeating my past mistake, I’m going to look into how to archive Twitter and Facebook content here.

I’ve been cooking up some technical posts and, of course, it’s time to start talking football again, with the draft so close.

Let’s see if, this time, I can stick with maintaining my “web presence” here.

The first is Visor. Visor is a terminal window that pulls down from the top of a Mac OS X system’s screen when triggered by a hotkey. If you’ve ever played a game like Quake and remember the drop-down console view triggered by hitting tilde (technically, backtick), then you know what this looks like. Instead of a game’s console, however, it’s a UNIX terminal (specifically, an instance of the OS X Terminal.app application).

I prefer to use iTerm for my normal OS X terminal emulator, and unfortunately, there’s no way to make Visor use iTerm instead of Terminal.app. But I find this to be of little concern. Visor is for running a quick UNIX command, something that doesn’t demand I move off of my current desktop space to the one where I have iTerm/tmux running.

The other utility is Quicksilver. Quicksilver is an application launcher. Instead of clicking icons in the Dock or browsing through the Applications folder in Finder, users can trigger Quicksilver with a keystroke, begin to type part of the application’s name, then hit Enter to launch the app when Quicksilver has matched your typing to the specific app. In practice, users typically need to only type a few letters in the app’s name for Quicksilver to properly figure out which one it is that the user is seeking.

So, these things are great in OS X, but I hate having utilities like this on OS X and lacking them on Linux. Luckily, both of these tools are faithfully replicated by Linux software.

The counterpart to Quicksilver is GNOME Do, which is quite frankly almost a note-for-note re-creation of Quicksilver in Mono. I have no hang-ups on using Mono software, and I greatly prefer following the Quicksilver look and behavior as closely as possible, so this works great for me.

A Visor replacement was harder to find. I tried Tilda but just opening and closing it was very error prone. Twitter user @mrf clued me in to Guake, which works nearly as well as Visor. I also like how Guake is transparently named after its gaming inspiration.

My hotkeys for these apps are control-backtick for Quicksilver/GNOME Do, and alt-backtick (or command-backtick) for Visor/Guake.

I don’t know why it took me so long to come around on these tools. I’ve known about Quicksilver and Visor for some time. I suppose it’s because I’ve become more of a keyboard-dominant UNIX user, and these tools provide some nice functionality for making use of the keyboard within a GUI environment. Particularly in OS X, I’m making far less use of the Dock as an application launcher.