Commit Graph

355 Commits (e10067b8b4f65ab0e57bda8e42b20297d41042ca)

Author SHA1 Message Date
Mike Gerwitz 0cce516f41
Always use -t with ssh-add (and always set passwords on your ssh keys)
Many people use SSH keys for the sole purpose of avoiding password entry when
logging into remote boxes. That is legitimate, especially if you frequently run
remote commands or wish to take advantage of remote tab completion, but creating
a key with an empty password is certainly the wrong approach---if an attacker
gets a hold of the key, then they have access to all of your boxes before you
have the chance to notice and revoke the key.

ssh-agent exists for this purpose. The problem is---creating an agent only to
place the key in memory indefinitely is also a terrible idea. If your system
does become compromised and the attacker has either root access or access as your
user, then they can simply connect to the ssh-agent (unless it's password
protected) and start using your key. Also consider that, should you leave your
box unattended for even a moment without locking it (for whatever reason---shit
happens), an attacker could gain physical access to your PC (and an attacker may
just be a coworker looking to play a prank).

Every morning at work, I begin the day by typing ssh-add followed by an
appropriate lifetime (be it the duration of the work day, or the duration that I
think I will need the key). This way, your key is in memory when you are likely
to be physically present at the box and it is automatically removed from memory
after a given lifetime. Additionally, I like to add `ssh-add -D` to the script
that locks my PC when I walk away from my desk: that will immediately clear all
keys from memory, just in case.
2012-10-09 18:43:39 -04:00
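The routine described in the message above, as an added shell example that is not part of the original commit message: it refuses to load a key that has no passphrase, loads a protected key with `ssh-add -t` only until the end of the work day, and clears the agent with `ssh-add -D` before locking. The function names, the 17:30 default and the locker command passed to `lock_and_flush` are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the 17:30 default are assumptions.

# "HH:MM" or "HH:MM:SS" -> seconds since midnight. Leading zeros are stripped
# because sh arithmetic would read "08" as invalid octal.
to_seconds() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    h=${1#0}; m=${2#0}; s=${3:-0}; s=${s#0}
    echo $(( ${h:-0} * 3600 + ${m:-0} * 60 + ${s:-0} ))
}

# Seconds from now until END today; prints 0 once END has passed.
# The optional second argument overrides "now" so the function can be tested.
seconds_until() {
    end_s=$(to_seconds "$1")
    now_s=$(to_seconds "${2:-$(date +%H:%M:%S)}")
    if [ "$end_s" -gt "$now_s" ]; then echo $((end_s - now_s)); else echo 0; fi
}

# Returns 0 if the private key file is passphrase-protected, 1 if it is stored
# with an empty passphrase, 2 if the file cannot be read.
key_has_passphrase() {
    [ -r "$1" ] || return 2
    # -y derives the public key; with -P '' that only works on an unprotected key
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then return 1; fi
    return 0
}

# Load KEY into the running agent until END (default 17:30), refusing keys
# that have no passphrase.
add_key_for_workday() {
    key=$1; day_end=${2:-17:30}
    if ! key_has_passphrase "$key"; then
        echo "refusing $key: unreadable or no passphrase set" >&2; return 1
    fi
    life=$(seconds_until "$day_end")
    if [ "$life" -le 0 ]; then
        echo "$day_end has already passed; pass a later time" >&2; return 1
    fi
    ssh-add -t "$life" "$key"
}

# Clear every key from the agent, then run the screen locker given as arguments.
lock_and_flush() {
    ssh-add -D || echo "warning: could not clear agent keys" >&2
    "$@"
}
```

Source the file from a shell profile, call `add_key_for_workday` with the key path in the morning, and bind the lock shortcut to `lock_and_flush` followed by the locker command.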
Mike Gerwitz f6348502ba
The use of trademarks in free software has always been a curious and unclear
concept to me, primarily due to my ignorance on the topic.

Trademarks, unless abused, are intended to protect consumers' interests---are
they getting the brand that they think they're getting? If you download Firefox,
are you getting Firefox, or a derivative?

Firefox is precisely one of those things that has brought this issue to light
for me personally: the name is trademarked and derivatives must use their own
names, leading to IceCat, IceWeasel, Abrowser, etc. Even though FF is free
software, the trademark imposes additional restrictions that seem contrary to
the free software philosophy. As such, it was my opinion that trademarks should
be avoided or, if they exist, should not be exercised. (GNU, for example, is
trademarked[0], but the FSF certainly does not exercise it[1]; consider GNUplot,
a highly popular graphing program, which is not even part of the GNU project.)

[This article][2] provides some perspective on the topic and arrives at much the
same conclusions: trademark enforcement stifles adoption and hurts the project
overall.

I recommend that trademarks not be used for free software projects, though I am
not necessarily opposed to registering a trademark "just in case" (for example,
to prevent others from maliciously attempting to register a trademark for your
project).

[0] uspto.gov; serial number 85380218; reg. number 4125065*
[1] http://www.gnu.org/prep/standards/html_node/Trademarks.html
[2] http://mako.cc/copyrighteous/20120902-00

* From what I could find from the USPTO website, it was submitted by
  Aaron Williamson of the SFLC (http://www.softwarefreedom.org/about/team/)
2012-10-06 17:01:42 -04:00
Mike Gerwitz 7c0fa042ac
Mathematics is absolute.
2012-10-06 07:45:53 -04:00
Mike Gerwitz 9eac0d894b
Getting too tired to hack? At 23:00?
This has been normal since becoming a father. I can't complain---I love being a
father. Of course, I also love hacking. I also love sleep. Knowing that my son
is going to wake me up at 6:00 in the morning has a slight influence in a
situation like this.

I'd like to just suffer through it, but being a fiancé also has another
obligation: going to bed when your significant other decides that it's bed time
(and by ``bed time'' I mean sleep). I still manage to fit it in somehow.
2012-10-05 23:04:53 -04:00
Mike Gerwitz d604805644
Who needs ``microblogging''?
I don't. This is just some place safe to store random thoughts that people
probably don't care about (like most comments on most social networking
services), with the added benefit of distributed backup, a simple system and no
character limit.

All the thoughts are commit messages; in particular, this means no versioning.
That's okay, because I'm not going to go back and modify them, but I do want
dates and I do want GPG signatures (to show that it's actually me thinking this
crap).

This isn't a journal.

This will mostly be a hacker's thought cesspool.

This isn't a blog.

Though, considering how much I ramble (look at this message), certain thoughts
could certainly seem like blog entries. Don't get the two confused---one
requires only thought defecation and the other endures the disturbing task of
arranging the thought matter into something coherent and useful to present to
others.

Yeah. Enjoy. Or don't. You probably shouldn't, even if you do. If you don't,
you probably should just to see that you shouldn't.
2012-10-05 22:37:39 -04:00