I use Atlassian's Bamboo for continuous integration on a lot of projects. I'm a huge fan; it's a solid product with a lot of flexibility, and the OnDemand service coupled with EC2 instances and a custom EBS volume makes for a really robust cloud-based continuous integration setup. Almost every project I put into Bamboo involves a call to load Composer and install dependencies. Many of the projects I dabble with belong to other people, so they're locked down with some form of authentication and not normally in Packagist. In the past this has created some challenges with installing my Composer dependencies, but this past weekend I think I finally found a tolerable solution to my dilemma.
In addition to being a big fan of Atlassian's Bamboo I also really like Atlassian Bitbucket. I became a heavy Bitbucket user back before Atlassian bought the product because I was a heavy Mercurial user and it was the only hosted solution available. When they were bought and added git I kept using them because they offer free private repositories, whereas competitor GitHub does not. I've had problems when I develop a private package and then want to use it in an application. My workaround up until this weekend was to create a "deployment" user, give them access to my private repository, and then embed that user's username and password in the VCS URL in the repositories block of my composer.json. This is all sorts of ugly and I have never been satisfied with it. Besides putting a plaintext credential into a file that gets committed, it also chews up one of the sacred five users you can team up with on a private repository.
So this weekend I set out to find a different approach to private Bitbucket packages in composer. One that wasn't so ugly and didn't make me feel so insecure about my setup.
Bitbucket (and GitHub for that matter) has this concept of a deployment key. It's a public/private SSH key pair that grants read-only access to a single repository without chewing up a user account to do so, and because it's read-only, a leaked key can't be used to push anything either. It's specifically geared toward the problem I was trying to solve. In my case Bamboo executes its tasks as the 'bamboo' user. The trick is getting the private half of your deployment key into a place where Bamboo can use it. Bamboo OnDemand creates EC2 instances when it needs to run a build and then terminates them when it's done. This is great because it keeps costs low and it means you don't have to worry about a machine getting gunked up with stuff between builds. It also means there's no shared state between runs, so sticking a private key on your EC2 instance only helps you for a little while. But wait a minute... what if I set that up with a task in my job when it runs?
I wound up creating an initial task to set up my private deployment key like this:
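What follows is an added example of such a task, not the post's own script: a Bamboo "Script" task body that installs a Bitbucket deployment key for the duration of one build, pins Bitbucket's host key, and tells ssh to use that key (and only that key) for bitbucket.org, so `git` and therefore Composer pick it up. It also includes a small check for the username:password-in-the-URL pattern the earlier workaround relied on. Assumptions not in the original: the private key arrives in the environment variable `DEPLOY_KEY` (for instance from a Bamboo plan variable) with its newlines intact, the server's host key line arrives in `BITBUCKET_HOST_KEY`, and `$HOME` belongs to the build user.

```shell
#!/bin/sh
# Added example (not the original post's task): install a Bitbucket deployment key
# for the lifetime of one CI build and route bitbucket.org through it.
# Assumptions: DEPLOY_KEY holds the private key text, BITBUCKET_HOST_KEY holds the
# known_hosts line for bitbucket.org, and $HOME is the build user's home directory.
set -eu

install_deploy_key() {
    ssh_dir="$HOME/.ssh"
    key_file="$ssh_dir/bitbucket_deploy"

    umask 077                                  # every file created below is owner-only
    mkdir -p "$ssh_dir"

    # Write the private key; the chmod is belt-and-braces in case umask was overridden.
    printf '%s\n' "$DEPLOY_KEY" > "$key_file"
    chmod 600 "$key_file"

    # Pin the server key rather than trusting whatever a first connection sees.
    printf '%s\n' "$BITBUCKET_HOST_KEY" >> "$ssh_dir/known_hosts"

    # Offer only the deployment key to bitbucket.org (no stray agent keys or a default
    # id_rsa), and refuse to connect if the host key does not match the pinned one.
    cat >> "$ssh_dir/config" <<EOF
Host bitbucket.org
    IdentityFile $key_file
    IdentitiesOnly yes
    StrictHostKeyChecking yes
    UserKnownHostsFile $ssh_dir/known_hosts
EOF
    chmod 600 "$ssh_dir/config"
}

# Refuse repository URLs that carry a username:password, the pattern this setup replaces.
# Returns 0 for a clean URL (git@host:path form or bare https), 1 otherwise.
check_repo_url() {
    case "$1" in
        *://*:*@*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Only install when the key is actually present, so the script can be sourced or
# linted without it.
if [ -n "${DEPLOY_KEY:-}" ] && [ -n "${BITBUCKET_HOST_KEY:-}" ]; then
    install_deploy_key
fi
```

Two things worth keeping: `IdentitiesOnly yes`, so the build never offers some other key that happens to be on the box, and the pinned `known_hosts` entry, so a build cannot be quietly redirected to a server that merely claims to be bitbucket.org.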
Fortunately Bamboo lets you lock down your users' ability to see this sort of thing, and the build logs don't show anything indicating what's going on, which makes it relatively secure, or at least more so than sticking a plaintext password in my composer.json file. The one caveat is that the task itself must never print the key (no `set -x`, no echoing the variable for debugging), or the log will show exactly what you were trying to hide.
Now if you're familiar with Bamboo at all you know that the initial repository setup does not allow you to clone using SSH. That limitation only applies to the Java implementation of git that Bamboo uses to poll the repository. The default EC2 images ship with a full first-class git, so if you declare your package in the repositories block with an SSH URL like "git@bitbucket.org:team/project.git" it'll use the aforementioned key and load just fine.
Life is a lot easier with an on-premises install of Bamboo where your disk persists between builds and you can set that key up permanently, but for those of us living in the cloud this will do the trick. You can use this approach on-premises too, and you can even use it with Jenkins if that's your preferred continuous integration implementation.
On Thursday, December 20th I decided to deactivate my Facebook account. In full disclosure I am not committed to leaving it deactivated forever. I made this move against the recommendation of my wife and closest friends. Nonetheless I have committed to being Facebook-free for the remainder of 2013.
The question remains, why? Rather than let acquaintances, connections and dare I say “friends” (all 918 of you, supposedly) speculate, I figured it would be best to set the record straight.
I was an early adopter of Facebook, having jumped on the bandwagon in 2005 while I was still studying at school. At the time the appeal for me was to connect with my high school friends, none of whom were going to the same school I was. My junior year of high school morphed into my senior year and I got out of West Chicago Community High School in three years instead of the normal four. This meant that the group of individuals I had grown up with I was no longer graduating with. Facebook helped me stay connected with some of those people I grew up with and also find out what I had missed my would-be senior year.
I didn’t get heavily involved in posting until 2009 when my daughter Lucy was born. The months leading up to her entrance in the world were filled with posts and pictures of me and my baby-momma packing the pounds and preparing for our daughter’s big appearance. By that point my Facebook friends had expanded to include church friends, neighbors, colleagues from work and college friends as well. So Facebook became a great way to share with them what was going on as a young couple with a growing family.
Fast forward to 2013, eight years after I first set up my account, and here I am deactivating it for the first time ever. I’ve long surpassed Dunbar’s number with regard to my friend count and it’s always been on my mind that many of these connections simply don’t matter. But some of them do. Some of them matter a lot.
I have tried, for the most part, to resist the urge to discuss politics on Facebook. If you’ve met me in person you know that I am more than willing to share my positions and defend them, and have a reasonable conversation about them. For the most part, I don’t do that on Facebook. Likewise, religion is another topic I do my best to steer away from. I’ve been grayer about this one though, especially of late. Please don’t misunderstand me, I have expressed my faith and frequently share things from the Higher Things website. But you won’t find me sharing my beliefs on what I consider to be polarizing social topics. It’s not that I don’t have those beliefs, I do - and as my closest friends will tell you I’m pretty passionate about them too. (Systematic and liturgical theology, the things that most of the world doesn't care about, are another story - those I've largely considered fair game for better or worse.)
I consider it a matter of pride that what you get when you talk to me is the same whether it be by text, email, phone or in person. I try very hard to maintain the same level of sarcasm and crassness whether in person or by email. I outright refuse to take myself too seriously on any of these mediums either. This is not a standard I believe to be common though, and I think these media allow many to hide behind their keyboard and say things in ways they simply never would in person.
People are very much entitled to their opinions. They are equally entitled to post them on Facebook (or Twitter or the flavor of the day). I’m not getting off Facebook because I don’t want people to speak what they believe or think. If you need to, please read that sentence one more time. I’m getting off of Facebook because I still want to have dinner with you. It dawned on me this week as I watched close friends and immediate family openly criticize my faith in an offensive and personal fashion. I think they thought it was cute, perhaps even comical. I think stupidity prevailed over judgment and they didn’t think it was nearly as awful as it was. Here’s the thing that got me though, none of the people who circulated the meme in question would dare say such things at the Christmas dinner table. They just wouldn’t. It’s in large part because they are decent and kind individuals who love me as much as I love them. Yet on Facebook for whatever reason they seem compelled to cross that line boldly. I’m sure it’s in part because they have friends who are going to hit that “Like” button, or perhaps give them a “True dat!” in the comment feed. But I think they forget that I’m their friend too.
I really enjoy seeing pictures of friends and family. I love hearing about your trips and weekend travels. The recipes you share are not only delicious but inspiring. The posts you make that you’d never be willing to say to my face… those trouble me. They hurt. And I guess that’s ultimately what has driven me away from Facebook. My feelings have been hurt and it’s been done in the shadows of the dark alleys of my Facebook feed. I'm sure others' feelings have been hurt too, maybe even by some who agreed with you on your last rant but find this just as offensive as I do.
Growing up my dad would often tell me that “every action has an equal and opposite reaction.” For much of my childhood I wrote this off as just another stanza in the long ballad of life. As an adult I realize there’s a lot of truth and wisdom in such a statement. I guess the reaction then to those friends I mentioned earlier is this… You don’t get to see pictures of my kids at Christmas. You’re not going to get to see the videos on my wall as they open the presents you sent. You’re going to miss next week’s sonogram. And when it comes to that Christmas Wossel recipe we were going to re-share, well you’re out of luck there too. It's pretty tasty by the way.
I don’t know if this is forever… I’ve got the unusual occasion to take time off at Christmas (for the first time in four years) and I felt my time might be better spent focusing on my kids than on Facebook. I guess we’ll have to wait and see what’s in store for 2014.
A lot of services across the web are amping up security in light of recent breaches. One technique for doing this is called two factor authentication. It’s a name that perfectly describes the technique, but explains absolutely nothing.
So what is two factor auth and why do you care? Simply, two factor auth is your password plus something else. In most cases that “something else” is going to be a text message, an email or an authenticator app like Google Authenticator or Authy. Some banking websites have been doing this forever via email, but the growing trend is to use text messages, which are tied to a device in your pocket rather than to a second account that can itself be phished. If a service offers an authenticator app instead, take it: the code is computed on the phone from a shared secret and the current time, so there's nothing for anyone to intercept on its way to you.
Here’s the thing to keep in mind… You are most likely already doing two factor auth in your life - you just don’t think of it like that. If you have a safe deposit box, for example, it takes two keys to unlock it. Without both sets your birth certificate isn’t going to see the light of day. If you’ve bought a car recently you’re also using two factor auth, as every car key these days comes with a microchip embedded in it. You can’t start your car with a plain copy of your key; you need the key plus the microchip if you want to drive anywhere. And if you don’t have that microchip your car not only won’t run, it very well may lock up on you too! These are two factor strategies, and they prevent criminal-like folk from copying your keys and running away with your identity and precious automobile. Why not use that same strategy with your personal information stored on the world wide web?
How does two factor work with your favorite web service? There are two typical routes, the most common of which involves your cell phone and a text messaging plan. If you don’t have unlimited text messaging either pony up or take a trip to the Verizon store for an upgrade. When you log in, normally for the first time from a given device, you’ll get a text message from the service in question. Websites like Facebook will ask you to punch in the unique code from that text message after you enter your password, but before you actually get to log in to the service. The idea is that your cell phone is most likely on you, and there’s a uniqueness to the device in your pocket that a hacker cannot easily replicate. Stealing your password then is not enough; you need to steal the person’s cell phone too, making it far more difficult for a hacker to access your information.
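To make concrete what an authenticator app like Google Authenticator is doing when it shows you that six-digit code, here is an added example (not from the original post) of the RFC 6238 TOTP algorithm those apps implement, written as a shell script over `openssl`. Both the phone and the service hold the same secret and compute the same code for the current 30-second window; the verifier accepts one window of clock drift either side. Assumptions not in the original: `openssl` is on the PATH, and the shared secret is supplied as hex (apps usually display it base32-encoded; decoding base32 is left out here).

```shell
#!/bin/sh
# Added example (not from the original post): RFC 6238 TOTP (HMAC-SHA1, 30-second
# steps, 6 digits), the scheme behind Google Authenticator style codes.
# Assumes `openssl` is installed and the shared secret is given as a hex string.
set -eu

# Emit the raw bytes for a hex string. Command substitution would drop NUL bytes,
# so callers pipe this straight into openssl instead of capturing it.
hex2bin() {
    h=$1
    while [ -n "$h" ]; do
        printf "\\$(printf '%03o' "0x$(printf '%.2s' "$h")")"
        h=${h#??}
    done
}

# totp SECRET_HEX UNIX_TIME -> the 6-digit code for the 30-second step containing UNIX_TIME
totp() {
    secret_hex=$1
    step=$(( $2 / 30 ))
    # HMAC-SHA1 over the 8-byte big-endian step counter, keyed with the shared secret.
    mac=$(hex2bin "$(printf '%016x' "$step")" \
          | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$secret_hex")
    mac=${mac##* }                                   # drop the "(stdin)= " prefix
    # Dynamic truncation (RFC 4226 5.3): the low nibble of the last byte picks a
    # 4-byte window; mask the sign bit and keep the low 6 decimal digits.
    last=${mac#"${mac%?}"}
    offset=$(( 0x$last & 0xf ))
    chunk=$(printf '%s' "$mac" | cut -c"$((offset * 2 + 1))-$((offset * 2 + 8))")
    printf '%06d' $(( (0x$chunk & 0x7fffffff) % 1000000 ))
}

# verify_totp SECRET_HEX CODE UNIX_TIME -> 0 if CODE is valid for the current step or
# the one either side of it (clock drift), 1 otherwise. A wider window just hands a
# guesser more valid codes per attempt, so keep it small and rate-limit attempts.
verify_totp() {
    for drift in 0 -30 30; do
        [ "$(totp "$1" $(( $3 + drift )))" = "$2" ] && return 0
    done
    return 1
}
```

The point for the user is the contrast with SMS: the code never travels anywhere, so the only things an attacker can go after are the secret on the phone and the copy the service keeps, which is why losing the phone (or the service leaking its secrets) is the risk to plan for.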
Not every service has two factor authentication, but a lot do. You should evaluate the services you use every day and consider enabling two factor authentication where it’s available. I’m a big proponent of enabling two factor auth for your Google, Dropbox, Evernote and Facebook accounts. As these items likely contain more personal data about you and your friends than anything else you’re using it’s important to harden your security around them.
Don’t get me wrong… Two factor auth doesn’t just slow down the losers trying to compromise your data, it slows you down too. Mostly, though, this only happens when you set up Facebook on your phone or configure your email client to pull down your Gmail. Your setup is slower, but your data is safer. In my opinion this is a fair trade considering what is at stake. One other thing to keep in mind… These services don’t do two factor auth for their own sake. It actually costs them money to run, with almost no return on the investment! Two factor auth is a service for you, to protect your data and keep you, your family and your friends safe.
So you don’t give a crap that your data gets exposed or hacked? You don’t have anything to hide, so the potential leak isn’t worth the added effort of complex passwords and password management systems. You want a simple, easy to remember password. Fair enough. I get it. You don’t give a crap, but here’s the thing… Your mom might. Or your dad, or your sister or your great Aunt Bertha or your Cousin’s best friend that you just recently added on Facebook. And that’s the point!
Let’s say you’re one of the few who don’t give a rip because you have nothing to hide. Stop being selfish! Most of this password protection junk has nothing to do with you. It has to do with the information you have access to, like my email address, my phone number, the names of my kids and that picture I shared with you from my best friend's bachelor party!
You are most likely passively collecting information in the services you use every day. It might just be people's names, but it could also be more serious information like their addresses and phone numbers. A data leak because you used a stupid password exposes all kinds of things that your friends and family don’t want everyone under the sun to know. And not just because it’s private information, but because it affects their safety!
It can get worse than just revealing addresses and phone numbers though. How, you say? Consider the fact that the Facebook app on your phone posts where you go. Maybe it’s a restaurant, church or even the grocery store. You’re a hip social media rock star and you’ve been capturing your geo-coordinates and checking in wherever you go. So have I, your mutual friend on Facebook, as well as your neighbor’s 16 year old daughter. Now ALL of that information about where you’ve been and the trends of your daily activity is accessible to some low life hacker who cracked your stupid-simple password. Is this sounding scary yet? Let’s keep going… That hacker might decide to pay one of us (you, me or your neighbor’s teenage daughter) a visit. Or maybe the hacker sells that valuable data to a petty thief or a pedophile. Now is it scary? It ought to be. This is what happens when the flood gate known as your weakly protected account is opened.
You are just a gateway drug for a hacker. Your credit card and social security number are low-hanging fruit compared to the peripheral data you are toting in those web-based accounts you log in to day in and day out. Protecting your accounts with unique and complex passwords isn’t just about you. It’s about everyone you engage with using those services. It’s about personal protection, for you, your family and your friends. So I get it, you don’t have anything to hide that you’re worried about a hacker exposing. But I do.
Google's 12/12 cleaning eliminated a product called Google Sync. This was an extremely handy product for folks going mobile who want to stay connected to their email. It essentially allowed you to set up your Gmail account using Microsoft's Exchange protocol. What's significant about that is that it enabled instant push notifications for new email messages. This meant that when Google got an email for you, if you were using the Exchange protocol you got it instantly. When Google dropped support for this the best you could hope for was a fetch every 15 minutes, hardly instant.
In a world of instant, not having your email as soon as it's available is a huge deal. But why did Google do this? Presumably to get more people to adopt their Gmail iOS app. But here's the thing... Gmail for iOS SUCKS! Yeah, I said it, it's absolutely terrible! Not all of it is Google's fault, but some of it should have been resolved when Google picked up Sparrow in an acquisition - those dudes knew how to make an email client. Gmail for iOS is awful first and foremost because iOS has no concept of a default email client. If you're using Safari and you click on an email address, or maybe you click on it from your Contacts, you're going to open up the native Mail app. There are more problematic issues though that are technical in nature, like Gmail's inability to properly handle responsive email layouts. When email doesn't look right people don't want to use your product. This is where everything goes bad...
Your email looks like crap and nothing on your mobile device uses the right client. So what do you do? You start experimenting with other clients. This is fundamentally how Google is destroying the security of Gmail. Since the shutdown of Google Sync for the masses you've seen a whole host of iOS email clients spring up. I'm looking at you Mailbox, Evomail, Boxer and friends. Personally I don't have a beef with these products in and of themselves, but the problem is they all offer you push notifications at a cost. Not a financial cost, a security cost. In order for these applications to tell you the instant you get your email, you have to give them full and absolute access to your inbox: their servers, not your phone, are what watch your mailbox, so your mail (or a credential to it) lives on their infrastructure. Then you have to trust that no one at that company is stupid enough to become the next Adobe. If you've already handed a client that access, it shows up under the third-party apps connected to your Google account, and you can revoke it there. I actually like some of the products I just mentioned, but I don't use them. The reason is simple, I'm not comfortable letting someone else comb my email every single day. Quite frankly, you shouldn't be either!
What's the answer? For me it's twofold... Important email accounts use the Gmail iOS app. Non-important email accounts stay in the native Mail app. The important ones are there too, so that the rest of my iOS experience doesn't stink, but I have notifications and badges turned off for those accounts. It's not a pretty solution in my opinion, but it's the only solution I've found that keeps your email safe. Your email needs to be safe too. There is no easier way for a hacker to gain access to everything else in your life than getting access to your email. Most services allow you to reset everything under the sun using just your email address, so whoever controls the inbox controls every account that resets through it. Keep your email safe!
Both Google and Apple can help us out too, though I don't think either of them are going to do so. Google can fix their technical problems. Most of them should just not happen, it's inexcusable. They can also work on making Gmail act more like an iOS app and less like a red-headed-Android app. Meanwhile Apple can give us the ability to select a default email app, and they can also build out APIs to allow apps like Mailbox to poll an IMAP service like Gmail in the background of the device. Yes, it's going to hurt your battery life but that's a price I'm willing to pay for security. I just wouldn't expect Apple to do that anytime soon...
There's one other option I haven't mentioned... Ditch Gmail altogether. If Google is content to encourage users to risk their email security then maybe it's time to look elsewhere? Any Exchange based service will work, and quite honestly the dudes over at Microsoft have built a solid product with Outlook.com. If that doesn't float your boat, Yahoo Mail also has a solid email solution. And guess what... you can get push notifications for both!
Someone may be quick to point out that Apple's own iCloud solution does push too. This is true, but anyone who has used iCloud knows, the spam filtering and phishing protection makes it nearly the worst solution to email available on the internet today.