February 2019, #295: The Security Issue
On January 13th, 2018—at 8:07 am—an emergency alert was issued in Hawaii. The message, in its entirety: "BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL."
Although this message—which showed up on smart phones across the state—was, indeed, not a drill...it also was not a real threat. There was no missile hurtling through the atmosphere towards Hawaii. It turns out someone had simply clicked the wrong option from a very poorly designed user interface and sent out a fake (but very real-looking) emergency alert.
This is officially known as a "whoopsie daisy".
As the story spread around the globe, obviously all the news reports were going to need a picture to run along with it. As luck would have it, the Associated Press had published a picture taken inside the Hawaii Emergency Management Agency—showing computer workstations where they watch for such possible threats. This picture was spread far and wide.
On that picture, people noticed something. Something amusing. Something, for many of us, relatable.
On one of the monitors was a sticky note. With the password written on it.
(There were actually two sticky notes on the monitors in the picture. The second sticky note contained the message "SIGN OUT". Because, you know, security is important.)
While the accidental, non-real emergency alert was not caused by any sort of security breach (sticky-note-based or otherwise), this picture served as a great reminder to the entire world that we probably shouldn't write down our passwords on sticky notes. Not even a government agency tasked with Emergency Management is immune to this sort of weak security.
It reminds me of a scene from the Mel Brooks' film Spaceballs. In the film, an advanced security barrier had been constructed around a planet. The dastardly space-villains forced the king of the planet to give up the code that would open that barrier. That code? 12345. Upon learning of the code, one of the characters was shocked. "Remind me to change the code on my luggage."
Any of this sound familiar? Perhaps it's time to get rid of the sticky notes—and the passwords that are no more complex than "password123"—and get yourself a good password manager.
In this issue, Shawn Powers provides a good "Password Manager Roundup", laying out the pros and cons of various options.
Then, while you're in a security frame of mind, familiarize yourself with a good set of guidelines (based on the Linux Foundation's Security Checklist) for how to keep your system secure with Mike McCallister's "Everyday Security Tips".
Following these suggestions will make you far more secure than that Emergency Agency in Hawaii or that planet in Spaceballs, but what if you want to take things a step further? What if you want to dive into the world of encryption and hardware security keys?
First things first: get a basic grasp on how current, modern encryption works with Jeff Woods' "Understanding Public Key Infrastructure and X.509 Certificates". It may not seem like a page-turner, but trust me. This is good stuff to know.
Then, move on to hardware security keys and the benefits they can provide to Linux-based workstations and laptops.
Todd A. Jacobs' "WebAuthn Web Authentication with YubiKey 5" gives an overview to using a YubiKey for website authentication (how it works and how to use it). Then he follows that up with "The Purism Librem Key" and how that specific USB hardware key compares to others on the market (like the YubiKey).
Once you've decided on a password manager, started using a set of security guidelines and even begun utilizing a hardware key, you're probably feeling like your computers are pretty gosh-darned secure. Right?
But what if you want more. What if you want to be confident that not even the BIOS of your computer has been tampered with in any way?
Enter Kyle Rankin (Tech Editor for Linux Journal) and his article, "Tamper-Evident Boot with Heads". Kyle breaks down how Heads is set up and how it can be used to verify, at boot, that your BIOS and kernel haven't been messed with by dastardly villains (like the ones in Spaceballs).
All of these tools are powerful ways to secure your Linux systems—whether for work or personal use. But, here's the key, they're effective only when used.
In other words, no more sticky notes.
Subscribers, you can your Febuary issue now.
Not a subscriber? It’s not too late. Subscribe now and receive instant access to this and ALL back issues since 1994.
Want to buy a single issue? Buy the February magazine or other single back issues in the LJ store.