Jan 18 2012

Internet protest day.

Today is the day that much of the internet is going dark to protest the SOPA/PIPA acts in the United States.

I wrote a little piece on it for Acceler8or, and I’ve blacked out my logo for the day.

Please, take a moment to register your displeasure with legislators.  Don’t break the internet.

Jan 09 2012

2012 New Year update.

No, I haven’t gone anywhere.  I’ve just been letting my poor site languish without adequate attention for lo these many moons now.  I’ll try to do better in 2012.

Some recent highlights:

  • I moved to a new place, still in the Rogers Park neighborhood in Chicago.  This is a Really Good Thing, since now I have enough room for real furniture, an office and workspace, and all my books and stuff.  Will it lead to an uptick in creative output?  Signs point to yes!
  • I really, really want to tell you about Project R, a little thing I was working on last year.  I’ve got a bunch of pictures, and a writeup started, but unfortunately, I can’t post it yet, since some aspects are still “sensitive”.  But!  It was a very cool project, and I learned a lot from it.
  • Acceler8or is going swimmingly!
  • Do you follow @horror_bot on Twitter?  Check out the totally automated blog that the ‘bot is keeping right over here!
  • Are you using Google+ to social-media-ize?  Why not circle me up?
  • And really, if you’re interested in keeping up with the minutia of my day-to-day existence, there’s no better source (at the moment) than my Facebook page.

Onwards and upwards!

Dec 13 2011

Chris Connolly Online: #72 – Is Partial Compendium Latvian Humor Joke

Latvian jokes are the new Pollack jokes.

“Three Latvian are brag about sons. “My son is soldier. He have rape as many women as want,” say first Latvian. “Zo?” second say, “My son is farmer. He have all potato he want!” Third Latvian wait long time, then say, “My son is die at birth. For him, struggle is over.” “Wow! You are win us,” say others. But all are feel sad.”

http://www.chrisconnollyonline.com/2009/02/72-is-partial-compendium-latvian-humor.html

Oct 31 2011

Video: How to keep a stupid person occupied indefinitely

Wow, these tips really work!  Be sure to watch the whole thing; the punchline at the end is hilarious.

Oct 26 2011

Need to strip stop-words from some text?

After having three different requests in the past couple of weeks which required me to strip stop words from a bunch of text, I decided there should be an easy way to do it online really quickly.

So I made one.

Try it out here:

http://www.ianmonroe.com/stopstrip/

Why is it useful?  Well, perhaps you’re taking a bunch of free-response answers to a question, and turning it in to a word cloud, for instance with Wordle.  You’ll get far more useful graphics back if you take the time to strip out the stop words first.

Or maybe you want to do some natural language processing.  Strip out those stop words to get only the most relevant data to crunch.

Try it out!  It’s free!

 http://www.ianmonroe.com/stopstrip/
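The word-cloud use case above is easier to see with a before/after comparison. The following is an added example (not the stopstrip tool’s own code, whose implementation the post does not show): it tokenizes a few constructed free-response answers, drops words from a small constructed stop-word list, and counts what remains. The stop-word list and sample answers are assumptions made for the example; real stop-word lists run to a few hundred entries.

```python
import re
from collections import Counter
from typing import List, Tuple

# Constructed stop-word list for the example; production lists are much longer.
STOP_WORDS = frozenset("""
a an and are as at be by for from has he i in is it its of on or
that the this to was we were will with you your
""".split())

# Words are runs of letters, digits or apostrophes; everything else separates them.
WORD_RE = re.compile(r"[a-z0-9']+")


def tokenize(text: str) -> List[str]:
    """Lower-case the text and split it into words, discarding punctuation."""
    return WORD_RE.findall(text.lower())


def strip_stop_words(text: str, stop_words=STOP_WORDS) -> List[str]:
    """Return the tokens of `text` that are not stop words."""
    return [w for w in tokenize(text) if w not in stop_words]


def top_words(text: str, n: int = 5, strip: bool = True) -> List[Tuple[str, int]]:
    """Most frequent words, with or without stop-word stripping, as a word cloud
    (or Wordle) would weight them."""
    words = strip_stop_words(text) if strip else tokenize(text)
    return Counter(words).most_common(n)


# Constructed sample: three free-response survey answers.
SAMPLE_ANSWERS = """
The new login page is confusing and the password reset is slow.
I like the password manager, but the login page is confusing.
The reset email is slow to arrive and the page is confusing.
"""

if __name__ == "__main__":
    # Without stripping, "the" and "is" dominate; with it, the actual complaints surface.
    print("before:", top_words(SAMPLE_ANSWERS, strip=False))
    print("after: ", top_words(SAMPLE_ANSWERS))
```

Run as-is, the unstripped ranking is led by “the” and “is”, while the stripped ranking surfaces “page” and “confusing”, which is the signal a word cloud is supposed to show.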

Oct 05 2011

Science and Beauty

This one comes via Boing Boing.  Richard Feynman talks about science and beauty.  Excellent.

Sep 30 2011

American Horror Story, you know what I love.

So, I’m sure by now you’re aware of the new FX show, American Horror Story. It’s set to begin next week.

Well, FX decided to embark on a viral campaign for the show, using the site youregoingtodieinthere.com.  And I signed up with them a while back, to keep up with the project.

And this morning, at my office, a fellow came by and dropped off a package.

“Well,” I thought, “Isn’t that friendly?”  So I opened the box.

And this is what I found inside.  The note is written on a scrap of wallpaper.

That's a ball gag. With a bite taken out of it.

Oh, American Horror Story, now I’m stuck on you.  Your show better be good.

Sep 27 2011

Android tablets — almost there.

I like tablet form factors, I really do.  I’d love to get one, but they don’t quite make my kind yet.

I need, need, need for there to be a stylus.  I’m a doodler.  Handwriting recognition is also a must.

I need it to be Android 3.1 or higher

An 8″ screen is about optimal, though I’d go down to a 7.  10″ might be too big for my purposes.

It’s got to have GPS sensors, 3G/4G data (unlimited preferred), wifi, NFC, accelerometers, gyro, etc.  I’m of the MOAR SENSORS! school of thought.

Lenovo has almost gotten there, according to this Ars Technica review, but not quite yet.

Soon though.  Soon.

Aug 16 2011

I have to admit, dubstep is starting to grow on me.

Recently, I recall, in some conversations with friends who are also fans of electronic music, I’ve been critical of the dubstep genre.  But I have to admit, I’ve been reconsidering my position, especially since I’ve heard some of the harder stuff.  Think Borgore, Skrillex, et al.

Jun 29 2011

Securing your passwords, across machines, across platforms, in the cloud

Look, I’m a tech guy. I work on a lot of computers. I work on a lot of web sites. I try out new web services and products all the time. I pay my bills online, I bank online, and to a great extent, much of my life and work is preserved online.

I have a lot of passwords. I need to keep track of them all, and keep them safe.

I’ve had a password strategy which worked for me for years; I kept several base passwords, which I mentally sorted by level of secrecy necessary, and I’d use variants of those basic passwords to create new ones at the right levels.

So I had a low-security password which I could use across sites to try out new services. I had a medium security password for accounts that were associated with my public face — i.e., Twitter, Facebook, etc. And of course, I had a high-security password which nobody at all knew besides me, and that secured my online banking and financial accounts.

Like I said, this worked for years. If I changed jobs, or if I could no longer ensure the security of a given password, I just had to change that one in my rotation.

There were problems, of course… sometimes I couldn’t remember which variant I had used at which site, what the user name might be, etc.  But overall, it worked pretty well, and I’ve never had one of my accounts hacked.

But we live in a different world these days.

I’ll admit, it was the LulzSec leaks that convinced me to re-think my password strategy. They dumped 62,000 email/password combinations on the web, for a wide variety of sites, and let people run wild with them. My email/password weren’t included in the leak, but it got me thinking about how devastating it would be, should my passwords get out in the public sphere like that. It could compromise not just my own security, but the security of my clients’ sites.

So I knew I had to smarten up. I needed a way to secure my ever-growing list of passwords, and furthermore, I needed to ensure that I was using different passwords everywhere.

Beyond that, I work on different machines in different locations, and I needed all my passwords to be accessible to me no matter what machine I was using at the time.

And I needed to secure the whole list in a way which was bulletproof, hacker-proof, snoop-proof.

So the solution I found works pretty well, and I figured I’d share it around. There’s nothing really novel about this solution, but there’s certainly no harm in sharing what I’ve learned. Perhaps it’ll inspire you to do the same. The more people who take their digital security seriously, the less harm hackers/viruses/data leaks will be able to do for all of us.

Step 1: Storage in the cloud.

I need access to my passwords wherever I am, on any machine I’m working on. That means either a) a private server or b) a public service or c) a USB key. I opted for the public service, specifically Dropbox. Dropbox has caught a lot of flak over the past few weeks for significant security breaches, but I knew a way around that (see step 2, below). The important thing was Dropbox would give me access everywhere, and two gigs of storage for free. I toyed with the idea of using a USB key, but I abandoned the idea because it meant I’d have to back it up regularly, just in case I lost my key. I can’t imagine the horror which would befall me if I should lose my only copy of my entire password database down a drain, or something. No, better to rely on Dropbox, backed by Amazon’s cloud storage. But something had to be done to make it more secure.

Step 2: Military-grade security

If I’m going to store my most sensitive information in the cloud, I needed to ensure, for my own peace of mind, that it was really, really, really secure.  I couldn’t just rely on someone telling me it was secure.  I needed to do it myself.

Enter TrueCrypt.  TrueCrypt is free, cross-platform, open source, military-grade encryption software which allows the user to create encrypted virtual disks, or even to encrypt entire drives.  It was perfect for my purposes.

So, after getting my Dropbox account all set up and working on my various computers, I installed TrueCrypt.  The fact that it’s cross-platform is particularly important, since I use a PC with Windows 7 at home, and a Mac running OSX 10.6 at work.

After installation, I created a new TrueCrypt volume in a data file in my Dropbox folder.  I set it up with 256-bit AES encryption, which is approved by the US government for documents up to the Top Secret level.  I also made sure to put both Mac and PC-installable versions of TrueCrypt into an unencrypted Dropbox folder, in case I needed them on a new computer at some point.  I could just install without having to download the packages anew.

Step 3:  A secure password database.

Once again, cross-platform compatibility was absolutely key.  Once again, the open-source community came to the rescue with the really excellent program, KeePassX.  It’s got Mac, PC, and Linux flavors.  It stores your passwords in configurable groups.  It includes a password generator for creating and storing really long, really strong passwords on the fly.  And it stores the database in an AES 256-bit file.

I downloaded both a Mac and a PC version of KeePassX, and dropped both of them into the encrypted container that TrueCrypt created.  Again, this is so if I’m on a strange computer, I won’t have to download new copies of the software.  But you won’t know they’re there unless you’re already looking inside my TrueCrypt volume.

You can unlock a KeePassX password database with a master password.  I chose a really long password (~ 30+ alphanumeric characters) for this purpose.  Actually, this was the hardest part of the whole setup — I wanted a master password which I could remember and type, but which would be long and complicated enough to be virtually unbreakable.

At this point, I felt like there wasn’t much more I could do to ensure security, so I started dumping all my passwords into KeePassX.  Over the last week, I’ve slowly been adding accounts to the database, and I’ve been changing passwords as I go, to ensure I’m not using the same ones for multiple accounts.  I organized them into groups for work, banking, consulting clients, etc., which makes it easy to find the one I’m looking for.

And so far, so good.

So, how secure is it?

Well, let’s pretend I’m a determined hacker, and I’m trying to get at these passwords. Here’s what I’d have to do:

  1. Compromise the Dropbox account. Considering the security issues, let’s just say this is a given.  For the sake of our argument, it may as well have no password on it.
  2. Locate and compromise the secure data file created by TrueCrypt. This part is really tricky, because it’s very, very secure.  It’s extremely unlikely that it could be broken by anyone outside of the NSA, and even then, it could take them years and years of computer time to crack it. However, if they did, they’d still have to …
  3. … Compromise the KeePassX database. Again, AES 256-bit encryption with a very, very long passphrase would protect this file from brute-force attempts for longer than the life of the universe.
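Both step 3 (the generator and the long master password) and the brute-force argument above rest on the same arithmetic: the 256-bit volume key is derived from the passphrase, so the real search space is the smaller of the two. The following is an added example, not code from the post or from TrueCrypt or KeePassX: it generates passwords from the OS random source the way a manager’s generator does, computes the entropy of an alphanumeric password of a given length, caps it at the cipher key size, and stretches a passphrase into a 256-bit key with PBKDF2-HMAC-SHA256 (assumed here as a generic illustration of key derivation, not a claim about the exact KDF either tool uses). The guess rate and iteration count are constructed assumptions.

```python
import hashlib
import math
import secrets
import string

# Alphabet matching the post's "alphanumeric" master password (62 symbols).
ALPHANUMERIC = string.ascii_letters + string.digits


def generate_password(length, alphabet=ALPHANUMERIC):
    """Draw every character independently from the OS CSPRNG, as a password
    manager's generator does. `random.choice` is not suitable for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def effective_bits(passphrase_bits, cipher_key_bits=256):
    """The volume key is derived from the passphrase, so an attacker works on
    whichever space is cheaper to search: the passphrase or the raw key."""
    return min(passphrase_bits, cipher_key_bits)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return (2.0 ** bits / guesses_per_second) / (365.25 * 24 * 3600)


def derive_key(passphrase, salt, iterations=600_000):
    """Stretch a passphrase into a 256-bit key. PBKDF2-HMAC-SHA256 is an
    illustrative choice (assumption), not the exact KDF TrueCrypt or KeePassX
    use. Each iteration multiplies the attacker's cost per guess by the same factor."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


if __name__ == "__main__":
    rate = 1e10  # constructed: ten billion guesses per second, an optimistic cracking rig
    for length in (8, 12, 20, 30, 50):
        bits = effective_bits(entropy_bits(length, len(ALPHANUMERIC)))
        print(f"{length:2d} alphanumeric chars -> {bits:6.1f} effective bits, "
              f"{years_to_exhaust(bits, rate):.3g} years to exhaust")
    master = generate_password(30)
    key = derive_key(master, secrets.token_bytes(16))
    print("example generated master password:", master)
    print("derived 256-bit key (hex):", key.hex())
```

The table it prints makes the post’s point concrete: an 8-character alphanumeric password falls to an offline brute-force run in hours at that rate, a 30-character one sits near 179 bits, and only at about 43 characters does the passphrase stop being the weakest link against a 256-bit key. It also shows why the KDF iteration count matters: it is the only knob that raises the cost of each guess once the passphrase is fixed.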

What about other vectors? Like, say for instance someone was sniffing my network packets trying to pick up the passwords as they passed over the network?

Well, what’s getting transferred over the network is the TrueCrypt file, which is secure.  Local, cached copies are saved on each of the computers which have connected to it, so the only thing that would be sniffable would be the entire file, which would still leave you with steps 2 & 3 above.

What about if they compromise one of the machines that I have Dropbox installed on?  Again, the TrueCrypt volume would be visible to them, but unless they could get into it, and past still another level of encryption, my passwords are still safe.

Keyloggers?  Well, yeah, this is a possible vector.  If one of the machines I was working on were to have a keylogger installed, then a determined attacker could indeed get both the TrueCrypt password and the KeePassX password, which would let them get into the file.  But honestly, that’s the case no matter what steps you take to secure your information.  Best defense there is to keep the ol’ antivirus software up to date, and to regularly scan the system for malicious software.  Of course, that probably wouldn’t help if, for instance, a government agency were to break into my house and install a surreptitious keylogger on my machine, but if that’s what I’m up against, I have bigger problems than whether or not someone can get into my Twitter account.

Caveats: It seems profoundly unwise to have multiple machines accessing the TrueCrypt file at the same time.  That could, potentially, corrupt the encrypted volume irreparably.  Dropbox does do versioning, so this may not be a gigantic problem, but still, I’m not going to try it.  One machine at a time.  Dismount the TrueCrypt volume before logging out.

Another caveat is mobile access.  TrueCrypt and KeePassX don’t work on Android devices, so I can’t see my passwords through my mobile phone.  I can live with that, however.

So, while there may be no perfect security in the world, I feel pretty confident now that my passwords are all safe, accessible, and secure.  Perhaps that’s the best any of us can hope for, as we watch the continuums of privacy and technology shift under our feet.

Did I forget something? Got a better idea? Let me know in the comments.
