New Loose Leaf Security series: all about phone security

Two more episodes of Loose Leaf Security are out, a series about phone security:

"Securing your phone"

We take our phones everywhere and trust them with a lot of sensitive information, but have we put enough thought into how to secure them? Liz and Geoffrey discuss different aspects of securing the smartphone you have, including passcodes, location services, notifications, and digital voice assistants. Plus, a question from a caller and a major Supreme Court decision!

and "Comparing Android and iOS security"

Considering buying a new phone? Liz and Geoffrey compare the different security models of Android and iOS, the two most popular smartphone options on the market. We also talk about California's new privacy law, a number of recent attacks on cell phones, and how Tinder swiped left on bad crypto.

Teacup and locked phone, high tea two-tiered tray with Android and Apple logo cookies on the top tier and tea sandwiches on the bottom tier

Head over to Loose Leaf Security or click the links above for the full audio and our detailed show notes. As a reminder, you can also catch our show on Apple Podcasts, Google Play, Pocket Casts, Stitcher, TuneIn, or other podcast places. Additionally, you can follow the project on Twitter, Instagram, and Facebook.

New Loose Leaf Security episode: two-factor authentication and account recovery

The second episode of Loose Leaf Security came out today, about two-factor authentication and account recovery:

Last week we talked about strong passwords, but what if there was a better way to secure your account? We look at options for two-factor authentication, including text messages, apps, and security keys. Plus, security news from Apple, one of Liz's accounts got breached, and Geoffrey wants to celebrate a special birthday.

Security key on a keychain near steam coming out of a teapot

Head over to Loose Leaf Security for the full audio, show notes - including a deep dive into different two-factor authentication methods and which ones are supported by a handful of popular websites - and complete transcript. As a reminder, you can also catch our show on Apple Podcasts, Google Play, Pocket Casts, Stitcher, TuneIn, or other podcast places. Sadly, we're still not yet in Spotify, but we're working on it! Additionally, you can follow the project on Twitter, Instagram, and Facebook.

Introducing Loose Leaf Security, and securing your online account passwords

I just launched a new project with Geoffrey Thomas: Loose Leaf Security, a podcast about making good computer security for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe. In every episode, we tackle a typical security concern or walk you through a recent incident.

Loose Leaf Security album cover

Our first episode is about securing your online account passwords:

You've heard for years about how to come up with strong passwords, but are those guidelines really true? Liz and Geoffrey talk about new risks to your online accounts, especially with the news of clear-text passwords being mishandled at Twitter and GitHub, and whether you should trust a password manager to solve all your password problems for you. Plus, what's happening to the green lock icon in Chrome, and should you worry about EFAIL?

The full audio, show notes - including a comprehensive and current comparison of the leading password managers - and complete transcript can be found on our new website. You can also catch our show on Apple Podcasts, Google Play, Pocket Casts, Stitcher, TuneIn, or other podcast places. Sadly, we're not yet in Spotify, but we're working on it! Additionally, you can follow the project on Twitter, Instagram, and Facebook.

Adding Open Graph to Pelican

I just added Open Graph support to this Pelican-generated site so pretty previews would show up when people shared my posts, and I figured I'd share the fairly tidy way I went about it in case other people were interested. I only added support for articles, my journal entries, and pages, the other headers on this site, because adding it for things like tags didn't make a lot of sense (why would anyone share those?).

The changes were pretty simple. First, I added the following to the <head> section of template.html, the part of my custom theme from which every webpage on my site inherits its style:

{% if article is defined %}
<meta property="og:type" content="article" />
<meta property="og:url" content="{{ SITEURL }}/{{ article.url }}" />
<meta property="og:title" content="{{ article.title | replace("\"", "&quot;") }}" />
<meta property="og:description" content="{{ article.content | striptags | replace("\"", "&quot;") | truncate(196, False, '...') }}" />
<meta property="og:image" content="{{ SITEURL }}/images/{% if article.opengraph_image is defined %}{{ article.opengraph_image }}{% else %}opengraph-default.jpg{% endif %}" />
{% endif %}

{% if page is defined %}
<meta property="og:type" content="website" />
<meta property="og:url" content="{{ SITEURL }}/{{ page.url }}" />
<meta property="og:title" content="{{ SITENAME }} - {{ page.title | replace("\"", "&quot;") }}" />
<meta property="og:description" content="{{ page.content | striptags | replace("\"", "&quot;") | truncate(196, False, '...') }}" />
<meta property="og:image" content="{{ SITEURL }}/images/{% if page.opengraph_image is defined %}{{ page.opengraph_image }}{% else %}opengraph-default.jpg{% endif %}" />
{% endif %}

It was obvious to treat what Pelican calls articles, my journal/blog entries, as articles, and I decided to treat my Pelican pages, basic information about me, as websites. My article titles stand well on their own, but my page titles are accompanied by Liz Denys, my SITENAME, because they don't make as much sense on their own.

Raw double quotes would be problematic in meta tags, so I make sure to replace them with the friendlier HTML entity &quot; in both the titles and descriptions with Jinja's replace function. I've found that double quotes in article titles mess other things up in Pelican, but still applied the replace to titles here just in case that changes.

The Open Graph description property, og:description, is generally a preview of the website's content, and since I don't use Pelican's summary attributes in my theme, I opted to grab a bit of the content directly with article.content or page.content. I couldn't find a definitive answer as to how much that should be - Open Graph says a description is "a one to two sentence description of your object", Facebook defines a description as "a clear description, at least two sentences long", and Twitter specifies that a description has a maximum of 200 characters. These seemed a bit conflicting, so I followed the clearest instruction, Twitter's, and limited my descriptions to 200 characters, including the possible trailing " ..." with Jinja's truncate function.
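The quote-escaping and description-truncation steps described above, as an added example that is not the post's own template: a small stdlib-only Python version of the striptags | replace | truncate pipeline. It pulls the text out of the rendered HTML with html.parser (which, like Jinja's striptags, drops tags and resolves entities), truncates at a word boundary so the result including the trailing "..." stays within Twitter's 200-character limit, and then escapes the text for a double-quoted attribute with html.escape, which covers & and < as well as the double quote the template replaces. The function names and the sample HTML are constructed for this example.

```python
"""Build an attribute-safe og:description from rendered article HTML.

Added example (stdlib only); not the Jinja template from the post.
"""
import html
import re
from html.parser import HTMLParser

MAX_DESCRIPTION = 200  # Twitter's limit, the one the post settles on
ELLIPSIS = "..."


class _TextExtractor(HTMLParser):
    """Collect the text nodes of an HTML fragment, dropping the tags.

    With convert_charrefs=True, HTMLParser turns &amp;, &quot;, &#39; and
    friends back into plain characters, as MarkupSafe's striptags does.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_tags(fragment: str) -> str:
    """Return the plain text of an HTML fragment, whitespace collapsed."""
    parser = _TextExtractor()
    parser.feed(fragment)
    parser.close()
    return re.sub(r"\s+", " ", "".join(parser.parts)).strip()


def truncate_words(text: str, length: int, end: str = ELLIPSIS) -> str:
    """Cut at a word boundary so the result, including `end`, is <= length."""
    if len(text) <= length:
        return text
    cut = text[: length - len(end)]
    # Drop the partial last word (Jinja's truncate with killwords=False).
    if " " in cut:
        cut = cut.rsplit(" ", 1)[0]
    return cut.rstrip() + end


def og_description(content_html: str, limit: int = MAX_DESCRIPTION) -> str:
    """Plain-text, length-limited og:description value, escaped for an attribute."""
    text = truncate_words(strip_tags(content_html), limit)
    # Escape after truncating so an entity is never cut in half.
    # html.escape handles & < > " and ' for a double-quoted attribute.
    return html.escape(text, quote=True)


def og_meta_tag(property_name: str, value: str) -> str:
    """Render one <meta property="og:..." content="..."> tag."""
    return f'<meta property="og:{property_name}" content="{value}" />'


# Constructed sample input (not taken from any real post): it contains
# entity-encoded quotes, an ampersand, a '<' inside <code>, and a newline.
SAMPLE_HTML = (
    "<p>Say &quot;hello&quot; to Tom &amp; Jerry, then check "
    "<code>1 &lt; 2</code>.</p>\n"
)

if __name__ == "__main__":
    print(og_meta_tag("description", og_description(SAMPLE_HTML)))
```

Running the file prints the finished meta tag for the sample. The order matters: tags are stripped and entities resolved first, the plain text is truncated, and only then is the result escaped, so the length limit applies to what a reader sees and the escaping can never be split by the cut.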

Some, but not all, of my articles and pages contain images, so I wanted a default og:image for the entire site that could get overridden on webpages where something specific made more sense. I briefly considered programmatically taking the first image to appear in a post for its preview, but when I looked through some older posts, I noticed this wasn't always the right choice both in terms of content and size - you need at least a 200px square for Facebook and probably want even larger. I uploaded a default og:image to "{{ SITEURL }}/images/opengraph-default.jpg". I named the file that instead of something that describes its content (currently an old photo of me in SIPB's machine room) so that I would only need to upload a new image to the same location to change it later. When I want to override this default for an article or page, I'd simply define opengraph_image in the meta information of its Markdown file like so:

Title: Inbox by Gmail's accidentally abusive algorithm
Slug: inboxs-accidentally-abusive-algorithm
Date: 2016-05-14 11:03
Category:
Tags: a little too helpful; content algorithms; email; gmail; Google; harassment; inbox; social; software engineering and computer science
opengraph_image: software/inboxs-accidentally-abusive-algorithm/inbox-speed-dial.jpg

The code in the template checks whether or not this meta information exists, so if I want to use the site default, I simply leave it out.

Once I added this to my site, I checked that my new Open Graph information rendered as I expected with Facebook's Sharing Debugger and Twitter's Card Validator. I also sent direct messages containing links to my posts on Slack to see how they rendered there with the new Open Graph information. Here's what one of my articles now looks like when someone posts it to Facebook:

Facebook share preview for Inbox by Gmail's speed dial with Open Graph information including an image, title, and description

That same article when it's shared on Twitter:

Twitter card preview for Inbox by Gmail's speed dial with Open Graph information including an image, title, and description

And finally, what it looks like when posted to Slack:

Slack preview for Inbox by Gmail's speed dial with Open Graph information including an image, title, and description

Impostor syndrome, an ancient arcane magic

Dealing with impostor syndrome isn't fun, but playing Dungeons & Dragons is! Here's a quick little spell combining the two:

Impostor syndrome

5th-level enchantment

Casting Time: 1 action
Range: 60 feet
Components: V, S
Duration: Concentration, up to 1 minute

You create an overwhelming sense of doubt in the mind of a creature[1] that you can see within range. The target must make a Wisdom saving throw. On a success, the spell ends. On a failed save, the target firmly believes it is less talented than it actually is, and its Intelligence score is reduced by 2 until this spell ends. Additionally, the target becomes very anxious, and any Constitution saving throws made to maintain concentration are made with disadvantage until this spell ends.

While a target is affected by this spell, the target rationalizes all previous accomplishments as luck and deeply fears its magic will fail and reveal it as a fraud.

On each of your turns for the duration, you can use your action to deal 4d8 psychic damage to the target. You do not need to be able to see the target or continue to be within range to deal this damage.

At the end of each of the affected target's turns, it can make a Wisdom saving throw. If you can no longer see the target, it has advantage on this saving throw. On a successful save, this spell ends.

At Higher Levels. When you cast this spell using a 6th-level spell slot, the target's Intelligence score is reduced by 3 on a failed save. When you use a spell slot of 7th level or higher, its Intelligence score is reduced by 4 on a failed save.

Available to classes: Bard, Sorcerer, Warlock, Wizard

[1] I framed the target as a "creature" and used the pronouns "it" and "its" because that's the standard way to define spell targets in 5E. It felt awkward to use this standard for something we all know is commonly cast on women, people of color, etc., all of whom are humans.