New Loose Leaf Security episode: two-factor authentication and account recovery

The second episode of Loose Leaf Security came out today, about two-factor authentication and account recovery:

[Image: A hardware security key with a leaf logo on a keychain near the spout of a steaming pot of tea]

Two-factor authentication and account recovery

Last time we talked about strong passwords, but what if there was a better way to secure your account? We look at options for two-factor authentication, including text messages, apps, and security keys. Plus, security news from Apple, one of Liz's accounts got breached, and Geoffrey wants to celebrate a special birthday.

Head over to Loose Leaf Security for the full audio, show notes - including a deep dive into different two-factor authentication methods and which ones are supported by a handful of popular websites - and complete transcript. As a reminder, you can also catch our show on Apple Podcasts, Google Play, Pocket Casts, Stitcher, TuneIn, or other podcast places. Sadly, we're still not in Spotify, but we're working on it! Additionally, you can follow the project on Twitter, Instagram, and Facebook.

Introducing Loose Leaf Security, and securing your online account passwords

I just launched a new project with Geoffrey Thomas: Loose Leaf Security, a podcast about making good computer security for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe. In every episode, we tackle a typical security concern or walk you through a recent incident.

[Image: Loose Leaf Security album cover]

Our first episode is about securing your online account passwords:

[Image: A password made up of letters, numbers, and symbols written in the steam of a green lock-inspired teapot]

Securing your online account passwords

You've heard for years about how to come up with strong passwords, but are those guidelines really true? Liz and Geoffrey talk about new risks to your online accounts, especially with the news of clear-text passwords being mishandled at Twitter and GitHub, and whether you should trust a password manager to solve all your password problems for you. Plus, what's happening to the green lock icon in Chrome, and should you worry about EFAIL?

The full audio, show notes - including a comprehensive and current comparison of the leading password managers - and complete transcript can be found on our new website. You can also catch our show on Apple Podcasts, Google Play, Pocket Casts, Stitcher, TuneIn, or other podcast places. Sadly, we're not yet in Spotify, but we're working on it! Additionally, you can follow the project on Twitter, Instagram, and Facebook.

Adding Open Graph to Pelican

I just added Open Graph support to this Pelican-generated site so pretty previews would show up when people shared my posts, and I figured I'd share the fairly tidy way I went about it in case other people were interested. I only added support for articles (my journal entries) and pages (the other headers on this site), because adding it for things like tags didn't make a lot of sense (why would anyone share those?).

The changes were pretty simple. First, I added the following to the <head> section of template.html, the part of my custom theme from which every webpage on my site inherits its style:

{% if article is defined %}
<meta property="og:type" content="article" />
<meta property="og:url" content="{{ SITEURL }}/{{ article.url }}" />
<meta property="og:title" content="{{ article.title | replace("\"", "&quot;") }}" />
<meta property="og:description" content="{{ article.content | striptags | replace("\"", "&quot;") | truncate(196, False, '...') }}" />
<meta property="og:image" content="{{ SITEURL }}/images/{% if article.opengraph_image is defined %}{{ article.opengraph_image }}{% else %}opengraph-default.jpg{% endif %}" />
{% elif page is defined %}
<meta property="og:type" content="website" />
<meta property="og:url" content="{{ SITEURL }}/{{ page.url }}" />
<meta property="og:title" content="{{ SITENAME }} - {{ page.title | replace("\"", "&quot;") }}" />
<meta property="og:description" content="{{ page.content | striptags | replace("\"", "&quot;") | truncate(196, False, '...') }}" />
<meta property="og:image" content="{{ SITEURL }}/images/{% if page.opengraph_image is defined %}{{ page.opengraph_image }}{% else %}opengraph-default.jpg{% endif %}" />
{% else %}
<meta property="og:type" content="website" />
<meta property="og:url" content="{{ SITEURL }}/{{ output_file }}" />
<meta property="og:title" content="{{ SITENAME }}" />
<meta property="og:description" content="A page on Liz Denys's personal site" />
<meta property="og:image" content="{{ SITEURL }}/images/opengraph-default.jpg" />
{% endif %}

It was obvious to treat what Pelican calls articles, my journal/blog entries, as articles, and I decided to treat my Pelican pages, basic information about me, as websites. My article titles stand well on their own, but my page titles are accompanied by Liz Denys, my SITENAME, because they don't make as much sense on their own. Everything else - my journal's timeline and tag pages - doesn't have a lot of information in Pelican, so they just got a boring default.

Raw double quotes would be problematic in meta tags, so I make sure to replace them with the friendlier HTML entity &quot; in both the titles and descriptions with Jinja's replace function. I've found that double quotes in article titles mess other things up in Pelican, but still applied the replace to titles here just in case that changes.

The Open Graph description property, og:description, is generally a preview of the website's content, and since I don't use Pelican's summary attributes in my theme, I opted to grab a bit of the content directly with article.content or page.content. I couldn't find a definitive answer as to how much that should be - Open Graph says a description is "a one to two sentence description of your object", Facebook defines a description as "a clear description, at least two sentences long", and Twitter specifies that a description has a maximum of 200 characters. These seemed a bit conflicting, so I followed the clearest instruction, Twitter's, and limited my descriptions to 200 characters, including the possible trailing " ..." with Jinja's truncate function.

Some, but not all, of my articles and pages contain images, so I wanted a default og:image for the entire site that could get overridden on webpages where something specific made more sense. I briefly considered programmatically taking the first image to appear in a post for its preview, but when I looked through some older posts, I noticed this wasn't always the right choice both in terms of content and size - you need at least a 200px square for Facebook and probably want even larger. I uploaded a default og:image to "{{ SITEURL }}/images/opengraph-default.jpg". I named the file that instead of something that describes its content (currently an old photo of me in SIPB's machine room) so that I would only need to upload a new image to the same location to change it later. When I want to override this default for an article or page, I simply define opengraph_image in the meta information of its Markdown file like so:

Title: Inbox by Gmail's accidentally abusive algorithm
Slug: inboxs-accidentally-abusive-algorithm
Date: 2016-05-14 11:03
Tags: a little too helpful; content algorithms; email; gmail; Google; harassment; inbox; social; software engineering and computer science
opengraph_image: software/inboxs-accidentally-abusive-algorithm/inbox-speed-dial.jpg

The code in the template checks whether or not this meta information exists, so if I want to use the site default, I simply leave it out.
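To see how that striptags / replace / truncate chain behaves on awkward input, here is an added example (mine, not Pelican's or this site's code) that reimplements the template's filter steps in plain Python with only the standard library. It uses html.escape so that &, < and > are escaped along with the double quote; the og_meta function and the item dict are assumptions standing in for Pelican's article and page objects.

```python
import html
import re

# Twitter's 200-character limit is the tightest of the three the post cites.
OG_DESCRIPTION_MAX = 200
DEFAULT_IMAGE = "opengraph-default.jpg"

_TAG_RE = re.compile(r"<!--.*?-->|<[^>]*>", re.DOTALL)

def striptags(fragment):
    """Drop tags and comments, unescape entities and collapse whitespace,
    which is what Jinja's striptags filter does to article.content."""
    text = html.unescape(_TAG_RE.sub("", fragment))
    return " ".join(text.split())

def attr(value):
    """Escape a value for a double-quoted attribute. The template only turns
    '"' into &quot;, which is enough to stop an attribute breakout; escaping
    &, <, > and ' as well keeps the value safe under any quoting style."""
    return html.escape(value, quote=True)

def truncate(text, length=OG_DESCRIPTION_MAX, end="..."):
    """Cut at a word boundary so that text plus `end` never exceeds `length`,
    mirroring truncate(length, False, end) in the template."""
    if len(text) <= length:
        return text
    head = text[: length - len(end)].rsplit(" ", 1)[0].rstrip()
    return head + end

def og_meta(site_url, item, kind="article", site_name=None):
    """Build the og:* properties the template emits for one article or page.
    `item` is a hypothetical dict with the Pelican fields the template reads:
    title, url, content and the optional opengraph_image metadata."""
    title = item["title"]
    if kind == "website" and site_name:
        title = f"{site_name} - {title}"
    # Truncate before escaping: an entity such as &quot; can then never be
    # cut in half, and the 200-character budget applies to the visible text.
    description = truncate(striptags(item["content"]))
    image = item.get("opengraph_image", DEFAULT_IMAGE)
    return {
        "og:type": kind,
        "og:url": f"{site_url}/{item['url']}",
        "og:title": attr(title),
        "og:description": attr(description),
        "og:image": f"{site_url}/images/{image}",
    }

def render(meta):
    """Serialise the properties as <meta> tags in the template's order."""
    return "\n".join(f'<meta property="{k}" content="{v}" />' for k, v in meta.items())

# Constructed sample article, not a real post from the site.
SAMPLE_ARTICLE = {
    "title": 'A "quoted" title',
    "url": "journal/quoted-title.html",
    "content": "<p>Tea &amp; <em>two-factor</em> auth.</p> " + "<p>More text here.</p> " * 20,
}

if __name__ == "__main__":
    print(render(og_meta("https://example.com", SAMPLE_ARTICLE)))
```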

Once I added this to my site, I checked that my new Open Graph information rendered as I expected with Facebook's Sharing Debugger and Twitter's Card Validator. I also sent direct messages containing links to my posts on Slack to see how they rendered there with the new Open Graph information. Here's what one of my articles now looks like when someone posts it to Facebook:

[Image: Facebook share preview for Inbox by Gmail's speed dial with Open Graph information including an image, title, and description]

That same article when it's shared on Twitter:

[Image: Twitter card preview for Inbox by Gmail's speed dial with Open Graph information including an image, title, and description]

And finally, what it looks like when posted to Slack:

[Image: Slack preview for Inbox by Gmail's speed dial with Open Graph information including an image, title, and description]

Impostor syndrome, an ancient arcane magic

Dealing with impostor syndrome isn't fun, but playing Dungeons & Dragons is! Here's a quick little spell combining the two:

Impostor syndrome

5th-level enchantment

Casting Time: 1 action
Range: 60 feet
Components: V, S
Duration: Concentration, up to 1 minute

You create an overwhelming sense of doubt in the mind of a creature that you can see within range. The target must make a Wisdom saving throw. On a success, the spell ends. On a failed save, the target firmly believes it is less talented than it actually is, and its Intelligence score is reduced by 2 until this spell ends. Additionally, the target becomes very anxious, and any Constitution saving throws made to maintain concentration are made with disadvantage until this spell ends.

While a target is affected by this spell, the target rationalizes all previous accomplishments as luck and deeply fears its magic will fail and reveal it as a fraud.

On each of your turns for the duration, you can use your action to deal 4d8 psychic damage to the target. You do not need to be able to see the target or continue to be within range to deal this damage.

At the end of each of the affected target's turns, it can make a Wisdom saving throw. If you can no longer see the target, it has advantage on this saving throw. On a successful save, this spell ends.

At Higher Levels. When you cast this spell using a 6th-level spell slot, the target's Intelligence score is reduced by 3 on a failed save. When you use a spell slot of 7th level or higher, its Intelligence score is reduced by 4 on a failed save.

Available to classes: Bard, Sorcerer, Warlock, Wizard


  1. I framed the target as a "creature" and used the pronouns "it" and "its" because that's the standard way to define spell targets in 5E. It felt awkward to use this standard for something we all know is commonly cast on women, people of color, etc., all of whom are humans.

On the Fearless Girl, what constitutes art, authorial intent, and the patriarchy

A little over a month ago, Kristen Visbal's Fearless Girl statue was placed face to face with the Charging Bull statue in Manhattan's Financial District:

[Image: Visbal's Fearless Girl stands strong with her hands on her hips (Moody Man's photo of Fearless Girl)]
[Image: Visbal's Fearless Girl stands firmly opposing Charging Bull (Anthony Quintano's photo of Fearless Girl facing Charging Bull)]

But she wasn't just the fearless young woman standing up to capitalism she seems to be. A plaque was placed next to her that read:

Know the power of women in leadership

SHE makes a difference.

State Street Global Advisors

The plaque said "State Street Global Advisors" and emphasized the word "SHE" because Fearless Girl was commissioned by State Street Global Advisors as an advertisement for their SHE index ETF. A lot of people, including the bull's artist, are upset because Fearless Girl's origins are partially related to an advertisement.

Interestingly, Fearless Girl and its plaque were rather ineffective as an ad. (The plaque has now been taken down.) It certainly looks weird to have something that says "State Street Global Advisors" on it by the statue, but it's not at all obvious that this is a reference to the SHE ticker. When I asked people who saw it in person, most of them told me they saw a strong young woman standing up against capitalism. When I myself moved closer and saw the plaque, I felt my eyes roll because it felt like a poor effort on behalf of a finance company to promote women. I didn't recognize it as a publicity stunt for a ticker, and I work in finance. The average visitor is probably much less likely to realize "SHE" meant the ticker. I actually only know a few people who recognized the reference to State Street's ticker, and they all specifically pay attention to new financial products as part of their job. It took the internet to explain the ad to the masses, and it seemed to have gone viral in a way that didn't benefit State Street unless you really, truly believe that all press is good press.

Honestly, I don't love that this otherwise wonderful statue started as an ad; I'd love it a little bit more if it weren't one. However, public art is incredibly expensive to create - Arturo Di Modica spent $350,000 of his own money to create Charging Bull. Not everyone is independently wealthy enough to have a whopping 350 thousand dollars in 1989 (roughly 700 thousand dollars today) lying around to drop on a statue that they don't even expect to see returns on. If we believe that "true" art is self-funded, we let art only be the domain of the rich and lose the viewpoints of everyone who doesn't have that kind of privilege. That isn't right.

Di Modica is upset not just because Fearless Girl was in part an advertisement: he is also upset that people are misinterpreting his Charging Bull. He says his statue is about "the strength and power of the American people" and does not like that people view it differently. Specifically, he does not like that some people interpret the bull as the strength and power of capitalism or men in the United States. But once you release your art into the world, your intentions as the artist no longer comprise the only valid interpretation of your art. You cannot control how people react to your art, nor should you be allowed to.

Greg Fallis is one of those people who thinks Di Modica has a point about how authorial intent relates to both Di Modica's Charging Bull and Visbal's Fearless Girl. He writes:

Fearless Girl also changes the meaning of Charging Bull. Instead of being a symbol of "the strength and power of the American people" as Di Modica intended, it's now seen as an aggressive threat to women and girls — a symbol of patriarchal oppression.

Fallis notes that Fearless Girl highlighted the interpretation of Charging Bull as "a symbol of patriarchal oppression" as a valid interpretation. He shows that he understands that authorial intent isn't everything. He continues:

In effect, Fearless Girl has appropriated the strength and power of Charging Bull. Of course Di Modica is outraged by that. A global investment firm has used a global advertising firm to create a faux work of guerrilla art to subvert and change the meaning of his actual work of guerrilla art. That would piss off any artist.

See? It's not as simple as it seems on the surface. It's especially complicated for somebody (like me, for example) who appreciates the notion of appropriation in art. I've engaged in a wee bit of appropriation my ownself. Appropriation art is, almost by definition, subversive - and subversion is (also almost by definition) usually the province of marginalized populations attempting to undermine the social order maintained by tradition and the establishments of power. In the case of Fearless Girl, however, the subversion is being done by global corporatists as part of a marketing campaign. That makes it hard to cheer them on. There's some serious irony here.

Fallis's belief that subverting Charging Bull as "a symbol of patriarchal oppression" should solely be the "province of marginalized populations attempting to undermine the social order maintained by tradition and the establishments of power" leaves no room for works funded for corporate interests. Specifically, he states that "global corporatists" funding Fearless Girl as "part of a marketing campaign" invalidates it as subversive art. He implies that it only disrespects Di Modica's statue because it has, as Fallis later states, "hijacked the meaning of his work" under false pretenses.

What Fallis is really saying is that it's valid to see Charging Bull in lenses other than Di Modica's authorial intent, but Fearless Girl will always primarily be marred by its associations to State Street's SHE index ETF. Not only does this imply that some concept of authorial intent has to be the primary interpretation of Fearless Girl, but that the authorial intent of Fearless Girl is solely the province of State Street and is thus completely disconnected from its creator, Kristen Visbal.

While it's true that Kristen Visbal's Fearless Girl was funded by State Street, it is equally true that Visbal wove her own vision of the girl into the statue. Visbal put careful thought into the girl's expression:

"But I made sure to keep her features soft; she's not defiant, she's brave, proud and strong, not belligerent."

She made a deliberate choice as to who the girl should represent:

The sculptor based her work on two Delaware children - a friend's daughter she said had "great style and a great stance, and I told her to pretend she was facing a bull." The second was a "beautiful Latina girl, so everyone could relate to the Fearless Girl."

Removing Visbal's creativity from an examination of the authorial intent behind Fearless Girl just doesn't make sense. Whatever value authorial intent holds aside, her creative decisions undoubtedly influenced why I relate to a girl proud to face capitalism and take on Wall Street.

Later in his piece, Fallis focuses even more on State Street's intentions when trying to evaluate the merits of Fearless Girl:

And yet, there she is, the Fearless Girl. I love the little statue of the girl in the Peter Pan pose. And I resent that she's a marketing tool. I love that she actually IS inspiring to young women and girls. And I resent that she's a fraud. I love that she exists. And I resent the reasons she was created.

On its surface, this paragraph sounds like an understandable set of mixed feelings on the piece that I largely agree with, but Fallis hides something much, much more insidious - the idea that Fearless Girl is a "fraud" because State Street funded her creation.

Calling the girl a "fraud" has deeper underpinnings than only the unjust idea, mentioned above, that getting funding invalidates art. Women's ideas have been erased by men who restate their ideas, take credit for them, and successfully erase women's involvement in them - much as Visbal's creative decisions are being erased because State Street funded her sculpture. Women's contributions have been consistently devalued because they have been supported by the money of others, usually men who collectively hold the keys to significantly more money than women do - much like how Di Modica's self-funded $350,000 work is considered true guerrilla art while Visbal's has no such value because she didn't pay for it herself. Finally, as much as it pains me to say it, women's progress often depends on the approval of men and their willingness to take up their cause - much as State Street chose to fund Visbal's work.

Do I think we should stop thinking critically about Fearless Girl? Absolutely not, but I definitely think we can't consider the context surrounding how the statues were funded and their authorial intents in a vacuum - they are fundamentally intertwined with the patriarchy.


  1. This doesn't seem inaccurate to me: State Street notes inclusion and diversity to be "strategic imperatives", but I could not find any specific numbers supporting this beyond a report from 2014. That report mentions some programs to support women more than a few times, but only one mention includes hard numbers: a leadership development and rotational program with 37 participants that was 57 percent women. That leadership program (which also had 46 percent individuals of color!) sounds like a positive force within their company, but a program with 37 people doesn't constitute a meaningful report on diversity on its own for a company with 33,000 employees. Further in the report, State Street mentions goals to increase diversity to be implemented by 2017, but they don't include numbers there. The same report from 2015 shows diversity goals for women employees and employees of color at various levels within the company on the page labeled 36. These goals may be better than the average financial company, but they aren't particularly satisfying. Furthermore, the report did not include anything about their 2015 breakdown of women employees and employees of color, nor can I find any follow-ups showing their diversity numbers as they implement these goals.
  2. But really, you picked a bull, a male cow, and gave him huge testicles, so can you really be surprised that people feel it might be related to the patriarchy? (The linked article also has a lot of other analysis of another article about Fearless Girl that I also dig into in the next paragraph.)
  3. Which sometimes only happens because it benefits them.
  4. And chose to instantiate any sort of program at all to increase diversity (see footnote 1) which is probably in no small part due to how it "creates better business results" as mentioned in that 2015 report (see footnote 3).