1x63: Single Point of Weather

Jono Bacon, Jeremy Garcia, Bryan Lunduke, and Stuart Langridge bring you Bad Voltage, in which it is always sunny in California, we have the worst analogy ever, and:

  • 00:01:56 Trouble at the Wikimedia Foundation? The executive director and a bunch of others have stepped down; it's not clear whether their "Knowledge Engine" was a plan to make a rival to Google's search, or just to improve Wikipedia's own searching capabilities; and the accusations of them being secretive and avoiding their goals of transparent access to information are flying thick and fast. What's going on here?
  • 00:19:25 Jeremy reviews the WS-1001 Wifi Observer weather station from Ambient Weather
  • 00:33:31 Josh Strobl talks to us about the Solus project, a Linux-based OS designed for the desktop
  • 00:49:51 Password managers: they seem a good idea for your personal security, but they're all difficult to use or require you to store your data on their computers. Are there good ones? Is using a password manager a good idea for us?

Download the show now!

What the heck was going on at 35:05? :smiley:

oi, @jonobacon, why is there a tiny amount of thrash metal guitar at 35.05? :slight_smile:

Random Bill & Ted style air guitar?

1 Like

I am using Keepass 2 (link). It is fitting all of your requested features.

So why are you not using Keepass 2?
Sorry for the links, but new users can post just two links!?? Just add a https:// in front of them. [edit by sil: links now linkified; thank you @dervomsee]

Regards from Germany.

@jeremy did his usual excellent job in doing a review. Jeremy, you always keep my interest in what you are reviewing, even though I might have no interest in actually obtaining the object. This time, and especially after your review, I wish I could get that weather station. @bryanlunduke’s suggestion of tampering for fun reminded me of my own antics when, during a long drought, I would spray the neighbor’s rain gauge while watering the garden, just enough to get a bit in there. Don’t know if I ever fooled him though. :slight_smile:

I wanted to express appreciation for another good interview. I did enjoy it, with the rest of the show. Thanks guys.

1 Like

Much appreciated.

–jeremy

I used LastPass for years, though they’ve been hacked before and after they were purchased by LogMeIn I decided to finally switch to something else.

I spent awhile experimenting and finally landed on pass which I know you already tried, @sil. I’ve been using it happily on Linux, Windows and Android since ~November of last year.

Every password is stored in a gpg encrypted text file which just contains one line with the password, which provides great security. If the pass project were ever to die, everything is just a gpg file so you can easily retrieve your passwords and store them in something else.

The pass program uses git to sync across systems (Windows/Linux/Android/etc), so you can set up your own private git server and sync your encrypted gpg files, and git knows nothing about the contents of said files.

pass has a browser extension, though I haven’t tried it yet because I’m using a dmenu script with some keyboard shortcuts to make things just as fast IMO.


On Linux

Everything is stored under ~/.password-store/ which looks like:

~/.password-store/website1.com/generic_username.gpg
~/.password-store/website1.com/username2_for_same_site.gpg
~/.password-store/website2.com/email@domain.com.gpg
~/.password-store/website3.com/email2@fmail.com.gpg
~/.password-store/not-a-website/username.gpg

Or if you want to categorize:

~/.password-store/finance/website1.com/generic_username.gpg
~/.password-store/finance/website2.com/email@domain.com.gpg
~/.password-store/games/website3.com/email2@fmail.com.gpg
~/.password-store/work/not-a-website/username.gpg

I use the commandline for adding passwords and pushing/pulling from git, and have bash completions enabled for pass which makes typing and remembering commands quicker.

To retrieve my password for a website, I use passmenu rather than a browser extension. This is what really has me loving pass.

I just press my keyboard shortcut of choice to launch it:

Then I start typing the website for which I want the password (or browse with arrow keys):

Press enter and the password is automatically copied to my clipboard.

One thing to note is that I changed dmenu to rofi in the passmenu script:

< password=$(printf '%s\n' "${password_files[@]}" | dmenu "$@")
> password=$(printf '%s\n' "${password_files[@]}" | rofi -dmenu -p "passmenu:" "$@")
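
Review bot: the replacement line hard-codes rofi, so the script stops working on any machine that has dmenu but not rofi; consider selecting the launcher from a variable, or falling back to dmenu when rofi is not installed. The "$@" is still forwarded unchanged, so any dmenu-style options a caller passes now reach rofi's -dmenu mode and should be checked for compatibility.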

For random password generation, I use pwgen -s.


On Windows and Android

It’s not as convenient as Linux with passmenu, because you have to use a point and click GUI to pick which password you want, then the password gets copied to your clipboard. Though the experience is on par with most Android or Windows password managers. Plus everything still gets synced with git which is nice.

3 Likes
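
An added example, not code from the post above or from the pass project: in the store layout shown in that post, directory and file names stay in plaintext, so whoever hosts the git remote can read which sites and logins exist even though the passwords themselves are encrypted. The script lists that metadata without any key and flags entries that other local users could read; the function names and the sample store (empty placeholder .gpg files) are constructed for illustration.

```shell
# Audit a pass-style store using file names and mode bits only (no decryption).

# Print one "site<TAB>login" line per entry: exactly what a git remote can see.
store_metadata() {
    local store="$1"
    ( cd "$store" && find . -type f -name '*.gpg' | sort ) |
    while IFS= read -r path; do
        path=${path#./}
        path=${path%.gpg}
        printf '%s\t%s\n' "$(dirname "$path")" "$(basename "$path")"
    done
}

# List files and directories in the store that group or other users can read.
loose_permissions() {
    find "$1" \( -perm -040 -o -perm -004 \) | sort
}

# Build a constructed sample store; the .gpg files are empty placeholders.
make_sample_store() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/website1.com" "$d/finance/website2.com"
    : > "$d/website1.com/generic_username.gpg"
    : > "$d/finance/website2.com/email@domain.com.gpg"
    chmod -R go-rwx "$d"
    # Deliberately loosen one entry so the permission check has something to find.
    chmod 644 "$d/website1.com/generic_username.gpg"
    printf '%s\n' "$d"
}

# Demo run on the constructed store.
demo_store=$(make_sample_store)
echo "Visible to the git remote (site, login):"
store_metadata "$demo_store"
echo "Readable by other local users:"
loose_permissions "$demo_store"
rm -rf "$demo_store"
```

To check a real store, call `store_metadata ~/.password-store` and `loose_permissions ~/.password-store`; the categorized layout (finance/, work/) appears in the first column as part of the path.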

@sil oi, @jonobacon, why is there a tiny amount of thrash metal guitar at 35.05? :slight_smile:

While doing the interview I realized I had some tabs open that might make noise (e.g. gmail, facebook etc) so I went to close them down. One tab was YouTube and it blared out a split second of deathcore when I clicked the tab. No idea why it did that. :slight_smile:

1 Like

Regarding the discussion on password managers, is it time to start considering alternatives to the password itself? NFC readers are cheap and readily-available. YubiKey has been around for a while and many of us have or have access to those portable authentication fobs - or even Google Authenticator. So perhaps web sites that require one-factor to authenticate might allow that factor to be something you have rather than something you know. And maybe sites that require two factors might use fingerprint readers or facial recognition as the other factor, eliminating the need for passwords entirely.

Or is that just crazy talk?
EB

It’s not crazy talk, but it’s not something we can do. I’d like to improve my use of the web; convincing every site owner to abandon passwords isn’t on the list of stuff I can accomplish to make that happen :slight_smile:

I believe in you.

1 Like

Shall we start with http://lunduke.com/wp-login.php ? :slight_smile:

4 Likes

Password Managers; I keep trying to move away from lastpass. A couple of times a year I try out f/oss alternatives but it’s yet to stick. The reason I’ve kept with lastpass has nothing to do with other options requiring a terminal/cli -I’m fine with that. The issue is how much time it takes every time I need to enter a password.

The alternatives don’t let me stay on the page or app I’m in; instead I have to leave the page or app, open some other interface, login/identify with the password manager/vault, find the entry for the specific page/app, copy the username (sometimes the copypasta username step is avoidable) return to the requesting page/app, paste username, leave the page/app for the manager/vault (here’s hoping my login hasn’t timed out), copy passwd, leave manager/vault for the page/app, paste password, login. That’s more or less the workflow of the managers I’ve tried (especially on android).
So I use lastpass -I feel a bit guilty about it, but it works on linux (through firefox and chrome) and android pretty seamlessly (sometimes it fails to recognize an app login request), and the ability to use my fingerprint to quickly unlock my vault means I don’t have to type a 30 character master password every time.
I agree that ‘one point of failure’ isn’t great, I agree that trusting one commercial company to act in my best interest is problematic (doubly so since being bought by a bigger fish with a bad track-record). My biggest issue with lastpass, though -and the reason I continue to try alternatives- is that they aren’t open.
If they shut down tomorrow I’d lose a few bucks (I pay yearly for the premium version) but my passwords are mine -they, at least, let you export your vault.
Before lastpass I tried to have good passwords -I ended up using 4 passwords: super-strong-took-me-months-to-memorize, strong, weak, and ‘i could live with this password being made public’. Today any site/app I use that wants a password gets something decent generated by lastpass -I rarely think of them and they’re mostly never seen by me in plain text. Every now and then I export my vault to a local backup.
I will happily jump ship when a useful (to me) f/oss solution is available. I like lots about their product, I pay them, I suggest them to my family -but I’m not loyal. When a f/oss solution comes along -it doesn’t even have to match lastpass’ usability -if it comes fairly close I’ll jump.

Can you say why? Is it to reward them for a good service, or because you value the sync capability, or something else?

I’m content with just using the builtin password manager in Chrome and Firefox–the other stuff sounds like too much of a hassle to set up. The thing that really annoys me are the one or two websites that refuse to work with them and I have to do the whole copy/paste thing :grimacing:

As a LastPass premium subscriber (for sync), my thoughts mirror VXXii’s. While I’d like it all to be FOSS, I’m willing to sacrifice some security for a lot of convenience. It’s a compromise for sure, but the alternatives all seem to have the extra steps I do not want to use on an hourly basis. I try to use 2-factor authentication as often as I can (I use Authy for the same reasons I use LastPass), but other than Google and a few others, 2FA is not commonly implemented it seems. And by the way, how is it possible in this day and age banks like Chase allow only max of 12 (or maybe 20?) character passwords, without special characters and no 2FA? C’mon bruh.

I had the same issue. I tried to switch away from them for years, though the logmein purchase finally tipped me over. Look at my post regarding pass. If you use Linux (I think it works on Mac too), try the dmenu/rofi script. I honestly like it better than the browser integration for lastpass. It’s fast and convenient and I get the satisfaction of using my own security and syncing with gpg and git.

It’s so you can sync to mobile.
