2023-06-11

Okay.. Setting up MFA

(2FA is just MFA where "multiple" == "two")

Have you got your FaceBook page up?

1. Click on your profile picture -- top right in English, North America. A menu will drop down.

2. You'll want to click on "Settings & Privacy" with an angle bracket to the right. Clicking it will produce another menu.

3. You'll want to click "Settings" and that will lead to a page titled "Your Facebook Information". If you haven't been here for a while, you may get a pop-up window telling you that account security management has been moved to a Meta page.

4. On the left of "Your Facebook information", under "Settings", there's a "Meta Account Center" (mis-spelled because of course this is an American page, not a Canadian one -- it's called "Centre" up here) with an item called "Password and security". Click on that.

5. Annoyingly, the result will look like you're Starting All Over Again...<sigh>

6. And again, on the left, there'll be a "Password and security" item. Click it. (Didn't I click that already?)

7. And now, on the right there's a Two-factor authentication item. Click on that. With Meta, you may need to choose between a Facebook and an Instagram account. (Remember. Computers are stupid. They're the idiots here, not you)

8. If you don't already have it set up, Meta will probably ask you to do 2FA through SMS messages (text) on a cell phone first. Go ahead and follow the steps.

Choose a cellphone that you have exclusive use of, if you can. If you can't, I hope it's held by someone you can trust. Enter the cellphone and when you get the text message, enter the number in the browser.

9. Then go back into the 2FA selection and choose the app.

10. Fire up the app on your phone and choose "Scan a QR Code".

11. Back on the computer, when Meta gives you a QR code, scan it with your phone and a 6-digit number will start being generated on your phone (whenever you need it).

12. Enter the "current number" (you'll have a minute after the next time it changes) in the field on the web site.

13. Then, make sure Meta wants to use the app, not SMS to your phone going forward.

There. You're done. There were more steps there than I thought there would be (or in all honesty, more than I think there should have been) but it wasn't that hard, right?

Can you do the same thing in gmail? It'll start with the "Gear" icon and choosing "See all Settings" but I'll leave the rest for you to discover and feel accomplished for yourself.

And now it'll be just that little bit harder for someone to take over your account. You won't be able to prevent someone from choosing a name like yours on Twitter or Facebook, but your. own. account. is just that much safer than it was.

One last thing. Can you pay it forward? Maybe you know an elder or other person with practical challenges who could be helped with this?

But now this is out there and maybe when someone else does the google search, they'll find my explanation, and maybe it'll help in a more generic way than any one web site's explanation. 🧵4/4

(click older to get parts 1 to 3)

One more thing first...

Every online tool you use does MFA slightly differently -- that's the first bad news. It means I can't say "just do this", "just do that" and it'll explain for all times.

But it's not that bad. For one thing, the mechanisms are all pretty similar. Once you know one, you'll have a hint when you get to the other ones. That's good news.

Even better... as multiple services consolidate -- something I'm not really happy about but there are upsides -- there's a certain uniformity the services gain so that if you know how to do it in one service by, say, Meta, you'll know how to do it in another of their offerings. That's even better news.

And yet... online services are constantly looking for ways to "improve" their web pages, not realizing that change is a downgrade by default -- until we find the new places things have been stuck -- and that can be bad news.

All that is to preface my instructions and justify their sketchiness. What I'm describing is Summer 2023 on Facebook, on a desktop. There's a difference here between my preference and my wife's. She does everything on her phone. I do everything on a laptop/desktop. I view things on a phone but most of what I do is on a desktop.

You can do all these things on a phone, too, but maybe the first time you'll want to do this on a computer? If you have one, great.

If you don't, maybe your public library is a good option? Ask them before you try, "How sure are you that my credentials are safe if I enter them on those computers?" Librarians are cool and if you press a bit (respectfully, remember) and there is a problem, they'll crack and may suggest a better local option.

If they're firm that there's no problem, there's no problem, at least not in most western countries. Remember, these are the people who resist book bans. Let me say it again in my best Henry Winkler voice: Librarians are Cool! 👍 (Leather jacket extra, motorbike? I prefer my pedals)

When it comes to doing MFA, you'll find it easier to do on a desktop regardless. We did one MFA for my wife on her phone and switching from one app to another was a bit tricky. It was possible but took a few tries. We did the next one on a laptop and it was a lot easier, switching from one device to another instead of switching from one app on the phone to another.

Have you got your FaceBook page up? Bring it up and click newer. 🧵3/4

(click older to get parts 1 and 2)

What is MFA?

Wait a sec. What on earth is MFA? That's short for Multi-Factor Authentication and the quick answer is the entrance to Edna Mode's design studio.

Did you see? Watch it again. How many factors did Edna verify against? Watch it again and watch for these points:
  1. 0'04": she entered a password
  2. 0'06": she offered a handprint
  3. 0'08": she offered a retinal scan
  4. 0'10": she offered a voice sample
  5. 0'14": she acknowledged Helen (Elastigirl) Parr's presence
That's. Too. Many. Factors. for you but it demonstrates the point, right? Especially when you remember that once she's in the door, into her studio, MFA never bothers her again.

For you, when you first log into your social media with MFA on your phone or your computer, you'll have to enter one more thing. Once you're there, you'll probably have to log out in order to be challenged by it again. The other time would be when you change your password. Do you change your password now and then? My employer makes me change certain passwords regularly. Personal accounts tend not to insist on it but, if you can come up with a way to NEVER forget your new password, you may want to change passwords periodically.

Oh, and yeah... you're not using the same password for all of your social media, are you? You are? Well, there's a reason to do some password changing right away after all then. It's obvious, right? If you use the same password everywhere, an attacker who cracks your password in one place gets an entrée to all your accounts, right?

If you want the background, if enough people want a background, I'll try to add that later.

Otherwise, why not arm yourself now? Click newer to find out how. 🧵2/4

(click older to get part 1)

Help! My Account Has Been Hacked!

Many too many have stood where you stand.
Too many more will stand here too.
I hear your account's been hacked,
you've had to change your name
Build your contact lists again. (with apologies to Genesis - Many Too Many, 1978)

This hasn't happened to me --- yet. But I've been doing something I thought everyone knew about and I think it's helped prevent it. And yet, when my wife mentioned the lengths a friend of hers had to go to, in order to move heaven and earth to convince some social media site that, yes, yes! I really am that person! someone stole my account and I want it back! I turned to her and said, "Did she have MFA?"

She said, "I don't think so. How do I do that, anyway?" And I realized that I'd probably let her down on this one.

"Wait a sec," I said, "You have MFA don't you?" I'm geeky enough, we've been together long enough that she knows what MFA is, but she hadn't figured out how to do it for herself. Other things got in the way before now, but today, those were put aside for about 30 minutes and I made sure she had MFA on all her accounts and understood how to use it.

It's not hard and all of you, my neighbours, deserve to have the same protection for yourselves (and it's REALLY not that hard to do).

There's a community I'm a part of, attached to a weekly youtube rant with graphics, song parodies, guests, open source intelligence deep dives (you know who you are) -- you can't "just believe" everything they say (there are a couple of points on which I disagree with them or at least have my strong doubts) but they're a tribe I don't mind hanging with (@the_five8) though I'm pretty stodgy in a bunch of ways compared to them. Recently, several of them have changed their names several times, so it's made me wonder if either:
  1. this MFA thing isn't as effective as I thought (and I've been lucky) OR
  2. this MFA thing isn't as widespread as I thought
Adding MFA to ALL your accounts is, like, so 90s or 00s, you know? Oh. You don't? Oh yeah. I'm a geek, a nerd. Worn with pride but sometimes I miss the implications.

Some of the OSInt people on the Five 8 have really angered a few people. One of them (not one of the hacking victims) has had to leave home, never to return until the local powers that be are no longer mobsters who'll cause injury or death if a return is ever attempted. No. I'm not joking. The situation's broad strokes are a matter of public record in credible press reports and other places.

Anyways... another one said, when I poked at the MFA subject, that they had no younger relatives to appeal to for help setting up MFA, so I decided to write this -- a blog thread, if you will. Oh Arthur, that is just so 90s.... and you do threads on twitter! not on a blog... (I don't care. I'll do it this way anyway).

So, what is MFA? click newer to find out. 🧵1/4

2023-05-02

CMAKE and Windows Executables

Make no mistake about it. I LOVE cmake. CMake, git and post-2011 C++ reinvigorated my love for what I do and confirmed for me that whatever development I do, I want it to be in C++, extra marks for cross-platform, and can we be test-driven please? I'm doing all that on my own stuff, which has slowed to a crawl for a variety of reasons these days.

But this week, I bumped into a wrinkle. I needed to deploy an extension .DLL (it's called a .so in Linux, .dylib on macOS) with an installer, and it was working just fine... until I tried to test it on Windows 11, in which case my extension DLL just plain failed to load.

I speculated about what new thing on Windows 11 might be causing my problem. Was it some "property" -- no fiddling with icacls that I could do seemed to fix it. Overnight that night, I woke up thinking, "no, it's not that, it's something about the code underneath." What? I thought. Like C++ and depending on the STL? So I implemented my way around that (which was fun), ran it as a test DLL and everything seemed to work. I put the result into the build system and the DLL from there wouldn't load any more than my first attempt. Poring over the compile commands, comparing the Visual Studio-produced build properties with those generated from CMake, exposed some odd differences but nothing that looked dispositive.

The link switches, though, that was another question entirely. The CMake-generated version was showing /SUBSYSTEM:CONSOLE in the link parameters; the Visual Studio created one was showing /SUBSYSTEM:WINDOWS. Google did NOT lead me to where I wanted to go easily. Instead, I found stale articles from 2008 (with no answer) and conflicting advice on StackOverflow. A co-worker pointed to an article that said to specify something in the add_executable command inside CMake. Only... I was writing a DLL (add_library) and there wasn't the same option there. I did find one article that suggested a way to do it: the resulting DLL did indeed work on Windows 11, but it struck me as clunky, so I pushed a little harder on it and produced a one-line solution.

So, just to make sure I wasn't swallowing a horse unnecessarily (the STL free code that I wrote when I thought that was the problem?), I tried the same solution on my original code -- and it worked! So I had fallen prey to two sets of red herrings, not just one.

And so. I present here a formula, in one place, for forcing any EXE or DLL to be compiled for /SUBSYSTEM:WINDOWS, because sometimes that's just what you gotta have.

For an executable, add "WIN32" to the add_executable command where you create your target, as:

add_executable(${target_} WIN32 .... )

For a Dynamic Link Library, add the line

set_target_properties( ${target_} PROPERTIES LINK_FLAGS "/SUBSYSTEM:WINDOWS")

You may also find this useful -- to prevent your DLL from reaching out and including other DLLs on systems where they aren't already installed:

set_property(TARGET ${target_} PROPERTY MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
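
The settings above combined in one CMakeLists.txt, as an added example that is not from the original post. The project, target and source file names are placeholders, and it assumes the MSVC toolchain with CMake 3.15 or later, the first release in which MSVC_RUNTIME_LIBRARY has any effect (policy CMP0091).

```cmake
# Added example. subsystem_demo, my_app, my_extension and the .cpp names
# are placeholders, not names from the original post.

# 3.15 is the first release that honours MSVC_RUNTIME_LIBRARY (policy CMP0091).
# With an older minimum version the property is accepted but silently ignored,
# and the DLL keeps depending on the redistributable runtime DLLs.
cmake_minimum_required(VERSION 3.15)
project(subsystem_demo LANGUAGES CXX)

# Executable: the WIN32 keyword makes the MSVC linker use /SUBSYSTEM:WINDOWS.
# The program must then provide WinMain instead of main.
add_executable(my_app WIN32 app_main.cpp)

# DLL: add_library has no WIN32 keyword, so the linker switch is set by hand.
add_library(my_extension SHARED extension.cpp)

if(MSVC)
  # Guarded so that GCC/Clang builds on other platforms never see an
  # MSVC-only linker switch.
  set_target_properties(my_extension PROPERTIES
    LINK_FLAGS "/SUBSYSTEM:WINDOWS")

  # Link the C/C++ runtime statically (/MT, or /MTd in Debug builds) so the
  # DLL loads on machines where the Visual C++ redistributable is absent.
  set_property(TARGET my_extension PROPERTY
    MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
endif()
```

To confirm the result, `dumpbin /headers` on the built DLL reports its subsystem, and `dumpbin /dependents` lists any runtime DLLs it still imports.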

Simple solution and now, hopefully, it'll be easier for me (a) to remember it or if not (b) to find it when I need it again... okay google?

2022-04-22

ansak-string, ansak-lib and packaging sqlite

Six years ago, I went for a holiday with my wife, just the two of us -- pretty much the first such holiday (measured in weeks, not week-ends) we had taken since our first child was born. It wasn't off to some sun-soaked beach -- we've never been that kind of couple -- but we had a wonderful time, camping (not glamping), hotelling, time-share-condo-ing, eating out etc. Along with spending time together, we each did some of "our own" things, too, together in silent (or not so silent) companionship and not. I spent a bunch of time reading, some time biking and some time writing software. Like I do for work. Only this time, it was for me. I joked to myself that I was prepping for a "retirement project" and maybe I was. We'll have to see how that turns out but for the moment, I had a lot of fun.

When I got back, in talking about it with a colleague, I immediately got side-tracked: his response regarding one part (a simple API for re-encoding strings between wide and narrow) was, "Oh! we need that. Can you package it?" So, I made some modifications to the repository, and to the CMake script to enable that -- a lot of it was sequestering away everything but the string library so that all they got was what they really wanted. And so I discovered, that even for my own software, if you're not careful, a long line of "yaks" will show up in need of "shaving". It took over some of my free time for awhile but I was able to deliver something they could use, and then nothing more came of it. Some work-churning that followed diverted me still further and it took awhile to get back to it. But this month, I think the yak-shaving has come to something of an end.

I could spend some time describing the different yaks, but I want to point out a yak-razor-forge that I designed for myself, that took care of a bunch of them, and could be useful to others. About six months ago, I asked my brother (a network tech, not a developer) to try my stuff out. His first response was, "why can't I ./configure, make, and make install it?"

That "ancient" paradigm of "download -- ./configure -- make -- make install" has served open source projects well for deployment, at least for the consumers of the tarballs constructed to be deployed that way. For producers, especially those of us who came to it later in the game, the autoconf and automake tools that support it are bewildering. Learning to use them well, and then using them repeatedly for oneself can be daunting. And then, it's not even much good on a non-Cygwin, non-msys2 Windows environment. But the paradigm, for the end user at least, is wonderful.

The kind of code I was writing was platform-independent C++11 (and I'm loving the continuing updates) with few package dependencies on other things, so a full autoconf/automake approach was wrong-headed anyway. Yet, for deployment on Linux, MacOS, Cygwin and msys2, the result of such an approach made a lot of sense, even if one arrived at it by other means. So I wrote my own minimal configure script that determines the platform, chooses a few defaults for things and then writes them into a file that the Makefile includes.

The Makefile is very simple, mostly a cmake dispatcher, as that was one of my early choices. By the way, if I am missing out on a better cross-platform meta-build system, somebody please tell me? So far cmake is making my life very easy and making me feel smarter than I really am every time I poke at it.

But on Windows, not even a marginally good GNU make is available by default, or where it is, it doesn't interoperate well with other parts of Windows, to my knowledge. As for the end result, there really isn't a "standard place" to put 3rd party headers and libraries -- at least to my knowledge and in wide-spread use. So, I decided to use a default prefix (and allow it to be over-ridden) of C:\ProgramData -- it seemed an easy call to me, and I have seen some feints in that direction. Sub-directories from there of include\, lib\ and bin\ seemed logical, too. And as for a "make" stand-in, remembering Dave Beazley's "Discovering Python" video, the choice there was obvious, too: python. I did give PowerShell a shot on the way there but at the end of the day? No comparison.

Once I'd decided to use python, the choice between python 2 and python 3 was also obvious (for feature-set if not for the Jan 2020 sunset of python 2) but how to make sure of that? And how to run things as, "download -- .\configure -- make -- make install"? So I wrote a configure.cmd that looks for python, makes sure it's python 3 (in a python-version-independent way) and calls configure.py. Before that script completes, it writes a make.cmd file that uses the python 3 that was found for configure.py to run a make.py. That script imports the configvars just produced to influence how it should do what it wants to do -- in the same way as the Makefile does.

On the non-Windows side, by this time, with help from a good friend, I had been using CPack inside cmake to produce tarballs, RPMs, Debian packages and arch ZST files. CPack will also produce NSIS installers automatically, but it struck me that they were aimed at applications, not libraries (and so far, I'm writing libraries). So I wrote my own NSIS installer scripts, too. make package on Windows produces one of those.

After completing the work for ansak-string, I extended it to ansak-lib as well. When I got around to doing the Windows work I ran into another dependency issue. I intend to use sqlite3 (props to D. Richard Hipp for this excellent resource) for my back-end storage and I have some C++ classes wrapping it. Checking for SQLite3's existence at build time is too late. Downloading and "installing it" to where I want it during configure for ansak-lib wasn't hard manually, but the more I tried to accomplish it automatically, the messier it looked. I hit on a cleaner solution: alongside ansak-string (the original shave-off I did for my mates at work) and ansak-lib (includes the sqlite3 C++ classes), I produced a sqlite_msvc_packager that uses the same "download -- .\configure -- make -- make install" cycle.

So there it is: a packaging solution for Sqlite3 and a couple of libraries you might find useful (especially this means of reading files of lines of text -- any width, any ordering -- as though they were lines of UTF-8 text). But even more useful, perhaps is the meta-facility I developed and described above: a flexible way of deploying libraries, either directly (make install) or through install sets -- and Python3 helped me bring it all to Windows, too.

2021-04-05

It's time to turn away from the "Masters" this year

I appeal to all (Canadian sports fans) who think that voting should be easy for all citizens of all backgrounds, ethnicities, identities and back-stories, of all countries, everywhere... Please follow my example and post something like this to: https://www.tsn.ca/help/contact-us form (Click through. I promise it Just Works™)

In solidarity with Georgia (US)'s newly re-suppressed voters, I appeal to your network to black out Masters coverage this year. Remembering the history of the Confederacy, the resonance of "Masters" where slaves once worked around it, where the first re-suppression legislation (of over 300 pieces in over 40 states) was passed, the optics are horrible and as a voice against suppression of freedom, for conscience' sake, TSN should black it out this year.

There's a 500 character limit so this doesn't say everything I would want, but it'll be enough to get the message across. Will you join me? (like the 50 people a day coming in singing Alice's Restaurant) Can we effect this change? I've gotten four "likes" so far on FaceBook but I'll bet that hasn't resulted in more than maybe one or two further posts to TSN.

It's incomprehensible to us as Canadians that any political party would EVER want to keep anyone from voting, but that's what this bill in Georgia was written to do. The governor took it inside a private office with six or eight white men and a cameraman to sign it. He sat at one end of a table with these guys in masks staring him down, beneath a picture of an antebellum plantation.

Meanwhile, a black woman member of the lower house in Georgia knocked politely but firmly on the door calling for the signature to be done in public. It went down like this:

Assemblywoman: Knock! Knock!
Georgia Capitol Police: You're under arrest.

And she was arrested and dragged out, charged with felony obstruction and disrupting assembly business. Think of an opposition MP / MLA / MPP / MNA from YOUR province being dragged away by the cops-on-duty from the Governor General or Lieutenant Governor's residence and charged with similar "crimes". If you don't feel outraged, I question if you understand what representative, responsible government, democratically elected means, or if you believe in it at all.

Three time zones, the whole continental US and an international border away, there isn't much I can do about this, but I can't become comfortably numb about this, and neither should anyone with democratic scruples of good conscience.

So, I'm not asking for money. I'm only asking that you click here and copy-paste the 2nd paragraph of this blog post and hit send. I won't encourage you to do it multiple times, but maybe this is a time to relinquish default Canadian "politeness". Their phone number is 1-833-TSN-HELP or 1-833-876-4357. For me, maybe it's time to try to figure out this Twitter thing and send a haiku to @TSNGolf.

I AM going to cc this to audience.relations@bellmedia.ca, too.

Here's hoping that, it's still true that... you can get anything you want at Alice's Restaurant ... even without 8x10 colour glossy pictures ... This is the colour I've found to try to start a small change. The crayons are free. If I toss you one, will you catch it and add your scribbling to it?

2020-10-22

Strong Encryption with Backdoors: An Oxymoron for Authoritarians

What follows is a model letter for Canadian citizens to send to the Honourable Bill Blair, your MP and the Prime Minister:

Dear Sir:

Regarding Strong Encryption with Backdoors

Once again, a push has been put out there for the development of strong encryption with backdoors, and to our collective national shame, you have signed it.

Do you understand how moronic that makes you appear? You just asked for something more impossible than rain falling from a blue sky, than deriving significant heat from a full moon, than wanting (with conscious reference to 1984) 2 plus 2 to equal 5.

The math. does. not. support. the concept of Strong Encryption with Backdoors. One of the words, "Strong" or "Backdoors" must be removed from the phrase for it to refer to something real. I and others more competent than me have repeatedly told this and previous governments, yet the request keeps coming back. And every time it does, the governments that request it make themselves look foolish and naïve -- or worse. We elect you to be wise and informed, competent and, where your competence does not extend, humble  enough to ask for wisdom from those who have such competence. So requesting this again (and again, and again) is undermining the faith of Canadian citizens in the competence and capability of our government. Do you need me to outline how this undermines our faith in democratically elected government? Not that we would turn toward autocracy but that we would give up and dis-engage, which in the longer term would result in the same thing.

Please, I urge you, to retract your signature from the recent "International Statement: End-To-End Encryption and Public Safety" published at

https://www.justice.gov/opa/pr/international-statement-end-end-encryption-and-public-safety

The presence of your signature there is a signal to all and sundry of your incompetence to speak about encryption at all and it shames all Canadians whether they understand the issues or not.

Only governments aspiring to totalitarian powers would insist on this kind of a policy after being informed by mathematicians and cryptographers of its impossibility. I want to believe that my government's security apparatus does not aspire to totalitarian powers. Please restore my faith on both issues (competence and trustworthiness) that this is the case and rescind your signature.

Sincerely,

make use of it as you will...

2020-09-11

Snap BC election right now? A real leader would say "no"

Posted to FaceBook, by me, via greenparty.ca:

It's Mr. Horgan's option. That's the way parliamentary democracy works.

But this is not the time. Despite the foolish result FPTP delivered in the last election, it's been reasonably stable and is only preventing things widely opposed by most of the voters from occurring. Maybe FPTP would deliver a majority to Mr. Horgan if he were to call an election, but maybe it wouldn't.

Run out your term, Mr. Horgan. Introduce sensible electoral reform, like my own "Regionalized Proportionality", so that future governments look more like the will of the people, where politicians MUST collaborate, co-operate, and submit to mutual accountability -- rather than the Manichean roulette wheel which is the only kind of electoral world that I have ever known in BC.

Then and only then call an election. That's what a real leader would do.

2020-06-29

Can Justin be anti-Racist?

This morning, I sent the following to my Liberal member of parliament. Do you know who your MP is? Are they also a member of the same party? Maybe this is a letter you can forward to them.

E-mails from constituents matter. Many e-mails from many constituents matter more. Many thoughtful e-mails (I tried to be so) even when forwarded with few edits matter still more. We. can. influence. That's what responsible citizenship is about. Look up your Liberal MP's e-mail address at parl.gc.ca and fire it off, too, okay?

Hi <name of your Liberal MP>

<I'm quoting something someone posted on FB but I feel strongly this way, too.> <For what it's worth, my status with regard to First Nations Membership is ... >

I'm calling on your leader, our Prime Minister, to repudiate, disavow and do actual things to reverse the policy embodied in something his father said.

Recently, someone posted on Facebook one of those annoying graphics-with-texts in them. I call them annoying because it means you can't copy/paste the text somewhere else in order to interact with it. But that's okay. I'll type it in here.

The. Rt. Hon. Pierre Elliott Trudeau said, "If you no longer speak your language and no longer practice your culture, then you have no right to demand aboriginal rights from us, because you are assimilated with the ruling power."

The graphic has a split face, on the right is Pierre Trudeau's face, on the left, his son, Justin's.

This would be a good moment for our current prime minister to quote his father explicitly, to disavow and apologize for the statement -- not just as a statement of his father but as of one made by his predecessor in the office he holds -- and pledge now, and act promptly to undo the structures established by the cabinet department whose animus (despite its several-times renaming, rebranding) has often been that echoed by the one time Deputy Minister, Duncan Campbell Scott: "I want to get rid of the Indian problem ... Our object is to continue until there is not a single Indian in Canada who has not been absorbed into the body politic and there is no Indian question and no Indian Department." Even if that kind of policy was meant kindly (I'll allow that he may have thought it was so far as he was concerned, but I'm inclined to doubt it, and it hasn't worked out that way, ever), it's racist and offensive and a piece of our past that must be actively turned away from if only to lend a shred of credibility (and a very tiny shred at that) to our self-congratulation in looking across the border to the south (and their looking across the border to us), to say that on race we're at least not as messed up as they are.

For starters, piles of First Nations communities have not had clean water much longer than Flint, Michigan has suffered under that lash.

"Not a racist" was never good enough, and now we all know why. It's time for even the Canadian Government to start turning towards striving to become anti-racist.

Sincerely,


<your name>

Are you going to?