Reconsidering Lastpass for password storage

Posted by on Jan 22 2020

I recently found out that the 3rd-party password manager LastPass was sold to = for 4.3 Billion USD. This certainly opened my eyes, since I have been a long-time user. I have recommended it in the past, but with the recent sale I have reconsidered. Here’s why.

The first thought is the magnitude of the sale – for this purchase price, one would expect the buyers to try to ensure a return on the purchase. This is only natural, and not always an issue.

However, I do regard passwords as personally identifiable information, and the sale has made me evaluate whether I trust the company enough to let my information pass into the gears of surveillance capitalism. The issue here is being opted in, without my permission, to other 3rd-party operators.

I had a look at the companies that were in the portfolio of the buyers. Many, in fact, looked good, but there was enough there to make me question whether privacy was in good hands.

  1. Evergreen Capital Companies: This looks like the main purchaser of LogMeIn, the former owners of LastPass. They also own the following: Travelport, a travel intelligence company, and Coveo, a business intelligence company. These make me uncomfortable because they can certainly use LastPass data to drive their algorithms and machine learning, and almost certainly with prior permission.
  2. Francisco Partners: https://www.franciscopartners.com/investments – The
  3. Elliott Management Corporation https://en.wikipedia.org/wiki/Elliott_Management_Corporation – described in Wikipedia as a vulture fund. Though vulture funds are not bad in themselves, their portfolio includes an advertising agency and telecom companies, neither of which is an ideal fit for personally identifiable information.

There has been no official announcement on the LastPass website as of yet. Their privacy policy states:

We don’t store personal information on our servers unless required for the on-going operation of one of our services. (For example: If you choose to store login history, we keep login history, if you choose not to, we don’t)

To repeat, there is no indication that Evergreen Capital will ever use your passwords for nefarious purposes; however, I have to trust the company. Since there has been no transparency, the onus is on me to make the decision. And my choice is to move away from LastPass.

500,000 Emails Later

Posted by on Jan 22 2020

This is a story about my inbox. In 2006, a friend invited me to a Gmail beta account. In early 2019, I noticed that I had over half a million emails. By comparison, my combined old Yahoo and Hotmail accounts have roughly 5000 emails between them from active use from 1998-2006. How did this happen? The Google account translates roughly to:

  • 38,500 emails a year (vs 625 with Yahoo/Hotmail)
  • 3,200 emails a month (vs ~52 with Yahoo/Hotmail)
  • 740 emails a week (vs 12 with Yahoo/Hotmail)
  • 105 emails a day (vs 2 with Yahoo/Hotmail)

While I know this glut is not an uncommon experience, I pride myself on my efficiency. How could I seriously consider over 100 emails a day productive? I decided to take matters into my own hands.

I am proud to say that my inbox is now just under 35,000 mails. Here’s what I learned from the experience.

A step back in time

In 2010, I had a colleague who began deleting old emails from his Gmail account. I told him there was no need because he would likely never run out of space. Otherwise he could do some old-school folder filters to categorise things. He just said he needed a clean inbox for a clear mind. I just nodded and left him to it. I thought to myself that he was looking at it backwards. Now, 10 years later, I feel he was on to something.

I had constantly battled to keep my inbox tidy by keeping unread messages at the top. If my inbox had fewer than 20 unread messages, I was at the top of my game. If it went over 1,000 unreads (which happened several times), I would work for hours to get it back under control. For the most part it worked. Until it didn’t.

In the days of my early internet experience (let’s just say 1998-2008) I remember my inbox as a pretty sacred space. I like writing, and if given the option to write or call, I typically preferred to write.

But email had become so habitual: the first thing I do when I wake up. What new mails did I get? Sitting on a bus, train or ferry, yep, emails were my go-to before surfing the net (I am not really on social media; I imagine the noise there is just as bad). The constant checking was an inane practice that wasn’t adding anything, but was taking away time I should have been spending enjoying life. So early last year, I counted everything in my Gmail account (you can do this by typing “in:all” in the search bar). My result was over 500,000 emails.

I started to think of these emails as analogues of pieces of paper. If that were the case, would I keep that piece of paper? I wanted to actually get to the bottom of why I would have so many emails. So over the course of a year I decided to clean up this digital hoard of information.

Sadly, I should have documented the numbers, but it just didn’t seem important at the time, so I have to rely on my potentially faulty memory. Nonetheless, here are a few things I’ve learned along my journey.

User Engagement is socially acceptable spam.

Going from 500,000 to 35,000 is sizable, a 93% reduction. What were those emails I deemed useless? Most of them came under the guise of ‘user engagement’ from e-commerce and social media sites:

  1. Purchase confirmation receipts
  2. Purchase status updates
  3. Delivery updates
  4. Automated newsletter signups from when you bought a product
  5. Alerts from things you did on a website (you just logged in, you have items remaining in your account)
  6. Alerts from what others did on the website (auction bids, others looking at your classifieds)
  7. Social engagements (you got a like, someone wants to connect to you)
  8. Reminders that you haven’t engaged in the service for a while
  9. Reminders of expiring services or renewals
  10. Verification of email or identity
  11. Terms of services change & Policies updates.
  12. Engagements with customer service

Of the above, I want the paper trail of purchase receipts. However, the worst noise came from numbers 4 – 8. I would suspect that 75-80% of my deleted emails came from those. I had 2 simple rules for keeping something in this group:

  • Is it useful for record keeping?
  • Did it add meaning or colour to my life?

For the above, purchase receipts and some customer service engagements were the only ones worth holding on to. It was the second rule that most of the rest failed. It’s highly subjective, but I was going to be brutal. No more noise.

The most noise came from Twitter, Facebook (before I deleted my account) and Google+ (before they deleted their account). These constantly barraged me with engagement from people I didn’t particularly care about. Even after I disengaged or deleted my account, I would still occasionally get notices, but these have now come to a complete standstill.

The most annoying were the coy newsletter and promotional opt-ins: these resulted from missing a pre-ticked box, from a requirement in the terms and conditions, or from simply being opted in without being asked. Among those, a financial advice newsletter I had signed up for was particularly bad: in the course of 10 months, over 2,000 emails were sent about their products, talking heads and sales. I had only signed up for a once-a-month video cast about the financial market. Other furtive opt-ins had accumulated for years, sending 5-10 emails a month and resulting in thousands of emails.

The ones I thought would be worst, eBay and Amazon, were surprisingly benign. While there was a lot of noise around auction or purchase events, it died down afterwards. I think what matters here is that though there was a flurry of emails, they were expected and, at the time, useful. However, there was no need to keep the myriad of bid notices as history, only the winning bids.

Getting rid of unwanted email was surprisingly easy. It was simply a matter of putting the domain in the search box, and then excluding keywords that I didn’t want to match. I used the negative match operator “-” for the types of email I wanted to keep. For example:

from:biffsbargainbarn.com -receipt -"account information"

This would find all the emails sent from biffsbargainbarn.com, and exclude anything that looks like a receipt or account information. You will have to experiment with the negative keywords.

This way, I could select all and delete swaths of unwanted emails to my satisfaction.

More Difficult Decisions

The more difficult decisions were emails that I enjoyed reading. I belonged to Quora, which is a social question & answer website. I found myself spending a lot of time on their emails simply because they were interesting. But what I found is that they were creating an artificial feedback loop. For instance, I had read 2 or 3 articles about the Beatles. Soon enough most of my engagement was around the Beatles. After a while it all felt the same. The problem here was that, as they gathered information on my interests, they couldn’t hold me there because there was little novelty.

This was one of the email types I deleted. I did so because they were a time suck: though interesting and engaging, over the course of years they weren’t meaningful. They were just something that held my attention. So why did I decide to delete these emails?

The decision was made by looking at how I shared the emails. Out of the thousands of emails I got from Quora, I shared 8 articles. When I looked at the articles I shared, half of them didn’t originate from the emails, but were part of other online research I did.

Quora wasn’t the only newsletter I decided to delete; it was just the most significant one. The litmus test was whether I would miss it. As much as it held my attention, I actually don’t miss that email at all.

The remaining 7%

Although it took a good year to get to this point, it has been a great treasure trove of discovery including the first email I sent to my future wife!

  • I’ve found very meaningful emails from significant events in my life
  • I realised emails that I sent to myself, whether links or photos, were far more interesting than nearly all the newsletters I subscribed to. Even ones from 14 years ago are still meaningful to me
  • I’ve been able to reconnect with mates outside of the noise of social media
  • The vast majority of e-commerce emails are noise; hitting unsubscribe was a relief.
  • I’ve moved on from Gmail to a paid, privacy-focused email service using my own domain.
  • I spend less time on email, but the time I spend communicating is more enjoyable.
  • It makes it easier to put down my mobile phone or close the lid to my laptop.

Also, please excuse me now, I am going to call my mum.

Installing a ‘stubborn’ Perl Mod that is not recognised in @inc: HTTP::BrowserDetect

Posted by on Jan 21 2020

I have an old ‘beater’ laptop which I use to try Perl scripts, among other things. I had just installed a very cool mod called HTTP::BrowserDetect. After installing it, I ran this to check and see if it was installed:

perldoc -l HTTP::BrowserDetect 
/home/myusername/perl5/lib/perl5/HTTP/BrowserDetect.pm

Looks good, BrowserDetect.pm is installed. However, when I ran the script, I got an internal server error. So I looked at the Apache error log with tail:

tail /var/log/apache2/error.log
[pid 25664] Can't locate HTTP/BrowserDetect.pm in @INC
(you may need to install the HTTP::BrowserDetect module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.26.1
/usr/local/share/perl/5.26.1 /usr/lib/x86_64-linux-gnu/perl5/5.26
/usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.26
/usr/share/perl/5.26 /usr/local/lib/site_perl /etc/apache2) at
/var/www/testwebsite/public_html/BrowserDetect.pl line 9.
BEGIN failed--compilation aborted at /var/www/testwebsite/public_html/BrowserDetect.pl line 9.

Notice that it didn’t find “/home/myusername/perl5/lib/perl5/HTTP/BrowserDetect.pm” from my previous command: my home directory is not in the @INC list that Apache’s Perl searches. During the install, the installer probably recognised (wisely) that the system Perl is used by my OS, and installed BrowserDetect in my home directory instead. How to fix?

In my Perl script, I placed this line pointing at that folder at the top, with my other ‘use’ lines. This worked! I am sure there are better ways, but this seemed simple and functional:

use lib qw(/home/myusername/perl5/lib/perl5/);

Installing mod_perl on Apache 2.4 Ubuntu 18.04

Posted by on Jan 20 2020

This is quite old school, but if you want to try mod_perl on Apache 2.4 on Ubuntu, here’s how I did it:

First get the modules for Ubuntu server. If you were like me and tried to read the [installation process on the mod_perl website][1], you probably were scratching your head. Luckily it’s trivial to install with just a couple of commands:

sudo apt-get update -y
sudo apt-get install -y libapache2-mod-perl2

Once that is done, just set up the virtual host. Here is an example; just replace <yoursite.com> with your domain, as well as any other directives. For the below, you can easily search and find the meanings of the directives:

<VirtualHost *:80>
    ServerAdmin webmaster@<yoursite.com>
    DocumentRoot /var/www/<yoursite.com>/public_html
    ServerName <yoursite.com>
    ServerAlias www.<yoursite.com>
    <Directory /var/www/<yoursite.com>/public_html>
        AddHandler perl-script .pl .cgi
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI +FollowSymLinks +MultiViews
        PerlOptions +ParseHeaders
        AllowOverride All
        # Apache 2.2-style access control; on 2.4 this relies on mod_access_compat
        # (enabled by default on Ubuntu 18.04). The native 2.4 form is "Require all granted".
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
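To tie the two Perl posts together, here is an added example (not from the original posts) of a script that runs under the ModPerl::Registry setup above and applies the `use lib` fix from the HTTP::BrowserDetect post. The module path /home/myusername/perl5/lib/perl5 is the one from that post and is assumed to be where your local install landed.

```perl
#!/usr/bin/perl
# Added example: a ModPerl::Registry script that loads HTTP::BrowserDetect from
# a per-user library directory and reports what it detected about the request.
use strict;
use warnings;

# The 'use lib' line must come before 'use HTTP::BrowserDetect', because @INC is
# consulted at the moment the module is loaded. The path is the one from the
# HTTP::BrowserDetect post above; adjust it to where your install put the module.
# Note that the web server now executes code from a user's home directory, so keep
# that tree owned by that user and not writable by others.
use lib '/home/myusername/perl5/lib/perl5';
use HTTP::BrowserDetect;

# With 'PerlOptions +ParseHeaders' (see the VirtualHost above), mod_perl turns the
# header lines printed before the first blank line into real HTTP headers.
print "Content-Type: text/plain; charset=utf-8\n\n";

# ModPerl::Registry populates %ENV like a CGI environment, so the request's
# User-Agent header is available here. Running from a shell leaves it empty.
my $ua = $ENV{HTTP_USER_AGENT} // '';
my $bd = HTTP::BrowserDetect->new($ua);

# %INC records the file each loaded module came from. If this shows a path under
# /usr rather than your home directory, the 'use lib' line is not taking effect.
print "Module loaded from: $INC{'HTTP/BrowserDetect.pm'}\n";
print "Browser: ", ($bd->browser_string  // 'unknown'), "\n";
print "Version: ", ($bd->browser_version // 'unknown'), "\n";
print "OS:      ", ($bd->os_string       // 'unknown'), "\n";
print "Robot:   ", ($bd->robot ? 'yes' : 'no'), "\n";
```

Save it as a .pl file under the DocumentRoot configured above; it also runs directly from a shell, where it prints "unknown" for the browser fields but still shows which BrowserDetect.pm was loaded.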

As for why, I happen to like Perl. The web stuff is just for fun, but I’ve used it on my system to parse through large amounts of text files, and it works great.

I know there is doom and gloom about the future of this language. I first heard of Perl’s demise in 2002, when I wanted to try to learn a scripting language outside of ASP. My Java programming mates thought it was a horrible decision: Perl was considered old even then! However, not long after I started digging into Perl, I learned about PHP, and that became what I used for years. So I revisited Perl again, and wow, there is a very, very deep community. A Google search for site:cpan.org yields over 400,000 pages, though I suspect more. Even that archaic [mod_perl][2] was updated just a few months ago.

The Java guys? Not sure what happened to them. But it’s certainly fun to horse around with “Perl again before it disappears completely” 🙂

https://thehftguy.com/2019/10/07/perl-is-dying-quick-could-be-extinct-by-2023/

All your passwords belong to us.

Posted by on Jan 16 2020

Why did I have to learn about Google’s password collection by surprise?

Last year, I found out about Google’s tracking of our purchase history. Yesterday, after reinstalling my email client, my Gmail account was blocked because the client was considered an ‘unsafe’ app.* In turn I had to dive deeply into the issue, and found out that Google now has a password manager.

Yes, we take passwords for granted, but should we trust Google with them?

A password may be deemed a type of personally identifiable information, so moving my passwords off my devices without prior consent feels like hijacking. Google is not a disinterested 3rd party; by holding on to your passwords, it gives them more power to create a walled garden between your life and their corporation. In addition, the cumbersome interface makes it difficult to delete your passwords in Google. Taking a page right out of their purchase history, you have to delete passwords one by one.

I cannot recall specifically how they got my passwords; my best guess is that I occasionally allowed Chrome to store the passwords. I thought these were kept in a local, encrypted file, not in the cloud. I would imagine many of the passwords collected were for sites that would be none of Google’s business.

Their sleight of hand is ever so effective – essentially, “we want to see if your passwords are compromised”. The guise is that Google is providing you a service. The thing is, I never asked for this service, and I already use a password service that checks against compromised passwords.

By storing your purchases, your passwords, and both your digital and physical life, Google is putting all your eggs in one basket. This makes it a slippery slope not only for you, but for them. They say their technology is a step ahead of external bad players. But what about internal ones? A single disgruntled employee can make decisions that are harmful to many. A single bad management decision can effectively bring the online world to its knees.

They can afford millions for lawyers and a public relations team, but what would happen if the keys to your kingdom were handed over to thieves? Let’s hope Google never drops the basket or gives it to the wolves.

What to do next?

Here’s where you can see your passwords: https://passwords.google.com/. Deleting is cumbersome: there is no “select all” to delete, and in addition you have to contend with the ‘are you sure’ popup.

Here are independent 3rd-party managers that can serve as alternatives to Google’s password manager.