Let’s play a game. Here are some grep results. Can you guess the search term?
Here are some more. Try to guess the search term again:
Neither were too hard, right? Here is where I confess it was a stupid game (and not simply due to priming issues or WordPress’s apparent inability to display images without resizing them): The point was to demonstrate a difference in speed that you are likely unable to even detect–but that doesn’t mean it’s not important. Your eyes were guided immediately to the blinking text, because out on the savanna, your ancestors cared more about whether or not a lion was charging than they did the color of its mane.
Yet, upon learning of my liberal use of the terminal blink attribute–interestingly enough, the only text attribute more or less exclusive to terminals–a co-conspirator scoffed: “Ew.”
Such emotional responses hold back otherwise better programmers. Perhaps this particular person should have chosen a walk of life less demanding of rationality. Regardless, what this person did not realize is that good trains of thought require minutes to get going but only milliseconds to derail–and being able to find the exact text you were looking for while largely coasting on muscle memory is a godsend. The blink attribute helps tremendously toward this end–and not simply with $GREP_COLORS, either… though I do welcome you to begin by placing the following in $BASH_ENV (a more appropriate location than ~/.bashrc) or the corresponding location for your shell of choice:
Congratulations. Whether you intend to or not, you are about to stick it to the man–or at least two of his most prized servants. Perhaps you fall into some of the following categories:
Intolerant of non-consensual sphincteral expansion
Ironically, the latter quality will bite you in the ass if you start off on the wrong foot. The purpose of this article is to provide basic insight and practical tips on how to make yourself comfortable in your new home–because that’s what it is. You are away from your Windows or Mac home for the first time, and things are different. Accepting this is your first step.
A Linux distribution is three things:
An interface to the world’s Free software, called a repository
An interface to that repository, called a package manager
The code is out there, waiting for people to use it. The kind folks responsible for Debian and other such distributions simply make that code more readily available to users. Naturally, this changes…
In Windows, software installation generally involves downloading software from either its home page or c|net, Tucows, and other such mid-to-late 90’s software portals. Do not do this in Linux.
In Linux, use the package manager to install software from the repository.
Choosing a Distribution
As illustrated in an aforementioned link, Linux offers too many choices. You may recognize this plethora of choice as an opportunity to express yourself in superficial yet self-satisfying ways.
Such distributions seem fun at first, but unlike that holiday sweater you bought for last year’s company party, your distribution is an outfit you wear every day. Choose a beginner-oriented distribution with a large and supportive community that offers a comprehensive and relatively up-to-date repository. Distributions that fulfill these criteria include:
Write a live installer of your chosen distribution to a bootable USB data drive. The Windows program most commonly used to do this is called Rufus and may very well be the last piece of software you install the old-fashioned way.
Plug the USB drive into your computer, reboot, and enjoy. Your computer now runs Linux, and you haven’t even installed it. Your underlying system–files and all–remains untouched. If you like what you see, reference your distribution’s official installation guide in order to take the plunge:
Your computer likely requires user intervention in order to boot from USB. Look for a message shortly after powering on, something to the effect of: “Press ____ to enter boot menu.” If you do not see such a message, try F1~F12 and Delete.
Traditional installers sometimes succeed, even when live installers present errors.
Hierarchy of User Experience and More Seasonal Analogies
Screenshots of distributions mean nothing. Ignore them.
As mentioned, a distribution is three things–only one of which has any effect whatsoever on the screen in front of your face (and even then, only when managing software packages). Otherwise, a distro is like Santa Claus. It lives in your heart and brings you fun toys, if you are good and install from the repos.
Rather, screenshots show programs, the vast majority of which are common among all Linux distributions. What most people think of as an “operating system”–the start menu, the control panel, the little clock in the corner–is actually a collection of programs called a desktop environment. Linux offers many desktop environments. Each of them is a compromise between resource usage and wiping your ass without you having to ask. In order from most to least wiping, they are:
For even more efficient usage of system resources, experienced users sometimes opt to install only certain components of desktop environments. Technically, the only necessary component is the “window manager”.
Laptops manufactured in small runs sometimes have issues running Linux out of the box. Experienced users can sometimes help (as can including specific hardware models in online searches).
System updates in Linux are heavenly, as they tend to make your system faster. Update often.
Migrating your setup to any other Linux distribution (or even BSD) involves little more than copying your home directory.
Expunge from your head the concept of a “clean install” every year or so, when things “get bogged down”. Your new home does not need it.
Linux is easy.
Summary of Steps
Accept there will be differences.
Ignore distribution screenshots.
Run a live installer off a USB drive.
Install software from your distribution’s repository, not “the Internet”.
Remove the sphincteral expanding device from your personal cavity, and place it into the cavity of Bill Gates and the grave of Steve Jobs.
Makepkg says to verify the key 449190F3235ABD3B. I decide today is the day I stop relying on --skippgpcheck. Wonderful.
From $HOME/.makepkg.conf, I set $GNUPGHOME to a freshly created gpg directory (as there are different kinds of “trust” in the world, and mixing personal keys with makepkg keys confuses two separate kinds). This feature is not documented in makepkg’s man pages, but a contributor to makepkg mentions it here. I then run gpg --search-keys using my original $GNUPGHOME because hey, all it does is search, and something may very well be missing from the new $GNUPGHOME. Gpg, however, gives an error about dirmngr not running. I check dirmngr.conf. I try $( gpg-connect-agent --dirmngr ). “IPC connect call failed.” Fine, that’s another problem. There are still options, though, and I step over that rabbit hole.
I decide to verify the key manually, searching the PGP public key server at MIT. That’s a pretty big one, right? Sorry, the key is not there… All right, let’s try SKS. After all, that one is recommended in the GnuPG FAQ! That counts for something, right? “No results found.” Okay… I’ll just search for the key ID using a regular, Internet search engine.
DDG returns one result, and this link isn’t even it. Fine… perhaps DDG is small-time. Perhaps their web crawlers run on bread-powered ducks. Whatever. I seek the help of a multi-billion dollar corporation, which provides five results! The first is the same result from DDG! The remaining four are two copies each of the very signature error I foolishly thought, earlier this morning, that I could resolve through mere perseverance and rational protocol. These results were posted not by humans but by logging utilities.
Most importantly, do you honestly care at this point? The listed user has “debian” in his name. I can trust that, right?
Verification in AUR Land is security theater. It is not real security, because it is not feasible. Knowledgeable users may respond by pointing out PKGBUILD’s validpgpkeys, but aksr (the uploader) is just a regular user. Why should I trust him? Because I want to view PDF files with vi-like controls, that’s why. Such baseless trust is tantamount to --skippgpcheck, the very option that will earn your relay-chatting buttocks a paddling in #archlinux.
I pity the people who spend as much free time as I do, wrestling imaginary monsters, and I apologize to the fine citizens of the Netherlands for implying their municipalities deserve anything less than international renown.
# This file demonstrates ALSA configuration for a loopback device that simultaneously saves both input and output. Thanks go to debianuser from #alsa on the Freenode network for providing guidance.
Edit: Security features described below have since been incorporated into mutt as the mailto_allow directive.
It’s time to configure your web browser to open mailto links using mutt. You know you want to.
You also know it’s going to be tricky, as mutt is a command-line program, and command-line programs are like appliances that refuse to die. They work well but don’t match your cupboards from IKEA made from particle board. Still, mutt has a nice trick up its sleeve: It can process mailto arguments on the command line.
The solution is to wrap mutt in a script that parses mailto links. Whitelisting the valid attributes has the added benefit of heightening security, as potentially malicious attributes are automatically discarded.
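A wrapper of the kind described, as an added example that is not the post’s own script: it parses the mailto: URL, keeps only whitelisted fields, refuses CR/LF in anything that becomes a header, and builds mutt’s command line. It assumes mutt’s -c, -b, -s and -i options, that mutt’s getopt-style parsing honours “--”, and that the browser hands the whole URL over as the first argument.

```python
"""Added example, not the post's wrapper: hand a mailto: link to mutt, whitelisting fields."""
import subprocess
import sys
import tempfile
from urllib.parse import unquote

ALLOWED = {"to", "cc", "bcc", "subject", "body"}  # RFC 6068 fields mutt may see

def parse_mailto(url):
    """Return (fields, dropped). '+' stays literal, as RFC 6068 requires."""
    scheme, _, rest = url.partition(":")
    if scheme.lower() != "mailto":
        raise ValueError("not a mailto: URL")
    path, _, query = rest.partition("?")
    fields = {"to": [a for a in unquote(path).split(",") if a]}
    dropped = []
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        key = unquote(key).lower()
        if key in ALLOWED:
            fields.setdefault(key, []).append(unquote(value))
        else:
            dropped.append(key)  # e.g. an attachment field: never forwarded
    return fields, dropped

def header(value):
    # Refuse CR/LF: a newline inside -s or an address could smuggle in headers.
    if "\r" in value or "\n" in value:
        raise ValueError("control character in header field")
    return value

def mutt_argv(fields, body_file=None):
    """'--' keeps an address beginning with '-' from being read as an option."""
    argv = ["mutt"]
    for addr in fields.get("cc", []):
        argv += ["-c", header(addr)]
    for addr in fields.get("bcc", []):
        argv += ["-b", header(addr)]
    if fields.get("subject"):
        argv += ["-s", header(" ".join(fields["subject"]))]
    if body_file:
        argv += ["-i", body_file]  # mutt includes the file as the message body
    return argv + ["--"] + [header(a) for a in fields["to"]]

if __name__ == "__main__":
    fields, dropped = parse_mailto(sys.argv[1])
    with tempfile.NamedTemporaryFile("w", suffix=".txt") as fh:
        fh.write("\n".join(fields.get("body", [])))
        fh.flush()
        subprocess.call(mutt_argv(fields, fh.name if "body" in fields else None))
```

Register the script as the browser’s mailto handler; the dropped field names are returned so a caller can log what a page tried to pass along.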
In an uncharacteristic move, I type now not to my future self but to the entire world. The importance of my announcement justifies this decision: If you use LastPass, your conception of security is wrong. Expert knowledge is not necessary to understand why, and the only postulate to which you must agree is that of chains only being as strong as their weakest links.
I do not use LastPass, though I consider its accessibility and ease of use a boon to the security ecosystem. I even recommend LastPass to others (family and friends with little inclination toward computers, for example). In recommending LastPass, I do not reveal that its foundation is flawed. Such knowledge is irrelevant to the people to whom I recommend LastPass, as these people are not able to customize their window managers. If you are not able to customize your window manager to the point of emulating keypress events from menu items, the remainder of this article will be of little use to you. If, on the other hand, you are, we will be using the following tools:
The window manager’s main menu is opened, and the password menu (P) is selected. A category is chosen (A), followed by the actual item for which a password is retrieved (A). The final item is an encrypted password file that is decrypted by GNU Privacy Guard, with the resulting password output by xdotool to whatever program currently accepts input. Already, we have uncovered three advantages over LastPass and friends…
Works with any program, not just with forms displayed in web browsers with password plugins installed.
Fewer entry points. Fewer links in the chain lower the chances of one being weak (the unknown unknowns).
Customizable and extendable.
… and one quality that LastPass would like to claim as a disadvantage:
Limited to terminals with access to encrypted password files.
I claim this as an advantage, because once again, I know that chains are only as strong as their weakest links. Today, it is raining outside. I look outside, and I see clouds overhead. My neighbor sees the same clouds. My neighbor might think those clouds can hold critical documents, but I keep mine locked in a file cabinet in the basement. This is not an issue of trust so much as one of common sense and convenience–because the file cabinet is closer, and tomorrow could very well be a sunny day.
Then again, the whole point of having clouds hold documents is for people to be able to go one town over and still see those documents hanging in the sky. I have had enough of this analogy. If you require access to a critical document on a terminal that you cannot trust to store an encrypted password file, you are managing passwords wrong. Use “12345” for those. They are not secure, and no quantity of helmets will protect you from sharks while diving. I am an analogy machine.
Critical documents should only be accessed from terminals you are able to claim as your own. You might think you need your online banking password available on any computer with Internet access, but I bet you could count on one hand the number of computers you actually use. Send money, record secrets, and store nude photographs on your own computers, not on some cloud on a cloudy day.
Then when you have separated cruciality from “12345,” make some noise:
uCount=5    # how many passwords to generate (assumed value; the post does not set it)
uLength=32  # random bytes per password (assumed value; the post does not set it)
for (( u = 0 ; u < uCount ; u++ )) ; do
    # Output is concatenated to maintain continuity of demonstration.
    # For the real deal, use gpg's --output option and forgo looping.
    gpg --armor --gen-random 2 "$uLength" >> /mnt/hdd_not_ssd/entropy.txt
done
Look at the randomness. These are your passwords. Break them into variable-length chunks, and store them in files. Don’t let your editor back them up, and remember that extra caution during the setup procedure lasts forever:
echo "set nobackup" >> ~/.vimrc
echo "set nowritebackup" >> ~/.vimrc
# Saved to these:
Gnome-keyring, python-keyring, and libsecret would only be redundant links in your chain. Do not bother assessing their strengths, because they are superfluous. Instead, concoct a good master passphrase and generate a key from GNU Privacy Guard:
Finally, output passwords through your window manager, using xdotool. Though this link is arguably stronger than even physically typing a password on a keyboard, it is still the weakest in our short and sturdy chain:
When you’ve memorized your master passphrase, adjust time-to-live settings for its prompting. The following settings will make gpg-agent require master passphrase input only once per day–not as often as it should, but I have little faith in you. Specify in seconds:
You can also force re-prompts for any subsequent password accesses. This is good to do before leaving your computer unattended. Make this command accessible. Mine is never more than four keystrokes away (the “R” item in the animated demonstration). It is a good idea to force a reprompt on system idle and sleep events, as well:
echo RELOADAGENT | gpg-connect-agent -v
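The retrieval end of that chain, as an added example that is not the post’s own script: it assumes each password sits in its own gpg-encrypted file, that gpg, gpg-agent and xdotool are installed, and that xdotool’s “type --file -” reads from stdin. chunk_passwords is one way to cut the gen-random output above into the variable-length passwords the post describes.

```python
"""Added example, not the post's own script: the retrieval end of the chain above."""
import subprocess
import sys

def chunk_passwords(armored, lengths):
    """Cut one run of `gpg --armor --gen-random` output into variable-length
    passwords; armor line breaks are removed first, leftover material is unused."""
    raw = "".join(armored.split())
    out, pos = [], 0
    for n in lengths:
        if pos + n > len(raw):
            raise ValueError("not enough random material for the requested lengths")
        out.append(raw[pos:pos + n])
        pos += n
    return out

def retrieval_chain(path):
    """Two links only: gpg decrypts the file, xdotool types the result. The
    secret crosses a pipe, never argv, so `ps` and shell history never see it."""
    return [["gpg", "--quiet", "--decrypt", path],
            ["xdotool", "type", "--clearmodifiers", "--delay", "30", "--file", "-"]]

def type_password(path, run=subprocess.run):
    """Decrypt `path` (gpg-agent prompts for the master passphrase if its cache
    has expired) and type the password into the focused window. `run` is
    injectable so the chain can be exercised without gpg or X present."""
    decrypt, typer = retrieval_chain(path)
    secret = run(decrypt, capture_output=True, check=True).stdout
    secret = secret.rstrip(b"\n")  # a trailing newline would press Enter for you
    run(typer, input=secret, check=True)
    return len(secret)

def force_reprompt(run=subprocess.run):
    """Flush gpg-agent's passphrase cache, as the post's RELOADAGENT line does;
    bind this to idle/sleep hooks or a menu item."""
    run(["gpg-connect-agent", "RELOADAGENT", "/bye"], check=True)

if __name__ == "__main__":
    if sys.argv[1:] == ["--lock"]:
        force_reprompt()
    elif len(sys.argv) == 2:
        type_password(sys.argv[1])
    else:
        sys.exit("usage: getpw.py FILE.gpg | getpw.py --lock")
```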
… and that is the optimal convenience you can get out of a truly secure password management system. Password entropy is high; password retrieval is convenient, with the master passphrase only required as often as configured; lastly, the chain of software from password request to password retrieval is as short as feasibly possible.
… and I didn’t even mention LastPass being closed-source as a deal-breaker from the get-go.