You Should Enable Two Factor Authentication by Yesterday

For example, if I want to log into my GitHub account, which uses two factor authentication, I need to provide both a password and a six digit code. Using two factor authentication makes it a bit harder for hackers to gain access to your account even if they were able to get your password, since the second factor is needed to verify the login request.
Now that we know what two factor authentication is and how it helps, let’s explore the options.

Option 1: One Time Passwords via SMS

The most common is getting a one time password (OTP) sent via SMS whenever a login is requested. The good thing about this option is that the password is unique each time it’s generated, meaning that once it’s used, it becomes invalid. While the OTP via SMS option is simple to get going and it’s better than not having TFA, it has many downsides. A practical downside is that you won’t be able to get the OTP when there’s no phone reception (like when you’re travelling), and you have to give away your phone number, which could bring about spam. Also, it’s possible for your phone number to get “stolen” through social engineering, such as an attacker tricking the cell provider into terminating your SIM and giving the number to the hacker. This happened to some prominent YouTubers last year, such as h3h3, LinusTechTips and boogie2988, where poodlecorp was able to access their channels and deface them, with help from “Forgot Password” and overwhelmed customer support.

Option 2: Time-based One Time Password (TOTP)

Given the limitations of OTP via SMS, a step up would be to use a Time-based One Time Password, or TOTP. TOTP combines the current time and a secret key to form a temporary code needed to access an account. TOTP codes are typically managed in an authenticator application, such as Authy or Google Authenticator. Since they work off time rather than an SMS, they’re much more convenient. Also, authenticator applications are much harder to spoof. They aren’t perfect, however. Given how TOTP is time based and clocks don’t always line up perfectly, TOTP codes usually last longer than their supposed expiry time to ensure things work. Also, if the secret key used to form the code were to be leaked, the TOTP code can be calculated by whoever holds it.
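To make the "time plus secret key" idea concrete, here is an added Python example (not code from the post or from any authenticator app) that derives a TOTP code the way RFC 6238 does and checks it server-side. It uses the RFC's published test seed, so the output is verifiable; the ±1 step tolerance in the verifier is an assumption, chosen to show why a code outlives its nominal 30 seconds.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code, the usual authenticator-app setting
DIGITS = 6

# RFC 6238 reference seed ("12345678901234567890" in base32), used here only
# so the output can be checked against the RFC's published test vectors.
# A real account secret is generated randomly by the service.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit number and reduction to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Only the secret and the clock go in; no network round trip is needed."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                skew: int = 1, step: int = STEP) -> bool:
    """Server-side check. Accepting `skew` steps either side of the current
    one is what makes a code usable a little past its nominal 30 seconds:
    phone and server clocks rarely agree exactly. (skew=1 is an assumption;
    services pick their own tolerance.) Constant-time compare throughout."""
    secret = base64.b32decode(secret_b32.upper())
    counter = unix_time // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code now:", totp(RFC_SEED_B32, now))
    print("seconds left in this step:", STEP - now % STEP)
```

Note that anyone holding `RFC_SEED_B32` can call `totp` and get the same code, which is the leaked-secret weakness described above.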

Option 3: Login Verification

Another TFA option is login verification, where a notification is sent to your device asking you to verify a login request. It uses public key cryptography, set up so that only you are able to authorize a login request and only the service can validate that authorization. Public key cryptography is a bit complex, but login verification is the simplest option out there. With login verification, all you need to do is click a notification and you’re done! The main issue is that the device which gets the notification needs internet access, and if the private key is stolen, you’re screwed.

Option 4: Security Tokens

The most secure of the TFA options are security tokens such as YubiKeys and smartcards. Security tokens are considered true two factor authentication (better yet, two separate values) since they work completely independently of the server. I haven’t had much experience with security tokens, but from what I’ve read they’re purpose built to authenticate accounts. The codes (or “codes”) generated by these tokens can be in a random loop, cued on demand, or not even require your input whatsoever. Since they’re purpose built, they’re a very solid option. The issues with security tokens are that they can be lost or stolen, you might need a lot of keys for your different accounts, the private key can be extracted from the device (with lots of effort), and they tend to be more expensive than using a phone you already have.
The TFA option you choose comes down to a number of factors, such as whether the service supports two factor authentication at all (and which options it offers), how much the account means to you, what you can afford, and what you’re willing to tolerate for the sake of security.
I’ll use myself as an example. For me, given how careless I am, security tokens aren’t an option. Since I’m glued to my phone and I travel quite a bit, I prefer to use the TOTP option via Authy since it doesn’t need internet. If the option is available, I tend to activate the login verification feature because it’s just a matter of clicking yes or no. If the above options aren’t supported, I just use the SMS based TFA since it’s better than nothing.
If you want to see if your online accounts support two factor authentication, head over to twofactorauth.org, home to the Two Factor Auth List. There, you can look up a service and see which TFA options it supports and any potential issues, and if the service doesn’t support TFA, it lets you send a message to the service’s Twitter or Facebook asking them to add the option.
Like password managers, two factor authentication should be another tool in your security arsenal. While TFA usually makes breaking into an account a whole lot harder, there are some drawbacks, such as the secret keys used for verification getting stolen, as well as the fact that, since none of these options are perfect, services sometimes supply you with backup codes, which are much easier to steal. Oh, and the rubber hose is still a thing.
There you have it! A guide to two factor authentication! Check out the Two Factor Auth List to see if your services support two factor authentication. For a TOTP option, check out Authy, my chosen TOTP method. If you’re more inclined to using security tokens, Yubico has some great options, and if you don’t like them, you can make your own.
That’s all for now. Share this post if you found it useful and until next time, seize the means of computation.

Wanna see what I’ve got lined up? Watch the Trello Board here.
Have an opinion about me? Let me know what you think here.

Awesome Screenshot

What is it?: A Chrome Extension
Link: https://www.awesomescreenshot.com/
Developers: Diglo

Awesome Screenshot is a Chrome Extension that allows you to take screenshots on a webpage. I recently used it to snap a web comic for a book review I did here.

Awesome Screenshot gives you the option to screen-cap an entire webpage, whatever is in view or even a selected area. Once the screenshot is taken, it gives you some options to edit the screenshot like adding text, cropping, annotating, drawing and blurring. I wish I could change the blur’s intensity however.

If you wanna take screenshots of web pages, Awesome Screenshot is a great way to do it.

CSS Tricks

URL: https://css-tricks.com
Creator: Chris Coyier
Genre: Web Design

CSS Tricks is a blog focused on web design and development. I found the website on Google back when I was trying to figure out how to do the thing in CSS when designing websites.

There was quite a lot to like. For one, I like the website’s design. The font (Whitney) is on point. The colors work nicely together. The layout is solid. In essence, it lives up to its name. There is a slight issue on my iPhone SE where the page doesn’t stretch all the way out. Besides that, the site is well made.

Another thing I liked is their writing. The posts on CSS-Tricks are written by great authors like Sarah Drasner and Chris Coyier. That’s the big reason I keep coming back to this site.

CSS Tricks also has handy code snippets on how to do commonly needed web development stuff, an almanac (a prettier w3schools), handy videos, a job board and in depth guides on web frameworks.

CSS Tricks is one of the things I’m glad to see whenever I google how to do the thing in CSS. It has a clean layout and it’s well written by great authors. A must read for anyone looking for CSS help.

The 2037 Bug

Editor’s Note: This would have been a video, but I got lazy… Sorry :(.


On January 19, 2038 at exactly 03:14:07, many computers will probably fail. The reason has to do with the 2038 bug, which I shall explain in the post below.

To start off with, let’s talk about how computers track time. Most computers track time through a counter hooked onto a hardware element that causes the counter to increment at certain intervals, usually seconds. The time is inferred from the time elapsed since a certain reference time, or epoch. In the case of *nix systems, like Linux and macOS, and some programming languages, this epoch started on January 1, 1970.
2^31 − 1 = 2,147,483,647
The issue with *nix systems is that they store the time difference from the epoch in a 32-bit signed integer. The biggest number a signed 32-bit integer can store is 2^31 − 1, or 2 147 483 647. Why not 2^32? The integer is signed, so the leading bit is reserved for the sign. Now, two-odd billion sounds like a big number, but you’d be mistaken. Being the Zimbabwean that I am, with experience of numbers in the trillions, I can tell you that 2 billion isn’t enough.
(Image: 100 Trillion Banknote from Zimbabwe)
Like, serious!
I mean, it’s all fine and dandy until that two-odd billion runs out. That time will be exactly 03:14:07 on the 19th of January 2038. Once that date is reached, the next second will bring things back all the way to 13 December 1901 at 20:45:45. Why does this happen? When the counter is incremented while all 31 value bits are set, the carry flows into the sign bit, turning the number from a positive to a negative.
(Handy GIF thanks to Wikipedia: Year_2038_problem.gif)
This sounds awful…Scratch that – this *is* awful! This bug has the potential to affect millions of systems. Desktop computers, phones, electronic assists in cars, avionics systems, industrial systems – anything using a signed 32-bit integer to store time. It’s not confined to hardware either. This bug could impact databases, file systems, medical software, military software among others.
Besides that incident with Paul Ryan’s economic forecasts, people have encountered some issues. AOL screwed up and some people couldn’t play video games. Also, some people have one more year (2018) to fix this bug lest their future calculations stop working. To be honest, I’m being a bit melodramatic. Knowing that this bug exists doesn’t necessarily predict that computers will catastrophically fail.
The last time we had this big of a scare based on time was during the Y2K bug craze, where the issue had to do with storing only the last two digits of the year (so 2000 would actually be 1000). While they were warned about it 50 years in advance, they only started working on it in the last decade of the 1000’s, a bit like my essays and Paul Ryan’s healthcare bill. Thanks to programmers providing $300 billion in effort, they were able to mitigate disaster, although things did fail and they subsequently got fixed.
(Image: age of universe comparison)
Now that we know the problem and what it could do, how can we fix it? Well, the answer is surprisingly simple, but not easy. A good fix would be to move from 32-bit to 64-bit integers, giving us 293 billion years (about 22 universes) to think of something better. But, like I said, it’s simple, not easy. Any change is bound to break something. time_t is a function in the C programming language responsible for storing time as a 32-bit signed integer on some computers. If time_t was changed to an unsigned number, we would get dates into 2106, but dates before 1970 wouldn’t work.
64-bit computers already use a 64-bit integer, although they can’t calculate past 32-bit for legacy reasons. Some Linux kernel maintainers have spent years finding a fix. Bergmann has a proposal, but only one fix has been committed. Clearly, this will take a while to sort out, but I trust that programmers will be able to think of something.
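The overflow, the unsigned alternative and the 64-bit fix discussed above, as an added Python model (not code from the post; real C code would use time_t directly). The 32-bit functions reinterpret the counter the way a two's-complement machine would, which is an assumption about the hardware, since C itself leaves signed overflow undefined.

```python
import datetime
import struct

INT32_MAX = 2 ** 31 - 1      # 2,147,483,647 seconds after the epoch
INT32_MIN = -(2 ** 31)
EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)


def as_int32(value: int) -> int:
    """Squeeze an integer into a signed 32-bit slot the way a two's-complement
    machine stores a C int32. This models the wrap; C calls signed overflow
    undefined, so real hardware is not obliged to behave this way."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def as_uint32(value: int) -> int:
    """Same for the unsigned variant the post mentions (runs out in 2106)."""
    return value & 0xFFFFFFFF


def utc_string(seconds_since_epoch: int) -> str:
    """Render a seconds-since-epoch count as a UTC timestamp."""
    t = EPOCH + datetime.timedelta(seconds=seconds_since_epoch)
    return t.strftime("%Y-%m-%d %H:%M:%S")


def tick(seconds_since_epoch: int, width: int = 32, signed: bool = True) -> int:
    """Advance the clock by one second in a counter of the given width."""
    nxt = seconds_since_epoch + 1
    if width == 64:
        return nxt          # nothing to see here for ~292 billion years
    return as_int32(nxt) if signed else as_uint32(nxt)


def years_until_wrap(width: int, signed: bool = True) -> float:
    """How long a counter of this width lasts from the epoch, in Julian years."""
    limit = 2 ** (width - 1) - 1 if signed else 2 ** width - 1
    return limit / (365.25 * 86400)


if __name__ == "__main__":
    last_good = INT32_MAX
    print("last valid second (int32):", utc_string(last_good))
    print("one tick later (int32):   ", utc_string(tick(last_good)))
    print("one tick later (uint32):  ", utc_string(tick(last_good, signed=False)))
    print("uint32 runs out at:       ", utc_string(as_uint32(2 ** 32 - 1)))
    print("int64 lasts %.0f billion years" % (years_until_wrap(64) / 1e9))
```

Running it prints the exact wrap-around instant, so you can see for yourself where the 32-bit counter lands in 1901.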

Hello World!

Hi, my name is Farai.

I want to redesign my blog, AGCKB, but designing things is hard. Because of that, I decided to look at other people’s websites and get inspiration from them.

This blog will be an unqualified design critique looking into sites I use a lot and why I like them.

If you found my site, have fun!

Farai Read…The Thrilling Adventures of Lovelace and Babbage: The (Mostly) True Story of the First Computer by Sydney Padua

Book Info
ISBN:  9780307908278
Author: Sydney Padua
Publisher: Pantheon (US), Penguin (UK)
Published: April 21, 2015
Length: 320 Pages
Genre: Steampunk
Price As Purchased: $13.69 (with $5 discount) on Amazon

I did a book review on this book. Again, I wrote the post, but my text editor messed up the format, so you can watch the video on my thoughts below.

Where to get it:
Buy it at Barnes and Nobles – http://www.barnesandnoble.com/w/the-thrilling-adventures-of-lovelace-and-babbage-sydney-padua/1120420212?ean=9780307908278
Buy it on Amazon – http://a.co/aW3XufU
Find it on Worldcat to borrow it from a library near you – http://www.worldcat.org/oclc/869881357

Fun Stuff
Sydney Padua’s Talk at Google – https://youtu.be/5fVlGAY6m8o
The Thrilling Adventures of Babbage and Lovelace Webcomic – http://sydneypadua.com/2dgoggles/

I Got a Password Manager and You Should Get One Too

The other day, I read an article by security expert Troy Hunt on how “The only secure password is the one you can’t remember”. In it, he laments how many online accounts we have and how, with all these services, comes the risk of massive data breaches that can cost you.

These accounts need passwords, and given how many accounts we have, we fall into two bad habits when choosing passwords: weak passwords, which can be found and cracked easily, and reused passwords, where the breach of one service results in the breach of more valuable services.

Now, there are patterns that supposedly make passwords more secure and easier to remember, like sentences and substitutions, but remembering hundreds of passwords like “Il0vefurryp0rn” is hard. So what do we do now? Well, you could write them down on a piece of paper, but that’s a bad idea for obvious reasons.

A better solution is to use a password manager that allows you to generate passwords, store login details, save documents and secure them all with 1Password (hehe), a secure password by the way, in a super safe vault. Password managers are very secure and their security is constantly evaluated and improved upon. Heck, the password manager I use, LastPass, got breached, and while attackers could get the vaults, they were strongly encrypted, making them useless unless you have a lot of time on your hands.

Rather than tell you how password managers work, I’ll show you how I use my password manager, LastPass. I’m not being paid for this, but I wouldn’t mind it. Password managers typically feature browser extensions that let me log into websites quickly. If the site is being weird, I can just copy the password over, and it will clear out the clipboard after a while so other apps can’t take a peek. I can randomly generate passwords for new accounts to specified parameters, log in easily, change passwords on the fly, store form fills and credit card details for easy access, share an account with someone (either showing or hiding details) and even designate someone to access the vault in the case of an emergency.

If I move onto my mobile phone, I can secure the vault against a pin or fingerprint for quick access. I can also log into websites in the browser and generate logins. The best part with password managers on mobile phones is that I can log into apps. It uses the 1Password logo, but you can use any password manager. Nifty hey?

There is a slight benefit to the extensions in that they help prevent phishing, since the login details will only fill in when the page’s URL matches the one saved. You still need to take care about the websites you’re logging into, however. Also, password managers can’t protect you from Rubber Hose Cryptography (i.e. beating you with a hosepipe until you give in), so a password manager should serve as one element in your security arsenal as opposed to being the security arsenal (the Electronic Freedom Foundation has a great guide on it here).
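The URL-match rule is what stops an extension from filling your GitHub password into a lookalike site. Here is an added Python example of that decision (not LastPass's or any product's code) over a constructed vault; it binds each login to an exact https origin, which is an assumed policy and stricter than some managers, which also match the registrable domain.

```python
from urllib.parse import urlsplit

# Constructed vault entries (not real credentials): the URL each login was
# saved on, mapped to (username, password).
VAULT = {
    "https://github.com/login": ("alice", "example-password-1"),
    "https://www.example.com/account": ("alice", "example-password-2"),
}


def fill_origin(url: str):
    """The (scheme, host, port) a credential is bound to, or None if the page
    should never be autofilled. Using .hostname (not .netloc) means
    'https://github.com@evil.test/' resolves to evil.test, not github.com."""
    parts = urlsplit(url)
    if parts.scheme != "https":           # never hand secrets to a plain-HTTP page
        return None
    host = (parts.hostname or "").lower()
    if not host:
        return None
    try:
        port = parts.port or 443
    except ValueError:                    # malformed port in the URL
        return None
    return (parts.scheme, host, port)


def credential_for(page_url: str):
    """Return the saved login only when the page's origin is exactly the saved
    one. Lookalike hosts (github.com.evil.test, githuh.com) get nothing."""
    target = fill_origin(page_url)
    if target is None:
        return None
    for saved_url, login in VAULT.items():
        if fill_origin(saved_url) == target:
            return login
    return None
```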

Now, there are many password managers out there, such as 1Password, Dashlane, Sticky Password, Clipperz, RoboForm and the built in options in web browsers and iCloud. There are some superb open source options such as KeePass and Bitwarden, which do need some tweaks to get them to the convenience of the previously mentioned options. Some are solely cloud based, which is slightly less secure but more convenient, and others give you greater control as to where to store the encrypted vault ((S)FTP, Google Drive, Dropbox etc.). Some even have two factor authentication, in which a password AND something else is needed to verify you, like an SMS code, a special file or “key”, or an app which generates codes needed to sign in. Two factor authentication is another step you can take in ensuring account security. I’ll talk more about that another time.

With that, I hope you’re compelled to get a password manager now.

A Byte of Py: For Loops

This is the first of a new series “A Byte of Py” where I share tasty Python concepts in around 256 seconds (for the video that is). I had this post planned for a long time and I’m only getting to it now, so it might not be the best. Enjoy 🙂


In this Byte of Py, I’ll explain how for loops work in Python using the range statement, enumerate, dictionaries and enhanced for loops in addition to the for-else construct.

There’s also a handy GIF I created explaining for loops.

(GIF: for-loop)
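Each construct named above (plain for, enumerate, dictionary iteration, range and for-else), applied to a few constructed login-audit lines, as an added example that is not the post's own code or GIF. The for-else function is the one people get wrong: the else branch runs only when the loop finished without a break.

```python
# Constructed login-audit lines (not real logs), one "key=value" record each.
LOG_LINES = [
    "2017-03-01T10:00:01 user=alice result=ok src=10.0.0.5",
    "2017-03-01T10:00:07 user=bob result=fail src=10.0.0.9",
    "2017-03-01T10:00:09 user=bob result=fail src=10.0.0.9",
    "2017-03-01T10:00:15 user=bob result=ok src=10.0.0.9",
]


def parse(line: str) -> dict:
    """Turn 'k=v k=v ...' (everything after the timestamp) into a dict."""
    return dict(field.split("=", 1) for field in line.split()[1:])


def failures_per_user(lines) -> dict:
    """Enhanced for: iterate the items themselves, tally into a dict."""
    counts = {}
    for line in lines:
        rec = parse(line)
        if rec["result"] == "fail":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


def first_failure_index(lines) -> int:
    """enumerate: get the position alongside the item; -1 if none."""
    for i, line in enumerate(lines):
        if parse(line)["result"] == "fail":
            return i
    return -1


def users_at_or_over(lines, threshold: int) -> list:
    """Dictionary iteration with .items(): (key, value) pairs."""
    out = []
    for user, n in failures_per_user(lines).items():
        if n >= threshold:
            out.append(user)
    return out


def has_consecutive_failures(lines, n: int) -> bool:
    """range plus for-else: the inner else runs only when the inner loop
    finished WITHOUT hitting break, i.e. all n records in the window failed."""
    results = [parse(line)["result"] for line in lines]
    for start in range(len(results) - n + 1):
        for j in range(start, start + n):
            if results[j] != "fail":
                break
        else:
            return True
    return False
```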

My Goldman Sachs Summer Technology Analyst Interview Experience

This past week, I was able to land an interview with Goldman Sachs for their Summer Technology Analyst position. From the 50 odd applications I submitted, Goldman are the first company to invite me to their offices for an interview.

The time between the application and the interview was 10 from when I filled the online application.

The day after I applied, I was given a HackerRank quiz. The quiz had two questions, one on finding the second smallest element in an array and the other on the pairs in an array that add up to a certain number. While the first question was easy, the second one was hard to do efficiently.

Once I handed in the HackerRank quiz, I got a HireVue interview. The HireVue interview had me answer 6 questions with a video response. While they were mostly easy, one of them was rather hard to answer.

Mind you, these interviews happened within 4 days of applying, which was quick. Once I finished the interviews, I got an email saying that they were reviewing my application and they would get back to me a few days later.

A few days later, the recruiter asked me to confirm that I would be able to get to the interview, which they would fly me out to. After ironing out a few details and booking my flights, I was ready for the Superday.

That weekend, I spent some time preparing my business attire. I couldn’t decide which tie I wanted to wear, so I picked red since it stood out. Later on, I was told red was too powerful and political to wear, so I went with Navy Blue.

The flight to New York via Newark (don’t fly there) didn’t go too well since my original flight got cancelled and the replacement flight got delayed. Because of the delays, I got to the hotel (which Goldman owns) rather late. I could have taken an Uber, but that was $40 vs. the $5 for public transport and my feet.

The next day, I got up and ready and headed for Goldman’s New Jersey office, which was just a ferry across the river from Lower Manhattan, where the hotel was. They had an office right next to the hotel, but they held the interview in NJ for some reason.

I digress. I got to their office with plenty of time to spare. I got to mingle with some other candidates before we headed up to their office. 

The Superday was in 3 parts, a behavioral interview, a technical interview and an informal networking session where we got to talk to some of the technical staff.

I had the behavioral portion first where I had to walk through my resume, explain how I would design a self parking car, talk about a unique problem I’ve faced as well as a question on how I would scale an application. After I asked the interviewer a few questions, I went to the next room for the technical portion.

At the technical portion, I met with two engineers. They asked me how I would design an application to search a string, how to sort some numbers, how to help a co-worker who isn’t getting along well with a colleague as well as how to ensure quality assurance.

With the technical portion over, I headed for the networking session. I had a really good chat with the tech staff, where they talked about how they got to work at Goldman, NY life, their projects, intern experience, and their experience returning to Goldman.

With that over, I headed across the river back towards the World Trade Center to grab some lunch, hang around and try it done headphones. Once I got bored, I headed back to Newark to get back to college.

A week later, I got a call saying that I didn’t get the position. To be honest, I don’t think I did too well. I didn’t handle the abstract questions well and I couldn’t explain quick sort or merge sort. I ended up getting a lot of hints and internalized stares of futility.

I appreciate Goldman for flying me out and giving me a chance. It’s exciting to get flown out. I just wish I had been better prepared for the interview and had communicated better. Back to applying I guess!