The Zen of Forty

A series of small bits of wisdom that have helped me, at 40, become the happiest I’ve ever been in my life by remembering to review them each week, and try to live by them as much as I can.  I share them with you with the hope that they’ll resonate with someone who is reading through them and provide that little extra motivation to point yourself in the right direction.

  • Ask yourself each day what you’re considering important and whether it would be 100 years from now. Does it matter as much as the energy you’re putting into worrying about it?
  • Try to make each day a “no more zeros” day. Do something each day that furthers your life goals, even if it’s just a minor step in that direction.
  • Take care of the 3 you’s.  Thank the past you for good decisions you’ve made, cater to the present you by keeping attention and focus on whatever you’re putting your time and effort to at this moment, and do favors for the future you by making choices that further your goals. Treat your future self like you would a best friend.
  • Forgive yourself for mistakes you’ve made in the past.
  • You control how you react to everything that happens in your life. Whatever emotion you’re feeling, you can choose to change it if you want to. It’s totally up to you. Choose to be happy.
  • The world really is a playground if you’re willing to let it be.
  • Stop complaining and try to look for opportunities or moments of happiness instead.
  • It’s ok to have regrets. Don’t make the mistake of thinking that having something you regret is something you should be ashamed of.  It’s how you learn and become a better person.
  • The king and the pawn are put back in the same box at the end of the game. Don’t get too wrapped up in who you think you are on the board from day to day.
  • Be honest with yourself about everything. That’s a responsibility you have to yourself.
  • Start facing problems head on, and taking care of small problems before they become big ones later.
  • You can choose to let your day run you, or you can run your day.
  • If you’re feeling down, upset, regretful, or any other negative emotion, then just do something – anything. Action is always better than inaction.
  • Your job isn’t your worth, and it isn’t your life. Let your job fund your life.
  • Start being authentic and making your own happiness a priority.
  • Build a life that is tailor made for you.
  • Take responsibility for mistakes and failures, and clean up your own messes.
  • Think about the person that you want to be, and act like that person until you ultimately become them.
  • Running away from problems in life is a race that you’ll never win.
  • Make time in every day to enjoy life and the world around you.
  • Don’t feel sorry for yourself.  Everyone has their own obstacles to overcome. Very few people are born with a free pass.
  • It’s worth repeating: choose happiness whenever possible. It’s possible more often than you think.
  • Be kind to others.  Remember that other people have it tough too.
  • Don’t defer happiness until a future date. That’s a terrible idea, because that date may never come.
  • Possessions will own you if you let them. Keep things simple, and remember that a few great things will always trump a multitude of mediocre ones.
  • Be silly, be honest and be kind.  It’s better for you and everyone around you.
  • Think about who you would call and what you would say if you only had one hour left to live.  Does that person know?   They should.
  • Remember not to live only for the sunshine. Instead, don’t be afraid to dance in the rain too.
  • When you feel like you have no time, remember the key to prioritization: golf balls, pebbles, sand and a jar.
  • Read and do things that nourish your mind every day.

Good luck. Keep smiling.


Being in charge of security for anything is a lose-lose proposition

The resignation of Secret Service Director Julia Pierson prompted a discussion between a friend and me about jobs that focus on being in charge of the security of something. For the purpose of our discussion, the something didn’t have to be the President of the United States. It can be the security of a campus network, a physical structure, or something as large and complex as the Department of Homeland Security.

The four links included above are a very small sampling of fairly recent examples of the head of some sort of security being forced or voluntarily resigning their duties in the face of security breaches and the ensuing backlash.

Unfortunately, in most of these cases, the person charged with directing security was fighting a losing battle from the outset. Taking on a role as the head of security for anything means that you’re saying essentially “I believe that with limited resources, and finite time, I can protect against a variety of threats that have nearly unlimited resources and infinite time.”  It’s crazy to believe that’s possible.

I personally don’t believe that Julia Pierson got into the position of leading the United States Secret Service while simultaneously not understanding how locks on doors work, as Congressman Darrell Issa seems like he’d like me to believe by asking Ms. Pierson ‘$800 million a year, millions of dollars or more during your tenure, each year, than the president’s request, and that door was unlocked with no one standing at it when Mr. Gonzales came through?’

Unfortunately, the reality is that providing security is really mostly about preventing exposure of easy areas of vulnerability, and making whatever it is you’re charged with protecting a *slightly* less attractive target than the next thing that might attract the attention of attackers.

When security incidents ultimately do occur, someone has to take the fall, and in almost every case, it’s going to be the person charged with leading the security effort. This despite the fact that if someone stays in a security related position long enough, it’s nearly inevitable that some sort of incident will occur that draws criticism from those outside looking in, wondering how the person in charge could have let this happen.

Success as the head of a security operation seems to me to be largely dependent on your timing. Joseph Clancy, the man who has been named as interim Director of the Secret Service to replace Pierson, is a good example of timing working in your favor. Clancy retired from the Secret Service in 2011 after heading security at Comcast. After his departure from Comcast, there were several security incidents, but since Joseph Clancy departed before the breaches actually occurred, he gets to reap the benefits of a successful security tenure there, and now moves back to the Secret Service to take over for the departing Pierson, whose timing wasn’t so lucky.

That’s not to suggest that Clancy is a poor choice, or unqualified for his role, it’s just a reminder that being successful as the head of security for anything is really as much about your timing as it is your skill and experience in the security world.

It’s also a not-so-gentle reminder that when it comes to personal security, both in the physical world and online, it’s unwise to depend on anyone regardless of their credentials or history, to do all of the work for you. Be smart, and help make yourself a less attractive target.  It’s also wise to consider whether you think your timing is good enough to allow you to be successful leading any security effort.

 


Blog post of extremely limited usefulness – ColdFusion 11, Mac OS X and MAMP

This post will admittedly have a very small audience, but for those of you who do stumble on to it while trying to get ColdFusion 11 installed and configured in a development environment on OS X using MAMP, you’ll hopefully find it very helpful.

By default, the web server connectors that ship with ColdFusion 11 (including the Apache connector for OS X) don’t play nicely with a MAMP setup. Attempting to run the connectors in their default state will result in the connector scripts trying to install themselves into the default OS X Apache installation in the /etc/apache2 directory.

Of course, with MAMP, what you’d like is for the connector to install itself to the Apache webserver embedded within MAMP, which on a default MAMP OS X installation is located within the /Applications/MAMP directory.

The easiest way to resolve the problem is by opening up the apache_connector_macosx.sh script (this is located in the /Applications/ColdFusion 11/cfusion/bin/connectors directory) and modifying it so that the -dir, -bin, and -script variables point to the Apache installation that you want to use with ColdFusion.

You can do this pretty easily yourself with any code editor, but in the event that you can’t or don’t want to do this, I’m sharing a pre-modified version of the apache_connector_macosx.sh script that you can download and run to get your installation up and running.

You can download the modified web server connector script here.


Multi-factor Authentication Is Simple Enough Now That Everyone Should Be Using It

Multi-factor Authentication (also sometimes called Two-Factor authentication) is a method provided by many sites and services to help their users better secure access to their accounts.  For the remainder of this post, I’ll use MFA for short.

Most major web services now offer some sort of MFA, and over the last several years, integrating the use of MFA into your daily life has become simple enough that it should be accessible to most every user.

So much of our lives is online these days, that most of us have a lot of personal, private information stored with our email service providers, in our Dropbox folder, Google Drive, SkyDrive, etc.  Imagine if someone had the password to your email account.   What types of information might they be able to find out about you?  If it doesn’t give you a little cause for concern it should.   Yet for many people, those sites and services are protected only with a password – one of the weakest forms of security available to end users.

Even if you have good personal security habits, and make use of strong passwords that are regularly changed and never written down, it is still possible to pretty easily circumvent that security measure with the right tools, a little time, and a lot of persistence.  Unfortunately, the vast majority of users don’t have good personal security habits.

According to a study conducted by Time Magazine in January 2014, the most popular passwords that people selected to protect their information online were “123456”, “iloveyou”, and “qwerty”.  Ahem…..

Needless to say, those passwords aren’t indicative of good personal security habits at all. It’s roughly akin to leaving your wallet lying on the driver’s seat of your car in plain view, with the window rolled up and the car door locked. Yes, you’ve put forth a minimal amount of effort to protect yourself, but it’s not going to discourage someone who is even marginally determined.

Are you responsible for maintaining security of the network in a workplace? If so, the risk is even greater for you. According to a 2013 Verizon Data Breach Investigations report, 76% of network intrusions exploited weak or stolen login credentials. In these incidents, the companies suffering the breach weren’t even really trying to make it difficult for their networks to be exploited. The tools needed to exploit passwords like “123456” aren’t sophisticated, and can be downloaded and run for free by anyone, of any age, with access to a working internet connection.

A good password should be your first line of defense in protecting your or your organization’s data. Sometimes the password policies of organizations work against themselves by requiring things like uppercase letters, special characters, etc. If you haven’t seen the classic xkcd comic about password strength, it’s worth taking a look.

The point of the xkcd comic is that in most cases, a random string of words that can be remembered easily by the user is a much better strategy against a brute force attack than the typical password gymnastics required by most organizations attempting to enforce strong password policies that may encourage users to write down their passwords and stick them to the front of the monitor.

Fortunately, in addition to having a good, difficult-to-guess password, multi-factor authentication adds another significant layer of protection by combining something the user knows (a password) with something the user has (a token, often sent to a phone via SMS or through an MFA application like Google Authenticator).

The way it works is pretty straightforward. You will download an application on your phone, and pair that application with a site or service that supports MFA. Typically, the site will provide you with a QR code that you can simply scan with your phone, and the pairing will happen transparently to the user.  Once activated, when you attempt to login to that service the next time, you’ll first be asked for your password. After successfully authenticating, you’ll be asked for a security code. You will open the authenticator app on your phone, copy the randomly generated code, and provide it to the login page to complete the login process. In most cases, this randomly generated code will be automatically changed every 20-30 seconds. The entire process adds a total of 10-15 seconds to the login process, but astronomically raises the security of your accounts.

A simple example can be seen below.  In this example, I’m logging in to my RSS feed reading application using my Google account.  Note that after entering the correct password, I’m challenged for a code that I can obtain by switching over to my authenticator application.  I copy the code, switch back to the application I was logging in to, provide the code, and complete the login process. It’s a minor additional step for a major security advantage.



Most authenticator applications will allow you to register more than one service, so that you go to the same code generator application for all your MFA sites. My personal preference, and recommendation, is Authy, a great MFA application available for both iOS and Android devices. Authy allows you to register multiple MFA accounts, and easily switch between them via a familiar interface.

If you’re interested in enabling MFA for the applications that you use regularly, be sure to check the support site for the service in question. Chances are they offer some sort of MFA. If not, don’t be afraid to request that they add this option. In 2014, this really should be part of the basic service offering for any serious provider.

Here are links to the MFA options offered by some of the services that I (and probably you) use regularly.

Twitter and Apple also offer their own implementations of MFA that work in slightly different ways. In the case of Twitter, the code is sent to your phone either via SMS (my preference) or through the Twitter application itself as a message sent directly to you in-app.  For your Apple ID, a four digit pin is sent via SMS to a registered device, and required in addition to your Apple ID password. To enable 2 factor authentication on your Apple ID, sign in at appleid.apple.com, and visit “Two Step Verification” under “Password and Security”.

In summary, if you haven’t already been exposed to the concept of multi-factor authentication, the good news is that it’s now very simple and convenient to use. Hopefully the information provided here will help you make yourself more safe and secure online. Good luck!

 

 

 


Exchange Server, Mail.app, Alias Addresses and the unnecessary self CC on “Reply all”

If you’re using Apple’s Mail.app in conjunction with an Exchange server where you have an account that is also configured to use an alias address, you may have encountered an odd problem where anytime you hit “Reply All” to a message, your alias address is included on the CC line of the email.

This had been happening to me for quite some time.  Instead of searching for a solution and resolving the issue, I dealt with it by simply deleting the address on the CC line before sending.  This morning, though, I decided to take a few minutes to try to permanently resolve the issue.

It turns out it’s a pretty easy fix, likely caused by an odd quirk in the way that Mail.app handles Exchange account information.

When you set up your Exchange account on OSX, the information about your configuration to the mail server that the application uses on each startup is stored in a .plist file called “Accounts.plist”.  This file is located in the /Users/{username}/Library/Mail/V2/MailData/ directory.  The quickest way to get to and edit this file is to use Finder’s Go>Go To Folder menu, and type in the folder name.  When you see the Accounts.plist file, open it for editing (make sure that you’ve shut down Mail.app before attempting to edit).

A .plist file is a simple XML file used by OSX apps to store and read configuration data on startup.  Because these files are XML based, you should be able to read and edit them with any capable text editor.  I prefer Bare Bones Software’s BBEdit but any text editor should work.

The basic structure of this XML file is as follows:

    <key>DeliveryAccounts</key>
    <array>
        <dict>
            Account Information
        </dict>
    </array>

Search the various accounts in your DeliveryAccounts array until you find the Exchange account, listed as an “EWSAccount” in the Account Type section of the XML.  Within this block of XML code, you’ll see a key named “EmailAddresses”, followed by an array with the email addresses associated with this account listed.  If you’re experiencing the self-CC problem, it’s unlikely that the alias that you use with your Exchange account is listed here.

Just add an additional string value to the email address array, inserting your alias address between the <string>..</string> blocks.

Here is a before and after of my EWSAccount section:

Before: [image: Accounts_plist]

After: [image: Accounts_plist 2]

After making this change, save the file, restart Mail.app, and try reply-all.  You should no longer see the self-CC appear on the CC line of the email.
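The same edit done with a script instead of a text editor, as an added example that is not part of the original post. The key name "AccountType" is an assumption about how the "Account Type" entry is spelled in the file, and the sample plist and its addresses are constructed.

```python
import plistlib
import shutil
from pathlib import Path

ACCOUNT_TYPE_KEY = "AccountType"   # assumed key name for the "Account Type" entry

def add_alias(plist_bytes, alias):
    """Return (updated plist bytes, changed) with alias added to each EWSAccount."""
    root = plistlib.loads(plist_bytes)
    changed = False
    for account in root.get("DeliveryAccounts", []):
        if account.get(ACCOUNT_TYPE_KEY) != "EWSAccount":
            continue                               # leave non-Exchange accounts alone
        addresses = account.setdefault("EmailAddresses", [])
        if alias.lower() not in (a.lower() for a in addresses):
            addresses.append(alias)
            changed = True
    return plistlib.dumps(root, fmt=plistlib.FMT_XML), changed

def patch_file(path, alias):
    """Apply add_alias to a file on disk, keeping a .bak copy. Quit Mail.app first."""
    path = Path(path)
    updated, changed = add_alias(path.read_bytes(), alias)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(updated)
    return changed

# Constructed sample with the layout the post describes; addresses are placeholders.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>DeliveryAccounts</key>
<array>
  <dict>
    <key>AccountType</key><string>IMAPAccount</string>
    <key>EmailAddresses</key><array><string>me@example.org</string></array>
  </dict>
  <dict>
    <key>AccountType</key><string>EWSAccount</string>
    <key>EmailAddresses</key><array><string>first.last@example.com</string></array>
  </dict>
</array>
</dict></plist>"""

if __name__ == "__main__":
    updated, changed = add_alias(SAMPLE, "alias@example.com")
    print(changed)
    print(updated.decode())
```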

 
