Tuesday, February 26, 2013

Quick YubiKey PAM Bash Installer

Quick YubiKey PAM Bash Installer

A quick and easy way to install YubiKey PAM for Ubuntu.  There is also a Bash installer for Debian in the same GitHub repo.


We recently switched to OpenBD on a production website and it uses MySQL FOUND_ROWS().  There a couple of things to ensure it works properly on OpenBD.

You need to add this setting to the "Connection Settings" in the datasource


The queries need to be in a cftransaction block otherwise they will use a different MySQL connection.   It would look something like:

<cfquery name="foo" datasource="foo">
    WHERE id > 2 LIMIT 2
  <cfquery name="bar" datasource="foo">

Monday, February 18, 2013

Twitter Needs to Add Two-Factor Authentication

After the account of @BurgerKing hacked at Twitter, when is Twitter going to add two-factor authentication? Google and Facebook both have done it.

Friday, February 15, 2013

Excited for PyCon 2013 - Live Blogging It!

PyCon 2013 is the first conference since 2007 that I will be attending and not speaking at the conference itself.  So I actually feel like I can focus on being an attendee instead of a speaker.  So this is going to be a different experience for me and I'm already planning what I want to do at the conference.

I've decided I'm going to live blog the sessions that I attend at PyCon using Google Drive.  This means you'll be able to even watch me take my notes as the session goes on.  So I'll be blogging the live Google Doc links in a future blog post.  I'm so excited!  Watch this space...

Thursday, February 14, 2013

pyMNtos - February Meeting Agenda - David Goodger on The Zen of Python Revisited and 3 Lightning Talks

ImageOur next meeting on Thursday 2/21 (pizza at 7p / meeting at 7:30p -- Please RSVP) includes three Lightning Talks:

  • MyHDL -- Chris Felton
  • Docopt -- Andrew Carter
  • Building Web UIs with Twitter Bootstrap -- Peter Farrell

David Goodger will be presenting a longer talk on The Zen of Python Revisited -- A fresh look at the meaning of Python's Zen. Does it mean what you think it means?

David is best known in the Python world for Docutils / reStructuredText and for chairing the 2008 & 2009 PyCons in Chicago.

We might broadcast this as a Google+ Hangout for those interested in attending remotely or out of state.  Let me know if you are interested as I don't want to setup all the mics and camera if nobody is going to come.

Wednesday, February 13, 2013

LastPass and YubiKey - Lessons Learned

Continuing on with my year of digital security ideas, I wanted to share a few short thoughts on some lessons I learned using LastPass and YubiKey.


  • Before I committed to switching to LastPass, I tried it out. LastPass uses a Master Password and I generated it in my KeePass.  However, I didn't save my KeePass vault for some reason.  Never forget your LastPass Master Password or you will be sorry.
  • Always generate a few one-time passwords (OTP) to get into your LastPass vault just in case.


  • After you receive your YubiKey, be sure to sign up for the Yubico Revoke Service and add your key.  This allows you to revoke your YubiKey in the YubiCloud authentication service in case your key is lost or stolen.  You have to physically have your key to add it to the revoke service -- you cannot add a key if you do not have it (like after you lost it).
  • Be sure to add your YubiKey to your LastPass profile and enable two-factor authentication.

Tuesday, February 12, 2013

2013 - The Year of Digital Security

Last year, 2012, was the year of backups.  Between the cloud and automatic backups and safe places to keep drives -- I believe backing up my digital life as well as getting it more organized in the first place was a complete success.

This year I'm focusing on something entirely different: Security.  Actually, I did a lot of small security stuff at the end of 2012 so I'd say I started 2013 with a "very good" rating.  Instead of a tutorial on how to implement security in your digital life, I'm just going to share some of things I've already done and where I'm going from here.

I was already doing a lot of good things that I started in 2012:

  • I was user of a password manager / password vault.  I've been using KeePassX (available on many platforms like Linux, MacOS, Android, Windows, etc.) on both my laptop, desktop and Android phone. I kept my single password vault file in sync between devices using DropBox.

  • Stopped sharing similar or the same passwords between sites. I was pretty good about this, but sometimes I would order something from a company that I knew I would rarely use.  I became lazy and didn't always setup a new profile in KeePassX. For example, I was one of the 24 million accounts that were hacked at Zappos in January of 2012.  Also, my credit card information was stolen (see sample letter in PDF) from Altrec -- an outdoor outfitter where I made a purchase almost two years ago.

  • After reading Matt Honan's tail of how he got his entire digital life wiped out by hackers in Wired last August, I turned on Google Authenticator (two-factor authentication) on all my GMail accounts (even DropBox can utilize Google Authenticator).

So, you're probably thinking what more can you do? Well, there a few more items that I've already working on or done in 2013:

  • I decided to switch from KeePassX to LastPass for my password management. I switched for three reasons:

    • #1 - LastPass has tighter integration with the browser and the cloud. LastPass has a pretty good web browser plugin for Chrome and Firefox.  KeePassX I would have to find the profile and use the clipboard to copy my password.  LastPass just reminders my profiles.

    • #2 - My LastPass password vault is encrypted locally and stored in the LassPass cloud.  This takes the pain of synchronization with KeePassX and Dropbox out the equation.

    • #3 - Two-factor authentication support. For those that don't know what this is, this means you need both the password and some physical item (that usually emits unique codes) in order to login.  If you don't have both items, you cannot login.

  • Two-factor authentication using YubiKey.  These are amazing little USB devices that emits an one-time password (OTP).  For example, to login into my LastPass vault I use my master password and then I have to authenticate using the OTP emitted from my YubiKey.  They even offer a YubiKey that has NFC built-in so you can use it with NFC enabled devices like my Google Nexus 7 tablet.

  • I now encrypt my home directory data on my HD (via Ubuntu) on both my laptop and desktop.  So even if you steal my computer -- you cannot get my HD contents unless you know my password. (Note: Yubico offers a PAM for Linux so I could even require my YubiKey login).

I hope this inspires you to do more for your security of your digital life.  I'm planning on writing up a nice quick start soon for getting started with LastPass and some of the things I did or things you shouldn't do like I did.  Let me know if you have any questions.  Until then, may the security deities be with you!

Saturday, February 9, 2013

Illegal use of nonvirtual function call in Java / MySQL JConnector

My computer crashed today and after restart none of my Java based application via Tomcat that used MySQL would work.  I would get an error like this:

Could not verify datasource: java.lang.VerifyError: (class: com/mysql/jdbc/DatabaseMetaData, method: supportsRefCursors signature: ()Z) Illegal use of nonvirtual function call

No matter the amount of Googling did anything turn up useful.  After reinstalling MySQL, I realized that my Aqua DataStudio could still connect and query the MySQL databases.  I tried a new MySQL J/Connector which did not help.

In the end, the fix was that Tomcat was using Java8 weekly (via a .deb) and something in Java8 must be broken.  I downgraded Tomcat to use Java7 and everything worked.  I found out that there was an update to my system to Java8 on 2/13 and the restart made it effective because Tomcat had been running for at least a week.

The fix: Check your Java version and downgrade from Java8