Tales from the jar side: Security, NFTs, and Signing ebooks
It's amazing how much I'll write just to tell a bad joke
Welcome to Tales from the jar side, the Kousen IT newsletter, for the week of February 21 - 28, 2021. This week I taught a Spring MVC Fundamentals course and a Kotlin Fundamentals course on the O’Reilly Learning Platform, and I ran an NFJS Virtual Workshop called Deep Dive Into Spring.
I’m in the middle of several things at the moment, most of which have to do with security, so let me talk a bit about that this week.
1Password Built 4 Two
I decided it was finally time to use a password manager, rather than my current mechanism of just relying on Google to save everything. After all, what could go wrong?
CommonsWare is the one-person company owned by Mark Murphy, who is a big, big name in the Android community. He has the distinction of having answered more Android questions on StackOverflow than anyone ever. Here is his page. From it, you can see that his reputation there is just under 900,000 (seriously), and that he’s answered over 22,000 questions.
Let that settle in for a moment. 22,000 questions. That’s a lot. That places him in the top 0.01% of all users, which ranks him #7 all time.
For the IT people, here’s my one StackOverflow joke:
The maintainers of StackOverflow have the toughest job in IT, because when the site goes down, they have to restore it without looking up anything on StackOverflow. (rimshot)
For the record, my reputation there is about 2500, which still puts me in the top 15%. I don’t spend much time answering questions there (obviously), but even if I did, I wouldn’t register on the Mark Murphy scale.
Murphy writes books on Android. His CommonsWare site is a subscription site. You pay $20 every six months and you get access to all of his books, which he updates roughly every six to eight weeks, so they stay up to date in a rapidly changing field. I first got to know him from his previous (“first generation”) book, The Busy Coder’s Guide to Android Development, which topped out at 4298 (!) pages. That, too, is a lot.
I know what you’re thinking, because I’m thinking it too: Couldn’t he have added two more pages before declaring it final?
Coming back to his tweet, the “Terraria fiasco” he refers to involved a developer who mistakenly had his entire Google account invalidated, which locked him out of Gmail, Google Docs, and any other service they offer. It took weeks to fix the problem, and it probably only got fixed because a game that developer created was used by millions of people, so when he went public, there was quite an outcry. Murphy strongly recommends that a one-person company really shouldn’t “put all their eggs in one basket” by relying on a massive social media company that can destroy you without a thought. At minimum, he suggests that if you deploy an Android app to the Play Store, you should use a separate account, so if you somehow do offend a Google bot, you don’t lose everything.
I can see the point, but that would be difficult for me. My one-person company is completely powered by Google horses. I have a business account with Google, I use Google Slides for all my talks, Google Docs for notes, and Gmail (of course) for both personal and company email, as well as whatever other Google services are available.
Still, I can do better with security than I have in the past. I use 2FA (two-factor authentication) on many sites, but even when I do that I use the Google Authenticator app.
But I have another challenge, which is that my wife’s idea of security is typical of non-IT people — meaning she cares about it, but doesn’t really have any idea how to go about it. I also wanted to share certain accounts with her, like my newspaper subscriptions or streaming video sites.
Enter 1Password. 1Password is “the world’s most-loved password manager” according to their propaganda. It lets you store and use strong passwords everywhere, and log into sites and fill out forms securely with one click.
(Btw, if you ever hear me expressing “love” for a password manager, you’ll know either something has seriously gone wrong, or they’re paying me a lot of money, or both.)
A couple weeks ago, I decided to give their family plan a try. It’s roughly $5/month for up to five people (extra people add $1 each), so I went with that. I installed the app on my laptop and my phone and added the browser plugin for all my browsers (Chrome — there’s Google again — as well as Firefox and even Safari on my Mac). After working with it for a couple weeks, I finally set up my wife to use it as well, along with a shared “vault” of sites we can both use with a single click.
So far, so good. I was able to import all the saved passwords from my Chrome browser, both from my company and my personal accounts, and did the same for my wife. We’ll see how it goes in the long run.
I’ve noticed one unexpected benefit already. I can now use any browser I like, because all my sites and passwords are in 1Password rather than in the browser storage or history. Google Chrome is a notorious memory hog on a Mac, so the fact that I can log into, say, Pandora for my music inside Safari is great. Fewer open tabs in Chrome is definitely a good thing.
Self-Signed Certificates
When I was writing my first book, Making Java Groovy, I used to daydream a lot about what I would do with it when I was finished. Fortunately, many of those ideas were silly enough for me to drop when the book actually got done. For example, at one point I discovered that you could submit a book for a Pulitzer Prize just by filling in an online entry form, so I thought I’d submit my own book and then make that part of the marketing (Nominated for a Pulitzer Prize!), but fortunately I came to my senses. Or, more honestly, I was too much of a coward to do it.
Still, I’ve always had one particular idea that I still haven’t taken the time to do, but is sufficiently amusing that I still think I’ll get around to it eventually. Like most of my silliest ideas, it takes a bit of explanation.
One of the key concepts in security that made the modern Internet possible is public-key cryptography, and the PKI (public-key infrastructure) built on top of it. With public-key cryptography, you use a tool to generate a mathematically linked pair of keys. One of these you call a public key, and you share it with everyone; the other is a private key, which you share with no one. (In RSA, the most familiar scheme, the pair is derived from two large, randomly chosen prime numbers, and the security rests on how hard it is to recover those primes from their product. The primes themselves are not the keys, and they are never shared.)
Here’s a picture from the Wikipedia page on public-key cryptography:
Note: all cryptography examples use Alice trying to communicate with Bob, with Eve trying to intercept and decode the message.
The beauty of public and private keys is that whatever is encrypted with one key can only be decrypted with the other. (That is the textbook RSA picture. In practice the public key usually protects a random symmetric key that encrypts the actual message, because public-key operations are slow and size-limited, but the idea is the same.) For example, if Bob wants to send a private message to Alice, he encrypts his message with her public key. That way only she can decrypt it, because she is the only person who has her private key:
But there’s another use case, which leads to digital signatures and what’s called non-repudiation. Say Alice applies her own private key to a message (in RSA terms, “encrypting” it with the private key). Then anyone can undo that, because everyone has Alice’s public key:
So what does that accomplish? Bob now knows that the message could only have come from someone holding Alice’s private key, and that it was not modified in transit. Otherwise her public key would have turned it into garbage rather than the original message. Nobody does this to a whole message in practice, though; the real mechanism is a little different.
Instead, you take the message and reduce it to a small, fixed-size value using what’s called a hashing algorithm (SHA-256, for example), and then sign that hash with your private key. The result is a digital signature. Anyone who has the signer’s public key can verify it, and since the signature records which hash algorithm was used, they can recompute the hash themselves and confirm that the document has not been modified. A signature doesn’t hide the contents; what it proves is that the document was signed by whoever holds that private key, and that it hasn’t changed since.
The final part of the puzzle is how to distribute the public keys, which is the job PKI actually does. You create a certificate, which bundles a public key with the identity information (name, organization, domain) associated with its owner. Then a trusted third party, known as a certificate authority (CA), checks that you really control the corresponding private key (and, depending on the type of certificate, that the identity information is accurate) and signs your certificate with the CA’s own private key. Your certificate, plus the CA’s certificate and any intermediate certificates between them, forms a certificate chain. Every browser ships with the root certificates of the major public CAs, which is what lets it verify certificates it has never seen before.
If you skip the CA and instead sign the certificate with the very private key whose public half it contains, you get what’s called a self-signed certificate. It proves nothing to anyone who doesn’t already trust that key, which is why browsers warn about them, but it is the starting point for everything: every root CA certificate is itself self-signed.
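Here is that whole chain of ideas in working code. This is an example added to this section, written against Go’s standard library; it is not code from the original post or anything the author uses. It generates an RSA key pair, wraps the public key in a self-signed X.509 certificate, hashes a document and signs the hash with the private key, and then verifies the signature using nothing but the certificate, including the two failure cases a recipient cares about: a tampered document and a signature from a different key with the same name on it. The certificate subject and the sample document text are made up for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer holds an RSA private key and the self-signed certificate that
// carries the matching public key. (Example code added to this post.)
type Signer struct {
	Priv *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewSigner generates a 2048-bit RSA key pair and issues a self-signed
// X.509 certificate for it. Passing the same template as both the
// certificate and its parent is what makes it self-signed: the certificate
// is signed by the private key whose public key it contains.
func NewSigner(commonName string) (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed; real CAs use random serials
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Priv: priv, Cert: cert}, nil
}

// Sign reduces the document to a SHA-256 digest and signs the digest with
// the private key (RSA-PSS). The document itself stays readable.
func (s *Signer) Sign(document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPSS(rand.Reader, s.Priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest and checks the signature using only the
// public key inside the certificate, which is all a recipient holds.
// Any change to the document, or a signature from another key, yields false.
func Verify(cert *x509.Certificate, document, sig []byte) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(document)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// IsSelfSigned reports whether the certificate's issuer is its own subject
// and its signature verifies under its own public key. CheckSignature is
// used instead of CheckSignatureFrom because the latter also enforces CA
// constraints that a plain document-signing certificate does not carry.
func IsSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

func main() {
	author, err := NewSigner("Ken Kousen")
	if err != nil {
		panic(err)
	}
	// Constructed sample standing in for the generated PDF.
	doc := []byte("Thank you for purchasing Making Java Groovy! You asked me to say: Hi, Mom!")
	sig, err := author.Sign(doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("self-signed certificate:", IsSelfSigned(author.Cert))
	fmt.Println("signature verifies:    ", Verify(author.Cert, doc, sig))

	tampered := append([]byte{}, doc...)
	tampered[len(tampered)-1] = '?'
	fmt.Println("after tampering:       ", Verify(author.Cert, tampered, sig))

	impostor, _ := NewSigner("Ken Kousen") // same name, different key pair
	fmt.Println("impostor's certificate:", Verify(impostor.Cert, doc, sig))
}
```

The point the last two checks make is the one PKI exists for: the signature math tells you a document came from a particular private key, but nothing in the math ties that key to a name. The impostor’s certificate says “Ken Kousen” just as convincingly; only a CA you already trust (or a key you already have) lets a reader tell the two apart.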
Now we get to the good part. People still do buy and read physical books, but many more electronic copies are sold (especially in the IT world), either as a pdf or in epub or mobi formats (used in Kindle readers). So the question that came up was, while I can autograph a physical book, how do you sign an ebook?
The obvious answer is to digitally sign it. Of course, all the ebook copies are identical (unless they have the purchaser’s email address embedded in them, as often happens), so you don’t want to hash the book itself. Instead, my idea was to create a web site that would ask a user what they wanted me to say. Ahead of time I would generate a certificate of ownership, resembling something like this but fancier:
I would save that as an image in some digital format. My program would write on it something like, “Thank you for purchasing Making Java Groovy / Gradle Recipes for Android / Modern Java Recipes / Kotlin Cookbook! You asked me to say:” and I would append what they submitted, along with my own scanned signature. I would then generate a pdf from the result, run it through a hashing algorithm, and sign it with my private key.
The result would be — wait for it — a self-signed certificate signed with my self-signed certificate, which you could freely download and enjoy.
If you’re thinking that’s an awfully long way to go for a gag, you’re right, and that’s probably why I never followed through. But I still might, because there’s been a new development in the cryptography world recently, which is part of this week’s Meme Watch.
Meme Watch: NFTs
I should say up front that I never planned for Meme Watch to become a regular feature of this newsletter. All I ever wanted for the newsletter was to cover my activities during the previous week and highlight interesting issues that I encountered along the way. Eventually I started adding amusing tweets at the end, partly because they were funny and partly to justify the absurd amount of time I spend keeping up on Twitter. Somehow, over the last few weeks, that has turned into a collection of posts about whatever hot idea dominated the web during that week. I’ve covered sea shanties, and Bernie in mittens, and Ted Fled, and more.
Nothing dominated my Twitter feed this week, but if Meme Watch is going to become a thing, then I might as well mention something that I did run into that isn’t quite a meme yet, but might spawn a series of them very soon. That thing is the concept of NFTs, which stands for Non-fungible Tokens, believe it or not.
A non-fungible token is a cryptographic token that represents something unique. A good explanation and example comes from NBA Top Shot, which is a “booming blockchain-based market of NFTs,” according to this site. As I understand it, the idea is to take some NBA highlight and assign a digital signature to it, but make that signed asset part of a distributed blockchain.
The point is that even though a particular highlight can be seen anywhere, exactly one of those copies is the “authentic” one, and that has value. In fact, this copy of a LeBron James dunk recently sold for (I still can’t believe I’m saying this) $250,000. The NBA Top Shot web site allows you to “own the best moments from NBA history,” as though they were trading cards, but in this case trading cards that can be duplicated infinite times and seen anywhere. Still, only one is considered the actual “Top Shot Moment”, which is what you’re paying for.
The blockchain part solves the ownership-tracking problem: a public ledger records which wallet currently holds the token, so anyone can verify that your copy is the “official” one. (The token itself typically carries only a hash of, or a link to, the media, not the media file.) It’s rather like owning an original work of art, even though you can see absolutely perfect digital copies everywhere else. Speaking of art, NFTs have made major inroads into the art marketplaces, especially if you allow sales to be done with cryptocurrencies. This article talks about a digital work of art whose NFT was just sold for $6.6 million.
So, great. Now you can combine artificial scarcity of an object with no clearly defined value with cryptocurrencies like bitcoin (or, more likely, ethereum), whose verification has the side effect of generating enough waste heat to burn civilization to the ground. How 2020s can you get?
More about this as it develops, probably in a future newsletter.
A few funny Tweets
To finish up, here are a couple of funny tweets this week:
Just in case you don’t get the joke, an Arnold Palmer is a drink that combines iced tea and lemonade. On the vaccine front, my wife is scheduled to get one in a couple weeks (yay!), and this week I found out my sister the physical terrorist (her term for physical therapist) has already been vaccinated (yay again!), which is awesome. In Connecticut, I become eligible tomorrow, so I’ll go searching for the earliest appointment I can get.
On the security front:
I talked above about how locked into Google I am. I still prefer that to selling my soul to Apple.
That’s an almost perfect tweet, though if you go with this version, they’re missing a couple options:
Rock-paper-scissors-lizard-Spock has been around a while and here are the rules as they were discussed on an episode of The Big Bang Theory (though you can infer them from the diagram).
Oldie but goodie:
That cracked me up, until I read in the comments that the joke has been used for decades by sources from Mad Magazine to Mel Brooks. Plus, transit is apparently Latin for bus or van or some other kind of mass transportation, which led to my favorite follow-up:
I sincerely hope the dinosaur gets better.
As a reminder, you can see all my upcoming training courses on the O’Reilly Learning Platform here and all the upcoming NFJS Virtual Workshops here.
Last week:
Spring MVC Fundamentals, on the O’Reilly Learning Platform
Kotlin Fundamentals, same
Deep Dive Into Spring, an NFJS Virtual Workshop
This week:
No classes! My last open week for a long time.
I really, truly, hope to complete all the chapters of my upcoming book, Help Your Boss Help You, soon to appear on The Pragmatic Bookshelf