George V. Reilly

Passphrase Generators

I've been using password managers for at least 15 years to keep track of all my passwords. I have separate, distinct, strong passwords for hundreds of sites, and I've only memorized the handful that I need to actually type regularly.

I started out with the KeePass desktop app originally, but I switched to the online LastPass app about a decade ago. At work, we use 1Password.

When I register for a site, LastPass generates a random password for me, such as:


LastPass securely syncs my passwords between machines and devices. Its browser in­te­gra­tion and its Android and iPhone apps mean that I rarely ever have to actually type any of those ugly continue.

Old Presentations

I uploaded some pre­sen­ta­tions to Speak­ tonight.

Here are various pre­sen­ta­tions of mine at Speak­ and

USB Charge-Only Cables and Condoms

Thanks to Tom Limoncelli, I became acutely aware of USB charge-only cables and condoms. If you plug your phone into an unknown computer to charge the battery, you run the risk of having your phone hijacked by malware. USB transfers data as well as elec­tric­i­ty and you're es­sen­tial­ly giving the computer un­re­strict­ed access to your phone.

Certain USB cables are charge-only and will not pass data. There are also “USB condoms”, which are inserted between the cable and the computer. They not only block data, but they can po­ten­tial­ly charge the battery faster, as they can switch the device into a fast-charging mode. I've ordered a pair from Amazon, as we're continue.

HTTPS for GitHub Pages Custom Domain: Not Yet

This website, http://www.georgevreil­, is hosted at GitHub Pages. It's actually https://georgevreil­ but I've configured the former as the “custom domain”, so the latter is un­con­di­tion­al­ly redirected to the custom domain.

GitHub Pages gives me free, fast hosting and an easy pub­li­ca­tion model: I commit the latest changes to my master branch, I push the branch to GitHub, and seconds later, my site is updated. I'm using Acrylamid to generate the content from re­Struc­tured­Text source on the blog branch and ghp-import to commit the HTML to the master branch.

GitHub Pages supports HTTPS as of June 2016, but not for custom domains. There are some hacks but I don't feel like using them. I'm continue.

Homograph Attacks

During an internal training exercise today, as a sort of one-man Chaos Monkey, I de­lib­er­ate­ly broke a test system by changing a config setting to read:

itemfinder.url = http://test-і

The correct value should have been:

itemfinder.url =

What's that, you say? There's no difference, you say?

There is a difference, but it's subtle. The first i in the URL is 'CYRILLIC SMALL LETTER BYELORUSS­IAN-UKRAINIAN I' (U+0456), not 'LATIN SMALL LETTER I' (U+0069). Depending upon the font, the two is may be visually in­dis­tin­guish­able, very similar looking, or the Cyrillic i may not render.

This is an example of an In­ter­na­tion­al Domain Name Homograph Attack. There are Greek letters and Cyrillic letters that look continue.


I was sent an invite to Keybase a few weeks, which I accepted tonight.

Keybase Wants To Make Serious Encryption Accessible To Mere Mortals explains:

From a cryp­to­graph­ic standpoint, PGP is rock solid. In practice, using it is very messy. Its complexity has deterred the vast majority of people who might otherwise benefit from using encryption.

The first problem is es­tab­lish­ing a valid identity, especially with other people located oceans away. The second is dis­trib­ut­ing public keys without nefarious types posting al­ter­na­tive keys that appear to be registered to the same person. ... The third issue is getting people to install and use PGP software.

I can now be reached via­ly. I've proved my continue.

LastPass and Diceware

My LastPass browser plugin just upgraded itself to v4.0. For several years, I've been using LastPass to manage all of my passwords. I have literally hundreds of passwords. I can't even remember half the sites, much less the usernames. With LastPass, I can maintain a strong, distinct password for each site, which is robustly encrypted and backed up in the cloud, and I get good browser in­te­gra­tion and adequate Android in­te­gra­tion. We also use LastPass at work for our individual use and to share cre­den­tials.

There are still a handful of passwords that I have to remember and type, including the master password for my LastPass account, laptop passwords, and GPG passphras­es.

I've continue.

Security 101 for Developers

The Cozi Tech Blog needed some love, so I wrote a post a couple of weeks ago on Security 101 for Developers.

Odds and Ends #4

Mis­cel­la­neous links.

Odds and Ends #1

Herewith several articles that I've read lately for which I'm not going to write individual posts.

Previous »