Hi, Hello, I’m Back At It

*peeks hesitantly around the corner*

Hey everyone. Tomorrow, after almost 7 months of a sabbatical break, I’m resuming regular publication of kottke.org. (Actually, I’ve been posting a bit here and there this week already — underpromise & over-deliver, etc.) I’m going to share more about what I’ve been up to (and what I’ve not been up to) in a massive forthcoming post, but for now, know that I’m happy to be back here in the saddle once again. (And that my fiddle leaf fig is doing well!)

I am, however, still dealing with some chronic pain that sometimes makes it difficult for me to work. I’m doing the things I need to do to get better & stronger, but just be aware that it might affect my output here. It’s a very frustrating situation — in many ways, I’m in the best physical shape of my life and am excited to be back here but this more-or-less constant background pain is a real source of friction as I go about my day. Just wanted to get that out there — thanks for your continued patience.

Ok, here we go!

Tags: Jason Kottke, kottke.org, working

kbreit
6 days ago

Say hello to 1Password 8 for iOS and Android


Sometimes I forget to marvel at what we, as an industry, have built in the past 30 years.

I have this little device in my pocket, and a slightly larger version on my nightstand. With either one, I can video chat with a friend in the UK, access my medical records, or check in for a vet appointment. I can track my workouts or reserve a table at my favorite restaurant.

I can buy movie tickets, concert tickets, and plane tickets. I can watch videos uploaded by creators from around the globe and learn how to do almost anything. Heck, I can even pair up a controller and play some pretty awesome games. All from the device in my pocket.

Unless I was tethered to my desk, I couldn’t do any of that when our founders – Dave, Sara, Roustem, and Natalia – built the first version of 1Password in 2006. The smartphone and tablet as we know them didn’t yet exist.

But today, when I pull out my phone or grab my iPad, a world of possibilities opens to me.

That’s the world for which we built 1Password 8. The one in which most internet traffic goes through our phones and tablets. The one in which most people are juggling dozens, if not hundreds, of logins to access everything they need for work and life.

The world where you use your phone for everything.

This is 1Password 8 for iOS and Android. It’s a brand-new experience designed to bring a little order to a hyper-connected world. Where did I save my medical records? What’s my bank account number? Do I need to worry about that data breach I heard about yesterday?

And, of course, what the heck is my password?

Built for speed

[Image: iPhone and Android phone side-by-side, displaying the new 1Password 8 home screen and customization options with various sections toggled.]

When we began work on 1Password 8 for iOS and Android, we went straight to customers to find out what they were trying to accomplish in 1Password. Armed with that knowledge, we then dove into making it as fast and easy as possible to achieve those tasks. Speed is everything on mobile, and 1Password 8 delivers.

It starts with your new home screen. And I mean it when I say it’s your home screen. When you open 1Password, you can hide, unhide, or reorder what you see here. You can even pin specific fields from your items to this screen for instantaneous access.

I have my kids' Screen Time passcode pinned to my home screen so I can show it in Large Type with a tap. No two people are alike – and now, no two 1Passwords are alike.

The new design also incorporates an updated, always-available navigation bar so you can:

  • Quickly access your home screen. Here you’ll find your favorites, recent items, or anything else you want fast access to.
  • Access all items across all your accounts. All your vaults, all your tags. It’s all here.
  • Search everything. When you tap the search button, the search field is immediately focused. Just start typing to find what you’re looking for.
  • Boost your security. Get one-tap access to the all-new Watchtower experience for mobile.

Of course, 1Password is more than just an app. If we’re doing things right, it feels like an extension of iOS and Android, putting the things you’ve stored in 1Password right at your fingertips, right when you need them.

Maybe you’re autofilling the one-time code when you log into your banking app, or your payment card info on Amazon.

Everywhere you need it, the autofill experience is now faster and more precise. Payment cards, addresses, identities – autofill whatever you need, when you need it, on both iOS (with the Safari extension) and Android.

Built for peace of mind

[Image: iPhone and Android phone side-by-side displaying the Watchtower dashboard with shareable security score and list of items with weak passwords.]

There’s nothing like knowing – not guessing, but knowing – that you’re protected. With the all-new Watchtower experience for mobile, that peace of mind is just a tap away.

Watchtower is your security sentinel, letting you know when you need to take action and making it easier to do so. If your credentials are involved in a data breach, you’ll see an alert in Watchtower and in the item itself. Tap it to take steps to protect yourself (like changing your password).

Those actionable alerts now extend to your security score, which gives you a bird’s-eye view of your overall security. Watchtower continually evaluates key security data points (locally, on your device) to calculate your score, and shows you where you can take action to improve your security. Your score incorporates things like weak passwords, inactive two-factor authentication, compromised passwords, and others.

You can also share your score directly from Watchtower by copying it or tweeting it. Watch out, though – this can get addictive fast. I’ve been known to spend idle minutes knocking down security issues in my own vaults to get my score just a little bit higher.

We also made security questions easier. Questions like “What’s your mother’s maiden name?” or “What was the name of your childhood pet?” are designed to enhance security, but they can also be a pain. If the question is too obscure, it’s hard to remember the answer. Too common and it’s easy to find that info if an attacker looks hard enough.

Now you can generate random answers to security questions as easily as you generate a password. Just add a security question field to any item, and let 1Password generate an answer for you. Better security, no more guesswork.

Of course, you still get all the other security-boosting features you’ve come to expect from 1Password. That includes the ability to securely share items – yep, files and documents too – with anyone, even if they don’t use 1Password.

Built for you

[Image: iPhone and Android phone side-by-side displaying the 1Password 8 home screen with pinned fields and customizable sections in various configurations.]

Nothing is as personal as these little rectangles in our pockets, so with 1Password 8 we wanted to create something that you could shape to your needs.

Enter the customizable new home screen.

You might want fast access to your favorites and pinned fields, whereas I might prefer to see a list of frequently used and recently created items. It’s your 1Password, so it’s your call.

What are pinned fields? The easiest way to make 1Password truly yours. You can pin any field in a 1Password item directly to your home screen, so you always have instant access to, say, your bank’s routing number or the one-time code for your Twitter login.

To customize your home screen, scroll to the bottom of the screen and select “Customize” then select or deselect sections to show or hide them (respectively). Drag-and-drop sections to choose the order in which they appear.

[Image: iPhone and Android phone side-by-side displaying work and travel collections.]

Collections have come to iOS and Android, too. Collections are an easy way to create a custom group of vaults for easier context switching. Maybe you want to create a collection of personal, work, and travel vaults, or create collections that separate shared vaults with private ones.

Again, it’s up to you. Just tap the vault icon at the top of the screen and select “Manage Collections” to set it up.

1Password also respects your device’s appearance settings, so if you dwell on the dark side all day long with Dark Mode, 1Password will embrace the darkness right along with you. 😎

Download 1Password 8 for iOS and Android

I can’t emphasize the new part of “all-new” enough. 1Password 8 is more than an upgrade: It’s a brand new experience, and you can download it now from the App Store and Google Play Store. 1Password 7 will not automatically upgrade to 1Password 8.

Migrating from 1Password 7 to 1Password 8

If you're using 1Password without a subscription and would like some guidance [migrating to 1Password 8](https://support.1password.com/migrate-1password-account/), 1Password Support is standing by to lend a hand.

Contact 1Password Support

Once you download the app and start exploring, you’ll also find little flourishes throughout: new icons and typography, detailed item views, and new indicators next to shared items so you can see what’s shared and what’s private at a glance.

Regardless of how you set up your 1Password, you’ll be getting the most advanced version of 1Password we’ve ever built, completely recreated for a mobile-first world.

PS: I want to give a huge shout-out to the 1Password community. The feedback from Early Access testers and other contributors has been invaluable. Thank you.

But we’re not done yet. We’re still listening, so if you’d like to share your thoughts, stop by the community and say hi.

Download 1Password 8 for iOS

Get the all-new 1Password 8 for iPhone and iPad. It's everything you need for a worry-free digital life on the go.

Download on the App Store

Download 1Password 8 for Android

Protection has evolved. Get the all-new 1Password 8 for Android phones and tablets.

Download on the Play Store
kbreit
120 days ago

Vin Scully Passes Away

Broadcasting legend Vin Scully passed away today at age 94, according to a Dodgers news release. “He was the voice of the Dodgers, and so much more. He was their conscience, their poet laureate, capturing their beauty and chronicling their glory from Jackie Robinson to Sandy Koufax, Kirk Gibson to Clayton Kershaw. Vin Scully was the heartbeat of the Dodgers – and in so many ways, the heartbeat of all of Los Angeles,” the release stated.

For all of the legendary voices who have called baseball games over the decades, there is little debate that Scully was the best of them all, both for the incredible length of his tenure in the booth, and his unmatched quality over those 66 years of broadcasting Dodgers games. Amazingly, Scully was already a Hall-of-Fame level broadcaster even aside from his work with the Dodgers, as he covered the NFL, pro golf, tennis, and (naturally) postseason and All-Star baseball games for such outlets as CBS, NBC, ABC, and TBS.

From start to finish in his iconic career, Scully was a master storyteller, finding endless inventive and poetic ways to call the action, yet never overwhelmed the play on the field. Scully was on the mic for many of the greatest moments in baseball history, adding to those moments with both wonderful calls and (just as important) poignant silences.

Scully was something of a prodigy, as quite early in his career he began calling Dodgers games in Brooklyn in 1950 on both TV and radio broadcasts. He was then in the booth until the end of the 2016 season, following the Dodgers to Los Angeles. As noted in the press release, “it was Vin as much as anyone who bonded the franchise with its new city. Fans – not only around the city, but at the games themselves in the Los Angeles Memorial Coliseum – would listen on their new transistor radios to Vin and colleague Jerry Doggett.”

On behalf of all of us at MLBTR, we send our condolences to Vin Scully’s family and legions of friends and fans.

kbreit
127 days ago

Video: Rage Against The Machine’s Zack de la Rocha Injures Leg Onstage, Finishes Set Seated

Right now, Rage Against The Machine are performing for the first time since 2011 on their long-awaited reunion tour. However, the band hit a snag at last night’s show in Chicago when frontman Zack de la Rocha injured his leg, and was forced to finish the band’s set seated on a monitor.

As you can see in the fan-shot video below from YouTuber Caleb Crockett, midway through performing “Bullet In The Head” (at about the 3:26 mark), Zack jumps in the air and leaps around the stage. Then, all of a sudden, Zack is very still, crouching, and, upon the next chorus, hopping a little. Then, in a video taken by YouTuber The Pistol777, we can see that Zack performed “Testify” while seated on, or leaning against, a monitor. If we had to guess, the dude landed wrong on those jumps during “Bullet…” and is now having a tough time.

Anyway, our best to Zack, and we hope he makes a speedy recovery. Catch RATM live, perhaps with less jumping, at one of the following dates:

7/12 – Chicago, IL @ United Center ^ [tickets]
7/15 – Ottawa, ON @ Ottawa Bluesfest [tickets]
7/16 – Quebec City, QC @ Festival d’ete de Quebec [tickets]
7/19 – Hamilton, ON @ FirstOntario Centre ^ [tickets]
7/21 — Toronto, ON @ Scotiabank Arena ^ [tickets]
7/23 – Toronto, ON @ Scotiabank Arena ^ [tickets]
7/25 – Buffalo, NY @ KeyBank Center ^ [tickets]
7/27 – Cleveland, OH @ Rocket Mortgage FieldHouse ^ [tickets]
7/29 – Pittsburgh, PA @ PPG Paints Arena ^ [tickets]
7/31 – Raleigh, NC @ PNC Arena ^ [tickets]
8/2 – Washington DC @ Capital One Arena ^ [tickets]
8/3 – Washington DC @ Capital One Arena ^ [tickets]
8/8 – New York, NY @ Madison Square Garden ^ [tickets]
8/9 – New York, NY @ Madison Square Garden ^ [tickets]
8/11 – New York, NY @ Madison Square Garden ^ [tickets]
8/12 – New York, NY @ Madison Square Garden ^ [tickets]
8/14 – New York, NY @ Madison Square Garden ^ [tickets]

2023 Rescheduled Dates

2/22 – Las Cruces, NM – Pan American Center [tickets]
2/24 – El Paso, TX – Don Haskins Center [tickets]
2/26 – Glendale, AZ – Gila River Arena [tickets]
2/28 – Glendale, AZ – Gila River Arena [tickets]
3/3 – Oakland, CA – Oakland Arena [tickets]
3/5 – Oakland, CA – Oakland Arena [tickets]
3/7 – Portland, OR – Moda Center [tickets]
3/9 – Tacoma, WA – Tacoma Dome [tickets]
3/11 – Vancouver, BC – Pacific Coliseum [tickets]
3/13 – Calgary, AB – Scotiabank Saddledome [tickets]
3/15 – Edmonton, AB – Rogers Place [tickets]
3/17 – Winnipeg, MB – Canada Life Centre [tickets]
3/19 – Minneapolis, MN – Target Center [tickets]
3/20 – Minneapolis, MN – Target Center [tickets]
3/22 – Sioux Falls, SD – Denny Sanford Premiere Center [tickets]
3/28 – Kansas City, MO – T-Mobile Center [tickets]
3/30 – St. Louis, MO – Enterprise Center [tickets]
4/1 – Detroit, MI – Little Caesars Arena [tickets]
4/2 – Detroit, MI – Little Caesars Arena [tickets]

The post Video: Rage Against The Machine’s Zack de la Rocha Injures Leg Onstage, Finishes Set Seated appeared first on MetalSucks.

kbreit
149 days ago

Experian, You Have Some Explaining to Do

Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address.

John Turner is a software engineer based in Salt Lake City. Turner said he created the account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for his Experian account.

Turner said that in early June 2022 he received an email from Experian saying the email address on his account had been changed. Experian’s password reset process was useless at that point because any password reset links would be sent to the new (impostor’s) email address.

An Experian support person Turner reached via phone after a lengthy hold time asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his secret questions. But the PIN and secret questions had already been changed by whoever re-signed up as him at Experian.

“I was able to answer the credit report questions successfully, which authenticated me to their system,” Turner said. “At that point, the representative read me the current stored security questions and PIN, and they were definitely not things I would have used.”

Turner said he was able to regain control over his Experian account by creating a new account. But now he’s wondering what else he could do to prevent another account compromise.

“The most frustrating part of this whole thing is that I received multiple ‘here’s your login information’ emails later that I attributed to the original attackers coming back and attempting to use the ‘forgot email/username’ flow, likely using my SSN and DOB, but it didn’t go to their email that they were expecting,” Turner said. “Given that Experian doesn’t support two-factor authentication of any kind — and that I don’t know how they were able to get access to my account in the first place — I’ve felt very helpless ever since.”

Arthur Rishi is a musician and co-executive director of the Boston Landmarks Orchestra. Rishi said he recently discovered his Experian account had been hijacked after receiving an alert from his credit monitoring service (not Experian’s) that someone had tried to open an account in his name at JPMorgan Chase.

Rishi said the alert surprised him because his credit file at Experian was frozen at the time, and Experian did not notify him about any activity on his account. Rishi said Chase agreed to cancel the unauthorized account application, and even rescinded its credit inquiry (each credit pull can ding your credit score slightly).

But he never could get anyone from Experian’s support to answer the phone, despite spending what seemed like eternity trying to progress through the company’s phone-based system. That’s when Rishi decided to see if he could create a new account for himself at Experian.

“I was able to open a new account at Experian starting from scratch, using my SSN, date of birth and answering some really basic questions, like what kind of car did you take out a loan for, or what city did you used to live in,” Rishi said.

Upon completing the sign-up, Rishi noticed that his credit was unfrozen.

Like Turner, Rishi is now worried that identity thieves will just hijack his Experian account once more, and that there is nothing he can do to prevent such a scenario. For now, Rishi has decided to pay Experian $25.99 a month to more closely monitor his account for suspicious activity. Even using the paid Experian service, there were no additional multi-factor authentication options available, although he said Experian did send a one-time code to his phone via SMS recently when he logged on.

“Experian now sometimes does require MFA for me if I use a new browser or have my VPN on,” Rishi said, but he’s not sure if Experian’s free service would have operated differently.

“I get so angry when I think about all this,” he said. “I have no confidence this won’t happen again.”

In a written statement, Experian suggested that what happened to Rishi and Turner was not a normal occurrence, and that its security and identity verification practices extend beyond what is visible to the user.

“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”

“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”

ANALYSIS

KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.

After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that the new email address could receive and respond to messages, and without asking the previous email address to approve the change.

Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”

After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?

To be clear, Experian does have a business unit that sells one-time password services to businesses. While Experian’s system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins.

How does Experian differ from the practices of Equifax and TransUnion, the other two big consumer credit reporting bureaus? When KrebsOnSecurity tried to re-create an existing account at TransUnion using my Social Security number, TransUnion rejected the application, noting that I already had an account and prompting me to proceed through its lost password flow. The company also appears to send an email to the address on file asking to validate account changes.

Likewise, trying to recreate an existing account at Equifax using personal information tied to my existing account prompts Equifax’s systems to report that I already have an account, and to use their password reset process (which involves sending a verification email to the address on file).
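The difference between the two sign-up behaviours described above, modelled as an added example (constructed for illustration; this is not the article's code nor any bureau's actual implementation): a weak flow in which a second sign-up for the same identity silently replaces the email and PIN, beside a hardened flow that refuses duplicate sign-ups and only applies an email change after a token sent to the address already on file is presented. Identity keys, addresses and the `run_scenario` helper are assumed names.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    identity_key: str   # stands in for the SSN + date of birth that identify the person
    email: str
    pin: str
    # messages the bureau sends to the address currently on file (constructed log)
    sent_to_email_on_file: list = field(default_factory=list)
    pending_email_changes: dict = field(default_factory=dict)  # token -> proposed email


class WeakBureau:
    """Sign-up that trusts identity data plus knowledge-based answers alone.
    A second sign-up for an identity that already has an account replaces the
    email and PIN on file, and the notice goes out only after the fact."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}

    def sign_up(self, identity_key: str, kba_passed: bool, email: str, pin: str) -> str:
        if not kba_passed:
            return "rejected"
        existing = self.accounts.get(identity_key)
        if existing is not None:
            existing.sent_to_email_on_file.append(f"your email was changed to {email}")
            existing.email, existing.pin = email, pin
            return "existing-account-overwritten"
        self.accounts[identity_key] = Account(identity_key, email, pin)
        return "created"


class HardenedBureau:
    """The behaviour the article attributes to TransUnion and Equifax:
    a duplicate sign-up is refused and routed to the existing account's
    recovery flow, and an email change only takes effect once a token
    delivered to the address already on file has been presented."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}

    def sign_up(self, identity_key: str, kba_passed: bool, email: str, pin: str) -> str:
        if identity_key in self.accounts:
            # Refuse without revealing or modifying the existing account's details.
            return "account-exists-use-password-reset"
        if not kba_passed:
            return "rejected"
        self.accounts[identity_key] = Account(identity_key, email, pin)
        return "created"

    def request_email_change(self, identity_key: str, new_email: str) -> str:
        acct = self.accounts[identity_key]
        token = secrets.token_urlsafe(16)
        acct.pending_email_changes[token] = new_email
        # The confirmation goes to the OLD address, so the current owner decides.
        acct.sent_to_email_on_file.append(f"confirm change to {new_email}: {token}")
        return token

    def confirm_email_change(self, identity_key: str, token: str) -> bool:
        acct = self.accounts[identity_key]
        new_email = acct.pending_email_changes.pop(token, None)
        if new_email is None:
            return False  # unknown, reused or guessed token: nothing changes
        acct.email = new_email
        return True


def run_scenario() -> dict:
    """Replay the article's scenario against both models and return what happened."""
    results = {}
    weak = WeakBureau()
    weak.sign_up("person-A", True, "owner@example.com", "1234")
    results["weak_second_signup"] = weak.sign_up("person-A", True, "second@example.net", "9999")
    results["weak_email_after"] = weak.accounts["person-A"].email

    hard = HardenedBureau()
    hard.sign_up("person-A", True, "owner@example.com", "1234")
    results["hard_second_signup"] = hard.sign_up("person-A", True, "second@example.net", "9999")
    results["hard_email_after"] = hard.accounts["person-A"].email
    token = hard.request_email_change("person-A", "new-owner@example.com")
    results["hard_bad_token"] = hard.confirm_email_change("person-A", "not-the-token")
    results["hard_good_token"] = hard.confirm_email_change("person-A", token)
    results["hard_email_final"] = hard.accounts["person-A"].email
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

In the hardened model the notification is a decision point for the legitimate owner rather than an after-the-fact notice, which is the property the article finds missing.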

KrebsOnSecurity has long urged readers in the United States to place a security freeze on their files with the three major credit bureaus. With a freeze in place, potential creditors can’t pull your credit file, which makes it very unlikely anyone will be granted new lines of credit in your name. I’ve also advised readers to plant their flag at the three major bureaus, to prevent identity thieves from creating an account for you and assuming control over your identity.

The experiences of Rishi, Turner and this author suggest Experian’s practices currently undermine both of those proactive security measures. Even so, having an active account at Experian may be the only way you find out when crooks have assumed your identity. Because at least then you should receive an email from Experian saying they gave your identity to someone else.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

Emory Roan, policy counsel for the Privacy Rights Clearinghouse, said Experian not offering multi-factor authentication for consumer accounts is inexcusable in 2022.

“They compound the problem by gating the recovery process with information that’s likely available or inferable from third party data brokers, or that could have been exposed in previous data breaches,” Roan said. “Experian is one of the largest Consumer Reporting Agencies in the country, trusted as one of the few essential players in a credit system Americans are forced to be part of. For them to not offer consumers some form of (free) MFA is baffling and reflects extremely poorly on Experian.”

Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley, said Experian has no real incentive to do things right on the consumer side of its business. That is, he said, unless Experian’s customers — banks and other lenders — choose to vote with their feet because too many people with frozen credit files are having to deal with unauthorized applications for new credit.

“The actual customers of the credit service don’t realize how much worse Experian is, and this isn’t the first time Experian has screwed up horribly,” Weaver said. “Experian is part of a triopoly, and I’m sure this is costing their actual customers money, because if you have a credit freeze that gets lifted and somebody loans against it, it’s the lender who eats that fraud cost.”

And unlike consumers, he said, lenders do have a choice in which of the triopoly handles their credit checks.

“I do think it’s important to point out that their real customers do have a choice, and they should switch to TransUnion and Equifax,” he added.

More greatest hits from Experian:

2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service

Update, 10:32 a.m.: Updated the story to clarify that while Experian does sometimes ask users to enter a one-time code sent via SMS to the number on file, there does not appear to be any option to enable this on all logins.

kbreit
149 days ago

Go ahead, delete your .env.example file


When we develop software, it’s common practice for engineers to require system configuration in order to run a program. We specify instructions on how to set up your own local environment in a .env.example file or README.md file.

For every project that we work on and for every configuration change of those projects, we need to do manual work to keep our local environments up to date so they continue to work. Often, this is a struggle. Also, aren’t we all sick of hearing “it works on my machine”?

Why are we creating and maintaining this configuration manually? The reason: our required configuration contains sensitive values that should be kept secret. For this reason, the environment file that’s consumed by our applications is added to the .gitignore file, in order to avoid it being synced to source control.

To date, there is no common practice to collaborate on and share these sensitive values securely and effectively. We’re either sharing the values insecurely (via email and other messaging apps), or adding to the hassle of configuring our environments by doing our own encryption inside source control using tools like GPG (do you also always forget which command to use?). Or, we manually copy sensitive values, for example by pairing with a colleague that already has the sensitive value on their machine.

Why can’t we have a way to collaborate on configuration both effectively and securely? With the launch of 1Password Developer Tools, let’s take a closer peek at an alternative way to collaborate on configuration to remove the hassle – and securely store and synchronize the sensitive values that we should keep secret.

A new way to collaborate on environment configuration

Instead of keeping the environment configuration out of source control, why don’t we just remove the sensitive values, so that we can enjoy all the benefits of collaboration that source control provides us?

This is exactly what 1Password now allows you to do. You store the sensitive values in 1Password and replace those same values in your environment configuration with references to where these values are stored in 1Password. 1Password CLI loads these values from 1Password when and where you need them.

Since the environment configuration no longer contains sensitive data, you can check it into source control, collaborate on it using pull requests and every developer working on the project automatically receives the configuration they need when they check out a version of your source code.

[Image: GitHub commit page authored by Simon Barendse pushing changes to a .env file that includes a Stripe publishable key and secret key.]

Accelerate onboarding

When new folks join the team or start working on a new project, there’s no longer a requirement to configure a local environment. Their manager can add them to the 1Password user group for the team they just joined, which grants them access to the secrets they need to do their job. Instead of spending their first day struggling to get their environment configured, all the new developer needs to do is clone the repository and they’re good to go.

Let’s go a step further and automate access provisioning through the 1Password CLI so the new team member doesn’t need to be manually added to the user group by the manager. For example, one can grant access automatically when teammates are added to the GitHub project for which they require these secrets.

Remove interruptions from your day-to-day

When environment configuration is managed manually, your development workflow is interrupted when a colleague merges a change that requires configuration. Then, you have to redirect your attention to reproducing the environment of your colleague to fix your build, before you can continue developing another feature, costing the team valuable time.

[Image: List of user environment variables with their name and corresponding value.]

Using the new workflow enabled by 1Password, you no longer need to manually synchronize your environment to keep up with the state of the code-base. When your teammate makes a change to the codebase that requires a configuration change, they commit the required config change in the environment file together with the code changes. When you pull these new changes, you’re good to go. All the configuration is synchronized through source control and you never have a broken environment anymore. 🚀

The file you’re using to configure the program when you’re developing the feature is the exact same file that you’ll check into source control and share with your colleagues. This ensures that the configuration is reproducible and complete. There’s no longer an additional .env.example or README.md file that you’ll need to separately update (and can forget to do) to inform your colleagues about the necessary changes.

Achieve Dev/Prod parity

To prevent errors occurring in production that weren’t present during development, the dev/prod parity factor of the twelve-factor app states you should keep development, staging and production as similar as possible.

For security, secrets should vary between the different environments. To protect the production environment, access is typically restricted to a smaller group (e.g. Operations or Sr. Devs). When (other) developers make changes to the application code that require a configuration change, while using traditional environment files that contain the secrets, they cannot edit the production configuration file. This friction can lead to missing configuration in production, which causes the application to not work properly, or not work at all in production.

1Password secret references enable developers to write and review the configuration without requiring access to the secrets themselves. The operations team uses the same configuration file for production as the developers do during development, and then adds the required secrets to the production vault in 1Password.

We can also go a step further and add an automated check in your CD pipeline, validating that all secrets used by the configuration are stored in 1Password.

DB_USER = op://my-project-$env/database/username
DB_PASSWORD = op://my-project-$env/database/password
STRIPE_PUBLISHABLE_KEY = op://my-project-$env/stripe/publishable-key
STRIPE_SECRET_KEY = op://my-project-$env/stripe/secret-key
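The pipeline check described above, and the reference syntax the earlier section introduced, as an added example (this is not 1Password's code or CLI): it parses an environment file of the shape shown, substitutes the `$env` placeholder, and reports which `op://vault/item/field` references resolve against an inventory of what each vault holds. The `SAMPLE_ENV` text, the `INVENTORY` dictionary and the function names are constructed for illustration.

```python
import re

# Shape of a secret reference as used on the page: op://<vault>/<item>/<field>
REF_RE = re.compile(r"^op://(?P<vault>[^/]+)/(?P<item>[^/]+)/(?P<field>[^/]+)$")

# Constructed env file mirroring the page's example (not a real project's file).
SAMPLE_ENV = """
# database
DB_USER = op://my-project-$env/database/username
DB_PASSWORD = op://my-project-$env/database/password
STRIPE_PUBLISHABLE_KEY = op://my-project-$env/stripe/publishable-key
STRIPE_SECRET_KEY = op://my-project-$env/stripe/secret-key
LOG_LEVEL = debug
"""

# Constructed inventory standing in for what the vaults hold: vault -> item -> fields.
# The production vault is deliberately missing the Stripe secret key.
INVENTORY = {
    "my-project-dev": {
        "database": {"username", "password"},
        "stripe": {"publishable-key", "secret-key"},
    },
    "my-project-prod": {
        "database": {"username", "password"},
        "stripe": {"publishable-key"},
    },
}


def parse_env(text: str) -> dict:
    """Minimal KEY = VALUE parser: skips blanks and '#' comments, strips quotes."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip().strip('"').strip("'")
    return out


def check_env(text: str, env_name: str, inventory: dict) -> dict:
    """Classify each variable for one environment (the page's $env placeholder).

    resolved:      reference points at a vault/item/field the inventory has
    missing:       reference points at something the inventory lacks
    non_reference: value is a literal, so it will be checked in as written
    """
    report = {"resolved": [], "missing": [], "non_reference": []}
    for key, value in parse_env(text).items():
        match = REF_RE.match(value.replace("$env", env_name))
        if match is None:
            report["non_reference"].append(key)
            continue
        fields = inventory.get(match["vault"], {}).get(match["item"], set())
        bucket = "resolved" if match["field"] in fields else "missing"
        report[bucket].append(key)
    return report


def secrets_are_present(text: str, env_name: str, inventory: dict) -> bool:
    """Pipeline gate: True only when every reference resolves for this environment."""
    return not check_env(text, env_name, inventory)["missing"]


if __name__ == "__main__":
    for env in ("dev", "prod"):
        print(env, check_env(SAMPLE_ENV, env, INVENTORY))
```

The `non_reference` list mixes harmless settings such as a log level with anything that was pasted in as a literal, so it is worth a glance in review: a value there is exactly what the reference workflow is meant to keep out of source control.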

Improve security

Did you notice that throughout this new workflow the environment file on your system never has the plaintext secrets? The 1Password CLI passes the secrets to just the process running your application, adding to the security of your workflow. The secrets are only kept in memory and never written to disk.

For the secrets protecting our development environments, synchronizing an update with every developer on the project has been such a hassle that we have come to accept that we (almost) never rotate them.

In too many cases, former teammates can still access these environments. Because this new way of collaborating on the environment configuration removes the manual steps required to synchronize changes, we can now rotate secrets as many times as we’d like without interrupting the developers working with these secrets. Note that this is especially important to do for development workflows that connect to production infrastructure, which tend to be more sensitive. Think for example about configuration for operations and configuration for infrastructure as code projects.

Get started using 1Password environment configuration in your projects today

We’re curious what you think about this new way of collaborating on development environment configuration. How will you be using this? And where should we go with this next? Let us know in the community!

Collaboration on environment configuration is just one of the many improvements we’re creating to make developers’ daily lives easier and more secure. Keep an eye out for more updates and subscribe to our developer newsletter to be notified of new developments.

To upgrade your team’s productivity and security today, get started with environment configuration using 1Password.

kbreit
182 days ago