Superb cache, my favourite in Vienna so far. Love the design; I might try to make one like this back in Oxfordshire, UK upon my return!
FP awarded.
Coordinates put me exactly where I needed to be. Fortunately I had exactly what I needed to retrieve the cache: it’s something I always carry when I’m caching anyway!
I’ve been in Vienna for a week to meet work colleagues, and today – our meetings at an end and still with a few hours before my plane leaves – I
decided to come out and find some local geocaches.
At the GZ there were lots of good hiding places so I reached over and around. In a few seconds my fingers touched the cache. Great!
But then – disaster! As others have observed, the magnets in this cache aren’t the
strongest and it bounced free. It fell a long, long way! I rushed across the road and down to the lower level to grab it. Luckily the cache container was unharmed, so I signed the log
as I carried it back to up its hiding place. What an adventure!
FP awarded for the cool container and hiding place, and for the fun story you helped me tell. Greetings from Oxfordshire, UK. TFTC!
Finishing my morning walk where, perhaps, I should have started it with the first cache in this enjoyable series. Took a while for a good GPSr fix and I walked up and down the path a few times before spotting the container. But then – disaster – this replaced cache has a brand new log book… and I’ve
dropped my caching pencil somewhere between the last cache and this one. Unable to sign log, but hopefully attached picture showing CO’s replacement message will suffice.
TFTC, and the series in general. So glad to be able to take this lovely walk from Fairlawns this year. FP
awarded here for the series in general.
Distracted by the cattle eating their breakfast and the increasingly beautiful sunrise, almost forgot to look for this cache. Read the hint but still didn’t have a clue until I spotted
something out-of-place in a field. Sure enough, it was the cache. Nice hide! TFTC.
Sunrise taking off in earnest now with reds and pinks on the horizon, and my spine – unhappy for sleeping in an unfamiliar bed last night – is enjoying getting a stretch from the walk,
too. Stared right at this cache for a moment thinking “well that’s where I would hide it, but would the CO” before reaching to check and,
yup, putting my hand right on it. Now on through the cattle field!
I can see why the previous log moved this cache; pleased to see you be a good hiding place on the other side. Also pleased this wasn’t another nano! Light’s grown enough now to add a
smiley selfie from the path. Greetings from Oxfordshire, and TFTC!
Got carried away with my walk and briefly overshot this one: realised as I reached the quarry road. Turned back and found the cache in the third place I looked. Said hi to a rabbit and
the horses, up and foraging for their breakfast in the early light, before moving on.
This morning’s caching expedition just has it in for my back, I fear, with this one no exception. Nonetheless, a QEF in the first place I looked. TFTC!
A nonprofit I volunteer with has, years ago, held our Christmas bash at the nearby Fairlawns Hotel. We haven’t been in several years and –
even though we missed Christmas itself by a full month! – decided to return here this year.
I’m often an early riser, especially when away from home, and enjoy making the most of the first light with a walk. Last time I was here there wasn’t a geocache in sight, so imagine my
delight to find that now there’s one right on the doorstep! Armed with a torch to fight off the renaming pre-dawn darkness, I braved the cold and came out to explore.
Found the obvious hiding spot quickly, but my sore back (Fairlawns’ mattress was somewhat softer than I enjoy!) made retrieval challenging! Still, a success once I was on my hands and
knees! TFTC, and Merry Christmas I guess!
The two most important things you can do to protect your online accounts remain to (a) use a different password, ideally a randomly-generated one, for every service, and (b) enable
two-factor authentication (2FA) where it’s available.
If you’re not already doing that, go do that. A password manager like 1Password, Bitwarden, or LastPass will help (although be aware that the latter’s had some security issues lately, as I’ve mentioned).
I promised back in 2018 to talk about what
this kind of authentication usually1
looks like for me, because my approach is a little different:
I simply press my magic key combination, (re-)authenticate with my password safe if necessary, and then it does the rest. Including, thanks to some light scripting/hackery, many
authentication flows that span multiple pages and even ones that ask for randomly-selected characters from a secret word or similar2.
My approach isn’t without its controversies. The argument against it broadly comes down to this:
Storing the username, password, and the means to provide an authentication code in the same place means that you’re no-longer providing a second factor. It’s no longer e.g.
“something you have” and “something you know”, but just “something you have”. Therefore, this is equivalent to using only a username and password and not enabling 2FA at all.
I disagree with this argument. I provide two counter-arguments:
1. For most people, they’re already simplifying down to “something you have” by running the authenticator software on the same device, protected in the same way, as their
password safe: it’s their mobile phone! If your phone can be snatched while-unlocked, or if your password safe and authenticator are protected by the same biometrics3,
an attacker with access to your mobile phone already has everything.
2. Even if we do accept that this is fewer factors, it doesn’t completely undermine the value of time-based second factor codes4.
Time-based codes have an important role in protecting you from authentication replay!
For instance: if you use a device for which the Internet connection is insecure, or where there’s a keylogger installed, or where somebody’s shoulder-surfing and can see what you type…
the most they can get is your username, password, and a code that will stop working in 30 seconds5. That’s
still a huge improvement on basic username/password-based system.6
Note that I wouldn’t use this approach if I were using a cloud-based password safe like those I linked in the first paragraph! For me personally: storing usernames, passwords, and
2FA authentication keys together on somebody else’s hardware feels like too much of a risk.
But my password manager of choice is KeePassXC/KeePassDX, to which I migrated after I realised that the
plugins I was using in vanilla KeePass were provided as standard functionality in those forks. I keep the master copy of my password database
encrypted on a pendrive that attaches to my wallet, and I use Syncthing to push
secondary copies to a couple of other bits of hardware I control, such as my phone. Cloud-based password safes have their place and they’re extremely accessible to people new to
password managers or who need organisational “sharing” features, but they’re not the right tool for me.
As always: do your own risk assessment and decide what’s right for you. But from my experience I can say this: seamless, secure logins feel magical, and don’t have to require an
unacceptable security trade-off.
Footnotes
1 Not all authentication looks like this, for me, because some kinds of 2FA can’t be provided by my password safe. Some service providers “push” verification checks to an app, for example. Others use proprietary
TOTP-based second factor systems (I’m looking at you, banks!). And some, of course, insist on proven-to-be-terrible
solutions like email and SMS-based 2FA.
2 Note: asking for a username, password, and something that’s basically another-password
is not true multifactor authentication (I’m looking at you again, banks!), but it’s still potentially useful for organisations that need to authenticate you by multiple media
(e.g. online and by telephone), because it can be used to help restrict access to secrets by staff members. Important, but not the same thing: you should still demand 2FA.
3 Biometric security uses your body, not your mind, and so is still usable even if you’re
asleep, dead, uncooperative, or if an attacker simply removes and retains the body part that is to be scanned. Eww.
4 TOTP is a very popular
mechanism: you’ve probably used it. You get a QR code to scan into the authenticator app on your device (or multiple devices,
for redundancy), and it comes up with a different 6-digit code every 30 seconds or so.
5 Strictly, a TOTP code is
likely to work for a few minutes, on account of servers allowing for drift between your clock and theirs. But it’s still a short window.
6 It doesn’t protect you if an attacker manages to aquire a dump of the usernames,
inadequately-hashed passwords, and 2FA configuration from the server itself, of course, where other forms of 2FA (e.g. certificate-based) might, but protecting servers from bad actors is a whole separate essay.
If you read a lot of the “how to start a blog in 2023” type posts (please don’t ever use that title in a post) the advice will often boil down to something like:
Kev writes about what he’s learned from ten years of blogging. As a fellow long-term
blogger1, I was
especially pleased with his observation that, for some (many?) of us old hands, all the tips on starting a blog nowadays are things that we just don’t do, sometimes
deliberately.
Like Kev, I don’t have a “niche” (I write about the Web, life, geo*ing, technology, childwrangling, gaming, work…). I’ve experimented with email subscription but only as a convenience to people who prefer to get updates that way – the same reason I push articles to Facebook – and it certainly didn’t take off (and that’s fine!). And as
for writing on a regular schedule? Hah! I don’t even
manage to be uniform throughout the year, even after averaging over my blog’s quarter-century2 of history.
Also like Kev, and I think this is the reason that we ignore these kinds of guides to blogging, I blog for me first and foremost. Creation is a good thing, and I take
my “permission to write” and just create stuff. Not having a “niche” means that I can write about what interests me, variable as that is. In my opinion the only guide to starting a blog that anybody needs to read is
Andrew Stephens‘ “So You Want To Start An Unpopular Blog”.
And if that’s not enough inspiration for you to jump back in your time machine and party like the Web’s still in 2005, I don’t know what is.