Learn Python On A Smartphone

You can learn to code Python on an iPhone or Android relatively easily. There are lots of classes and tutorials on where to start, but all you really need is a smartphone and a good search engine to get started. I like to tell people that there is no single more important or useful thing you can learn, other than to speak and read/write. You’ll never look back on your life and say, “Boy, I wish I hadn’t learned this incredibly useful skill.” It may seem crazy that you can learn Python on an iPhone, but it’s actually really simple, and anyone can do it.

  • Start with the right peripherals. Specifically invest in an Apple TV or Chromecast and a Bluetooth keyboard. You’re going to thank me later when your thumbs aren’t falling off.
  • Next, download something like Python 2.7 for iOS ($1.99). It’s not quite as full-featured as the full-blown thing, but it’s a great place to get your feet wet as you’re learning, and doesn’t require Internet access, which is great when you’re on an airplane or out in nature and still want to be learning/practicing.
  • If you want an eBook that you can read on the road without lugging a heavy book along with you, you can try Introduction to Python Programming ($9.99 on Kindle). There is a free Kindle app for the iPhone too, which is even better.
  • Once you feel a little more comfortable programming you can shift to getting yourself a FREE Amazon EC2 instance. Yes, Amazon has a free tier to get you started. They want you to like and use their products and what better way to entice you than to give it to you for free, right? You’ll want an Ubuntu install for this, because it works really well with Python.
  • Next you’ll download and install the Coda App ($24.99) or an equivalent SSH client. This will allow you to connect to your EC2 computer in the cloud. Just copy the private key and use that with the username provided, which will be “ubuntu” and you should be off to the races. I recommend you also run the command “screen” upon login so that if you get disconnected you can just type “screen -r” and recover the session without losing anything. This is a key bullet because it will allow you to build a website too if you want.
  • Then you can use your favorite terminal editor. I prefer vi, which has a steep learning curve but is very lightweight and powerful. Here’s a great tutorial on vi. If that’s too complicated pico is a nice option.

If you’ve ever wanted to pick up a new skill, this is a very inexpensive way to do it. I always recommend starting with something simple that you need to be done repetitively. A simple program that alerts you when something happens, or something that allows you to write something down in a format that’s easy to retrieve are both good examples of things you might need to be done on a regular basis. Start simple and start with something you need and it’ll be a lot more practical.

This is one of the many ways in which smartphones are helping to democratize business. Even someone with just a smartphone can start a business, learn to program, or generally produce great content. I hope this has been helpful! Good luck!

Mud Puddle Problem

When it comes to security of the apps you use and the device you chose, I think it’s best to consider the Mud Puddle problem. That may not be a term you’ve heard but it’s very important to understanding how threat actors think about your device.

For instance, let’s say you drop your phone in a puddle of mud and it ceases working. You try everything you can to clean it up but it stops working. If you can take it to some store and some genius can recover your data off of the device, it has failed the mud puddle problem.

The basic concept is this. If there is a way that a stranger can take your device and resurrect the data out of it, it means an adversary can do it as well. That is why it is always best to ask vendors how your data is secured. Can they recover your information after you’ve deleted it? Can they recover it after your account has been erased? Can they recover it if your device has been crushed in an anvil? If the answer is yes, then probably many people have access to your data whether you or they realize that or not.

It’s something to keep in mind as you decide which products and services to use.

Lost and Found

Losing your laptop or phone is one of the most devastating things that can happen. Not only is there a loss of whatever data wasn’t backed up, a loss of business continuity as you find and re-build a replacement, but there’s also the potential of loss of critical data. This is actually one area the phone is substantially better – you can carry it with you everywhere. Like I discussed before, you’re far more likely to bring your phone with you to the bathroom than act like a nut-job and bring your laptop. It’s just a fact. Even if you’re extremely good about keeping your laptop bag with you at all times, it’s just far more likely that you’ll be separated from it than from a smart phone.

But I’d be remiss in saying that a smart phone is a perfect solution. It too can and does get separated from your hands. You go through an airport, it’s out of your hands. You want to show someone a video? There it is, in someone’s hands, unlocked. I have even been told I can’t bring my cell phones into a meeting – so there it sits in some basket outside of my direct line of sight. Let’s ignore the threat of malware for this post, because that’s a different threat vector in a number of ways.

So what do you do when your cell phone is stolen to prevent bad things from happening beyond the immediate loss of the hardware? There are some pre-emptive steps you can take and some things you’ll have to do after the fact:

Let’s start with the pre-emptive steps:

  • Keeping your phone locked with a password is the first line of defense. If you can limit it to a number of failures before being wiped, that further increases your safety. If your phone is locked, the data within should be safe barring any other vulnerabilities in the phone. I really recommend a relatively short timeout (e.g. less than 5 minutes) before the screen locks, but not so short (e.g. less than two minutes) that you have to type your password/passphrase often in public, as that creates more opportunities for shoulder surfing the password/passphrase.
  • Disable Wifi on the phone when out in public. You don’t want the phone connecting to a random Wifi network and being man-in-the-middled, which would make the content it sends over the wire visible. Apple has made a lot of progress here by requiring that apps communicate over HTTPS, but that’s still not 100% rolled out, given that there are many apps that have circumvented this rule.
  • Disable any notifications so they aren’t readable on the locked screen so that information isn’t leaked to whomever has the phone ahead of time. This often requires a lot of configuration of each app’s notifications.
  • Use a long passcode/passphrase instead of the short 4 digit pins or equivalent, so that brute force is significantly more difficult. I know it’s annoying, especially when you’re in a hurry, but it does provide a significant barrier to someone breaking into the phone once it’s outside of your control.

After the fact:

  • Use any/all services you have to locate the phone. Maybe your friend picked it up for you at the bar. You can attempt to call it as well. At this point it’s probably gone and you can move on to the following. One trick is to allow one of your close friends to always have access to your phone’s location. That’s a lot of trust though, and understandably comes with its own risks.
  • Remote wipe the device if you can.
  • Immediately change all passwords to all of the services you use, and ideally lock that phone out from any APIs it is authorized to once the phone is deemed lost.
  • Disable VPN accounts, and any SSH keys you use. As an aside I don’t recommend SSH keys as the only line of defense for exactly this reason – if the machine is compromised they have instant access to the remote server. I prefer SSH keys be used to jump to bastion hosts or VPN tunnels, but then passwords be used from that point on, so that even if an attacker does get access to the bastion host, they can’t pivot into the other machines because they lack the password. Passwords are easy to brute force though, so that’s why you use them only after a key is required. It’s a bit like second factor auth in a way.
  • Assume email has been compromised, shut down the accounts immediately. This is one of the most critical steps, because email typically has a lot of passwords, and PII in it. And worse yet, most of the services you use require an email for password reset. Once they have access to email they have access to everything. This means every password needs to be changed that exists in your email, and anywhere you use that password should also be changed.
  • Assume that all apps that have access to your credit cards have been compromised – think things like Uber, and Amazon. Unfortunately this means you need to cancel your credit card immediately.
  • Assume all chat clients that you have logged into have been compromised. iMessage, SMS, Facebook, Instagram, Snapchat, Signal, Twitter, Yahoo!, MSN, IRC, Slack, Hipchat, WeChat, Skype, etc… etc… Only chat clients with ephemeral OTR are reasonably safe because they auto-delete content over time, but even still, the adversary can read recent messages and contact your contacts as you, so you’ll need to disable the account/change passwords, etc if that’s possible.
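
For the step above about disabling SSH keys, here is an added example (not part of the original post) of removing a lost phone's public key from a server's authorized_keys file by its SHA256 fingerprint. The key blobs, comments and file contents are constructed samples, and the function names are illustrative.

```python
import base64
import hashlib
import struct

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Return (key_blob, comment) for an authorized_keys line, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options may precede the key type and may contain spaces, so accept a
    # field pair only if the decoded blob starts with the key type's name.
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        name = fields[i].encode()
        if blob[:4] == struct.pack(">I", len(name)) and blob[4:4 + len(name)] == name:
            return blob, " ".join(fields[i + 2:])
    return None

def revoke(authorized_keys_text, lost_fingerprints):
    """Drop entries whose fingerprint is listed; return (new_text, removed)."""
    kept, removed = [], []
    for line in authorized_keys_text.splitlines():
        entry = parse_entry(line)
        if entry and fingerprint(entry[0]) in lost_fingerprints:
            removed.append(entry[1] or "(no comment)")
        else:
            kept.append(line)  # comments, blanks and other keys stay untouched
    return "\n".join(kept) + "\n", removed

def constructed_key(fill):
    """Constructed sample: an ed25519-shaped blob of filler bytes, not a real key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(blob).decode()

PHONE, LAPTOP = constructed_key(0x11), constructed_key(0x22)
SAMPLE = (
    "# constructed authorized_keys sample\n"
    f"ssh-ed25519 {LAPTOP} me@laptop\n"
    f'command="echo ssh-ed25519 hi",no-pty ssh-ed25519 {PHONE} me@lost-phone\n'
)
```

Calling revoke(SAMPLE, {fingerprint(base64.b64decode(PHONE))}) returns the file text without the phone's entry plus the list of removed comments. Matching on the fingerprint rather than the comment matters because the comment is free text and can be the same on several keys.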

The nice part though, is that while all that stuff sounds bad, if you follow the very first step, you may have no issues at all to worry about other than replacing the device. So in many ways the primary defense really is the best one – a good password and keeping it locked when it’s out of your sight.

Period Shortcut on iPhone

I’ve never been a big fan of cloud based applications or cloud based programming as a general rule, because I lose control over what I’m working on, it’s more difficult to use those services when I’m traveling with spotty connectivity, etc. But for the sake of moving down the path of a phone desktop replacement, it’s important to get at least vaguely comfortable with the idea that if you need to do some programming work, you’re probably not going to want to be doing that on your phone.

I’ll talk about doing dev-work on the phone itself in a bit, but for now, let’s talk about cloud solutions. Over the last week I’ve slowly gotten myself used to connecting through iSSH to remote Amazon Elastic Cloud Computing (EC2) servers to test various features, develop simple applications and general ease of use. I’ll dissect iSSH at a later date as well, but I ran into other interesting issues almost immediately.

Firstly, as I said in a previous post, I use Vi (or Vim) as an online editor fairly regularly, because it makes my life easier. However, there’s a usability feature of the iPhone that gets in the way. If you hit double space on the iPhone it creates a period. If you are in Vi, a period will do one of two things. It will either write a physical period if you are in editing mode, or it will run the previous command. Yes, whatever thing you just did, it will do it again. So if you were just editing something and you added a word, that word will get added again. Extremely frustrating.

If you’ve seen the Silicon Valley episode on spaces versus tabs, you’re probably chuckling to yourself right now, but the reason I use spaces is because terminals are often fixed-width and line wrapping is reduced when you use spaces. Anyway, without getting into a religious war, on the iPhone it can be overridden by going to Settings – Keyboard – “.” Shortcut and disabling that shortcut checkbox.

Disable “.” Shortcut

Ideally something like this would be optional and easy to enable or disable on an app by app basis when a user identifies a problem with their shortcuts. But for now, this workaround does work well, if you are okay disabling this otherwise helpful shortcut for the rest of the applications that need it.