The 2017 Daily Carry

When a consultant friend (Hi M!) asked what I carried with me every day, it was the first time that I’d stopped to think of everything I’ve collected over the years to carry with me on a day-to-day basis. Based on their challenge, I’ve catalogued what’s in my daily carry bag, and I present it here for you. 

First up, the bag itself. I have a 2013 Timbuk2 custom messenger bag. Timbuk2 bags have two specific problems: One, they’re gorgeously designed and Two, they last forever. I’ve had a total of four since 1996, and I’ve never needed to buy a new one; I just always wanted to change up my style before the bag gave out. Better still, they have lifetime warranties, so if a part gives out, you can ship back your bag and they’ll shine it up good as new. They’re not inexpensive, but the features of the bag are substantial, and the design is wonderful. My messenger has a flap organizer in the front fascia, as well as multiple zip pockets for business cards, baseball cards, your passport, and other flat goods. The flap organizer is my catchall for small tools and keychains that I tote with me all the time.

From a hardware perspective, I carry the following:

  • Late 2016 MacBook Pro 15” with TouchBar, 1TB, 16GB
  • iPad Pro 12.9” with Apple Pencil
  • iPhone 7 Plus (Matte Black)
  • AirPods

The MacBook Pro and iPad ride back to back in the padded laptop sleeve in the center of the bag, with the iPad behind in the protected position.

Inside my bag itself I have a couple of organizers that serve as containers for primary work tasks, and they keep the contents protected and clearly identified and organized in case I need them. The bigger of the organizers is a Skooba Cable Stable DLX, with multiple mesh pockets to allow easy visibility into the contents, and elastic tension loops to hold the contents in place.

Contents, Left Side:

  • Mini DisplayPort to DVI Adapter
  • Wired EarPods
  • USB-C to Lightning cable – 2-meter
  • USB-C to USB-C charging cable – 2-meter
  • 27W USB-C Charger
  • Diskwarrior USB Drive
  • OWC Envoy Pro Mini USB Drive
  • LED Flashlight

Contents, Right Side:

  • Lightning to 3.5mm adapter
  • Paracord USB-A to Lightning Cable
  • Thunderbolt 2 to Gigabit Ethernet Adapters (2)
  • USB-A to USB Micro Cable – 6-inch
  • Netool Smart Network Terminal
  • USB-C to Lightning Cable – 2-meter
  • Belkin USB-C to Gigabit Ethernet Adapter (2)
  • Thunderbolt 3 to Thunderbolt 2 Adapter

Contents, Center Spine Loops:

  • USB-C to USB-A Adapters (2)

I don’t have a lot of notes on this set, except to say that extras are always welcome, especially when you think about all the times your clients need something and you just supply it out of thin air, and replace it later.

In addition to my primary organizer, I also keep a smaller Cable Stable Mini outfitted with my SpecAn (spectrum analyzer) gear. This includes a full Metageek set, including a Wi-Spy DBx for peeking at the 2.4 and 5 GHz spectrum in their entirety, as well as a Linksys AE2500 USB WiFi stick for use with Chanalyzer in my Windows VM (Windows VMs on the Mac can’t talk to the AirPort interfaces, we just get a raw network socket, so this is our workaround), as well as the USB-A to USB Mini interface. In the pocket I keep the antenna and hook. Sometimes I throw the Oscium Lightning-based SpecAn in this as well, but most times it’s loose in the pocket.

And then there’s everything else! This list starts at the upper left corner and works clockwise:

  • Thunderbolt 2 cable, 2-meter
  • Carmex
  • Field Notes notebook
  • Velcro Straps
  • USB 3 SanDisk Extreme
  • Code 42 branded microfiber cloth
  • Cleaning wipes
  • POE Injector
  • OLALA 13000mAh battery
  • PSUMA-branded 4000mAh backup battery
  • sticky-backed velcro strips
  • RJ-11 and RJ-45 jack ends
  • Zipties
  • Sugru moldable plastic
  • Pentalobe and Tri-wing screwdrivers
  • goTenna Bluetooth radio for texting when there’s no cell service
  • USB-A Voltmeter/Ammeter

That’s a look inside my daily carry. It’s pretty amazing how much stuff I tote around on a daily basis.

Tech Tips for a Hostile World

I’m not all the way through Kübler-Ross just yet, but I’m starting to think about how to respond in a way that’s productive, engaged, and focused on reality.

I’m a tech person, so I’m gonna talk about tech things. There are people that are going to be able to talk to you about effective protest tips, effective lobbying, good organizations to send money to, and all those things. This isn’t about that.

One of the most important things in a hostile world is the ability to protect yourself, and your communications. I’m going to tackle this in a couple different pieces:

Encrypt Your Mac

In a world where the central authorities are scary, and where you might want to protect your data, it’s really important to have some level of data protection. I strongly recommend the FileVault 2 technology that’s built into macOS and Mac OS X 10.9 and later. If you have a laptop with fast storage (an SSD), you won’t notice a difference. If you have an older machine with a spinning drive, this will cause a 20% performance hit.

Your computer may have helped you turn this on already. Open System Preferences, go to Security & Privacy, and click on the FileVault tab.

You will see a message that is unequivocal about the status of your computer’s drive. If FileVault is off, turn it on.

When you turn on FileVault, as part of the encryption process, it will generate a key that can unlock your computer that is separate from your computer password. This is a failsafe key designed to get you back in if everything else has gone to hell. Your computer will offer to escrow the key with your iCloud account with security questions protecting it. You can provide security questions there, but know that any answers you give are case sensitive and will need to be provided to Apple exactly as they are written in order to recover that key.

I wouldn’t recommend this if you’re really concerned with security, though. I would strongly recommend you print a copy of that key and give it to someone you trust, or someone that is bound by contract to store it without turning it over, like your lawyer if you have one. You could probably talk to a trusted IT professional who would keep that key safe.

Use iOS’ Built-in Security

While the Black Jeopardy skit makes fun of using your fingerprint on your phone, saying “that’s how they get you,” the TouchID sensor on iOS devices – and coming soon to a laptop near you – is a remarkably secure technology. The TouchID sensor has a direct connection to the Secure Enclave co-processor on the device, which uses encryption techniques that even the FBI and NSA will have trouble working against. Your fingerprint is tied to your passcode, and without your passcode, on boot your phone will not accept your fingerprint as proof of identity.

That means if you’re in trouble, shut your phone off.

All of this advice applies only to personally owned phones. If you’re using a phone that work gave you, do not expect privacy on that device, and don’t sign into your secured services on a work-owned device. Work-related devices will often be enrolled in a Mobile Device Manager that your employer can use to clear your passcode and provide access to third parties. This is the end-around for the San Bernardino situation that saw Apple in court with the FBI. If the device isn’t 100% yours, it’s not something you should trust your privacy on.

Use Only End-to-End Encrypted Messaging

If you’re part of the overall iOS/macOS ecosystem now, iMessage is a technology that is encrypted from device to device, which means no one in the middle can decrypt those communications. When your device connects to the iMessage servers for the first time, it creates a set of encryption keys that are used in all future communications, and those keys are what keeps your communications secure. Every message is individually encrypted using those keys, and the public keys of the person you are talking with. No third party can read them. This is called end-to-end encrypted messaging.

Facebook’s WhatsApp also uses end-to-end encryption. Please be aware that Google’s Allo and Google Talk products do not use end-to-end encryption, nor does AOL’s Instant Messenger, nor is standard SMS encrypted. These are all technologies that can be warranted and searched, and shouldn’t be considered private communications.

Use a VPN

There are a lot of great options you have to protect your traffic from prying eyes at your internet service provider, or the ISPs of your favorite coffee shop or any other public place. I recommend Cloak which is $120/yr for unlimited data, and shunts your data traffic securely out to an Amazon instance. Their privacy policy isn’t perfect, but take solace in the fact that, at least for now, the FBI won’t be knocking on their door until well after the 16 day window for records expires.

There are other options for this, and I would encourage looking around. I’ll update this post with other suggestions.

Use a Password Manager

Lastpass, 1Password, the iCloud Keychain, these are all examples of password managers, designed to help you use unique and complex passwords to access your online accounts. It’s good practice to have a unique password for every service you use. Embrace this, and use a good password manager with a strong master password you can remember.

Use Two-Factor Authentication

Much as your ATM card is useless without the PIN you have memorized, if you’re using two-factor authentication (2FA), just having your password won’t be enough to get access. Your Google, Dropbox, Facebook, Twitter and other accounts can support 2FA, and if you want a step-by-step guide, there’s a good one at Turn on 2FA, and you can use that to help you. I’ve been using Authy on my iPhone, and it’s been pretty great so far.

Join Organizations That Will Fight For Your Privacy And Rights

We’re all just individuals, but when we band together, our powers for good can magnify. I strongly recommend picking some organizations to join and be part of to help fight the battle on your behalf. Here are some organizations I’ll be donating to:

You can pick your own, or join me with these three. Suggest more in the comments!

Never Surrender, Never Give Up

I’m pretty exhausted right now, and I’m not sleeping well, but I figured it might help to outline some things people can do to help improve their privacy in the face of a government that is increasingly hostile.

Deploying NoMAD with Configuration Profiles

It feels a little silly to be so excited about something as simple as NoMAD, but there’s nothing simple about NoMAD behind the scenes. It’s doing a lot of heavy lifting that you’d usually need binding to accomplish. Avoiding the complication of binding simplifies your Mac environment. On the Macadmins.org Podcast recently, we spent an hour talking with Joel Rennich about just that.

We’ve now deployed NoMAD for a single site, using Munki to deploy the application bundle, but when it comes to deploying the preferences, I’ve decided to take some notes from the tea leaves being read and move my deployment strategy to take advantage of Mobile Configuration Profiles. Rusty Myers has a good meta-repository of Profiles if you’re not familiar with all the options available.

From our testing rig, where we finalized the settings for deployment, we built a good configuration. You can use the system defaults command to see what NoMAD is set up to do. defaults read com.trusourcelabs.NoMAD will give you the entire contents of the prefs domain, but you don’t need everything from that file. This is what we took forward from that file:

nomad-mcx

Now, if you want the full payload of preferences, there is a published guide to all of the settings options.

defaults read displays the contents of the preferences file in the old MCX format, which is exactly what we need to generate a profile for upload to MDMs, or deployment directly via Munki. Tim Sutton has written an MCX-to-Profile Python script that can take the contents of that file and turn it into a mobileconfig profile. Name the MCX file com.trusourcelabs.NoMAD so that the correct preferences domain is applied – or just change the name once the profile is built.

nomad-config

To get the profile out, we made it an update for the NoMAD installer itself, set as an unattended installation. When NoMAD is installed by Munki, it gets the profile as an upgrade in the background, installed and ready for first run. In this case, we’re using NoMAD even while bound, just to simplify the installation of an X509 identity for use with 802.1X and Cisco ISE for Wi-Fi purposes. There are a lot of good reasons to use NoMAD to simplify your world.
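As an added example (not the page’s code, nor Tim Sutton’s mcxToProfile script), this Python builds a mobileconfig with a managed-preferences payload for the com.trusourcelabs.NoMAD domain in the same shape that script produces, then reads it back to confirm the profile targets that domain before it goes into Munki. The preference keys and values are assumed placeholders; check them against the published settings guide.

```python
import plistlib
import uuid

NOMAD_DOMAIN = "com.trusourcelabs.NoMAD"  # preference domain named on the page
# Constructed sample of the settings taken forward from `defaults read`; the
# key names are NoMAD settings, the values are placeholders (assumption).
SAMPLE_PREFS = {"ADDomain": "ad.example.com", "KerberosRealm": "AD.EXAMPLE.COM", "UseKeychain": True}

def build_mobileconfig(domain, prefs, identifier="com.example.nomad"):
    """Return XML bytes of a system-scoped profile that forces `prefs` for
    `domain` through a managed-preferences (MCX-style) payload."""
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".mcx",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed preferences: " + domain,
        # "Forced" settings are re-applied every time, not just once.
        "PayloadContent": {domain: {"Forced": [{"mcx_preference_settings": dict(prefs)}]}},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "NoMAD settings",
        "PayloadOrganization": "Example Org",  # placeholder (assumption)
        "PayloadScope": "System",  # device level, as pushed by Munki or an MDM
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def managed_domains(mobileconfig):
    """Map each preference domain a profile manages to its forced settings, so
    a deployment step can reject a profile that targets the wrong domain."""
    found = {}
    for p in plistlib.loads(mobileconfig).get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        for domain, body in p.get("PayloadContent", {}).items():
            for entry in body.get("Forced", []):
                found.setdefault(domain, {}).update(entry.get("mcx_preference_settings", {}))
    return found

if __name__ == "__main__":
    data = build_mobileconfig(NOMAD_DOMAIN, SAMPLE_PREFS)
    assert managed_domains(data) == {NOMAD_DOMAIN: SAMPLE_PREFS}
    with open("NoMAD.mobileconfig", "wb") as fh:
        fh.write(data)
```

A profile built from an MCX file saved under the wrong name fails the managed_domains check here rather than silently installing a payload NoMAD never reads.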