What’s the best crypto-wallet for daily use?

Cryptocurrency is different than fiat money, as you probably already know.  But those differences make a HUGE impact on how you choose which wallet software to use.  And it’s all about control… YOUR control over your own money.

Let’s begin…

Rather than telling you which wallet apps are best, I’m going to lay out the features you need to look for in wallets, and the ones you need to DEMAND.  In other words, you should remove from consideration any wallet that does NOT have every feature on the “demand” list.  Other features that may help, but are not deal breakers, will be listed as “nice to haves”.  One of the reasons I’m not listing any wallets is because that would make this article dated eventually.  What I’m presenting here should be relevant for decades to come.

DEMAND

  1. Open Source:  If the software wallet you’re considering is NOT open source, then ditch it immediately!  Why?  Because open source wallets have no secrets.  Their entire source code is freely available for anyone to inspect, to guarantee there are no malicious intentions hidden behind the scenes.  Closed source wallets are a black box and you’re throwing out any chance of verification of honesty and relying SOLELY on the word of the wallet creator.  The whole point of cryptocurrency technology is that you DO NOT TRUST ANYONE ELSE WITH YOUR MONEY!  And that INCLUDES programmers… ESPECIALLY programmers!  And I say that AS A PROGRAMMER, MYSELF!
    1. Addendum:  Just because a wallet CLAIMS to be “open source”, doesn’t mean it IS.  For example, I could publish a closed source wallet and just CLAIM it’s “open source” and people would just believe it and download and use it, while I never publish the source code.  So, if some app CLAIMS it’s open source, DON’T BELIEVE THEM… EVER!  You go and FIND the source code (usually on https://gitlab.com or https://github.com) and verify the source code exists.  A reputable wallet author will also provide you a link to the source along with the binary to download.
    2. In addition to FINDING the source code, make sure you download the app FROM the source code repository’s binaries, NOT from an app store or anywhere else!
    3. If you’re a programmer, just download the source and compile it yourself and use THAT!  If you’re NOT a programmer, do #1.2 above.
  2. Must be an app that runs on your own hardware.  In other words, if it’s a website, then you’ve just completely obliterated the ENTIRE PURPOSE of cryptocurrency.  A website “wallet” is NOT a wallet.  It’s a BANK!  THEY are a centralized authority holding YOUR money.  By definition, if YOU are not in control of it, then it isn’t YOUR money, it’s THEIRS.  They ALLOW you to access it, until they DON’T!  Stay away from online wallets, with the brief exception of online exchanges where you EXCHANGE your cryptocurrency for fiat money or vice versa.  But as SOON as you acquire crypto from an online exchange, you MOVE IT IMMEDIATELY into your OWN wallet!
    1. This means that you must DOWNLOAD an app (desktop or mobile).  And I recommend staying away from browser plugin wallets.  Browsers are just not a safe enough environment.
  3. Your keys or seed phrases are not transmitted over the internet FOR ANY REASON!  Your keys ARE your money!  Whoever holds the keys, holds and OWNS the money.  This is the very core and soul of cryptocurrency.  It’s its reason for being.  NO ONE other than YOU should EVER know your seed phrase or passwords… EVER!!!

NICE TO HAVES

  1. Easy to use user interface.  A lot of people mistakenly think this is a “demand” feature, but you’re better off with a clunky UI that puts you in control of your crypto rather than a sleek and polished wallet that doesn’t meet all the “demand” features.
  2. Light vs. full node.  What does this mean?  The most secure wallet will be one that’s ALSO a full node on the network for that cryptocurrency.  But to do that, it would need to download the ENTIRE blockchain for that cryptocurrency.  For a popular cryptocurrency, like #BitCoin, that would mean HUNDREDS OF GIGABYTES of data (eventually TERABYTES!) and hours or days of downloading, plus consuming all that space on your hard drive, forever.  It would also mean that your PC would be an actor in the BitCoin network, processing transactions.  That’s actually a GOOD thing for the network, but NOT a good thing for your local resources.  If all you’re looking for is a wallet, a full node is beyond overkill.  It’s like running a whole grocery store just because you need a refrigerator for your milk.  I’m not discouraging you from being a node.  By all means, PLEASE DO run a full node.  It helps the whole crypto community.  But, it’s not necessary for YOU if all you want is a wallet.  A “light” wallet is JUST a wallet, not a full node.  As such, light wallets are the only kinds of wallets that are available on mobile.  A full node requires a desktop PC, plugged into the electrical outlet.

Other Considerations

There’s another kind of wallet that I’m on the fence about at the moment, because it violates demand #1:  It’s NOT open source.  However, it has some other interesting security features.

The Samsung cryptocurrency wallet

I know I said I’m not going to recommend any specific wallet, and I maintain that.  I AM, however, going to TALK ABOUT one:  The Samsung cryptocurrency wallet meets all the other demand features, but it IS NOT OPEN SOURCE!  However, it has an important security feature no other software based wallets have.  That is, modern Samsung phones and tablets have a hardware based key store.  This is a special, isolated chip that can store encrypted versions of your cryptocurrency keys.  This hardware IS robust and is an important, core feature of the Samsung Knox (now known as “Samsung Secure Folder”) isolated security environment.  It’s the only mobile environment approved by the US Department of Defense for its employees.  Take that however you like.

What is Samsung Knox (or “Secure Folder”)?  You know how you enter a PIN or a password, or a pattern, or a fingerprint, or a face image to unlock your phone?  Well, on Samsung phones, you have all that, PLUS another, completely isolated, secure environment INSIDE of that.  It’s like a smartphone within a smartphone.  Once you set up “secure folder”, you get a SECOND smartphone environment, with another home screen and another set of apps.  Apps installed inside this secure area are NOT accessible to apps outside of it.  I personally install all my financial apps inside of this area.  My games and less sensitive apps and data are stored in the regular phone area.

Side note:  Whether you use the Samsung crypto wallet or not, you SHOULD install the mobile wallet you DO use inside the Samsung Secure Folder area on your phone (if you’re using a Samsung device).

The Samsung Cryptocurrency wallet is a software mobile wallet, and just like all other mobile wallets, it encrypts your seed phrase to your cryptocurrency with your password.  But the difference is that it stores that in the isolated, secure chip.  THAT makes it immensely more secure.  HOWEVER, the app is NOT open source!  Hence my hesitation in recommending this app.  We have no way to know what’s REALLY going on inside the Samsung wallet, because it’s closed source.

My Compromise:

So, here’s my recommendation:  If you DO use the Samsung wallet, never have more in it than you’d ever put in your real, physical wallet.  In other words, in the days when you’d have a wallet in your pocket with cash in it (you remember that right?  That green paper that you’d trade for stuff?), you’d rarely carry more than about $100, because that’s all you’d need for 1 day and it wouldn’t be the end of the world if you lost it or if it were stolen.

I recommend the same practice with the Samsung crypto wallet.  Only store about $100(USD) worth of crypto in your Samsung wallet.  If you run across a local place that accepts crypto, you can spend it, but if there’s ever any kind of a breach with Samsung’s OS and/or software, you’re not going to lose too much.

And I’ll give the same $100 limit advice for ALL OTHER mobile wallets too!  Store the remainder of your fortunes in multiple hardware wallets or multiple desktop wallets.

Conclusion

Cryptocurrency was created for the purpose of YOU being in control.  Therefore, it’s pointless to store your cryptocurrency in a place that you DO NOT control.  As always, don’t put all your eggs or cryptos in one basket.  Don’t put your life savings into your mobile wallet.

Addendum

Speaking of not putting all your eggs in one basket:  As you start accumulating more and more wealth in cryptocurrency, either by continuous investing or by the value of it rising, it’s smart to create more digital wallets and spread your crypto among them.  Don’t store all your passwords and seed phrases in the same place.  Following these practices, if any of your wallets are ever compromised by your own failures to protect them, you won’t lose ALL of your assets.

In the comments below, tell us what wallets YOU use… THAT FIT THE DEMANDS listed here?  Please keep the conversation limited to those that fit the minimal demand list.

Samsung Blockchain Keystore “Couldn’t install app”

If you’re getting the “Couldn’t install app” error when trying to install the Samsung Blockchain Keystore app in your device’s Secure Folder, then read on.  Skip the background if you’re familiar with it and go straight to the Solution section.

Background

In mid-2019, Samsung came out with the Samsung Galaxy S10 phone.  At the same time, they introduced their first cryptocurrency wallet, the “Samsung Blockchain Wallet”.  At first, it only supported Ethereum.  But as of late 2019, it supports a few more cryptocurrencies; most notably, it now supports the most important one, Bitcoin!

But the wallet app requires another app:  the “Samsung Blockchain Keystore”.  I’m not sure why they separated that out into two apps, but my semi-educated guess is that you can create your keys and manage them in one app and use them in other apps, not JUST the wallet app.

Now, as anyone with any knowledge of cryptocurrencies knows, you have to be EXTRA careful with your keys for cryptocurrency.  YOU are 100% in control of your cryptocurrency.  If you’re careless, and it gets stolen, you have NO RECOURSE!  Unlike a traditional bank with FDIC insurance of up to $100,000 protection per account, there’s NOTHING for cryptocurrency.  That’s not a bug, that’s a feature!  With freedom, comes responsibility.  But that’s a speech for another day.  The point is, that if you’re going to do this on mobile, you want it to be as secure as possible, and on a Samsung phone, that means putting it in the ultra secure section called “Secure Folder”.  Now, let’s get back to the “Couldn’t install app” error.

Solution

Sorry to be the bearer of bad news, but there is no solution at the time of this writing (2020-01-04).  I spent an hour on chat support with Samsung, who then sent me to a phone tech support that’s a specialist on the Secure folder.  Both the chat tech and the Secure Folder tech were unaware of the problem and both confirmed that it is, indeed, a problem that they’re going to have to fix.

Here are the problems you’ll experience:

  1. When trying to install the Samsung Blockchain Keystore into the Samsung Secure Folder:
    1. It will not find it in the installed apps from the apps installed outside of the Secure Folder.
    2. It will not find it in the Play Store (to their surprise, it’s not in the Play Store at all.  You can search for it with a desktop browser.  It’s just not there).
    3. It WILL not find it in the Samsung Galaxy Store… at least, not directly.  First, you have to search for the Samsung Blockchain Wallet app, select it, scroll down for similar apps, and you’ll find the Samsung Blockchain Keystore down there.  Try to install it, and you’ll get the error:
    4. Installing the KeyStore app OUTSIDE of Secure Folder will NOT make it available to the wallet app INSIDE the secure folder.
    5. Even when installed outside of secure folder, it does not show up in the app drawer.  You cannot add its icon to the home screen.
    6. The ONLY way to launch it is to find it in the Galaxy Store and tap the “Open” button there.

So, the conclusion is that it’s not possible to use the Samsung Wallet app in the Secure Folder area.  And if you can’t use it in there, it’s not worth using.  You NEED the extra protection of the Secure Folder for your cryptocurrency.  DO NOT ATTEMPT TO USE IT OUTSIDE OF SECURE FOLDER!!!

Speaking of Decentralized Monetization,

If you like my work, you can contribute directly to me with the following cryptocurrencies (but, apparently, not with the Samsung Blockchain Wallet app in Secure Folder yet!)

BitCoin:

bc1qx6egntacpaqzvy95n90hgsu9ch68zx8wl0ydqg

LiteCoin:

LXgiodbvY5jJCxc6o2hmkRF131npBUqq1r

Must-Haves for Decentralized Apps

Whether you’re a developer or a user, these are the requirements for a truly decentralized app. If it lacks any of these, your app can be censored (and you should assume that it WILL be):

  1. No reliance on legacy DNS.

    1. While you CAN make use of DNS as an additional measure, your app should still fully function even if the entire DNS system is compromised and/or your domain name confiscated.  You should think of the DNS as only a gateway for legacy users to find your services.
  2. No reliance on a centralized account creation system.

    1. User accounts should be created client side ONLY, like a cryptocurrency wallet. The app’s concern with the user account should ONLY be that the user cryptographically signs their communication with you, using their private key and you use their public key to transmit private data from you to them.
  3. Deployment of the app should NOT depend on a centralized app publisher.

    1. The app should be obtainable if you or your company or your organization cease to exist. This does not mean that you can’t ALSO deploy to centralized app stores, but those should be SECONDARY. You should also dissuade your users away from centralized app stores.
  4. User’s personal data should ONLY be stored on their own device

    1. OR encrypted with their public key before being stored remotely to their choice of external storage.
  5. Remote storage

    1. All remote storage should be stored on a decentralized storage platform (The user’s SiaCoin or FileCoin accounts, for example. For published data, IPFS and/or a blockchain). This doesn’t mean you can’t also make use of centralized platforms. In fact, make use of popular centralized cloud storage like Amazon S3, DropBox, Google Drive, etc, but encourage the user to add 3 of those to their storage preferences and you encrypt their data locally, with their public key, then replicate it, like RAID 3, across at least 3 or more centralized storage platforms.
  6. Monetization

    1. Creator monetization should NOT be controlled by the app creator. The app creator should only facilitate code in their app to allow independent users to pay, directly, to each other, using a system outside the control of the app creator (such as cryptocurrencies).
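
The RAID 3 style layout from item 5, as an added example that is not part of the original post: a locally encrypted blob is byte-striped across two providers with an XOR parity share on a third, so any one provider can disappear and the data is still rebuilt. The function names and the three-provider layout are illustrative assumptions, and the input is assumed to be ciphertext already encrypted on the user's device (the encryption step itself is not shown).

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length shares."""
    return bytes(x ^ y for x, y in zip(a, b))


def stripe(ciphertext: bytes) -> dict:
    """Split ciphertext into two byte-interleaved data shares plus a parity share.

    The manifest (original length and SHA-256 of the ciphertext) stays on the
    user's own device; each of the three shares goes to a different provider.
    """
    padded = ciphertext + b"\x00" * (len(ciphertext) % 2)  # pad to even length
    d0, d1 = padded[0::2], padded[1::2]
    return {
        "manifest": {
            "length": len(ciphertext),
            "sha256": hashlib.sha256(ciphertext).hexdigest(),
        },
        "shares": [d0, d1, _xor(d0, d1)],  # provider 0, provider 1, parity
    }


def rebuild(manifest: dict, shares: list) -> bytes:
    """Rebuild the ciphertext from three shares, at most one of which is None."""
    if len(shares) != 3 or sum(s is None for s in shares) > 1:
        raise ValueError("need at least two of the three shares")
    d0, d1, parity = shares
    if d0 is None:
        d0 = _xor(d1, parity)      # recover the lost data share from parity
    elif d1 is None:
        d1 = _xor(d0, parity)
    if len(d0) != len(d1):
        raise ValueError("share lengths disagree; a share was truncated")
    out = bytearray(len(d0) * 2)
    out[0::2], out[1::2] = d0, d1  # re-interleave the two data shares
    data = bytes(out[: manifest["length"]])
    # A provider that returns altered bytes is caught by the local manifest.
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        raise ValueError("rebuilt data does not match manifest; a share was altered")
    return data


# Constructed sample: 97 bytes standing in for a blob encrypted on the device
# (odd length on purpose, to exercise the padding path).
SAMPLE = hashlib.sha256(b"constructed sample ciphertext").digest() * 3 + b"\x01"


def survives_single_loss(ciphertext: bytes = SAMPLE) -> list:
    """Drop each provider in turn and report whether the data still rebuilds."""
    packed = stripe(ciphertext)
    results = []
    for lost in range(3):
        shares = list(packed["shares"])
        shares[lost] = None
        results.append(rebuild(packed["manifest"], shares) == ciphertext)
    return results


if __name__ == "__main__":
    print(survives_single_loss())
```

Each provider holds only half the ciphertext (or its parity), and losing two of the three providers makes the data unrecoverable, which is why the post asks for at least three.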


SANS DIGITAL Raid Tower Four Years On

SANS DIGITAL MobileSTOR MS4UT+B

Almost 4 years ago, I bought a Sans Digital MobileSTOR MS4UT+B four drive bay RAID tower.  Here’s how it’s stood up so far:

The reason I’m writing this article today, is because this past week was the first time one of my drives in the ARRAY failed.  To be clear, this is not a complaint.  ALL drives fail.  That’s WHY I bought a RAID tower, so that when one eventually DOES fail, I have the redundancy in place to keep going while I get a replacement drive, with zero down time and zero data loss.

Before reading further, if you don’t know what RAID is or a RAID tower, please click the link below for a straight-forward explanation:

When I bought the tower almost 4 years ago (this model is not available for sale anymore), I also bought 4 of these drives:

Seagate 4TB NAS HDD SATA 64MB Cache 3.5-Inch Internal Bare Drive (ST4000VN000)

for $149.99 each in December 2014.  They were the cheapest 4TB drives I could find at that time.

All 4 have been running 24/7 until 2018-10-29, when one of them finally failed.  To be honest, I expected the first failure to be years ago, considering my track record of at least 1 failed drive a year.  I bought the cheapest drives I could find too, so I expected more frequent failures.  The front panel of the RAID tower indicated that my drive #3 had died.

The computer was completely unaware of the failure.  This is a good thing.  That means the RAID tower’s seamless drive failure was working.  I immediately ordered a new, replacement drive.  I ordered the cheapest, 4TB drive I could find.  Why?  Because reliability of individual drives is not all that important when you have them in a RAID tower.  The redundancy of the whole system dramatically improves overall reliability, even when using low reliability drives.  I should also point out that just because a drive is inexpensive, doesn’t mean it’s also low reliability.

Here’s the drive I bought in late October 2018 for $79.99… nearly half the cost from 4 years earlier.

WL 4TB 7200RPM 64MB Cache SATA 6.0Gb/s 3.5″ Hard Drive (For RAID, NAS, DVR, Desktop PC) w/1 Year Warranty

What did I do?

When it arrived 3 days later, without shutting anything down, I opened the front panel of my RAID tower, pulled out the bad drive (with the whole system still on and running), unscrewed the 2 screws holding the handle onto the bad drive, screwed them and the handle onto the new drive, and plugged it into the RAID tower.

What did the RAID tower do?

The RAID tower immediately recognized the new drive and started replicating data to it.

What did the PC do?

My PC never knew anything ever happened.  As far as it was concerned, there was a working 12TB drive that it continued to actively use throughout the whole process.  There was never any downtime.

How long did it take?

Swapping the drive took about 5 minutes or less.  The replication, however, began on the night of Tuesday, October 30th.  It was still replicating when I left the PC on Saturday night, November 3rd.  However, Sunday morning, when I got back to it, it had finally finished.  So, it took it about FOUR DAYS to complete the replication.  Much longer than I thought.  I figured it would take between a couple hours up to maybe 1 day.

What does this mean?

It means that my data was vulnerable to disaster via a SECOND drive failure from the moment the drive went bad on Saturday, October 27th, through when the data was finally, fully replicated onto the new drive somewhere between the night of Saturday 11/3 and the morning of Sunday, 11/4… a total of a few hours more than 1 solid week.

If any other drive had died during that time, my 10TB of data would have been hosed.

The good news is that if I were NOT using a RAID tower, I’d be at that same risk ALL THE TIME!  I was only at risk for 7 days.  The BAD news (for YOU) is that if you’re not using RAID, you’re at that risk 100% of the time.

Conclusion:

This RAID tower performed as designed and is still performing.  The vulnerable replication period is much longer than I expected.  But, in the end, it all worked.  This is the first drive failure I’ve had where I didn’t lose a single bit of data.

My recommendations:

Whether you need speed or reliability, you SHOULD be using a RAID array.  I highly recommend buying a RAID tower and letting it handle the complexities of configuring the system.  Software RAID solutions are available, but they are much less reliable and consume resources on your computer, slowing you down.  With an external hardware solution, it’s literally just plug and play, like any normal, single external drive, but with the capacity, speed, and reliability of a RAID solution.  RAID towers can be found for under $100 and there’s no upper limit to how much you can spend on one.

So:

  1. Buy a RAID tower.
  2. Configure it to the configuration that best meets your needs.
  3. Have a local backup using a low cost, external USB hard drive of equal capacity as your full RAID array’s configuration.
  4. Have a cloud backup of your data too, AND MAKE DARN SURE IT’S ENCRYPTED ON YOUR END BEFORE BACKING UP!!!
    1. There are a lot of decentralized, peer-to-peer, cloud backup services coming online like:
      1. Sia
      2. FileCoin
      3. StorJ
      4. and others.  None of them are great solutions as of this writing YET!  But that’s changing.  Keep an eye on them and read EDUCATED reviews of them.  That includes keeping an eye on my blog because I’m watching them with intense interest, in addition to testing them myself.  I’ll ring the alarm bell when it’s time to jump on.  They WILL BE the ultimate backup solution.

Tensorflow, Python, & NVidia CUDA Setup

If you’re trying to get started with Machine Learning using Tensorflow, you’ll likely experience frustration trying to find the right version of Tensorflow, Python, & NVidia CUDA drivers that all work together.

Having just gone through that frustration myself, I present to you a WORKING set of instructions.

NVidia CUDA

This part is NOT REQUIRED, unless you want to use your GPU for MUCH faster Tensorflow program execution.  You DO want to use your GPU, BTW!

As of this writing, CUDA 9.2 is the latest version, however, Tensorflow will not work with anything later than 9.0, so go here to download CUDA 9.0:

https://developer.nvidia.com/cuda-90-download-archive

If you don’t have an NVidia GPU, click here to get one…

NVidia GPUs on Amazon.com

What is CUDA?

CUDA is software that allows you (or programs written by other people) to write software that uses your video card’s GPU (Graphics Processing Unit).  A GPU is hardware designed specifically for video operations, which it performs many times faster than a CPU can.  Turns out, you can use your GPU for some specific types of calculations that have nothing to do with graphics and speed up those operations… like… neural networks built with TensorFlow.  They’re also good for cryptomining, but we won’t get into that in THIS article.

Tensorflow

Once you have CUDA installed (assuming you have an NVidia GPU and want to take advantage of the massive speeds it’ll give you compared to just running Tensorflow on your CPU), it’s time to install Tensorflow.

Follow these instructions:

https://www.tensorflow.org/install/install_windows

They’ll also get you up and going with your first “Hello World!” program… after you get Python installed (next section).

Python

There are multiple versions and flavors of Python out there.  THIS is the one that will work with the version of Tensorflow and CUDA listed above:

https://www.python.org/downloads/release/python-362/

Once you have them all installed, follow the tensorflow tutorial on the tensorflow link above.

That’s it!

Extra

Here’s an easy to use Python play site where you can write and test Python code as you learn it without installing anything!

https://www.tutorialspoint.com/execute_python_online.php

IRS Hell for BitCoin Users

Summary

2018 is the first year U.S. citizens have to file taxes on their cryptocurrency activities for 2017.  The limited “rules” the IRS has published do not cover the majority of types of activities and the information needed to accurately file taxes is simply not available to non programmers and is excruciatingly difficult to acquire, even for programmers.

Tax “Guidance”

In 2014, the IRS published a somewhat vague guidance on how to report cryptocurrency taxes.  It essentially boils down to:

  1. How much did you buy? 
  2. How much did you sell?
  3. What’s the difference?
  4. Send in 30% of your profits.
  5. Determine fair market value on the day of your transactions.

Here’s the actual 2014 IRS tax guidance document.

Reality

Unfortunately, reality is much more complicated than that.  Here are the real-world things that we have no clear rules on:

  1. What if I bought some prior to 2017?
  2. When I sell some, which of the MANY prior purchasing transactions do I apply the price to?  The price is different for every transaction.
  3. What about mining?
  4. What about mining hardware prices?
  5. What about price of electricity?
  6. I bought & sold on more than one exchange.
  7. I moved crypto between exchanges.
  8. I converted crypto from one to another.
  9. Prices at the moment of each transaction are not available when converting between currencies.
  10. Which price would we use, even if we had it?  There’s no universal price on any crypto.  Each exchange has its own, moving price that changes by the second.
  11. What about when a cryptocurrency forks, like BitCoin to BitCoinCASH and BitCoinGold?
  12. They say to use the fair market value of the day to determine prices on transactions, but that’s of no use since the price can swing thousands of dollars within a day.

My Experience

Since 2014, I’ve bought and sold crypto hundreds of times.  On some days, I’ve made dozens of trades in a single day.  In addition to that, I have accounts on 4 exchanges and also mine Ethereum.  I also traded between cryptos like converting BitCoin to LiteCoin and LiteCoin to Ethereum & Ripple & IOTA, etc., and moved crypto between exchanges like CoinBase, Kraken, Bitfinex, & Bittrex, and to and from my personal wallets,  and gained some crypto during forks, and lost some due to CoinBase not giving me my Ethereum Classic.

Over the past week, I’ve spent about 6-10 hours or so JUST on trying to gather what I understood would be needed for my tax accountant for cryptocurrency (not counting my usual taxes).  From the list above, you’ll get a rough idea of what I was going through to try to collect the information.

It’s 2018-03-31 and I finally finished my taxes.  Here’s how the day went:

I was woken up around 9:45 am this morning (I like to sleep late on Saturdays) by my tax accountant.  We spent a SOLID FIVE HOURS on the phone, trying to resolve everything (95% of that was related to cryptocurrencies).  This is their first year dealing with this.  I had to explain a lot about crypto and even the IRS’s rules.  She, apparently, had the same, uninformative PDF document from 2014 from the IRS too and just assumed it’d be as simple as they explain.  Reality is hugely different.

She wanted me to make it simple for her.  I wanted her to make it simple for ME.  That’s kind of why I’m paying her, right?  I spent hours gathering everything she could possibly need (minus the information that was just not feasible to get, but that we actually DO need).

It was simply not enough information, not just the lack of data that I didn’t have access to, but the lack of rules from the IRS.

Conclusion

The amount of effort trying to figure out just HOW to report my cryptocurrency transactions to the IRS was a nightmare and equals about the same amount of effort I spent throughout the year transacting and buying, learning, and setting up my Ethereum mining.  And it was significantly more frustrating than the actual crypto activities.

The IRS needs to get their act together, learn what it is we actually do, and come up with REALISTIC rules that we can actually perform.

The time and effort I spent preparing my taxes for my accountant, PLUS the amount of time we spent on the phone afterwards, was insane, and we STILL didn’t get everything.  We probably got about 85% of what was needed and I guarantee that what we reported was not right, but that was the best we could do.  I had tens of thousands of dollars in transactions.  With the limited information we had, she simply ended up using what I sent to her from the website CoinTracking.com, which is ONLY good for a SINGLE exchange.  So, I reported a $200 profit and paid taxes on that.  At least that is small, to keep my taxes down AND shows a “profit”, which should keep the IRS off my back, since I’m actually paying them something.  I was told that if I reported a loss, it would likely trigger an audit.

What?  Were you hoping to come here for a resolution to YOUR tax problems?  Sorry.  All I can offer is comfort that you’re not alone.  The IRS needs to get their act together and YOU need to click this link to contact your U.S. representative and explain to them the nightmare they’ve created for us.  Click the following link:

Find Your Representative

 


Check back later for updates too!

Validating Digital PGP Signatures & Why it’s Important

Do you ever see the checksums, CRCs, SHA, or PGP signatures presented to you when you’re downloading a file?  Like this for example:

These are actually SUPER IMPORTANT!

What are those signatures?

They are, in a very very simplistic explanation, answers to a math function where the numbers given to the function are the bytes of the file you want to download.

Why are they important?

They are used to prove to you that the file you’re downloading hasn’t been tampered with.  HOW, you may ask?  Because only the valid, original file, with the original set of bytes in it could have produced that signature.  If you change just ONE byte in the entire file, no matter how big the file is, you’d get a DIFFERENT answer to the math function.

This is CRUCIALLY important for things like cryptocurrency wallets for cryptocurrencies like #BitCoin, #Ethereum, #LiteCoin, etc…  Hackers frequently publish TAMPERED versions of wallet software and if you install and run the hacker’s version, they’re going to steal ALL OF YOUR CRYPTO!  This has already happened many times.  Websites are compromised and hacked versions are put on their websites.

This brings up another important concept of signatures vs. the files they’re supposedly coming from:

A published signature is absolutely USELESS if it’s on the SAME website as the download file.  Why?  Because if a hacker compromises the download site, then you can’t trust anything on that site, including the signature.  You’ll find that MOST sites that publish a signature do so on one website, but the downloaded file is hosted on another website.  For BOTH the signature AND the file to be compromised by the same hacker, they’d have to hack BOTH of those websites, which is much more difficult.

How can I validate them?

You’ll need software on your computer that can compute the same types of signatures that the website publishes for their downloaded files.  In short, these are the steps (I’ll go into explicit detail shortly):

  1. Install some signature making and validating software onto your computer (Do this only once).
  2. Make note of the published signature for the file you’re about to download. (Do this for every download that offers it).
  3. Download the file (DO NOT EXECUTE IT!  It’s NOT trusted until you validate the signature!)
  4. Use the signature software to make or verify the signature of the downloaded file.
  5. If the signature checks out, the file is safe.  If it doesn’t, DELETE THE FILE!  DO NOT EXECUTE IT!
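
Steps 2 through 5 for the checksum case (SHA-256), as an added example that is not part of the original post; PGP signature verification is a separate procedure and is not shown here. The function names and the sample "installer" bytes are constructed for illustration, and the published digest is assumed to have been copied from a source other than the download site, as the post advises.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so large installers do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalise_digest(text: str) -> str:
    """Accept 'ABCD...  file.exe' style lines; return 64 lower-case hex chars."""
    parts = text.strip().split()
    token = parts[0].lower() if parts else ""
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a SHA-256 hex digest")
    return token


def verify_download(path: str, published_digest: str,
                    delete_on_mismatch: bool = True) -> bool:
    """Step 4 and step 5: compare digests and delete the file on mismatch."""
    expected = normalise_digest(published_digest)
    actual = sha256_file(path)
    ok = hmac.compare_digest(actual, expected)
    if not ok and delete_on_mismatch:
        os.remove(path)  # never leave an unverified installer lying around
    return ok


def demo() -> tuple:
    """Constructed sample: a fake installer and a copy with one bit changed."""
    original = b"MZ" + bytes(range(256)) * 64
    # Stand-in for the value noted in step 2 (upper-case, with a file name).
    published = hashlib.sha256(original).hexdigest().upper() + "  wallet-setup.exe"
    tampered = bytearray(original)
    tampered[1000] ^= 0x01  # a single flipped bit is enough to change the digest
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.bin")
        bad = os.path.join(d, "bad.bin")
        with open(good, "wb") as f:
            f.write(original)
        with open(bad, "wb") as f:
            f.write(bytes(tampered))
        good_ok = verify_download(good, published)
        bad_ok = verify_download(bad, published)
        return good_ok, bad_ok, os.path.exists(good), os.path.exists(bad)


if __name__ == "__main__":
    print(demo())
```

A match only ties the file to the digest you noted in step 2, so the check is as trustworthy as the place that digest came from.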

Detailed VALIDATION instructions:

Before you get overwhelmed, scroll to the bottom and see that once you’ve done all this once, future validations are really simple…. Just those 4 steps at the bottom.  But for now, you’ll need to go through this more lengthy setup process.

In this tutorial, we’ll be dealing with a downloadable executable file that offers a public PGP signature for you to validate against.  You should know that there are many forms of signatures that an author could choose to publish.  Other than PGP, there are SHA1, SHA256, SHA512, MD5 (which has been broken), and several others.  These are the most popular ones.

We’ll be downloading and validating a popular BitCoin wallet app.  For this type of app, it’s critical to validate the downloaded file against the published signature.

Yes!  This looks very involved, but the good news is that most of these steps are only needed to be done ONCE EVER.  Since this is your first time, there are many steps to get new things installed and set up right.  Subsequent verification will be much simpler and I’ll provide a list of steps to do after you have everything set up.

First, install some PGP key software on your computer.

  1. Install gpg4win from here: https://gpg4win.org/
    1. It will install a few utilities and a GUI app that will hold all of your PGP keys and certificates. (You don’t need to understand what those are at this point).
  2. Skip this step if you already have a public/private PGP key pair.  Create public/private keys for your own e-mail address.  You’ll need this later and it has other benefits such as being able to send and receive encrypted e-mail on any e-mail system.  See: STICK IT TO THE NSA: HOW TO ENCRYPT YOUR WEBMAIL
    1. Open the “File” menu and choose “New Key Pair”.
    2. On the box that opens, choose “Create a personal OpenPGP key pair”.
    3. Enter your name and e-mail address, then click “Advanced Settings…” and on the top 2 drop downs, change it to 4096 bits.  That’ll make your key orders of magnitude stronger.  If you want, feel free to check “Authentication” and “Valid until” and pick a date.  I recommend 1 year into the future.  If you choose a date, your key will not be trusted by anyone after that day.
    4. Click [OK], then [Next], then [Create].
    5. It’ll prompt you for a password.  To use your private key, you’ll need this password, so DO NOT LOSE IT!!!!!  Go ahead and enter it.
    6. After taking a few moments (and it WILL take a few moments), you’ll have a key pair.  If you want others to be able to send you encrypted data, I recommend clicking the button “Upload Public Key To Directory Service…”.  People will be able to look up your public key via your name or e-mail address.  But, it’s not needed for validating signatures, which is the primary purpose of this article.  Now, click [Finish].
    7. You’ll now have a new, certified key in your key ring.  PROTECT YOUR PRIVATE KEY WITH YOUR LIFE!!!!

If you’re interested in more details about what the private/public key pair is that you created, please see.  It’s not necessary to know all of that for this article, but it will clear up some confusion, if you have any.

Now, let’s do an actual Verification!

  1. Go to https://electrum.org/#download and view that page.  (Note, if you have the know-how and the means to download and build from the source code, ALWAYS do that rather than downloading a pre-built executable!)  Notice the signature links next to every download option?  THAT’S what we’re working with in this article.
  2. Click the Windows Installer and download it.  DO NOT RUN IT!  In the folder in which you downloaded the file, you’ll see a file named something like electrum-3.1.0-setup.exe.  As you can see, I’ve downloaded prior versions of the file too.  Notice that some of the files DON’T have “.exe” at the end?  We’ll fix that shortly.
  3. Back on the web page, click the signature next to “Windows Installer”.  You’ll see something that looks like this in your browser:
    1. -----BEGIN PGP SIGNATURE-----
      
      -----END PGP SIGNATURE-----
  4. Click anywhere on the text and hit [Ctrl]+[A] to select all of that text, then [Ctrl]+[C] to copy it.  Or you can select all the text with your mouse and copy it.  You’ll be pasting it into a text file shortly.
    1. DO NOT COPY THE PGP SIGNATURE FROM MY ARTICLE TEXT!!!
  5. Open the folder to where you downloaded the Windows Installer file.  It should be named something like electrum-3.1.0-setup.exe.  Obviously, if you’re reading this in the future, there will likely be a newer version.  This is the latest version at the time of this writing.
    1. Right-click on any empty, white space in the folder and choose “New”, then “Text Document”.  A new, empty text file will be created.  Ignore the extra menu items I have.  I’m a developer and have extra features installed that you might not.
  6. Now hit enter to open the empty text file and paste the PGP signature into it (from step 3.1 above, you should have the text in your copy buffer (or “clipboard”) still).  Hit [Ctrl]+[V].  This will paste the text you already had copied from 3.1 above into the text file.  Now hit [Ctrl]+[S] to save it.  And finally CLOSE notepad (or whatever text editor you’re using).
  7. Now rename the text file to exactly the same name as the downloaded electrum exe file, but with “.pgp” added to the end of the filename.  In my case, I rename the text file to electrum-3.1.0-setup.exe.pgp
  8. Now, let’s fix that problem where the file types (also called “file extensions”) are hidden.  While looking at the filename that you downloaded in Windows Explorer, open the “View” menu or tab.  On the right hand side (you might have to resize the window to something bigger to see it), open the “Options” drop down and choose “Change folder and search options”.
  9. On the “Folder Options” that opens up, click on the “View” tab and check OFF (or UN-check) the box “Hide extensions for known file types”, then click “OK”.  It should NOT have a check-mark in it.
    1. You’ll see the files changed from this…
    2. to this…  (again, these are MY files, you may have more or fewer and certainly different files in your downloads folder).
      1. It’s VERY important that you see the FULL filenames.  Before this, the electrum-3.1.0-setup.exe.pgp file looked like it was named electrum-3.1.0-setup.exe and as you can see, there’s actually ANOTHER file that actually has that name.  Why Microsoft hides these by default is beyond me.   All it does is create confusion and severely increase the risk of hackers tricking you into launching a malicious program when you think you’re opening a safe text file or a picture file.
  10. LET’S DO IT! Let’s make an attempt to actually verify the PGP signature of the file.  Spoiler alert:  It won’t work, but that’s OK.  It will walk us through what we need to do.  Right click your newly created and renamed file that you added “.pgp” to the end of the filename on.  In my example, it will be electrum-3.1.0-setup.exe.pgp , and then choose “More GpgEX options”, then “Verify”.
  11. The verification process will complete as verified, but not fully verified…
    1. Here’s what’s going on.  The EXE file DID verify against the PGP signature, but the signature, itself, is not known to be trusted.  At least, your verification software you’re using (called Kleopatra) does not know the signature to be from a trustworthy source.  You’ll have to TELL IT that you trust that author’s key.  Once you do that, Kleopatra will fully verify everything produced from that author, signed with his same keys.  Click the “Search” button.  This will search on several public PGP key stores on the internet for one that contains that PGP key you have from that author.
      1. It SHOULD find a key from ThomasV@gmx.de after a minute or so…
      2. Click his e-mail address and then click the “Import” button.  That will import his public PGP key into your PGP keyring.  This will make it available for future use by you to validate new versions of this app and others from the same author.  You won’t have to go through all of these steps again for future downloads from him.
  12. Now we need to CERTIFY his signature.  This simply means we’re going to tell our local install of Kleopatra that we TRUST the key from ThomasV.  Open your start menu and find Kleopatra and launch it.
    1. It will show you all the public and private PGP keys you have installed.  Here’s what MINE looks like.  Yours may have only the one key from ThomasV and your own key.  (I’ve blurred my personal keys).
  13. Now, we’ll certify ThomasV’s key.  Right click his key (anywhere on the line with his e-mail address in it) and choose “Certify…”
  14. Check ALL the boxes on the “Certify Certificate” dialog box that pops up, then click “Next”.
  15. Now you need to tell it which of YOUR keys you want to certify it with.  It should show you all your keys that you already installed for yourself.  Select the one you wish to use to validate.  It’s not critical which one you choose, but I recommend choosing the latest one of yours that’s not expired and is associated with your most used e-mail address.  And select “Certify only for myself”, then click “Certify”.  (I’ve blurred all my personal signatures).
    1. You’ll see the following once Kleopatra has marked his certificate as validated by your own key.  We do this to make the software validation work.  Most of these steps are a one-time deal.  You will not repeat all of these every time you want to validate a signature on software.
      1. Click [Finish] and you’ll see your list of installed keys and see that his key is now marked as “certified”.  This is good.  This will REDUCE the number of steps to validate software from him in the future.
  16. Now, one more time, let’s right-click the electrum-3.1.0-setup.exe.pgp file you created, choose “More GpgEX options”, then “Verify”.  This time, you’ll get FULL VERIFICATION!

Congratulations!  You’ve now validated that the Electrum BitCoin wallet software is safe, unmodified, and from the original author.  It is safe to install.  Please note, this was NOT an article about installing the Electrum BitCoin software.  It was an example of how to validate software signatures from ANY software you download (as long as the author provides you validation signatures).  We could have used countless other apps to do the same thing.
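The outcomes Kleopatra shows in steps 10 to 16 (key missing, signature good but key not yet certified, fully verified) correspond to the machine-readable status lines that `gpg --status-fd 1 --verify` prints, so the same check can be scripted and tied to a fingerprint you obtained from somewhere other than the download site. The script below is an added example, not part of the original article; it assumes the `gpg` command-line tool that Gpg4win installs and a POSIX shell such as Git Bash, and the fingerprint and sample status lines in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify the status lines of `gpg --status-fd 1 --verify`.
# SAMPLE_FPR and every sample status line below are constructed, not captured
# from a real Electrum release.

# classify_gpg_status EXPECTED_FINGERPRINT   (status lines on stdin)
# Prints exactly one verdict:
#   TRUSTED      good signature by the pinned key, and you have certified that key
#   UNCERTIFIED  good signature by the pinned key, but the key is not certified yet
#   WRONG_KEY    good signature, but made by a key other than the pinned one
#   NO_PUBKEY    the signer's public key is not in your keyring; nothing was checked
#   BAD          signature does not match the file, is expired/revoked, or is absent
classify_gpg_status() {
    # Accept fingerprints typed with spaces or in lower case.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    prefix='[GNUPG:] '
    cr=$(printf '\r')
    good=0; bad=0; nokey=0; signer=; primary=; trust=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                 # gpg.exe on Windows ends lines with CRLF
        case $line in
            "$prefix"*) ;;
            *) continue ;;
        esac
        rest=${line#"$prefix"}
        keyword=${rest%% *}
        args=${rest#* }
        case $keyword in
            GOODSIG)   good=1 ;;
            BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
            NO_PUBKEY) nokey=1 ;;
            VALIDSIG)  signer=${args%% *}  # first field: fingerprint of the signing key
                       primary=${args##* } # last field: fingerprint of its primary key
                       ;;
            TRUST_*)   trust=${keyword#TRUST_} ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then
        echo BAD
    elif [ "$nokey" -eq 1 ]; then
        echo NO_PUBKEY
    elif [ "$good" -ne 1 ] || [ -z "$signer" ]; then
        echo BAD
    elif [ "$signer" != "$expected" ] && [ "$primary" != "$expected" ]; then
        echo WRONG_KEY
    else
        case $trust in
            FULLY|ULTIMATE) echo TRUSTED ;;
            *)              echo UNCERTIFIED ;;   # UNDEFINED, MARGINAL, NEVER or none
        esac
    fi
}

# verify_download FILE SIGNATURE_FILE EXPECTED_FINGERPRINT
# Checks a detached signature with gpg; succeeds only when the verdict is TRUSTED.
# Example call (PINNED_FPR is a variable you set to the fingerprint you trust):
#   verify_download electrum-3.1.0-setup.exe electrum-3.1.0-setup.exe.pgp "$PINNED_FPR"
verify_download() {
    verdict=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
              classify_gpg_status "$3")
    echo "$verdict"
    [ "$verdict" = TRUSTED ]
}

# Constructed status output for four situations from the walkthrough.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {
    case $1 in
        missing_key)
            echo '[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1520208427 9 -'
            echo '[GNUPG:] NO_PUBKEY 89ABCDEF01234567' ;;
        uncertified|certified)
            echo '[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>'
            echo "[GNUPG:] VALIDSIG $SAMPLE_FPR 2018-03-05 1520208427 0 4 0 1 10 00 $SAMPLE_FPR"
            if [ "$1" = certified ]; then
                echo '[GNUPG:] TRUST_FULLY 0 pgp'
            else
                echo '[GNUPG:] TRUST_UNDEFINED 0 pgp'
            fi ;;
        tampered)
            echo '[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>' ;;
    esac
}

# Show the verdict for each constructed situation.
for s in missing_key uncertified certified tampered; do
    printf '%-12s -> %s\n' "$s" "$(sample_status "$s" | classify_gpg_status "$SAMPLE_FPR")"
done
```

Only TRUSTED corresponds to the “FULL VERIFICATION” result of step 16; every other verdict means the file should not be run yet.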

It’s MUCH easier the second time!

Yes, I know.  That was quite a lot of work to do.  But that’s only because you’re new to this AND you had to install, configure, and create lots of new things.  Now that you’ve done it once, doing it again will be much less effort.

From now on, all you do is the following:

  1. Get the PGP signature of the file you want to download and save it into a text file.
  2. Download the file you want.
  3. Rename your PGP signature file to exactly the same name as the file you download, but with “.pgp” appended to the end of the file name.
  4. Right-click that pgp file, choose “More GpgEX options” -> “Verify”, and it’ll either validate or report that it’s not valid.

That’s it!  And getting newer versions of the app will be the same 4 steps.


LastPass: Turn Off Auto-Fill NOW!

There are many reports recently of malicious websites and malicious scripts in ads and comments on websites that generate login name and password fields on legitimate sites that trigger LastPass and other password managers to auto-fill with your credentials, allowing the bad actors to literally steal your login credentials, without you doing anything except innocently visiting your favorite sites.

Side note:  This is a REALLY GOOD reason to turn on 2-Factor Authentication.

Turning off auto-fill in LastPass is pretty simple, but it’s nearly impossible to find and know how to do without someone else “in the know” showing you.

  1. On your desktop browser, open your LastPass vault.
  2. Click “Account Settings” in the lower left.
  3. Click on the “Never URLs” tab.
  4. Click the “Add” Button at the bottom of the dialog box.
  5. Now, you’ll need to do this 3 times, once for “Never Fill Forms”, “Never AutoLogin”, and “Never AutoFill Application”.  Choose “Never Fill Forms”, from the “Type” drop down and then type “all” (without the quotes!) in the “URL” box and click add.  Continue for “Never AutoLogin” and “Never AutoFill Application”.

That’s it!  From this point forward, LastPass will still work, but it won’t just blindly fill in your login name and password to just any field named “login” or “password”.


Encrypting Degoo Cloud Drive With Cryptomator

In this article in my series of “Encrypt All The Things!”, I’ll show you the specifics of encrypting a cloud drive using the Degoo.com cloud drive service. For a generic overview, that’s not Degoo specific, see:

If you use cloud drive services, of any kind, it’s critical that you do so ONLY with data that YOU have encrypted on YOUR END and that YOU are in control of the keys. Any service that handles the keys for you is NOT SECURE! The ONLY way your own data is secure is if YOU are in control of the keys. Some cloud drive services offer encryption at an extra price, which is crazy because you can do it FOR FREE with the added benefit of YOU being in control, NOT THEM!

The best way to ensure that you’re in control is for you to do the encryption yourself with software NOT provided by your cloud drive service.

In this article, I’ll show exactly how to do this with a commercial cloud drive service called Degoo.com and a free and open source encryption application called Cryptomator.

Create a Degoo account and install the software

First, you’ll need to sign up for the Degoo.com cloud drive service here.


Be sure to download and install the software. Don’t set up the download or sync folders yet. We need to get the encryption app installed first. BTW, Degoo has both free and paid options.

Install the Encryption App

Go to Cryptomator.org and download and install the software (It’s free and open source!). Once installed, you’ll need to setup one or more “vaults”, which are simply nothing more than a folder on your hard drive where encrypted files will be stored.

Set up a Cryptomator vault

First, you need to understand how Cryptomator works. DO NOT SKIP THIS!

The first time you run it, you will not have any vaults (encrypted folders). First, create a new folder on your drive in whatever way suits you best. This is where you’re going to have encrypted versions of your sync files stored.

  1. Click the “+” sign in the lower left and choose “Create New Vault” to create a vault.
  2. Navigate to the folder you want to store your encrypted files (the folder should be blank, right now) and give it a name, here I Cryptomator.
  3. Then create a password for it. DO NOT FORGET THE PASSWORD OR YOUR DATA WILL BE LOST FOREVER!!!!!
    1. I Highly recommend saving it in a password manager like LastPass.com. I also recommend using that password manager’s password generator to generate a long, random password for you.
  4. Create the Vault by clicking the “Create Vault” button. This stores a couple of small files in there that cryptomator needs.
    You’ll be prompted for the password again. This is not part of the vault creation process. You’re done. Now you’re ready to use it like you will every day. Now you unlock the vault by entering your password.
  5. Click the “more options” button to see what you have available. Those options are pretty self-explanatory. I’ll skip those and let you choose how you want to configure it.

Your vault is now unlocked and is opened in a Windows Explorer window, usually as drive letter Z:.

The real folder on the real drive is here (below) (depending on where YOU chose to create it… this one is mine):

Now, I can store files in my Z: drive (as long as my vault is unlocked) and I can use any apps I want to read and write to the Z: drive. Everything works normally. Apps that read and write there have NO IDEA that they’re reading and writing to an encrypted folder.

You’ll notice that in Documents\deleteme\test (again, that’s where I created mine; yours will be where ever you put yours), you’ll see a “d” folder and 2 masterkey files. Those masterkey files have an ENCRYPTED version of your key. No one can decrypt it without knowing YOUR password that you just created.  This masterkey file WILL BE ON THE REMOTE SERVER, so this is why you need a STRONG password, preferably random characters generated by a password manager.

As you save more files into your Z: drive, you’ll see more files show up somewhere under Documents\deleteme\test (again, MY folder is here, YOURS is where ever you put yours). The files that show up here have unreadable filenames and if you try to open them, they will have what appears to be garbage in them. These are the files you stored in your Z: drive, but these are encrypted.

Think of your Cryptomator unlocked vault Z: drive as a decrypted, magic window into your physical, encrypted files stored in their encrypted state in your Documents\deleteme\test (again, MY folder name I chose, YOURS will be different).

One caveat: Files in your Z-Drive CANNOT be larger than 2GB! That’s a limitation with the current version of Cryptomator.

I created a text file in my new Z: drive. As you can see below, Cryptomator created a file in the Documents\deleteme\test\d\WQ folder with a funky name. That’s what’s REALLY stored on my REAL hard drive. If I try to open the funky named file, it looks like garbage bytes. Both of those windows are showing the SAME data, it’s just that the REAL data is encrypted (top window). The bottom window is a VIRTUAL drive with a decrypted view of the data. ALWAYS remember this! You will NOT back up your Z drive! EVER! You’ll back up and/or sync your Documents\deleteme\test folder. More on that later.

Now, how to sync your encrypted files with Degoo.com

Now that you have a folder that contains your encrypted files and an easy way to use the encrypted files (your cryptomator Z-drive), you need to sync the encrypted files to your Degoo.com account. DO NOT SYNC OR BACK UP YOUR Z: DRIVE!!!!!!

  • If you haven’t already, download and install the software on Degoo.com and create an account.
  • When you open it, click on the “Choose what to backup” tab. The actual folders on disk that are being backed up are each in their own cryptomator vault folder with encrypted files.
  • Click the “Add folder to backup…” button and navigate to your Cryptomator vault folder… the one with the unreadable encrypted files NOT YOUR Z-DRIVE!!!! and click “Add folder to backup”
  • Your folder will be added to your list of folders to be backed up.

Now, you’re all set. Anything you put into your Z-Drive is automatically encrypted at the time it’s written and since the real folder with the encrypted files is the one that’s backed up, you automatically get your data backed up in addition to automatically encrypted. Now, no matter how malicious anyone at Degoo may be (I have no reason to believe they are (or aren’t)), your privacy is safe. They cannot see anything other than what you see when looking at the encrypted version of your folder. Unless they have your password to your vault (which, of course, should be DIFFERENT from your Degoo password), they’ll never be able to see the contents.

But that was hard!

No it wasn’t! And, the small amount of work you did above is only done when creating a new vault and installing everything for the first time. Once it’s done, here’s all you need to do moving forward:

  • Turn on your PC and log into Windows (or Mac or Linux)
  • Start Cryptomator and unlock your vault.

That’s it! You can even shorten that, so you don’t have to start Cryptomator, by setting up your vault to save your password and auto-unlock on start.

You can also add more cryptomator vaults at any time.

Quick review:

In this tutorial you did the following simple steps:

  • Signed up with and installed Degoo.
  • Downloaded and installed Cryptomator.
  • Created a vault with Cryptomator.
  • Told Degoo to sync the encrypted version of your cryptomator vault.

That’s really all you did. And now, you’re protected both with encryption and with an automatic, encrypted backup.

What’s Next?

Just continue to use your computer with your Z-Drive as your unencrypted version of your data. You can even lock your vault and Degoo will continue to back up your data. Degoo doesn’t need you to have it unlocked because it’s NOT backing up the unencrypted files. It’s only backing up the encrypted bits.  Degoo isn’t even aware of the Cryptomator software.  From Degoo’s software’s point of view, all that matters is that folder with the encrypted files in it.

Conversely, the Cryptomator software is unaware of Degoo.  All Cryptomator knows is that you have a folder with encrypted files and it provides the means to unlock and use them.

You can create more vaults with Cryptomator, if you like and add them to Degoo as well.

You can create vaults inside your Google Drive sync folder, your Microsoft One-Drive sync folder, your DropBox sync folder, etc, etc… As many or as few as you want.  Cryptomator works by encrypting any folder and providing an unencrypted view of it.  Cloud drives work by backing up and/or syncing a folder.  Put the two of them together and you’ve got a robust and secure backup strategy.

I do strongly recommend you make a cryptomator vault in EVERY cloud drive sync folder and move all your non-encrypted files INTO your virtual drive letter created for that vault.

WARNINGS!

You MUST obey the following rules!!!

  • Don’t write files directly into your real folder that contains the encrypted files. If you do that, it will be backed up AS-IS… WITHOUT ENCRYPTION!
  • Do NOT backup your Z: drive (or whatever drive letter cryptomator makes for you). That is DECRYPTED and if you back THAT up, you’ve wasted all your time and effort and are NOT storing an encrypted version of your files. Your Z: drive should ONLY be used for your normal work. DO NOT BACK IT UP!!!!

You are, of course, free to break these rules, but your secure backup is not going to be encrypted if you do break them.

GIT For Beginners

Target Audience

Programmers that need a good source code repository and versioning system.

Expected Knowledge Level:

Beginner through Advanced. You do not necessarily have to have experience with other version control systems, but it helps, of course. Your knowledge of programming is of minimal importance to this article. But if you’re reading this, you’re most likely a programmer, and that’s all that really matters.

Purpose of this article:

To give you a head start with Git. This is not a complete tutorial. This will give you critical pieces of information that are usually lacking in other documentation that experienced GIT users forget that non Git users don’t already know.

What IS Git?

Git is a source code repository and versioning system. It’s free and open source. It lets you keep track of your source code projects, have them backed up on zero or more remote storage locations, share your source code (if you want), keep track of versions of your source code, branch from your source code to work on special features without interfering with the main branch, merge branches together, provide opportunities to review source before merging it back into an important branch (for teams), allows teams of programmers to easily work on the same project without undue burdens of coordination and synchronization.

What Problems is GIT a Solution For? (Why GIT?)

First, let’s answer what version control systems, in general, solve, not just GIT:

  • Provides a backup for your source code.
  • Allows collaboration with other programmers.
  • Allows keeping track of versions of your source.
  • Allows branching and/or forking of your source to work on specific features or bugs or experimental releases without contaminating the main source branch.
  • Replication of your source for safety.
  • Many other reasons.

So, why GIT in particular? I’m not an advocate for GIT in particular. I like it and I use it. What’s important is that you’re using a modern source code control system and have policies in place to prevent problems and provide standardized solutions. GIT is one of many solutions. However, GIT has risen in popularity and seems to be the de facto go-to source control software these days. And there’s good reason for that. It was created by Linus Torvalds (the creator of Linux) and is actively maintained. GitHub.com, arguably the most popular source code repo on the planet is based on GIT. And like most source control systems, GIT is multi-platform.

Again, I’m not advocating for GIT. I’m writing a quick-start guide with a little bit of background. I’ve written plenty of articles on subversion too. Note also that Mercurial is a Git derivative, so pretty much everything I cover here applies to Mercurial as well.

Things You Need to Know:

GIT is not easy to get started with if you’re not familiar with it, and by definition, if you’re getting started with it, you’re NOT familiar with it. For one: GIT is not a single product. Since it’s open source, there are MANY products that are GIT compatible and you have options for command line, GUI, embedded into your favorite IDE or source editors, plus multiple server options as well.

1. Terminology

  • “Repo”: A managed database of a source code project. Unlike other source control solutions like Subversion, where a “repo” is a centralized database where you store all your projects, in GIT, a “repo” is where you store ONE source code project. For example, say you’re writing a game. You’d have a dedicated repo just for that game. On your local machine, you’ll have a complete repo folder named “.git” inside your primary source code folder.
  • “Project”: A centralized server can host multiple software projects. Each project is generally set up for a single software application being worked on by programmers. Programmers will “clone” or “check out” the project to their local machine, creating a local “repo”.
  • “Check Out”: The process of retrieving source code from a branch in a repo. That repo could be a remote repo or your local repo.
  • “Clone”: Pretty much the same thing as “Check Out”. In other source code providers, “checking out” a project informs the server that you have it checked out. In GIT, the server is never aware of who has what and doesn’t care and doesn’t need to know. You’ll simply “clone” the project to get a local copy of the database and work on it locally, committing locally, then eventually push your changes back up.
  • “Check in”: This is not a term used in the world of GIT.
  • “Commit”: The act of submitting your local source code edits into your local repository.
  • “Push”: The act of sending all of your commits from one of your local repositories up to a remote server. If someone else committed and pushed code in on any of the same files you worked on, chances are you’ll have a conflict and will be forced to perform a merge.
  • “Merge”: The act of you being presented with two conflicting versions of the same source file. You’ll be asked to pick and choose which differing lines from both versions should be merged into a single file version before committing.
  • “Pull”: The act of you pulling down the latest changes from a remote repository into your local one.  Note that “pull” is in the direction of the machine in which the code is moving to.  Whoever triggers a pull, does so from the location of the machine in which the code moves to.  For example you “pull” from the server to your local machine.  You log onto the server’s web interface and request a “pull request” to move your code into the central repository.
  • “Pull Request”: The act of a programmer requesting that their committed and pushed changes be merged with a more important branch. One or more other programmers (frequently the project lead) will review your changes and decide whether or not to allow them to become part of the bigger project. You may be asked to make some minor changes and re-submit your pull request or it may be rejected out-right.

2. Storage

Unlike Subversion and the much older Microsoft Visual SourceSafe, you don’t have 1 server and multiple clients. Instead, GIT has no “real” central server. Though most people use it in a way that sets up one repo as the understood central repo.

You don’t simply check out from the server, edit, then check back in. Instead, your local machine, itself, becomes a server. You become a client to your own server. So, when you check out and commit your code, you’re doing it from and to your local repository. At any time, you can push all your commits from your local repo up to another repo. You can “pull” from a remote repo to yours to get yours up to date.

But while writing code, you’ll create branches locally in your own repo, then checkout from those local branches, edit, commit. You may do this many times. Eventually, you’ll want to push your changes up to the shared repo.

3. Branching

If you’ve ever tried branching in things like subversion, you’re probably aware of how difficult it is and how easy it is to screw things up badly.

SUBVERSION BRANCH: HOW TO

In GIT, it becomes ridiculously easy. It’s so easy, in fact, that branching will become your common, every day practice. Everything you do… every feature you add, every bug you fix, will be done in a branch.

In all fairness though, it’s still hard if you’re not using the right tools. If you’re a command-line junky (which I do not recommend, nor should anyone be impressed by someone insisting on sticking with the command-line), you can implement best-practices like GitFlow. Better yet, are plugins for GitFlow that are made for Visual Studio, GitKraken, and many other Git clients. This removes the complexity of branching and merging down to a couple of clicks and removes the human error component, making your workflow incredibly powerful and easy at the same time.

4. GitFlow

Make your life much less complicated. Start using the GitFlow best practice. Just because GIT supports branching, doesn’t mean that everyone’s going to do it the same, nor that everyone’s doing it “good”. What’s your policy on how code moves from developers to production? There are just about an infinite amount of hodge-podge plans using GIT to make that happen. GitFlow is a standardized way of doing it. In short (very short) explanation, here it is:

 

  • When you create your project, you create a “main” or “master” branch. This becomes the gold standard for finished, polished code. You will most likely build what’s in there and publish it.
  • Create a branch off of “master” called “develop”. This will be the main, working branch where programmers will branch from and merge back into. This isn’t necessarily the “best” version of the code, but it’ll be the “latest” version that all developers use as their developing silver standard.
  • If you are tasked with fixing a bug or creating a new feature, you’ll create a new branch derived from the develop branch. You’ll work on your fix or feature until done, then merge it back into develop.
  • Some coding shops like to have a “bug fixes” branch, a “features” branch, and “hot fixes” branch from the develop branch. Then the developers never branch directly from the “develop” branch. They’ll instead branch from one of those 3 branches.
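The branch sequence from the bullets above, typed by hand with plain git, is what the GitFlow plugins automate. This is an added example, not from the original article; the throwaway repository, the branch name feature/login, the file names and the commit identity are constructed for the demo.

```shell
#!/bin/sh
# Added example: master -> develop -> feature branch -> merge back into develop.
# Everything happens in a temporary directory that is removed afterwards.

# Run git with a fixed identity so the demo does not depend on your global config.
g() {
    git -c user.name='Example Dev' -c user.email='dev@example.invalid' \
        -c commit.gpgsign=false "$@"
}

# has_file BRANCH PATH: report whether PATH exists on BRANCH without checking it out.
has_file() {
    if g cat-file -e "$1:$2" 2>/dev/null; then echo present; else echo absent; fi
}

gitflow_demo() {
    repo=$(mktemp -d) || return 1
    (
        set -e
        cd "$repo"
        g init -q .
        g symbolic-ref HEAD refs/heads/master       # name the first branch "master"
        echo 'v1' > app.txt
        g add app.txt
        g commit -q -m 'Initial release'

        g branch develop master                      # the shared working branch
        g checkout -q -b feature/login develop       # one branch per feature or bug
        echo 'login form' > login.txt
        g add login.txt
        g commit -q -m 'Add login form'

        g checkout -q develop                        # "finish" the feature:
        g merge -q --no-ff -m 'Merge feature/login into develop' feature/login
        g branch -q -d feature/login                 # the merged branch is deleted

        # The feature is now on develop; master still holds only the release.
        echo "master=$(has_file master login.txt) develop=$(has_file develop login.txt)"
    )
    status=$?
    rm -rf "$repo"
    return "$status"
}

gitflow_demo
```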

Making this happen is a chore if you don’t have tools that are designed for this and you are likely to introduce big mistakes without using GitFlow tools. If you’re using Microsoft Visual Studio, go to the Extensions and search for GitFlow. Install that, then you can very very easily automatically create, pull, and work on a feature or bug or hot fix branch. Then when you’re done, you simply click “finish” and it’ll do all the committing, pushing, and merging for you (except for the merging where human intervention is required). Your F-Up rate will greatly decline and your co-workers will appreciate it!

If you’re using GitKraken, there’s a plugin for GitFlow there too. You can use both Visual Studio’s GitFlow and GitKraken’s GitFlow interchangeably, at the same time, on the same project.

No joke! Go get GitFlow now!

Resources/Tools:

  • The base GIT software:  https://git-scm.com/downloads
  • GIT Bash
  • GitFlow
  • Git Clients
    • Git GUIs
    • Inside Microsoft Visual Studio
      • VS directly supports GIT
      • Install the GitFlow extension.
    • Eclipse
    • Sublime
    • Android Studio
    • Stand-Alone clients
      • GitKraken
      • SourceTree
      • GitExtensions
      • Git Bash
  • GIT Servers
    • BitBucket.com
    • GitHub.com
    • VisualStudio.com
