Corporate Data Breaches: What They Mean for Us

Entrepreneurship, Media

Part III in a series on personal online security. Parts I and II can be found here and here.

sony-hacked-again-1

 

What’s it gonna take?

That’s the question we’re all asking after the countless cyber attacks on the world’s most powerful corporations. The Sony Pictures hack got a lot of attention for the 47,000 embarrassing executive emails and celebrity Social Security numbers dumped onto the Internet. But check out this list of high-profile hacks and how many records were breached:

  • Michaels Stores, Inc. — 2 million
  • JP Morgan — 83 million
  • Home Depot — 109 million
  • Target — 110 million
  • eBay — 145 million
  • Adobe — 152 million
  • Court Ventures (Experian) — 200 million

We’re talking credit card data, home addresses, checking account numbers–everything an identity thief dreams of at night.

For this post I had planned on listing all the household-name companies hacked in recent years. But it would be way easier to list the handful that weren’t hacked. One prominent cyber security analyst claims 97% of all companies have had their servers broken into.

What’s it gonna take for them to do better?

Actually, that’s the wrong question. We now know the biggest, most powerful companies don’t have our backs regarding Internet security. We also know, by the sheer scale of these attacks, that we have all been touched by these crimes, if not directly, then via someone close to us.

So, the real question is, What’s it gonna take for us to take better care on our own initiative?

(Image:  yuhootech.com)

Ethical Wool?

Health

wool-305684_640

I’ve recently blogged about my newfound love of woolen activewear (the flipside of which is my move away from synthetic fabrics). Here’s an update to that post.

As a winter cyclist I’m amazed at the high-performance qualities of wool. But my attention has been drawn to the question of wool as an ethical product. Can one choose wool ethically?

Yes. Or at least wool can be relatively ethical, compared with the wool fiber industry of only a few years ago. Back then it was impossible for apparel manufacturers to fully trace the supply chain of raw wool. In other words, even if manufacturers wanted to offer garments made of ethical wool, the info did not exist for them to avoid “mulesed” wool. Mulesing is the horribly inhumane animal farming practice defined here.

Nowadays an industry initiative called Zque guarantees the supply of certified, non-mulesed wool. Patagonia, Ibex, and Smartwool now use Zque suppliers, exclusively. The manufacturer Icebreaker Merino has mounted a similar effort called BaaCode.

None of this completely resolves the question of wool as an ethical choice. There’s still the issue of animal cruelty in shearing operations, not to mention the bigger question mark of humane animal treatment in mass production, in general. But it is progress.

[Image credit: Pixabay]

Password Managers, or Doing Passwords Right

Entrepreneurship, Media

Part II in a three-part series on personal online security. Parts I and III can be found here and here.

please don't steal this

Still Using Scraps of Paper?

Back when I was “storing” passwords via pen and paper, I had, what, twelve pages worth? Fifteen? Of course it’s impossible to memorize more than just a few passwords, which is why people duplicate, or reuse, passwords on multiple sites. Reusing passwords is the primary no-no of personal Internet security. Yet we all do it, we who keep passwords on paper.

The trouble is, when a reused password gets stolen, the thief has access to any site associated with it. This is the principal danger for most when caught up when a big company gets hacked.

Then there’s the problem of using easily remembered passwords for our most frequented sites. Your dog’s name, your child’s birthday. Now that’s secure! Use it for online banking or your most-used email account!

Our third most common failing is not changing passwords regularly. Really? All fifteen pages worth?

If your password-tracking system is stack of dog-eared, greasy pages in disintegrating manila folder, you’re essentially dangling your business checking account in front of cyber criminals and taunting them to take its contents.

The Best of the Best:  LastPass vs. 1Password

Enter: the password manager.

Here are the two password managers I have direct experience with: 1Password and LastPass. These two, along with KeePass, represent the best of the best.

Ten years ago I started out with 1Password. 1Password is one of the few top password managers that does not store your data in the cloud. 1Password is essentially an encryption program, but one dedicated to password management. It generates and organizes strong, unique passwords, all encrypted and stored locally on your hard drive.

What soured me on 1Password is its lack of cloud-sync. It’s greatest strength was also it’s biggest weakness.

Like a lot of entrepreneurs, I have a raft of devices float through my life every few years. Without cloud syncing, 1Password  limited my password “vault” to my main laptop, only. After a few months I bit the bullet and manually re-created a second password vault on my second laptop. That chore took hours.

1Password did offer syncing via Dropbox. Convenient, yes. But then you have to rely on Dropbox’s security, as well.

At that point I switched to LastPass. Yes, this switch was guided, admittedly, by convenience. How great it was to have all my passwords on all my devices! But LastPass also offers topflight security.

I was queasy at first about LastPass storing my data in the cloud. It took some time to get comfortable with their basic concept: LastPass servers don’t actually store passwords. They only store encryptions of passwords. That’s how they thwart any potential inside job (a.k.a., a LastPass employee stealing customer data).

How Long Is a Billion Billion Years?

The encryption also discourages cyber attacks from outsiders. With AES 256 bit technology, a hacker who cracks the LastPass servers would need at least a billion billion years to decrypt even a single password. That’s not a typo. A billion billion. (Here’s a discussion of these numbers.) Hear that? That’s the sound of hackers crossing LastPass off their hit list. (1Password also uses AES 256.)

Finally, decryption of the LastPass ciphers happens locally, on your device. In other words, your naked passwords never travel outside of your device. Plus, you are the only one who holds the key to the decryption. That key is what LastPass calls your Master Password. Hence, the name–your Master Password is the last password you ever have to memorize.

So, I remember one, and LastPass handles the other 179.

No matter which program you choose, you should make your Master Password long and strong. And change it three to five times each year. Rather than a pass-word, I use a pass-phrase.

Two Factor Authentication

We should also all be using 2 Factor Authentication (2FA) with our password manager. Even if my Master Password were stolen, say, by keylogger malware, the thief still couldn’t access my LastPass vault without my 2FA security key. I love having my USB security key on my keychain, which I can use to access LastPass on any laptop or desktop. For my Android needs, I use the Google Authenticator app (always on a separate device).

It’s heartening to learn that LastPass is popular at MIT.

Next Post: Data Breaches in the News

Gore-Tex vs. eVent: Two Waterproof/Breathable Cycling Jackets Go Head-to-Head

Health, Writing

showers pass Elite 2-0

What I’m interested for this post is the waterproof/breathable (WP/BR) fabrics of two different jackets I own: Gore-Tex vs. eVent.

I’m actually not going to review the jackets, per se.  What I will do is save you all from the fatal mistake I’ve made, an honest mistake that has ruined one of these two jackets.

Pictured above is my Showers Pass Elite 2.0 jacket, $250 retail.  At the bottom you’ll find my Patagonia Super Alpine mountaineering jacket, $600 retail.  Very different market segments, I know.  The WP/BR laminate in the Patagonia is the high-end Gore-Tex Pro Shell, while that of the red, Showers Pass jacket is an unspecified, entry-level product from eVent.  So, not apples and apples.  I can’t offer up the definitive Gore-Tex vs. eVent head-to-head competition.

Or can I?

Both Gore-Tex and eVent fabrics are laminates, both using an active layer made of PTFE (polytetrafluoroethylene). The best known PTFE product is Teflon. The PTFE used in WP/BR fabrics is manufactured by stretching a PTFE solid to be a very thin, microporous membrane. The micropores are what make the membrane at once breathable yet waterproof. The micropores are too small to let in liquid water, such as rain or melted snow, yet large enough to allow moisture vapor to pass through, such as perspiration evaporating from your skin or baselayers.

The PTFE membrane must be protected from contamination. Contaminants such as skin oils and dirt will permanently clog unprotected micropores.  Just how to protect the PTFE layer is where Gore-Tex and eVent part ways.

  • Gore-Tex covers the PTFE membrane with a protective film of polyurethane (PU) on the interior side of the jacket.
  • Rather than covering the whole PTFE membrane, eVent uses a proprietary method to somehow coat the interior of each micropore with an oil/dirt resistant chemical.

Wet System vs.  Dry System

Gore-Tex is the so-called “wet system”: it vents perspiration only after vapor has collected as liquid on the inner surface of the jacket. As liquid, the moisture necessarily seeps through the PU film by basic diffusion, from the area of higher pressure (inside the jacket) to the area of lower pressure (the outside air). This diffusion forces the liquid water through the PTFE layer. So for Gore-Tex, venting is a two-step process: body moisture (vapor) must first condense on the inner surface. Only then can it diffuse through the membrane.

On the other hand, eVent is the “dry system”: sweat vapor vents “directly” through the membrane. It need not collect as liquid, first.  In that sense, eVent is the “more breathable” of the two products.  The two-step process of Gore-Tex venting definitely takes more time.

The problem with eVent—and this is essentially why I’m writing this post—is that its micropores are still vulnerable to contamination by skin oils and dirt. Yes, the micropores are treated with an oil- and dirt-resistant chemical. But get it dirty enough– i.e., clog the pores really badly—and the PTFE loses its breathability. Permanently.

Thus, eVent garments require laundering way more often than you’d think. We’re talking cycling garments, so, “regularly” means laundering after heavy use.  Read: every, or every other, hard ride. If you ride through the winter, this means washing the jacket two or three times a week.

Washing it often isn’t a terrible hassle. But as everyone knows, washing machines are hard on clothes. So we’re caught between a rock and a hard place. Care for this jacket properly, and shorten its lifespan. Or, launder it less, and risk clogging the micropores.

In my ignorance, I managed to do both types of damage. First, I simply didn’t know of the need for regular laundering. I treated my Showers Pass jacket like a jacket. I washed it about once every four weeks. Micropores? Pretty damn, well clogged. Breathability went to near zero. When I learned of my mistake, I began washing the jacket weekly. Just one Wisconsin cold season meant laundering the jacket probably twenty times. Some of the breathability returned (though, mostly not). All the washing totally destroyed the DWR coating on the jacket exterior. Now the jacket no longer sheds water. Rain and snow don’t get through to the inside, blocked by the PTFE layer. But they do saturate the outer fabric of the jacket, sapping warmth.

Conclusion

I love my Patagonia jacket, while my Showers Pass jacket makes me sad. The Showers Pass jacket no longer performs. I’m pretty angry that the care tag didn’t alert me to the need for special care. I only learned of it on the web, after the damage was done. I wonder what percentage of eVent users know they should wash an eVent jacket as if it’s a sweatshirt? I also wonder, if laundered as often as necessary, will an eVent jacket survive even a single season?

On the other hand, I’ll be wearing my Patagonia jacket for years to come. It seems completely unfazed by three winters of serious abuse. And Gore-Tex requires no special care. So I won’t be laundering it to death.

layers vert

Time: “Why You Should Change Your Amazon Password Now”

Entrepreneurship, Media

Part I in a series on personal online security. Parts II and III can be found here and here.

keep-calm-and-change-your-password- 400x467

“Why You Should Change Your Amazon Password Now”

So says the headline of a recent Time magazine article. The word “now” sure makes for provocative news. The article begins, “Hackers said Friday that they leaked data associated with 13,000 accounts on Amazon, XBox Live and other sites.” The writer concludes, “[This] news should underscore how important it is to change your passwords frequently.”

But is this just alarmist rhetoric? Should we really worry about such a small number of victims?

Online retailers say we have nothing to fear. Not only was the number of victims small, the 13,000 were spread out amongst 14 different retailers, not just Amazon. Some might point to the much larger 2014 Home Depot hack as cause for concern (56 million credit card numbers stolen). But the online retailers say the Home Depot crime wasn’t actually a “hack,” per se. In that attack, credit card info was stolen from Home Depot’s self-checkout machines in physical stores, not from the company’s computer database.

In other words, according to the spin doctors, cyber security is sound. They might admit the 2013 hack of Target was large (40 million credit card numbers stolen), or that the Sony hack of 2011 came with high costs for the company. But Sony, Target, Home Depot, and any big company watching the fallout of their hacks, have cried, Never again! They’ve elevated their cyber security. They declare online retailing to be safe–or even safer than–shopping in a physical store.

That’s plain wrong.

In a recent segment of CBS 60 Minutes, cyber security expert Dave DeWalt says “97 percent–literally 97 percent of all companies–are getting breached.”

What a mind-blowing figure. And DeWalt should know. Target has hired his security firm, FireEye, to prevent future breaches. “Even the strongest banks in the world . . . can’t spend enough money or hire enough people to solve this problem,” he says.

Perhaps the real takeaway from the 60 Minutes piece was that “80 percent of security breaches involve weak passwords. One of the most common is: 123456.” In other words, 80 percent of the passwords now in the hands of criminals were absurdly weak to begin with. Or, rather, 80 percent of us are still using passwords the way we did in the 1990s: simplistic, easily remembered (aka, easily guessed by strangers).

DeWalt says, “The days when we our username and password is our son or daughter’s name, or our cat or our dog, is not enough security to thwart today’s hackers.”

So, don’t just “change your passwords now.” Make them stronger.

My next post: Password managers, or Doing Passwords Right

Surviving Wisconsin Winters, Part 1: High Performance Business Casual?

Entrepreneurship, Health

Image

High performance work clothing? Does such a thing exist? And I don’t mean flame retardant electrician’s pants or stretchy business-bombshell blazers.

Answer:  Levi’s 511 Corduroys.

Although wool is my new favorite fabric for activewear, there are two applications for which synthetics still rule:  rain gear and winter work/weekend attire. I’ve already written a post on rain gear. As far as business casual goes, Levi’s 511 Cords are a surprising fabric that can double for winter cycling.

Especially good for winter bicycle commuting, their 66%/33% blend of cotton/elastane creates surprisingly efficient wicking of perspiration. Then, when the moisture is drawn up into the corduroy, the corded channels evaporate it to the outside air. Think radiator fins on an air-conditioning unit — the greater surface area vents moisture fast. That makes these pants high-performance street clothes. (Just FYI, the tag says “polyester.” But I verified it to be elastane.)

[UPDATE 10/23/2016:  See bottom for the bad news about more recent specimens of these cords.]

Jeans used to be my mainstay winter-biking pants. It’s only denim, so I didn’t stress out when the cuffs got crusted with salt or blackened with road slush. But getting sweaty in jeans meant the denim staying damp for hours, afterward, a.k.a., cold and clammy. By contrast, Levis cords dry out in minutes.

My ideal setup is to wear a wool base layer beneath the Levis cords. The wool breathes really well, too, moving perspiration to the corduroy, which then evaporates the moisture quickly. The wool also acts as a barrier to odor causing bacteria, allowing me to wear the same pair of cords for three-plus days between washings. How’s that for high performance?

[Image credit: Wikimedia]

[UPDATE 10/23/2016:  Sadly, I’ve just bought a new pair of these cords. Levi’s has changed the fabric, reducing the elastane content to a mere 2%. That’s 98% cotton and 2% elastane. I don’t know how long ago they changed up. Too bad. I predict this new pair won’t vent anywhere near as well as my three old, now threadbare pairs bought back in 2012. Curse you, Levi’s!]

The Heartbleed Bug: How to Keep Your Passwords Safe

Entrepreneurship

lastpass logo

As an entrepreneur, one of your most important tasks is securing your financial information.  In the wake of the Heartbleed Bug, I’ve been fine-tuning my digital security. I’ve especially been fortifying my passwords.  I already use a password manager called LastPass, which I highly recommend.

Though I’ve used LastPass for several years, until Heartbleed, I wasn’t utilizing LastPass to its full potential. The latent Luddite in me was on the fence about fully entrusting my most sensitive accounts to any password manager. But this past couple of weeks has shown me how important it is (and that it truly is safe) to use LastPass for even my bank accounts, PayPal, and other highly sensitive sites.

I’d been using LastPass for dozens of less sensitive sites, while continuing to use easy to remember, “secret” passwords for my bank accounts and Paypal. Not smart. By “easy to remember,” I mean actual words whose significance I believed to be too personal to be deduced by strangers.

How foolish.  Today’s password-cracking software can test out tens or even hundreds of millions of possible passwords per second. Against such brute-force juggernauts, my poor, easy to remember passwords would last mere minutes, if that.

Enter LastPass. LastPass is widely considered the best password manager out there.  You have one master password to log in to the LastPass browser plug-in. Whenever you visit a web service, the plug-in logs you in securely.  As long as your master password is chosen well (i.e., long and complex), LastPass offers excellent security. There’s even a multi-factor authentication feature to make remote hacking virtually impossible.  (Multi-factor authentication is like Google Two-step Authentication, which, if you aren’t using yet, I also highly recommend.)

LastPass generates a different, completely random, character-string password for each of your online logins. Randomness is the key. Randomness actually resists brute-force attacks, unlike actual words. This is how to leverage a single master password while never using the same password for more than one site.

LastPass stores only 256-bit encrypted versions of passwords on its servers. That way, if their servers are ever hacked, the thief would have a monumental task of decrypting just one password, not to mention any others after that one.

Also, LastPass doesn’t store your master password.  Only you know your master password.  That’s how they thwart the potential “inside job” by an unscrupulous Lastpass employee. (Inside jobs are actually the most common form of security breach involving passwords.)

Plus, the LastPass plug-in only decrypts your passwords on your local machine; it never sends an unencrypted password across the Internet. All individual passwords remain encrypted until the moment you use them.

And even then when LastPass decrypts a password to log you in to a site, the password fill-in remains masked (just asterisks), in case a hacker is mirroring your screen. (By the way, your master password is masked when you use it to log into the LastPass plug-in.)

 

Metro-style Wunderlist: a Productivity Tool that Hurts Productivity

Entrepreneurship
wunderlist_beta_windows

No taskbar!

Oh, how I loathe thee, Metro-style Wunderlist (the new version of Wunderlist made for Windows 8).

First I should praise Wunderlist to high heaven. I adopted it early on and continue to trust it with my entrepreneurial life.

But the Metro version? Not so much. Notice the absent Windows taskbar in the image above? Not only does Metro-style Wunderlist hide the taskbar by default, the settings contain no way to change that. If you want to see the taskbar, the only way to do that is to mash your cursor against the bottom of the screen, then . . . you . . . wait . . . Bounce the cursor around down there, and sometimes the taskbar emerges. Sometimes it doesn’t. Same goes for calling up “recent apps” in the upper-left corner. It often takes three or four tries to show the taskbar or recent apps.

My list of grievances goes on and on. But let’s just leave it at that. It feels funny to grouse about something I otherwise love and respect a great deal. Plus, I try to keep positive on this blog. Instead, I’ll just cut to the happy ending.

For anyone still struggling with this sorry app, it turns out you can ditch the offending Metro-style Wunderlist and retrieve the old-school, Windows 7, desktop version. The trick is to download it directly from Wunderlist, not from the Windows App Store. The Windows 7 desktop version works perfectly well in the Windows 8 environment.

https://www.wunderlist.com/download/

As a related side note, Wunderlist’s Android app performs really well. Because of its small footprint, it performs with nimble ease, even on my under-powered LG Volt. Despite its light weight, the app gives you virtually every functionality of its big, desktop brother, including sub-tasks and notes.

(Notice how I slipped in that “big brother” reference? Microsoft has acquired Wunderlist this year.)

A major bonus: the Android widget. I’ve got the widget on my phone’s lock screen. The widget displays any of my to do lists, in their entirety, without the need to unlock my phone.

IMG_20151012_102919

The Wunderlist Android widget on my lock screen

Exciting New Anime: Knights of Sidonia

Media

Knights of Sidonia lifeboat pod

No matter how much I like an anime series, I hesitate to make blanket recommendations. I’d hate for my writing to entice someone to watch anime for the first time and have them come away thinking I have terrible taste in TV. See, there’s a learning curve to watching anime. (The giant anime sweat drop? It means he’s embarrassed.) Without “anime literacy” an anime newbie can watch even the best series and think it’s silly, or worse, a product for children. Knights of Sidonia is definitely not for children.

Also, even the best anime suffers from radical swings in quality over the course of a long season. Think of Joss Whedon TV shows—Buffy, Dollhouse, Firefly. We love them for their high highs, despite the admittedly horrid lows.

That said, Knights of Sidonia (KOS), a recent Netflix Original Series, is some of the most thrilling military science fiction I’ve seen in a long time. It’s certainly not without its shortcomings. Its relationship drama doesn’t succeed the way the military aspect does; the several love-triangles and the central rivalry between the hero and his nemesis are so thinly drawn as to feel tacked on. Yet the stunning battle scenes–the eye-popping visions of sci-fi adventure futurism–make the series more than worth one’s while.

Although I don’t have time to review KOS in full, here, I’ll drop a few observations.

1) How to Repopulate the Human Race

The show’s renderings of deep-space survival create an intriguingly realized future. Sidonia is a “seed ship.” It’s a Battlestar Galactica setup. When the earth was overrun by aliens, the last survivors escaped on Sidonia and survived seven centuries drifting about the galaxy. How did the seed ship repopulate the human race? Successful cloning explains all the look-alike characters in the cast. Others form a “third gender,” changing sexes depending on available partners. Apparently there are limits to seeding “success”: Sidonia holds regular mass funerals for compulsory deaths to keep its fragile ecosystem in check. An “organic converter reactor” processes all the bodies and human excrement for fuel that powers Sidonia.

2) Hillarious Site Gags

KOS re-imagines space travel in (ahem) compelling detail, like the skin-suit catheter (see image). Not only is the catheter necessary for spending many hours (or even days) in the tiny cockpit of a giant robot, the skin suit also filters urine for drinking water.

In one quiet scene our hero averts his gaze to leave his co-pilot her privacy while she photosynthesizes. (Yes, in the future we will only eat once a week because, via genetic modification, we will all photosynthesize.) But because they’re in the glass-bubble cockpit, he can’t escape her nude reflection. Hence, he doubles over in discomfort at the emergence of his catheterized erection!

3) Space Opera!

The space opera (i.e., soap opera in space) elements are by turns wonderful and awful. In quieter moments, the romance between the hero and his love interest can be quite affecting, like when the two are stranded in deep space together, trying not to freak out in the face of dwindling food and water rations.

Sadly, the show’s fan service tends towards the sleazy: untold millions were spent to animate the zero-gravity jiggling of curvy female figures in skin-tight space suits.

4) Warning:  It Goes Fast

That the script doesn’t wait for slower viewers can be a bit frustrating at times. Like any good cyberpunk fiction, KOS respects the intelligence of its audience, rarely overexplaining its backstory and future-tech. The show assumes fans will take multiple passes by hitting rewind or will binge-watch the whole season again later, anyway.

For instance, there appears to be a blunder of failed script-supervisor continuity when we watch a pilot eject from her exploding robot in only her space suit. But in the next scene we see her floating in a spherical, escape-pod lifeboat (see image at very top of this post).

Where’d that come from? Turns out the escape pod is stored in each pilot’s backpack, in some futuristic wonder of nanotechnology. Very cool. I definitely missed it the first time around.

KOS escape pod A-0

KOS escape pod A

KOS escape pod B

KOS escape pod C

5) The Good with the Bad

It’s a shame the first half of Episode 5 gives us one of the most exciting battle scenes ever filmed, a thrill negated by the episode’s second half: an overlong, ham-fisted delivery of backstory, all in unnecessary and terribly written dialogue. When Captain Kobayashi argues with Dorm Mother Lala, she reminds her of a factoid neither could have possibly forgotten: “We’re the last two surviving members of the first strike team in human history to have destroyed a gauna, 600 years ago.” Ugh.

I guess it’s no worse than Rick Grimes in The Walking Dead talking out loud to God, the empty chapel amplifying his cartoonish Southern accent.

6) Coincidence or Cosmic Convergence?

Though spelled differently, the series shares its title with the Muse album “Knights of Cydonia.” Coincidence or cosmic convergence? Judge for yourself by watching the hilarious, sci-fi/kung-fu/spaghetti Western mashup video of Muse’s song on YouTube:

Beer Roundup #10: Three Coffee Stouts

Food and Drink

Lagunitas Cappucino Stout coffee beer

To Buy or Not to Buy?

1 = horrible
2 = bad
3 = average
3.5 = good (many better beers out there; won’t buy this again)
4 = very good
4.5 = great
5 = rare best

 

A Note on the Style:  Coffee Stout

Coffee Stout is actually not a style you find described in the BJCP (Beer Judge Certification Program).  A coffee stout is essentially an American stout in which the brewer has added coffee beans or grounds to the boiling wort.  The result is generally a beer of middling alcohol content (say, 5% – 7% ABV), low to middling hop bitterness (30 – 60 IBU), and a pronounced roasted coffee flavor.

Cappuccino Stout, Lagunitas Brewing Co.
Rating:  4.2 / 5
22 oz. bottle, 9.2% ABV, 82 IBU.

This is a double stout, by the way.  The other two beers in this roundup are regular stouts.

A nice looking pour from a bomber into a tulip glass. Somewhat thin-looking, black, to be sure, with a smallish head, and very sticky lacing.

Perhaps this bottle hasn’t benefited from sitting in my cellar for five months. The coffee aroma seems muted.  A lactose smoothness in the nose makes the coffee-and-cream character astonishingly accurate.  (Pretty sure this was not brewed with any lactose, though, so technically it’s not a “sweet stout” or “milk stout.”)  There’s some vanilla, biscuit, unsweetened cocoa, and a grassy bitterness that must be hops.

Coffee flavor in the mouth is highly bitter, a mouth-puckering acid disrupted some by a milky sweetness that renders the burnt flavor a semisweet chocolate. The vanilla comes forward, with lots of dark chocolate and a subtle buttery caramel. Finish dries out a bit . . . No. Scratch that. The finish is pretty dang sweet. Yes, it’s black coffee and sugar.

If not for being a bit watery in body, the lactose-seeming creaminess makes the “capuccino” element awesomely spot-on.

I used to be in love with this beer. I’m wondering, it should be noted, if five months sitting has hurt this beer. I’ll have to wait ’til next year to see if a fresh specimen recaptures that old magic.

Jingle Java, Bent River Brewing Co.
Rating:  4.55 / 5
12-oz. bottle, 6.5% ABV, 29 IBU.

How lucky to have found this winter holiday beer still lingering in the singles cooler of my neighborhood bottle shop.  It’s fabulous.

This is the most stunning coffee flavor I’ve ever had in a beer. It really is an iced-Americano, with carbonation. The aroma is pure cold coffee with milk.

Flavor in the mouth is uncannily straight-up fresh-brewed iced coffee. There’s a tart, tinny hop bitterness that tries to remind one this is beer. But the aggressive French-roast flavor resists such a notion. There’s a nice sweet vanilla in the background that helps a milk chocolate undercurrent emerge from the dark depths.

Best coffee stout I’ve ever had. Blows doors on New Glarus Coffee Stout. While there are better coffee-infused stouts of imperial strength (Central Waters Brewhouse, 8.2%; Southern Tier Mokah, 10%), Jingle Java beats anything in the 6% – 7% alcohol range.

I wonder how much the low bitterness (29 IBU) plays a part in this brew’s success?

Java Lava, Pearl Street Brewing Company
Rating:  3.9 / 5
12 oz. bottle, 6.0% ABV, ? IBU

Wow, a third really good coffee stout in one night. USA! USA!

Earlier I had Jingle Java, by Bent River, out of Rock Island, Illinois. I’ve heard Bent River has an amazing imperial stout festival. The Jingle Java was actually a cut above this one, but this is still rather decent.

It’s not over the top amazing, like the Jingle Java. But this beer has an excellent demitasse essence.   Great creamy mouthfeel, despite the high carbonation.

Hmm.  As the level in my glass recedes, I see it’s actually nowhere near as good as the Jingle Java.  But it’s a solid brew.