-1 Factor Authentication (negative trustworthiness elements)

a box full of used lanyards

Many places of work implement forms of security that are used as part of a human’s trust gestalt, their holistic group identity calculation, that are actually more trouble than they’re worth.

Take for example, the lanyard. Some are pretty fancy. Some might just be a colour, or have basic text on them like “STAFF” or “VISITOR”. Insisting that everyone wears one, as if it increases security, is counter-productive. It is being used as a visual shiboleth, when in fact it is trivial to (pronounce) get hold of. If I meet a stranger in the corridor, and they’ve got a lanyard on, I might be less inclined to challenge them, my internal Bayesian graph has just afforded them a bit more trust weight. I don’t ask to see their ID card. I don’t ask “can I help you?” or “who are you here to see?”.

Bad ID badges are possibly worse. These can be printed on any inkjet printer- indeed the hardest thing might be to simulate the crappy quality most specialised badge printers seem to be capable of. But they are trusted far more than a lanyard, and easier to replicate at home, from a photo taken covertly or downloaded from the company website.

Even in places where the badges are normally scrutinised closely on entry, a little fire drill, with the mass exodus and subsequent mass ingress, and you will sail right in.

The box in the picture? 10p per lanyard at a car boot sale. Didn’t rummage around, but you can see ones for Oracle. Granted, these were probably from where they were sponsoring a sporting event or conference, but you never know what little ledges you can use as a springboard.

Pair…configuring?

One of the aspects of XP that also shows up in related styles of development, such as agile, is pair programming.

This is where you work as a team of two, at the same workstation. One of you is the pilot, operating the keyboard. The other is the co-pilot or navigator, and they sit off to the side, observing. Every so often, you switch roles.

Two programmers at work, pair programming. The pilot on the right, at the keyboard, with the navigator to the left. CC BY 2.0 wocintechchat.com
Programmers working as a pair

Continue reading “Pair…configuring?”

CamShow – webcam document visualiser application for educators

CamShow is a simple desktop application for teachers, lecturers or anyone who wants to demonstrate little things up on a big screen.

CamShow in action
CamShow in action

The short version is this- it’s a little app that lets you use a webcam to show real, physical documents on your PC (and therefore your smartboard), and it has a vertical flip option in case you want to mount the camera at the rear of your table.

Continue reading “CamShow – webcam document visualiser application for educators”

Insecurity Questions

One frequent back door installed by the web site operators themselves, is the security question.

What was your first pet?
What was your mother’s maiden name?
Where were you born?
What was your first school?

These are very often what stands between an attacker and your account. Other info is used in more “serious” contexts, such as applying for a passport, or banking, but these are given out to many agencies, and crucially, never change over your lifetime. Who would countenance a single, life-long, and simplistic, password?

Give your friends a quick quiz, and find out how much of this they know already. How much of it do you know about them? Chances are, few if any know your National Insurance number off the top of their head, but they might know where you keep your household files. How many documents could they photo whilst you are in the bathroom?

You can’t choose your own NI or Social Security number, but you can choose to give fake information in response to security questions. Of course, they’re there as a backup form of access when you’ve forgotten your password, so how can you get better security without risking being permanently locked out?

No, I’m asking.

Product recall subterfuge

Here’s one that’s so simple it must be happening already.

Spam targets with emails containing an alarming, but plausible product recall notice. Receive their details, or even their product, in return.

I received an email a few days ago from a manufacturer of computing devices, and it came from a domain I didn’t recognise, making me immediately suspicious- turned out to be genuine, but it made me think of this.

Improvements

This’ll only work if people have that device, but you may be able to sharpen your spear by frequenting owner forums (especially check out .sigs where users may inform/boast of owning a particular model), or hacking product website data. Use their name or purchase date if you can.

Don’t go overboard with the fear angle, but make it something where their worry of going out-of-warranty can be used against them. Have it be a potential issue (“23% of affected models emit smoke” after 6 months). Provide a pre-paid label to download, or even offer to pick it up via courier, minimising.

Obviously, tech devices like phones and laptops are best, anything with data on, or otherwise compromisable- a smoke alarm could be fitted with a listening device.

The recall I received was for a laptop battery, which in modern laptops are usually well sealed up, and there’s certainly likely to be some where the electrical interface contains some data lines, which may be exploitable, or merely, again, somewhere we could hide a bugging device. What’s more, the option I chose was a self-install kit, really minimising our exposure to the target, and making them less likely to reject it (who wants to be without their laptop for long?).

Defence

Mainly, go to manufacturer’s site and check for product recall there, contact support.

Virtualmin admin scripts

The college’s neongrit linux server uses Virtualmin/Usermin to handle the admin of users, and providing those users with a web interface to configure things like how apache works for their virtual host, creating new databases, etc.

It’s a very useful framework, and has most of the essentials we needed, but I wrote a few scripts in Perl to assist me with some frequent tasks, the way that fit me- which is perhaps more true of sysadmin scripts than any other sort of software, that they are built to scratch an itch. Here’s one to assist batch adding of users and creating them a virtual web host.

Continue reading “Virtualmin admin scripts”

Grokking the subnet mask

I’ve noticed that many networking students have few problems answering questions about the simpler, classful networks and their subnet masks. But then many struggle when problems involve CIDR networks.

I think it’s because beginners have grasped the basics using some rules of thumb, but not the underlying principles.

When we take the class C netmask, 255.255.255.0, the shortcut thought is that the magic number 255 means “part of network”, and magic 0 means “part of host address”. But if that’s all you know, then as soon as you see a netmask like 255.255.192.0, you’re stumped. What does the 192 mean?

Continue reading “Grokking the subnet mask”

JavaScript userscripts

Problem

I was playing a browser-based game that required me to perform an action at 04:00. And I wanted to be asleep at 4am.

One thing I want all budding web developers to remember is this- your application front end is running on someone else’s computer. In what is effectively a debug environment. Developers need to ensure there is no trust between the client and the server (the other way around is fine, however).

Because the code is not compiled, it is even easier to dig into the code- the HTML and JavaScript -and make changes.

But I didn’t need to go that far.

Using Firefox, and hitting Ctrl-Shift-K, brings up the Web Console. From here, we can look at messages, errors and warnings, but we can also issue commands in JavaScript.

Solution

setTimeout(function() {document.getElementsByName("act_use")[0].click()}, 120*60*1000);

Let’s break it down. First, I need to trigger something in the future. That calls for setTimeout() (setInterval() if we wanted to keep triggering again and again).
setTimeout() takes two arguments, which we might call what and when. what needs to be a function- not the result of a function, but a reference to a function, and if you won’t be using it elsewhere, you might as well inline it, as above. The when is the delay time in milliseconds.

The function body will contain all the instructions we want to carry out. I wanted to simulate a button press on a button element. So the next step is to get a reference to that element. Looking at it, I could see it hadn’t got an id attribute, but it did have a unique value for its name attribute. So that indicates use of document.getElementsByName(). Note that it is “Elements” and not “Element”, because name isn’t necessarily unique on a page. So it returns an array, of which I wanted just the zeroth element- so my call needs the index [0] suffixed to it:

document.getElementsByName("act_use")[0]

This expression should now be a reference to the button element. And what did I want to do with it? Click it. Luckily, there is a function available to us, click(). We can just tack that onto the end, and that’s all our function needs to do.

There’s not much to say about the delay, but note how I have used an expression, not just a literal. That’s to allow me to edit it more easily in future. The 120 is the number of minutes, and I can change it directly, as opposed to working out how many milliseconds it would be.

So, leaving my computer awakw, and the browser open, I issued the command in the Web Console, and came back down in the morning to find it had worked like a charm. Itch, scratched.

If you want to explore this further, might I recommend you take a look at GreaseMonkey or TamperMonkey, for permanent scripting you can apply to pages you visit?

Homebrew Intervalometer

I wanted an intervalometer for my Canon DSLR, which at the time, rather miserly did not contain. An intervalometer is a device to take exposures at regular periods. It’s great for time-lapse work. Their own add-on was quite pricey. Even knock-offs were more than I thought was worth it. And besides, I wanted a project where I could make my own printed circuit board, or PCB.

So I thought I’d build one myself. The fanciest way would have been something to talk USB, which could have made all sorts of changes to the camera settings per-shot, but I went with the ultra-simple “bulb” interface. All you need to do is close the circuit between two contacts, present on an unscrupulously proprietary interface on the camera. A simple switch would work. So would a relay, if you want to automate it. But a relay uses quite a bit of current to operate, and one useful property any intervalometer can have is to run for a long time on a small battery.

So I elected to use an opto-isolator. These devices are totally electrically unconnected to the power they are switching, as they work by the input current switching on an LED inside an IC-style package, which shines onto a light-sensitive transistor, which switches on, allowing the current to flow through it. There is nothing other than light going between the two sides of the opto-isolator, and only in one direction at that!

I experimented to find what the shortest was that I could close the circuit and have the camera reliably take a photo, and wrote a short program to activate the pin that would turn on the opto-isolator for that time, and then sleep until time to fire again. I added an LED to visualise what was going on.

I designed the PCB in, erm, PCB.

This was printed out with a mono laser printer, onto the very glossy, flimsy inserts you get in newspapers, advertising, usually, cash for gold, or takeaways that sell EVERY FOOD EVER. Place this onto some clean, copper PCB board, and apply a hot iron. The kind you do shirts with, not a soldering iron. This melts the plastic toner binder, and it should preferentially stick to the copper. You then wash and very gently clean off the paper, and you’re left with the black toner where you want the copper to remain.

This goes into the etchant, which was hot ferric chloride in solution. Once this is complete, you can, again, carefully, clean off the toner, to re-expose the copper.

Next, drill the holes for the component pins. Highly recommend not doing this by hand, PCB drills are super brittle and will easily snap off. Then, solder the components in place. As a temporary housing, I think I used a box that some cufflinks came in.

The microcontroller was programmed with the following code:

/*
 * intervalometer.c
 *
 * Created: 22/07/2011 22:12:03
 * Author: Phil Bambridge <phil@swedeheart.net>
 */ 

#include <avr/io.h>
#include <avr/interrupt.h>

#define FALSE 0
#define TRUE 1

unsigned volatile int systime = 0;

ISR(TIMER0_COMPA_vect) {
	// Given our setup, this being called means a millisecond has elapsed
	systime++;
}

void delay (int mssecs) {
	int timenow = systime;
	while(systime - timenow < mssecs) {
		MCUCR |= 1 << 5; // Disable sleep guard
		asm("sleep"); // We'll wake up when the timer counts a millisecond and throws an interrupt
		MCUCR &amp;= ~(0|1<<5); // Enable sleep guard again
	}
}

int main(void)
{
	SREG |= 1 << 7; // Enable global interrupts flag
	ACSR |= 1 << 7; // Turns off the unneeded analog comparator
	PRR |= 1 << 0 | 1 << 1 | 1 << 3; // Turn off the ADC, the Serial and Timer 1 respectively

	// Set up timer for a 1KHz interrupt- for 8MHz operation, that's a 1/64 prescaler, and a count of 124.
	// For 1 MHz (default) operation we'd go with a 1/8 precaler.
	OCR0A = 124; // Count to 124
	TCCR0A |= 1 << 1; // Clear timer when we hit that count set above
	TIMSK |= 1 << 4; // Enable the interrupt
	TCCR0B = 0x2; // 1/8 prescaler, also enables the timer-counter.

	// Set all three output pins low, then set to output.
	PORTB = 0;
	DDRB = 0 | 1 << DDB0 | 1 << DDB2 | 1 << DDB3;

	while(1) // Run forever
	{
		// Put shutter and indicator high
		PORTB |= (1 << PORTB0 | 1 << PORTB3);
		delay(75);
		// Put shutter and indicator low
		PORTB &amp;= ~(0 | 1 << PORTB0 | 1 << PORTB3);
		delay(2000);
	}
}

By way of comparison, if I’d done this with an Arduino, the code would look something like this as a close approximation- it’s basically the blink sketch:

#define OPTO 12

// the setup function runs once when you press reset or power the board
void setup() {
  // initialize digital pin 12 as an output.
  pinMode(OPTO, OUTPUT);
}

// the loop function runs over and over again forever
void loop() {
  digitalWrite(OPTO, HIGH);   // turn on the opto-isolator (open camera shutter)
  delay(75);                  // wait for 75ms
  digitalWrite(OPTO, LOW);    // turn off the opto-isolator (close camera shutter)
  delay(2000);                // wait for a 2 seconds
}

As you can see, it’s a lot fewer lines of code. The Arduino preprocessor builds the real code after you hit the compile button (if/when you know C, you realise that what you see in the Arduino IDE can’t be the whole story), we can find the actual code in a temp file. In this case it was 8036 lines, 90% of which were comments. Not a bad read for a lazy Sunday afternoon. Point is, it’s doing lots of things behind the scenes that you don’t know about. Doing it by hand not only allows you to target more chips, but you can speed up a lot of routines, and save battery power.