How To Hack Your Own Password

[Haseeb] failed the marshmallow test as a kid. He has no self-control. He wastes a lot of time on reddit. There is a solution to this problem — simply lock yourself out of your account. The process is simple, and all you need to do is change your password to something random, change the recovery email address, and click submit. In the blink of an eye, all your imaginary Internet points vanish.

That’s the one guaranteed way to quit reddit. However, [Haseeb] wanted to hold onto those magic Internet points in the event they become worth something. This led to a far more baroque solution. He found a service that would email him at a later date, send an email to himself containing a random password, and quit reddit temporarily. Until that email was delivered, he was officially off reddit. When that email was received, productivity would stop.

A few years pass, and [Haseeb] had some time to kill at his new job. He decided to scrounge up his old password, only to discover he locked himself out of his Reddit account until 2018. What followed is a security exploit of an ’email me in the future’ service, and a great example of how much effort one person will commit to a lifetime of instant gratification.

The email service in question is LetterMeLater, a site that will send an email at some arbitrary point in the future. You can hide the body of the email from yourself, making this a fairly good solution for what [Haseeb] is doing. He was still locked out of his email, though, and emailing the people running LetterMeLater seemed absurd. Dopamine is fun, though, and [Haseeb] eventually found a workaround. This site indexes the body of an email for search. This is great, because the body of the email this site would send [Haseeb] in 2018 contained his reddit password and only his reddit password. With a little bit of code, he can perform substring queries on an email he can’t read. Now, extracting the password is simply a first year CS homework problem.

At this point, the only thing [Haseeb] knows about his password is that it’s a long string of random characters that probably doesn’t include upper-case characters. That’s 26 possible characters, 10 possible numbers, and a character bank that can be determined by searching his email one character at a time. [Haseeb] is essentially playing Hangman against his former self here.

After figuring out an API for LetterMeLater, [Haseeb] whipped up a quick bit of code that finds the password by searching substrings. It’s beautiful and recursive, although he did break it down into finding a suffix of the password then determining the remainder of the password. It took 443 iterations of the code to find the password, and when that was complete he logged into reddit. Math works, although [Haseeb] will have to figure out a way to wean himself off the opiate of the millennials again.

How to Find a Twitter Account

[Ashley Feinberg] is not one to say no to a challenge. When James Comey (the current Director of the Federal Bureau of Investigation for the United States of America) let slip that he has a secret Twitter and Instagram account, [Ashley] knew what she had to do.

At the beginning, [Ashley] knew only a few things: (1) Comey had recently joined twitter and (2) he only allows his “immediate relatives and one daughter’s serious boyfriend” to follow him. As such, [Ashely] deduced that “if we can find the Instagram accounts belonging to James Comey’s family, we can also find James Comey.”

To start, [Ashley] found the Instagram account of Comey’s 22-year-old son, a basketball star at Kenyon College. Not phased by Brien’s locked down Instagram account, [Ashley] requested access to Brien’s account in order to access the “Suggested for You” selections that are algorithmically generated from Brien Comey’s account. Sifting through the provided accounts [Ashley] found one that fit Comey’s profile: locked down with few friends. That account was named reinholdniebuhr. Not sure it was, in fact, James Comey, [Ashley] found Comey’s senior thesis on theologian Reinhold Niebuhr and televangelist Jerry Falwell as verification.

With Comey’s Instagram found, [Ashley] moved back to Twitter (something y’all can’t seem to get enough of). With only seven accounts on Twitter using some variation of “Reinhold Niebuhr” as a user name, [Ashley] was quickly able to narrow it down to one account (@projectexile7) via profiling, sealing the deal on an awesome hack filled quest. Can’t get enough of social media? Don’t worry, you never have to be disconnected.

Point and Click to an IoT Button

The availability of cheap WiFi boards like the ESP8266 and others means you can inexpensively put projects on the network. But there is still the problem of how to connect these devices to other places reliably. An Open Source project that attempts to make that whole effort point and click is Mongoose OS. The open source system works with the ESP8266, ESP32, and several other platforms. It is well integrated with Amazon’s IoT backend, but it isn’t locked to it.

Everyone wants to be your IoT broker and we see products appear (and disappear) regularly aimed at capturing that market. One common way to send and receive messages from a tiny device to a remote server is MQTT, an ISO standard made with resource-limited devices in mind. Many IoT services speak this protocol, including Amazon’s IoT offering. You can see how quick it is to flash an ESP8266 to make an Amazon IoT button in the video below. Although the video example uses Amazon, you can configure the system to talk to any public or private MQTT broker.

Continue reading “Point and Click to an IoT Button”

Amazon S3: Out Like a Light; On Like a Bathtub

You no doubt heard about the Amazon S3 outage that happened earlier this week. It was reported far and wide by media outlets who normally don’t delve into details of the technology supporting our connected world. It is an interesting thing to think that most people have heard about The Cloud but never AWS and certainly not S3.

We didn’t report on the outage, but we ate up the details of the aftermath. It’s an excellent look under the hood. We say kudos to Amazon for adding to the growing trend of companies sharing the gory details surrounding events like this so that we can all understand what caused this and how they plan to avoid it in the future.

Turns out the S3 team was working on a problem with some part of the billing system and to do so, needed to take a few servers down. An incorrect command used when taking those machines down ended up affecting a larger block than expected. So they went out like a light switch — but turning that switch back on wasn’t nearly as easy.

The servers that went down run various commands in the S3 API. With the explosive growth of the Simple Storage Service, this “reboot” hadn’t been tried in several years and took far longer than expected. Compounding this was a backlog of tasks that built up while they were bringing the API servers back online. Working through that backlog took time as well. The process was like waiting for a bathtub to fill up with water. It must have been an agonizing process for those involved, but certainly not as bad as the folks who had to restore GitLab service a few weeks back.

[via /r/programming]

Grant Anyone Temporary Permissions to Your Computer with SSH

This is a super cute hack for you Linux users out there. If you have played around with SSH, you know it’s the most amazing thing since sliced bread. For tunneling in, tunneling out, or even just to open up a shell safely, it’s the bees knees. If you work on multiple computers, do you know about ssh-copy-id? We had been using SSH for years before stumbling on that winner.

Anyway, [Felipe Lavratti]’s ssh-allow-friend script is simplicity itself, but the feature it adds is easily worth the cost of admission. All it does is look up your friend’s public key (at the moment only from GitHub) and add it temporarily to your authorized_keys file. When you hit ctrl-C to quit the script, it removes the keys. As long as your friend has the secret key that corresponds to the public key, he or she will be able to log in as your user account.

Continue reading “Grant Anyone Temporary Permissions to Your Computer with SSH”

Servo-Controlled IoT Light Switches

The Internet of Things is fun to play with; there’s all manner of devices to automate and control remotely. It can be sketchy, though — make a mistake when coding your automatic plant watering system and you could flood your house. Make a mistake with a space heater and you could burn it down. Combine these risks with the fact that many people live in rental properties, and it can be a difficult proposition to bring the Internet of Things to your home.

[Suyash] came up with a way around this by building 3D printed light switch covers that add servo control. It’s a great solution that it doesn’t require the modification of any mains wiring, and interfaces with the standard switches in the normal way. It makes it a lot safer this way — there are municipal wiring codes for a reason. This is a great example of what you can do with a 3D printer, above and beyond printing out Yoda heads and keychains.

The backend of things is handled by the venerable ESP8266, with [Suyash]’s custom IoT library known as conduit doing the heavy lifting. The library is a way to quickly build IoT devices with web interfaces, and [Suyash] claims it’s possible to be blinking an LED from the cloud within 5 minutes using the tool.

For another take on an IoT light switch, check out this Hackaday Prize entry from 2016.

Building an IoT Drill Press for Reasons Unknown

He’s a little cagey about the reasons, but [Ivan Miranda] plans to put a drill press on the internet. What could go wrong with that?

We’ll take [Ivan] at his word that there’s a method to this madness and just take a look at the build itself, in the hopes that it will inspire someone to turn their lowly drill press into a sorta-kinda 2-axis milling machine. [Ivan] makes extensive use of his 3D printer to fabricate the X-axis slide that bolts to the stock drill press table. And before anyone points out the obvious, [Ivan] already acknowledges that the slide is way too flimsy to hold up to much serious drilling, especially considering the huge mechanical advantage of the gearing he used to replace the quill handle for a powered Z-axis. The motor switch was also replaced with a solid state relay. The steppers, relay, and limit switches are all fed into a Teensy that talks to an ESP8266, which will presumably host a web interface to put this thing online.

The connected aspects of the drill press become a little more clear after the break.

Continue reading “Building an IoT Drill Press for Reasons Unknown”