If we wanted to take a look at the statistics behind 4-digit pin numbers how could we do such a thing? After all, it’s not like people are just going to tell you the code they like to use. It turns out the databases of leaked passwords that have been floating around the Internet are the perfect source for a little study like this one. One such source was filtered for passwords that were exactly four digits long and contained only numbers. The result was a set of 3.4 million PIN numbers which were analysed for statistical patterns.
As the cliché movie joke tells us, 1234 is by far the most commonly used PIN to tune of 10% (*facepalm*). That’s followed relatively closely by 1111. But if plain old frequency were as deep as this look went it would make for boring reading. You’ll want to keep going with this article, which then looks into issues like ease of entry; 2580 is straight down the center of a telephone keypad. Dates are also very common, which greatly limits what the first and last pair of the PIN combination might be.
We’ll leave you with this nugget: Over 25% of all PINs are made of just 20 different number (at least from this data set).
[Matt] has mixed up a batch of two RFID reading door lock systems. While the “door lock” part of the setup has yet to come into existence, the “RFID reading” section is up and running. By using the Parallax RFID readers (for cheap, remember?) and an Arduino, [Matt] is able to parse an RFID tag, look its number up in a database, and then have a computer announce “Access Denied” in a creamy “Douglas Adam’s sliding door of Hitchiker’s Guide” kind of way with Python.
Good books aside, catch a not as exciting as you’re thinking video after the jump.
Continue reading “Arduino, RFID, and you”
Whenever someone manages to expose vulnerabilities in everyday devices, we love to root for them. [Adrian] over at Irongeek has been inspired to exploit barcodes as a means to attack a POS database. Based on an idea from a Pauldotcom episode, he set out to make a rapid attack device, using an LED to spoof the signals that would be received by scanning a barcode. By exposing the POS to a set of generic database attacks, including XSS, SQL Injection, and other errors easily solved by input sanitation, he has created the first version of an automated system penetration device. In this case the hardware is simple, but the concept is impressive.
With the hardware explained and the source code provided, as well as a basic un-sanitized input cheat sheet, the would-be barcode hackers have a great place to start if they feel compelled to provide a revision two.
[Thanks Robert W.]
Starting a new robotics project and want to find the perfect servo for the job? It can be a real pain in butt sometimes. This is where ServoDatabase.com comes in. They’re compiling specifications and reviews on servos. We love seeing these databases pop up. Remember the online chip reference? You simply can not have too much reference material.
Quick: which pins are used for I2C on an ATmega168 microcontroller?
If you’re a true alpha geek you probably already know the answer. For the rest of us, ChipDB is the greatest thing since the resistor color code cheat sheet. It’s an online database of component pinouts: common Atmel microcontrollers, the peripheral ICs sold by SparkFun, and most of the 4000, 7400 and LMxxx series parts.
The streamlined interface, reminiscent of Google, returns just the essential information much quicker than rummaging through PDF datasheets (which can also be downloaded there if you need them). And the output, being based on simple text and CSS, renders quite well on any device, even a dinky smartphone screen.
Site developer [Matt Sarnoff] summarizes and calls upon the hacking community to help expand the database:
“The goal of my site isn’t to be some comprehensive database like Octopart; just a quick reference for the chips most commonly used by hobbyists. However, entries still have to be copied in manually. If anyone’s interested in adding their favorite chips, they can request a free account and use the (very primitive at this point) part editor. Submissions are currently moderated, since this is an alpha-stage project.”
mySQLgame is a quirky App Engine game that has decided to forgo flashy UIs and just stick with the core of the system: a database. You start the game by creating your own row in the shared game database. Game time increments your fuel and money resources every ten seconds. Fuel is spent on scanning other rows and for attacking. Money is used for upgrades and building units. Build up resources and attack your neighbors using database queries, just like any other game. Like a bit more gloss on your internet metagames? Have a look at trolling simulator Forumwarz.
Linux Journal’s [Mike Diehl] pointed out an interesting tool for manipulating data: Sprog. Sprog lets you assemble machines to complete specific data processing tasks. You snap together gears that read input data, process the data in different ways, and then output the results. The input could be a file, URL, database query results, or even MIDI notes. For processing you could be matching patterns, selecting csv columns, converting to uppercase, or executing arbitrary Perl code amongst many other options. Finally the output could be shown in a text window, inserted into a database, written to a file, or sent to your spreadsheet application. Sprog’s site has a section for user uploaded gears and a recipe section for examples like this crossword puzzle solver. Everything Sprog does could be done with scripting, but this is a simple graphical tool that could help you solve a problem without having to know the gory machinery behind it.