Developed on Hackaday: Setting Up the Project’s Infrastructure

2013-12_Developed_on_Hackaday

We’re pretty sure that most of our readers already know it by now, but we’ll tell you anyway: the Hackaday community (writers and readers) is currently developing an offline password keeper. In the first post of our first DoH series, we introduced the project and called for contributors. In the comments section, we received very interesting feedback as well as many feature suggestions that we detailed in our second write-up. Finally, we organized a poll that allowed everyone to vote on the project’s name.

The results came in: the project’s name will be mooltipass. We originally had thought of ‘multipass’ but [asheets] informed us that Apple and Canon had both applied for this trademark. [Omegacs] then suggested ‘mooltipass’ as an alternative, which we loved even more. A few days ago we set up a google group which is already very active.

An often under-estimated side of a community driven project is its infrastructure and management. (How) can you manage dozens of motivated individuals from all over the globe to work on a common project? How can you keep the community informed of its latest developments?

[Read more...]

Developed on Hackaday: First Feedback From Users

2013-12_Developed_on_Hackaday

Holy cr*p guys… we were amazed by the quantity of positive feedback that was left in the comments section of our last article. We have been featured by Slashdot ! We got plenty of project name suggestions, therefore we organized a poll located at the end of this post to let you decide which one is best. I also received many emails from people eager to start contributing to this offline password keeper project. If you missed the call and want to get involved, it’s still not too late. You can get in touch with me @ mathieu[at]hackaday[dot]com. So far, we have many beta testers, several software developers, one security assessor and a few firmware developers. Next step is to create a mailing list and a Hackaday forum category once the project’s name has been chosen.

Obviously, the very first post of our “Developed On Hackaday” series was to gauge your initial reactions to this ‘new’ project. Notice here the double quotes, as when someone has a new idea there usually are only two possibilities that may explain why it doesn’t exist in the market yet: either it is completely stupid or people are already working on it. In our case, it seems we are in the second category as many readers mentioned they wanted to work/were working/had worked on a similar product. As we’re selfish, we offered them to contribute to this new device.

To ensure that all of our readers are on the same page as to how the device will work we embedded a simple block diagram after the break, as well as a list of all new functionalities that we want to implement given the feedback we received. So keep reading to see what the future holds, as well as to vote on this new project’s name…

[Read more...]

Developed on Hackaday: Let’s Build Some Hardware!

2013-12_Developed_on_Hackaday

We’re pretty sure that most of you already know that a few months ago Hackaday was bought by SupplyFrame, who therefore became our new evil overlords. We do hope you’ve noticed that they’re actually quite nice, and in their divine goodness they recently gave the go-ahead on this series called Developed on Hackaday.

A new project will be made by the Hackaday staff & community and will hopefully be brought to the consumer market. For those who don’t have the time/experience to get involved in this adventure, we want to show and document what it takes to bring an idea to the marketable product stage. For the others, we would like to involve you in the design/development process as much as possible. Obviously, this project will be open source hardware/software. This time around, the hardware will mainly be developed by yours truly. You may already know me from the whistled platform (currently sold on Tindie) or from all the different projects described on my website, which makes this new adventure far from being my first rodeo.

What’s in it for the contributors? During all the steps of this project, we’ll offer many rewards as well as hand-soldered first prototypes of the device so you can start playing/testing it. Nothing is set in stone so every suggestion is welcome. Should we make a Kickstarter-like campaign to manufacture the final product, we’ll only do so once our prototype is final, our partners are chosen and all details of the production process are set and confirmed. In that case, we will just need to gather the required funds to make the device a reality. What are we going to build? Keep reading to find out.

[Read more...]

Hidden RFID reader locks workstation unless keys are present

hidden-rfid-workstation-lock

We don’t know how [Kristoffer Marshall] found himself with free time at work, but he used it to beef up his computer security. Above is the finished project. There is literally nothing to see here. He’s rigged up a hidden RFID reader which locks and unlocks his workstation.

The security of the system depends on xscreensaver, which has a password protected lock feature already built into it. When the tag is removed from the reader’s field it fires up the screensaver using a Perl script.

But waking up from the screensaver is a bit more tricky. The package doesn’t allow you to wake it from the command line — most likely for security. He found the xdotool to be of great use here. It is a command line tool which simulates keyboard and mouse entry. His script detects when the xscreensaver password prompt is on the screen and uses the xdotool to fill in [Kristoffer's] password. Since the script knows what has focus it won’t give away your password by accident.

See the complete setup in the clip after the break.

[Read more...]

25 GPUs brute force 348 billion hashes per second to crack your passwords

multiple-gpu-password-cracker

It’s our understanding that the video game industry has long been a driving force in new and better graphics processing hardware. But they’re not the only benefactors to these advances. As we’ve heard before, a graphics processing unit is uniquely qualified to process encryption hashes quickly (we’ve seen this with bitcoin mining). This project strings together 25 GPU cards in 5 servers to form a super fast brute force attack. It’s so fast that the actual specs are beyond our comprehension. How can one understand 348 billion hashes per second?

The testing was used on a collection of password hashes using LM and NTLM protocols. The NTLM is a bit stronger and fared better than the LM, but that’s not actually saying much. An eight character NTLM password will fall in 5.5 hours, while a 14 character LM hash makes it only about six minutes before the solution is discovered. Of course this type of hardware is only good if you have a copy of the password hashes themselves. Login protocols will lock out after a certain number of attempts and have measures in place to slow down automated systems like this one.

[via Boing Boing]

Token authentication for Gmail using a eZ430 Chronos watch

Two-factor authentication allows you to use your chosen password, as well as a one-time password to help keep your services secure. The one-time passwords traditionally come from a dedicated piece of hardware, but there are also solutions for smart phones. [Patrick Schaumont] shows how a TI eZ430 Chronos Watch can be used to generate authentication tokens. After walking through the process he uses it to beef up his gmail login.

This method of token authentication is often called Time-based One Time Passwords (TOTP). It’s part of the Open Authentication (OATH) initiative, which seeks to sort out the password-hell that is modern computing. A portable device generates a password by applying an algorithm and a private encryption key to an accuarte time-stamp. On the server side of things a public key is used to verify the one-time password entered based on the server’s own time-stamp. In this case the portable device is the Chronos watch and the server is Google’s own TOTP service.

You can do this with other simple microcontrollers, we’ve even seen an Arduino implementation. But the wrist-watch form factor seen here is by far the most convenient — as long as you always remember to wear the watch.

[Thanks Oxide]

Investigating the strength of the 4-digit PIN

If we wanted to take a look at the statistics behind 4-digit pin numbers how could we do such a thing? After all, it’s not like people are just going to tell you the code they like to use. It turns out the databases of leaked passwords that have been floating around the Internet are the perfect source for a little study like this one. One such source was filtered for passwords that were exactly four digits long and contained only numbers. The result was a set of 3.4 million PIN numbers which were analysed for statistical patterns.

As the cliché movie joke tells us, 1234 is by far the most commonly used PIN to tune of 10% (*facepalm*). That’s followed relatively closely by 1111. But if plain old frequency were as deep as this look went it would make for boring reading. You’ll want to keep going with this article, which then looks into issues like ease of entry; 2580 is straight down the center of a telephone keypad. Dates are also very common, which greatly limits what the first and last pair of the PIN combination might be.

We’ll leave you with this nugget: Over 25% of all PINs are made of just 20 different number (at least from this data set).

[Thanks Awjlogan]