Ask Hackaday: Security Questions And Questionable Securities

Your first school. Your mother’s maiden name. Your favorite color. These are the questions we’re so used to answering when we’ve forgotten a password and need to get back into an account. They’re not a password, yet in many cases have just as much power. Despite this, they’re often based on incredibly insecure information.

Sarah Palin’s Yahoo account is perhaps the best example of this. In September 2008, a Google search netted a birthdate, ZIP code, and where the politician met her spouse. This was enough to reset the account’s password and gain full access to the emails inside.

While we’re not all public figures with our life stories splashed across news articles online, these sorts of questions aren’t exactly difficult to answer. Birthdays are celebrated across social media, and the average online quiz would net plenty of other answers. The problem is that these questions offer the same control over an account that a password does, but the answers are not guarded in the same way a password is.

For this reason, I have always used complete gibberish when filling in security questions. Whenever I did forget a password, I was generally lucky enough to solve the problem through a recovery e-mail. Recently, however, my good luck ran out. It was a Thursday evening, and I logged on to check my forex trading account. I realised I hadn’t updated my phone number, which had recently changed.

Upon clicking my way into the account settings, I quickly found that this detail could only be changed by a phone call. I grabbed my phone and dialed, answering the usual name and date of birth questions. I was all set to complete this simple administrative task! I was so excited.

“Thanks Lewin, I’ll just need you to answer your security question.”

“Oh no.”

“The question is… Chutney butler?”

“Yes. Yes it is. Uh…”

“…would you like to guess?”

Needless to say, I didn’t get it.

I was beginning to sweat at this point. To their credit, the call center staffer was particularly helpful, highlighting a number of ways to recover access to the account. Mostly involving a stack of identification documents and a visit to the nearest office. If anything, it was a little reassuring that my account details required such effort to change. Perhaps the cellular carriers of the world could learn a thing or two.

In the end, I realised that I could change my security question with my regular password, and then change the phone number with the new security question. All’s well that ends well.

How Do You Deal With Security Questions?

I want to continue taking a high-security approach to my security questions. But as this anecdote shows, you do occasionally need to use them. With that in mind, we’d love to hear your best practices for security questions on accounts that you care about.

Do you store your answers in a similar way to your passwords, using high-entropy answers for the best security? When you are forced to use preselected questions, do you answer honestly or make up nonsensical answers (and how do you remember what you answered from one account to the next)? When given the option to choose your own questions, what is your simple trick that ensures it all makes sense to you at a later date?

We’d love to hear your best-practice solutions in the comments. While you ponder those questions, one mystery will remain, however — the answer to the question that nobody knows: Chutney butler?

Network Analysers: The Electrical Kind

Instrumentation has progressed by leaps and bounds in the last few years, however, the fundamental analysis techniques that are the foundation of modern-day equipment remain the same. A network analyzer is an instrument that allows us to characterize RF networks such as filters, mixers, antennas and even new materials for microwave electronics such as ceramic capacitors and resonators in the gigahertz range. In this write-up, I discuss network analyzers in brief and how the DIY movement has helped bring down the cost of such devices. I will also share some existing projects that may help you build your own along with some use cases where a network analyzer may be employed. Let’s dive right in.

Network Analysis Fundamentals

As a conceptual model, think of light hitting a lens and most of it going through but part of it getting reflected back.

The same applies to an electrical/RF network where the RF energy that is launched into the device may be attenuated a bit, transmitted to an extent and some of it reflected back. This analysis gives us an attenuation coefficient and a reflection coefficient which explains the behavior of the device under test (DUT).

Of course, this may not be enough and we may also require information about the phase relationship between the signals. Such instruments are termed Vector Network Analysers and are helpful in measuring the scattering parameters or S-Parameters of a DUT.

The scattering matrix links the incident waves $a_1$, $a_2$ to the outgoing waves $b_1$, $b_2$ according to the following linear equation:

\[ \begin{bmatrix} b_1 \\ b_2 \end{bmatrix} = \begin{bmatrix} S_{11} & S_{12} \\ S_{21} & S_{22} \end{bmatrix} \begin{bmatrix} a_1 \\ a_2 \end{bmatrix} \]

The equation shows that the S-parameters are expressed as the matrix S, where and denote the output and input port numbers of the DUT.

This completely characterizes a network for attenuation, reflection as well as insertion loss. S-Parameters are explained in more detail in Electromagnetic Field Theory and Transmission Line Theory, but suffice it to say that these measurements will be used to deduce the properties of the DUT and generate a mathematical model for the same.

General Architecture

As mentioned previously, a simple network analyzer would be a signal generator and a spectrum analyzer connected to work together. The signal generator would be configured to output a signal of a known frequency and the spectrum analyzer would be used to detect the signal at the other end. Then the frequency would be changed to another and the process repeats, such that the system sweeps a range of frequencies and the output can be tabulated or plotted on a graph. In order to measure reflected power, a microwave component such as a magic-T or a directional coupler is needed; all of this, however, is usually built into modern-day VNAs.
Continue reading “Network Analysers: The Electrical Kind”
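To make the S-parameter relation and the sweep described above concrete, here is an added example (not code from the original article) that builds the S-matrix of the simplest possible two-port, a single series impedance between the ports, applies the b = S a relation, and then sweeps a series capacitor over frequency the way the generator/analyzer pair does. The 50-ohm reference impedance, the 100 pF capacitor and the frequency grid are assumptions chosen for illustration; the series-element formulas S11 = z/(z + 2Z0) and S21 = 2Z0/(z + 2Z0) are the standard textbook result.

```python
import math

Z0 = 50.0  # reference impedance in ohms (assumption: a 50-ohm system)


def series_impedance_sparams(z, z0=Z0):
    """S-matrix of a two-port consisting of one series impedance z between
    the ports. Standard result for a series element:
        S11 = S22 = z / (z + 2 z0),   S21 = S12 = 2 z0 / (z + 2 z0).
    z may be real (resistor) or complex (reactive element)."""
    denom = z + 2 * z0
    s11 = z / denom
    s21 = 2 * z0 / denom
    return [[s11, s21], [s21, s11]]


def apply_smatrix(s, a):
    """b = S a: maps incident waves [a1, a2] to outgoing waves [b1, b2]."""
    b1 = s[0][0] * a[0] + s[0][1] * a[1]
    b2 = s[1][0] * a[0] + s[1][1] * a[1]
    return [b1, b2]


def return_loss_db(s):
    """Reflection at port 1 with port 2 matched: -20 log10 |S11|."""
    mag = abs(s[0][0])
    return math.inf if mag == 0 else -20 * math.log10(mag)


def insertion_loss_db(s):
    """Transmission from port 1 to port 2 with port 2 matched: -20 log10 |S21|."""
    mag = abs(s[1][0])
    return math.inf if mag == 0 else -20 * math.log10(mag)


def dissipated_fraction(s):
    """Share of incident power neither reflected nor transmitted, i.e. lost
    inside the DUT. Zero for a lossless (purely reactive) element."""
    return 1 - abs(s[0][0]) ** 2 - abs(s[1][0]) ** 2


def sweep_series_capacitor(c_farads, freqs_hz, z0=Z0):
    """Scalar sweep like the generator/analyzer pair in the text: at each
    frequency compute the capacitor impedance 1/(j 2 pi f C), build its
    S-matrix and tabulate (frequency, insertion loss in dB)."""
    table = []
    for f in freqs_hz:
        z = 1 / (1j * 2 * math.pi * f * c_farads)
        table.append((f, insertion_loss_db(series_impedance_sparams(z, z0))))
    return table


if __name__ == "__main__":
    # A 50-ohm series resistor: one third of the wave is reflected, two
    # thirds transmitted, and 4/9 of the power is burned in the resistor.
    s = series_impedance_sparams(50.0)
    print("b for a=[1,0]:", apply_smatrix(s, [1.0, 0.0]))
    print(f"RL {return_loss_db(s):.2f} dB, IL {insertion_loss_db(s):.2f} dB, "
          f"dissipated {dissipated_fraction(s):.3f}")
    # Constructed sweep: 100 pF series capacitor, 1 MHz to 100 MHz, 7 points.
    freqs = [1e6 * 10 ** (k / 3) for k in range(7)]
    for f, il in sweep_series_capacitor(100e-12, freqs):
        print(f"{f / 1e6:8.2f} MHz  IL {il:6.2f} dB")
```

The resistor case shows the three outcomes the text lists, reflected, transmitted and attenuated, as numbers that must sum to the incident power; the capacitor sweep shows the high-pass shape that a real sweep would plot, with the 3 dB point where the capacitor's reactance equals 2 Z0.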

Linux Fu: X Command

Text-based Linux and Unix systems are easy to manipulate. The way the Unix I/O system works you can always fake keyboard input to another program and intercept its output. The whole system is made to work that way. Graphical X11 programs are another matter, though. Is there a way to control X11 programs like you control text programs? The answer to that question depends on exactly what you want to do, but the general answer is yes.

As usual for Linux and Unix, though, there are many ways to get to that answer. If you really want fine-grained control over programs, some programs offer control via a special mechanism known as D-Bus. This allows programs to expose data and methods that other programs can use. In a perfect world your target program will use D-Bus, but that is not always the case. So today we’ll look more for control of arbitrary programs.

There are several programs that can control X windows in some way or another. There’s a tool called xdo that you don’t hear much about. More common is xdotool, and I’ll show you an example of that. Also, wmctrl can perform some similar functions. There’s also autokey, which is a subset of the popular Windows program AutoHotKey.

Continue reading “Linux Fu: X Command”

Inventing The Induction Motor

When you think of who invented the induction motor, Nikola Tesla and Galileo Ferraris should come to mind. Though that could be a case of the squeaky wheel being the one that gets the grease. Those two were the ones who fought it out just when the infrastructure for these motors was being developed. Then again, Tesla played a huge part in inventing much of the technology behind that infrastructure.

Although they claimed to have invented it independently, nothing’s ever invented in a vacuum, and there was an interesting progression of both little guys and giants that came before them; Charles Babbage was surprisingly one of those giants. So let’s start at the beginning, and work our way to Tesla and Ferraris.

Continue reading “Inventing The Induction Motor”

Spy Tech: Nonlinear Junction Detectors

If you ever watch a spy movie, you’ve doubtlessly seen some nameless tech character sweep a room for bugs using some kind of detector and either declare it clean or find the hidden microphone in the lamp. Of course, as a hacker, you have to start thinking about how that would work. If you had a bug that transmits all the time, that’s easy. The lamp probably shouldn’t be emitting RF energy all the time, so that’s easy to detect and a dead giveaway. But what if the bug were more sophisticated? Maybe it wakes up every hour and beams its data home. Or perhaps it records to memory and doesn’t transmit anything. What then?

High-end bug detectors have another technique they use that claims to be able to find active device junctions. These are called Nonlinear Junction Detectors (NLJD). Spy agencies in the United States, Russia and China have been known to use them, and prisons employ them to find cell phones. Their claim to fame is that the device doesn’t have to be turned on for detection to occur. You can see a video of a commercial NLJD below.

Continue reading “Spy Tech: Nonlinear Junction Detectors”

The Narrowing Gap Between Amateur And Professional Fabrication

The other day I saw a plastic part that was so beautiful that I had to look twice to realize it hadn’t been cast — and no, it didn’t come out of a Stratasys or anything, just a 3D printer that probably cost $1,500. It struck me that someone who had paid an artisan to make a mold and cast that part might end up spending the same amount as that 3D printer. It also struck me that the little guys are starting to catch up with the big guys.

Haz Bridgeport, Will Mill

Sometimes it’s just a matter of getting a hold of the equipment. If you need a Bridgeport mill for your project, and you don’t have one, you have to pay for someone else to make the thing — no matter how simple. You’re paying for the operator’s education and expertise, as well as helping pay for the maintenance and support of the hardware and the shop it’s housed in.

I once worked in a packaging shop, and around 2004 we got in a prototype to use in developing the product box. This prototype was 3D printed and I was told it cost $12,000 to make. For the era it was mind blowing. The part itself was simplistic and few folks on Thingiverse circa 2017 would be impressed; the print quality was roughly on par with a Makerbot Cupcake. But because the company didn’t have a 3D printer, they had to pay someone who owned one a ton of cash to make the thing they wanted.

Unparalleled Access to Formerly Professional-Only Tools

But access to high end tools has never been easier. Hackerspaces and tool libraries alone have revolutionized what it means to have access to those machines. There are four or five Bridgeports (or similar vertical mills) at my hackerspace and I believe they were all donated. For the cost of membership, plus the time to get trained in and checked out, you can mill that part for cheap. Repeat with above-average 3D printers, CNC mills, vinyl cutters, lasers. The space’s South Bend lathe (pictured) is another example of the stuff most people don’t have in their basement shops. This group ownership model may not necessarily grant you the same gear as the pros, but sometimes it’s pretty close.
Continue reading “The Narrowing Gap Between Amateur And Professional Fabrication”

There Is No Such Thing As An Invalid Unit

The Mars Climate Orbiter was a spacecraft launched in the closing years of the 1990s, whose job was to have been to study the Martian atmosphere and serve as a communications relay point for a series of other surface missions. It is famous not for its mission achieving these goals, but for the manner of its premature destruction as its orbital insertion brought it too close to the planet’s atmosphere and destroyed it.

The ill-fated Mars Climate Orbiter craft. NASA [Public domain].
The cause of the spacecraft entering the atmosphere rather than orbiting the planet was found in a subsequent investigation to be a very simple one. Simplifying matters to an extent, a private contractor supplied a subsystem which delivered a reading whose units were in the imperial system to another subsystem expecting units in the SI, or metric, system. The resulting huge discrepancy caused the craft to steer towards the surface of the planet rather than the intended orbit, and caused the mission to come to a premature end. Billions of dollars lost, and substantially red faces among the engineers responsible.

This unit cock-up gave metric-using engineers the world over a brief chance to feel smug, as well as, if they were being honest, a chance to reflect on their good fortune at it not having happened on their watch. We will all at some time or another have made an error with respect to our unit calculations, even though in most cases it’s more likely to have involved a simple loss of a factor of ten, and not with respect to a billion-dollar piece of space hardware.

But it also touches on one of those fundamental divides in the world between the metric and imperial systems. It’s a divide that brings together threads of age, politics, geography, nationalism, and personal choice, and though it may be somewhere angels fear to tread (we’ve seen it get quite heated before, to the tune of 885+ comments), it provides a fascinating subject for anyone with an interest in engineering culture.

Continue reading “There Is No Such Thing As An Invalid Unit”