Ask Hackaday: Security Questions And Questionable Securities

Your first school. Your mother’s maiden name. Your favorite color. These are the questions we’re so used to answering when we’ve forgotten a password and need to get back into an account. They’re not a password, yet in many cases have just as much power. Despite this, they’re often based on incredibly insecure information.

Sarah Palin’s Yahoo account is perhaps the best example of this. In September 2008, a Google search netted a birthdate, ZIP code, and where the politician met her spouse. This was enough to reset the account’s password and gain full access to the emails inside.

While we’re not all public figures with our life stories splashed across news articles online, these sort of questions aren’t exactly difficult to answer. Birthdays are celebrated across social media, and the average online quiz would net plenty of other answers. The problem is that these questions offer the same control over an account that a password does, but the answers are not guarded in the same way a password is.

For this reason, I have always used complete gibberish when filling in security questions. Whenever I did forget a password, I was generally lucky enough to solve the problem through a recovery e-mail. Recently, however, my good luck ran out. It was a Thursday evening, and I logged on to check my forex trading account. I realised I hadn’t updated my phone number, which had recently changed.

Upon clicking my way into the account settings, I quickly found that this detail could only be changed by a phone call. I grabbed my phone and dialed, answering the usual name and date of birth questions. I was all set to complete this simple administrative task! I was so excited.

“Thanks Lewin, I’ll just need you to answer your security question.”

“Oh no.”

“The question is… Chutney butler?”

“Yes. Yes it is. Uh…”

“…would you like to guess?”

Needless to say, I didn’t get it.

I was beginning to sweat at this point. To their credit, the call center staffer was particularly helpful, highlighting a number of ways to recover access to the account. Mostly involving a stack of identification documents and a visit to the nearest office. If anything, it was a little reassuring that my account details required such effort to change. Perhaps the cellular carriers of the world could learn a thing or two.

In the end, I realised that I could change my security question with my regular password, and then change the phone number with the new security question. All’s well that ends well.

How Do You Deal with Security Questions?

I want to continue taking a high-security approach to my security questions. But as this anecdote shows, you do occasionally need to use them. With that in mind, we’d love to hear your best practices for security questions on accounts that you care about.

Do you store your answers in a similar way to your passwords, using high entropy for the best security? When you are forced to use preselected questions, do you answer honestly or make up nonsensical answers (and how do you remember what you answered from one account to the next)? When given the option to choose your own questions, what is your simple trick that ensures it all makes sense to you at a later date?

We’d love to hear your best-practice solutions in the comments. While you ponder those questions, one mystery will remain, however — the answer to the question that nobody knows: Chutney butler?

Linux Fu: X Command

Text-based Linux and Unix systems are easy to manipulate. The way the Unix I/O system works you can always fake keyboard input to another program and intercept its output. The whole system is made to work that way. Graphical X11 programs are another matter, though. Is there a way to control X11 programs like you control text programs? The answer to that question depends on exactly what you want to do, but the general answer is yes.

As usual for Linux and Unix, though, there are many ways to get to that answer. If you really want fine-grained control over programs, some programs offer control via a special mechanism known as D-Bus. This allows programs to expose data and methods that other programs can use. In a perfect world your target program will use D-Bus, but that is not always the case. So today we’ll look more at control of arbitrary programs.

There are several programs that can control X windows in some way or another. There’s a tool called xdo that you don’t hear much about. More common is xdotool and I’ll show you an example of that. Also, wmctrl can perform some similar functions. There’s also autokey which is a subset of the popular Windows program AutoHotKey.

Continue reading “Linux Fu: X Command”

Friday Hack Chat: All About Drones

In the future, drones will fill the skies. The world is abuzz (ha!) with news of innovative uses of unmanned aerial vehicles. Soon, our flying robotic overlords will be used for rescue operations, surveillance, counter-insurgency missions, terrorism, agriculture, and delivering frozen dog treats directly from the local Amazon aerodrome to your backyard. The future is nuts.

For this week’s Hack Chat, we’re going to be talking all about unmanned aerial vehicles. This is a huge subject, ranging from aeronautical design, the legal implications of autonomous flying machines, the true efficiency of delivering packages via drones, and the moral ambiguity of covering a city with thousands of mobile, robotic observation posts. In short, the future will be brought to us thanks to powerful brushless motors and lithium batteries.

Our guest for this week’s Hack Chat will be [Piotr Esden-Tempski], developer of UAV autopilot hardware for Paparazzi UAV. Paparazzi can be used for autonomous flight and control of multiple aircraft, and we’ll be talking about the types of embedded systems that can be used for these applications. [Piotr] is also the developer of the 1Bitsy ARM dev platform, the Black Magic Probe JTAG/SWD programmer/debugger and the founder of 1BitSquared.

In this Hack Chat, we’ll be discussing Open Source hardware design for UAVs, all things airborne robotics, the sensors that go into these flying robots, the stalled development (ay, another pun) of consumer and prosumer fixed-wing UAVs, ARM embedded systems, and JTAG and SWD programming and debugging. We’re also taking questions from the audience, and here’s the spreadsheet that will guide the discussion.

Here’s How To Take Part:

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging. This Hack Chat will be going down noon, Pacific time on Friday, September 22nd. Sidereal and solar getting you down? Wondering when noon is this month? Not a problem: here’s a handy countdown timer!

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

There Is No Such Thing As An Invalid Unit

The Mars Climate Orbiter was a spacecraft launched in the closing years of the 1990s, whose job was to have been to study the Martian atmosphere and serve as a communications relay point for a series of other surface missions. It is famous not for its mission achieving these goals, but for the manner of its premature destruction as its orbital insertion brought it too close to the planet’s atmosphere and destroyed it.

The ill-fated Mars Climate Orbiter craft. NASA [Public domain].
The cause of the spacecraft entering the atmosphere rather than orbiting the planet was found in a subsequent investigation to be a very simple one. Simplifying matters to an extent, a private contractor supplied a subsystem which delivered a reading whose units were in the imperial system to another subsystem expecting units in the SI, or metric, system. The resulting huge discrepancy caused the craft to steer towards the surface of the planet rather than the intended orbit, and brought the mission to a premature end. Billions of dollars lost, and substantially red faces among the engineers responsible.

This unit cock-up gave metric-using engineers the world over a brief chance to feel smug, as well as, if they were being honest, a chance to reflect on their good fortune at it not having happened on their watch. We will all at some time or another have made an error with respect to our unit calculations, even though in most cases it’s more likely to have involved a simple loss of a factor of ten, and not with respect to a billion dollar piece of space hardware.
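The engineering lesson from the orbiter is that a bare floating-point number crossing a subsystem boundary carries no record of its unit, so nothing can object when the sender and receiver disagree. The usual defence is to make the unit part of the value's type and refuse to combine mismatched quantities. The Python below is an added example, not code from the article or from any flight software; the conversion table is constructed, and the lbf·s versus N·s pair is used because impulse is the kind of thruster figure that crosses such a boundary.

```python
from dataclasses import dataclass

# Constructed table: unit -> (dimension, factor to the SI unit of that dimension).
UNITS = {
    "N*s": ("impulse", 1.0),
    "lbf*s": ("impulse", 4.4482216152605),   # pound-force seconds
    "m": ("length", 1.0),
    "ft": ("length", 0.3048),
}


class UnitMismatch(TypeError):
    """Raised when two quantities of different dimensions are combined."""


@dataclass(frozen=True)
class Quantity:
    value: float
    unit: str

    def __post_init__(self):
        if self.unit not in UNITS:
            raise ValueError(f"unknown unit {self.unit!r}")

    @property
    def dimension(self) -> str:
        return UNITS[self.unit][0]

    def to(self, unit: str) -> "Quantity":
        """Convert within one dimension; conversion across dimensions is an error."""
        if unit not in UNITS:
            raise ValueError(f"unknown unit {unit!r}")
        if UNITS[unit][0] != self.dimension:
            raise UnitMismatch(f"cannot convert {self.unit} to {unit}")
        factor = UNITS[self.unit][1] / UNITS[unit][1]
        return Quantity(self.value * factor, unit)

    def __add__(self, other: "Quantity") -> "Quantity":
        # Adding is only defined for the same dimension; the result keeps
        # the left operand's unit after converting the right one.
        if not isinstance(other, Quantity):
            raise UnitMismatch("cannot add a bare number to a Quantity")
        return Quantity(self.value + other.to(self.unit).value, self.unit)


def naive_total(readings) -> float:
    """The orbiter-style bug: sum raw floats and hope the units agree."""
    return sum(readings)


def typed_total(readings, unit: str = "N*s") -> Quantity:
    """Sum of typed quantities, reported in the requested unit."""
    total = Quantity(0.0, unit)
    for r in readings:
        total = total + r        # raises UnitMismatch on a wrong dimension
    return total


if __name__ == "__main__":
    # Two thruster firings: one logged in lbf*s by one subsystem, one in N*s.
    firings = [Quantity(10.0, "lbf*s"), Quantity(10.0, "N*s")]
    print("naive sum of raw numbers:", naive_total(q.value for q in firings))
    print("typed sum in N*s:", typed_total(firings))
    try:
        typed_total([Quantity(1.0, "N*s"), Quantity(1.0, "ft")])
    except UnitMismatch as e:
        print("rejected:", e)
```

The naive sum reports 20 where the real figure is about 54.5 N·s, and it does so silently; the typed version either gives the right answer or raises at the boundary where the mismatch actually occurs, which is the only place it is cheap to fix.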

But it also touches on one of those fundamental divides in the world between the metric and imperial systems. It’s a divide that brings together threads of age politics, geography, nationalism, and personal choice, and though it may be somewhere angels fear to tread (we’ve seen it get quite heated before to the tune of 885+ comments), it provides a fascinating subject for anyone with an interest in engineering culture.

Continue reading “There Is No Such Thing As An Invalid Unit”

In-Band Signaling: Quindar Tones

So far in this brief series on in-band signaling, we looked at two of the common methods of providing control signals along with the main content of a transmission: DTMF for Touch-Tone dialing, and coded-squelch systems for two-way radio. For this installment, we’ll look at something that far fewer people have ever used, but almost everyone has heard: Quindar tones.

Continue reading “In-Band Signaling: Quindar Tones”

London Calling: The Hackaday UK Unconference Roundup

A trip to London, for provincial Brits, is something of an undertaking from which you invariably emerge tired and slightly grimy following your encounter with the cramped mobile sauna of the Central Line, its meandering international sightseers, and stampede of besuited commuters heading for the City. Often your fatigue after such an expedition will be that following the completion of a Herculean labour, but just sometimes it will instead be the contented tiredness of a fulfilling and busy time well spent.

Such will be the state of the happy band of the Hackaday community who made it to London this weekend for our UK unconference held in association with our sponsor, DesignSpark. A Friday night bring-a-hack social in a comfortable Bloomsbury pub, followed by Saturday in an auditorium next to one of the former Surrey Commercial Docks for a day of back-to-back seven-minute talks laying out the varied and interesting work our readers are involved in.

Continue reading “London Calling: The Hackaday UK Unconference Roundup”

AI: This Decade’s Worst Buzz Word

In hacker circles, the “Internet of Things” is often the object of derision. Do we really need the IoT toaster? But there’s one phrase that — while not new — is really starting to annoy me in its current incarnation: AI or Artificial Intelligence.

The problem isn’t the phrase itself. It used to mean a collection of techniques used to make a computer look like it was smart enough to, say, play a game or hold a simulated conversation. Of course, in the movies it means HAL9000. Lately, though, companies have been overselling the concept and otherwise normal people are taking the bait.

The Alexa Effect

Not to pick on Amazon, but all of the home assistants like Alexa and Google Now tout themselves as AI. By the most classic definition, that’s true. AI techniques include matching natural language to predefined templates. That’s really all these devices are doing today. Granted the neural nets that allow for great speech recognition and reproduction are impressive. But they aren’t true intelligence nor are they even necessarily direct analogs of a human brain.

Continue reading “AI: This Decade’s Worst Buzz Word”