Archive for June, 2009

Open Hack London : The soldering iron incident

June 24th, 2009

I thought I would mention the “Soldering iron incident” and the Open Hack Day London power cut that I kind of accidentally caused.

Stupidly I thought it would be one of those things that would just get forgotten about, but I was wrong, so I might as well say what happened.

So, there was less than two hours of hacking time remaining at Open Hack and we had a working prototype. We just needed to tidy some things up and prepare the presentation. Our hardware hack was using an Arduino with a borrowed LCD display shield, but this was being powered by a laptop. Rather than plug the device into a laptop, which would not look impressive, we decided to knock up a battery adapter for it.

While Nigel went to practice with the iPhone orchestra for their upcoming performance I nipped down to Maplin and purchased a few components and a battery. I borrowed a soldering iron and went back to our base to plug it in.

When I plugged in the soldering iron the plug lit up white, there was a poof-like sound, and everyone’s power went off. Most people did not notice straight away as they were using laptops with batteries. It turned out that everyone who was plugged in to this distribution point (that was most people) was affected. Fortunately the wifi was unaffected so I was not killed dead by fellow hackers.

I still maintain that this was not really my fault. Soldering irons use around 40W and most are non-inductive loads, while the average laptop uses 75W and is an inductive load. After further investigation the fuse in the soldering iron was dust and we suspect there was a short in the device itself.

Anyway, I am now getting presents from fictional ducks and competition rules are being amended for me. In short I don’t think it matters if it was my fault or not, it is a fun memory to have a laugh at and I see the funny side.

Photograph above was taken by James Broad and kindly licensed under creative commons.

BarCampLeeds2009: Using second factor authentication

June 18th, 2009

At BarCampLeeds2009 I decided to chat about multi factor authentication and what we can do ourselves now. I will summarise my waffling here.

Multi factor authentication combines multiple factors to be more certain the person trying to log in is the person who should log in. Traditionally one factor of authentication is used, that being “something you know”, otherwise known as a password. Other factors include “something you have” such as a key, or “something you are” such as a fingerprint.

A multi factor solution that is being used by many organisations is a “something you know” and “something you have” combination. This is a really good combination in my opinion. Although I question the neutrality of many of the surveys, I agree the biggest threats to accounts being compromised at the moment are malware capturing passwords, or social engineering where a user is persuaded to reveal their password to a person or a fake web site. Using a physical “key” means that even if the user’s password is known it cannot be used without the key.

So, how do you use a key on the Internet? There are a number of ways of doing this, but they all revolve around the concept of having a dynamic password that is used once. The device shows a pseudo random code that is unpredictable by anyone without a secret known by the key and the server; this is entered into the web site by the user, and the server compares the code with what it was expecting.

The code has to change and each code should only be used once, and this can be achieved in several ways. One solution is to have a timer in the key and change the code every 30 seconds or so. Another solution is to have a button that changes the number each time it is pressed and the server remembers how many times it has been pressed. The latter solution can be easily implemented on paper.
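The three schemes above (timer in the key, button press counter, and the paper list) all reduce to one construction: a code derived from a shared secret and a counter that the key and the server both know. The example below is an added illustration written for this page, not code from the talk or from any of the products mentioned. It uses the HOTP construction (HMAC-SHA1 over a counter, RFC 4226) for the button-press key, the TOTP variant (the counter is the number of 30-second steps, RFC 6238) for the timer key, and shows the server side: a look-ahead window for a key whose button was pressed without logging in, a drift window for clock skew, and bookkeeping so that a code cannot be replayed. The secret and times are constructed demo values.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret shared by the "key" and the server. A real key holds a
# random per-device secret that is never reused between devices.
DEMO_SECRET = b"open-hack-demo-secret-2009"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code (RFC 4226 HOTP): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation to 31 bits, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    )
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238 TOTP): the 'timer in the key' scheme.
    The counter is simply the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(now // step), digits)


def paper_sheet(secret: bytes, count: int = 10) -> list:
    """The 'on paper' version of the counter scheme: the server prints the next
    `count` codes, and the user crosses each one off after use."""
    return [(c, hotp(secret, c)) for c in range(count)]


class CounterServer:
    """Server side of the button-press key. It remembers how many presses it has
    accepted and tolerates a few unused presses (the look-ahead window). Once a
    code is accepted, it and every earlier code are consumed, so no replay."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value we expect to see
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # consume this code and any skipped ones
                return True
        return False


class TimeServer:
    """Server side of the 30-second key. Accepts the current step and one step
    either side (clock drift), and records the last step accepted so the same
    code cannot be used twice within its validity window."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret = secret
        self.step = step
        self.last_step = -1       # highest time step already used for a login

    def verify(self, code: str, now: float) -> bool:
        step_now = int(now // self.step)
        for s in (step_now - 1, step_now, step_now + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    server = CounterServer(DEMO_SECRET)
    press_3 = hotp(DEMO_SECRET, 2)           # user pressed the button three times
    print("third press accepted:", server.verify(press_3))
    print("same code again:", server.verify(press_3))   # replay is rejected
    print("timer code now:", totp(DEMO_SECRET, time.time()))
    for counter, code in paper_sheet(DEMO_SECRET, 5):
        print(f"paper code {counter}: {code}")
```

The `hmac.compare_digest` calls matter even for six-digit codes: a plain `==` on strings can leak, through timing, how many leading digits of a guess were right. The look-ahead window in `CounterServer` is what keeps a key usable after its button has been pressed a few times without a login; the window in `TimeServer` is what keeps the key usable when its clock has drifted by a few seconds.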

As part of Open Hack Day London 2009 we developed an open source security key.

One thing you can do at the moment is pay only £3 and buy a PayPal security key, and I do recommend you do this. This generates a new number every 30 seconds and you enter this in addition to your password when logging in. The key is automatically linked to your PayPal account and you just need to activate it, and you can also attach the key to your eBay account so you can use it on that as well.

If you have a modern smart phone then you may be able to install the software version of the security key for free, but I am willing to pay £3 for the convenience of just pressing one button on my key ring rather than faffing around with the mobile. You can associate a phone and several keys with your PayPal account so you can use both, but only one device can be used with your eBay account at any one time.

The same security key can be used on any VeriSign VIP Network member web site in addition to PayPal and eBay. One of these members is VeriSign Labs. This is useful because VeriSign Labs have a product in beta called Personal Identity Portal (PIP). This is an OpenID server and a service that stores your passwords and will log you in to a service without you having to enter your password. Although the latter requires a browser plugin to be installed, and I believe the password may still be discoverable by some malware, it does remove the need for you to type in a password.

All these solutions have a backup path to log in, so if you lose your token you can still log in. This is useful if you lose, forget or break your key, but it does lower the overall security to that of the weakest path.

Finally some people who arrived late to the discussion wanted to know what the relevance of the model train was. There was no link, I just wanted to play with the train. :-)