Friday, August 24, 2012

Automatic detection of a Google Mail log in

In the past I've written about measures I've taken to protect my Google Mail account: I use long random passwords and Google's two-factor authentication with no recovery options and I have a tempting canary waiting for any intruder.

But to further protect my account I created a system that automatically tells me when a log in occurs on my Google Mail account. The system sends me an SMS whenever there's a new log in. The system is able to distinguish a machine that's used on different IP addresses (such as when I move my laptop from home to an office) and brand new log ins from machines that have never been seen before. And unlike the canary it doesn't require any action. It happens automatically.

Here's the SMS chronicle of a trip to the San Francisco office of CloudFlare and my return home. The first SMS was received because I logged in at my hotel; later I went to the CloudFlare office and a few days later I returned home.


I'm posting this because I'm curious whether anyone else would like this as a service. How much would it be worth to you?

Wednesday, August 22, 2012

CloudFlare's ScrapeShield spots single line of text copy/pasted from my blog

Some months ago CloudFlare launched a service called ScrapeShield that's designed to protect web page content from content scraping. It's a free service and I enabled it on this blog. The ScrapeShield report shows where my blog content has been copied around the web.

It doesn't get copied very often, but just the other day there was a great example of how ScrapeShield spots taken content: I wrote a popular blog entry about Mars Curiosity; someone saw it and wrote their own version taking a single line of text from my blog. ScrapeShield caught it.

My article was "Curiosity Rover writes Morse Code of JPL everywhere it goes" and a web site owner obviously read it and added this section to an article called "Five awesome things about Curiosity":

That's not the photo that I used, nor is that the text I wrote, but the caption under the photograph is a copy/paste of the title of my article. How am I sure? Because when they copied and pasted, they copied and pasted one of the beacons inserted by ScrapeShield.

ScrapeShield inserts multiple page beacons of different types to spot manual and automatic page scraping. In this case just a single line of text was enough to know that the content came from this blog. Sadly, the web site did not link back here so people could read the full blog post.

Monday, August 20, 2012

Why don't they just..?

It seems every time I come across a story about the Mars Curiosity rover there will be many people commenting on the technology used starting with "Why don't they just..?" and usually pointing out things like: the processor in their smart phone is way faster than the one on Mars, or they have way more memory on their iPad, or their digital camera is way better than the one sending back pictures. These "Why don't they just..?" questions are both annoying and to be expected.

Annoying because the underlying thought is "Those NASA/JPL guys are so dumb LOL" and to be expected and encouraged because we wouldn't make any progress without asking questions and, in particular, asking why.

But it doesn't take much research to find the answer. (Even though I'm tempted to answer: "Because it's on friggin' Mars, doofus!")

1. The Mars Science Laboratory project was started eight years ago in 2004. So, all the technology on it is at least eight years old.

2. The trip to Mars means flying in an area with a high amount of radiation (from things like cosmic rays, all manner of stuff flying out of the Sun and the Van Allen radiation belt). That means all the electronics need to be radiation hardened. So, you don't start with just whatever you can get from Fry's Electronics in 2004. You need specifically radiation hardened components like the RAD750 processor in Curiosity.

3. You need to be a bit conservative. The thing you're sending to Mars is going to be on its own and unrepairable. It had better work. So, you're likely to reuse components and techniques that you know work. It has been reported that the skycrane used to land Curiosity used components derived from the 1970s Viking landers and algorithms used on the Apollo craft.

4. And once you've worried about radiation hardening, reliability, and weight you need to worry about bandwidth back to Earth. It's no good taking gigapixel photographs if you can't get them back to Earth. For example, Curiosity can communicate with the Mars Reconnaissance Orbiter for a few minutes per day at 2Mbps and with Mars Odyssey at 256kbps.

But rather than explaining all this stuff, I think there's a better way: build, land and operate a rover here on Earth.

The Rover Challenge

I've done one high-altitude balloon flight and watched the progress of many others. Although going to Mars is a very different situation there are similar challenges: weight, environment, communications, landing.

A good way to see how hard it is to build and operate a rover would be to build one designed for operation in an inhospitable part of Earth. Launch it via a high-altitude balloon with parachute descent and then operate it without GPS over a slow, high latency radio link.

It would actually be a fun project. On a balloon you can probably have about 2kg of payload maximum for your rover. Now imagine 2kg weight budget for a semi-autonomous rover that would be dropped into a desert in the South Western USA, or the Sahara, or the Australian outback.

The rover would have to withstand high temperatures, dust, and wind; operate on a perhaps unstable sandy ground; communicate using HF radio; and operate without a human touching it.

To me it sounds like a fun challenge. Anyone else?

Monday, August 13, 2012

Security questions are salt

It's common for web sites to have a password recovery feature and some ask the user to set up answers to security questions which they can answer later. The main feature of these is that they are intended to be something the user knows and can answer later without remembering. So questions like "What was the make of your first car?" are common.

Unfortunately, these questions are weak because a determined attacker can often find out the information required to answer the questions. In one notable case a US Vice Presidential candidate's email was hacked by searching for and finding the target's high school name and date of birth. This leads to these questions being very insecure.

In addition, some questions, such as "What was the make of your first car?" have a very small likely answer space. If the target is British, for example, the number of car makers is small and a guess is quite likely to work, especially considering that it's unlikely that a first car will come from a luxury manufacturer.

My personal approach is to not forget my passwords (because I use unique passwords that I can access as needed), and I fill in these questions with nonsense.

But, if you do want the option of using the recovery feature then there's a simple solution: consider the question as password salt and answer using a hash.

Here's how that works:

1. Think of a password that you will remember, that's long and complex (perhaps even a passphrase as you will not need it often). You'll use this password to create answers to security questions everywhere.

2. When confronted by a security question, answer with the result of hash_function(passphrase, security_question).

For example, suppose that you've chosen the passphrase "honi soit qui mal y pense" and you are being asked to choose an answer to the question "What is the make of your first car?". You would calculate a hash (here I am using bcrypt, with the program below, because it's secure and slow):

    perl bcrypt.pl "honi soit qui mal y pense" "What is the make of your first car?"
    ouVXFntvrfbJCHwoEvfbF8Hn3gYik.W

and enter the response as "ouVXFntvrfbJCHwoEvfbF8Hn3gYik.W"

Any time you actually have to answer the question it's simply a matter of recalculating the hash from the question and the password you've chosen.

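The security question is acting as salt; the security of this relies on the long, complex passphrase chosen and the secure hash algorithm.

    use strict;
    use warnings;

    use Digest::SHA1 qw(sha1);
    use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

    my ($passphrase, $question) = @ARGV;
    die "Usage: perl bcrypt.pl <passphrase> <question>\n"
      unless defined $passphrase && defined $question;

    # bcrypt wants a 16-byte salt: use the first 16 bytes of SHA-1(passphrase)
    my $salt = en_base64(substr(sha1($passphrase), 0, 16));

    # Hash the question text with that salt at cost factor 16 (deliberately slow)
    my $hash = bcrypt($question, '$2a$16$' . $salt);

    # The answer is the part of the bcrypt string that follows the salt
    $hash =~ /\Q$salt\E(.*)$/ or die "Unexpected bcrypt output\n";
    print "$1\n";

PS As Damian points out below, reading one of these would be a nightmare over the phone. So an improvement is to find a sequence of words that encodes the hash. Here's one approach based on finding words that contain subsequences of the hash value in the dictionary.

    use strict;
    use warnings;

    use Digest::SHA1 qw(sha1);
    use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

    my ($passphrase, $question) = @ARGV;
    die "Usage: perl bcrypt.pl <passphrase> <question>\n"
      unless defined $passphrase && defined $question;

    # Same calculation as the first program
    my $salt = en_base64(substr(sha1($passphrase), 0, 16));

    my $hash = bcrypt($question, '$2a$16$' . $salt);
    $hash =~ /\Q$salt\E(.*)$/ or die "Unexpected bcrypt output\n";
    my $output = $1;
    print "$output\n";

    # Load the lowercase dictionary words of five or more letters
    my @words;

    open(my $fh, '<', '/usr/share/dict/words')
      or die "Cannot open /usr/share/dict/words: $!\n";
    while (<$fh>) {
        chomp;
        my $w = $_;
        if ( $w =~ /^[a-z]{5,}$/ ) {
            push @words, lc($w);
        }
    }
    close $fh;

    # Shortest words first, so find_word returns the shortest match
    @words = sort { length($a) <=> length($b) } @words;

    # Reduce the hash to letters only: lowercase it, replace each digit
    # with a letter and drop any remaining characters
    $output = lc($output);
    $output =~ tr/0123456789/oizeasblxq/;
    $output =~ s/[^a-z]//g;

    print word($output), "\n";

    # Encode $w as a sequence of words: find a word for the longest
    # possible prefix, then recurse on whatever is left over
    sub word {
        my ( $w ) = @_;

        my $found = find_word($w);

        if ( $found ne "" ) {
            return $found;
        } else {
            foreach my $i (reverse 1..length($w)-1) {
                my ( $left, $right ) = (substr( $w, 0, $i), substr($w, $i));
                $found = find_word($left);
                if ( $found ne "" ) {
                    return "$found " . word($right);
                }
            }

            die "Couldn't find a word";
        }
    }

    # Return the first dictionary word in which the letters of $w appear
    # at every other position (e.g. "ou" matches "bogus"), or "" if none
    sub find_word {
        my ( $w ) = @_;

        $w = join('.', split(//,$w));

        foreach my $x (@words) {
            if ( $x =~ /$w/ ) {
                return $x;
            }
        }

        return "";
    }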

Then instead of trying to say "ouVXFntvrfbJCHwoEvfbF8Hn3gYik.W" you say "bogus vexed definitive prefab jackhammer whole vivify abaft exchange angry bilks aglow"

And you could likely get away with not the entire response but something shorter, say just take the first two words. So, the response to "What was the make of your first car?" could be simply "bogus vexed"
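
An added sketch, not the author's program: the same idea in Python, using PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt. It goes a little beyond the scheme above by normalising the question before hashing (so case, spacing and a trailing question mark don't change the answer) and by mixing in a site label so the same question on two sites gets different answers; the function names, the site label and the iteration count are assumptions of this example.

```python
import base64
import hashlib
import re
import unicodedata

ITERATIONS = 600_000  # assumed work factor for this example; keep it fixed once chosen


def normalise(text: str) -> str:
    """Fold Unicode form, case, whitespace and trailing punctuation."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = re.sub(r"\s+", " ", text).strip()
    return text.rstrip(" ?.!:")


def answer(passphrase: str, site: str, question: str, length: int = 20) -> str:
    """Derive a repeatable answer; the passphrase is the only secret input."""
    fields = [normalise(site).encode(), normalise(question).encode()]
    # Length-prefix each field so ("ab", "c") and ("a", "bc") give different salts.
    salt = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    # Base32 gives lowercase letters and the digits 2-7 only.
    return base64.b32encode(raw).decode().lower().rstrip("=")[:length]


if __name__ == "__main__":
    secret = "honi soit qui mal y pense"  # passphrase from the post
    site = "example.com"                  # constructed site label
    for q in ("What is the make of your first car?",
              "  what is the make of your first car ",
              "What was the make of your first car?"):
        print(f"{q!r:45} -> {answer(secret, site, q)}")
```

The first two questions print the same answer; the third differs because its wording differs, so the question has to be recorded as the site asked it.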

Monday, August 06, 2012

Curiosity rover writes Morse Code of JPL everywhere it goes

The Curiosity Rover that landed on Mars today has a neat feature in its wheels that allows it to spot if it gets stuck. The wheels have an asymmetric pattern of holes in them that leave a distinctive imprint on the surface of Mars. The rover views these marks with a camera to determine if it has traveled the distance it thinks it has. This 'visual odometry' means that Curiosity can spot if it's slipping or stuck and call home for help.

The visual odometry is mentioned in this video where the marks can be clearly seen:


Here's a close up shot of the marks on the centre wheel.


Look carefully and the pattern is

short long long long
short long long short
short long short short

or

. - - -
. - - .
. - . .

which is Morse Code for JPL, the home of Curiosity.

Wednesday, August 01, 2012

My TED Talk: The Greatest Machine That Never Was

For over a week now my talk, The Greatest Machine That Never Was, has been on the front page of TED. It's got over 170,000 views. If you haven't seen it, here it is: