Protect Your Users from Credential Stuffing Attacks: Ensure they aren’t using passwords known to be breached

I created a service that website operators can deploy on AWS to check whether their users are using passwords known to be breached, comparing them against Troy Hunt’s Have I Been Pwned database of ~600M breached passwords. Read about it here:

Mesh network in my neighborhood. Not how I had envisioned it.

I got an email from Amazon today. I’m automatically opted in to “Amazon Sidewalk” unless I choose to opt out. Amazon Sidewalk allows devices participating in their Sidewalk program to connect to the Internet through Amazon devices, like the Amazon Echo.

Amazon Sidewalk – a mesh network for Amazon devices to connect to the Internet:

Not exactly how I’d envisioned a neighborhood mesh, but their “read the fine print to opt out” strategy will probably work better than my asking neighbors to build a network.

1-Click Passwords

I was recently presented with a situation where I would have to regularly enter a 48-character random password for a month or more to log in to a computer that was assigned to me. Given that I couldn’t possibly memorize this string, and the computer is reasonably physically secure, I decided to build a device to do this for me.

I had previously used an Arduino to emulate a gamepad for a homemade Dance Dance Revolution mat. This time, I needed to emulate a keyboard. A search for “HID Arduino” returned the Arduino HID page, which suggested an Arduino with an Atmel 32u4 microcontroller. A search for Arduino 32u4 on Amazon returned the KeeYees Pro Micro clone, which I ordered.

Arduino Pro Micro Clone, button wired to I/O 4

It came in, I soldered a button to I/O 4, and uploaded the following code:

#include "Keyboard.h"
#include "Bounce2.h"

const int buttonPin = 4;          // button wired between I/O 4 and GND
Bounce bounceTrigger = Bounce();  // debouncer for the button

void setup() {
  bounceTrigger.attach(buttonPin, INPUT_PULLUP);  // internal pull-up: pressed reads LOW
  bounceTrigger.interval(25);                     // debounce window in ms
  Keyboard.begin();                               // start USB HID keyboard emulation
}

void loop() {
  bounceTrigger.update();                         // sample the pin every pass through loop()
  if (bounceTrigger.rose()) {                     // LOW -> HIGH, i.e. the button was released
    Keyboard.println("I put my password here");   // type the string, then Enter
  }
}

Now, every morning, instead of copying 48 characters from a Post-it, I just click the button.

It should be said, this defeats the purpose of the password, and the password isn’t stored in a secure way on the microcontroller (it sits as a plain string literal in the firmware). But this technique is great for any time you need to automate a sequence of keystrokes.

iOS Safari’s WebSockets implementation doesn’t work with self-signed certs

I’m building a Node application hosted on a Raspberry Pi that will not be connected to the internet. A user will interface with the application through the browser on their phone. The application calls the browser for its GPS coordinates using the HTML Geolocation API.

In iOS, the HTML Geolocation API only works for HTTPS sites. I found an excellent post on Stack Overflow for creating a self-signed cert that works in most browsers. I created the cert and added it to my desktop and phone. HTTPS worked great.

I first tried the Node ws WebSocket library, and the Node application would call out to the browser to fetch GPS coordinates when it needed them.

The application worked great in Firefox and Chrome, but it would not work in the iOS browser. If I dropped to HTTP (vs HTTPS) and WS (vs WSS), it worked fine. For some reason, the iOS browser accepted the cert for HTTPS, but not WSS. Unfortunately, I needed HTTPS to use Geolocation.

I couldn’t get it to work. I ended up moving my application to Socket.IO, which has a fallback to HTTPS polling if a WebSocket connection cannot be established. This worked for my scenario. If you need a WebSocket-like capability and have to use self-signed certificates on iOS, try Socket.IO.

Alexa skill, written in Node JS, Using Express, with ask-sdk-express-adapter

In 2018, after reading an article on Hackaday, I picked up an Amazon Echo Dot to experiment with building voice interfaces. It was surprisingly easy, and with no experience, I got something up and running in a couple hours.

I haven’t looked at this in a while, and had another project in mind. Looking at the Alexa development documentation today, all the examples leverage Amazon’s Lambda compute service. For my project, I didn’t want to use Lambda; I just wanted to use Express on Node JS. Amazon has an NPM library for this, ask-sdk-express-adapter, but I couldn’t find ANY end-to-end example, and I struggled for a bit to get it to work. I think it took me longer the 2nd time around!

SO – here’s a simple example, hopefully it’s got the right keywords for anyone who’s stumbling on the same problem. Keywords:

  • node js
  • javascript
  • ask-sdk-express-adapter
  • express
  • sample code
  • example code
  • alexa
const express = require('express');
const { ExpressAdapter } = require('ask-sdk-express-adapter');
const Alexa = require('ask-sdk-core');

const app = express();
const skillBuilder = Alexa.SkillBuilders.custom();

var PORT = process.env.port || 8080;

// Responds to the skill being opened ("Alexa, open <invocation name>")
const LaunchRequestHandler = {
    canHandle(handlerInput) {
        return handlerInput.requestEnvelope.request.type === 'LaunchRequest';
    },
    handle(handlerInput) {
        const speechText = 'Hello World - Your skill has launched';

        return handlerInput.responseBuilder
            .speak(speechText)
            .withSimpleCard('Hello World', speechText)
            .getResponse();
    }
};

skillBuilder.addRequestHandlers(LaunchRequestHandler);
const skill = skillBuilder.create();

// ExpressAdapter(skill, verifySignature, verifyTimeStamp): both checks are
// disabled here for local testing; enable them for anything Internet-facing.
const adapter = new ExpressAdapter(skill, false, false);

// Alexa POSTs its request envelopes to the skill endpoint
app.post('/', adapter.getRequestHandlers());

app.listen(PORT, () => {
    console.log(`Alexa skill endpoint listening on port ${PORT}`);
});


Hope that helps!

Playing around with Hugo and different ways of hosting content

When I initially built out this blog, I:

  • wanted a content management tool. I didn’t want to be writing pages in HTML
  • wanted to host it myself. Geocities came and went. I wanted ownership of my hosting.
  • wanted a VM on the Internet anyway. I wanted something always up that I could host services on. I had hosted PCs on the Internet at home, but with cloud services, I just didn’t need this anymore.
  • wanted very low costs
  • needed to support extremely low readership.

So, I built out a tiny VM on AWS I can deploy services on, and it costs next to nothing.

But my content is static. It really makes more sense to host the files on S3, and use a static content generator. It’s much more secure, I don’t have to worry about keeping OSs and applications patched, and it could scale if ever required.

So over Christmas break, I built with Hugo, hosted on S3, fronted by CloudFront, which seemed to be the only way to host content from S3 on my domain with HTTPS. With Hugo (and any other static site generator), you create your content, it applies a template, and it creates the links – it reminds me of working with Fog Creek Software’s defunct CityDesk almost 20 years ago. This AWS Hugo Hosting article was really helpful for the AWS setup. I still can’t figure out how to use Hugo’s Image Processing features, but I didn’t need them. The new site is accessible from the ‘Articles’ section up top. I’m not sure if I’ll move everything over or what I’ll do moving forward.

Detect web skimming with web automation

I was listening to the Darknet Diaries Magecart episode before the holidays and was thinking, “Magecart attacks should be pretty easy to detect with web automation”, so I wrote up how I would do it. If you run a web property that processes sensitive data, it might be of interest. Check it out here:

I have been thinking about changing how I host this site, and decided to try it out for this article – more on this later.

Fixing ink blobs on Epson XP-830 prints

Black ink blobs dropped randomly on pages

My Epson XP-830 started dropping black ink globs on my prints, which would smudge and wreck photos. As I had recently installed $150 worth of ink, I didn’t want to just go out and get a new printer. I also liked the compact format of this printer, and wouldn’t just buy the same one, as this was starting to look like a doorstop after its 2nd set of cartridges. I wasn’t concerned about breaking the printer at this point, because I was ready to throw it out.

I managed to resolve the issue – I’ve decided to write about what I did, and perhaps some will find this article and I’ll save a few printers from an early trip to the landfill. I expect this will work for any Epson XP printer.

First, I ordered a print head cleaning kit from Amazon (kit, Amazon link). In hindsight, I don’t actually think this was an issue with my print heads, but I did a number of things all at once, so I don’t know exactly which step resolved my issue. I recommend watching their video before ordering the kit.

The first step was getting the print head out of its right-side dock. Go to the menu, click maintenance, and then click Ink Cartridge Replacement.

Click proceed.

At this point, the print head will have moved to its change cartridge position. Disconnect the power.

I used card stock and paper towels to clean all of the ink I saw in the areas identified by red arrows

At this point, I took out the cartridges, and I wrapped them in plastic wrap, following the guidance of the Print Head Hospital.

I did clean the heads, as instructed in the Print Head Hospital video, but I think what really made the difference for the black ink globs was the following: using cheap paper towels and card stock, I cleaned up all the ink in the areas highlighted by arrows in the above image. I cleaned under the print head by cutting a ~1″ piece of card stock, wrapping it with a paper towel, and running it underneath the assembly as shown at the 3:40 mark in the Print Head Hospital video, and repeated until the paper towel came out clean.

I plugged the printer back in, re-installed the cartridges, ran the regular print head cleaning cycle 3 times (until the test page came out fine), and am now getting perfect prints.

Good luck – hope this helps.

Code like it’s 1981

In my primary school years, I’d read my Dad’s “Compute!” magazines. Recently, I discovered they’ve been published on , and I browsed through a few issues.

I came across this ad in a 1981 issue:

Ad for SORT, an EPROM with a sorting algorithm for Apple and Commodore PET owners.
SORT algorithm on EPROM for Apple and Commodore Pet

It’s a sorting algorithm, written in assembler, distributed on an EPROM chip, mounted on a circuit board, that you’d plug into your Commodore PET or Apple II computer and call from your BASIC program.

A few things I find interesting about this ad:

  • How big was the market in 1981, for people who were writing BASIC programs, couldn’t write a sorting algorithm, and would pay $55 per seat for one?
  • If someone were looking to sell their program that they built, they’d have to bundle in this SORT product
  • At some point, sorting libraries were built-in

I actually found documentation for this product online: