Browsed by
Author: marcus

#ThingsIWishExisted – Battery-Powered eInk BLE Frame

Every 6 months or so I do a search to see if someone’s created something that’s been on my wishlist for years–an always-on, battery-powered, internet-connected wall display:

(like this one from http://hackaday.com/2013/04/01/kindle-weather-and-recycling-display/, but battery-powered)

The requirements are:

  • Display of 6″ or larger (touchscreen would be nice to have but not necessary)
  • Aesthetically pleasing when wall-mounted
  • Updated wirelessly (WiFi or Bluetooth or some other RF?)
  • Runs on battery for a long time (> 1 month)
  • Less than $100

I can think of a ton of uses for this around the house:

  • I’d like to stick one to the door of my wardrobe with the current and forecasted weather to help decide what to wear.
  • I’d put one with the train schedule up next to the front door so I’d know at a glance when leaving whether I needed to hustle for it.
  • Another with my shared family Google Calendar events so I’d stop forgetting birthdays and such.
  • Another one that was easy to drop-in with current dashboard stuff that I’d want to track, like stats or logs from in-progress projects or a graph of my weight measurements from my connected scale (until that becomes too depressing).
  • Probably need one more to track the battery levels of all the other ones, lol.

So, it needs to run on battery since I don’t feel like drilling a bunch of holes in the wall and running power cables through them or having super long unsightly power cables dangling off of them. Which makes the eInk display sort of a requirement since there’s no other way to run a backlit LCD for more than a day off of battery. And it needs some low-power wireless update mechanism, since the essence of its utility comes from being constantly updated.

Very pretty. $400 (plus $5/month hosting fee)

 

Now, there are commercial products that do this sort of thing but they are super expensive because they are geared towards businesses that don’t mind blowing $300 on a meeting room sign (with monthly access fees) or $700 for a single custom development kit.  There have also been a bunch of homebrew projects that do this, but generally require you to do nerdy things like solder an eInk screen to an Arduino and write custom drivers for the display. And buying eInk/ePaper screens in low volume is pretty expensive, with a tiny 4.3″ screen costing over $50 and looking like a science project when hooked up to the circuit board.

Ugly. $100-ish. Very low WAF[1]. (From someone else’s project)

So, the punchline to this is that the device I want actually kinda-sorta already has existed for years:

Ta-da!! The Amazon Kindle. $79.99

The darn thing has a great eInk touch screen, the battery lasts for weeks and weeks between charges and it’s got built-in WiFi (and Bluetooth). Someone just needs to take the guts and write a bare-bones OS that streams data from the cloud to display and does smart power management things like going to sleep between updates. I want to buy lots of this product! Someone make it!!

It’s clear the technology already exists for what I want and the price could probably be even lower than my target (Start with Kindle-like bill of materials, take out the speakers, WiFi, most of the local storage, lose the touchscreen and use a much cheaper/slower processor possibly with Bluetooth LE to reduce the power draw).

Please. Someone make it. I’ll check back in 6 months.

  1. Wife Acceptance Factor
Zones App for August Smart Lock on Android Wear

Zones – Geofence API Launcher

If you’re wondering why after so many years there’s still no app to unlock your August Lock from your Android Wear watch, you’re not alone. But now you can unlock your August locks from your watch using the Zones app!

Just set up a geofence zone in the app with a special action url:

august://[key-offset]:[key]@[lock-id]

To get the key, offset and id, use the instructions here. Getting the keys is a little technical, but if you have an Android Wear watch you’re probably already a super nerd, so I trust you’ll get it.

Then when you’re “in the zone”, a wear notification will pop up and you can press it to unlock your door. Sweet!

You can also trigger other HTTP APIs using the app, if you’ve got any of those lying around. And if you’d like to integrate August Smart Locks into your Xamarin App, check out the plugin I wrote to provide this functionality, Plugin.Android.AugustLock. Happy unlocking!

Why is there no August Smart Lock API?

Today in #ThingsIWishExisted: August Smart Lock API

I bought an August Smart Lock three years ago so I could stop carrying around door keys and have my doors magically unlock themselves. Actually that’s not really true, I really bought a crowdfunded Lockitron three years ago but the dang thing was going to be so delayed I impulse bought the August lock while in an Apple store. I later rationalized the purchase thinking that I’d compare it to the Lockitron when it eventually arrived, and return one of them. It ended up being OVER THREE YEARS before the Lockitron finally showed up, and by that time I’d moved out of my apartment in Boston to Texas where my new place had a door that no longer fit the Lockitron.

Long story short, I’ve been using the August lock for a while. The thing that sucks about it is that the August Auto-Unlock feature is pretty crappy. The dream is that I walk up to the door, it magically unlocks itself and I open it and stride through like a man from the future. The reality is that I do that about 25% of the time, I stand awkwardly in front of the door waiting for it to eventually open 50% of the time, and 25% of the time it never opens and I sigh and use the Android app to unlock the door (or I use the key I never stopped carrying). First world problems, right?

So pretty. But no API!

This wouldn’t be too much of a problem if August would create an Android Wear app for my smartwatch, so I could quickly just tap my wrist while walking up to the door to unlock it instead of fishing my phone out of my pockets, unlocking it, opening the app, waiting for it to start up and then tapping my house icon and waiting and then tapping the unlock button. Terrible! But they haven’t made an Android Wear app probably because there aren’t enough people willing to look like nerds and wear Android watches to justify the expense. Well, that’s fine, I could just write my own Android Wear app, but I’d need access to the August Smart Lock API and they don’t make it public. What’s the point of having a Smart Lock if the smart features aren’t available for tinkerers to tinker with? So frustrating.

A smart guy reverse engineered the Bluetooth protocol and released a Node.js program that could run on a Raspberry Pi to open the August lock, but running WiFi, Bluetooth and Node.js on a Raspberry Pi was asking for trouble, and my setup crashed often enough to fail the WAT[1]. I ended up creating a horribly complicated system derived from the Node library which now involves an old phone, a Microsoft Azure Function and Google Firebase notifications to work with my old Geolocation Watch App to unlock the door. It’s working for now, so we’ll see if it ends up being reliable enough to pass the WAT.

UPDATE 3/18/2017: It ended up being too slow and unreliable so I ported the August Bluetooth API to Xamarin (and made a plugin) so I could build this functionality into my Zones app. Works much better.

Oh, and the Lockitron that arrived 3 years late and doesn’t fit my door? It has a public API.

  1. Wife Acceptance Test
On the current state of email transport security in 2017

I had a bit of curiosity today while going through my email, wondering about how secure it was. As I logged back in to some sites requiring two-factor authentication due to my recent 2-F-Apocalypse after losing my Chrome cookies, a few were set up to send verification links through email. A few questions I didn’t know the answer to popped into my head: Is that safe? How secure is email today anyway? And down the rabbit-hole I went…

Anecdotally, I’d say that almost all messages I receive from real people (and most messages from mailing lists or companies) are transmitted securely to my Gmail (where you can check on the transport encryption status). Here’s an example of an email sent insecurely, and how you can tell whether a message you are about to send is going to be sent securely:

Tsk, tsk, bad company formerly known as Time Warner Cable (now Spectrum). Email sent without encryption.
Testing sending to cox.net. The red lock icon means it’ll be sent insecurely.

On Google’s Transparency Report for Safer email, the current numbers for Gmail’s outbound and inbound messages that are transported securely (encrypted) as of this writing are 87% and 81% respectively.[1]

Is that good? Does that mean we’re >80% safe now? What does that even mean?

I’ve always thought of email as being inherently simple and insecure. After all, email runs on the 35-year-old “Simple” Mail Transfer Protocol (SMTP). Having spent the last decade as a CTO of a health information technology company dealing with Protected Health Information (PHI) and constantly scolding my clients for sending PHI over email (frowned upon, though surprisingly not always illegal under HIPAA), I wondered if my beliefs about the insecurity of email were still true. Those beliefs were grounded in the days before encryption was available over SMTP[2] (pre-2000) and when many more organizations ran SMTP servers internally. Before Yahoo! Mail & Hotmail were created in the late 90’s and Gmail burst onto the scene in 2004, nearly every small internet service provider (who most people got their email from at the time) and small- or medium-sized organization had an email server sitting in a closet somewhere running the email server software of the day[3], which was insecure by design. This distributed nature of the internet’s email server infrastructure made it resilient but ultimately resistant to change. How do you convince a million server operators to update their email software to something more secure when it’s not technically broken? I would have imagined even a very simplified graph of the zillions of email servers on the internet back in 2000 to look something like this:

Not a real graph of the year 2000 but you get the point, everybody and their mother was running an email server

Fast forward to today, where almost every person and nearly every small- or medium-sized organization outsources their email to one of the big email providers (Google, Microsoft, Yahoo, AOL etc.). Not only that, but senders of bulk email also regularly outsource that task to one of a short list of professional email platforms (Mailgun, Mailchimp, Sendgrid, Amazon SES, etc). I’d wager a guess that the percentage of email being sent and received by the big email services is increasing, and that a very simplified graph of email being sent today would look more like this:

Once again, not a real graph but imagine most email being sent by huge services, not by servers run by non-pro’s

With such a large percentage of email under the control of a smaller cadre of email services, you’d think that the small number of “big guys” would be able to agree upon a way to send email securely, force the rest of the small fish to go along with them, and that our email would be secure today (and maybe even encrypted end-to-end!). While that may happen someday, here are a few harsh truths about the current state of affairs:

  1. Email transport encryption is still voluntary and optional. As the Google Transparency report showed, ~20% of email today is still being transported totally unencrypted. That means that any simple attacker with read access to the network between the email server of the sender and that of the email recipient has the capability to read the entirety of the message.
  2. Because transport encryption is optional, even the other ~80% of encrypted email traffic may be subject to a man-in-the-middle downgrade attack, so under many circumstances a sophisticated attacker with interception access to the network between the sender & recipient servers has the capacity to strip the encryption and read the message.

While that doesn’t sound very good, forces are in motion to improve the situation:

  1. A proposal published in 2015 (RFC 7672) called DNS-Based Authentication of Named Entities Transport Layer Security (DANE TLS) would use Secure DNS (DNSSEC) to specify and require email server encryption, but adoption of that proposal is dependent on the adoption of DNSSEC which itself is controversial and has been very slow to this point.
  2. A different proposal, SMTP MTA Strict Transport Security (SMTP MTA-STS) would use regular DNS and a secure web service to specify and require email server encryption, but is still currently in draft status and if/when it is published will still take time for significant adoption.
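An added example (not from the original post) of the sender-side logic behind both lists above: with opportunistic STARTTLS a stripped capability line silently yields cleartext, while an MTA-STS policy in enforce mode turns the same situation into a deferral. The EHLO replies, hostnames and policy text are constructed samples; the policy keys follow the MTA-STS format as later published in RFC 8461.

```python
# Added example: sender-side delivery decision, opportunistic vs. MTA-STS "enforce".
# All hostnames, EHLO replies and the policy text below are constructed samples.

HONEST_EHLO = (
    "250-mx1.example.net\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n"
    "250-STARTTLS\r\n250 SMTPUTF8\r\n"
)
# The same reply as seen by the sender when the STARTTLS line never arrives.
STRIPPED_EHLO = HONEST_EHLO.replace("250-STARTTLS\r\n", "")

POLICY_TEXT = """version: STSv1
mode: enforce
mx: *.example.net
max_age: 604800
"""

def ehlo_extensions(reply):
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    lines = reply.strip().splitlines()
    return {ln[4:].split()[0].upper() for ln in lines[1:]  # line 0 is the greeting
            if ln.startswith("250") and ln[4:].strip()}

def parse_sts_policy(text):
    """Parse the key: value policy file; 'mx' may repeat, so collect it as a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_allowed(host, patterns):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host = host.lower().rstrip(".")
    _label, dot, parent = host.partition(".")
    return any(host == p or (p.startswith("*.") and dot and parent == p[2:])
               for p in patterns)

def delivery_decision(ehlo_reply, mx_host, policy=None):
    """Decide what a sending server does with a queued message."""
    starttls = "STARTTLS" in ehlo_extensions(ehlo_reply)
    if policy and policy.get("mode") == "enforce":
        if not mx_allowed(mx_host, policy["mx"]):
            return "defer: MX not listed in policy"
        if not starttls:
            return "defer: STARTTLS not offered"
        return "send: TLS required, certificate must validate"
    return "send: opportunistic TLS" if starttls else "send: cleartext"
```

Without a policy the stripped reply is indistinguishable from a server that never supported TLS, which is why the sender falls back to cleartext; the enforce branch removes that fallback.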

In conclusion, while >80% encryption of email transport is a great start, there are still gaping holes in the picture that should prevent anyone today from calling email transport secure. A persistent and sophisticated enough attacker still has plenty of opportunities to break into your email as it’s being transported, even without hacking into your account specifically.

This was an interesting refresher for me, having looked into email security in the distant past[4] but not having read much about the recent progress made. I’ll have to remember to check back in on it later, maybe we’ll be closer in 2018! Fingers crossed.

  1. I couldn’t find numbers for AOL, Hotmail/Outlook.com or Yahoo mail
  2. RFC 2487’s introduction of the STARTTLS command in SMTP
  3. Software like sendmail or Lotus Notes or Exchange or my frenemy, MDaemon
  4. I worked on an implementation of Direct Messaging (a type of secure email) for my Electronic Health Record company’s participation in the Massachusetts Health Information HIway health information exchange. If widely adopted by the health industry (a big if), it could serve as an example of a secure messaging network based on SMTP.
Keep your Chrome Cookies when reinstalling Windows

I reinstalled Windows on my desktop and laptop from scratch earlier this week to fix some nagging issues and clear out the cruft. Starting from a blank slate with a fresh install (vs an upgrade or install in-place) always makes me feel great. That’s a little sick, I know. But all the apps work like they’re supposed to and the computer just feels more… solid. As more of my life goes into the cloud, the list of software I need to reinstall gets shorter, and with Chocolatey and a USB drive with a few installers, I can do a full OS reinstall in under an hour. With Chrome Sync, after reinstalling the browser and logging in, all my extensions, settings, saved passwords and bookmarks magically re-appear. Everything is awesome!

Until I try to open up a few of my favorite services and try to log in there…

Twitter login… 2-Factor Auth
Google login… 2-Factor Auth
Facebook… grr
All of my bank accounts too! What the FASDKFJASFSAKl111

I could go on for a while, since every site that I can turn on 2-factor authentication for I have done so. This greatly increases my security in case my password is ever hacked or I get phished. It also means that after reinstalling I got to spend tons of time and annoyance getting SMS text messages, Google Authenticator codes, security code emails, and typing in answers to security questions. Normally the 2-factor authentication only requires verification periodically, and you mark your browser as a “registered device” to avoid having to jump through the hoops. To do this, your browser stores a “cookie” with an authentication token used on future visits to the sites you register. And although Chrome Sync restored 29 apps, 16 extensions, 202 settings, 415 passwords and 52 bookmarks for me, it does not sync cookies!!

This is of course by design. Normally syncing cookies would be a really bad idea since it would defeat the purpose of 2-factor authentication. But when reinstalling your computer, it would be nice if there was a way to bring over cookies. You used to be able to do this by copying the Chrome User Data folder, but this was a bit of a security risk because that meant your passwords and cookies were sitting around on your disk unprotected and could potentially be stolen. So in 2014 Chrome started encrypting protected data like cookies, using a special encryption key that is different for every user and computer.

I’d reinstalled Windows a few times since 2014, so I’ve gone through 2-Factor-Apocalypse a few times, with each time getting worse as more sites allow 2-Factor Authentication or implement security questions or email processes. To make things worse, I’ve started installing Windows Insider pre-release builds, so I’ll probably reinstall from scratch again soon and have to go through the whole thing again. Madness!

I did a search to see if there were any solutions for backing up and restoring Chrome cookies, and it didn’t look like there were any suited to my use case, so I spent a few hours cooking one up. (See what I did there? lol)

Chrome Cookie Backup Tool

It slices, it dices, it backs up and restores cookies for multiple profiles at once. You can check out the tool on GitHub, and use it to avoid 2-F-Apocalypse the next time you update your machine! Just make sure you run the backup before you wipe out your old install since you need to log on with the Windows user account of the Chrome profile to create the decrypted backup file. And sorry, it doesn’t work on Linux[1] or macOS since the encryption used there is different.

Hope that helps!

  1. Although for Linux the encryption key is literally “peanuts” for all users, so it shouldn’t require decryption to move your cookies there. I haven’t tried it though!