Browsed by
Category: Technology

Why is there no August Smart Lock API?

Why is there no August Smart Lock API?

Today in #ThingsIWishExisted: August Smart Lock API

I bought an August Smart Lock three years ago so I could stop carrying around door keys and have my doors magically unlock themselves. Actually that’s not really true, I really bought a crowdfunded Lockitron three years ago but the dang thing was going to be so delayed I impulse bought the August lock while in an Apple store. I later rationalized the purchase thinking that I’d compare it to the Lockitron when it eventually arrived, and return one of them. It ended up being OVER THREE YEARS before the Lockitron finally showed up, and by that time I’d moved out of my apartment in Boston to Texas where my new place had a door that no longer fit the Lockitron.

Long story short, I’ve been using the August lock for a while. The thing that sucks about it is that the August Auto-Unlock feature is pretty crappy. The dream is that I walk up to the door, it magically unlocks itself and I open it and stride through like a man from the future. The reality is that I do that about 25% of the time, I stand awkwardly in front of the door waiting for it to eventually open 50% of the time, and 25% of the time it never opens and I sigh and use the Android app to unlock the door (or I use the key I never stopped carrying). First world problems, right?

So pretty. But no API!

This wouldn’t be too much of a problem if August would create an Android Wear app for my smartwatch, so I could quickly just tap my wrist while walking up to the door to unlock it instead of fishing my phone out of my pockets, unlocking it, opening the app, waiting for it to start up and then tapping my house icon and waiting and then tapping the unlock button. Terrible! But they haven’t made an Android Wear app probably because there aren’t enough people willing to look like nerds and wear Android watches to justify the expense. Well, that’s fine, I could just write my own Android Wear app, but I’d need access to the August Smart Lock API and they don’t make it public. What’s the point of having a Smart Lock if the smart features aren’t available for tinkerers to tinker with? So frustrating.

A smart guy reverse engineered the bluetooth protocol and released a NodeJs program that could run on a Raspberry Pi to open the August lock, but running Wifi, Bluetooth and NodeJs on a Raspberry Pi was asking for trouble, and my setup crashed often enough to fail the WAT1. I ended up creating a horribly complicated system derived from the Node library which now involves an old phone, a Microsoft Azure Function and Google Firebase notifications to work with my old Geolocation Watch App to unlock the door. It’s working for now, so we’ll see if it ends up being reliable enough to pass the WAT.

UPDATE 3/18/2017: It ended up being too slow and unreliable so I ported the August bluetooth API to Xamarin (and made a plugin) so I could build this functionality into my Zones app. Works much better.

Oh, and the Lockitron that arrived 3 years late and doesn’t fit my door? It has a public API.

  1. Wife Acceptance Test
On the current state of email transport security in 2017

On the current state of email transport security in 2017

I had a bit of curiosity today while going through my email, wondering about how secure it was. As I logged back in to some sites requiring two-factor authentication due to my recent 2-F-Apocalypse after losing my Chrome cookies, a few were set up to send verification links through email. A few questions I didn’t know the answer to popped into my head: Is that safe? How secure is email today anyway? And down the rabbit-hole I went…

Anecdotally, I’d say that almost all messages I receive from real people (and most messages from mailing lists or companies) are transmitted securely to my Gmail (where you can check on the transport encryption status). Here’s an example of an email sent insecurely, and how you can tell whether a message you are about to send is going to be sent securely:

Tsk, tsk, bad company formerly known as Time Warner Cable (now Spectrum). Email sent without encryption.
Testing sending to cox.net. The red lock icon means it’ll be sent insecurely.

On Google’s Transparency Report for Safer email, the current numbers for Gmail’s outbound and inbound messages that are transported securely (encrypted) as of this writing are 87% and 81% respectively.1

Is that good? Does that mean we’re >80% safe now? What does that even mean?

I’ve always thought of email as being inherently simple and insecure. After all, email runs on the 35-year-old “Simple” Mail Transfer Protocol (SMTP). Having spent the last decade as a CTO of a health information technology company dealing with Protected Health Information (PHI) and constantly scolding my clients for sending PHI over email (frowned upon, though surprisingly not always illegal under HIPAA), I wondered if my beliefs about the insecurity of email were still true. Those beliefs were grounded in the days before encryption was available over SMTP2 (pre-2000) and when many more organizations ran SMTP servers internally. Before Yahoo! Mail & Hotmail were created in the late 90’s and Gmail burst onto the scene in 2004, nearly every small internet service provider (who most people got their email from at the time) and small- or medium-sized organization had an email server sitting in a closet somewhere running the email server software of the day3, which was insecure by design. This distributed nature of the internet’s email server infrastructure made it resilient but ultimately resistant to change. How do you convince a million server operators to update their email software to something more secure when it’s not technically broken? I would have imagined even a very simplified graph of the zillions of email servers on the internet back in 2000 to look something like this:

Not a real graph of the year 2000 but you get the point, everybody and their mother was running an email server

Fast forward to today, where almost every person and nearly every small- or medium-sized organization outsources their email to one of the big email providers (Google, Microsoft, Yahoo, AOL etc.). Not only that, but senders of bulk email also regularly outsource that task to one of a short list of professional email platforms (Mailgun, Mailchimp, Sendgrid, Amazon SES, etc). I’d wager a guess that the percentage of email being sent and received by the big email services is increasing, and that a very simplified graph of email being sent today would look more like this:

Once again, not a real graph but imagine most email being sent by huge services, not by servers run by non-pro’s

With such a large percentage of email under the control of a smaller cadre of email services, you’d think that the small number of “big guys” would be able to agree upon a way to send email securely, force the rest of the small fish to go along with them, and that our email would be secure today (and maybe even encrypted end-to-end!). While that may happen someday, here are a few harsh truths about the current state of affairs:

  1. Email transport encryption is still voluntary and optional. As the Google Transparency report showed, ~20% of email today is still being transported totally unencrypted. That means that any simple attacker with read access to the network between the email server of the sender and that of the email recipient has the capability to read the entirety of the message.
  2. Because transport encryption is optional, even the other ~80% of encrypted email traffic may be subject to a man-in-the-middle downgrade attack, so under many circumstances a sophisticated attacker with interception access to the network between the sender & recipient servers has the capacity to strip the encryption and read the message.

While that doesn’t sound very good, forces are in motion to improve the situation:

  1. A proposal published in 2015 (RFC 7672) called DNS-Based Authentication of Named Entities Transport Layer Security (DANE TLS) would use Secure DNS (DNSSEC) to specify and require email server encryption, but adoption of that proposal is dependent on the adoption of DNSSEC which itself is controversial and has been very slow to this point.
  2. A different proposal, SMTP MTA Strict Transport Security (SMTP MTA-STS) would use regular DNS and a secure web service to specify and require email server encryption, but is still currently in draft status and if/when it is published will still take time for significant adoption.

In conclusion, while >80% encryption of email transport is a great start there are still gaping holes in the picture that should prevent anyone today from calling email transport secure. A persistent and sophisticated enough attacker still has plenty of opportunities to break into your email as it’s being transported, even without hacking into your account specifically.

This was an interesting refresher for me, having looked into email security in the distant past4 but not having read much about the recent progress made. I’ll have to remember to check back in on it later, maybe we’ll be closer in 2018! Fingers crossed.

  1. I couldn’t find numbers for AOL, Hotmail/Outlook.com or Yahoo mail
  2. RFC 2487‘s introduction of the STARTTLS command in SMTP
  3. Software like sendmail or Lotus Notes or Exchange or my frenemy, MDaemon
  4. I worked on an implementation of Direct Messaging (a type of secure email) for my Electronic Health Record company‘s participation in the Massachusetts Health Information HIway health information exchange. If widely adopted by the health industry (a big if), it could serve as an example of a secure messaging network based on SMTP.
Keep your Chrome Cookies when reinstalling Windows

Keep your Chrome Cookies when reinstalling Windows

I reinstalled Windows on my desktop and laptop from scratch earlier this week to fix some nagging issues and clear out the cruft. Starting from a blank slate with a fresh install (vs an upgrade or install in-place) always makes me feel great. That’s a little sick, I know. But all the apps work like they’re supposed to and the computer just feels more… solid. As more of my life goes into the cloud, the list of software I need to reinstall gets shorter, and with Chocolatey and a USB drive with a few installers, I can do full OS reinstall in under an hour. With Chrome Sync, after reinstalling the browser and logging in, all my extensions, settings, saved passwords and bookmarks magically re-appear. Everything is awesome!

Until I try to open up a few of my favorite services and try to log in there…

Twitter login… 2-Factor Auth
Google login… 2-Factor Auth
Facebook… grr
All of my bank accounts too! What the FASDKFJASFSAKl111

I could go on for a while, since every site that I can turn on 2-factor authentication for I have done so. This greatly increases my security in case my password is ever hacked or I get phished. It also means that after reinstalling I got to spend tons of time and annoyance getting SMS text messages, Google Authenticator codes, security code emails, and typing in answers to security questions. Normally the 2-factor authentication only requires verification periodically, and you mark your browser as a “registered device” to avoid having to jump through the hoops. To do this, your browser stores a “cookie” with an authentication token used on future visits to the sites you register. And although Chrome Sync restored 29 apps, 16 extensions, 202 settings, 415 passwords and 52 bookmarks for me, it does not sync cookies!!

This is of course by design. Normally syncing cookies would be a really bad idea since it would defeat the purpose of 2-factor authentication. But when reinstalling your computer, it would be nice if there was a way to bring over cookies. You used to be able to do this by copying the Chrome User Data folder, but this was a bit of a security risk because that meant your passwords and cookies were sitting around on your disk unprotected and could potentially be stolen. So in 2014 Chrome started encrypting protected data like cookies, using a special encryption key that is different for every user and computer.

I’d reinstalled Windows a few times since 2014, so I’ve gone through 2-Factor-Apocalypse a few times, with each time getting worse as more sites allow 2-Factor Authentication or implement security questions or email processes. To make things worse, I’ve started installing Windows Insider pre-release builds, so I’ll probably reinstall from scratch again soon and have to go through the whole thing again. Madness!

I did a search to see if there were any solutions for backing up and restoring Chrome cookies, and it didn’t look like there were any suited to my use case, so I spent a few hours cooking one up. (See what I did there? lol)

Chrome Cookie Backup Tool

It slices, it dices, it backs up and restores cookies for multiple profiles at once. You can check out the tool on GitHub, and use it to avoid 2-F-Apocalypse the next time you update your machine! Just make sure you run the backup before you wipe out your old install since you need to log on with the Windows user account of the Chrome profile to create the decrypted backup file. And sorry, it doesn’t work on Linux1 or macOS since the encryption used there is different.

Hope that helps!

  1. Although for Linux the encryption key is literally “peanuts” for all users, so it shouldn’t require decryption to move your cookies there. I haven’t tried it though!
Free* Slack Email Integration

Free* Slack Email Integration

If you’re on the free Slack plan (I have a small personal Slack domain that I experiment with), the built in email integration is not available. There are a number of ways to work around this– IFTTT has various recipes, Zapier’s got a bunch of zaps, but I’d been playing around with the Serverless framework and figured it’d be a nice little project to try it out with. And I’d end up with almost free email integration.1

Serverless Framework Logo
And they have an awesome logo!

Although Serverless is built on AWS Lambda, and AWS has an email service (Simple Email Service), I decided to use Mailgun since it gives you a free sandbox domain so you don’t have to set up a custom domain for your email, and also gives you 10,000 free emails per month.

The code is configured to let you set up an email address like slack+[channel]@example.com, which will let you post notifications into a specific channel. I set up shipping delivery and last-minute travel deal notifications to #alerts, and all the Hamilton lottery rejection emails to go to #wah-wah.

slack
Hooray! SlackAttack commence.

Check out the code on Github at: https://github.com/Marcus-L/serverless-mailgun-slack

  1. OK, it might cost you a penny or two in AWS data transfer fees. Don’t say I didn’t warn you.
Feedability – Full Feed RSS Server with Readability

Feedability – Full Feed RSS Server with Readability

If you’re an avid reader of blogs and still got your head in the sand using RSS you probably use a feed aggregator service like Feedly to read your news. Putting aside the argument of whether RSS is dead and everyone uses Twitter or Reddit to get their news, feed readers can be useful at least to provide an app like Reeder or GReader content for you to sync offline and read while you suffer through internet withdrawal on a plane (although this has changed much in recent years with most flights, even over the Pacific or Atlantic getting internet service).

Offline content is great, but the dreaded “partial feed” can cause a particularly link-baity headline like “26 Things That Will Make You Say ‘Hmmm, That’s Interesting’” end in disappointment as you see the truncated excerpt and then the taunting “Click here to read more” link only you can’t click there since you don’t have internet!1

Feedability screenshot, GitHub link

Well, have no fear dear reeders, and enjoy whiling the time away in-flight (assuming you remembered to sync your feeds before you went into airplane mode), because Feedability is here! Feedability is a full feed readability server, which takes existing RSS or Atom feeds as input, and replaces the truncated article synopsis with the full Readability‘d version of the feed entry links. As shown in the screenshot above, you can preview article content to tweak it with CSS white/blacklist selectors before generating a feed link–the Readability library (the same one used in Firefox for its “Readability mode”) does a pretty good job at extracting the page content but sometimes needs a few hints to find all the article content and exclude non-content. Feel free to fiddle with the demo site, but if you want to use it for real you’ll have to set up your own server since the demo site has IP throttling to avoid tons of people from using it and overloading my demo server.

This is another tool that’s aimed at the techie crowd, but let’s face it–normals don’t really use RSS anyway. Besides, there’s some joy in tweaking the CSS selector rules to get your feed looking just right (until the authors change the page layout, but whatever). So, hope this is useful to you and if not at least now all of my feeds are full-feed, and as a bonus I got to learn about the Materialize CSS library (to the point: don’t use it, too immature) and then Polymer (two-word review: thumbs up!), and the recently released ASP.Net Core 1.0.

GitHub Link: https://github.com/Marcus-L/feedability/

  1. Or the internet in-flight is so slow that even a picture of a totally peeled watermelon can’t entice you to wait for the page to load