New Years Resolution: Secure Your Digital Life

Update: I will be putting together a HOW-TO for using the YubiKey to lockdown access to many popular websites. Stay Tuned!

New Year's resolutions are tough to keep, but here is one that you can: Secure Your Digital Life! It seems like every day we read a news story about a corporation getting hacked, private details leaked, or credit cards stolen. This New Year's, resolve to lock down access to your online information, starting with your account access.

The password is dead, long live the password!

How hard do you think it is for someone to guess your password? Is it your mother's maiden name, or perhaps your driver's license? How long do you think it takes a computer to brute force your password? Hint: not long. The password is dead, long live the password! Well, almost. We need more than just a password, and most sites (Gmail, Facebook, etc.) support 2 Factor Authentication. With 2Auth, a password is not enough; you also need to provide a time-sensitive token, usually generated by your phone or a key fob.

You may have seen this already; in fact, you may have Google Authenticator or Duo already installed on your phone, and that's great! It's definitely a step in the right direction… but did you know the secret keys stored on your phone are accessible to just about anyone? Yup. Those apps store the secret keys for deriving your login tokens right on your phone's storage. They are there for anyone to see.

That's where hardware comes in, which is harder to crack (but not impossible). Data can be stored in WRITE-ONLY areas, meaning attackers will have a difficult time getting at the secret keys used to generate your login information. My favorite device so far is the YubiKey, which can do just about anything: from OTP to U2F (2 Factor Authentication), this little key does it all (including GPG keys). It even has native support for Gmail (and Google Apps).

Yubikey

The Two Factor Auth List has a list of popular websites that support 2 Factor Authentication. Most sites that support a hardware or software implementation will be compatible with the YubiKey, including the popular LastPass Password Manager.

Remote control your (now) headless Android phone

Last night a terrible thing happened: I dropped my Razr Maxx and shattered the screen. In its defense, I have dropped it on many occasions, including (accidentally) throwing it across a concrete garage (face down) and kicking it into a wall (from bed). Without even a scratch on the screen, it has withstood my abuse like a champ, but last night it just couldn't handle the sharp jagged rocks that broke the screen.

Sometimes people get lucky, and even though the screen is shattered, it's still usable (albeit touch sensitivity probably sucks after that). If that were my case… I wouldn't have anything to write about. No… my screen no longer turned on. So now what?

Remote control it! It is an Android after all (pun intended).
Here's what we need:

The first thing I did was start up the Android Screencast Java program. This little program detected my plugged-in phone and immediately brought up my screen. Apparently, if you have a rooted device, you can also send clicks from the program. Unfortunately, my device was not rooted.

In order to send commands to your phone, you are gonna need to use the Android SDK. Once you have it installed, find the platform-tools folder, cd into it, and run:

 ./adb shell

That should drop you into a shell from which you can send commands to your phone.

ADB Shell
shell@cdma_spyder:/ $ input
usage: input ...
input text
input keyevent
input tap
input swipe

My first challenge was getting past my lock screen. I have a PIN number, which I was easily able to enter using the command:

input text 1234

Then, came the more challenging part: hitting the submit button. In order to submit my PIN, I had to guess/determine the X Y coordinates of the enter button, and send a tap via:

input tap 350 750

Remember that the Android screen coordinate system starts at the top left. So, (0,0) is the top left, (MaxX, 0) is the top right, (0, MaxY) is the bottom left, and (MaxX, MaxY) is the bottom right.

In order to get the Notification Window, I had to swipe down:

input swipe 350 0 350 700

Another neat trick is sending KEYCODES via the

input keyevent

command. You can find a list of KEYCODES here. I particularly found

input keyevent 3

useful, which is the Home button.
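The adb input steps above (type the PIN, tap enter, swipe down the shade, send KEYCODE_HOME), as an added example that is not code from the original post. It builds the same "adb shell input" argv lists and works out the tap position from the screen size reported by "adb shell wm size" instead of guessing pixels; the runner hook and the sample size line are my own assumptions so it can be dry-run with no phone attached.

```python
import re
import subprocess

# Added example, not code from the original post: builds the "adb shell input"
# commands described above and locates the enter button as a fraction of the
# screen instead of guessed pixels. The runner hook is my own convention so the
# commands can be dry-run with no phone attached.


def build_input(*args):
    """argv for one adb 'input' subcommand (text, tap, swipe, keyevent)."""
    return ["adb", "shell", "input", *[str(a) for a in args]]


def parse_wm_size(output):
    """Extract (width, height) from 'adb shell wm size' output such as
    'Physical size: 720x1280' (that sample line is constructed here)."""
    m = re.search(r"(\d+)x(\d+)", output)
    if not m:
        raise ValueError("no WIDTHxHEIGHT in: %r" % output)
    return int(m.group(1)), int(m.group(2))


def rel_to_abs(size, x_frac, y_frac):
    """Map screen fractions to pixels; (0,0) is top-left, (w,h) bottom-right."""
    w, h = size
    return round(w * x_frac), round(h * y_frac)


def unlock_commands(pin, size, enter_xy=(0.5, 0.9)):
    """Commands that type the lock-screen PIN, then tap the enter button."""
    x, y = rel_to_abs(size, *enter_xy)
    return [build_input("text", pin), build_input("tap", x, y)]


def notification_swipe(size):
    """Swipe from the top edge downward to pull down the notification window."""
    w, h = size
    return build_input("swipe", w // 2, 0, w // 2, round(h * 0.55))


KEYCODE_HOME = 3  # the 'input keyevent 3' from the post


def run(commands, runner=subprocess.run):
    """Execute each argv in order; pass a stub runner for a dry run."""
    return [runner(cmd, check=True) for cmd in commands]
```

Feed parse_wm_size the real "wm size" output from your own device, then hand the resulting size to unlock_commands and run() with the default runner.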

Backing up my SMS messages

Luckily, I was able to navigate through Android, launch my SMS Backup program, and back up everything I needed, eventually transferring it all to my computer.

MySQL Triggers and Django

Django is a great Web Framework to build websites in. It handles so much for you that it sometimes can't handle the most basic things. If you have ever tried to use Triggers in MySQL and Django, you know what I mean (or will soon find out). Now, you may not have many uses for Triggers, especially when Django handles the majority of the work for you automatically, but in some cases it is necessary to define your own triggers at the database level (like for a Database course in college).

Django provides you with this really nice "syncdb" command, but there isn't an obvious way to insert custom triggers. Searching around, I found that you can provide "custom" SQL during the process, which would seem like a great place to insert triggers. Just add a "sql/" folder to your Django app, and create a file called <model_name>.sql. Or, if you want to be more specific, <model_name>.mysql.sql. At first I thought this would be a great place for the trigger, but it didn't work. Django kept getting hung up on the ';' in the Trigger.

When creating a Trigger using a GUI like MySQL Workbench or Sequel Pro, the application sends SQL commands separately, as delimited by the ';'. The problem is that a ';' may exist within a Trigger statement. For example, the following would not work:

CREATE TRIGGER validate_enrollment_hours
BEFORE INSERT ON service_serviceenrollment
FOR EACH ROW
BEGIN
DECLARE event_start datetime;
DECLARE event_end datetime;
SELECT start_time, end_time INTO event_start, event_end FROM events_event WHERE id = NEW.event_id;
IF NEW.start < event_start OR NEW.end > event_end THEN
SIGNAL SQLSTATE '45000'
SET MESSAGE_TEXT = 'Invalid Start/End Time', MYSQL_ERRNO = 1001;
END IF;
END;

I spent the better part of an hour trying to figure out why. Turns out the ';'s really confused Sequel Pro and MySQL Workbench. The solution was to change the delimiter and execute the following statement.

delimiter |
CREATE TRIGGER validate_enrollment_hours
BEFORE INSERT ON service_serviceenrollment
FOR EACH ROW
BEGIN
DECLARE event_start datetime;
DECLARE event_end datetime;
SELECT start_time, end_time INTO event_start, event_end FROM events_event WHERE id = NEW.event_id;
IF NEW.start < event_start OR NEW.end > event_end THEN
SIGNAL SQLSTATE '45000'
SET MESSAGE_TEXT = 'Invalid Start/End Time', MYSQL_ERRNO = 1001;
END IF;
END;
|

Great! Now I can actually get this Trigger in the database, but if I use the latter example in the <model_name>.mysql.sql file, it still doesn't work! Finally, I stumbled upon ticket #3214 on the Django website. While I wasn't too keen on doing any kind of patch, there was an interesting little snippet I read in there.

"As a workaround, multi-line SQL statements have to have something other than whitespace between their semicolons and newline characters." -Sam Morris

Eureka! Finally!

CREATE TRIGGER validate_enrollment_hours
BEFORE INSERT ON service_serviceenrollment
FOR EACH ROW
BEGIN
DECLARE event_start datetime; --
DECLARE event_end datetime; --
SELECT start_time, end_time INTO event_start, event_end FROM events_event WHERE id = NEW.event_id; --
IF NEW.start < event_start OR NEW.end > event_end THEN
SIGNAL SQLSTATE '45000'
SET MESSAGE_TEXT = 'Invalid Start/End Time', MYSQL_ERRNO = 1001; --
END IF; --
END;
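Why the trailing "--" fixes it, as an added example that is not Django's own code: a simplified reimplementation of the splitting behaviour ticket #3214 describes (cut at a ";" that ends a line, then drop "--" comments from each piece), run over the trigger from this post with and without the workaround, plus a helper that applies the workaround automatically. The splitter logic is my approximation of what the loader did, not a copy of it.

```python
import re

# Added example, not Django's own code: a simplified reimplementation of how
# Django 1.x's custom-SQL loader split a sql/<model_name>.sql file, based on
# the behaviour ticket #3214 describes. Pieces are cut at a ';' that ends a
# line, and '--' comments are dropped from each piece afterwards. That is
# exactly why the '; --' workaround keeps the trigger in one statement.
STATEMENT_END = re.compile(r";[ \t]*$", re.MULTILINE)
LINE_COMMENT = re.compile(r"--.*$", re.MULTILINE)


def split_custom_sql(sql):
    """Return the list of statements the loader would send to MySQL."""
    statements = []
    for piece in STATEMENT_END.split(sql):
        piece = LINE_COMMENT.sub("", piece)
        if piece.strip():
            statements.append(piece.strip() + ";")
    return statements


def protect_inner_semicolons(sql):
    """Apply the ticket's workaround: append ' --' to every line-ending ';'
    except the last, so the splitter sees the whole block as one statement."""
    lines = sql.rstrip().splitlines()
    for i in range(len(lines) - 1):
        if STATEMENT_END.search(lines[i]):
            lines[i] = lines[i].rstrip() + " --"
    return "\n".join(lines) + "\n"


# The trigger from the post, with {m} marking where the workaround goes.
TRIGGER_TEMPLATE = """\
CREATE TRIGGER validate_enrollment_hours
BEFORE INSERT ON service_serviceenrollment
FOR EACH ROW
BEGIN
DECLARE event_start datetime;{m}
DECLARE event_end datetime;{m}
SELECT start_time, end_time INTO event_start, event_end FROM events_event WHERE id = NEW.event_id;{m}
IF NEW.start < event_start OR NEW.end > event_end THEN
SIGNAL SQLSTATE '45000'
SET MESSAGE_TEXT = 'Invalid Start/End Time', MYSQL_ERRNO = 1001;{m}
END IF;{m}
END;
"""
NAIVE_TRIGGER = TRIGGER_TEMPLATE.format(m="")          # splits into 6 fragments
WORKAROUND_TRIGGER = TRIGGER_TEMPLATE.format(m=" --")  # stays one statement
```

The naive version's first fragment ends at "DECLARE event_start datetime;", which MySQL rejects on its own; the workaround version survives as a single CREATE TRIGGER statement.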

All is well now. The apocalypse has been diverted, and I can finally move on to the next million other things I need to do.

Energy Datapalooza 2012

So I thought I'd talk about my recent trip to Washington D.C. to attend the Energy Datapalooza conference. The first thing I noticed in D.C. was this: the Metro system there is really nice. I mean really, really nice. Cleveland's RTA system could surely take a leaf out of D.C.'s book when it comes to the cleanliness of its stations. But I digress; the conference was very interesting. It started out like this: waking up at 6 in the morning and trying not to look like a zombie. Getting to the conference was easy (see above: the Metro there is nice!).

Who is that dashing young man on the left? Oh! That's me!

Ok ok, the conference. It started out with some really great talks; I especially enjoyed the one by the Founder and CEO of WattzOn, Martha Amram. WattzOn has definitely got some good stuff going on, including a new app they just released that helps you choose new appliances that are both low-cost and energy efficient. There were quite a few good talks, and then the Secretary of Energy, Dr. Steven Chu, gave a great speech on how there is such a large market of energy-related applications that are just waiting to be developed.

[Embedded YouTube video: http://www.youtube.com/v/cspiqloXVP4]
Oh, and you see the back of that kid's head on the right side of the video? That's me too!

There was also an award ceremony for the Apps For Energy contestants, where we were invited onto the stage to shake Dr. Steven Chu’s hand and get our picture taken.

Ok, so after all the presentations, we went up to the 4th? floor and set up our table. I think we took the prize for the most screens on a single table: two phones, two tablets, and my laptop (my gorgeous Retina MacBook Pro). Various people walked around checking out the displays. I got to talk with a lot of people and demonstrate our application. Even Martha Amram (WattzOn) stopped by and gave me her business card (which I was excited about). We definitely got some great feedback, so now it's a matter of incorporating those suggestions into our application and releasing an update. When you're one of two programmers, that can definitely take some time, but I'm working on it!


Update 10/8/2012:

Another video surfaced about the Energy Datapalooza.
[Embedded YouTube video: http://www.youtube.com/v/CIgpX1lgPj0, starting at 53 seconds: "There is the back of my head again!"]

Java’s Quirky Modulus

When it comes to the modulus operator, Java can be kinda quirky. Consider the statement:

a % b

If "a" is negative, the result will be negative. One would expect that -1%12 would return 11, as it does in Python. You can get this desired behavior in Java by doing:

(a % b + b) % b

I definitely wasted 5 minutes debugging this, but at least now I know.

Reference: http://stackoverflow.com/questions/4412179/best-way-to-make-javas-modulus-behave-like-it-should-with-negative-numbers

Energy Datapalooza

It's hard to believe that only a few months ago, my team and I won second prize in the Student Division of the Apps For Energy Contest. It still hasn't quite sunk in yet… we won a national competition… that is just amazing. One of my teammates was talking about it to a friend during a car ride (late Chinese food run), and she was totally amazed. Me?… I was amazed at her amazement. Did my team really just place in this national competition? I still feel like the same person. The whole thing just seems so surreal, like it was all a dream.

As a winning team, we have been invited to Washington D.C. to attend the "Energy Datapalooza", with a booth demonstrating our application. I just got this in the mail, which drives home the impressiveness of what my team has achieved. I'm really proud of my team, but we have a lot more to accomplish before we can rest.

ENERGY DATAPALOOZA
Unleashing the power of data to advance our energy future

The White House Office of Science and Technology Policy, Council on Environmental Quality, the U.S. Department of Energy, and the U.S. Environmental Protection Agency cordially invite you to join us for an "Energy Datapalooza," highlighting innovators and entrepreneurs who are using freely available data from the government and other sources to build products, services, and apps that advance a secure and clean energy future.

Monday, October 1, 2012
8:30 am – 2:00 pm

Eisenhower Executive Office Building
South Court Auditorium
Washington, D.C.

Special Guests:

Steven Chu
U.S. Secretary of Energy

Todd Park
Assistant to the President
U.S. Chief Technology Officer

Bob Perciasepe
Deputy Administrator, EPA

Nancy Sutley
Chair, White House Council on Environmental Quality

Heather Zichal
Deputy Assistant to the President for Energy and Climate Change