We have been using passwords for too long

Every time I have to register to a website using a password, I grow more annoyed. Passwords were fine when you only had one, to log in to your corporate mainframe. But these days, computers are better at cracking passwords than humans at remembering them.

It only gets worse with the more sites you maintain profiles. You shouldn’t use the same password all over. If it was hacked, your entire online identity could be compromised. And nobody can remember good strong passwords for every site he visits. Password managers are no solution. You need to have them with you all the time. They are protected by a master password. So if an attacker can get hold of your database and your master password, which is easily attainable with a trojan, then good luck. He even gets a list of sites to visit.

OpenId and OAuth are a step in the right direction. In theory, you could maintain your identity with a central entity, and use it as a proxy to authenticate you. You have to choose that central entity that manages your identity well, as is can now track your every move. Hence, It would be best, if you could host it yourself. But it is usually still only protected by a password. Since you now only have to remember one, it’s easier to choose a strong one. But again, if an attacker gets hold of your password, he can impersonate you.

So, we need hardware based two factor authentication (something you have and something you know). For about one and a half years I’ve been using a CryptoStick for said two factor authentication. It works great for email, files, ssh, package signing, full disk and disk image encryption, but I couldn’t figure out so far how to use it for web authentication. They mention a service for a SmartCard backed OpenId. That would be just what I want, but I couldn’t figure out how to make it happen. Continue reading “We have been using passwords for too long”

Pimp my miner

For a while now, I thought about mounting a simple display somewhere that shows the most important parameters of my BitCoin miner. First I started with an AtMega equipped with an Ethernet module. But parsing json without any library support became too cumbersome quickly. So I copy pasted together a small python script, and used a nokia display that I already equipped with an i2c interface. If I knew how easy it is, to use those json interfaces, I would have implemented this display project earlier. The code is at the bottom. It is specific to my setup with p2pool and CHF, but it is so easy to change that you can adapt it to whatever your setting is. The python script now runs on an Alix on the same i2c bus as my simple home automation transmitter. Now all that is left to do, is adding a line to /etc/crontab to execute the script once a minute.

As you can see on the image below, the hash rate is too hight for a stock Saturn. That is because I recently added an extension module. So it has now three instead of two hashing modules. All of a sudden, KncMiner announced they had 200 extension modules for the October batch, and that future modules would be incompatible. So, that was pretty much the only chance for an upgrade. My existing power supply should have room for one more module, and they were moderately priced. The demand was high enough that they were sold out in three minutes. The i30 cooler that was recommended was not available at the time, so I had to use an Xtreme rev2. I had a fun time finding out how to correctly mount it. Even for the original, there was no manual or description how to mount it. Just look at the existing modules said someone in the forum.

Continue reading “Pimp my miner”

chording bluetooth keyboard

Wearable computing is much older than Google glass, and even head mounted displays were around for a while. Personally, I’m looking forward to affordable devices of that type. The display seems to be a very good solution, while voice entry can be awkward. The Hak5 podcast aired an episode last year about a guy that has walked around with a head mounted display and a computer in his backpack for a long time. While the display is certainly cool, what was most intriguing to me was the keyboard. He uses a one hand device with key press combinations that he can operate while walking around.

I didn’t find his exact model when searching the Internet, and while there are some devices around in this category, the selection is very sparse. They are called chorded keyboards, and were first introduced in 1968 at what is often called “The Mother of All Demos“. Then I found out that there is an open standard for this sort of thing. It’s called GKOS and stands for Global Keyboard Open Standard. They experiment in lots of different directions, but no commercial product seems to have come out of this so far. Amongst the different experiments, there is an Arduino project to build a GKOS keyboard, but I considered an Arduino with custom buttons too bulky for practical use.

A while ago, I ordered a cheap 6-key HID device that I wanted to use to try GKOS myself. I tried a while with key remapping but to no avail. And I strongly suspected, the device could not handle key combinations at all.

Last week, I somehow remembered my failed past attempts, and thought that a bluetooth device would be cool. I quickly confirmed that all the DIY bluetooth modules that I had were not capable of HID but only UART. Then I found a simple to use bluetooth HID module, that was apparently released just two months ago. What a coincidence!

The first test with the GKOS Arduino code on a breadboard was successful. So, I disassembled the USB device, and re-soldered the buttons to an AtMega8 and added a lithium battery from a defunct tiny quadrocopter.  But after I soldered everything together, only some keys would work. I was sure, an AtMega8 would be able to handle this simple task with ease, but I had to use an Atmega328 to make it work. It costs a few bucks more, but much less than the time for finding out what the problem with the AtMega8 was. I didn’t inspect the code throughly enough yet, but maybe the AtMega8 is just missing some hardware interrupts.

So far, I’m very slow at typing, and I have to peek at the cheat sheet for most characters, but with a bit of training that should improve. My prototype works well for two handed operation, but I think one handed operation would be the way to go, although I don’t know if GKOS is really suited for that.

BitCoin mining pools

As stated in an earlier post, after I was mining for a few days, the 50btc mining pool was hacked. A month later, I’m still waiting for my coins. So I tried some other pools. As advised in many places, I avoided the biggest pools, thus mitigating the risk of a 51% attack. I mined for about three days each with 50btc, slush, bitminter and eligius. Like 50btc, slush and bitminter required registration and payed for the submitted work to an account on the site. You could manually cash out, or define automatic payouts with a threshold. These pools are good for ease of mind when you start mining, or have underpowered hardware, as you get a predictable, steady flow of income. Because these pools pay for submitted work, they have to absorb the risk of bad luck periods. Thats when the pool doesn’t find as many blocks as it statistically should. Because of that, they naturally need to collect higher fees.

The eligius pool has an entirely different strategy. As happened to 50btc, the pools above accumulate funds for payouts, and are thus exposed to hacks. You don’t have to register for eligius. Instead, you just provide your payout address as user name. When a block is found, it is split amongst the miners, and no funds are kept on the server. This manifested in a different action in my bitcoin client. Rather than an usual transaction with an originating address, it showed two hammers, indicating that this came directly from mining. Though not vulnerable to hacks as the other pools, it is still attackable by DDoS. And yes, the BitCoin world is more hostile than the broader OpenSource community. That’s what money does to people.

Then I found what I consider much more in line with the bitcoin spirit: p2pool. It is decentrally organized as peer to peer network, just as bitcoin itself. Having no single point of failure, it is save from both hacking and DDoS attacks. It is very clever how it works: Continue reading “BitCoin mining pools”

trading agents

I always considered finance and accounting as the most boring things you can do with a computer. And while you can earn big bucks, working for a Swiss bank, I have always preferred topics with a more physical background.

But BitCoin got me interested in how some aspects of the established financial systems work. Looking at the bitcoin price fluctuations, I long suspected that it should be possible to write a trading agent to exploit the volatility. It could follow some fix pre-programmed rules, or find the rules by itself using machine learning. All the data it would need to work on, is easily available.

Last summer started btcrobot, a service that promised just that. They have a subscription model, and I’m sure, if it doesn’t work out, they still gain and the users loose. I didn’t really want to pay hundreds of dollars just to find out if it works. And to be honest, the whole site smelled like a scam.

So I completed the Coursera class “Computational Investing 1“. It was more about portfolio management and algorithmic trading of stocks. But a lot of the material can be applied to currency trading and in special to bitcoin as well. In the homeworks we built a small trading agent and portfolio optimizer. The main metric we used was the Bollinger Bands technical indicator.

So I started implementing a bitcoin trading agent that would use bollinger bands. I didn’t want to start completely from scratch, so I skimmed through github and sourceforge for a starting point. I selected funny-bot, and started extending it. But soon, my interest switched to other projects. Remember, finance is not my primary interest. In the last months I had an eye on the exchange rates, trying to see how such an agent might perform. And I think it would be very difficult to tune, at least without experience in that field.

Last week I found out again that I suck at trading. The bitcoin price started rising like cracy. I thought if it goes up so fast, it must come down again. In a rush, I sold some of my bitcoins. I wanted to buy again after the price would crash. But the price kept rising, and I would have gotten a lot more if I sold them just two days later. Apparently I was not alone with my false prediction.

Mining BitCoins

Today I read an article called “Why you should care about BitCoin” with a quote that I want to repeat here:

 “Hackers are the animals that can detect a storm coming or an earthquake. They just know, even though they don’t know why, and there are two big things hackers are excited about now and can’t articulate why – Bitcoin and 3D printing”
– Paul Graham

In late June I ordered a KncMiner Saturn BitCoin mining machine. I knew that it would be delivered in October. What I didn’t know was how the difficulty for mining would develop. It was rising fast, exponentially fast. Nevertheless it was tempting to see, that if I received the miner when I ordered it, return on investment would have been reached in 9 days. In the months since I ordered the device, the network difficulty went through the roof. So at the moment it’s not even sure if I will reach a break even point for the investment. It was a substantial investment for me. But I won’t complain, it was less than what I gained just by holding onto some BitCoins, that I earned with paragliding tandem flights. The mining business appears even riskier than just investing in BitCoin. But in late spring it looked as if the BitCoin price would stabilize, which would be a good thing for BitCoin adoption. Thus mining seemed to be a good strategy to gain something. And on top of that, everybody heard the stories of the people who made a fortune through mining BitCoins.

Last wednesday, I received an eMail from DHL, that they picked up a packet for me in Sweden and that it is on it’s way to me. With the tracking number I could see where it was. The first part of the voyage was quite impressive, but then they couldn’t locate my home, which shouldn’t be that hard. So I had it delivered to the office a day later:

October 16, 2013 14:13 Vasteras - Sweden     Shipment picked up
October 16, 2013 19:35 Vasteras - Sweden     Processed at Vasteras - Sweden
October 16, 2013 20:57 Vasteras - Sweden     Departed from DHL facility in Vasteras - Sweden
October 16, 2013 22:40 Copenhagen - Denmark  Transferred through Copenhagen - Denmark
October 16, 2013 22:42 Copenhagen - Denmark  Departed from DHL facility in Copenhagen - Denmark
October 17, 2013 00:52 Leipzig - Germany     Arrived at DHL facility in Leipzig - Germany
October 17, 2013 01:08 Leipzig - Germany     Processed at Leipzig - Germany
October 17, 2013 04:40 Leipzig - Germany     Departed from DHL facility in Leipzig - Germany
October 17, 2013 06:35 Basel - Switzerland   Arrived at DHL facility in Basel - Switzerland
October 17, 2013 06:43 Basel - Switzerland   Processed for clearance at Basel - Switzerland
October 17, 2013 06:44 Basel - Switzerland   Clearance processing complete at Basel - Switzerland
October 17, 2013 06:46 Basel - Switzerland   Processed at Basel - Switzerland
October 17, 2013 07:58 Basel - Switzerland   Departed from DHL facility in Basel - Switzerland
October 17, 2013 09:06 Basel - Switzerland   Arrived at DHL facility
October 17, 2013 09:19 Basel - Switzerland   With delivery courier
October 17, 2013 16:46 Basel - Switzerland   Address information needed; contact DHL
October 18, 2013 09:36 Basel - Switzerland   With delivery courier
October 18, 2013 15:03 Basel - Switzerland   Shipment delivered

Usually when I look at the tracking,  the steps that take minutes or hours for DHL, would take days or weeks for stuff that comes from China with economy shipping.

When I opened the package, I noticed that something shakes inside the case. When I opened it, I saw that the fans had fallen off the big heat-sinks. So I re-mounted them before starting the device. The software came fully configured, so this part was plug n play. Over the first few hours it was hashing at approx 240 GH/s. When I ordered it, 200+ GH/s was promised, but they stated that 275 GH/s would be normal after the first prototypes. For comparison: a high-end graphics card hashes at about 0.3 GH/s. So I upgraded the firmware to get some more diagnostics. One core was always at 57°C while the other was always at 44°C. So I guessed there should be a way to make the one with the lower temperature work faster.

On the KncMiner forum, I found a firmware mod called BertMod that should offer more detailed diagnostic. It didn’t work with the newest firmware though. Fortunately I could de-compose it, and run the perl script in an ssh session to get the diagnostics. It showed that on the second chip there were about 40 cores disabled.

The next thing I found was the official EnableCores patch. As the name suggests, it enables all the cores in case they were disabled erroneously. Shortly after applying it, the hashrate went up to 260GH/s, but not for long. It stabilized at 250GH/s. And now, I get lots of messages like this:

KnC: core 4-xx was disabled due to 10 HW errors in a row

The technical support told me they are working on a new firmware to improve the performance.

Since solo mining is too risky for my taste at the moment, I am participating in pooled mining. My device should statistically find about 1.3 Blocks in it’s lifetime. But if I were unlucky, it could find nothing at all. When experimenting with GPU mining a while back, I used the 50btc pool. Thus, it was my first choice for the Saturn as well. But after a day or two, they were attacked by a DDoS and later also their billing server was hacked. Mining still worked, but the situation seemed a bit risky, so I looked for alternatives. At the moment I configured slush, bitminter, eligius and solo mining as failover alternatives. They have problems of their own, but these can be worked around:

  • slush wouldn’t send confirmation emails to my regular account. So I had to use gmail.
  • bitminter uses OpenId for logging in, which is great. But the first two OpenId’s that I tried, didn’t work with their site. They would provide additional security as they are self hosted or backed by a client certificate. So I had to use my launchpad.net OpenId, which is only secured with a password.
  • eligius is based in the US

sniffing i2c with the BusPirate

I received my BusPirate v4 a while ago, but didn’t really use it so far. That’s a cool analysis/debug tool for serial buses such as uart, spi, i2c and the like. For me i2c is the most interesting. From time to time, the communication doesn’t work as it should, and so far, I worked it out with trial and error. I hope the BusPirate can be of help in such situations in the future. So, here is my first test run.

The BusPirate is controlled through an uart textual interface:

minicom -D /dev/ttyACM1 -b 115200

When you connect to it, it performs a self test, and then you can choose the mode by entering m. In my case, that’s 4 for i2c. Next I get to choose between hardware and software. I don’t know the implications yet, but what I see is that hardware offers higher speeds, and locks up more often. Then I get to choose the bus speed. 100KHz is the standard. With ? you can always get a list of possible commands. (0) shows a list of available macros. (1) scans all possible addresses for connected devices, just like i2cdetect would do it on the computer. (2) finally is what I was after, that’s the i2c sniffer.

I was actually hoping it could find out why I’m having problems reading back a simple value from an AtMega8 to a RaspberyPi. The AtMega8 is at address 0x11 and the command to read the value is 0xA1. I verified with a serial connection to the AtMega8 that it has a proper value, but on the RaspberryPi I always get a 0. At least the command was received on the AVR as I could verify with the UART, but writing the value back is the problem. So here is what the sniffer outputs for the attempted read:

[[[][]][[[0x01+][0x04-[][[0x20+][[[[[][0x20-[][0x4C+][0x04-[][0x24+][0x20-][]]]

Let’s decipher those numbers. Plus means ACK and minus means NACK. Opening square bracked means start bit, and closing square bracket means stop bit. The expected sequence would be 0x22 (the address for sending to the AVR) 0xA1 (send back which value) 0x23 (the address for receiving from the AVR) 0x08 (or whatever value was stored on the AVR). But the above output doesn’t look like this at all. So, lets try to communicate from the BusPirate to the AVR directly. Here we go: Continue reading “sniffing i2c with the BusPirate”

AtTiny Advent Wreath

An advent wreath in late spring, you ask? Yes, the timing is a bit off, and that’s not just because the coldest spring in ages has not finished yet. While browsing for the topic of my last post, I discovered a nice little one-evening-project: Geeky advent from tinkerlog.
I had all the required parts here, so I just gave it a try. The adaptation from the AtTiny13 to an AtTiny45 was straight forward. But finding the right threshold value for the ambient light sensor was a bit trickier. Especially, as the ADC didn’t work at first. That was probably a difference between the two AtTiny’s. But once I configured the ADC properly for the AtTiny45, I flashed it a couple of times with different values, and turned the room light on an off, until I had a good threshold value.
It’s interesting how the flickering is done with the random values and the manual PWM. And especially, how one of the LED’s is used to sense the ambient light was intriguing. To save battery power during the day, it goes to sleep and waits for the watchdog timer to wake it up. It then senses the ambient light. If it is bright, it goes straight back to sleep. If it’s dark, it lights up the LED’s. Going through the four modes for the four weeks of advent is done by resetting, or just quickly disconnecting the power from the battery.

But now I look forward for the summer to come, before we can put the mini advent wreath to use…

As my modified code is so similar to the original, it’s not really worth to create a project on github. So, I just pasted the code below.

Continue reading “AtTiny Advent Wreath”

AtMega breadboard header

A while ago, I ordered some AtTiny breadboard headers from tinkerlog.com. Unfortunately, they didn’t have any boards for AtMega’s left. The ones for the AtTiny’s are very handy, and I used them whenever prototyping something with an AtTiny. In fact, I used it almost whenever flashing an AtTiny. Many times I wished I had one of these tiny boards for the AtMega’s and at some point I even forgot that they existed. Often times I just included in ICSP header on the stripboard.

Last week I thought I must have such a board for the AtMega’s as well, and created one with a bit of stripboard. The wiring is not pretty, but the device works well, and is a real help when prototyping.

Fritzing layout on github

Jaguar headliners repair

Remember the Asterix & Obelix comics, and that the only thing they feared was that heaven would fall on their heads? That happened to me lately. But it was not as bad as that might sound. Well, the joke doesn’t quite work in English. In German, we call the headliners of a car “heaven”. Last summer, when I had the power steering of my vintage Jaguar XJS repaired, the car was in the sun for a few weeks. Thus, the fabric on the inside of the roof loosened and hung down.

Now, I finally had it repaired. I found a holstery  in Goldau (kk-cabrio). To bring the price down a bit, and also out of interest, we agreed that I would take a day off, and help with the tedious parts. While Kuschj would do the more complicated stuff that requires experience not to break anything.

That worked out really well. I dismounted and mounted the misc stuff from the car, and helped with the headliners. To make sure the new fabric wouldn’t fall off again, I had to scrub off all the old glue from the pressed glass wool mold. Also the trims at the side of the roof got new fabric. There was a spot which had a hole, that was visible for all of the eleven years I have owned that car.

In the afternoon, we disassembled the passenger seat. It was in need of sewing on the side.

After everything is done, it’s now much more pleasant to sit into the old cat.