Why was second factor authentication watered down?

As far as I can remember, two factor authentication was used since the first time I used online banking with BBS like text interface over a 14.4bps modem. Back in the day the second factor was a printed list with numbered codes.
The idea of using different factors is to prevent hackers from accessing your bank account in case they can sniff your password with a trojan keylogger on your system. The factors are generally divided into things you know, things you have and things you are. Hence the categorization of the factors is based on the user interaction. In general it is assumed that everything typed or stored on a multi-purpose computing system can be extracted by an attacker. This is why I propose a different categorization further down. My categorization is based on the threat it protects against.

Things you know (memorized):

  • username
  • password

The first category is pretty much self-explanatory. It is the typical password. Before we had hundreds of accounts, we were able to memorize our passwords. Single factor authentication with only a password is not only problematic because attackers can eavesdrop on what we type, but also because computers are increasingly fast at trying different combinations.

Things you are (biometrics):

  • fingerprint
  • face
  • iris
  • veins

In theory biometrics would be the perfect method for authentication. Unfortunately the technical implementations have many weak points. There are countless stories of fooling fingerprint readers with sticky tape or jelly sweets. But even when you couldn’t fool the device itself, as long as the sensors are run on top of a general purpose computing device, the data can be stolen and manipulated. Once the biometric data are stolen, you can’t change a fingerprint or an iris as easily as you can change a password.

Things you have (possess):

  • printed list with codes
  • dedicated device for displaying codes
  • phone for receiving text messages
  • phone for running an app to display codes

This one is only simple at first sight. Let’s dissect them a bit closer. For a printed list with codes it is not enough to install a trojan on your system. It generally requires physical access to make a copy of it, but you are not alerted when somebody with physical access makes a copy. As soon as you scan it and save a copy on your computer to make login more convenient for you, it also becomes more convenient for an attacker to steal your credentials. There are even banks who send a PDF with the 2FA codes electronically. As a general rule of thumb: once a secret is stored on a connected general purpose computer, its security is weakened considerably. Thus it is not only important how secret information is stored, but equally important how it was generated and how it was transported.

It may not be equally easy to compromise text messages with every cell operator, but it happened too many times, and this method has become almost abandoned. As described above, information stored on connected general purpose computing devices can be extracted. This is an important fact to consider when using authentication apps such as Authy or Google Authenticator. These apps are based on TOTP, but the important difference to TOTP hardware devices is how the secret is stored and protected.
That leaves us with dedicated hardware devices. These come in many forms. Some banks have used little TOTP devices for decades. There are devices that operate in conjunction with your plastic debit card and some that scan mosaic codes. What they all have in common is that they display a code that you enter on the logon screen.
And then there is FIDO U2F. It is a standard that was established in 2014, but hasn’t yet gained the traction that it deserves. The FIDO devices store a seed in protected memory, and generate a sub key for every site you want to visit securely; some even display the site you are about to log in to. This in fact also protects against phishing attempts. Meanwhile most Bitcoin hardware wallets can act as FIDO U2F devices. But the most widely known and used dedicated 2FA device is surely the YubiKey, which comes in a great form factor.
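The per-site sub key and origin binding described above, as an added model in Python (not code from this post or from any FIDO implementation): it derives a P-256 key per origin from a seed and signs the origin together with the server's challenge. The class names, origins, seed, challenge and message layout are assumptions for illustration; real U2F devices use key handles and a different signed-data format, and this hand-written ECDSA is not constant time.

```python
import hashlib
import hmac

# NIST P-256 domain parameters (public constants of the curve U2F uses).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def _add(p1, p2):
    """Add two curve points; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1 % P, -1, P) % P   # tangent, a = -3
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P        # chord
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _to_scalar(key, data):
    """Map HMAC-SHA-256(key, data) to a scalar in [1, N-1]."""
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest(), "big") % (N - 1) + 1


def sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    k = _to_scalar(d.to_bytes(32, "big"), msg)   # deterministic nonce, simplified
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


class ToyToken:
    """Hypothetical hardware token: the seed never leaves this object."""

    def __init__(self, seed):
        self._seed = seed

    def register(self, origin):
        # Only the public half of the per-site key is handed to the site.
        return _mul(_to_scalar(self._seed, origin.encode()), G)

    def authenticate(self, origin, challenge):
        # `origin` comes from the browser, not from the page or the user.
        d = _to_scalar(self._seed, origin.encode())
        return sign(d, origin.encode() + b"\x00" + challenge)


class RelyingParty:
    """Hypothetical server: stores one public key and checks its own origin."""

    def __init__(self, origin, token):
        self.origin = origin
        self.pub = token.register(origin)

    def check(self, challenge, sig):
        return verify(self.pub, self.origin.encode() + b"\x00" + challenge, sig)


def demo():
    token = ToyToken(b"constructed-demo-seed")
    bank = RelyingParty("https://bank.example", token)
    challenge = b"constructed-challenge-0001"
    genuine = token.authenticate("https://bank.example", challenge)
    # Same challenge relayed through a look-alike page: the browser reports
    # that page's origin, so the token uses a different key and message.
    relayed = token.authenticate("https://bank.example.login.invalid", challenge)
    return bank.check(challenge, genuine), bank.check(challenge, relayed)
```

`demo()` returns `(True, False)`: the response produced on the look-alike origin does not verify at the real site, which is the property a typed-in TOTP code lacks.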

I propose a new categorization of factors:

  • things that a trojan can steal from your computer or smartphone
  • things that a thief can copy when breaking into your apartment
  • things that can’t be copied and that you would notice immediately when stolen from your keyring

With this categorization, you realize that most snake oil app based 2FA belongs in the first category along with good old passwords and password managers. Banking trojans that consist of a part for the computer and a part for the smartphone were around even before those 2FA apps became popular. And this is how you differentiate measures that improve security from security theatre. Security theatre is a term for measures that harass the users to give them a sense of security without really improving security. It only deters the opportunistic casual thief, but does nothing against the well organized crime gangs. It’s essentially all the pain without any gain. That is what 2FA smartphone apps are!

But I don’t want to carry around a device

Security is often a tradeoff with convenience. For me it was always clear that I want to protect every account that I can with the security offered by a dedicated device. But apparently there are enough people who don’t care about security, or simply don’t understand the tradeoffs. When I discovered that the Tesla account was only secured by a password, I was so shocked that I disabled remote access in the car. That was almost three years ago. In the forum discussions there were people arguing against carrying around a security device weighing a few grams. And indeed when Tesla introduced 2FA last week, they use solely TOTP. Whenever I have to use TOTP, I use it with my Yubikey. But still that procedure has one important weakness. When setting it up, the secret is displayed and/or entered on a general purpose computing device that must be connected to the internet. When this device is compromised, the whole 2FA is moot. Hence I will leave my car disconnected for the time being.
Since I have learnt about secure 2FA devices, I want to have all my accounts secured. Hence I switched my main bank account to a bank that supports hardware based 2FA a couple of years ago. Now at my new employer, which also happens to be a bank, we use 2FA to log on to some systems. The default is a proprietary app that is only available for iOS and Android. My phones run PureOS and UBPorts for security reasons. From the internal network, we can use TOTP and even FIDO U2F. But when logging in from home, only the less secure method with the proprietary app is allowed. I will never understand the reason behind that. I can still work from home. I can access the git repos, but I can’t log in to Jira or Webex. Since I work for a bank now, I have an account with my employer that has very favorable conditions. But again the 2FA is only possible with a proprietary app that is only available for iOS and Android. This is a real pity. I would love to make more use of that account. But even if that snake oil app was available for any of my phones, I would not deposit a lot, because of the weak security.

Why I am sending back my Librem5

After paying 0.163 BTC for a pre-order, I patiently waited two and a half years for the Librem 5 to finally arrive. Now after half a year with the phone, I finally lost patience. For some more context, please read my former blog posts The Librem 5 phone is still at an early stage and One month with the Librem5.

A computer that looks like a phone

When the phone arrived it could do computer things, but no basic phone tasks. The browser worked very well from the start. So it was more like a small tablet. Phone calls didn’t work at all for the first month. And text messages started working after about a week, but only with weird workarounds.

An expensive hand warmer

When the phone arrived, there was no power management implemented, meaning it constantly ran at full speed. No wonder the device was always warm and the battery was flat after an hour on average. It didn’t make a difference whether I used it or not. After about one or two weeks of having the device I charged it overnight while it was switched on. When I grabbed it in the morning, it was so hot that I could not hold it in my hands. The plastic part between the cellular and the wifi cards started melting together with the back cover.

Hot freezes

One common occurrence from early on was that it would no longer react to any inputs after a while, but still burn the battery down at the same speed. At the same moment it also stopped responding to SSH connections, so it was not just the display.
The first freeze happened five minutes after I switched the phone on for the first time. When the issue started, I had a freeze about every second day, then every day, then twice a day. For a while it never ran for more than 15 minutes without freezing. Since about the time I had the phone for a month, it rarely runs for more than five minutes before freezing.
The freezing is the issue that rendered the phone completely useless for me. It triggered me to move the SIM card back to my five-year-old UBPorts phone. For the next few months I switched the phone on about once a week to install the latest software upgrades. Every time I hoped the freezing issue would be solved. From the responses on the forum, it appeared that my device was the only one experiencing these difficulties, but still it appeared that they were working on resolving the issue through software updates.

Bricked for the first time

Instead of fixing the freezing, an upgrade around Easter made the phone not boot any more. It started to boot, but was stuck at the terminal that is usually only visible for a second. Apparently it was a known issue, but the remedy that was provided, didn’t work on my phone. So I was advised to re-flash it. But the flashing procedure also didn’t work. After a while and some experimentation, I found out that, out of a computer and two notebooks, only my XPS13 was able to flash the phone. I am still puzzled why it didn’t work with the Librem13 especially. But to my disappointment, the freezing issue persisted.

Dead battery

I kept installing the upgrades on a weekly basis. In between I usually removed the battery. When I tested the voltage, it was always between 3.6 and 4 Volts. Then one day I left it plugged in with the original charger for about a week or two. Since then it wouldn’t boot any more. Not only did it stop booting in the middle of the process like before. This time there was no sign of life whatsoever. When I tested the battery, now it read 0 Volts no matter how many times I tried to charge it. I tried with the original charger as well as with others. I read somewhere that the L5 has an issue with the charging, in that it starts discharging after the battery is full. After that it apparently doesn’t start charging again until it is re-plugged. But I didn’t expect this to result in a battery that appears to be totally dead. Even if I wanted to charge it with a universal LiPo charger, I wouldn’t even know which way to connect it. The phone doesn’t run with a dead battery, and it also doesn’t boot without a battery.

Sending it back

The only thing left for me to do is sending it back. I didn’t sign up for a museum piece. I just want a phone that works. It is up to Purism now if they can repair my phone, send me one from the current batch, or one from the mass production batch later on. After being through all this, I would prefer to wait for the batch that is hopefully more reliable. But I will take whatever Purism sends me.

Friends asking

I am often asked about this open source phone that I told everyone about when waiting for it. I would love to tell them how great it was, and convince them to order theirs as well. I still think it is very important to have a phone that you can trust. But unfortunately I have to tell them what a disaster it was so far. I tell them that it appears that I got an exceptionally bad sample, and that most others are probably fine, or at least usable. But I can see from their reactions that my experience is enough of a deterrent for them not to consider buying one.

Update September 2020

Soon after sending back the phone, I received a replacement unit. Unfortunately it came with a US modem. So I waited for another month for the correct modem. It arrived yesterday, and it was easy to replace. Now I finally have a working phone. I switched the SIM to the Librem5 and use it as my main phone now. Some things have improved a lot since last year. Especially the power consumption. Others not so much, such as bluetooth in the car. Anyway, I plan to write another post after gaining some more experience with it.

Working from home during the Corona shutdown

Like many people these days I currently work from home. Due to the corona pandemic, everything that is not essential is closed in Switzerland. Since I work in software development, it is possible to work at home. Most if not all people in my team do so. What is great about the new situation is that I can now eat lunch with my family. We also try to go for a short walk to the lake or the forest after lunch. But there are a couple of factors that make working at home challenging:

  • The factor that I anticipated to be the worst, is distraction. Normally when I try to work on something at home that needs concentration, it takes on average five minutes before somebody comes and wants something from me. And then again after another five minutes, and again and again. This is why I can usually only work at home, when everybody else is asleep. All the more astonished am I, that they leave me do my work now that it’s for my employer and not a hobby project of mine. A very important contribution is from my noise cancelling headphones. Without them this would not be possible.
  • The office at home is the size of a broom closet. It is 1.4 by 2.2 meters with no window or direct daylight. Thus it is important to go out to the patio from time to time to get some fresh air and some rays of sun light.
  • I have a very comfortable chair in my home office, and a nice solid table. But I grew so used to the table I have at work that I can raise to a standing position whenever I want. Even if I wanted to buy such a table, I couldn’t fit it in my small office at home. So I have to take care to move my body enough, not to develop back pain. Especially now that I can’t go swimming in the communal pool. I just hope the lock-down won’t get so bad that I can’t go running any more.
  • My screens are roughly 20 years old, and the low resolution makes it a bit challenging to work effectively. I wanted to order a new screen for years, but always postponed the purchase. Now that I knew that I would work from home, I figured it is the time to go ahead. Even though I ordered it very soon, delivery took more than a week, as the online shops and delivery companies are totally overwhelmed at the moment. The new screen is a blast. It is even bigger than I imagined.
  • And then, there is the elephant in the room. Let me begin by a quote I recently read on the website of the Session messenger: “Friends don’t let friends use compromised messengers”. This statement really resonated with me. On the opposite end of the spectrum, there is a communication software that is closed source, has a proprietary protocol, centralized infrastructure, no end-to-end encryption, constant access to the internet, the microphone, the webcam, the keyboard and the screen. On top of that it also has the capability to take over control of the computer. Back Orifice pales in comparison with these capabilities. That it is tedious to use and only fully works about half of the time is only the lesser evil. It was developed by a company with a long track record of deception and abuses. This software is called Microsoft Teams, and it was recently declared as the primary means of communication in our company. In the past, I flat out refused to use it. But in the current environment of emergency, I felt that I could not complicate things. Apparently, there was not much opposition against inviting the panopticon into our homes. When a co-worker told me that it could be used from within the browser, I was slightly relieved. As long as it is contained in the browser sandbox, the amount of harm it can do is somewhat limited. With the browser you have some control over what access you grant it. Unfortunately in the browser only the chat feature worked, but no audio or video calls. So my team lead asked me to install the desktop client. Installing malware directly on the machine was a no-go for me. So I installed it quarantined inside an empty virtual machine. This now works for audio conferences. But I feel uneasy, uncomfortable even stressed, whenever it is running. My stress level when Teams is running is comparable with sitting on a dentist chair. That is not healthy over time. 
    Thus I often block access to the microphone and the network to the VM, but that brings only light improvement. So, when somebody writes on Slack, I enable Teams, but I can’t have it running with full access all the time, I just can’t. I am reachable through Slack, email, phone, text messages, Tox, Matrix, Session, even Telegram and soon Juggernaut. They all have an open source client that I can trust. I just need a quick note, to start Teams on request. Isn’t it ironic that with the struggle to care about physical hygiene, nobody seems to think about digital hygiene?

I often think about why I care more about digital security and privacy than average people. So many people carelessly ignore the security of their devices, it is completely reckless. How people voluntarily put something like an Amazon Alexa in their home is beyond me. I don’t think I have more to hide than other people. For a long time I have cared about FLOSS. It is not only that I dislike artificial barriers, vendor lock-ins and planned obsolescence. It is also the trust gained through being able to inspect the software. But the biggest impact came when I started to be involved with Bitcoin. This is when I really learned about the value of information, and how to protect it. There were times when I had more wealth sitting on my computer than in my bank account. Who wouldn’t think about how to protect it from the grabs of thieves? With Bitcoin, you are responsible for the private keys. When you fail to protect them, your wealth is gone. There is no bank you can beg to reverse the transaction. But on the plus side, if you protect your data well, nobody can steal it from you. If your bank goes bust, your Bitcoins are still safe. Many people don’t want that responsibility, and prefer somebody else to handle it for them. I can see the same behavior with cloud computing. Bitcoin people are very passionate about OpSec. I am talking about the original cypherpunk people here, not the “get rich quick” crowd that showed up later on. There is a mantra in the Bitcoin world: “don’t trust, verify”. Everything that can’t be verified, such as closed source software, has to be considered compromised.

Ok, enough of going on a tangent. This post is about working from home. My wife calculated the first day that I should now be able to finish at least an hour earlier, because there is no more commute. Sounds reasonable, right? My usual day now looks like this: I get up at the same time as usual and take a shower. I dress the same way and groom the beard the same way as I would if I went outside. Instead of having breakfast alone and driving to work, I start working. When everybody is ready, we have breakfast together. After that I work again until lunch is ready. When I have to go to the toilet, I also grab a fresh tea and go outside for a minute to get some fresh air and some sun. The lunch break is longer than at the office. The kids eat very slowly, and we have a rule at home that we all wait at the table for everybody to finish. Then we usually go for a walk to the forest and/or the lake. We are very fortunate that both are only about two hundred meters away. Because the lunch break is longer, I often work as long in the afternoon as I usually am in the office. Sometimes I even work till the time I would otherwise arrive at home.

We also currently spend the weekends mostly at home. So I took the chance, to tidy up and clean my small office at home.

Interesting reading about privacy in the current state of emergency:

Last but not least, some conspiracy theory:

Bill Gates, The Caricature of a Villain

The Librem 5 phone is still at an early stage

When I learned that Purism was going to develop a privacy respecting and security focused smart phone, I was immediately very excited. So far the only real open source phone was the OpenMoko, and that was almost a decade ago. I ordered one as soon as they opened the pre-orders. A quick look in my Bitcoin wallet revealed that I paid the phone pre-order on Aug 24th 2017. Of course I knew that it would take a while, and that problems are to be expected, which result in later deliveries. When they finally prepared for shipping, they asked everyone for their preferred batch. They warned that early batches would be not as flush as later iterations, and that the software was still a work in progress. Having waited for so long, I was eager to get it as soon as possible. Using an OpenMoko and later Ubuntu Touch device as my main phone, I gathered some experience with unfinished products. A solid base is more important to me than the finished product.
To my knowledge it is the only phone that separates the main CPU from the base band (correction in the comments). Like the Purism notebooks, it has hardware kill switches. One for wifi/bluetooth, one for camera/microphone, and one for the cellular modem. This makes it the only phone on the market where the user is in control. It allows the owner to own the phone instead of Google/Apple in combination with the phone company. In today’s economy, this is a very important development. Modern phones track their users in so many ways that they have become golden hobbles. This is the main concern with Android, but even Apple is not without doubts in this area. The main issue I have with iOS is that it patronizes its users. If you don’t want either of these evils, then you cannot just walk into the next phone store and expect to find something. Devices that came installed with Ubuntu Touch sold out a long time ago. Purism describe their phone as:

hardware and software that treats you like a person and not a commodity to be exploited for profit

Last Friday, the waiting was finally over, and I received my Librem 5.
The first impression when unpacking was, that it is thick and heavy. In fact it is so thick that my kids make fun of me. The build quality is a lot better than I expected after the warnings about the early batches.
The on-off button doesn’t always work reliably, so I first charged it like the manual suggested. It is quite quick to boot. When I can’t get it to start with the on/off button, I usually open the device, and remove the battery for a moment. This always makes it boot reliably. Did I mention that it boots really fast?
Here is another report with unboxing pictures, so that I don’t have to make the pictures myself.
Switching apps and general usage of the phone OS makes a good impression. Not as good as current ubports, but a lot better than OpenMoko in its best days.

Wifi and bluetooth

Unfortunately the phone froze during the initial setup when trying to connect to the office wifi. After a reboot, I removed the wifi in the settings, and connected again. This time it appeared to connect, but it didn’t get an IP address, and thus I was unable to fetch anything from the internet. At home, connecting to the wifi worked as easily as with every other device.
I talked to a sysadmin, and he told me there is nothing special with the company wifi. But he told me that the signal strength is not great everywhere. So I went straight to the physical wifi router. In close proximity, the phone connected successfully, and I was able to browse the web. This is probably the reason there was something about antenna optimization in the description of a later batch.
The bluetooth configuration doesn’t work at all. But the phone is discoverable, and when another device wants to pair, it displays the code to compare. The other device then reports success. But so far I was not able to make use of bluetooth with the device. Bluetooth audio is one of the sore points with my current ubports phone. It used to work perfectly for a long time. But then I got an update last winter that crippled bluetooth functionality. For almost a year already, I could receive calls in the car, but after one second the audio connection breaks every time. It was one of my biggest hopes that bluetooth hands free in the car would work out of the box with the Librem 5.
I haven’t tested mobile data connection yet. This is because I rarely buy mobile data. I have wifi at most places I go. My car has an internet connection and a browser which is enough for on the way. The only time I really need mobile data is when I want to pay with Bitcoin in a restaurant, and no friend is with me who can set up an access point on his phone.

Text messages

Sending a text message worked on the first try. Only the integration with the address book still needs to be improved. Speaking of the address book, I haven’t found out yet how to synchronize or import my contacts.
So far I didn’t receive any text messages. I strongly suspect that at least some should have come my way in the last couple of days. I tried testing it myself with LnSms, but it didn’t arrive. This is possibly due to a bug with non numeric senders. But that I didn’t receive regular text messages is bothering me. A friend sent some to me for testing, and none arrived.

Phone

Even before I wanted to place a call, I read in the forum that there is a problem with audio routing. I didn’t even get that far. I cannot initiate a call, because below the dial buttons there is a message warning me that there is no voice-capable modem. Somewhere in the bug tracker I found a post that claimed that it should be possible to work around this by killing the cally app five times in a row. That didn’t work for me. So if this smart phone is no phone yet, I hope that it is at least smart 😉

Browser

It is not the best browser that exists for phones, but it works well enough for everything I tried so far. For sure it is better than the browser in the Tesla.

Settings

The settings pages look very familiar. In fact they are the same as in any modern Gnome desktop operating system. Some pages are too big for the screen, and some don’t make much sense for a phone, while some phone specific settings are missing. I already installed the first update, although I don’t know what it actually contained.
The audio page reveals that there are lots of audio devices. I went through them all, and clicked the test sound button, but I couldn’t hear any sound coming from the device.

Terminal

A Linux smart phone needs a terminal. The Librem 5 comes with Kings Cross pre-installed. The terminal app itself looks quite good. But the virtual keyboard is lacking arrow and tab keys which are extremely helpful when working with a terminal.
I was delighted to find out that unlike with ubports, you can hack around with the actual system, and the packages seem to be apt based. I never liked click, snap or Flatpak. Apt is my favorite package format.

Clock

For the first three days, after every reboot, the system date was reverted to February 2019. This rendered all TLS certificates issued after this date invalid. Thus preventing me from upgrading the system until I manually fixed the date every time. I am not sure what I did yesterday, but I suspect that I re-enabled automatic time synchronization just AFTER correcting the date. Since then, the system time is correct IF the phone has an internet connection. It is not yet synchronized from the cell phone network, or preserved across reboots.
For the last 20 years I used my phone to wake me up in the morning. Some phones also worked when switched off, while others had to be enabled to reliably wake me up. In the settings of the Librem 5, I can set multiple alarm clocks, and specify how to repeat and on which days of the week. So far so good, this is on par with most phones. Problem is, when the time comes, no sound emits from the device, and not even a reminder is visible on the screen.

Battery life

Whether the screen is on or off doesn’t seem to make a difference. The device gets very, very hot. It is no surprise that the battery doesn’t last very long. It doesn’t even last an hour. So I just have to switch the phone off while it is not being used and not plugged in. People at Purism are working to tweak the kernel to dial down the frequency, switch off cores, and put the CPU to sleep when not in use. I hope they assign this issue a high priority.
Charging time when the phone is turned off is ok. But when it is turned on, I don’t really know if it is slowly charging or slowly discharging. That is with the provided charger. Be careful where you plug in the phone for charging!
When I plug in the phone to my notebook, the notebook often loses internet connectivity. I didn’t investigate why yet. Maybe it adds another connection and assigns it priority in the routing table. I will try with a USB condom and see how that goes…. Indeed, no problem so far if I use a USB condom.
When I plug in the phone to the USB ports in the car, I often get a warning on the dash that there is a problem with the touch screen. The big screen in the middle of the car still updates, but it no longer processes touch inputs. I then have to unplug the phone and reboot the MCU. I’m not sure if the phone registers as an HID device, draws too much power or interferes in another way.

Apps

The phone comes with the following apps pre installed: phone, messages, browser, contacts, clock, settings, help, terminal, software, text editor
Anything can be installed from the software app or at the command line from the apt repository, but so far I have mostly installed command line applications. I suspect most regular desktop applications don’t behave well on a phone. I am not aware of a list of applications that run well on phones. And I don’t think there are a lot of apps that were developed specifically for this device other than the apps from Purism themselves.
As a test I installed my favorite desktop Bitcoin wallet: Electrum. Unfortunately it didn’t start. At the command line I saw an error about something missing to bridge Qt5 to Wayland. So far I didn’t investigate much further.
After using ubports for the longest time, I am used to most apps not being available to me, so the whole app thing is no big deal for me.
What I miss most on my current ubports phone is a decent Bitcoin wallet. As long as there is none, at least a QR code reader would be cool. This would be necessary if I want to use a web based wallet.

Conclusion

I hate to say it, but in its current state, this phone is even less usable than both my previous Linux phones in their initial condition. The previous phones improved quickly and got more or less usable. I abandoned the OpenMoko after half a year, because it was just not reliable enough as a phone, especially the audio in calls. The Ubuntu Touch phone on the other hand has been my daily driver for almost five years.
Maybe I am too optimistic in wanting to use the Librem 5 as my main and only phone from the start. Let’s see how things progress from here… With some software updates I hope it will become the phone that I want to use for the next five years.
I hope I didn’t discourage anybody from ordering a Librem 5. If you want a phone that preserves your dignity, this is pretty much the only option at the moment. And I am sure it will improve.

Flying AdHoc Network

The first time I heard about FANET was at a gathering of some paragliding friends last year. They mentioned that they can display each other’s position on their flight computers. While that sounds cool, I don’t often get to fly cross country any more. Thus this feature was not of particular interest to me. Then some months ago I read an article about the Skytraxx 3.0 in a paragliding magazine. It was mainly focused on the built-in database of aerial obstacles, namely dangerous cables. But it also mentioned that weather stations could broadcast wind information on FANET, which the flight computer would then display in real time. Now that was more interesting to me. The part I like the most about the FANET technology is that it is an open LoRa mesh network. I watched a video where the developer explained that it is even possible to transmit landing procedures based on wind direction to be displayed on the flight computer. Furthermore, pilots can send messages to each other, and change the mode from “flying” to “retrieve car” or “need a ride”. All of this together was too much to ignore.
While FANET was developed by Skytraxx, it is an open protocol, and other companies started including support for it in their devices. The Skytraxx devices that come with FANET also include FLARM. FLARM started as a collision avoidance system for sailplanes. But in the meantime, most light aircraft are equipped. Devices for paragliders only transmit to FLARM. They are unlikely to crash into one another due to the slow speed. But by transmitting their position, faster aircraft can be warned soon enough about their presence. Like FlightRadar for big airplanes there is GliderNet based on FLARM and SkyNet based on FANET. These sites are fed by ground stations that decode the signals broadcast by the aircraft. All you have to do in order to appear on these sites is register with the Open Glider Network. If you register in addition with LiveTrack24 and link your OGN registration (the FLARM id), then your flights are automatically archived. What I like most about this is that I can give the URL to my loved ones. If I’m not home in time, they can check if I am still airborne, and where my last recorded position was. So in the improbable case of an accident, they could send search and rescue in the right direction.

When a product is better than the description

When I was a kid I liked wrist watches from Casio. I had one with a calculator, one with an address database, one with an infrared remote control and one with an altimeter. But for the last 25 years I didn’t wear one. I don’t like to wrap anything around my wrist. And since I carry a phone, I have a way to find out what time it is.
When friends and neighbors started wearing fitness trackers, I thought I don’t need that. When I went running, I did it for my personal fitness, not to compare to somebody else. And I can care about my fitness without a device telling me to walk some more before going to bed. When my wife wanted to gift me a step counter for my birthday a couple of years ago, my response was: thanks, but no thanks. I have no use for a step counter.
Sometimes I brought my phone when I went running to record the GPS track just to try. Some co-workers upload all their activity to Strava, and claim “if it’s not on Strava, it didn’t happen”. Not so for me.
Since I started carrying my ultra light paraglider for run and fly, I took the phone with me more often. In the backpack it disturbs less than in the shirt. The main reason for carrying the phone was to be able to call for help in an emergency. And when I brought the phone with me anyway, I could just as well run the tracker app on it. But unfortunately it didn’t work very reliably. When the screen was off, it stopped tracking, and when the screen was on, it often registered fingers that weren’t there. So it happened often that it stopped tracking after a while, or deleted the track entirely. Sometimes I had a ton of apps open after running and I didn’t know what else happened to my phone. But still, with the few tracks that recorded at least the uphill running part, I could see my progress on that segment. That turned out to be more interesting than I anticipated.
So when my wife recently wanted ideas for my birthday, I told her “a cheap wristwatch with GPS tracker, that works without a crappy lock-in smartphone app”. My absolute nightmare is to have a closed source device that tracks my every move, where I have no control over the data it collects. Worst of all, it would become useless when the manufacturer decided to stop maintaining the app. I don’t want devices with planned obsolescence. Of course I had to do the research myself. On the product page they only mentioned their iOS and Android apps, which are of no use to me. I noticed a while ago that there are some packages in the Debian repo for Garmin Forerunner devices. Further research brought me to quite complicated methods to get the data from these watches. But then I found a page that stated that when you plug in the watch with its USB cable to a computer, it mounts a filesystem and you can just copy the activity files. If it is really that easy, then I really don’t understand all the fuss. Everything seemed to indicate that all Forerunner watches come with a USB cable for charging the device that also acts as a data cable. It is beyond me why they don’t mention that explicitly on the product page. So, for my purposes a relatively cheap Forerunner 30 or 35 should be just fine.
And so I got one for my birthday from my wife. It even has a heart rate sensor that I wouldn’t need. And indeed, just plugging it in with the USB cable, I can grab the fit files and either upload them directly to Strava, or convert them to a more common format using gpsbabel.

Bitcoin Advanced Course by 21lectures

Last week I attended a Bitcoin Advanced Course that was hosted by 21lectures. Lucas who is also the president of the Bitcoin Association Switzerland initially wanted Jimmy Song to teach his Bitcoin courses also in Switzerland. But when that didn’t work out, he decided to build the classes himself, with the help of great quality teachers and developers from the local community.
To guarantee fruitful interaction, the groups are kept small. But when I arrived, the group was even smaller than I expected. What surprised me even more, was that a good portion of the students came to Zurich from other countries especially for this course.
The biggest part of the course was taught by James Chiang. He is preparing a bigger course that he will host online. It consisted of theory and practical exercises.
Setting up the environment for the exercises proved to be almost as challenging as the hardcore crypto theory.
For me, the most interesting part was the last day, which was about the Lightning Network. As it is still new technology that is in heavy development, there is not a lot of learning material around. All the more valuable was the first hand information we received from Christian Decker.
An important part of the whole experience were the lunches. Most of the time, the teachers joined, so that we could ask additional questions and have interesting discussions.
If you are interested in Bitcoin and programming, I can definitely recommend this course.

A somewhat interesting aspect was also how to get to Zurich. Downtown parking during office hours is really expensive, and there can be traffic jams. The venue was very close to the main train station. So it would appear to be reasonable to get there by train. But a return ticket for one day costs CHF 56. Lots of Swiss people have a half price card for public transport. They changed their terms a couple of years ago. I made the mistake of reading the new terms and discovered that they are really not acceptable. So I drove there by car, which cost CHF 4.15 for the electricity and CHF 36 for the parking. Still a lot, but also a lot cheaper than by train.

CppOnSea

I meant to write about CppOnSea for a while. The event is already a month in the past. So I better write down my impressions as long as I can remember anything. My comments will probably be shorter than had I written it down earlier.
Last year I learned from a podcast about a new C++ conference in Great Britain. It made a good first impression. As the details trickled in over the course of the ensuing months, I started to think it would be worth visiting.
When I asked around in the office who would join, I got only one positive answer. Reaching the venue by plane would not only be impractical, but I also didn’t really want to pollute the atmosphere. So I proposed to drive there with my electric car.
I checked the weather in advance, since what I wanted the least, was driving through a snow storm for a whole day. Exactly the night before we left, we had a good portion of fresh snow. As it was even on the highway, we made rather slow progress in the first two hours. The rest of the trip was uneventful, with the exception of having to drive over a small pass because a tunnel was closed in the Elsass. We took the tunnel below the channel. It is different than riding through the Swiss mountains on the back of a train, but not too much different. We arrived late in the evening at a nice old hotel on the cliff right next to the event hall where the conference was going to be. The breakfast was a lot better than what I remembered from previous stays in the UK.
A baroque event hall built right into the cliff served as the venue for the conference. During the breaks we had a nice view onto the sea, and sometimes we had the impression we could see France on the other side.

Opening Keynote: Oh The Humanity

The opening keynote was funny and entertaining. That is all I remember.

Postmodern immutable data structures

The speaker presented his library for immutable data structures. They enable a more functional style. It sure has something to it, but I don’t see a use case in anything that I am currently involved in.

What I Talk about When I Talk about Cross Platform Development

He had a much broader scope than what I considered so far. It is interesting to know, but I don’t think I will use any of it in the foreseeable future. But it triggered me to think about using emscripten again.

Better Tools in Your Clang Toolbox: Extending clang-tidy With Your Custom Checks

I have known and sporadically used clang on Linux for some years. But even though it is a great compiler I didn’t use it too much because you would have to compile everything yourself, rather than using dependencies from the apt repository. Also I knew that clang is shipped with Visual Studio, but only for cross compiling to ARM. What was new to me is that you can also compile (but not link) regular desktop applications on Windows, with some work even MFC applications. This in turn allows the usage of clang-tidy, which a good portion of this talk was about. What was also new to me is that the MSVC compiler switch /permissive- causes Visual Studio to use a completely new compiler that is no longer built with YACC, but is much more standards compliant. This better compiler introduces breaking changes to old code. That is why we didn’t use the flag so far. But I think it would be good to slowly introduce it module by module. This way we could sanitize the codebase, and maybe later start using the clang tools.

Deconstructing Privilege

This one was in the main hall, and for all attendees. It had nothing to do with C++ or with programming per se. It was more about social interactions with minorities. I still don’t know why there was such an emphasis on this topic. But it seems to be a phenomenon at lots of IT conferences lately.

The Hitchhiker’s Guide to Faster Builds

Building the CAD I am working on can take up to an hour if I build only locally. Over the years we optimize the precompiled headers from time to time, but also the linker takes a lot of time. So this was especially interesting for me.
The speaker ran through an extensive list of approaches to reduce build times. Lots of it was not applicable for us, or too esoteric. But one main takeaway was that I should look into union builds. He mentioned cotire to help with that. When we switched to cmake a couple of years ago, I tried to use cotire to simplify the handling of precompiled headers, but couldn’t really get it to work. Maybe it is time to revisit it.

Diffuse your way out of a paper bag

This one was entertaining, but I didn’t learn much from it, except for the British humor.

A linear algebra library for C++23

In a way it is surprising that C++ has no linear algebra library standardized by now. Because of this many independent libraries exist, and many companies wrote their own implementations. This could lead to the conclusion that it comes too late. But I was delighted to learn, that the proposed library mixes well with existing libraries and data structures. So we will see how much of it we end up using when it is finally released.

Sailing from 4 to 7 Cs: just keep swimming

This one was about tooling. Nothing that I think will be applicable for us.

Keynote: What Everyone Should Know About How Amazing Compilers Are

This one was informative and entertaining. He had many good examples of how amazingly good modern compilers are at optimizing our code, and work around bugs in certain CPUs. This video is worth watching even if you don’t work with C++.

Why I deactivated Tesla app access

The official Tesla App is unfortunately not available for Ubuntu Phone. And there is no indication that it will be on my next phone, the Librem 5 from Purism. On the bright side, from the computer I can control my car using the VisibleTesla desktop app running inside a Docker container. But the best part about remotely controlling the car is that the API is publicly documented. Bindings are available for most scripting languages. That allows me to control the car from my Ubuntu phone at the command line. It also allows me to run a cron job to preheat the car before I drive to and from work. It also allows me to precisely track how much electricity I charge, and where. It also allowed us to open the doors directly from an Ethereum smart contract at Hack4Climate. And it allowed me to implement a cool live tracking for our summer holiday road trip. The possibilities are endless.

All my scripts authenticate using a token that is said to expire after 90 days. I set up my scripts so that I can enter my password to get a new token. And then the new token is used from there. Usually I enter the password on a maximally secured system, and then copy the file containing the access token to the other systems. That is because I saw in the API documentation, that remote starting the car requires the password explicitly. So if a hacker gained root access to my server or my phone, he could open the doors, but not drive away with my car.

When I first discovered that the Tesla account is secured only with a password, I was bewildered. I mean, this account is essentially a virtual key to my car. Everything that secures something with a value above a few hundred bucks has used two factor authentication for many years. Having been in the Bitcoin space for some time, cyber security is very important for me. I refuse to use software based 2FA, instead I insist on hardware solutions. I have used a USB dongle with a secure element to manage my GPG keys for a long time. I use FIDO U2F wherever I can. Most of my crypto currency holdings are secured by multiple hardware wallets. I switched my bank, because the former used text messages as second factor. And now, I find out that the most expensive thing that I bought in my entire life is secured with only one factor. Wow! That was shocker No 1! So I picked a very long and hard to guess password. I didn’t store it anywhere. I am very cautious about which devices I even type it on. But still I was uneasy about it all along.

Last week some of my scripts started reporting errors. As expected, an access token had expired. But I failed to get a new one by entering the password. So I tried logging in on the Tesla website. What I got to see was a message that my account was blocked due to too many invalid login attempts. There was a button to reset the password. The result of that reset request was an eMail in my inbox with a link to a web form, where I can enter a new password. Hey, but wait a second. That eMail was NOT encrypted! Even if the link is only valid for a few minutes, everybody who sees it could take over my Tesla account, and steal my car. Seriously? That was shocker No 2!!! If a hacker gained access to my eMail account, he could even delete the mail, and I would have no idea what’s going on.

I have regarded unencrypted eMails as an insecure means of communication for many years. And I thought that was common sense. For increased security, I run my own mail server. But my ISP added all the dynamic IP addresses to a spam list, and wants me to pay for an expensive business account in order to have eMail work well. Hence I use an externally hosted eMail address most of the time, also for my Tesla account. So I wanted to quickly verify the security of that mail account. And while I’m at it, change the password to a more secure one. But the first surprise came in the form of the customer login to the management system. It was HTTP only. No way to enter the password without running the risk of it being eavesdropped on. Seriously? That was shocker No 3!!!

Sure, it’s easy to blame my eMail provider, or me for selecting it. In reality it used to be hosted with another company that was later acquired. That just highlights the fact that it is outside of your control. Email is not secure, and should not be used to transmit sensitive information, unless it’s encrypted – Period! I read about hacked eMail accounts and account takeovers every week. Lots of websites require some security questions in order to unlock an account. That’s better than nothing, if there is not a lot at stake. But if an account controls anything of value, solid 2 factor authentication is a must. Even if the mail account offers FIDO U2F, I wouldn’t trust it with my car. For example Gmail offers U2F. But guess what happens when you log in with a browser that has no support for it. Yes right, convenience gets priority over security.

Account Recovery Exploitation is a known problem. Let me quote a paragraph from an article by Yubico, “5 Surprisingly Easy Ways Your Online Account Credentials Can Be Stolen”:

Due to the large scale of users for many services and the general desire to keep support costs low everywhere, account recovery flows can be much weaker than the primary authentication channel. For example, it’s common for companies deploying strong two-factor authentication (2FA) solutions as their primary method to leave SMS as a backup. Alternatively, companies may simply allow help desk personnel to reset credentials or set temporary bypass codes with just a phone call and little to no identity verification requirements.
Services implementing 2FA need to strengthen both the primary and the recovery login flow so that users aren’t compromised by the weaker path.

Unfortunately, both the primary and the recovery login flow of the Tesla account are incredibly weak. As much as I love the cool and convenient features from remotely controlling my car, I disabled app access in the settings screen of the car. I would like to re-enable it very much. But only once I can trust the security of it again.
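The weaker-path problem from the Yubico quote, shown as an added example that is not from the original post or from Tesla: a hypothetical reset service where the mailed link alone completes the reset, next to a variant that also demands a one-time code from a device the owner holds. The class names, the 10-minute link lifetime and the use of RFC 6238 codes as the possession factor are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

RESET_TTL = 600  # seconds a mailed reset link stays valid (assumed value)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA1), as produced by hardware OTP tokens."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    def __init__(self, email: str, password: str, otp_secret: bytes):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.otp_secret = otp_secret
        self.reset = None  # (sha256 of mailed token, expiry time) or None

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password: str) -> None:
        self.pw_hash = self._hash(password)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, self._hash(password))


class RecoveryService:
    """Hypothetical reset flow; require_second_factor=False is the weak path."""

    def __init__(self, require_second_factor: bool):
        self.require_second_factor = require_second_factor
        self.accounts = {}

    def register(self, account: Account) -> None:
        self.accounts[account.email] = account

    def request_reset(self, email: str, now: int) -> str:
        """Return the token that would be mailed; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.accounts[email].reset = (digest, now + RESET_TTL)
        return token

    def complete_reset(self, email, token, new_password, now, otp=None) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.reset is None:
            return False
        digest, expires = acct.reset
        presented = hashlib.sha256(token.encode()).hexdigest()
        if now > expires or not hmac.compare_digest(digest, presented):
            return False
        if self.require_second_factor:
            expected = totp(acct.otp_secret, now)
            if otp is None or not hmac.compare_digest(expected, otp):
                acct.reset = None  # burn the link: one code guess per mail
                return False       # reading the mailbox alone is not enough
        acct.reset = None          # single use
        acct.set_password(new_password)
        return True
```

With `require_second_factor=False`, anyone who can read the reset mail owns the account; with it enabled, the same intercepted link is rejected and invalidated.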

I read many times how important security is for Tesla. And how fast they respond to fix vulnerabilities. But then I found numerous reports of people complaining about the very same problems from FOUR years ago: 1 2 3. Sure, security means different things to different people. I’m grateful to the engineers who make sure, I don’t get killed in the car. But I also don’t want my car to get stolen or broken into so easily. When discussing this topic on a forum, one guy stated he doesn’t want to carry a secure hardware device the size of a key, and that he doesn’t care if his car is stolen. He has insurance. I have insurance too, but still don’t want to go through that experience.

Now, if you read this far and have a Twitter account, may I ask you to visit https://www.dongleauth.info/#iot, and click the button next to Tesla?

The mother of all hackathons

I just returned from #hack4climate. Even if it was just my third hackathon, I can state with certainty that this one was unlike any other. None of the 100 hackers from 33 countries had experienced anything remotely comparable before.

The topic of the event was to develop solutions how blockchain technology can help fighting climate change.

First let me explore how the event differed from other hackathons. The hacking session was 24 hours, but the whole event lasted four full days. There were pre-workshops around the world. 100 participants were selected and invited to Bonn. Travel expenses were covered. We stayed on a five star hotel ship. It was adjacent to the UN climate conference. We had balcony suites on the ship. The food was appropriate for a 5 star ship, complete with wine at every dinner. The days before and after the hacking session were filled with interesting talks, a guided city tour, interesting discussions and lots of networking. There were so many interesting people and so much to talk about. On the last day they wanted to take a photo of us on the boat in front of the UN building. Drones were forbidden in the security zone, so the photographer rented a crane to get the perfect shot.

I knew nobody from the event in advance. But I knew that out of the sub topics, I was most interested in “sustainable transportation”. At the team building session, I headed straight to the guy with the most interesting pitch that contained something about cars. Our team was formed soon after, and I had a good feeling from the start. Two were from Singapore who already knew each other. Two were from India, one living in San Francisco and the other in China. And one was also from Switzerland, but we didn’t know each other before.

When the hack session started on Tuesday at noon, we shaped our rough ideas into a project that we could realize in the short amount of time. Then everybody stated what he would like to do. It all seemed to fit together wonderfully. I wanted to implement the smart contract. I didn’t have much experience in that area, and was grateful that the others could help me and answer my questions. Rather than drawing large diagrams, we collaborated on the interfaces, and then worked towards these. We didn’t hit major roadblocks or problems, everything seemed to fall into place. Most of us agreed that we are not productive after 2AM and that it is better to get some hours of sleep. In the morning we went out to shoot a video of our product in action. The guys from SBB (which was a sponsor of the event) were around us most of the time. They helped where they could, and were generally very interested and engaged. We had many great discussions with them.

Our project was about end to end transportation. On the mobile app, you select a destination, and it identifies legs to use different means of transportation. We focused on car sharing, but other options include trains, bikes or buses. Our smart contract abstracts a car that can be rented over the Ethereum blockchain. The owner of the car registers it by creating an instance of the smart contract. A person who wants to rent it can do so by sending ether. The required amount is determined by the price per km the owner wants, times the number of km the renter wants. If he doesn’t use up the credit, the rest is reimbursed at the end of the trip. But if he drives too far, the car’s performance is degraded by the smart contract. The car was represented by a Raspberry Pi running an Ethereum node and our backend running on Node.js. Initially opening the car was indicated by an LED attached to the RPI. But to make it more realistic, the RPI then called the Tesla API to open a real car. At the end of the trip the RPI collected information about the car such as odometer and battery level as well as firmware version, stored it on the IPFS and registered the IPFS address with the smart contract to form an unfalsifiable audit trail. Last but not least, one of our team members used data from moving cars and turned it into an appealing 3D animation that highlights the hot spots in a city.
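The rental logic and audit trail described above, as an added Python model that is not the team's contract code: prepayment of price per km times km, refund of unused credit, the over-distance flag, and a trip record registered by its content digest so later tampering is detectable. All names are assumptions, and a SHA-256 over canonical JSON stands in for the IPFS address.

```python
import hashlib
import json


def record_digest(record: dict) -> str:
    """Content address of a trip record: SHA-256 over canonical JSON.
    Stand-in for an IPFS address, which is likewise derived from the content."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class CarRental:
    """Model of one rentable car; amounts are integers in wei."""

    def __init__(self, owner: str, price_per_km_wei: int):
        self.owner = owner
        self.price_per_km = price_per_km_wei
        self.renter = None
        self.credit_km = 0
        self.deposit = 0
        self.start_odometer = 0
        self.balances = {}     # amount each party may withdraw
        self.audit_trail = []  # digests registered at the end of each trip

    def rent(self, renter: str, km: int, value_wei: int, odometer_km: int) -> None:
        if self.renter is not None:
            raise ValueError("car is already rented")
        if km <= 0 or value_wei != km * self.price_per_km:
            raise ValueError("payment must equal km * price per km")
        self.renter, self.credit_km = renter, km
        self.deposit, self.start_odometer = value_wei, odometer_km

    def is_degraded(self, odometer_km: int) -> bool:
        """True once the renter has driven past the prepaid distance."""
        if self.renter is None:
            return False
        return odometer_km - self.start_odometer > self.credit_km

    def end_trip(self, record: dict) -> str:
        """Settle from the car's report and register the report's digest."""
        if self.renter is None:
            raise ValueError("no active rental")
        driven = record["odometer_km"] - self.start_odometer
        if driven < 0:
            raise ValueError("odometer went backwards")
        fee = min(driven, self.credit_km) * self.price_per_km
        refund = self.deposit - fee
        renter = self.renter
        # Clear the rental state before crediting anyone, so a repeated
        # call cannot settle the same deposit twice.
        self.renter, self.deposit, self.credit_km = None, 0, 0
        self.balances[self.owner] = self.balances.get(self.owner, 0) + fee
        self.balances[renter] = self.balances.get(renter, 0) + refund
        digest = record_digest(record)
        self.audit_trail.append(digest)
        return digest

    def verify(self, trip_index: int, record: dict) -> bool:
        """Check a record fetched from storage against the registered digest."""
        return self.audit_trail[trip_index] == record_digest(record)
```

The audit trail only proves that a stored record is the one the car reported; it says nothing about whether the car's own readings were honest.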

We were thrilled all along, even more after all the positive reactions to our presentation. And hooray, we made it into the finalists! That meant we could present our project at the COP. That’s the fair for NGOs which is attached to the UN climate conference. The team that won the hackathon did so deservedly. Their project was about incentivizing land owners not to cut their trees. They used blockchain and game theory for the monetary part. In addition they trained a neural network to predict areas which are most endangered by deforestation, and need special attention.

A first official video appeared here, and I’m sure others will follow on the official website.

Update Dec 16 2017

The official after movie of #hack4climate was released:
https://youtu.be/UOANny6i0QM