June 9, 2012

## Cryptography, Secure Passwords, and why I’m no longer on LinkedIn

So you might have read about the recent leak of 6.5 million LinkedIn passwords onto the internet. This comes at a fitting time for me since, having just completed the Udacity CS387 Applied Cryptography course, I’ve developed a new love for all things cryptographic (in fact, I have some interesting ideas for a crypto-spatial library – encoding secret messages in the coordinate values of geographic instances – but that’s for a separate post).

Rather than just rely on the newspaper reports of the leak, I thought I’d practise some of my newly-acquired cryptography knowledge by examining the set of leaked passwords first-hand. It didn’t take long to acquire the 118 MB combo_not.zip source file – I’m not going to post a direct link here, but I’m assuming you know how to search the internet, right? The file contains the leaked LinkedIn passwords not in plaintext, but hashed using the SHA-1 algorithm, with no salt. This means that, while you can’t read the passwords off the list directly, it’s very easy to check whether a particular password is on it: generate the SHA-1 hash of that password yourself and test whether that hash appears in the file. Because there is no salt, a single hash computation checks one guess against every account in the file at once.

There’s one other thing to note, which is that the first five hex characters of many (if not most) of the hashes in the combo_not.zip file have been overwritten with five zeroes: ‘00000’. So, although the SHA-1 hash of the password “password” is not listed:

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

The following hash is on the list:

000001e4c9b93f3f0682250b6cf8331b7ee68fd8

Anecdotal evidence suggests that “00000” is a marker to indicate that this password has already been cracked by the hackers (which, if you set your password as “password”, it probably deserves to be!).

So, first things first, I wrote a small Python program to check whether the hash of any given plaintext password was included in the datafile, either in its original hash form or in the overwritten form:

```python
import hashlib


def check(filename, pass_to_search):
    """Test for occurrence of password hash within the file.

    Matches either the original hash or the form in which the first five
    hex characters have been overwritten with '00000'.
    """
    masked = '0' * 5 + pass_to_search[5:]
    with open(filename) as datafile:
        return any((pass_to_search in line or masked in line) for line in datafile)


# Create the hash of the password to check
hashed = hashlib.sha1(b"secretpassword").hexdigest()

# Look for the hash in the LinkedIn datafile
if check('combo_not.txt', hashed):
    print("password hash found!")
else:
    print("password hash not found.")
```

Running this script reveals that, indeed, at least one LinkedIn user has chosen “secretpassword” as their password. To test other passwords, just replace the “secretpassword” string passed to hashlib.sha1(). Other secure passwords chosen by LinkedIn users that you can find in the file include “abc123”, “mylinkedinpassword”, “opensesame”, “startrek” and “bigcock”.

Google recently ran the ad campaign shown below to encourage users to pick better passwords. Probably best not to copy Google’s suggestion on this issue either – 2bon2btitq appears on the list of leaked passwords too:

Concerningly for me, my own password (which is semi-random, alphanumeric, and over 10 characters in length) also features on the list, and appears to be one of those that has been cracked. I briefly contemplated the advice to reset my LinkedIn password but decided it would be more effective to simply cancel my LinkedIn account altogether. Any organisation that can’t take even basic steps to protect my information such as salting hashes isn’t worth dealing with. Perhaps they should subscribe to the next Udacity cryptography course to find out more…
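To make two of the points above concrete, the ‘00000’ lookup and why salting matters, here is an added example that is not part of the original post. It builds a tiny dump in the combo_not.txt layout from passwords hashed by the script itself (constructed data, not lines from the real file), indexes it by the 35 hex characters that survive the overwrite, and runs a four-word wordlist against it: one SHA-1 per candidate finds every matching account at once. It then does the same against records hashed with a per-user salt (a scheme chosen for the illustration, not anything LinkedIn used) to show that the same wordlist has to be re-hashed for every account. The function names, the sample passwords and the fixed salts are all assumptions of the example.

```python
import hashlib


def sha1_hex(password):
    """Unsalted SHA-1 of a password, as lowercase hex (the LinkedIn scheme)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mark(hexhash):
    """Overwrite the first five hex characters with '00000', as in the dump."""
    return "00000" + hexhash[5:]


# Constructed sample in the combo_not.txt layout (one hex SHA-1 per line).
# Not lines from the real dump: two hashes carry the '00000' marker, one is
# untouched, and the last is a passphrase the wordlist below will not contain.
SAMPLE_DUMP = "\n".join([
    mark(sha1_hex("password")),                       # marked
    sha1_hex("abc123"),                               # unmarked
    mark(sha1_hex("secretpassword")),                 # marked
    sha1_hex("correct horse battery staple rev 7"),   # not in the wordlist
]) + "\n"


def load_dump(text):
    """Index the dump by the 35 hex characters that survive the '00000'
    overwrite, so one lookup finds a hash in either form.  Maps that suffix
    to the set of full 40-character lines in which it was seen."""
    index = {}
    for line in text.splitlines():
        h = line.strip().lower()
        if len(h) != 40:
            continue                      # skip blank or malformed lines
        index.setdefault(h[5:], set()).add(h)
    return index


def crack_unsalted(index, wordlist):
    """Unsalted hashes: each candidate is hashed exactly once and checked
    against every account at the same time.  Returns (password -> 'marked'
    or 'unmarked', number of hashes computed)."""
    found = {}
    for pw in wordlist:
        h = sha1_hex(pw)
        hits = index.get(h[5:])
        if hits:
            found[pw] = "marked" if mark(h) in hits else "unmarked"
    return found, len(wordlist)


def salted_sha1_hex(salt, password):
    """SHA-1 over a per-user salt followed by the password (illustrative)."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def crack_salted(records, wordlist):
    """records: list of (salt, hexhash).  With a per-user salt the same
    password hashes differently for every user, so the wordlist must be
    re-hashed per record.  Returns (hexhash -> password, hashes computed)."""
    found = {}
    work = 0
    for salt, target in records:
        for pw in wordlist:
            work += 1
            if salted_sha1_hex(salt, pw) == target:
                found[target] = pw
                break
    return found, work


# Fixed salts so the example is reproducible; a real system would draw
# os.urandom(16) per user and store the salt beside the hash.
SALTED_RECORDS = [
    (b"salt-for-user-1", salted_sha1_hex(b"salt-for-user-1", "password")),
    (b"salt-for-user-2", salted_sha1_hex(b"salt-for-user-2", "password")),
    (b"salt-for-user-3", salted_sha1_hex(b"salt-for-user-3", "letmein")),
]

WORDLIST = ["abc123", "password", "letmein", "secretpassword"]

if __name__ == "__main__":
    found, work = crack_unsalted(load_dump(SAMPLE_DUMP), WORDLIST)
    print("unsalted: %s after %d hashes" % (found, work))
    found, work = crack_salted(SALTED_RECORDS, WORDLIST)
    print("salted:   %s after %d hashes" % (found, work))
```

Four hashes are enough to recover three of the four sample accounts from the unsalted dump, while the salted records need the wordlist re-run per user (seven hashes here, and the two users who chose “password” end up with different hashes). A salt only removes that shortcut, though: SHA-1 itself is fast enough that an attacker can still try billions of guesses per second against each salted hash, which is why a deliberately slow password hash such as bcrypt, scrypt or PBKDF2, with a per-user salt, is the usual recommendation.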

April 18, 2012

## Further Education (or, get yourself free university-level computing knowledge)

The notion of “Online distance learning” conjures up many different associations. The Open University, for example, is (rightly) regarded as a world-leading educational establishment, and has been offering distance-learning degree courses to students since 1971. OU Lectures, originally broadcast on BBC2 in the middle of the night, are now commonly distributed over the internet. At the other extreme, there’s the non-accredited American College of Holistic Nutrition – the institution from which disgraced TV nutritionist “Dr” Gillian McKeith claims to have received her PhD via the internet…

The first Open University lecture, broadcast on 3rd January 1971. Unusually, not hosted by a man with a beard.

Whereas the courses offered by the OU were always designed with distance-learning in mind, in recent years there has been growing momentum behind the idea of Open Courseware. Basically, this involves “regular” universities allowing their course materials to be downloaded by anyone over the internet, for free. And the idea has been taken up by some top-class (mostly American) institutions – M.I.T., Yale, and the University of Michigan, for example, offer a wide range of videos, downloadable lecture notes, and past exam questions that offer anybody access to the same material as if they were enrolled in that course in person. Click the links above to browse their course catalogues and learn something new today.

Whilst much of the OpenCourseware material is pretty amazing, it suffers from one problem, and that is that the courses are very one-directional. As an internet student, you sit and watch a pre-recorded hour long lecture video, but with no ability to interact with the lecturer. Although you can sit the exams, nobody will mark your paper (but you can get model answers and mark your own paper). And, even if you attend and “pass” all the required units, you won’t get any qualification at the end of it.

Or, will you?

Enter Udacity. Founded in January 2012 by Sebastian Thrun (Professor, Google Fellow, former director of the Stanford Artificial Intelligence Laboratory… amongst others), it offers free online computing courses. Where it differs from some Open Courseware courses is that the material has been explicitly designed to be studied over the internet. This means that the video clips are divided into nice short chunks, hosted on YouTube, and can easily be watched on a phone or tablet device, say. The Udacity courses use Python as their language of choice, but you don’t need to download any software to your computer – there’s an interactive, browser-hosted environment for you to write your code in. There’s a forum where you can discuss with other students enrolled on the course, and occasionally the lecturers will input there too. You don’t just sit and passively watch a video – there are plenty of interactive quizzes and homework assignments, and these are graded (albeit automatically). And, at the end of it all, you do get a certificate of completion of the course.

Sure, at the moment, a certificate from Udacity might not look so impressive as a degree from Stanford, but 5 years down the line I’m not so sure that will still be true. I’m enrolled on two courses at the moment, and I have to say that I think the quality of the material is fantastic.

If you have any interest in learning how to program, or learning to program better, I highly recommend you look at the courses they have available – the introductory level 1 course requires no previous programming experience, while the level 3 courses include Applied Cryptography and how to build a robotic car.

These clever men want to teach you how to program. For free. Why not let them?

March 25, 2012

## Fun with NFC Part Three – Make-your-own Sony Xperia SmartTags

(Before continuing, I should state that I am indebted to a reader, “James”, who provided the Sony SmartTag URIs in a comment to my previous post.)

My explorations into the world of NFC on my Android mobile phone continue. After initial disappointment at the pre-installed Sony Xperia SmartTags application (which is apparently unusable without Sony Xperia-branded SmartTags, which aren’t currently available in the UK), I then had moderate success with two alternative applications from the Google Play shop: NFC Task Launcher and NFC Quick Actions Free, which can both be programmed to perform a range of actions on your phone in response to scanning a custom NFC tag. Neither application was perfect for my purposes, but perhaps the most impressive feature about them was that, within a day of writing about them, I had direct communication with the developers of both applications. What’s more, both applications are clearly under active development and show lots of potential for the future, and I wish them both luck.

However, then came an interesting twist in the story, as “James” provided a key bit of information – the URL that is encoded on each of Sony’s Xperia SmartTags. With this knowledge, you can create your own SmartTags using any regular, generic NFC tag, saving yourself the ridiculously overinflated £15 price asked by Sony, and make use of the built-in SmartTags application in the process. Here’s how:

## 1.) Get some NFC tags

Head over to somewhere like http://rapidnfc.com/ and pick up four generic NFC tags. You can get wristbands/key fobs/stickers – whatever you want really. I’ve tried “ultralight”, “NTAG203”, and “1k” tags and they all seem to work fine with my Xperia S. Note that the SmartTags application only recognises four different tags, so there’s no point getting more than that (not for this exercise, anyway).

## 2.) Program the Tags

To simulate the different-coloured SmartTags, you need to write the corresponding URI to an NFC tag. The only slight problem is that, instead of a website address like http://www.example.com, the SmartTag URIs use a custom URI scheme, semc://, rather than http://.

Not all NFC writers are capable of writing URIs with a custom scheme. Unfortunately, neither NXP TagWriter nor NFC Quick Actions – the two applications I already had installed on my handset – is currently capable of doing so:

NXP TagWriter forces you to create a URL that begins with the http://www. prefix.

NFC Quick Actions will generate an error if you try to write a URL that does not begin with http.

Fortunately, there are still plenty of other alternatives, and the free NFC Tag Writer & Reader from Connecthings allows you to specify any custom URI you want. So, install and launch the application, and write the following URIs to each of your four NFC tags:

• Blue (Car) tag: semc://liveware/A1/1/NT1/1/smarttags1
• Red (Home) tag: semc://liveware/A1/1/NT1/2/smarttags1
• Black (Bedroom): semc://liveware/A1/1/NT1/3/smarttags1
• White (Office): semc://liveware/A1/1/NT1/4/smarttags1

## 3.) Assign actions to your new “SmartTags”

Now, return to the home screen and try scanning one of your newly-programmed “Smart” tags. The Xperia SmartTags application should recognise it and launch accordingly. You can then assign a set of actions that should be carried out every time each tag is scanned.

The range of actions that can be assigned using Sony’s SmartTags application seems pretty similar to those available in other NFC applications. The advantages of the SmartTags application are that it is free (unlike NFC Task Launcher) and supports multiple actions assigned to the same tag (unlike NFC Quick Actions). The biggest disadvantage, however, is that it only seems to recognise four unique tags. I did try programming the hypothetical next URI in the series, semc://liveware/A1/1/NT1/5/smarttags1, but, perhaps unsurprisingly, it wasn’t recognised.
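Whatever writer app you use, what ends up on the tag is a standard NDEF URI record, and the reason some writers cannot handle semc:// is visible in the record format: the first payload byte is an abbreviation code for a common prefix (0x01 stands for “http://www.”), and a scheme that matches no abbreviation has to be written with code 0x00 followed by the complete URI. The following Python is an added example, not code from this post or from any of the apps mentioned: it encodes each of the four SmartTag URIs above as a short NDEF URI record, wraps it in the TLV structure used on Type 2 tags such as Ultralight and NTAG203, and decodes it back. The prefix table is truncated to the first few codes of the NFC Forum URI record type definition, and the function names are the example’s own.

```python
# NFC Forum URI Record Type Definition: the first payload byte abbreviates a
# common prefix; 0x00 means "no abbreviation, the whole URI follows".  Only
# the first few codes are listed here; the full table is in the RTD spec.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}

TNF_WELL_KNOWN = 0x01


def encode_uri_record(uri):
    """Build one short NDEF record (MB, ME and SR set, TNF well-known,
    type 'U') carrying the URI.  A custom scheme such as semc:// matches no
    abbreviation, so it gets code 0x00 with the full URI as the payload."""
    code, prefix = 0x00, ""
    for c, p in URI_PREFIXES.items():
        if p and uri.startswith(p) and len(p) > len(prefix):
            code, prefix = c, p           # longest matching abbreviation wins
    payload = bytes([code]) + uri[len(prefix):].encode("utf-8")
    if len(payload) > 255:
        raise ValueError("payload too long for a short record")
    header = 0x80 | 0x40 | 0x10 | TNF_WELL_KNOWN    # MB | ME | SR | TNF
    return bytes([header, 1, len(payload)]) + b"U" + payload


def wrap_type2_tlv(ndef_message):
    """Wrap an NDEF message as stored on Type 2 tags (Ultralight, NTAG203):
    an NDEF Message TLV (0x03, length, value) followed by a Terminator TLV."""
    if len(ndef_message) > 254:
        raise ValueError("use the three-byte length form for messages > 254 bytes")
    return bytes([0x03, len(ndef_message)]) + ndef_message + b"\xfe"


def decode_uri_record(record):
    """Parse a short NDEF URI record back to its URI string.  Raises
    ValueError for anything that is not a well-known 'U' record, so a tag
    carrying some other record type is not silently mis-read as a URI."""
    header = record[0]
    if not header & 0x10:
        raise ValueError("only short records are handled here")
    if header & 0x07 != TNF_WELL_KNOWN:
        raise ValueError("not a well-known type record")
    type_len, payload_len = record[1], record[2]
    pos = 3
    id_len = 0
    if header & 0x08:                     # IL flag: an ID length byte follows
        id_len = record[pos]
        pos += 1
    rtype = record[pos:pos + type_len]
    pos += type_len + id_len              # skip the type and any ID field
    if rtype != b"U":
        raise ValueError("not a URI record")
    payload = record[pos:pos + payload_len]
    code = payload[0]
    if code not in URI_PREFIXES:
        raise ValueError("unknown or unsupported URI prefix code 0x%02x" % code)
    return URI_PREFIXES[code] + payload[1:].decode("utf-8")


# The four URIs from the post (supplied by reader "James").
SMARTTAG_URIS = {
    "blue":  "semc://liveware/A1/1/NT1/1/smarttags1",
    "red":   "semc://liveware/A1/1/NT1/2/smarttags1",
    "black": "semc://liveware/A1/1/NT1/3/smarttags1",
    "white": "semc://liveware/A1/1/NT1/4/smarttags1",
}

if __name__ == "__main__":
    for colour, uri in SMARTTAG_URIS.items():
        rec = encode_uri_record(uri)
        print(colour, wrap_type2_tlv(rec).hex(), decode_uri_record(rec))
```

Each SmartTag record comes out as D1 01 26 55 00 followed by the 37 bytes of the URI, which is what a tag dump from a reader app should show if the writer handled the custom scheme correctly; a writer that insists on http://www. would instead emit code 0x01 and a URI the SmartTags app does not recognise.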

As I said previously, both NFC Task Launcher and NFC Quick Actions seem to be under active development, and the discovery of how to make the SmartTags app work with generic NFC tags certainly doesn’t negate the possible use of other NFC applications on the Xperia S – it just opens up another possible avenue for NFC. Hopefully this post will help you explore that avenue while saving you 15 quid, or a two-month wait for the official Sony SmartTags to come out.

March 23, 2012

## Fun with NFC Part Two – Performing Actions with NFC Tags

In my last post I described my rather underwhelming first experiences with NFC, using the apps that came supplied with my Sony Xperia S Android handset. I then got slightly more success using the excellent (and free, I might mention) NXP TagWriter app from the Google Play store. But, so far, I’ve only written and read simple text strings over NFC. What if you wanted to program some action to be taken when a device reads an NFC tag?

This, I believe, is the intended function of the Sony Xperia SmartTags app, but the required SmartTags themselves are still not available in the UK (and those stockists that are advertising them for pre-order suggest that, when they do become available, they will be at a hugely inflated price compared to regular unbranded NFC tags:- £15 for 4 SmartTags compared to £6.50 for 10 generic NFC tags…). So, it was time to turn to the Google Play shop again to see what alternative apps were out there.

There were two apps that caught my eye, NFC Task Launcher and NFC Quick Actions Free, which both seemed to provide the required functionality. So, I decided to take them for a whirl:

## NFC Task Launcher

NFC Task Launcher has excellent reviews (4.7/5.0 stars average) and lots of positive comments. In addition to the paid app (costing £1.21), there’s also a free version. Seeing as I’m only fiddling with NFC, it made sense for me to download the free version first so that I could evaluate the sorts of actions available that could be programmed on my handset. Or so I thought.

Installing and firing up NFC Task Launcher Free, I was a little surprised not to find any menu options relating to creating tags, reading tags, or assigning actions. Those, I thought, would be pretty key features for any application that allowed you to create and read tags that performed actions… Instead, the only options were to upgrade to the full version, some settings, an about page, and a link to purchase NFC tags:

Reading the description on the Google Play shop, I then saw: “This is the free version of NFC Task Launcher. It can be used to READ and EXECUTE tags created with the full version”. Hang on… the only thing that the free version can do is read and execute tags created by the full version? How does that help me evaluate its functionality, when I need access to the paid version to make it do anything?

The paid version of NFC Task Launcher might be great, but there’s certainly no way of knowing that from trying out the free version first, so NFC Task Launcher Free is another app that can be added to the “list of useless apps to be deleted”.

## NFC Quick Actions Free

When installing this application, you’ll notice it asks for a lot of permissions. I’m normally very reluctant to install applications that ask for more permissions than necessary but, when you think about it, the whole point of using this application is to automate different parts of your phone. For every possible action you might want to take in response to reading an NFC tag, this application needs to have permission to perform that action, so expect to see it request permissions for everything from taking videos to turning on Wi-Fi and making calls:

Having installed and launched NFC Quick Actions, you can select from one of a number of actions to assign to a tag:

The available actions are:

• Launch an application
• Dial a number
• Check into Foursquare
• Turn on/off the device light
• Send an email
• Load Google Maps
• Launch the “Android Market” (now Google Play shop)
• Navigate to a chosen destination
• Toggle Wi-Fi/Bluetooth/Airplane Mode
• Send an SMS
• Load Streetview
• Write Text
• Navigate to a URL
• Play a Youtube video

Having selected an action, and set any corresponding parameters (e.g. the addressee to which an email or SMS should be sent, or the point on which to centre the map), hold an NFC tag up to the back of the phone to write that action to the tag.

Subsequently, every time you hold up the tag to the phone (so long as the phone is unlocked and NFC is enabled), the given action will be performed – you don’t need to have the NFC Quick Actions application open. In the example above, waving my phone above the programmed NFC tag causes Google Maps to open, centred on Norwich. Neat, huh?

I tried out a few of the actions, and they seemed to work relatively well. However, there are still a few improvements that could be made to the application: the UI is a bit clunky and a lot of the descriptive text could be made clearer. The biggest limitation, however, is that NFC Quick Actions can only assign a single action to a tag. In practice, I would normally want to specify sets of actions to occur – for example:

• When touching my phone on the NFC tag on my bedside table, I’d like to set my alarm for the morning, turn off Wi-Fi, and dim the screen brightness.
• When touching the NFC tag in my car, I’d like to enable GPS, turn on handsfree mode, and fire up the Navigation app.
• etc. etc.

I’ve written to the developer with suggestions for a few more actions, and to ask whether multiple actions are likely to be supported in the future. I’ll let you know if I hear anything. In the meantime, if anyone can recommend whether it’s worth investing in the paid version of NFC Task Launcher, or if there are any other NFC actions apps out there, please let me know….
