We know HTTP is insecure. Across the web, IANA’s assigned port list is used by default, and it says port 80 should be used for HTTP traffic, but nothing stops you from running something “non-standard” on port 80.
Anyway, coming to the point: you could be running an HTTP server on any port (80, 8080, 8090, whatever); the HTTP protocol is insecure by design. Since we cannot change the standard use of port 80 everywhere (IPv6 is still on its way even after decades), there are multiple remediations that can be used to avoid the common challenges with HTTP.
Instead of serving anything on port 80/HTTP, use it solely for redirecting to the correct HTTPS/443 endpoint, as recommended by cio.gov and Let’s Encrypt.
Enforce an HSTS policy on your domain. By nature it is effective only once the client has accessed your domain at least once. If you don’t know what HSTS is, it is just an HTTP header that tells the browser to always open the website over HTTPS.
Blocking or disabling port 80 doesn’t make your server any more secure; in fact it makes things worse.
There is still an open opportunity for a MITM attack. The flaw is in the protocol, not in the implementation of HTTP, which is why anyone can sniff and serve you alternate content, even if you have the port blocked on the server.
You will make things worse for your users; they won’t be able to access your website as they normally would.
If you serve HSTS headers over HTTP, at least HSTS will be enforced on one hand.
Everywhere you would have to type HTTPS, which people don’t do; it is a painful thing to enforce.
It is not about port 80; it is about not using HTTP anywhere. If you have other ports that serve content over HTTP, it is still an issue!
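A way to check both remediations (redirect-only port 80, HSTS on the HTTPS side) from response headers. This is an added example, not code from the original post; the sample responses, the `example.com` host and the 180-day `MIN_MAX_AGE` threshold are assumptions.

```python
# Added example: audit the port-80 redirect and the HSTS policy from
# (status, headers) pairs taken from the HTTP and HTTPS responses of one host.
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}
MIN_MAX_AGE = 15552000  # assumption: anything under ~180 days counts as too short


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if max-age is missing or invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def audit(host, http_resp, https_resp):
    """Return a list of findings; an empty list means both remediations are in place."""
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(headers.get("location", ""))
    if status not in REDIRECT_CODES:
        findings.append("port 80 answers with content instead of a redirect")
    elif target.scheme != "https":
        findings.append("port 80 redirect does not go to https")
    elif target.hostname != host:
        # Redirecting straight to another host means this host never sets HSTS.
        findings.append("port 80 redirect skips https on the same host")

    status, headers = https_resp
    headers = {k.lower(): v for k, v in headers.items()}
    # Browsers only honour HSTS received over HTTPS (RFC 6797), so check it there.
    raw = headers.get("strict-transport-security")
    policy = parse_hsts(raw) if raw else None
    if policy is None:
        findings.append("no valid HSTS header on the https response")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("HSTS max-age is too short")
    return findings


# Constructed sample responses (not captured from any real site).
GOOD = ((301, {"Location": "https://example.com/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
BAD = ((200, {"Content-Type": "text/html"}),
       (200, {"Strict-Transport-Security": "max-age=300"}))

if __name__ == "__main__":
    for name, (plain, tls) in (("good", GOOD), ("bad", BAD)):
        print(name, audit("example.com", plain, tls) or "ok")
```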
Hardware-based tokens are widely used in India to generate signed PDFs such as invoices and agreements. We wrote a small Python program to sign invoices automatically, with the token attached to a local server.
Windows drivers are widely available, but Linux drivers are rare to find; they are listed at https://www.e-mudhra.com/Repository/index.html
To get the token name, you can uncomment print(self.pkcs11.getSlotList(tokenPresent=True)) and print(self.pkcs11.getTokenInfo(1)); for PROXKey the name "WD PROXKey" was generated.
So I am a developer and maker – basically a keen person who is interested in almost everything that sounds logical. The harder something is to understand, the more interested I become in it.
In the current “vast” space of information, I read 10-15 articles a day on average, and have done so for the last 8 years, but there hasn’t been a sense of knowledge satisfaction. If I compare it to my school days, when I used to read through books that were about computers, technical but outdated, there is a significant difference in satisfaction. (Do note, I am not debating articles in digital form versus books in physical form here.)
To understand the problem I started by creating a new habit.
Reading books – a few pages as I wake up, a few pages in the evening. (Not a strict goal, but 2 books/month – where each book averages 200 pages and isn’t fiction.)
So far it has been good and the satisfaction level is quite high!
But why?
It seems it has to do with us:
We skim, not read. We skim newspapers for information, we usually skim articles for the information we seek, we skim most content. With time, when the brain sees a similar organization of content, it activates skimming mode.
Information online is volatile. You might find a similar or the same piece of advice everywhere, copied, and in a few days it might disappear; and when not used, it is trashed by the brain. We need to see something once in a while to automatically recall it and make it more persistent.
E.g.: you read a book and keep it somewhere; you might stumble across it someday and open it, might check a few things, and your brain will start recalling many events. But how many times do you re-read the same article?
Content doesn’t have a sense of authenticity. You come across articles, read them, understand them, but mostly you can’t trust the content. How many people spend a month or a year writing an article? Articles have one key focus, SEO; even if the content is genuine it should have clickbait, keywords etc., but authenticity is not something search engines seek.
Effort is missing. Again, I am not talking about every article, but publishing an article doesn’t require enough effort, while writing a book takes money, getting a publishing house to agree, and years of effort to put down thoughts – because once it is printed, it is printed.
If you write something wrong, you can’t take the book back from people; if there is an error, it will persist for your lifetime. People will judge you by your book and its cover.
Information is not organized. When you get a book, it is always on a specific theme, and in all those pages it talks just about that. You read related content such that it slowly starts persisting in your brain. And that is how I got a sense of knowledge.
Irony is – this is an article.
This doesn’t mean that articles are bad, but I have the following perception of how articles should or shouldn’t be:
Not for SEO: Yes, check the site; if a lot of its articles are of a clickbait nature, they will not actually convey good enough information. If a person is writing articles very frequently, those are there just for the sake of being there.
Should convey meaningful information: Nowadays most articles are just DERIVED from some other article; it is a good thing if an article can innovate in some manner or at least put effort into organising certain information.
There is no way but experience – on one hand you should not trust every source and should get information from trusted sources, but on the other a good source doesn’t write frequently or on broad topics. With time, if one observes, he/she can come to know how to identify bogus sources.
Refer to official sources for information. Yes, just as in programming there are millions of tutorials, but if I ever want to learn about something new I refer to the official documentation – it doesn’t matter how badly it is written, documentation is usually accurate and explains the logic, as it is written by developers and not by a content writer with a bleak understanding of the underlying principles. The same goes for everything – if you want to read about some rules, refer to the government-issued rule book. It might not sound good, but it’s the best way to get accurate information.
I know this is not a popular blog and there are not a million followers, but since you have read this article, feel free to comment and share what I missed and what else should be incorporated.
Phishing is a never-ending tug of war where one side is only trying to stop the other side from winning. “Attackers are always trying to be innovative while defenders are trying to innovate on the innovation done by defenders.”
Ironic as it may sound, but this is what it is.
This article is not about blaming some organisation for not doing enough to protect its customers; it is more about the vendors who are trying to defend, while the current time doesn’t demand defence – instead it needs an aggressive attack mechanism, even proactive attacks before damage can be done.
Approach
To solve the problem of phishing I am proposing an N-step approach.
Get ready with your defenses – just as in war, first strengthen your defenses. This can be done by proactively doing the following:
Training your employees
Asking cybersecurity team to be vigilant
Performing vulnerability assessment and penetration testing.
DDoS prevention (you might need it; DDoS is cheap these days)
To get an idea, monitor what types of attacks are originating.
Measure similarity among phishing attacks – you might be able to figure out active APT groups.
Initiate takedowns, publish something about them in the media (yes, you heard me – more aggressively; see how they react)
Attack the psychology
Setting up a “honeypot” to gather information (the honeypot is key; I cannot write the process in detail, but trust me – it is something you will need).
Giving the attacker bogus information
You win !
But how? The key part of the approach is psychology – if you attack infrastructure, it can easily be bought again; the success of a phishing attack depends on how good the results are that the attacker gets.
Reasoning
If you have ever conducted an actual phishing attack or have observed the programmatic logic – attackers have adopted methods to get 2FA from clients, but once verified, the data is valuable. Let’s do some math.
Let’s say you are conducting a phishing attack and it costs you $100 to compromise a website or host it; sending an email might cost you $0.001. Assuming 1/1000 spam emails are clicked, you are technically going to spend $1 per click. Let’s say 10% of clickers turn into victims: to get useful data you will need $10.
If captured data is sold in the market at $20 for every good record, you are going to make a profit of $10, excluding the hosting cost.
But what if you are getting bogus data, which looks just as good but is now useless since 2FA has failed, or maybe the servers are not responding? Overall, if vendors can make the cost of phishing high, only those who are willing to catch a whale will survive.
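The cost argument above, carried through as a small model so a defender can see how much bogus data removes the margin. This is an added example, not part of the original post; it uses the article's figures as defaults, and `bogus_rate` (the fraction of captured records that are decoys or fail on use) and charging the hosting cost once per campaign are assumptions.

```python
# Added example: the article's phishing economics as a model a defender can sweep.

def campaign(emails, bogus_rate=0.0, hosting=100.0, email_cost=0.001,
             click_rate=1 / 1000, victim_rate=0.10, price=20.0):
    """Return (cost, revenue, profit) for one campaign.

    Defaults are the figures from the text; bogus_rate is an assumed parameter.
    """
    records = emails * click_rate * victim_rate
    cost = hosting + emails * email_cost
    revenue = records * (1.0 - bogus_rate) * price
    return cost, revenue, revenue - cost


def cost_per_good_record(bogus_rate, email_cost=0.001,
                         click_rate=1 / 1000, victim_rate=0.10):
    """Sending cost per usable record, excluding hosting ($10 in the text at bogus_rate=0)."""
    if bogus_rate >= 1.0:
        return float("inf")
    return email_cost / (click_rate * victim_rate * (1.0 - bogus_rate))


def break_even_bogus_rate(emails, **kwargs):
    """Bogus-data fraction at which profit reaches zero (0.0 if the campaign never paid)."""
    cost, revenue, _ = campaign(emails, 0.0, **kwargs)
    if revenue <= cost:
        return 0.0
    return 1.0 - cost / revenue


if __name__ == "__main__":
    # Sweep the decoy fraction for a constructed campaign of one million emails.
    for rate in (0.0, 0.25, 0.45, 0.5, 0.75):
        cost, revenue, profit = campaign(1_000_000, rate)
        print(f"bogus={rate:.2f} cost=${cost:.0f} revenue=${revenue:.0f} "
              f"profit=${profit:.0f} per-record=${cost_per_good_record(rate):.2f}")
    print("break-even bogus rate:", round(break_even_bogus_rate(1_000_000), 2))
```

At the article's prices, half of the captured records being unusable doubles the sending cost per good record to the $20 sale price, and the hosting cost pushes break-even lower still.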
The article below discusses my point of view in a mixed technical fashion.
…and everyone is aware that hot and cool are relative terms. Before you ever touched ice, you never knew what is cooler than water. The moment you touched ice, you immediately altered your definition of cold. Moreover, the definitions of hot and cold are relative to your expectations. Once you touched ice and it became the coldest thing ever, you might have started imagining living in an igloo, but you never expected to build one in the middle of the Thar.
To give you more of a feel for what I am saying, imagine that back in the Middle Ages a person living in the middle of the desert is introduced to a water cooler; he would say it is the coolest thing. But if we take the same person to Greenland and he stays there for a week, will he feel the same when he comes back? Probably not. Why? Because now he knows there is a cooler place where he can live.
Fast-forward to the near present. Long before, when ACs were just an idea, water coolers were a luxury and fans were the things that gave a chill, the way a cool breeze used to. Slowly globalization took over, science innovated, and ACs became reality. Water coolers became more like fans, their cool wind now filled with moisture, and fans became dry.
The perception of the world has changed, and that’s the reason global warming can never be stopped; it can only be slowed. Why?
When you were out in the open, it felt hot. Why? Because recently you were in some cool place. You turn on the fan – still hot; water cooler – still hot; AC at 25c – feels better. You go outside, sit in AC set to 17, come back and feel hot; you turn on the AC set to 25c – it is still hot; set it to 17 – now it’s normal.
All this would feel normal, but this is a loop, and once we are caught in it, it’s hard to get out (probably never). Why? Let’s dig deeper.
AC is cool. Some rich X company gets its rich CEO a cool place with a million-dollar AC.
People move in and out, while surviving in the cool breeze of water coolers.
They want to enjoy the same cool environment as the CEO, so they work hard to get one.
Their colleagues want the same, and everyone keeps getting ACs.
As ACs got cheaper, more people bought them as a luxury.
More than people’s feeling of hot and cold changing, it impacted their surroundings.
The outside got hotter. Why? Because of the heat emitted by ACs.
People lowered the temperature, and the heat emitted increased.
People lowered it more and the outside world felt hotter.
Eventually the cool breeze can’t be cool, because the breeze is hot with the heat emitted.
Forcing others to get an AC.
Now everyone is in AC, the world is hotter, and we are installing ACs to make it cooler.
Now you can’t live without AC, because outside is hotter. It’s us making it hotter to make it cooler. The outside will feel hotter day by day, people will lower the temperature, and the world will keep getting hotter because you want it to be cool. The sad thing is that it will never end.
What can we do? One could say move to nature, but it will take a lot more effort to educate everyone on this planet. My suggestion? Sit in an AC room and discuss possible solutions.
The Amazon Dash button is an incredible piece of hardware and another example of “applied engineering” at Amazon, just like the Kindle.
The inspiration for this project isn’t directly derived from the Amazon Dash; I wasn’t aware of it until I started digging through the internet, but in the end I had to set the performance goal to the Amazon Dash, because no other piece of hardware was up to the mark. A detailed teardown of the Dash button can be found here.
For “decades” I have wanted to build a piece of hardware which I could dynamically program for any functionality, like playing the next YouTube video, unlocking a door, rebooting a machine, minimizing all open tabs or whatever, with the push of a button. The button should be portable and should not depend on another device to operate.
To meet my requirements I had to rule out BLE or any other radio-based technology that needs a receiver or an additional unit to operate. The ESP-12F is power intensive and somewhat large compared to the ESP-01. The end prototype looked like this and worked as expected.
Below is list of components I used.
1x LiPo Battery – 150mAh
1x ESP8266-01
1x 1k Resistor
1x Tactile Switch Button
You might require a soldering iron with a fine tip, basic desoldering skills, access to a 3D printer, and an FTDI board or similar setup.
The schematics of the setup would look like below:
The functioning is like this: we turn on the ESP using the push button, but it takes time to log in to Wi-Fi and authenticate, so we need to keep it on for a fairly long time. This can be done using a programmable output pin: as soon as the ESP turns on, GPIO2 can be set HIGH, and once the operation is finished it can be set LOW. A few challenges I found on the way (with fixes):
Power is very limited, so we need to remove the LEDs from the ESP; this saves a lot of power and would increase battery life by almost a fold!
You should use a diode and a transistor to limit current; since I am not an electronics nerd I will not comment on it.
You should set a timeout period in case you are writing custom logic, else the battery will drain and you will never come to know why!
After soldering, you have to upload the following code, which needs to be tweaked according to need, but it has the basic logic:
The code starts in hotspot mode if it cannot connect to Wi-Fi; if it can connect, it makes a connection to the MQTT server, makes an announcement, then shuts down.
// Device identity and credentials: replace the placeholders before flashing.
#define DEVICE_ID "YOUR_USERNAME"
#define DEVICE_NAME "iot-" DEVICE_ID
// SSID and password of the fallback configuration hotspot started by WiFiManager.
#define WIFI_SSID "mad-" DEVICE_ID
#define WIFI_PASSWORD DEVICE_ID
#define MQTT_SERVER "YOUR_SERVER"
#define MQTT_USERNAME DEVICE_ID
#define MQTT_PASSWORD "YOUR_PASSWORD"
#define MQTT_SEND_CHANNEL "pushbutton"
#define MQTT_RECV_CHANNEL DEVICE_NAME
#define BUTTON_MODE 1
#define USE_SSL 1
// GPIO2 holds the power latch: HIGH keeps the board on, LOW lets it switch off.
#define GPIO2 2
// Maximum time to stay powered, in milliseconds.
#define BUTTON_TIMEOUT 30000

#include <ESP8266WiFi.h>
#include <WiFiClient.h>
#include <ESP8266WebServer.h>
#include <ESP8266mDNS.h>
#include <PubSubClient.h>
#include <DNSServer.h>
#include <WiFiManager.h>
#include <ArduinoJson.h>
#include <stdarg.h>

// Note: USE_SSL and PORT are not used by the MQTT connection below, which runs
// over a plain WiFiClient on port 1883, so the MQTT username and password are
// sent unencrypted.
#if USE_SSL
#  include <WiFiClientSecure.h>
// WiFiClientSecure client;
#  define PORT 443
#else
// WiFiClient client;
#  define PORT 80
#endif

void reconnect();
void sendMessage(String action, String data, char* num = "", ...);
char* stringToChar(String str);

WiFiClient espClient;
PubSubClient client(espClient);
WiFiManager wifiManager;

long lastMsg = 0;
char msg[50];
int value = 0;
String DEVICE_FEATURES = "";
void setup() {
  DEVICE_FEATURES += "pushbutton;";

  // Latch the power on as early as possible.
  pinMode(GPIO2, OUTPUT);
  digitalWrite(GPIO2, HIGH);

  //Serial.begin(9600);
  // wifiManager.resetSettings();

  // Connect with the stored Wi-Fi credentials, or open the configuration hotspot.
  if (!wifiManager.autoConnect(WIFI_SSID, WIFI_PASSWORD)) {
    //Serial.println("failed to connect, we should reset as see if it connects");
    delay(1000);
    ESP.reset();
    delay(1000);
  }

  client.setServer(MQTT_SERVER, 1883);
}

void loop() {
  // In button mode: once uptime exceeds BUTTON_TIMEOUT, release the power latch.
  if (millis() > BUTTON_TIMEOUT)
    digitalWrite(GPIO2, LOW);

  // If the MQTT client is not connected, connect it back.
  if (!client.connected())
    reconnect();

  client.loop();
}
/**
  Send message to server
  example: sendMessage("hello", DEVICE_NAME,"ksks","mac",getMacAddress(),"localIP",WiFi.localIP().toString());
  k for key
  d : int, f : float (passed as double), s : string (char *), l : long,
  No char type
*/
void sendMessage(String action, String data, char *types, ...) {
  StaticJsonBuffer<200> jsonBuffer;
  JsonObject& root = jsonBuffer.createObject();
  root["action"] = action;
  root["data"] = data;

  // Find the length of the type string.
  int count = 0;
  while (types[count++] != '\0');
  --count;

  // The type string must be made of (key, value) pairs.
  if (count % 2 != 0)
    return;

  // For argument parsing.
  va_list arguments;
  va_start ( arguments, types );
  String key;

  // Even length validated already.
  for (int i = 0; types[i] != '\0'; i += 2) {
    // This is intentionally done: a default key of type k could be used, but the
    // developer might make a mistake, causing a lot of debugging.
    if (types[i] != 'k')
      continue;
    key = va_arg ( arguments, char * );
    switch (types[i + 1])
    {
      case 'd': root[key] = (va_arg(arguments, int));
        break;
      case 'l': root[key] = (va_arg(arguments, long));
        break;
      case 'f': root[key] = (va_arg(arguments, double));
        break;
      case 's': root[key] = (va_arg(arguments, char *));
        break;
      default: ;
    };
  }
  va_end ( arguments ); // Cleans up the list

  // Serialize the JSON document and publish it.
  char tmp[root.measureLength() + 2];
  root.printTo(tmp, sizeof(tmp));
  client.publish(MQTT_SEND_CHANNEL, tmp);
}
void reconnect() {
  // Loop until we're reconnected
  while (!client.connected()) {
    // Give up once the button timeout has passed, so an unreachable MQTT server
    // cannot keep the board powered and drain the battery.
    if (millis() > BUTTON_TIMEOUT) {
      digitalWrite(GPIO2, LOW);
      return;
    }
    //Serial.print("Attempting MQTT connection...");
    // Attempt to connect
    if (client.connect(DEVICE_NAME, MQTT_USERNAME, MQTT_PASSWORD)) {
      //Serial.println("connected");
      // Once connected, publish an announcement...
      sendMessage("hello", DEVICE_NAME, "ksks", "features", (DEVICE_FEATURES).c_str() , "localIP", (WiFi.localIP().toString().c_str()));
      // ...then release the power latch: the job is done.
      digitalWrite(GPIO2, LOW);
    } else {
      //Serial.print("failed, rc=");
      //Serial.print(client.state());
      //Serial.println(" try again in 2 seconds");
      // Wait 2 seconds before retrying
      delay(2000);
    }
  }
}
I hope you enjoyed the article. It wasn’t a detailed writeup and I dropped many details, but if you have any questions you can comment or drop a mail – I will surely help.
Disclaimer: This post is based on my experience, which is completely subjective; in no way am I promoting any application or product 😉
I have been trying to get my hands on BLE 4.0 modules for a long time. As always, I was looking for a small, cheap solution; JDY-08 was one of the solutions I came across – it seemed just perfect!
It is based on the TI CC2541 SoC, with low power consumption and long range. Voilà!
Below is what is being advertised by most vendors:
Maximum transmit power of 0db, maximum transmission distance of 80 meters.
Serial support, allowing users to modify the device name, service UUID, transmit power and pairing password through AT commands; convenient to use and flexible.
Ultra-low standby power consumption 400uA ~ 800uA
Ultra-long connection distance 100 ft / 60 m
Fast reaction speed 0.4 seconds
For Apple, Android
Receive no byte limit, up to 6K Bytes/sec.
You are doomed if your laptop has only one HDMI port and you are running Linux on that box.
That is unlike Windows, where there are tons of easy-to-run solutions, and there are still tons of solutions if you have big numbers in your pocket.
Certainly, I wish neither to spend money on an external VGA/HDMI extender or docking station nor to change OS. So after a lot of googling I discovered a solution that uses a different machine as the streaming client. You can use an RPi or an old P4 machine.
Below is how it works.
Add a virtual display on your machine; usually all graphics cards support at least one virtual display. You do all this using xrandr.
Create a VNC server to stream that display – but since you cannot run two commands each time just to connect the display, we run VNCViewer in listen mode.
Connect to the VNC viewer and keep it running in the background.
Your Laptop —[Display Data]—> Network —-> VNCViewer
As shown above, your data is being streamed over the network, so you cannot run 4K data. But if you have good LAN speed you won’t face any problem.
I have also optimized the settings for the best experience. So far I can use the terminal and watch videos; the only drawback is that you feel the lag when you use the keyboard or mouse for realtime feedback.
On the client machine, i.e. your laptop:
You will need to install x11vnc and screen.
#!/bin/bash
# Run VNC server in remote device. 10.0.0.2 is my machine which has the monitor connected.
# Replace "user" with your account on that machine.
ssh user@10.0.0.2 "nohup /root/vncserver.sh > /dev/null 2>&1 &"

# Add a 1920x1080 virtual display to the right of the main one.
xrandr --addmode VIRTUAL1 1920x1080
xrandr --output VIRTUAL1 --mode 1920x1080 --right-of eDP1 # find your main display

# Stop any previous session before starting a new one.
screen -X -S vnc quit
killall x11vnc

# Adjust the position 1920x1080+3511+180, i.e. 3511+180, accordingly.
# I have displays with different resolutions, so I had to move it.
# Note: --nossl sends the stream unencrypted and no VNC password is set.
screen -dmS vnc x11vnc -connect 10.0.0.2:5500 -display :0 -clip 1920x1080+3511+180 -wirecopyrect -viewonly --nossl -ncache 10 -ncache_cr
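On the server machine (LAN address 10.0.0.2):
#!/bin/bash
# grep counts its own process, so a count other than 1 means vncviewer is already running.
if [[ $(ps -ef | grep -c vncviewer) -ne 1 ]];
then
    echo "Running"
else
    export DISPLAY=:0.0;
    # Wait for the reverse connection from x11vnc and show it full screen.
    vncviewer -listen 0 -fullscreen -owncmap -viewonly;
fi
You will need to install VNC Viewer on the client side.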
Note: This article was written after the project was partially completed, so I don’t have better images.
There are hundreds of projects for building a “smart watch using Arduino”; I have curated a list of the better projects at the end of this article. I didn’t plan to copy any of the given projects, but in the end it turned out that the world is a big place. So this blog post is my effort at developing “my smartwatch”.
Hardware :
Arduino Pro mini
Bluetooth module (HC-05)
OLED Module (SSD1306)
LiPo Battery (110 mAh)
Thin copper wire, single strand if possible.
FTDI Breakout board or any way to program Arduino pro mini.
Micro USB female pins
Membrane Tape
Tools :
Soldering iron – along with soldering wire, flux, etc.
3d Printer/Good Crafting Skills to make a case
Working brain ! (Recommended)
Software :
Android phone (BTTerm) / Linux system (minicom, rfcomm). Windows Phone, Windows * and Mac OS users are on their own, but you can search for “Bluetooth serial terminal”.
Arduino IDE
Common Sense ! (Recommended)
The guide here is definitely not a step-by-step guide; it just tells the flow (an algorithm, not code).
Desolder the pins on your OLED display. Yes, all the header pins; for noobs like me it’s a tough task.
Desolder the pins of the HC-05/HC-06 if it has them; if you got a module without a header, skip this.
Connect all the GND and VCC pins of the Arduino, HC-05 and OLED. Easy?
Solder the OLED pins SCL -> A5, SDA -> A4 to the Arduino.
Solder the HC-05 pins TX -> 10, RX -> 11 to the Pro Mini.
Then solder VCC to a switch (any you prefer) and to the battery.
#include "U8glib.h"
U8GLIB_SSD1306_128X64 u8g(U8G_I2C_OPT_NO_ACK); // Display which does not send ACK

#include <SoftwareSerial.h>
// software serial #1: RX = digital pin 10, TX = digital pin 11
SoftwareSerial bluetooth(10, 11);

#define buflen 10
char str[buflen+1];
int strCount=0;

// setup input buffer
#define LINE_MAX 30
uint8_t line_buf[LINE_MAX] = "Booting...";
uint8_t line_pos = 0;

// setup a text screen to support scrolling
#define ROW_MAX 12
uint8_t screen[ROW_MAX][LINE_MAX];
uint8_t rows, cols;

// line height, which matches the selected font (5x7)
#define LINE_PIXEL_HEIGHT 7
// clear entire screen, called during setup
void clear_screen(void) {
  uint8_t i, j;
  for( i = 0; i < ROW_MAX; i++ )
    for( j = 0; j < LINE_MAX; j++ )
      screen[i][j] = 0;
}

// append a line to the screen, scroll up
void add_line_to_screen(void) {
  uint8_t i, j;
  for( j = 0; j < LINE_MAX; j++ )
    for( i = 0; i < rows-1; i++ )
      screen[i][j] = screen[i+1][j];

  for( j = 0; j < LINE_MAX; j++ )
    screen[rows-1][j] = line_buf[j];
}

// U8GLIB draw procedure: output the screen
void draw(void) {
  uint8_t i, y;
  // graphic commands to redraw the complete screen are placed here
  y = 0; // reference is the top left -1 position of the string
  y--;   // correct the -1 position of the drawStr
  for( i = 0; i < rows; i++ )
  {
    u8g.drawStr( 0, y, (char *)(screen[i]));
    y += u8g.getFontLineSpacing();
  }
}

void exec_line(void) {
  // echo line to the serial monitor
  Serial.println((const char *)line_buf);

  // add the line to the screen
  add_line_to_screen();

  // U8GLIB picture loop
  u8g.firstPage();
  do {
    draw();
  } while( u8g.nextPage() );
}

// clear current input buffer
void reset_line(void) {
  line_pos = 0;
  line_buf[line_pos] = '\0';
}

// add a single character to the input buffer
void char_to_line(uint8_t c) {
  line_buf[line_pos] = c;
  line_pos++;
  line_buf[line_pos] = '\0';
}
void setup(void) {
  Serial.begin(9600);
  bluetooth.begin(9600);
  Serial.print("Hello");
  // bluetooth.println("Hi");
  // u8g.firstPage();
  // u8g.drawStr( 0, 0, "Booting..");

  // set font for the console window
  u8g.setFont(u8g_font_5x7);
  //u8g.setFont(u8g_font_9x15);

  // set upper left position for the string draw procedure
  u8g.setFontPosTop();

  // calculate the number of rows for the display
  rows = u8g.getHeight() / u8g.getFontLineSpacing();
  if ( rows > ROW_MAX )
    rows = ROW_MAX;

  // estimate the number of columns for the display
  cols = u8g.getWidth() / u8g.getStrWidth("m");
  if ( cols > LINE_MAX-1 )
    cols = LINE_MAX-1;

  clear_screen(); // clear screen
  delay(1000);    // do some delay
  exec_line();    // place the input buffer into the screen
  reset_line();   // clear input buffer
}
void loop(void) {
  // Keep reading from HC-05 and send to Arduino Serial Monitor
  if (bluetooth.available()){
    char c = bluetooth.read();
    Serial.write(c);
    // uint8_t c;
    if ( line_pos >= cols-1 ) {
      // line is full: show it and start a new one with this character
      exec_line();
      reset_line();
      char_to_line(c);
    }
    else if ( c == '\n' ) {
      // ignore '\n'
    }
    else if ( c == '\r' ) {
      // carriage return ends the line
      exec_line();
      reset_line();
    }
    else {
      char_to_line(c);
    }
  }

  // forward anything typed in the serial monitor to the Bluetooth module
  if (Serial.available())
    bluetooth.write(Serial.read());
}
As I said initially, my build is not the best one; there are people with better electronics and better output. Check these: