Standard Notes

I’ve been using SimpleNote for a long time. It’s a great simple cloud-synced notepad and a very nice free service Automattic maintains. Type some text at it and it remembers; you can access it with a nice desktop app, a nice mobile app, or the website. The problem is SimpleNote isn’t built for much security. They store your notes in plaintext on their servers. That’s probably OK, but if they ever have a security breach we’re in trouble. And oddly, my notes turn out to have some pretty secure content in them. In particular I often temporarily save a password or SSH key to them. Not permanently, but with undo it’s not clear you can ever really delete anything.

Enter Standard Notes. It looks to be very similar to SimpleNote in concept, but it has end-to-end encryption built in, so it’s more secure. (Also you can never recover your notes if you lose your password.) It’s free and open sourceish, looks like they have a Freemium business model where you pay for extra features like fancier editors with formatting, reskinning the UI, etc.

Notes are tagged; in that way it’s a little like Notational Velocity / nvAlt.

The Windows desktop app is Electron and looks to share code with the web interface. The UI is a bit funky, it does not look like a native app, but it’s totally usable. Not sure how the iPhone app is implemented (I’m guessing JavaScript as well) but it looks fine.

Trying it out is easy; there’s an import from SimpleNote that works OK. The main wrinkle is that all my deleted SimpleNotes showed up again.

I love the voice of their help page. Someone very opinionated (in a good way) is building this product. I particularly like this quote:

Your data is a liability to us, not an asset.


Door King 1812 programming notes

I have a gate at my house. It’s driven by a LiftMaster Miracle 1 motor unit, which in turn is commanded by a Door King 1812 gate controller. This was all installed around 2000 but the design probably predates that. I got deep into the setup of these things trying to make the gate do what I want, and failed. Mostly because I don’t understand the Miracle 1.

The Door King 1812 is still sold today, still supported. The manual is here; I reference it by section number (like 2.2.1 for master code).

Programming it seems daunting. I tried at first to get it working using the PC software and a modem, but that requires a monthly $$ subscription to use and seemed pretty rickety anyway. Instead I used the touchtone programming interface. This is overwhelming at first, but really not so hard.

The key thing here is the gate controller is wired into my phone line. It’s listening in-line and can be programmed to work as an intercom using the phone wires, to synthesize a ring on my phone line, and even to answer and make phone calls. I talk to the controller via my phone; just pick up and press *7 at the dialtone to get the gate’s attention and it answers with a beep.

One wrinkle: some steps require you press 0 and # simultaneously to end programming. (I write this as 0-#). I found neither phone keypad I have is able to send two tones at once. I ended up having to use the gate keypad to program things so I could enter 0-#.

Here’s some stuff I learned:

Master code. You need this to do anything else. Old ones had a default of 9999, newer ones have a default of the last 4 digits of the serial number. Someone had written mine down on a sticker inside the keypad box. See 2.2.1 for setting a new master code; you open the keypad box and flip a switch. I’ll use “xxxx” to stand in for this code later.

Attention. The gate listens for a code, *7 by default. It beeps when it responds. All commands to the gate start with that. See 2.2.2 to change the number 7. You can inspect the state of the gate relays with this attention command, as described in 4.11. After a brief delay the gate will beep at you to tell you which relays are open.

Basic operation from house phone. *7 9 to open the gate. In detail: the controller is programmed to respond to simple commands on digits 1-9, described in 4.13. *7 gets the gate’s attention, and then it’s sent the command 9. These commands are called “tone open numbers” in the manual and their programming is explained in 2.3.2.

Basic operation from keypad. #zzzz to run an entry code program, described in 4.4. Typically this is something to open the gate. You program codes (like #1234) and give them to friends who you want to get in.

Program strike time. Described in 2.3.1. Various commands tell a relay to operate for N seconds before turning off again. That’s how you have it open the gate for N seconds, then close it again automatically. I believe my gate was programmed to do this for 2 seconds (much less than the time it takes to swing the gate). I think this is the way the Door King signals the motor controller; a short pulse on the relay.

Program tone open number. Described in 4.13 and 2.3.2. *7 *05xxxx 1* 987#* 0-#. This is super complicated. I’m telling relay 1 that when I press 9 I want “momentary activation” for the strike time, when I press 8 I want “hold open”, when I press 7 I want it to deactivate, and nothing for the 4th command (#).

I’ll be honest and say I’m confused about what I ended up with. *78 seems to cause the gate to hold open. Then *78 again will cause it to hold closed. *77 doesn’t do anything?

Program entry codes. Described in 2.6.1, see 4.5 for definitions of “momentary” and “hold”. I entered *7 *02xxxx 18* zzzz* 0-#. That sets up the new entry code zzzz to location 18, a “hold” location. That should cause it to hold the gate open when #zzzz is entered, then close when #zzzz is entered again. If I’d set it to a “momentary” location again like the number 11 then it would only open the gate for the strike time, then close it again.

Security hardening. The controller can answer and make phone calls. I don’t want that. Sections 2.3.5, 2.5.1, 2.5.3 all seem relevant things to turn off.

Garage door remote. My gate also comes with garage door buttons to open. The Door King doesn’t have anything to do with this; it’s wired directly to the Miracle 1.

There’s more the gate controller can do. You can set it so some codes only work at certain times, or certain days. You can program it to accept and make calls. Etc etc. I didn’t do any of that.

The relay and the Miracle 1 motor. This is key to the whole programming. All the Door King is doing is turning a relay off and on. What does that mean to the motor?

I got lost here. The Miracle 1 isn’t really programmable, but does have a few configurable options. I believe ours was configured so that a signal from the relay means “open the gate, wait 45 seconds, close the gate again”. What I want is a signal to open the gate, then a second signal to close it again. The Miracle 1 manual suggests that’s not really possible but I know it used to work that way, so it must be. But in the process of tinkering with it I got the gate in a state where I couldn’t even make it open reliably. It may be that something’s wrong with the limit switches or the power supply. I got fed up and quit.

Two factor authentication overview

Bit of kerfuffle this week around Reddit, which had a security breach despite having two factor authentication enabled. Some basic introductory notes for folks wondering what’s going on.

  • Two-Factor authentication (or 2FA) is any login protocol that requires a second thing for logging in besides your password. Passwords are a terrible form of security, you should use 2FA for any account you care about. Definitely your email account and your bank. Also whatever is important in your job: your Amazon Web Services account, or your Twitter account, or whatever.
  • SMS (text messages) are often used as the second factor in 2FA: the website text messages you a one-time code you type in to the login page. You give the website your cell phone number to set it up. But SMS is not secure; it’s far too easy to convince a mobile phone company to hijack a cell phone number. SMS is better than no 2FA, but if you have any other option at all don’t use SMS. Note many accounts have a backdoor SMS recovery option that you only use if you lost your password; these are also insecure and seem to be what tripped up Reddit. SMS 2FA is also vulnerable to phishing and MITM attacks.
  • TOTP / HOTP, one-time passwords, are also a common 2FA option and are pretty good. App generates codes every minute / every login and you type them into the page. You set it up by scanning a QR code when you set up the login, then run an app like Google Authenticator, Authy, or 1Password to generate a number that you type in to log in. It’s what I use in practice. Not positive how safe it is to use 1Password to store both passwords and this second factor in the same system, so mostly I don’t use that. These are still vulnerable to phishing and MITM attacks.
  • U2F / Yubikey is the new hotness in 2FA. You have a physical device, a little USB key, and a special protocol that lets web sites authenticate through your browser to the key itself. The hardware is designed to be secure. Also the second factor that’s used is phishing resistant. Yubikeys are quite common in the tech industry but do require software support that’s not available everywhere.
  • Push-based 2FA, where you have a custom app on your phone that pops up a confirmation dialog. You press a single button to approve the login and you’re done. It’s very convenient. I first saw this in the Blizzard Authenticator. Duo Push is a product you can use to implement push-based 2FA on your own sites. Apple’s iCloud 2FA also does a variety of push 2FA along with also requiring you type in a code. I don’t know how secure push-based is but I’m guessing pretty good, at least the obvious phishing attacks won’t work.

tl;dr: use 2FA on important accounts. Avoid SMS if you can.

Using a modem in 2018

I’m wanting to program my Door King gate controller. It’s hooked into our phone line and can be programmed via touchtones or with a modem. So why not? I bought a modem. $16 for a USB 56kbps modem. I even made an unboxing video.

I plugged it in to my Windows 10 box and it was just recognized, no driver futzing at all. It even seems available for use for faxing and dialup. But that’s far too new-fangled, so I looked around and found that Tera Term still exists and can be used as serial port console software. Also found at least one dialup BBS online. A few half-remembered Hayes AT commands later and we have connection! Not sure why it only connects at 26400kbps, but I’ll take it.


Having a bit of trouble finding the modem to connect to it. Tera Term seems to think my modem is COM3 and worked first time I tried it. Windows Fax & Scan sometimes identifies a fax device, sometimes doesn’t. And the Door King software is not identifying any modems although I can manually tell it to use COM3.

Worse, the Door King software seems to require an account that I pay for in order to use the programming software. I got as far as registering for the software and getting my password mailed back to me in plaintext before I saw it was $6/month. Forget that. The manual talks about a “DoorKing Auto-Programming Software for Windows” which is different from the “DKS Access Plus” software I can find online. I’ll dig a bit more tomorrow, but this whole ridiculous escapade into modems may be coming to an abrupt end.

AXIS 1034-W security camera setup

A couple years back I bought a wireless security camera, an AXIS 1034-W, and did a halfass setup using the ancient Linux program “motion” to do the heavy work of recording video. I just revisited all this using the on-board features of the camera itself and it’s so much better. This product is obsolete; the newer Axis M1065-LW looks better in lots of ways and some of these notes probably don’t apply. And there’s a whole world of other manufacturers making security cameras, but for me anything with cloud based video uploading like NestCam is a non-starter.

The hurdle is this old camera is really designed to be configured in MSIE, with ActiveX controls (no really) and a Java applet (I know, I know!). Once I got IE 11 fired up it got a whole lot easier to set up the camera. You literally can’t configure the motion detection without running Java. Dumb!

Anyway I’m not going to document everything I did. But the basic thing was to enable audio recording (off by default for some reason), then set up a “quality” stream profile to capture 1280×800 H.264 with audio. Then I configured the image motion detection to trigger on very small objects (i.e., far away from the camera) and set up an action for it to record any detected motion to an SMB share on the local network.

End result is pretty good. The main drawback of this camera model is it doesn’t illuminate the scene nor record with infrared. So it doesn’t work very well in the dark. Newer models do. It does have a passive infrared sensor for motion detection but it doesn’t seem to work well enough.


One long wire

Three years ago I kludged up my Internet access in Grass Valley using a Ubiquiti wireless ethernet bridge. Today I was able to remove that and replace it with a simple long wire. Yay! We finally got some electricians out to run cable through existing conduit. The conduit was crushed, but fortunately not under the driveway like we’d been told by the last electrician. The break was right at the edge of the driveway, probably where a heavy truck fell off once and crushed the conduit. Dug that up, fixed it, ran three new Cat 6 wires and now I’m wired from my house to the antenna up in a tree.

Shout out to the Ubiquiti Nano M5 and Nano Loco M5 though. Those things worked like a champ, rock solid for 3 years. It wasn’t too demanding a problem; 12 Mbps wirelessly over a couple hundred feet. But it worked great for three years with zero problems. I don’t think I ever even had to reboot them. And when the power went out, they rebooted themselves just fine. Very nice hardware and software.

I’m gonna do some tinkering with my new wired setup. I have about 450′ of cable run total from my router to the tree antenna. That’s broken up into three pieces. A 100′ segment from router to an ethernet switch in my garage, a 300′ segment from the ethernet switch to a PoE module at the tree, and then a 50′ segment from the PoE module to the antenna up in the tree. I’m gonna see if I can get away with a passive RJ45 coupler between the ethernet switch in the garage and the cable that goes up the tree to the antenna, move the PoE module down into the garage. That’d let me not rely on outdoor power up by the tree any further. Update: turns out this works fine.

Ethernet has a well-known 100 meter / 328 feet limit on cable runs. But is that a real hard limit? The folklore is it has to do with timing and collision detection, but apparently that might have only been true for very old 10BaseT and/or with non-switched networks. In modern times it may be more a soft standard for signal strength and attenuation, in which case there’s some wiggle room. I’ve heard from friends with 500′ or longer runs who say it works.

Identify Reddit deplorables

Interesting new Reddit tool: Masstagger. You install it and it pops up little red warnings next to user’s posts. “the_donald user”, or “kotakuinaction user”, or the like. A quick way to get some insight into a Redditor’s history and reputation. Makes it easy to identify the Nazi-wannabes at least.

More about it in this Reddit discussion. I particularly like the author’s responses to the kind of crap these projects always attract. “Why not open source? … Because I don’t want to”. “This is just like giving Jews yellow stars! … No, not really.” “Can I add my own subreddits to tag to meet my own personal desires? … No, this identifies Nazis. My old tool was editable and people used it to stalk porn posters.”

Behind the scenes the way it works is they have a list of deplorable subreddits (104 right now) that they monitor. The server on the backend is constantly downloading posts to those subreddits and keeping statistics on which users post there. There’s a second service that lets you look up the scores for a list of usernames. That’s used by the browser addon; when you load a Reddit page it gets the scores and annotates accordingly.

They had some scaling problems today; unfortunately the service is dynamically generating the statistics data when users ask. I was thinking they could just do things statically, generate a statistics file once an hour for the addon to download. But tracking 100,000 users over 100 subreddits, that’s 10M records, or maybe 200M of static data. That’s a lot to serve in a single file.

There’s a variety of existing “profile Reddit users” sites; see SnoopSnoo, Reddit User Analyser, and Reddit Investigator. I wonder if any of them have a backend suitable for this use? Reddit User Analyser works by fetching comments from Reddit directly in the browser page; no server, so probably too heavyweight for this addon. SnoopSnoo appears to have a database on the backend, the report pages come back with little bits of data injected as scripts in the HTML source. Reddit Investigator is down right now.

Anyway it’d be pretty simple to build a custom service for this. Less clear how hard it’d be to make it scale. Static files are clearly the best choice, but it’s a lot of data. Maybe one static file per profiled user? That would require the addon fetch like 40 static files with each page load, that’s not great but it’s not awful.
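An added sketch (my own, not Masstagger’s code) of the pipeline described above: a collector that counts each user’s posts in a watchlist of subreddits, the lookup service the addon calls with the usernames on a page, and one way to publish the same data as a fixed number of static files instead of one huge file or one file per user. The watchlist names and post records are constructed stand-ins; the hashed bucketing goes slightly beyond what the post discusses.

```python
import hashlib
import json
from collections import Counter, defaultdict

# Constructed stand-ins: a three-subreddit watchlist and Reddit-API-like post
# records. The real tool's list of 104 subreddits is not reproduced here.
WATCHLIST = {"watched_a", "watched_b", "watched_c"}

SAMPLE_POSTS = [
    json.dumps(p) for p in [
        {"author": "alice", "subreddit": "watched_a", "id": "p1"},
        {"author": "alice", "subreddit": "watched_a", "id": "p2"},
        {"author": "alice", "subreddit": "watched_c", "id": "p3"},
        {"author": "bob", "subreddit": "watched_b", "id": "p4"},
        {"author": "bob", "subreddit": "unwatched", "id": "p5"},
        {"author": "carol", "subreddit": "unwatched", "id": "p6"},
    ]
]


def ingest(lines, watchlist=WATCHLIST):
    """Backend collector: count posts per user, per watchlisted subreddit.

    Returns {username: Counter({subreddit: posts})}. Users who never post to
    a watchlisted subreddit (carol in the sample) get no record at all, which
    keeps the data set far smaller than users x subreddits.
    """
    stats = defaultdict(Counter)
    for line in lines:
        post = json.loads(line)
        if post["subreddit"] in watchlist:
            stats[post["author"]][post["subreddit"]] += 1
    return stats


def lookup(stats, usernames):
    """Lookup service: scores for just the usernames the addon saw on one page."""
    return {u: dict(stats[u]) for u in usernames if u in stats}


def bucket_of(username, n_buckets):
    """Stable shard id from a hash of the username, so the stats can be served
    as n_buckets static files and the addon knows which file holds a user."""
    digest = hashlib.sha1(username.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_buckets


def publish_static(stats, n_buckets):
    """Split the stats into per-bucket JSON documents ready to be written out."""
    buckets = defaultdict(dict)
    for user, counts in stats.items():
        buckets[bucket_of(user, n_buckets)][user] = dict(counts)
    return {b: json.dumps(users, sort_keys=True) for b, users in buckets.items()}


def buckets_needed(usernames, n_buckets):
    """The set of static files the addon would fetch for the users on a page."""
    return {bucket_of(u, n_buckets) for u in usernames}
```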