Here’s a little something that has come about from a related project I have built (and need to test).
Maybe I’ll write up both projects together!
Relevant hashtags #RaspberryPi #HTML5 #WS2812b
One of my bosses sent me this, his favourite easy recipe for a nice hot chocolate style drink. Saving it here so I remember to do it.
Half a tin of coconut milk in a saucepan.
Stir in as much cocoa as you want, and chunks of chocolate too, if you like it thick.
Add some xylitol to sweeten.
Pour into a mug.
Thick, astonishingly satisfying and good for you.
(Obviously, only pour into a mug once all the cocoa has mixed and chocolate melted – I use a whisk, and add a capful of vanilla essence too).
An explanation more beautiful than my words could ever be:
Giving Is The Best Communication – Thai Mobile Ad…: http://youtu.be/JPOVwKPMG8o
The world is full of horrible injustices; life is cruel and unfair. Survival of the fittest is now survival of the richest.
And the worst thing?
It feels like you’re just too powerless, poor or insignificant against the size of it.
Starvation, cancer, HIV, natural disasters, whatever.
Well, the truth is there is something you can do to change the world.
And it’s cheap, and simple, and should make someone smile.
It’s called A Random Act Of Kindness, or RAOK.
Just do one small thing to improve the life of a stranger.
See a girl sobbing? Go give her a tissue.
Give your elderly neighbour a Christmas card or invite him round for a cup of tea.
Hold the door open for someone.
Carry a lighter just in case someone asks for a light.
Give out free hugs (I did this once. It was hugely fun. I made sure I got all the people with the saddest expressions).
Have a think. Be good to people, even if you don’t know them.
Leave a note that says ‘pass it on’.
Now you may never know the difference that a small random act of kindness makes to that stranger. But this is not about fame or fortune, it’s about changing the world one small random act of kindness at a time.
My hot tip? Why just one RAOK?
Share the love.
And Dear stranger,
If you find this, pass it on, and have a brilliant week!
(I know my name is on here, but who I am doesn’t matter. Thank me by doing a RAOK and asking them to pass it on.)
Here’s a list of cookies WordPress sets when you log in. Because I can’t find this list anywhere on the net and I need it.
wordpress_[HASH] — admin panel auth cookie
wp-settings-3 — settings cookie
wp-settings-time-3 — settings cookie
wordpress_test_cookie — cookie used to test that wp can set cookies. Honestly guys, really?
wordpress_logged_in — another auth cookie
Garreth Tinsley’s Curriculum Vitae
Just a quick and cheeky post to hopefully get myself listed on google ;-). (SEO baby!)
If you’re looking for my CV, here it is:
bit.ly/GarrethTinsleyCV [CV, Microsoft Word Online Viewer]
bit.ly/GarrethTinsley [CV and Achievements bundle, Word Online Viewer]
It goes a little something like this (first page only):
Now, I’m sick of the sight of my own name, so Hi JT, thanks for hosting this ridiculously self-promoting post on your blog!
Well, I’ve now debugged a few issues with my scripts from my last post.
(made them a bit more fault tolerant, and they now actually take notice of $? exit statuses).
Recap: Temperhum (USB) -> Raspberry Pi -> Xively chart, now also
RFDuino (bluetooth wireless) -> Raspberry Pi -> Xively chart
Tip: If you’re struggling with Bluetooth on Linux giving rx timeout errors (check the syslog if it’s not in the console), update the software with the following commands:
sudo apt-get update
sudo apt-get upgrade
The Rfduino has been sitting next to my usb Temperature and Humidity sensor for a few weeks collecting data.
Since it had been both collecting data for a few weeks and sending them to Xively / Pachube / Cosm, I had a quick look to see how closely the readings match.
The graphs do show correlation, thank goodness, but it looks like the RFDuino’s temperature scale isn’t right. The RFDuino is only updating the graph once a minute whereas the Temperhum is 2x a minute.
I didn’t really expect great accuracy for the RFduino thermometer seeing as it’s measuring from the chip. But this would still be useful in some more basic cases.
I think next on the roadmap for the RFduino is connecting sensors/remote controls (it would be cool to attach my RelaySockets to this and control the 2 connected relays via Bluetooth from my Pi and Android smartphone!).
A Temperhum from PCSensor.
A great little bit of kit – once you work out the conversion values for the C++ USB/i2c/HID code that lets linux talk to the thing!
I ordered this nifty ‘RFduino’, an arduino-compatible device which was also my first ever kickstarter purchase over a year ago now.
However, when the device arrived, the company behind it seemed exclusively interested in the iPhone handset to the detriment of all other platforms.
Personally, the lock in monopolistic attitude of Apple and its customers really gets my goat, but I digress.
The lack of support and that the device arrived half a year late left me with a sour first taste of Kickstarter.
Since then, I’ve played with the RFduino using JT’s iGear (no, I don’t know why he fell into the Apple pit either) using the only app available to use the sketch it comes with – the internal thermometer.
But that’s rather limiting!! I bought this device with plans to build a Wireless ‘Internet of Things’ sensor network for my house.
This is something I’ve been dreaming and sketching out for years, because let’s face it, who doesn’t think having the lights turn out when you leave is super cool?
So without further ado, how do we get the RFduino to talk to a Linux machine, in my case a Raspberry Pi running Raspbian?
You will need:
- RFduino (assumes the preloaded Temperature sketch, but this procedure will work if you are running a sketch sending a Float value)
- USB Bluetooth 4.0 adaptor (RPi compatible devices here; note it must be 4.0 [or above])
- Linux computer (Raspberry Pi in my case)
- Internet connection to download tools
- Bluetooth packages installed (bluez-tools)
Power on the RFduino and Linux machine. I used two alkaline AA batteries to power the RFduino, although rechargeables do work.
Install the Bluetooth 4 USB adaptor on the Linux machine.
Install the necessary bluetooth programs:
sudo apt-get install bluetooth bluez bluez-utils bluez-firmware
(you may need to reboot the machine afterwards, I don’t believe I did)
Bring up the bluetooth interface:
sudo hciconfig hci0 up
Run a Low Energy scan to find the address of your RFduino:
sudo hcitool lescan
Should elicit results similar to this:
Select and copy the MAC address given for the RFduino on your system.
(I have no idea why you have to scan as root; someone please leave a comment if you do, and if there’s a way to run as a normal user… groups?)
Read the temperature attribute from the RFduino using gatttool. Paste your device’s MAC address in instead of mine, of course.
sudo gatttool --device=DD:AF:13:17:23:80 --interactive
[ ][DD:AF:13:17:23:80][LE]> connect
handle: 0x000e value: 00 00 a8 41 00 00 00 00 00 00 00 00
Now from that exchange with the RFduino, we have gained a long hexadecimal string.
From a post on the RFduino forum, I learned that the value we want is always the byte after the ‘00 00’ string (a8 in the example above).
This is the temperature read from the RFduino’s internal sensor * 8.
So we need to convert this to decimal and divide by eight to retrieve the temperature value in Celsius (American readers, why aren’t you on SI units yet? :P).
Convert the hex value to decimal temperature
The above method returns an integer value. This is because Bash has limitations working with numbers that are not whole (decimals).
Workarounds use the command bc to interpret string inputs as decimal numbers. I think there is a method to define variable types in bash, but I didn’t get very far with this.
My attitude is that once you start hitting the limitations of a shell scripting language, it’s time to migrate to a proper programming/interpreted language (at least python).
Spending hours and using multitudes of additional programs to make it work is often pointless.
Just think: if you had to run the script on an embedded system without most of those commands, wouldn’t it just be better to do it in C++?
Now that I’ve successfully read the values being sent by the RFDuino I need to figure out how to automate the process – in non-interactive mode.
These commands do the same thing but respond differently:
sudo gatttool -b [MAC] --char-read --handle=0x000e
Characteristic value/descriptor: 00 00 a8 41 00 00 00 00 00 00 00 00
sudo gatttool -b [MAC] --char-read --uuid=2221
handle: 0x000e value: 00 00 a8 41 00 00 00 00 00 00 00 00
Simple bash script to read temperature in Celsius (accuracy is lost here as the decimal is converted to an integer; the byte after ‘00 00’ is the fifth field of the --handle output):
stringZ=$(gatttool -b [MAC] --char-read --handle=0x000e)
echo $(( 0x$(echo "$stringZ" | awk '{print $5}') / 8 ))
Make it executable:
chmod +x [whatever you called the script]
and run it as root:
sudo [whatever you called the script]
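The Python version of the conversion that the post recommends once bash runs out of non-integer maths, added here as an example rather than the post’s own script: it parses both gatttool output forms shown above, decodes the four bytes as the little-endian IEEE 754 float the temperature sketch sends (the post’s ‘00 00 a8 41’ is 0x41a80000, exactly 21.0), and compares that with the divide-by-eight shortcut. The sample lines are constructed from the post’s example reading; compare_shortcut shows the shortcut only agrees with the real float for readings between 16 and 32 °C, and then only to 1/8 of a degree.

```python
import struct

# Constructed sample lines, copied from the two gatttool output forms the post shows.
SAMPLE_HANDLE_READ = "Characteristic value/descriptor: 00 00 a8 41 00 00 00 00 00 00 00 00"
SAMPLE_UUID_READ = "handle: 0x000e value: 00 00 a8 41 00 00 00 00 00 00 00 00"


def parse_gatttool_value(line: str) -> bytes:
    """Extract the raw characteristic bytes from either gatttool output form.

    Both forms end with space-separated hex bytes after the last ':', so splitting
    on that colon handles '--handle' and '--uuid' output alike.
    """
    _, sep, tail = line.rpartition(":")
    parts = tail.split()
    if not sep or not parts or any(len(p) != 2 for p in parts):
        raise ValueError(f"no hex byte string found in gatttool output: {line!r}")
    return bytes.fromhex("".join(parts))


def temperature_from_float(raw: bytes) -> float:
    """Decode the reading as the 4-byte little-endian IEEE 754 float the sketch sends.

    The post's example '00 00 a8 41' is 0x41a80000, which is exactly 21.0 degrees C.
    """
    if len(raw) < 4:
        raise ValueError("need at least 4 bytes for a float")
    return struct.unpack("<f", raw[:4])[0]


def temperature_shortcut(raw: bytes) -> float:
    """The post's shortcut: take the byte after '00 00' and divide by eight."""
    return raw[2] / 8


def compare_shortcut(temp_c: float) -> tuple:
    """Encode a temperature the way the sketch would and return (full decode, shortcut).

    For readings in [16, 32) the float exponent is 131, so the byte after '00 00' is
    128 + the top 7 mantissa bits and byte/8 lands within 1/8 degree of the true value.
    Outside that range the exponent changes and the shortcut is simply wrong.
    """
    raw = struct.pack("<f", temp_c) + bytes(8)  # pad to the 12 bytes gatttool prints
    return temperature_from_float(raw), temperature_shortcut(raw)


def read_temperature(line: str) -> tuple:
    """Parse one gatttool output line and return (full decode, shortcut) in degrees C."""
    raw = parse_gatttool_value(line)
    return temperature_from_float(raw), temperature_shortcut(raw)


if __name__ == "__main__":
    for sample in (SAMPLE_HANDLE_READ, SAMPLE_UUID_READ):
        print(sample, "->", read_temperature(sample))
    # 21.0 and 22.37 are inside the range where the shortcut works; 12.0 and 35.5 are not.
    for t in (21.0, 22.37, 12.0, 35.5):
        print(t, "->", compare_shortcut(t))
```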
I won’t pretend to understand the naming conventions of Bluetooth 4.0/LE.
I don’t! I spent a whole day looking into it and could not find a single source that easily explained the structure, naming, and profiles. If someone has seen something good, please post in the comments!
It’s frustratingly close, like I can see there is a neat logic to it, but I just don’t care to spend any more time trying to figure it out, when all I want to do is use it. This does make it slightly more hacky and less neat and quick of course, but that’s life!
gatttool commands to read the sensor:
lilyhack.wordpress.com/2014/02/03/ble-read-write-arduino-raspberry-pi/
How to convert hex to decimal on the command line:
linuxcommando.blogspot.co.uk/2008/04/quick-hex-decimal-conversion-using-cli.html
How to do calculations on the command line:
www.tldp.org/LDP/abs/html/arithexp.html
Hacked-up way of using gatttool non-interactively, using ncurses and a python script:
thomasolson.com/PROJECTS/BLE/RFduino/LINUX/
Bash string manipulation:
www.thegeekstuff.com/2010/07/bash-string-manipulation/
joost.damad.be/2013/08/experiments-with-bluetooth-low-energy.html
This is a rant. It’s a long one. I’ve not proof-read it much, there’ll be mistakes.
So, unless you’ve been hiding under a rock of late, you’ve heard about Heartbleed. Heartbleed is a bug in one of the core programs used in the open-source world to keep secret those things you need, like credit card details. This particular bug is important, because it can leak information that shouldn’t be leaked, like credit card details. Just click the link above, it gives a really good basic idea as to how it works. It mainly affects those things protected by SSL.
So, now that everyone knows what it is, why is it important? The information leaked can be anything that the computer (henceforth called “server”) responsible for keeping the website involved on the internet has in its memory. That can include requests for websites, file transfers, emails, SSL certificates, SSL keys, credit card numbers and passwords.
Passwords, memory and maths
Now that last one, that’s the one the media, and certain people, have been shouting about. This bug has the small potential to leak passwords. However, this is totally not as serious as it sounds. Passwords are only kept in plain text for a short time – normally, as long as it takes to hash them (one-way-encrypt), and check them against a database. So, your passwords aren’t sitting out in the open, for anyone to steal. Additionally, you have to have entered your password within a second (or two at the latest) of someone using this bug to pull information from a server. As problematic as this bug is, it’s limited. It lets you get 64 kilobytes of information from the server memory. That sounds a lot, till you remember that modern servers have up to 16,777,216 kilobytes, or 262,144 blocks of 64KB. Even servers a few years old (and in server terms, that can be really quite old) have 4,194,304 kilobytes, or 65,536 blocks of 64KB. So, someone has to have managed to use this bug, to grab exactly that block at the right time, to get your password. Also, trust me, we would notice if someone started reading that much information out of our servers constantly. It would be obvious something was wrong. Additionally, not every server is vulnerable to this weakness. Those running IIS, or an older (but still patched) version of operating systems used to host websites remain safe. It’s something like 2/3rds of sites, and crucially, only those 2/3rds of servers set up for SSL.
So, why all the “RESET ALL YOUR PASSWORDS!” screaming? There is a small chance of grabbing an SSL key. Now, due to the way this bug works, this is more likely than other things to have happened. Why is the key important? It’s the set of random numbers that says you ‘own’ a certificate. So in theory, it can be exposed. Why is this a problem? With the key, you can pretend to be the person for whom it was created — if you got google.com’s key, you could pretend to be google.com. Now, this *still* isn’t that easy to use, you basically have to perform a Man In The Middle attack, which is hard, and complex, and will only get you really limited information, depending where you can do it.
No, this is not as serious as it sounds
So, why have I been tweeting lots saying you shouldn’t rush out to reset all your passwords? Three reasons. The first; the likelihood of anyone actually getting your password is really, really really small. Remember, there’s that (at best) 65,536 places your password could be, and only 2 seconds to find it before it vanishes. Per affected website. Add that to the fact that these bugs are hard to find, and using them to get information is hard. Using them to get useful information is also hard – all the bug comes back with is a load of data you have to run through conversion routines to get anything out of. Additionally, due to the way this data is stored, there’s no guarantee it’ll be easy to match your password to your username, which is crucial if you don’t want to have to guess usernames.
My second reason is one of worry about the effect that telling those who aren’t used to strong password security will have. You’re going to be telling people to dump every single one of their current passwords and start again. It’s already really bad – the top 2 passwords of last year were “123456” and “password”. So, though I have no studies on this, I would bet, with hard cash, that forcing those not using good passwords to reset their passwords with fear, will weaken passwords as a whole. I suspect that we’ll find a lot more weak passwords, and a lot more passwords shared amongst websites in the next few batches of password leaks.
Finally, my third reason. Evidence. We’ve had no evidence of large scale, source-less password leaks recently. Hackers, especially some of the nicer ones, have a habit of dumping their finds publicly, and a large-scale capture of passwords would show up in activity around the internet. Additionally, passwords aren’t the only thing Heartbleed can expose. It can expose credit card numbers. And the credit card companies do not like sites to which a hack is traced back. In fact, they have a habit of forcing said companies to go through a rigorous, lengthy, and painful auditing process, to find out exactly *how* the passwords leaked. The security community would have heard of these audits turning up nothing, of credit card data vanishing out in any significant quantity, or even the audits would have thrown up the bug.
So, this password thing. It’s being pushed by the media, and by the guys who created the ‘heartbleed’ website, as a much bigger impacting issue than it really is. Now that the bug is out in the open, script-kiddies will start using the heartbleed website, as will advanced state agencies. I’ve heard some rumours of people seeing internet-wide scans originating from state agencies, shortly after the bug was announced. So, it’s important that it’s patched quickly, it’s a big problem for the tech community, but with the low chance of password exposure, it’s not that important. So, why are the media saying “CHANGE ALL YOUR PASSWORDS”? Two reasons mainly. The first is that that’s a far better headline than “There was a bug. We’ve fixed it.” The second is that that’s the response we, the hosting & security community, have ingrained as ‘the’ response to any sort of compromise. Yahoo got hacked? Change your passwords. last.fm got hacked? Change your passwords. So, when they hear about this hack, which they do not understand, they fall back on the thing they know, and since this bug affects ~60-70% of SSL protected servers, they think “ALL” instead of just a limited set.
Responsible Disclosure – how not to do it
In my opinion, the heartbleed release is a perfect example of how NOT to do responsible disclosure, no matter what certain lucky parties claim. First, create a website with inflammatory content. Then, get those who have insider access to patch. But crucially, don’t inform operating systems before you make it public. Don’t let anyone know in the security teams of Ubuntu, Debian, RedHat or SUSE. You know, just the people who actually have to *create* and *deploy* the patch to the millions of affected servers. Don’t let big publishers or sites know (Yahoo, BBC, Facebook). Instead, publish your site, and wait for the shitstorm to hit, as the media companies take this up, shout about it, and make customers scared. Now, in a boon, the debian OpenSSL team got a patch out for this bug, 30 minutes after they had a bug report. But they didn’t have a bug report when heartbleed went public. No, the bug was reported hours later, after the viral-news effect had got around to someone who knew where and how to report a bug in debian’s bug tracking system.
Other, big bugs
You know, there’s a package that runs a good 22% of the internet. In the past week, they published a really critical bug, one that allows remote authenticated access to their sites. This package? WordPress. The bug will allow an attacker to gain administrative-level access to any wordpress site. In actual damage terms, this bug will cause me far, far, far more grief, and likely our customers, than the heartbleed ever will. Heartbleed was patched out in our network in the space of a few hours, with some minor services taking maybe a day or so. If we’re not running a vulnerable version of WordPress on our network, this time next year, I’ll eat my hat. If some clever black-hat hasn’t written an automatic compromise bot, to exploit this within the next few months, I’d be very surprised.
Another package that had a critical security patch in the past week? Just an addon to wordpress, that a good proportion of wordpress sites also use; Jetpack. They found that they had another remote-access, post, and privilege escalation bug in their code. Again, this single bug will cause us far more trouble in the long term, simply because people won’t upgrade.
Other, easier ways of losing your password
Every now and then, someone’s website gets hacked, crap gets uploaded. We trace it back to their computer, using their login details. What happened? Though we’ve never been able to say with 100% certainty, they were probably infected with a keylogging virus, that saw them typing in their (s)ftp login details, and which automatically used said details to deface their site. That has become less common in the last year, but it was almost a weekly occurrence only last year. How did the keylogger get installed? Simple, our customers either didn’t have anti-virus, weren’t maintaining it, or actively ignored its alerts. They click on links in emails they’re not expecting, open files in emails they’re not expecting, and get infected. Just this week, something has been quite determined to infect me – sending me ‘delivery notes’, asking me to ‘print a zip file’. The ‘zip’ file was a Microsoft Excel .xls file, and likely not an xls file, but something quite nasty.
Internet cafes. Ever used one to pick up your email? There’s a good chance that someone knows your email account password — those computers often have keyloggers installed, or have someone on the same network watching the net traffic, or intercepting it. Use that same password on paypal? Oh well, say goodbye to your money. Ever used a public wifi connection? You know, one of those unencrypted ones on your iPhone? Your iPhone logs into your email accounts without encryption? Say goodbye to your username and password.
Is Heartbleed serious? For webhosts, yes. For users, in the brief period after heartbleed.com went live, till our servers were patched? Yes. Now? Not really. It could have been a lot better, and it could have been a lot worse. Hopefully, this will give the OpenSSL guys more resources to stop any future bug like this slipping through the net. Do you need to reset your passwords? Only if you connected to a vulnerable https:// site, in the brief period that the bug was around. Better would be just to watch your bank statements, something you should be doing anyway. Use 2-factor authentication if you can. Use a password manager; my favourite is Keepass, with its database stored on Dropbox, and a key file stored elsewhere. Use separate passwords for every site, and don’t try to remember them, just auto-generate them using Keepass’s algorithms.