
DEFCON 28 Wrap Up


DEFCON, the world’s largest hacking convention and always one of the highlights of my year, was last weekend and, of course, remote. I missed being in Vegas with tens of thousands of hackers, but there were still some fantastic talks and conversations over Discord.

A quick “Top Five” highlights:

  1. If your password is eight characters or fewer, you essentially don’t have a password. Once the hash protecting it leaks, a small amount of money (rented GPU time) and a few hours are enough to crack an eight-character password with ease. Your password should be at least 12 characters.

  2. That wifi security camera you bought off Amazon for $40 is completely insecure: it shares your video, your credentials, and even your location with other cameras, unencrypted.

  3. Two-factor authentication is an important security measure for every account you have, but it can be beaten with a good phishing attempt: a relay page that proxies the real login and passes your code straight through. (The exception is hardware-key 2FA such as FIDO2/WebAuthn, which binds the login to the real site’s origin and so won’t complete on a look-alike page.) You can’t sleep on phishing just because of 2FA!

  4. The disinformation campaign to instill doubt in mail-in voting is real and huge. Since 2017, researchers have seen preparations for “time and place” digital attacks that can shut off internet or power to voting locations on election day…but then COVID-19 hit, and those kinds of attacks don’t work if everyone votes by mail! So, since the pandemic started, various nation states have launched campaigns to poison the public’s belief in mail-in voting, to get people back to the polls on election day and back inside the target radius of their attacks.

  5. I passed my FCC radio Technician exam!
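To put a number on the first highlight, here is an added illustration (my own example, not from the DEFCON talk or this post) that computes how long exhausting the keyspace takes for 8-, 10- and 12-character passwords. The two guess rates are assumptions for illustration only, roughly in line with published hashcat benchmarks for a single high-end GPU: a fast unsalted hash such as NTLM at about 1e11 guesses per second, a deliberately slow hash such as bcrypt (cost 5) at about 1e5 per second. The slow-hash row is the caveat the talk’s headline leaves out: “eight characters is no password” is true against a fast hash, and the defender’s other lever is making each guess expensive.

```python
# Added example (not from the original post): how much harder a 12-character
# password is than an 8-character one for an offline guessing attack.
# The guess rates are assumptions for illustration; substitute your own.
ASSUMED_RATES = {
    "fast hash (NTLM), one GPU": 1e11,
    "slow hash (bcrypt cost 5), one GPU": 1e5,
}

CHARSET_SIZES = {
    "lowercase": 26,
    "alphanumeric": 62,
    "printable ASCII": 95,
}


def keyspace(length, charset_size):
    """Number of candidate passwords of exactly this length over this charset."""
    return charset_size ** length


def seconds_to_exhaust(length, charset_size, guesses_per_second):
    """Worst case for the attacker: every candidate tried. A random password
    is found on average after half of this."""
    return keyspace(length, charset_size) / guesses_per_second


def human(seconds):
    """Render a duration in the largest unit that fits, one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(lengths=(8, 10, 12), rates=ASSUMED_RATES,
                     charsets=CHARSET_SIZES):
    """Map (rate label, charset label, length) -> seconds to exhaust the keyspace."""
    return {
        (rate_name, cs_name, n): seconds_to_exhaust(n, cs_size, rate)
        for rate_name, rate in rates.items()
        for cs_name, cs_size in charsets.items()
        for n in lengths
    }


if __name__ == "__main__":
    for (rate_name, cs_name, n), secs in crack_time_table().items():
        print(f"{rate_name:36} {cs_name:16} {n:2} chars: {human(secs)}")
```

With the assumed fast-hash rate, all 95^8 printable-ASCII candidates fit inside a day, while 95^12 runs to well over a hundred thousand years; against the assumed bcrypt rate even the eight-character space takes centuries, which is why a salted, slow hash on the server side matters as much as the length rule on the user side.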

A Home Office DND Button

I’m extremely fortunate that I have a true home office at our house. It’s my favorite room in our whole place, with both an internal door and a door to the back yard, and it affords me plenty of room to store my various projects and geeky collections. Of course, the most important aspect of my home office is that it’s a room where I can get some time to work on…well…these days I work on work in there. Not exciting, but it is important.

This has made Pandemic Life pretty easy for me, but (and of course I have a but) there is one problem that has come up. When I’m in my office and the door is shut, it’s really hard for anyone outside to tell whether I’m on an important Zoom meeting that shouldn’t be interrupted by a family member creeping in through the door behind me.

This is a problem that needed a solution.

A solution far more complicated and awesome than any of the following: knocking, a small white board, a post-it note, or a shared calendar. Those are fine solutions that any sane person would be proud of, but…I mean…honestly…no. No, we won’t be doing any of those.

Here’s what I came up with (click to see a short demo video):

Demo Video

The Problem

The core issue is that I want to be able to remotely trigger some kind of visual indicator that I am busy and can’t be disturbed at the moment. The additional problem is that there is no existing power source in the little area outside my office door, so unless I add a new outlet to the wall I can’t hang a Raspberry Pi screen or a tablet there as a little billboard; that kind of thing also wouldn’t have been as obvious.

The Solution

I replaced the one ceiling light bulb in the landing outside my office door with a color LED bulb from Amazon. If the color is the standard incandescent yellow, all clear; if the color is red, please hold. Yes, it makes the back of our house look like a hooker might take up residence there when I’m in a meeting, but it’s a fairly elegant solution that didn’t involve any moderate house surgery.

To control the bulb I have a two-layer solution: a complete software solution augmented by some hardware. The software is really what’s doing all of the actual automation, but the hardware…that little glowing button…is the fun part, and it does serve one real purpose: it shows me when DND is on, which is easy to forget. Also, clicky buttons are awesome.

Let’s start with the software.

The Software

We’re a Google Assistant household, as that platform seemed to work the best and better fit how my family and I want to use various “smart home” features. That’s important context, because the automation path I settled on is through Google Assistant. It wasn’t my first or most likely path, but it’s where I ended up after first trying to find an API for that random Amazon bulb (Nope!), then looking into Home Assistant (which I already have running at home) only to find that its component for those bulbs has been broken for some time (Strike Two!). Then I realized that my Google Assistant devices could manipulate the bulb just fine. How do you “talk” to Google Assistant from a script? The answer is Assistant Relay. Check out their site for the details, but for my story, I got an Assistant Relay instance running via Docker on my home server, configured it, and managed to send text commands to Google Assistant from my computer within 15-30 minutes. I then wrote a very simple script for my primary computer that reduces the whole thing to dnd.sh on or dnd.sh off.
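As an added example of what that wrapper script does, here is a Python equivalent of the dnd.sh described above; it is my illustration, not the script from the post. It assumes Assistant Relay v3’s HTTP endpoint (POST /assistant taking JSON with command, user, broadcast and converse fields; check that against the version you run), a relay host of homeserver.local on port 3000, a registered relay user named mike, and that the bulb is called “landing light” in Google Home so that the two phrases below are ones the Assistant will accept. All of those names are assumptions.

```python
#!/usr/bin/env python3
"""dnd.py on|off -- flip the landing light via Assistant Relay.

Added example, not the script from the original post. Everything below the
docstring that names a host, user or bulb is an assumption for illustration.
"""
import json
import sys
import urllib.request

RELAY_URL = "http://homeserver.local:3000/assistant"   # assumption: relay v3 endpoint
RELAY_USER = "mike"                                     # assumption: relay user name

# State -> the text command Google Assistant receives. Warm white is the
# "all clear" colour from the post; red means do not disturb.
COMMANDS = {
    "on": "set the landing light to red",
    "off": "set the landing light to warm white",
}


def build_payload(state, user=RELAY_USER):
    """Translate 'on'/'off' into the JSON body Assistant Relay expects.

    Anything other than the two known states is rejected, so a typo on the
    command line can never become an arbitrary command to the Assistant.
    """
    if state not in COMMANDS:
        raise ValueError(f"state must be one of {sorted(COMMANDS)}, got {state!r}")
    return {
        "command": COMMANDS[state],
        "user": user,
        "broadcast": False,   # change the bulb, do not announce on speakers
        "converse": False,    # one-shot command, no follow-up conversation
    }


def send(payload, url=RELAY_URL, timeout=5):
    """POST the payload to the relay and return its decoded JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode() or "{}")


def main(argv):
    """CLI entry point; returns the process exit status."""
    if len(argv) != 2:
        print("usage: dnd.py on|off", file=sys.stderr)
        return 2
    try:
        reply = send(build_payload(argv[1]))
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return 2
    print(reply.get("response", reply))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things worth keeping in mind with this setup: the relay’s HTTP endpoint is effectively a control plane for your house, so keep it reachable only from the machines that need it rather than the whole LAN, and the physical button later in the post types this same command as a USB keyboard, which means it types into whatever window has focus; restricting the script to the two fixed phrases above is what keeps a stray press harmless.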

Success! …and this could have been enough. Certainly typing the above commands in a terminal window I always have open anyway is trivial…but it’s not as fun as a button! Let’s make a button with some stuff I have lying around my workshop!

The Hardware

Final Button

I had a small Arduino board, the ItsyBitsy, lying around from a previous project, so let’s start there. I also had one of these small clicky buttons with an LED in it, so let’s throw that in as well. Wiring the button with the LED was straightforward once the right resistors arrived from Amazon, and I soldered it down to a proto board I also had in my stash.

Button Wiring on Bread Board

I then flashed the board with this code, which tells the computer it is a keyboard, toggles the LED, and sends the keystrokes that start the script.

Yes, I could have designed my own button housing, but that is a skill I haven’t yet mastered, and I found this lovely little box design on Thingiverse; after scaling it up a bit, it fit my proto board perfectly. It’s bigger than it needs to be, but it’s stable and looks fun on my desk. Once the print was complete, I used a step drill bit (these are great for drilling into plastic) to make a hole in the lid and another in the back for the USB cable to connect to the ItsyBitsy.

The Final Result

This was a fun little project that solved a problem in a way that makes everyone in the house happy. There are still some issues on the hardware side, such as the board firing a “DND OFF” command when it first boots, but they are minor enough that I’ve chosen to ignore them for now.

The Parts List

Hardware:

Software:

The Infosec Cold Call

Devil Cold Caller

I get asked occasionally about ways to improve corporate information security, or what kinds of things get easily missed, and while I’m no expert and there are an endless number of little things you can miss these days, there’s one thing I rarely hear mentioned that I like to remind technical leadership about:

Don’t talk to security sales cold calls!

Studio71, where I’m the CTO, isn’t some huge enterprise company or constantly in the news garnering press and attention, and yet I still get at least a couple of these kinds of calls every week.

ring

Me: “This is Mike Flynn”

Them: “Hi, this is __ from WhateverSec. I just have a few questions for you.”

Me: "Ok, but I really need to go." (No I don't.)

Them: “Sure, I’d just like to tell you about our new AI-powered blah blah crypto currency security solution. Let me ask you, what are you doing now for your corporate security?”

Me: “Ah, we’re happy with our current solution.”

Them: “What is your current solution? What kind of firewall are you currently running in your office? Are you using any monitoring devices on the network?”

Me: “I’m not going to detail our security infrastructure over the phone to someone I don’t know.”

Them: …

Them: “Ok, right. That makes sense.”

Me: “Thanks for calling, but I have to go.” (No I don’t)

click

How many people do you think happily gave up the brand of firewall…maybe the software version…maybe the network appliances they have at their office? A lot, I bet…but please don’t. A vendor name and a software version are exactly the reconnaissance an attacker wants before picking an exploit: they narrow the search to the known vulnerabilities of that one product. Was this person trying to research a hack? Honestly, probably not, but it only takes one, and even if they are legit they don’t need to know any of it anyway. Oh, did they say they were from Rapid7 or another established company? No they weren’t, because those companies usually don’t ask those kinds of questions, but even if they did, it doesn’t matter.

Feel free to buy whatever it is they have to sell, but they don’t need to know your security infrastructure to sell it!

The Sandwich List

Little Lucca Sign

I’m a sandwich guy. Ok, that’s an understatement. I’m really into sandwiches. I love the variety, the simplicity (or occasionally the complexity), the different textures, the bread, the meat (yes, meat), and usually, the cheese! I’ve spent my nearly 40 years in existence looking for the best sandwiches and then going to great lengths to eat them again and again. For example, I once flew into San Francisco for business in the afternoon and realized I had just enough time to grab a particular favorite sandwich. I raced out of SFO and, after three different and hurried Uber rides, I managed to get settled into my hotel with that beautiful white paper tube of sandwich sitting on one of the two queen beds in my room.

Yes, I rank the sandwiches, because of course I do! I’ve told people “Oh, you’re going to Portland?! One of my top five favorite sandwiches is from there!” but I’ve never actually written the list out in a place where I can refer back to it. It’s only fair that I do that now, as I always feel like there’s an element of cheating when people say something is “one of my favorites.” Out of how many, and how often does this list change?! Today’s the day I write that list down, throw it onto the internet, and make my favorites as official as some middle schooler’s current Facebook relationship status!

…but first a few ground rules. Well, one really. When I say sandwich I don’t mean hamburgers, burritos, gyros or any other “sorta sandwiches”. Yes, in a technical sense they are all sandwiches, but also they aren’t, because you have to draw the line somewhere, and I love all of those things too much to get a “Top Five” out of them that didn’t engulf me in angst. For this list, a sandwich is defined as various non-patty ingredients stacked between two pieces of bread.

5. Sugarfire’s Grilled Cheese (St. Louis, MO)

Sugarfire Smokehouse is a BBQ chain in St. Louis, MO. I love Sugarfire, and I always hit it up when I’m back in St. Louis, because they are great BBQ but also really inventive and downright weird with their specials. So many places have great BBQ, but Sugarfire does some weird stuff and it’s brilliant. I was there in June and saw “grilled cheese” as a special and thought to myself “Who the hell would come to a BBQ joint and get a grilled cheese?!” …and then, right before I ordered, I heard the three guys in front of me all order the same thing: grilled cheese. Then I looked at the ingredients and it…well…it’s not…I mean, there are multiple cheeses and it is grilled, but there’s also a ton of meat and a jalapeno popper on top…that was stuffed with smoked pork.

It was messy and it was top five good.

4. Dan’s Super Subs’ Hotel California (Los Angeles, CA)

Comes With: Canadian Ham, Turkey Breast, Swiss, Cheddar, Our Avocado Spread, Crispy Bacon Deli Mustard, Mayo, Lettuce, Tomato, Onions, Our 1000 Sauce, and Diced Pickles.

It’s just a great sandwich, and one time I was there I saw Mark Summers eating at the counter. What else do you need to know? The bread is great, the avocado spread and 1000 sauce are in the perfect amounts, and it seems like a small thing, but damn I love that chunky diced tomato and pickle “relish” on top.

3. Joan’s on Third’s Fried Chicken Sandwich (Los Angeles, CA)

With jalapeño cole slaw, garlic aioli and butter lettuce on rustic roll

Another LA institution, but this one is tucked in the middle of Beverly Hills off of…wait for it…Third Street. As you might guess, this sandwich isn’t cheap, but good god is it amazing. For one, fried chicken is one of the world’s most perfect foods, and then you put it on a lovely roll with aioli and a little heat from the slaw?! It’s a beautiful thing. The key is to get your order and get the hell out of there before the paparazzi show up chasing Justin Bieber while he’s grabbing a coffee.

2. Lardo’s Porchetta Sandwich (Portland, OR)

It’s a delightfully simple sandwich: porchetta, piquant gremolata, and caper aioli on a crunchy roll, and it tastes extra awesome on a rainy day in downtown Portland. I love Portland, and there are so many good places to eat that have great sandwiches (hell, Lardo has several others that are amazing), but nothing is as beautiful, simple, and delicious as the porchetta at Lardo.

1. Little Lucca’s Ultimate Club (San Francisco, CA)

Turkey, Ham, Bacon, Cheese

Look at that description. It’s a bit of a lie. There’s more to it than that, but also not really. It is truly turkey, ham, bacon, and cheese (I go with swiss), but it also includes the Little Lucca garlic and pepper spreads and your choice of huge fresh roll (I go with the soft sweet roll). I also will add jalapeno bacon because that’s how I roll, but it’s not needed. This sandwich is just unquestionably awesome. It’s huge, it’s relatively simple, every ingredient is fantastic and eating it makes me happy and then very full and then happy and then sad that it’s gone. When I describe this sandwich to people they never sound impressed, but if I bring them along they take a few bites and look up from across the picnic tables we’re sitting at behind the South San Francisco location that was clearly someone’s little house at some point, and say “You were right. This is amazing.”

Paywalls are OK, but Dumb Paywalls Aren't

I have hacked the paywall of my hometown newspaper’s website, STLToday.com, two or three times now. The first time came with more fanfare than I expected and the subsequent times have been more quiet, but each time I get some version of this pushback:

Twitter Convo

Look, I understand this point of view. You can, and many have, debated the business merits of paywalls for media companies such as the St. Louis Post-Dispatch (yes, they over-thought the hell out of their domain name). I think paywalls can and do work well, but they’re only viable for the big national sources; it doesn’t make business sense for regional news sources, though I understand why their employees might disagree.

What I can’t understand, and it’s the same reason I keep testing their paywall every time they roll out a new version, is why they keep implementing their supposedly critical business solution in such a crappy way at a technical level.

To review, every single paywall has been implemented entirely on the client side. The first version was based on a meta tag, and the most recent version was done primarily in CSS. Is it even a paywall at that point? You request the article with your browser and they give the whole thing to you, but then they hide some of it…and you still have all of it sitting on your computer! The rule is the same as for any access control: if enforcement lives only in code the reader controls, it is a suggestion, not a control; the server has to withhold the gated text from any request that isn’t authenticated as a subscriber. This is akin to them handing out free newspapers with the last few sections stapled together unless you pay. All I did was leave a staple remover on the table. If your media business is struggling to survive, you should come up with something stronger than a staple to keep your business together.


mikeflynn @ GitHub thatmikeflynn @ Twitter