I get up to a lot of trouble and have more hobbies than time & storage space. One I'm most proud of is being a part of founding We Love DC.
22 stories
·
7 followers

Klockit

1 Comment

This is a follow up to Kevin’s post on Recomendo regarding using DST adjusting wall clocks. If you have old clocks with mechanical, electrical, or non-functional movements that either don’t work you are tired of correcting for daylight savings time, Klockit.com has a variety of quartz replacement movements for almost any size set of clock hands. These are fairly reasonable cost, quartz crystal based movements with a WWVB receiver that adjusts for DST.

They also have a variety of other clock products from movements, clock hands, plans, to complete kits. I’ve bought their movements to replace old mechanical movements that were irreparable including one with a faux pendulum so that the pendulum swings but the clock still keeps quartz-based time.

-- Marc Goldfarb

Quartex Atomic Clock Movement ($9)

Read the whole story
donw
2010 days ago
reply
This seems dumb till you own a decorative clock that you like which is forever needing adjustment. I drilled a hole in the back plate of the one in our living room because undoing the three thumbscrews to get to the time adjuster every week was making me nuts. I think I'll get this and update the clock once and for all.
Arlington, VA
Share this story
Delete

Links #357

1 Comment

Luke is in the desert and whining.  –  Palette-Swap Ninja

I adore double parodies; they take real skill to pull off well, but the results are so often amazing.  Today’s video, the first in a series of 11, is both the funniest Star Wars parody and one of the cleverest Beatles parodies I’ve ever encountered.  It was called to my attention by Mistress Matisse, and the links above it were provided by Tim Cushing (“nope”, “Loki” and “black”), Grace (“amateurs”), Rick Horowitz (“Star Trek”), and Lenore Skenazy (“lockdown”).

From the Archives




Read the whole story
donw
2738 days ago
reply
Great videos.
Arlington, VA
Share this story
Delete

The Relay Car Hack Reinvented – with $22 Hardware and Up to 1000 Foot Range

1 Comment

Wired reports:

A group of researchers at the Beijing-based security firm Qihoo 360 recently pulled off the so-called relay hack with a pair of gadgets they built for just $22. That’s far cheaper than previous versions of the key-spoofing hardware. The Qihoo researchers, who recently showed their results at Amsterdam’s Hack in the Box conference, say their upgrade also significantly multiplies the radio attack’s range, allowing them to steal cars parked more than a thousand feet away from the owner’s key fob.

The attack essentially tricks both the car and real key into thinking they’re in close proximity. One hacker holds a device a few feet from the victim’s key, while a thief holds the other near the target car. The device near the car spoofs a signal from the key. That elicits a radio signal from the car’s keyless entry system, which seeks a certain signal back from the key before it will open. Rather than try to crack that radio code, the hacker’s devices instead copy it, then transmit it via radio from one of the hackers’ devices to the other, and then to the key. Then they immediately transmit the key’s response back along the chain, effectively telling the car the key is in the driver’s hand.

Watch this dramatization:

Read more.

(The basis of the Wired article comes from the Chasing Cars: Keyless Entry System Attacks talk given at Amsterdam’s recent Hack in the Box conference; you can find the slides from this talk here (PDF).)

Read the whole story
donw
2740 days ago
reply
Super neat. I think the dramatization should have instead showed them attacking a parking lot used by a valet service. A giant box of keys all in one place? You could probably just walk up to any car in the lot and assume you'd get a signal for that vehicle.
Arlington, VA
Share this story
Delete

NoIR laser goggles

1 Comment and 3 Shares

I have had insomnia issues for as long as I can remember. This year, I came across some research that seemed to indicate that blue light caused insomnia in some people. I started experimenting with all sorts of strategies of restricting blue light exposure, and now consider myself cured. The best way I found to block any light that would interfere with sleep was my NoIR laser goggles.

As a bit of scientific background, the pineal gland in the brain reacts to blue or green light received by the eyes, and stops generating melatonin when blue/green light is sensed. In our natural habitat, this would only happen during the day – in the unnatural world we live in, we are exposed to a lot of light with a blue/green component at night. This causes insomnia and poor sleep due to the lack of melatonin.

The frequency of light that affects the pineal gland is blue, green, and (partly) yellow. So, it’s not enough to just block the blue frequency – it’s important to block all light frequencies up to about 550 or so (red). Also, even a little blue/green light will still affect the pineal gland, so the optical density of the glasses has to be high (above 5) – they have to really block all light at those frequencies.

I wear my LaserShields for 2 hours before going to sleep. Because their optical density is so high, they really do not let any blue/green light through. I can use my laptop or my smartphone with no ill effects; I fall asleep immediately afterwards and sleep like a baby.

[Amazon sells laser protection goggles that are much cheaper. This model claims to filter light from 190nm to 540nm and costs $5. It might be worth trying these first. – Mark Frauenfelder]

-- L.M.

NoIR LaserShields
$130

Available from Kry Filter

Read the whole story
donw
3312 days ago
reply
@gregvr this struck me as something that would tweak several of your areas of "huh!" interest
Arlington, VA
gregvr
3312 days ago
At first I thought he was saying to wear them to bed, which seemed insane, but wearing them before bed is very interesting. LASER goggles, though, is insane. You do not need to blog 99.9999% of blue and green light to get this effect! (as Mark points out, there are cheaper versions)
Share this story
Delete

Cognitive disconnect: Understanding Facebook Connect login permissions

2 Comments

[Nicky Robinson is an undergraduate whose Junior Independent Work project, advised by Joseph Bonneau, turned into a neat research paper. — Arvind Narayanan]

When you use the Facebook Connect [1] login system, another website may ask for permission to “post to Facebook for you.” But what does this message mean? If you click “Okay”, what can the site do to your profile?

Motivated by this confusion, we explored Facebook Connect login permissions with the twin goals of understanding what permissions websites are given when a user logs in with Facebook and whether users understand that they are authorizing those permissions. Here is a working draft of our research report.

As it turns out, allowing an app to “post to Facebook for you” allows it do quite a bit. It can update your status, upload photos, upload videos, share things with your friends, check you in at locations, publish your activity on that site, create notes—basically, it can put anything on your timeline.

Facebook Connect provides a plethora of permissions developers can request to allow their website to access various parts of a user’s profile. The majority are for reading information, others are for particularly sensitive areas such as sending text messages. Eight are permissions to publish. But quietly these eight permissions have been combined into one. If a developer requests any one of the eight, they will get them all.

Two blog posts by Facebook (1,2) explain that they “simplified” and “clarified” the permissions process by combining all of the publishing permissions into a single one called publish_actions. However, the other seven more limited permissions (such as a permission to create a note and another to upload a photo) can still be requested. Many apps still request them but now get the full set whether or not they realize it.

We filed a security bug report with Facebook stating that requesting one publishing permission gave access to all of them. Facebook Security reiterated the position from their blogs, stating that “this behavior is by design” and claiming that all-or-nothing write permissions are “easier for users to understand.”

To evaluate this claim, we surveyed hundreds of users to see if they actually understand what sites will be able to post on their profiles when they log in. Respondents were actually significantly worse at identifying what could be posted than if they had just guessed randomly. However, this was not true of read permissions—users were significantly more likely to understand read permissions correctly with their granular model. This suggests that fine-grained permissions may be easier for users to understand.

Percentage of respondents that correctly understood each read permission

Percentage of respondents that correctly understood each write permission

We identified several other major gaps in user understanding of Facebooks’ permissions model. Users generally don’t understand that their privacy settings only affect what other users can see, not what the apps they authorize can see. They also tend to think apps can only perform actions that make sense for that application: they expect Flickr can post photos and TripAdvisor can post checkins, but don’t realize either app can take both actions. This suggests users implicitly have a contextual integrity model of privacy.

Building user interfaces that intuitively reflect user expectations about privacy is always challenging. In the case of all-or-nothing write permissions, however, it appears Facebook is using a model which is much harder for users to understand than the granular system despite claiming publicly that the new model is easier. So why the discrepancy? Facebook may be unaware that their new model is actually more confusing. It’s likely that the consolidation of write permissions is a technical artifact of the ways Facebook has changed. It used to be that uploading a photo and updating your status were distinct actions, but now they’re both posts on your timeline.

A more cynical possibility is that Facebook is intentionally creating vague messages so users do not understand all the permissions they are giving up. This would let developers obtain more permissions to share content without putting off users. Facebook’s own documentation claims that “apps that ask for more than four permissions experience a significant drop off in the number of completed logins.”

Single sign-on systems have the potential to make the web more secure (fewer passwords can mean stronger and more secure passwords). Facebook Connect’s data sharing features allow sites to do some really cool things and have been a major factor in making it the most deployed single sign-on system on the web. But this potential win-win depends on giving users effective understanding and control of the data they’re sharing, as Facebook recognized when launching the system back in 2007.  Our research suggests that there’s still significant room for improvement.

Note: On April 30, after the conclusion of our research and our correspondence with Facebook security, Facebook announced an update to its permissions system which allows users to reject individual read permissions or login anonymously. However, this change does not address our concerns: there is still only one publishing permission and it is still presented with the same vague message.

I would like to acknowledge my coauthor and adviser on this research, Joseph Bonneau.

[1] The system is now officially called Facebook Login and not Facebook Connect. We stick with the latter term which is still more widely recognized.

Read the whole story
donw
3794 days ago
reply
Gross
Arlington, VA
Share this story
Delete
1 public comment
reconbot
3795 days ago
reply
That one bar in Germany where you're expected to go and hangout.
New York City

iMessage Purgatory

4 Comments

Adam Pash:

I recently switched from an iPhone to Android, and discovered shortly thereafter that my phone number was still associated with iMessage, meaning that any time someone with an iPhone tried texting me, I’d receive nothing, and they’d get a “Delivered” receipt in their Messages app as though everything were working as expected.

Read the whole story
donw
3827 days ago
reply
Very interesting from an engineering standpoint. iMessages needs for the servers to know if a number if capable of iMessages even if that number is currently unavailable, so the fact that the number isn't logged it - or hasn't even done it all that recently - isn't necessarily cause for iMessage servers to stop "showing blue."
Arlington, VA
Share this story
Delete
1 public comment
ravenel
3829 days ago
reply
I also recently switched from iPhone to Android (love it, BTW--Android may have been flaky and poorly designed years ago, but no longer), and had similar struggles. Not quite so bad, and luckily my work phone is an iPhone so I was able to resolve that way, but it was shockingly difficult.
ÜT: 40.673477,-73.975108
Next Page of Stories