Make Every Week: Bluetooth Device Sniffer

This week became “Tinker Every Week” more than “Make Every Week,” as I tried to make a new device-sniffing device.

Previously, I managed to detect wifi signals around me, and I wanted to do the same for Bluetooth devices, including gadgets using new “Bluetooth Low Energy,” or BLE, signals. These include iBeacons and other tracking systems being deployed more and more around us.

I got myself a Bluefruit LE Sniffer from Adafruit ...

... and rigged it up to my Raspberry Pi.

Make Every Week: Seal Watch

The buzz in our corner of Manhattan is all about the Inwood Seal.

Not only did the seal appear on a dock in Spuyten Duyvil Creek just off the Hudson River, but he came back. So naturally, we keep an eye out for the cute critter when we visit Inwood Hill Park.

But what about when we’re not there? How will we know if he’s returned?

Now, there’s a bot for that.

Make (Almost) Every Week

I learned a lot this week:

I also used some that new knowledge to write a little program that pulls the title, lead image and date from pages like the one you’re reading right now.

But I didn’t make anything, really. Except a base to build upon.

So while I don’t have a cool thing to post just now, I’m glad for what I’ve learned.

Including the fact that this year has 53 weeks.



#MakeEveryWeek is a challenge to myself to do just that for all of 2015. The original post on the idea is here, and the running list of projects so far is here.

Make Every Week: Remote-Controlled Egg

In a nod to the egg-dying we’ll be doing this weekend, I made an egg I can color from my phone.

In truth, it was the perfect excuse to play with a Metawear board I picked up a while ago. Hatched from a Kickstarter campaign, it’s a bunch of sensors and an LED packed onto a board the size of a postage stamp. You talk to it over Bluetooth Low Energy (BLE).

The idea is that Metaware can help quickly build smart wearables and fitness trackers. To dip my toes into the process, I made an egg.

Hi, Weatherbot

(This post originally appeared on the Opennews Source blog.)

The students’ eyes opened wide in a mix elation and evil-mad-scientist.

Lines of code projected at the front of the class had just done something in the real world: They sent a tweet. And you could see it, right there on the internet.

The power of this little exercise was crystal clear to the undergraduates. And they couldn’t hide their giddiness.

“Use this only for good,” I admonished.

They had followed along as I built basic Twitter bot. You can do it, too.

Email Encryption & My PGP Info

My PGP Info

Updated July 19, 2017

If you’re ready to start encrypting your email, scroll down just a bit to read about how I got started. If you already use PGP (or GPG), here’s the info you may be looking for about me:

I’m currently using a key with the ID of 6A9C5F59. Its full fingerprint is:

30D1 B2EF ECD0 BCA9 EBFA E13A CC77 A709 6A9C 5F59

Publishing the fingerprint and full public key in several places helps you be more certain that this key actually belongs to me. So I’ve included the key on my Twitter bio; put the fingerprint in the sidebar of this website, in this tweet, and on my employer's website; and published my full public key both on the MIT Public Key Server here and at https://s3.amazonaws.com/pgp.johnkeefe.net/6A9C5F59.asc.

These keys have belonged to me in the past, but I am no longer using them:

7FDCF763 

6E87C2D0 

A984EFF1

Encrypting Email

Most email these days zips across the internet in an open format someone can read in transit — even though the sender’s and receiver’s mailboxes are password protected. In that way, emails are more like postcards.

Encryption can help keep information private in transit. PGP, or “Pretty Good Privacy,” is one way to encrypt email and other text. (GPG stands for “GNU Privacy Guard,” and is basically the same thing.)

Encrypting email seems the like one of the most natural ways to communicate securely, but it’s unfortunately complicated to set up. I’ve jumped in, and I'm sharing my steps here so they might help others.

Caveat & credit

I’ll say upfront that I am not an expert on encryption or operational security. By any means. I'm a journalist who would like the option of keeping his communications secure. If your life or livelihood depends on secure communications, please rely on resources provided by experts.

Also, I’ve benefited from generous journalists who are more experienced and have shared their tips and tricks. These include Jeff Larson, Mike Tigas, Harlo Holmes and Aruelia Moser. Look up their stuff. They’re awesome.

Here, then, is how I started using encryption for email.

Download

First I downloaded the GPG Suite at gpgtools.org for my system, which is Mac OS. My apologies, but I’m not familiar with GPG on other platforms.

Verify

Since the whole point of this effort is security and integrity, I wanted to be sure the file I downloaded was an exact copy of the file distributed by the GPG developers — and not something that was altered or corrupted. There are helpful verification steps described here. Here’s what I did:

  • Opened Terminal
  • Went to my Downloads folder and checked the name of the downloaded file (yours may be different, depending on the current version): GPG_Suite-2015.03-b6.dmg

  • Typed:

    /usr/bin/openssl sha1 GPG_Suite-2015.03-b6.dmg

    and got

    SHA1(GPG_Suite-2015.03-b6.dmg)= 6621fc1da5211650b6ef4aa959fdd385a6a5a6d5

  • The part after the equals sign is a “hash” of the file, providing a kind of fingerprint based on all of the data in the file. It will be different for different versions of the software.

  • I compared that result with the SHA-1 hash posted on the gpgtools.org website (again, yours may be different — though the two should match)

    That's a match, so I'm good.

(Now that I’ve been using a version of GPG I trust, when I download updates I also use GPG to do a verification. Here’s how I do that.)

Install

Having verified the software is intact, I launched the .dmg file to install GPG Suite. The suite contains a set of modules. One is called “GPG Keychain,” and another modifies Apple Mail, which likely came with your computer, so it can send and receive encrypted email.

Make a new key

Once everything was installed, I launched "GPG Keychain" from my Applications folder.

I then made a new key, with the “New” icon. (If you have an existing key, you can look it up with “Lookup Key,” searching by your email address or name, and import it.)

  • I use my real name, so people can find me in key services
  • The email address matches the one I use to send and receive my email
  • I upload my public key so people can find me
  • I use the longest key possible
  • I have my key expire
  • I use a strong passphrase (GPG tools warns you if you don’t)

Making a key this way publishes your “public key” to the world. It also stores your super-secret “private key” on the computer you are using. This “private key” is what GPG Keychain and Apple Mail will use to decode messages sent to you. It is super important to keep it super secret. This means things like using a strong passphrase, using full-disk encryption on your computer and keeping your private key off cloud services like Dropbox. Some folks keep it off their computers entirely and use a sub-key instead.

Make a revoke certificate

This was an important step, I learned. If my private key gets lost, stolen or otherwise compromised, I need a way to disable it even if I don’t have it. A revoke certificate does that.

In GPG Keychain, I clicked on my key and then went to the top menu to Key -> Generate Revote Certificate ... 

I keep the resulting file in a safe place apart from my key.

All good?

Now I fire up the Apple Mail app. If all is working well, there is a shiny green "OpenPGP" box at the top edge of a new message window.

And in the Mail preferences, there’s now a GPG window with happy indicators.

As you can see, I’ve chosen to encrypt and sign all of my Mail emails whenever possible.

If things are not working well, here are a couple of bumps I hit and solved:

  • My Mail email account’s address needed to match the address in my key. Another option is to add a second “User ID” to the key, which I did by going into GPG Keychain, clicking on the key, clicking on “User ID” and clicking on the + sign.
  • I hadn’t used Mail before, and it seemed to hang initially. Turns out it was actually was downloading all of my online mail. This can take hours(!) When it was done, I restarted Mail and things worked.

Sending encrypted email

To send someone an encrypted email, I go to “GPG Keychain” and and look up their public key, either with their email address or — even better — with their PGP key fingerprint.

As a test, I used teammate Alan Palazzolo’s fingerprint to search for his key, and then imported it.

Switching back to Mail, I typed his email address into the "To:" field and the lock icon turned blue. That means I’m ready to send him an encrypted message. (The second symbol indicates I have digitally signed the email, which is useful but not an indication that it is encrypted. The lock is what I want.)

Importantly, the subject line and other meta information, including the fact that he and I are corresponding at all, is not encrypted. Also, I trust Alan to keep our conversation private, but there’s really nothing preventing him from copying a decrypted version of my note and posting it on the internet.

What do I have wrong?

This stuff gets complicated, fast. If Citizen Four is any indication, even journalists working on the most sensitive stories make mistakes with “OpSec,” or operational security.

If you see a mistake here, or have links to more resources, please let me know. You can leave a message in the comments … or send me an encrypted email.


Top photo (CC) David Bruce / Flickr

Make Every Week: Fish Tank Carbon Dioxide Generator

We have a moderately successful family fish tank: The fish seem to survive, the plants do not.

(Also we’re really good at growing algae, and may start feeding it to the children.)

With a coding problem, you Google it and get several excellent solutions. With a fish tank problem, you Google it and get several excellent solutions that contradict each other.

So the excellent solution we’ve chosen to make the plants happy is to add carbon dioxide to the tank. Plants need it, and one of my favorite in-store tanks uses it. So it's settled.

I thought I’d need to pick up a heavy tank of CO2, like when I rented a tank of helium.

Turns out you can coax yeast to make it for you. This Instructable describes how, and is what I used to make ours.

Make Every Week: Fitness Wristband

The same week we got details about the new Apple Watch, my Nike Fuelband died.

That got me thinking about what I really want — and don't want — on my wrist, and whether I could build something that fit my needs exactly.

So expect a few #MakeEveryWeek weeks devoted to iterations of a fitness watch. This is one of them.

My Fuelband had a clock, which I used for timing my midweek runs of about 20 minutes (don't judge). But I had to keep checking my wrist, and pressing a button in the band, to see if time was up.

I really wanted something to simply tell me when 20 minutes was up. So that's what I made.

Make Every Week: Selfies from Space

This is a snapshot of my town — taken yesterday.

It is crazy-amazing that I can get an image from space on my computer in damn-near real time.

The camera is Landsat 8, a U.S. Geological Survey satellite with a dozen sensors on it. I got an introduction to using satellite imagery at the NICAR 2015 Conference in Atlanta last week, so I thought I’d give it a whirl for this week’s #MakeEveryWeek.

I wondered if I could see from space the lovely thaw we had the past couple of days, with highs hitting near 60.