Ask HN: I'm quadriplegic – can you help me with my security?
I've run out of places to look so I hope you guys can help me with this. I would like to:
1. Securely login to my various websites 2. Securely lock and unlock my MacBook Pro.
Easy, right?
Except I'm quadriplegic. I use DragonDictate[1] to input text, and invoke keyboard shortcuts verbally, and SwitchXS[2] with a single button switch[3] (to move the mouse around and switch between applications etc). With these I have nearly total control over my laptop.
I use a password manager and once I've spoken the master password out loud the rest of my password challenges are automated. This is necessary, but not so secure as my laptop is then just open to anyone who picks it up. But I can't password lock my whole laptop because OS X requires that password before it will load up any applications, and I can't put a password in without my apps.
I was thinking of getting a YubiKey, but for that I would need to touch the sensor on the key to activate everything, but as you might imagine the whole quadriplegic thing gets in the way of this!
Some other sort of hardware master key, maybe? What do you guys think?
A word on the adversary: I want my personal information secure from casual passers-by who after having a quick peck on the keyboard would more than likely give up; I'm not looking for PRISM dodging security here :-)
Anyway, any help would be greatly appreciated!
[1]: http://www.nuance.co.uk/for-individuals/by-product/dragon-for-mac/dragon-dictate/index.htm [2]: http://www.assistiveware.com/product/switchxs [3]: http://www.ablenetinc.com/Assistive-Technology/Switches/Buddy-Button-and-Big-Buddy
171 comments
[ 2.5 ms ] story [ 241 ms ] threadI wonder if it could be set to lock at boot unless your phone (or BT headphones or whatever) is nearby.
I doubt this can be all that secure since it can be downloaded from the App Store, I'm pretty sure that means it can be force quit (it could not prevent this key combo since its restricted in the sandbox). It may be just enough.
[1] http://www.appuous.com/products/mac/keycard.html
I am assuming that the OP is simply taking steps to mitigate an ever present fear of "being taken advantage of". There are some real arseholes out there, for example a friend of a friend was a blind dumb mute who was mugged in the street - nothing stolen except her cane and cards she used to communicate. She had no way to communicate with anyone, and they had no way to communicate with her.
She had to walk home...
Pain medication, from somebody with nerve fire… I just don't understand that mentality!
Anyone know of anything?
Edit:
Found one! https://www.keylemon.com/download-other-versions/
Then the bad guys would make a sculpture.
Then the good guys could add some kind of mannerism detection (smile?, wink?).
Then the bad guys would work on latex masks.
....I quite want to see how this evolves tbh.
Removed it the day a friend of mine unlocked it with his face(he looks quite different).
Reliable facial recognition would be great though, just not managed to find it!
I would guess something like this- an arduino hooked up to something you can operate (BigBuddy?). This could then ask you for your PIN code (2 taps, 3 taps, 2 taps)
Once arduino is happy it will quirt a pre-stored key sequence into the USB port, acting as a keyboard, and unlock what you need.
I have no idea if it is really viable but its the best I have.
http://grathio.com/2010/05/secret_knock_detecting_gumball_ma...
There's also QuickLock which was/is a workaround to lock OS X quickly without using the screen saver + immediate password requirement. http://www.quicklockapp.com/
Note: I haven't used either, I'm just googling and looking at videos.
Well, OK, a mugger might, but would they recognize little fob thing as something of import that must be close to the computer?
Or, you know, just fence it.
The interface could just be a python script reading for serial over USB. I built some Raspberry Pi based RFID terminals that ran a python script in a loop, no problems running them for days on end.
That's the extent to which I know, someone else would have to chime in on exactly how to interface the script with access control.
.
---going further---
Then just encrypt the home folder's contents on a file-basis & sync it with a privately owned server. This improves the chances of data-recoverability on crashes or on filesystem corruption. Add a kill-switch toggle that erases all important files on the mac on 5 unsuccessful login attempts, and enables surveillance mode permanently using different tracking software (prey-project for example).
Could you expand a little or point me at some resources, that would be great thanks :-)
But here are opensource solutions:
http://musicbrainz.org/doc/Fingerprinting
http://echoprint.me/
http://www.politepix.com/openears/
http://cmusphinx.sourceforge.net/wiki/
Something like that would be ideal if a system could be implemented that was reliable enough, there's always going to be some degree of false positive/negative but it would be cool otherwise.
I think you might also be able to make use of a kinect or Andriod/iPhone and some eye-tracking.
Also, do you know of these guys? It's where my colleague worked about twenty years ago. http://www.tirrfoundation.org/
How about an RFID tag fixed to your wheelchair, and a transceiver for it mounted on your computer desk?
That said, I've heard of some quadriplegics with basic finger function using morse code-style inputs in various ways. I don't know details, but this[1] popped up in Google. It seems old but potentially interesting.
I wonder how much work it would be to put together something like an Arduino-based device that takes morse-like input and simulates a USB or Bluetooth keyboard?
[1] http://www.makoa.org/jlubin/morsecode.htm
>I wonder how much work it would be to put together something like an Arduino-based device that takes morse-like input and simulates a USB or Bluetooth keyboard?
IMO it has never been easier.
- Figure out how to add a text filter between DragonDictate and your system.
- Program the filter to look for a special sequence, e.g. "cipher_mode"
- When in cipher mode, feed characters through a simple cipher. E.g. A -> C, B -> D, etc. No passerby is going to be able to figure out what you're doing.
- When the filter sees "cipher_mode" again then it stops filtering.
But you make a good point. I think this approach can still work though.
- Rotate the cipher based on the current day/time, or rotate it based on the previous use.
- You could prime the next password each time you successfully login. So e.g. every time you login, you offer 3 additional letters in "clear mode", but then have to give them back in cipher mode.
I think I'd go with the last one.
The worst part about all this is that it requires custom programming.
[1] https://helpdesk.lastpass.com/account-settings/security/
I'm based in the Netherlands so I probably can't help you, but maybe you could ask an electrician near you to help you with it.
You're on OSX, so let me see what I can come up with. No promises, but I'm looking.
1. http://www.yubico.com/products/yubikey-hardware/yubikey-neo/...
EDIT: I see that the Yubikey NEO is sold out for the next 5 weeks, so this may not be the best option for you.
EDIT2: The best solution was referenced by silverlight above, it's called TokenLock for Mac OSX, and it's $3 in the App Store. You can use it with bluetooth devices. Just get some little $20 bluetooth device or headphones you can pair it with, and have someone put it in your pocket. Please take a look here (again, thanks to poster silverlight above): http://www.map-pin.com/tokenlock-home/ Never used it, but it looks pretty versatile and can be used with all sorts of login approaches.
For securing your browser passwords, I think the Yubikey with the NFC chip will be your best bet. Right now, they don't have OSX software available specifically for the NFC, but I imagine they will release some eventually. I'd call and ask them.
As for TokenLock, I downloaded the free trial and during the setup process my laptop locked up for apparently no reason; I had to have my partner stop at she was doing and come and restart the computer for me. Clearly not an ideal situation.
It really was a case of;
Download and install application Run through the setup process, which appeared to go flawlessly Read's helpful message that laptop will be locked when iPhone goes out of range … Laptop locks up as I'm reading the message, whilst my iPhone has sat resolutely still about 5 inches from my laptop!
That is a terrible level of reliability for me I'm afraid :-)
What if you install virtual box w/ some free OS (like ubuntu). Store all your personal information within the virtual machine which is configured with a secure login. Then you can leave the laptop unsecured so you can use your other apps to dictate the password to the ubuntu OS for login.
The idea probably has some other practical problems though.
If they can password-less auto-login to the main computer, then use their dictation software to load up a VM, that VM could be considered secure.
As a side note, can't you also run Mac OS X as a VM guest from a Mac OS X host? I thought that Apple made that license change a while back. If that's the case, they could keep it all Mac, if they'd like.
[1] http://kb.vmware.com/selfservice/microsites/search.do?cmd=di...
("...you are granted a limited, non-transferable, non-exclusive license... (iii) to install, use and run up to two (2) additional copies or instances of the Apple Software within virtual operating system environments on each Mac Computer you own or control that is already running the Apple Software, for purposes of: (a) software development; (b) testing during software development; (c) using OS X Server; or (d) personal, non-commercial use...")
OP could get at least get screensaver-lock functionality, but actual security in this situation is hard.
Using a VM as the "real" machine seems to be at least as effective as any other suggestion made here and far less brittle.
>Ring....
>Ring...
[pickup]
>"Adversary profile precludes this vector"
[/hangup]
I've now got one for "press one if you're calling me about an unbelievable sales opportunity" that gives the exact response. I have no idea if anybody has called it yet, but it's kept me laughing for the past three days!
[1]: http://pbx.sipcentric.com/
https://itunes.apple.com/us/app/bluetooth-unlock/id576603568...
It looks like it may work with any BT device, so even if you don't have a BT-enabled phone, you could get a cheap BT headset or something, and keep it on you.
I'd also like to say that it's great to see you doing so well with technology. I had a quadriplegic friend when I was little (he was an adult) who had a nice setup for the time, but his independence was limited to a few things like Clappers for lights, TV remotes, and such. I sometimes wonder just what crazy things he'd be getting up to if he was still around today with a setup like yours.
This app does claim to support any BT device, just in case the other one doesn't:
https://itunes.apple.com/us/app/tokenlock/id402433482?mt=12
Hope you figure out something that's to your liking.
Perhaps a Pebble Watch?
You can also get a proximity alarm for your iPhone.
Easy to say things like that isn't it.
Perhaps even a very ugly iPod Touch might work.
It took practice to talk perfectly clearly, but it could be mastered.
Google "throat microphone".
Seriously though, I'm connected to this computer with a ton of cables and if that could be made to play nice with Dragon, and it wasn't too tight across where the break is in my neck it would be brilliant!
But fingers crossed this one will work!
EDIT: You can even pick colors: http://dx.com/s/throat
An Arduino can act as a keyboard ( http://hackaday.com/2012/06/29/turning-an-arduino-into-a-usb... )
You could then hook that into some controls you've already got on the chair - the obvious choice being to have "Up, Up, Down, Down, Left, Right, Left, Right, B, A, Start" trigger the Arduino to type out your password.
(Where are you from? I know if someone asked for help with this on my local (Sydney, Australia) hackerspace mailing list, there's probaby be three or four people building prototypes by the weekend…)
That being said this solution could be implemented wirelessly maybe? I mean have the arduino sitting somewhere connected to the laptop wirelessly, and then have a switch connected to the arduino wirelessly as well?
The only sticking points I could see are that obviously I can't assemble these things myself, and travelling to a Hackerspace would be impossible unfortunately.
Also, I'm in the UK.
I'm in Australia, so the UK is a bit far to be prototyping - did you see Helgosam's post else-thread? Sound's like he's at least in the same country as you and capable of helping out (and/or putting you in touch with other locals who're in this space…)
https://news.ycombinator.com/user?id=Helgosam https://news.ycombinator.com/item?id=6054049
[1] http://www.emotiv.com/
It looks like it could be applied to all sorts of accessibility situations and problems though!
The laptop only being accessible via voice recognition and one button should be enough to render the entire system unusable to casual snoops.
edit: Looks like you can disable/reenable the builtin keyboad/touchpad with terminal commands, so it'd just be a matter of scripting them to voice shortcuts: http://superuser.com/questions/214221/how-can-i-lock-the-mou...
ps: be sure to have a plan B to reboot your laptop while experimenting with this in case it locks out your controls somehow.
Do you have exemples of websites that use technology to facilitate surfing for disabled people , that could be shown as an exemple of good accessibility practice ?
thanks and take care.
Obviously that would take a little feat of memory, or at least some kind of prompt, but you could memorize a poem or something and use that - it would prevent replay attacks.
Or, use an algorithmic password, perhaps one where you do a sum based on the time of day.
All these solutions require some level of coding sadly, but I would have thought it would be something a freelancer could knock up relatively cheaply.