Fullscreen HTML5Med Res (??MB)HTML4

Net Work Alan Winstanley This month’s column explains how the use of passkeys improves online security and eliminates password logins. The author also transfers data to a new phone and shares some hints and tips. E very web user will recognise the annoying requirement to log into any website that retains a user’s personal details. Even trivial online transactions usually involve inputting our name, address, mobile number and email address. Some even impertinently ask for our date of birth, or they might offer to remember debit and credit card numbers as well, an offer I never accept! Much has been written about the need to use a mix of special characters that makes passwords harder to guess. The old idea of substituting alpha characters with numbers (called ‘leetspeak’) such as p455w0rd has fallen out of fashion, and probably the best practical advice is to use a ‘passphrase’ of several words and maybe a special character at the end, such as: bread-coffee-7281#. A longer string of random words makes passphrases even harder to guess, for example: tulip.sugar.lawn.yoyo. To help users to memorise their passwords, I’ve noticed how special notebooks are sold, helpfully labelled ‘Password Book’ or similar, which would undoubtedly be goldmines in the wrong hands. Recording logins and PINs openly in clear print this way would also breach the terms and conditions of banks and credit card providers, rendering the account holder entirely liable for any losses caused by fraud. If you can’t remember logins, and you’re maybe liable to forget where you last left your password book, they’re not a good idea. A limited choice of online password managers is available that automates the task of logging in or filling in online forms. In the author’s case, having accumulated over 400 different logins over time, online security has been managed for 15 years with Roboform password management software. Roboform has been established 25 years and is something of an unsung hero in my opinion, as without it, life at a busy desk would soon grind to a halt; it’s one of the very few online services that I’m happy to invest time and money in, and it also works across mobile devices. It’s a powerful programme with many features and a few quirks, and you soon wonder how you managed without it. Another popular password manager is LastPass, a product that has suffered at least two security breaches in the recent past. The Tech Republic website doesn’t recommend LastPass for that reason alone, and tech website The Verge reckons LastPass may ‘have a lot of work to do if it wants people to trust it again’. LastPass is striving hard to restore credibility and has now implemented a minimum standard of 12-character passwords. Others to try include highly-rated NordPass (https://nordpass.com) and 1Password (https://1password. com). Obviously, you must also safeguard access to your PC and any password manager software as well, so explore those security options carefully. Common Captcha screens ask ‘how many traffic lights’ or ‘what is four times two’, or they may ask users to drag a jigsaw puzzle piece into position, but advanced hacking can nevertheless still defeat some of them. Admittedly, even I struggle to make sense of some Captcha screens, but, sadly, the ones who struggle most with this hurdle are those with vision problems who rely on screen reader software to surf the web. Web page screens that say ‘I am not a robot’ might seem deceptively simple or pointless, but they’re designed to be screenreader friendly, and Google’s reCAPTCHA v3 doesn’t need a challenge at all. Another log-in annoyance is the cookie opt-out screen, necessitated by the European GDPR and ePrivacy Directive. Cookie screens have spread like a rash across the web, and seem intended to punish website visitors seeking to safeguard their own privacy. Standardised cookie modules are often Crumbling cookies This Captcha screen uses a sliding jigsaw puzzle piece to confirm you’re really human. 10 During the log-in process, users are often interrupted by a ‘Captcha’ screen, which aims to prevent automated scanning or hacking of a website by ‘bots. A Captcha (Completely Automated P u b l i c Tu r i n g t e s t t o t e l l Computers and Humans Apart) ‘challenge-response’ causes a user to physically respond to a question, supposedly proving Some cookie opt-out screens make it onerous for users that a real human is logging in. wanting to opt out of receiving unwanted cookies. Practical Electronics | August | 2024 ‘Take Five’ is a UK Government campaign with lots of resources to highlight the risks of scams, fraud and identity theft. used on websites. The smartest ones have a simple ‘Reject All’ or ‘Essential only’ button allowing users to quickly opt-out before proceeding, while others annoyingly require visitors to opt out of a dozen ‘legitimate interest’ cookies, one by one. As often as not, this latter type gets a thumbs down from the author and I will simply go elsewhere instead. As an aside, web surfers will often see click-through URLs containing strings of characters that register web server statistics (Google Analytics) – an example might be: https://anywebsiteurl.com/ ?utm_source=google&utm_medium= emaillist&utm_campaign= 128465419&utm_content= 468754&utm_term=cookietest&ad_ source=2&gclid=Cj... etc. The term ‘UTM’ means ‘urchin tracking module’ which is Google’s website analytics at work. The string might include search terms, your username or email address in plain text or other data that identify trends and visitor behaviour in the stats. Facebook does the same, and the string ...url/?fbclid=blah... often appears in website tracking code, containing the Facebook Click Identifier. These days, I usually cut and paste these URLs into Notepad and delete the question mark and everything after it, in order to defeat Google Analytics. Only then do I paste the shortened URL into my browser. Apart from being hard to remember, another major problem with passwords is that, despite using multiple words and special characters to defeat hackers, they’re inherently insecure in the first place, simply because users can be tricked into revealing them through the use of fraud or phishing scams, for instance. Or maybe that Password Book could be stolen or lost. A phishing email or a highly targeted spearphishing mail may trick a victim into visiting a fraudulent website, where the password can be captured by crooks, or ransomware could be downloaded onto a visitor’s computer. Some phishing emails can be highly convincing, especially if they are timely ones (eg, one supposedly from ‘DHL’ arrives when I really am waiting for a DHL delivery), and even the author has had to hit the brakes once or twice before clicking a likely-looking link. It’s so easy to fall for this type of fraud when busily working online; as the UK’s National Cyber Security Centre (NCSC) says, ‘Asking users to examine, in depth, every email they receive will not leave enough hours in the day for work tasks. It’s an unrealistic and counter-productive goal because responding to emails and clicking links is an integral part of work.’ The Government advice to guard against these threats is to ‘Take Five’, see: www.takefive-stopfraud.org.uk Take Five contains many educational resources, web banners and information that can help to spread the word: if you’re involved with a local Facebook group or have vulnerable friends or relatives, the Take Five campaign is a timely reminder of these potential risks and it’s worth directing them to it. No pesky passwords – get a Passkey In extreme cases, passwords or user data may be stolen from a website’s database following, say, a ransomware attack, and within a few seconds they can fall into the hands of fraudsters anywhere in the world. Some websites are beginning 1554/1554F Polycarbonate IP68 Major websites such as eBay offer to create passkeys for users – they’re far more secure and easier to use than passwords, and are worth setting up on your device. to offer alternative logins using much more secure passkeys. These are fully encrypted and use a unique ‘private’ key on the user’s device together with a corresponding ‘public’ key stored by an online service. Old hands will recall PGP (Pretty Good Privacy) which was one of the few ways of encrypting or signing messages or transactions using PGP keypairs. Put simply, it’s rather like a user giving out open padlocks (the public key) to all and sundry, asking them to lock up messages with them before delivering them to you. It doesn’t matter who has an open padlock, because you’re the only one with the (private) key who can open them again. The private key is then safeguarded on your device by a PIN, a password or biometrics like fingerprints or facial recognition. Accessing the private key also proves that you are physically in control of the device on which it is stored. Websites including PayPal, eBay and Amazon now offer to set up passkeys as logins and they are an excellent idea for safeguarding security. Passkeys also make logging in from a device much simpler, as there’s no password to remember. Amazon has a useful primer on how passkeys work at: https://bit.ly/pe-aug24-amz A token gesture Other methods of enhancing security include the use of physical devices new sizes! Learn more: www.hammondmfg.com/1554 uksales<at>hammondmfg.com • 01256 812812 Practical Electronics | August | 2024 11 These Yubico security keys provide a physical ‘touch token’ that protects your logins securely against fraud or ID theft. Both USB-A and USB-C types are available. or ‘tokens’ such as the USB security keys produced by Sweden’s Yubico. These are used by all Google’s staff and contractors for secure computer and server logins, Yubico says. I covered Yubico’s secure keys in the June 2020 issue of Net Work and more details of these hardware devices are online at: www.yubico.com The author’s Facebook account is secured with a Yubico USB security key which, as an ID confirmation check, needs a simple touch-tap to prove that I’m physically present when logging in. Other higher-security types have a proper biometric fingerprint reader built in, but they become pricey – around €95, exc. tax. Yubico keys are available in USB-A and USB-C styles, and a tiny ‘Nano’ version is designed to reside in the port. The buzzword here is ‘FIDO authentication’ which is a powerful encryption protocol at the heart of Yubico secure keys. You can learn more about FIDO at: https://bit.ly/pe-aug24-fido and a catalogue of products and services that are ‘Yubico-aware’ is at: https://bit.ly/ pe-aug24-yub Over time, I expect to see more acceptance of hardware tokens like these as online security becomes ever more challenging. Time to swap phones Like many people, the writer has come to rely on a smartphone for helping with many everyday tasks or keeping track of communications. In some applications they are virtually indispensable: I wish it wasn’t always the case, but services including routine banking, shopping or even buying a parking ticket now use apps and, at the very minimum, consumers are often expected to have a mobile phone to receive security codes 12 – One-Time Passwords (OTPs) – sent by financial institutions or service providers. Just to reiterate a vital point: OTPs that you receive should never be given out to anyone else, as they may well be fraudsters looking to steal from you. If you unexpectedly receive an OTP, it may be a sign of fraudulent activity taking place, so be on your guard and investigate if necessary. An authenticator app on a smartphone can also be used to generate a code number as part of the 2FA process – both Google and Microsoft offer them. In the past few weeks, I finally upgraded my Huawei P20 smartphone as it was showing its age and was starting to buckle under the workload. It must be said that the Huawei has proved faultless, and it was generally a pleasure to use, but US sanctions against the brand effectively killed off the UK market, and so the next task was to transfer its contents to a new Samsung Galaxy 5G. I’ll summarise my experience of upgrading a phone, with hints and tips that I hope will help readers to prepare for the same eventuality. Although I rather dreaded the task, in reality, the job of moving everything over to a new phone went exceptionally well. For good measure, a cloud backup of my thousands of photos and video files is offered by Huawei and is still available for as long as I pay the negligible annual running cost. Huawei has kept its side of the bargain, and the cloud backup works efficiently, so I downloaded the cloud backup onto my PC as an extra measure. old phone, after which the process of copying contacts, mail, apps and media – including all those photos and videos – started automatically. This can be handled over Wi-Fi or via USB. Note that iOS as well as Android are supported. Happily, Switch it up On powering up the new phone, a setup routine asks whether you want to transfer data to it from another device, and Samsung’s Switch app is duly installed. The same app is also needed on the The Samsung Switch app worked flawlessly when transferring data and apps from an old mobile phone to a new Samsung smartphone. Practical Electronics | August | 2024 You can safeguard a smartphone camera lens with a low-cost tempered glass protector. the process was very simple, and no particular problems were experienced, but be ready to input those pesky usernames and logins when launching them on the new phone for the first time. WhatsApp, which is encrypted end-to-end, will only operate one account on one device at a time, so the ‘old’ account was automatically disabled on the old phone, but all WhatsApp media were migrated effortlessly to the new device. What I thought would be the trickiest transfer of all – the HSBC online banking apps – was totally seamless; HSBC allows you to use up to three devices and a QR code helped complete the operation very smoothly, with no issues experienced at all. As another benefit, the much better camera on the Samsung ‘snaps’ QR codes with just a cursory glance (see later). Everything went commendably smoothly, and I reflected that, finally, modern technology had delivered on its promises. Samsung, Google and Microsoft will jostle to offer cloud backup plans as well, and it’s worth spending time getting to know at least one of them. Thumbs up Next, biometrics can be set up as your fingerprint ‘dabs’ must be scanned by the new device for the first time. This was a slow process, and it’s wise to scan multiple fingertips in case one suffers cuts or abrasions. Samsung allows up to four prints to be scanned, but this idea won’t work if fingertips are wet through rain or moisture, so it’s definitely worth remembering PIN number alternatives and do practise using them to remain familiar with the code. Facial recognition scanning is another biometric option, but I didn’t bother setting it up. It was then a matter of getting to know the new phone. Tempered glass screen protectors costing just a few pounds are sold on eBay which safeguard against damage. A seller called ‘Pixfab’ supplied mine at low cost and it fitted perfectly thanks to the kit containing a screen wipe and drying tissue. It’s a one-shot operation so align everything carefully before releasing it onto the screen. A couple of ‘bubbles’ disappeared by themselves after a few hours and the screen protector is totally invisible. (An option in Settings can increase touchscreen sensitivity if screen protectors are used.) A tempered glass protector for the triple camera lens array, also supplied by Pixfab, fitted perfectly as well. The biggest headache was probably finding a suitable case, as the web is awash with Chinese-made products, but one branded ‘Qltypri’ proved fine, without spending silly money. What is comically marketed as ‘PU leather’ is – of course – actually polyurethane! The experience taught me that it’s feasible to set up a cloud backup, especially useful in case your phone is stolen or lost, with data uploaded over Wi-Fi rather than using mobile data. It’s critical to keep on top of account logins too, as these are needed the first time apps are opened on the new device. For anyone interested, Samsung fully explain the details of the Switch app, giving readers a good insight into compatibility and how it works – see: https://bit.ly/pe-aug24-sam Back on the topic of QR codes; as far back as the February 2012 issue I described how these new pixelated peculiarities would transform the way we captured data, by using our camera phones as scanners. As I explained above, I found my new smartphone scans even large, complex QR codes instantly, but it’s worth remembering that fake QR codes sometimes appear in public spaces. Counterfeit QR codes might sometimes be stuck over genuine labels: one car park was covered with them, with scammers trying to rake in cash from motorists. Railway station car parks and posters are another prime target. The UK’s NCSC offers advice which is worth recalling before you go and ‘snap’ a likely-looking QR code: https://bit.ly/pe-aug24-ncsc Fun with FLIR The July 2024 issue of PE included a design for a Pico-based thermal camera which, compared with the cost of commercial units, is an inexpensive and worthwhile introduction to capturing infra-red heat maps and exploring the emissivity of materials. My computer colleague recently dropped into the office with another toy to play with: a ‘CAT’ branded ruggedized smartphone with a difference, as it has a built-in FLIR (Forward-Looking Infrared) thermal camera. The CAT S60 battery was on its last legs, but I managed to power it up with a USB powerbank. The Terrington Components • Project boxes designed and manufactured in the UK. • Many of our enclosures used on former Maplin projects. • Unique designs and sizes, including square, long and deep variaaons of our screwed lid enclosures. • Sub-miniature sizes down to 23mm x 16mm, ideal for IoT devices. MADE IN BRITAIN www.terrington-components.co.uk | sales<at>terrington-components.co.uk | Tel: 01553 636999 Practical Electronics | August | 2024 13 This toughened ‘CAT’ smartphone includes a FLIR thermal camera. It can also highlight hot (or cold) spots and heat emitted by ‘vampire’ gadgets. FLIR camera can capture heat maps in colour, as well as imaging in monochrome and highlighting hot spots in red, or cold spots in blue. Spot-readings of temperatures are displayed. Checking a hot water supply or looking for ‘vampire’ electrical gadgets is fascinating. FLIR phones crop up on eBay from time to time, and as our project designer agreed last month, thermal cameras could help diagnose trouble spots in all sorts of situations. As for replacing the CAT’s battery, well, that’s a project for another day! Aiming for the stars Next, a roundup of current space missions and projects from around the world. China’s Chang’e 6 probe, launched in May, successfully touched down on the far side of the moon, and it’s hoped soil samples will eventually be returned to Earth. After a false start or two, Boeing’s Starliner launched its first crewed flight for NASA on 5 June, docking successfully with the International Space Station on a mission initially intended to last about ten days. A number of small helium leaks in the capsule are being investigated, and the next mission will carry three or more astronauts sometime in 2025. Sierra Space and NASA are now testing the ‘Dream Chaser’ spaceplane ready for launching later this year. The vehicle is the first ever uncrewed winged ‘space-shuttle’ style vehicle to be manufactured commercially (see Net Work, August 2023). The maiden flight of the 30-foot long (9m) vehicle, named Tenacity, will deliver cargo to the ISS using its ‘Shooting Star’ module. Sierra Space also has ambitions to build the first commercial ‘inflatable’ space station in the future. The inaugural flight of the European Space Agency’s long overdue Ariane 6 heavy lifter is scheduled for the 9 July, launching from French Guiana on the South American coast. A key feature of Ariane is that its upper stage main engine can stop and start up to four times, allowing it to deliver payloads at four locations along its trajectory, bus-stop fashion, rather than having to release an entire payload all in one go. The ESA has striven to replace Soyuz launches with Ariane ever since co-operation with Russia ceased following the Ukraine invasion. Space fans can, however, marvel at the Soyuz ‘User’s Manual’ still available on the ESA website at: https://tinyurl.com/mv7zpukd It contains a fantastic wealth of detail plus a history of USSR Soyuz rockets, starting with Sputnik’s launch 67 years ago, an Teach-In Check Point answers – see page 66-67. 1. c 2. b 3. b 4. c 5. c 6. b 7. b 8. a 9. b 11. a 12. c 13. a 14. a 15. c 16. a 17. b 18. b 19. a 14 10. c 20. a The first test flight of the European Space Agency’s Ariane 6 heavy lifter is scheduled for early July. (Image: ESA) accomplishment that heralded the start of the space race, and in turn saw the creation of a new, resilient, self-healing packetswitching data network – what became known as the Internet. And finally The arrival of the 1990s ‘Internet’ for consumers is where I came in, with the first column appearing in August 1996 when the world-wide web barely existed. This month’s Net Work is sadly the last one to appear under the auspices of the current Editor and Publisher, Matt Pulzer. Matt has edited PE successfully for many years and also became the Publisher in 2018, and has worked tirelessly to bring PE readers the widest choice of projects, tutorials and interesting topical features. Navigating us safely through the stormy waters of pandemics and lockdowns, Matt’s dedication and expertise has given each issue a touch of finesse and class. With Matt’s encouragement Net Work grew into a feature bringing readers news and trends covering the Internet, technology, space, energy and more. Matt explains elsewhere what’s in store for your favourite hobby electronics magazine, so here’s my personal ‘thank you’ to Matt for supporting Net Work throughout all these years, and more importantly, for bringing readers their copy of Practical Electronics every month. Good luck, Matt! See you next month for the latest The author can be reached at: alan<at>epemag.net from Net Work! Practical Electronics | August | 2024