This is only a preview of the August 2024 issue of Practical Electronics.
|
Net Work
Alan Winstanley
This month’s column explains how the use of passkeys improves online security and eliminates
password logins. The author also transfers data to a new phone and shares some hints and tips.
Every web user will recognise
the annoying requirement to
log into any website that retains
a user’s personal details. Even trivial
online transactions usually involve
inputting our name, address, mobile
number and email address. Some even
impertinently ask for our date of birth,
or they might offer to remember debit
and credit card numbers as well, an
offer I never accept!
Much has been written about the need
to use a mix of special characters that
makes passwords harder to guess. The
old idea of substituting alpha characters
with numbers (called ‘leetspeak’) such
as p455w0rd has fallen out of fashion,
and probably the best practical advice
is to use a ‘passphrase’ of several words
and maybe a special character at the end,
such as: bread-coffee-7281#. A longer
string of random words makes passphrases
even harder to guess, for example:
tulip.sugar.lawn.yoyo.
To help users to memorise their
passwords, I’ve noticed how special
notebooks are sold, helpfully labelled
‘Password Book’ or similar, which would
undoubtedly be goldmines in the wrong
hands. Recording logins and PINs openly
in clear print this way would also breach
the terms and conditions of banks and
credit card providers, rendering the
account holder entirely liable for any
losses caused by fraud. If you can’t
remember logins, and you’re maybe
liable to forget where you last left your
password book, they’re not a good idea.
A limited choice of online password
managers is available that automates the
task of logging in or filling in online forms.
In the author’s case, having accumulated
over 400 different logins over time, online
security has been managed for 15 years
with Roboform password management
software. Roboform has been established
25 years and is something of an unsung
hero in my opinion, as without it, life at a
busy desk would soon grind to a halt; it’s
one of the very few online services that
I’m happy to invest time and money in,
and it also works across mobile devices.
It’s a powerful programme with many
features and a few quirks, and you soon
wonder how you managed without it.
Another popular password manager is
LastPass, a product that has suffered at
least two security breaches in the recent
past. The Tech Republic website doesn’t
recommend LastPass for that
reason alone, and tech website
The Verge reckons LastPass
may ‘have a lot of work to do
if it wants people to trust it
again’. LastPass is striving hard
to restore credibility and has
now implemented a minimum
standard of 12-character
passwords. Others to try
include highly-rated NordPass
(https://nordpass.com) and
1Password (https://1password.com).
Obviously, you must also
safeguard access to your PC and
any password manager software
as well, so explore those security
options carefully.
Crumbling cookies
During the log-in process, users are often interrupted by a
‘Captcha’ screen, which aims to prevent automated scanning or
hacking of a website by ‘bots. A Captcha (Completely Automated
Public Turing test to tell Computers and Humans Apart)
‘challenge-response’ causes a user to physically respond to a
question, supposedly proving that a real human is logging in.
Common Captcha screens ask ‘how many
traffic lights’ or ‘what is four times two’, or
they may ask users to drag a jigsaw puzzle
piece into position, but advanced hacking
can nevertheless still defeat some of them.
Admittedly, even I struggle to make sense
of some Captcha screens, but, sadly, the
ones who struggle most with this hurdle
are those with vision problems who rely
on screen reader software to surf the web.
Web page screens that say ‘I am not a
robot’ might seem deceptively simple or
pointless, but they’re designed to be screen-reader
friendly, and Google’s reCAPTCHA
v3 doesn’t need a challenge at all.
This Captcha screen uses a sliding jigsaw
puzzle piece to confirm you’re really human.
Another log-in annoyance is the
cookie opt-out screen, necessitated
by the European GDPR and ePrivacy
Directive. Cookie screens have spread
like a rash across the web, and seem
intended to punish website visitors
seeking to safeguard their own privacy.
Standardised cookie modules are often
used on websites. The smartest ones
have a simple ‘Reject All’ or ‘Essential
only’ button allowing users to quickly
opt-out before proceeding, while others
annoyingly require visitors to opt out
of a dozen ‘legitimate interest’ cookies,
one by one. As often as not, this latter
type gets a thumbs down from the author
and I will simply go elsewhere instead.
Some cookie opt-out screens make it onerous for users
wanting to opt out of receiving unwanted cookies.
‘Take Five’ is a UK Government campaign
with lots of resources to highlight the risks
of scams, fraud and identity theft.
Practical Electronics | August | 2024
As an aside, web surfers will often see
click-through URLs containing strings of
characters that register web server statistics
(Google Analytics) – an example might be:
https://anywebsiteurl.com/?utm_source=google&utm_medium=emaillist&utm_campaign=128465419&utm_content=468754&utm_term=cookietest&ad_source=2&gclid=Cj... etc.
The term ‘UTM’ means ‘urchin tracking
module’ which is Google’s website
analytics at work. The string might
include search terms, your username or
email address in plain text or other data
that identify trends and visitor behaviour
in the stats. Facebook does the same, and
the string ...url/?fbclid=blah...
often appears in website tracking code,
containing the Facebook Click Identifier.
These days, I usually cut and paste
these URLs into Notepad and delete
the question mark and everything after
it, in order to defeat Google Analytics.
Only then do I paste the shortened URL
into my browser.
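
The manual fix above deletes the question mark and everything after it. As an added illustration (not code from the column), this sketch goes a step further than the text and removes only the tracking parameters, so links that genuinely need their query string still work, and it flags any remaining value that looks like an e-mail address. The parameter list and the sample links are assumptions constructed for the example.

```javascript
// Added example: strip click-tracking parameters instead of the whole query.
// The name lists are an assumption built from the parameters named in the
// column (utm_*, ad_source, gclid, fbclid); extend them for other trackers.
const TRACKER_NAMES = new Set(["gclid", "fbclid", "ad_source"]);
const TRACKER_PREFIXES = ["utm_"];
const EMAIL_LIKE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

function isTracker(name) {
  const n = name.toLowerCase();
  return TRACKER_NAMES.has(n) || TRACKER_PREFIXES.some((p) => n.startsWith(p));
}

// Returns the cleaned URL, the tracker names that were removed, and the names
// of any remaining parameters whose value looks like an e-mail address.
function cleanUrl(input) {
  let u;
  try {
    u = new URL(input);
  } catch {
    return { url: input, removed: [], emailLike: [] }; // not a URL: leave alone
  }
  const kept = [];
  const removed = [];
  const emailLike = [];
  for (const [name, value] of u.searchParams) {
    if (isTracker(name)) {
      removed.push(name);
      continue;
    }
    kept.push([name, value]);
    if (EMAIL_LIKE.test(value)) emailLike.push(name);
  }
  // An empty string drops the "?" as well; the #fragment is left untouched.
  u.search = new URLSearchParams(kept).toString();
  return { url: u.toString(), removed, emailLike };
}

// Constructed sample links (the gclid and fbclid values are placeholders).
const SAMPLES = [
  "https://anywebsiteurl.com/?utm_source=google&utm_medium=emaillist&utm_campaign=128465419&gclid=PLACEHOLDER",
  "https://shop.example/item?id=42&utm_term=cookietest&fbclid=PLACEHOLDER#reviews",
  "https://news.example/read?article=7&ad_source=2&email=reader%40example.org",
];

for (const link of SAMPLES) {
  const r = cleanUrl(link);
  console.log(r.url, "| removed:", r.removed.join(","), "| e-mail in:", r.emailLike.join(","));
}
```

The third sample shows why the check on remaining values matters: the tracker is removed, but the address is still sent to the site in a parameter that no name list would catch.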
Apart from being hard to remember,
another major problem with passwords
is that, despite using multiple words and
special characters to defeat hackers, they’re
inherently insecure in the first place, simply
because users can be tricked into revealing
them through the use of fraud or phishing
scams, for instance. Or maybe that Password
Book could be stolen or lost.
A phishing email or a highly targeted
spearphishing mail may trick a victim into
visiting a fraudulent website, where the
password can be captured by crooks, or
ransomware could be downloaded onto a
visitor’s computer. Some phishing emails
can be highly convincing, especially if
they are timely ones (eg, one supposedly
from ‘DHL’ arrives when I really am
waiting for a DHL delivery), and even the
author has had to hit the brakes once or
twice before clicking a likely-looking link.
It’s so easy to fall for this type of fraud
when busily working online; as the UK’s
National Cyber Security Centre (NCSC)
says, ‘Asking users to examine, in depth,
every email they receive will not leave
enough hours in the day for work tasks.
It’s an unrealistic and counter-productive
goal because responding to emails and
clicking links is an integral part of
work.’ The Government advice to guard
against these threats is to ‘Take Five’, see:
www.takefive-stopfraud.org.uk
Take Five contains many educational
resources, web banners and information
that can help to spread the word: if you’re
involved with a local Facebook group or
have vulnerable friends or relatives, the
Take Five campaign is a timely reminder
of these potential risks and it’s worth
directing them to it.
No pesky passwords – get a Passkey
In extreme cases, passwords or user data
may be stolen from a website’s database
following, say, a ransomware attack,
and within a few seconds they can fall
into the hands of fraudsters anywhere in
the world. Some websites are beginning
to offer alternative logins using much
more secure passkeys. These are fully
encrypted and use a unique ‘private’
key on the user’s device together with
a corresponding ‘public’ key stored by
an online service. Old hands will recall
PGP (Pretty Good Privacy) which was
one of the few ways of encrypting or
signing messages or transactions using
PGP keypairs. Put simply, it’s rather like a
user giving out open padlocks (the public
key) to all and sundry, asking them to lock
up messages with them before delivering
them to you. It doesn’t matter who has
an open padlock, because you’re the
only one with the (private) key who can
open them again. The private key is then
safeguarded on your device by a PIN, a
password or biometrics like fingerprints
or facial recognition. Accessing the private
key also proves that you are physically in
control of the device on which it is stored.
Major websites such as eBay offer to
create passkeys for users – they’re far more
secure and easier to use than passwords,
and are worth setting up on your device.
Websites including PayPal, eBay and
Amazon now offer to set up passkeys as
logins and they are an excellent idea for
safeguarding security. Passkeys also make
logging in from a device much simpler, as
there’s no password to remember. Amazon
has a useful primer on how passkeys work
at: https://bit.ly/pe-aug24-amz
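
A simplified model of the passkey login described above, added here as an illustration and not taken from the column or from any vendor's code: the device signs a fresh challenge from the website with its private key, and the website checks the answer against the public key it stored. The class names, message layout and origins are assumptions; real passkeys use the WebAuthn/FIDO2 message formats.

```javascript
// Added example: a simplified passkey login, NOT the real WebAuthn/FIDO2
// message format. Class names, the JSON layout and the origins are assumptions.
const nodeCrypto = require("node:crypto");

// The user's device: one key pair per website; private keys never leave it.
class Device {
  constructor() { this.privateKeys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
    this.privateKeys.set(origin, privateKey);
    return publicKey.export({ type: "spki", format: "pem" }); // safe to share
  }
  // `origin` is the address the browser is really on, not what the page claims.
  sign(origin, challenge) {
    const key = this.privateKeys.get(origin);
    if (!key) return null; // no passkey for this site, so nothing to hand over
    const clientData = JSON.stringify({ origin, challenge });
    const signature = nodeCrypto.sign(null, Buffer.from(clientData), key);
    return { clientData, signature: signature.toString("base64") };
  }
}

// The website: stores only public keys, so a stolen database cannot log in.
class Website {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> PEM public key
    this.pending = new Map(); // user -> outstanding challenge
  }
  enrol(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32).toString("hex");
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, response) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // each challenge is valid once
    const pem = this.publicKeys.get(user);
    if (!expected || !pem || !response) return false;
    let data;
    try {
      data = JSON.parse(response.clientData);
    } catch {
      return false;
    }
    if (data.origin !== this.origin || data.challenge !== expected) return false;
    const signature = Buffer.from(response.signature, "base64");
    return nodeCrypto.verify(null, Buffer.from(response.clientData), pem, signature);
  }
}

function demo() {
  const device = new Device();
  const site = new Website("https://shop.example"); // constructed origin
  site.enrol("reader", device.register(site.origin));
  const response = device.sign(site.origin, site.newChallenge("reader"));
  const genuine = site.verify("reader", response);
  site.newChallenge("reader");
  const replayed = site.verify("reader", response); // old answer, new challenge
  // A look-alike page relays a real challenge, but the device sees its origin.
  const relayed = site.newChallenge("reader");
  const phished = site.verify("reader", device.sign("https://shop-login.example", relayed));
  return { genuine, replayed, phished };
}

console.log(demo());
```

Only the genuine login succeeds: the replayed answer fails because the challenge has changed, and the look-alike site gets nothing because the device holds no key for that address.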
A token gesture
Other methods of enhancing security
include the use of physical devices
or ‘tokens’ such as the USB security
keys produced by Sweden’s Yubico.
These are used by all Google’s staff and
contractors for secure computer and
server logins, Yubico says. I covered
Yubico’s secure keys in the June 2020
issue of Net Work and more details of
these hardware devices are online at:
www.yubico.com
These Yubico security keys provide a physical ‘touch token’ that protects your logins securely against fraud or ID theft. Both USB-A
and USB-C types are available.
The author’s Facebook account is
secured with a Yubico USB security
key which, as an ID confirmation check,
needs a simple touch-tap to prove that
I’m physically present when logging in.
Other higher-security types have a proper
biometric fingerprint reader built in, but
they become pricey – around €95, exc. tax.
Yubico keys are available in USB-A and
USB-C styles, and a tiny ‘Nano’ version
is designed to reside in the port.
The buzzword here is ‘FIDO
authentication’ which is a powerful
encryption protocol at the heart of Yubico
secure keys. You can learn more about
FIDO at: https://bit.ly/pe-aug24-fido and
a catalogue of products and services that
are ‘Yubico-aware’ is at:
https://bit.ly/pe-aug24-yub
Over time, I expect to see more acceptance
of hardware tokens like these as online
security becomes ever more challenging.
Time to swap phones
Like many people, the writer has come
to rely on a smartphone for helping with
many everyday tasks or keeping track of
communications. In some applications
they are virtually indispensable: I wish
it wasn’t always the case, but services
including routine banking, shopping
or even buying a parking ticket now
use apps and, at the very minimum,
consumers are often expected to have a
mobile phone to receive security codes
– One-Time Passwords (OTPs) – sent by
financial institutions or service providers.
Just to reiterate a vital point: OTPs that
you receive should never be given out
to anyone else, as they may well be
fraudsters looking to steal from you. If
you unexpectedly receive an OTP, it may
be a sign of fraudulent activity taking
place, so be on your guard and investigate
if necessary. An authenticator app on a
smartphone can also be used to generate
a code number as part of the 2FA process
– both Google and Microsoft offer them.
In the past few weeks, I finally upgraded
my Huawei P20 smartphone as it was
showing its age and was starting to buckle
under the workload. It must be said that
the Huawei has proved faultless, and it
was generally a pleasure to use, but US
sanctions against the brand effectively
killed off the UK market, and so the next
task was to transfer its contents to a new
Samsung Galaxy 5G. I’ll summarise my
experience of upgrading a phone, with
hints and tips that I hope will help readers
to prepare for the same eventuality.
Although I rather dreaded the task, in
reality, the job of moving everything over
to a new phone went exceptionally well.
For good measure, a cloud backup of my
thousands of photos and video files is
offered by Huawei and is still available
for as long as I pay the negligible annual
running cost. Huawei has kept its side of
the bargain, and the cloud backup works
efficiently, so I downloaded the cloud
backup onto my PC as an extra measure.
Switch it up
On powering up the new phone, a setup
routine asks whether you want to transfer
data to it from another device, and
Samsung’s Switch app is duly installed.
The same app is also needed on the
old phone, after which the process of
copying contacts, mail, apps and media
– including all those photos and videos –
started automatically. This can be handled
over Wi-Fi or via USB. Note that iOS as
well as Android are supported. Happily,
the process was very simple, and no particular problems were
experienced, but be ready to input those pesky usernames and
logins when launching them on the new phone for the first time.
WhatsApp, which is encrypted end-to-end, will only operate
one account on one device at a time, so the ‘old’ account was
automatically disabled on the old phone, but all WhatsApp
media were migrated effortlessly to the new device.
The Samsung Switch app worked
flawlessly when transferring data and
apps from an old mobile phone to a new
Samsung smartphone.
You can safeguard a smartphone camera lens with a low-cost
tempered glass protector.
What I thought would be the trickiest transfer of all – the HSBC
online banking apps – was totally seamless; HSBC allows you
to use up to three devices and a QR code helped complete the
operation very smoothly, with no issues experienced at all. As
another benefit, the much better camera on the Samsung ‘snaps’
QR codes with just a cursory glance (see later). Everything went
commendably smoothly, and I reflected that, finally, modern
technology had delivered on its promises. Samsung, Google and
Microsoft will jostle to offer cloud backup plans as well, and
it’s worth spending time getting to know at least one of them.
Thumbs up
Next, biometrics can be set up as your fingerprint ‘dabs’ must
be scanned by the new device for the first time. This was a
slow process, and it’s wise to scan multiple fingertips in case
one suffers cuts or abrasions. Samsung allows up to four prints
to be scanned, but this idea won’t work if fingertips are wet
through rain or moisture, so it’s definitely worth remembering
PIN number alternatives and do practise using them to remain
familiar with the code. Facial recognition scanning is another
biometric option, but I didn’t bother setting it up.
It was then a matter of getting to know the new phone.
Tempered glass screen protectors costing just a few pounds
are sold on eBay which safeguard against damage. A seller
called ‘Pixfab’ supplied mine at low cost and it fitted perfectly
thanks to the kit containing a screen wipe and drying tissue.
It’s a one-shot operation so align everything carefully before
releasing it onto the screen. A couple of ‘bubbles’ disappeared
by themselves after a few hours and the screen protector is
totally invisible. (An option in Settings can increase touchscreen sensitivity if screen protectors are used.) A tempered
glass protector for the triple camera lens array, also supplied
by Pixfab, fitted perfectly as well. The biggest headache was
probably finding a suitable case, as the web is awash with
Chinese-made products, but one branded ‘Qltypri’ proved fine,
without spending silly money. What is comically marketed as
‘PU leather’ is – of course – actually polyurethane!
The experience taught me that it’s feasible to set up a cloud
backup, especially useful in case your phone is stolen or lost,
with data uploaded over Wi-Fi rather than using mobile data.
It’s critical to keep on top of account logins too, as these are
needed the first time apps are opened on the new device. For
anyone interested, Samsung fully explain the details of the
Switch app, giving readers a good insight into compatibility
and how it works – see: https://bit.ly/pe-aug24-sam
Back on the topic of QR codes; as far back as the February
2012 issue I described how these new pixelated peculiarities
would transform the way we captured data, by using our
camera phones as scanners. As I explained above, I found
my new smartphone scans even large, complex QR codes
instantly, but it’s worth remembering that fake QR codes
sometimes appear in public spaces. Counterfeit QR codes
might sometimes be stuck over genuine labels: one car park
was covered with them, with scammers trying to rake in cash
from motorists. Railway station car parks and posters are
another prime target. The UK’s NCSC offers advice which is
worth recalling before you go and ‘snap’ a likely-looking QR
code: https://bit.ly/pe-aug24-ncsc
Fun with FLIR
The July 2024 issue of PE included a design for a Pico-based
thermal camera which, compared with the cost of commercial
units, is an inexpensive and worthwhile introduction to capturing
infra-red heat maps and exploring the emissivity of materials.
My computer colleague recently dropped into the office with
another toy to play with: a ‘CAT’ branded ruggedized smartphone
with a difference, as it has a built-in FLIR (Forward-Looking
Infrared) thermal camera. The CAT S60 battery was on its last
legs, but I managed to power it up with a USB powerbank. The
FLIR camera can capture heat maps in colour, as well as imaging
in monochrome and highlighting hot spots in red, or cold spots
in blue. Spot-readings of temperatures are displayed. Checking
a hot water supply or looking for ‘vampire’ electrical gadgets is
fascinating. FLIR phones crop up on eBay from time to time,
and as our project designer agreed last month, thermal cameras
could help diagnose trouble spots in all sorts of situations. As for
replacing the CAT’s battery, well, that’s a project for another day!
This toughened ‘CAT’ smartphone includes a FLIR thermal camera. It can also highlight hot (or cold) spots and heat emitted by
‘vampire’ gadgets.
Aiming for the stars
Next, a roundup of current space missions and projects from
around the world. China’s Chang’e 6 probe, launched in May,
successfully touched down on the far side of the moon, and
it’s hoped soil samples will eventually be returned to Earth.
After a false start or two, Boeing’s Starliner launched its first
crewed flight for NASA on 5 June, docking successfully with
the International Space Station on a mission initially intended
to last about ten days. A number of small helium leaks in the
capsule are being investigated, and the next mission will carry
three or more astronauts sometime in 2025.
Sierra Space and NASA are now testing the ‘Dream Chaser’
spaceplane ready for launching later this year. The vehicle is the
first ever uncrewed winged ‘space-shuttle’ style vehicle to be
manufactured commercially (see Net Work, August 2023). The
maiden flight of the 30-foot long (9m) vehicle, named Tenacity,
will deliver cargo to the ISS using its ‘Shooting Star’ module.
Sierra Space also has ambitions to build the first commercial
‘inflatable’ space station in the future.
The inaugural flight of the European Space Agency’s long
overdue Ariane 6 heavy lifter is scheduled for the 9 July,
launching from French Guiana on the South American coast.
A key feature of Ariane is that its upper stage main engine can
stop and start up to four times, allowing it to deliver payloads
at four locations along its trajectory, bus-stop fashion, rather
than having to release an entire payload all in one go.
The ESA has striven to replace Soyuz launches with Ariane
ever since co-operation with Russia ceased following the
Ukraine invasion. Space fans can, however, marvel at the
Soyuz ‘User’s Manual’ still available on the ESA website at:
https://tinyurl.com/mv7zpukd
It contains a fantastic wealth of detail plus a history of USSR
Soyuz rockets, starting with Sputnik’s launch 67 years ago, an
accomplishment that heralded the start of the space race, and
in turn saw the creation of a new, resilient, self-healing packet-switching
data network – what became known as the Internet.
The first test flight of the European Space Agency’s Ariane 6
heavy lifter is scheduled for early July. (Image: ESA)
Teach-In Check Point answers – see page 66-67.
1. c  2. b  3. b  4. c  5. c  6. b  7. b  8. a  9. b  10. c
11. a  12. c  13. a  14. a  15. c  16. a  17. b  18. b  19. a  20. a
And finally
The arrival of the 1990s ‘Internet’ for consumers is where
I came in, with the first column appearing in August 1996
when the world-wide web barely existed. This month’s Net
Work is sadly the last one to appear under the auspices of the
current Editor and Publisher, Matt Pulzer. Matt has edited PE
successfully for many years and also became the Publisher in
2018, and has worked tirelessly to bring PE readers the widest
choice of projects, tutorials and interesting topical features.
Navigating us safely through the stormy waters of pandemics
and lockdowns, Matt’s dedication and expertise has given each
issue a touch of finesse and class. With Matt’s encouragement
Net Work grew into a feature bringing readers news and trends
covering the Internet, technology, space, energy and more. Matt
explains elsewhere what’s in store for your favourite hobby
electronics magazine, so here’s my personal ‘thank you’ to
Matt for supporting Net Work throughout all these years, and
more importantly, for bringing readers their copy of Practical
Electronics every month. Good luck, Matt!
See you next month for the latest from Net Work!
The author can be reached at: alan<at>epemag.net
|