Earth is the Hackerspaces Planet

February 20, 2017


Introduction to Arduino Workshop on Saturday, 1st April

Nottingham Hackspace will be hosting an all-day Introduction to Arduino Workshop, run by James Fowkes and Ian Dickinson, on Saturday, 1st April.

The Arduino system is a microcontroller board and software designed for extreme ease-of-use and learning, and has been wildly successful all over the world – not just in electronics, but for all sorts of maker projects. If you want to learn how to incorporate electronic control into your projects, this is definitely the workshop for you.

This workshop will cover:

  • What an Arduino is, and how to program it
  • Components and tools
  • Basics of electronics (voltage, current, resistance, etc.)
  • Arduino input and outputs
  • Controlling high-power components
  • Analog output
  • And more!

Aimed at complete beginners, this workshop doesn’t require you to have written a single line of code, switched on a soldering iron or even own an Arduino to take part. All the electronics equipment, including Arduino boards, will be provided on the day, but you will need to bring a laptop to program the Arduino with. It would also help if you installed the Arduino software onto your laptop before the workshop.

This workshop will run from 11am to 4pm, with a break for lunch at 1pm, and will cost £20, which includes use of all tools, boards and components, and free tea or coffee.

Arduino Unos will be available to purchase for £18 and Arduino Starter Kits will be available to purchase for £35. Please bring cash if you would like to buy either of these.

You can purchase your tickets now at EventBrite. This is a very popular workshop, with only 15 spaces, so please buy your tickets early to avoid disappointment.

by Kate at February 20, 2017 08:00 AM

February 19, 2017

Hackspace Manchester

How to make a Twin T Notch Filter

Analogue Electronics can be hard!  If an engineer doesn't do much design or calculations all the time the skills can be lost.  I have personally probably forgotten far too much.  Helpfully there are reference materials both online and in books to help remind ourselves what we need to do!

I need to design and implement a band stop filter.  This is because I need to make some circuit measurements and the 13.56 MHz signal (inherent to the circuit being measured) is swamping the input stage of a spectrum analyser.  I would like to be able to measure all the signal above 30 MHz without it being affected by out of band noise.  This is a common problem when using sensitive electronic instrumentation...what appears on screen is not always correct due to unknown out of band noise.

A Twin T Notch Filter Circuit
The go-to circuit of choice in these situations is known as the Twin T Notch filter.  It's a great filter circuit that is easy to implement because of its low component count.  The websites below discuss the theory behind band stop filters and Twin T Notch filters:

The quick way to design such a filter is to set the required parameters and then use the formula given. The parameters for my filter are:
  • Must use preferred component values
  • Must not filter signals above 30 MHz
  • Must have at least 30 dB of rejection at 13.56 MHz
The formula for calculating the component values is:

Now we can either plug some numbers into the formula above and try and get close to where we want to be or we can use an online calculator tool.  I am all for quickness and see little point in doing mathematics when I don't have to!  Here is a very useful site for calculating Notch filter component values:

Credit should definitely be given to the engineers at Okawa-Denshi Electronics Design in Japan!

The useful thing about simulators is the component values can be selected based upon those available and not some pie in the sky value...some less helpful calculators prescribe using component values which either do not exist in the real world or require the skill of a police detective to obtain!

I also have found that when using online circuit calculators it is important to fix at least one of the component values before you start calculating things.  I entered 13.56 MHz as the centre frequency for the filter and set the value of C1 to 10 pF and C2 and C3 to 4.7 pF as these are real world (preferred) values in the E6 series.

Useful site for preferred values: 

The online calculator did its thing and provided the circuit below:
The Centre frequencies were:
  • Flow = 13.555950 MHz
  • FHigh = 13.679649 MHz
The frequency response of filters is often shown as a special type of graph known as a Bode plot. This is shown below:

I have no doubt that if properly constructed this circuit would provide the filter response I'm looking for - It has 40 dB of rejection at 13.56 MHz, it doesn't filter the signal for frequencies above 30 MHz but the resistor values whilst available are not values I have readily to hand.  Because of that I'm going to tweak the capacitor values and run the calculator again.

I have changed the values of C2 and C3 to 22 pF which follows the rule that C2 and C3 must be roughly double C1....Here is the circuit that the calculator came up with:
Again...this circuit would probably work but I'm still not happy with the resistor values.  They are hard to obtain.  I'm going to increase the values of the capacitors again and see what happens.  The values I have chosen are C1 = 15 pF, C2 and C3 = 82 pF
The resistor values are now much more common and available.  Let's hope the filter response is good enough.

The Centre frequencies were:
  • Flow = 13.496806 MHz
  • FHigh = 13.654780 MHz
The corresponding Bode plot:

From the numbers given and by interpreting the Bode plot this circuit meets my requirements. If I wanted I could fit a 22 pF capacitor in the C1 position and a similar result will be obtained.  That will also change the resistor values as well:

I'm liking these values the most as I am certain I have all of these components available.  I wasn't sure if I have a 15 pF capacitor. It's not a value I use much - easily obtained from any good component vendor but always best to use what you have!

The resistor values are now much more common and available.  Let's hope the filter response is good enough.

The Centre frequencies were:
  • Flow = 13.374485 MHz
  • FHigh = 13.587897 MHz
The corresponding Bode plot:

Now that we have our component values we need to calculate the power requirements.  In this case I want to be able to put as much electrical power through the filter as possible.  The signal strength of the 13.56 MHz signal in my case will be at least 20 Watts.  Therefore each component must be capable of withstanding that power level without being burnt out.

I happen to know that the 13.56 MHz signal will be coming from a signal generator and amplifier at +30 dBm.  If we convert +30 dBm into Watts we find that it is 1 Watt.  So all components need to be rated for one Watt or better. Just for fun here is the formula:

dBm = 10 * Log10(Power in Watts / (1 * 10^-3 Watts))

We need to rearrange to get Watts:

Power in Watts = 1 * 10^-3 * 10^(dBm/10)

If we now plug the values in we get:

Power in Watts = 1 * 10^-3 * 10^(30/10)

Which is equal to 1000 * 10^-3 Watts or 1000 milli-Watts which is 1 Watt 

So all of the resistors need to be 1 Watt rated or better.  I'm going to need a small enclosure with connectors for this circuit and that means I'm probably going to need a printed circuit board.

I have used these diecast boxes in the past for this purpose - they are useful because they come with BNC connectors already fitted:
They are made by Pomona Electronics and are available from most good electronics vendors like RS components and Farnell Electronics.  My only complaint is the cost - £28.04 - yikes!

The datasheet for the box is here:

The dimensions of the Box are below:

Rather unhelpfully the inner dimensions are not provided - I hate it when that happens. However it isn't too much of a concern, reasonable estimations can be made.

If the printed circuit board is 36 mm x 33 mm and when populated is less than 25 mm high it will fit the above box well enough.

Here is how the layout came out:

I have chosen to use surface mount components throughout and 2512 size resistors so that the power requirements are met.  The board should easily fit inside the enclosure chosen.  The dimensions shown are in mm - for those that might be interested.

Just for fun here is how the PCB will look when populated:

ISO view of the Notch Filter PCB
The top side of the Notch Filter PCB
The side view of the Notch Filter PCB
Just for fun and because I wanted to practice my 3D drawing and modelling skills I have drawn up the Pomona 3231 Box.  It is available for download at the 3D warehouse if people are interested. Here is the PCB inside the box:

Top view of the PCB in the 3231 Pomona Box

ISO view of the PCB in the 3231 Pomona Box
Finally all that is left to do on this is create a bill of materials and calculate the total cost for this Filter.  I normally buy my components from Farnell Electronics but anywhere would do.

Component | Value | Quantity | Footprint | Part Number | Cost (£) | Notes
Resistor | 390 Ohms | 5 | 2512 | 2476478 | 0.604 | 3 Watt resistor from Farnell
Resistor | 27 Ohms | 5 | 2512 | 2476450 | 0.604 | 3 Watt resistor from Farnell
Capacitor | 82 pF | 10 | 0603 | 722078 | 0.015 | C0G from Farnell
Capacitor | 22 pF | 10 | 0805 | 1759489 | 0.0323 | C0G from Farnell
PCB | N/A | 10 | N/A | N/A | 14.04 | 10 PCBs from Elecrow
Pomona 3231 Case | N/A | 1 | N/A | 1234948 | 28.04 | From Farnell

Unfortunately I could not get an 0805 82 pF capacitor which is annoying but I can fit an 0603 part. The total cost for the above is £43.34 - That is enough components and PCBs to make one complete unit with plenty of spares.  The cost of a single unit alone is £29.70 which I think isn't too bad.  Those Pomona cases are very expensive - I might investigate a cheaper solution at some point.

The good news is all of the resistors I found are 3 Watt parts which means the filter will be able to work with high power signals!

The more astute readers may know that it is possible to buy a notch filter from various RF vendors.  I did consider these options and for those that may be interested the following websites have them on sale:

I couldn't find one that specifically sells a 13.56 MHz Band Stop Filter although I suspect such products do exist.  I doubt that I would be able to buy one for less than £30

If I do decide to make one of these I will test it and provide the results and photos.  Hopefully this was of interest to someone - Take care always - Langster!

by langster1980 at February 19, 2017 10:08 PM

February 18, 2017


Working Effectively with Social Justice Movements by Hannah Howard: Watch Online

This event was a part of the Civic Engagement Survival Guide: a series of free talks and workshops focused on creating a community that is informed, organized, and engaged.

In December, we met Hannah Howard, an engineer with a long history of activism. With over a decade of experience working both as the developer and the client in the non-profit space, Hannah delivers a unique and informed perspective on how technical people can best utilize their skills to assist social justice efforts. Her talk, Working Effectively with Social Justice Movements: A Primer for Techies, provides a beginner-friendly onboarding for technical people, complete with tips, tricks, and common pitfalls to avoid.

Learn more about Hannah by following her on twitter. Watch past videos or view upcoming events on the Civic Engagement Survival Guide.

CRASH Space is a 501(c)3 non-profit organization which works to promote education through individual projects and social collaboration. CRASH Space is also a member of the EFF Electronic Frontier Alliance: a grassroots network of community and campus organizations across the United States working to educate our neighbors about the importance of digital rights.

Leading an event in this series is a paid opportunity. We are interested in events which encourage community action and education, on topics such as: civic engagement, social justice, support for marginalized groups, environmental protection, and more. Please send proposals to [info at crashspace dot org]. To support our work, you can donate here.

by at0mbxmb at February 18, 2017 11:31 PM

Intersectionality & Allyship by Patricia Realini: Watch Online

In November, CRASH Space kicked off the Civic Engagement Survival Guide: a series of free talks and workshops focused on creating a community that is informed, organized, and engaged.

Our first speaker in the series was Patricia Realini, a software engineer and artist who engages in efforts to raise the level of public debate on issues that affect underrepresented minorities. Her talk, Intersectionality & Allyship, provides an introduction to social justice, as seen through the lens of intersectional feminism.

Learn more about Patricia by following her on twitter. Watch past videos or view upcoming events on the Civic Engagement Survival Guide.


by at0mbxmb at February 18, 2017 10:50 PM

February 17, 2017

Freeside Atlanta

A Capacitive-Touch Janko Keyboard: What I Did at the 2017 Georgia Tech Moog Hackathon

Last weekend (February 10-12, 2017) I made a Janko-layout capacitive-touch keyboard for the Moog Werkstatt at the Georgia Tech Moog Hackathon. The day after (Monday the 13th), I made this short video of the keyboard being played:

"Capacitive Touch Janko Keyboard for Moog Werkstatt"

(Text from the video doobly doo)

This is a Janko-layout touch keyboard I made at the 2017 Moog Hackathon at Georgia Tech, February 10-12. I'm playing a few classic bass and melody lines from popular and classic tunes. I only have one octave (13 notes) connected so far.

The capacitive touch sensors use MPR121 capacitive-touch chips, on breakout boards from Adafruit (Moog Hackathon sponsor Sparkfun makes a similar board for the same chip). The example code from Adafruit was modified to read four boards (using the Adafruit library and making four sensor objects and initializing each to one of the four I2C addresses is remarkably easy for anyone with moderate familiarity with C++), and code was written to send a gate (key down) signal to the Werkstatt, and to write a binary representation of the pressed key (low note priority) to an Arduino port connected to a precision R-2R ladder to generate the voltage for the VCO exponential input.

The capacitive touch sensors can be used to make a touch keyboard with any configuration, not just the Janko. With these sensors it's remarkably easy to make a functioning electronic musical keyboard, as no mechanical switches or moving parts are needed. The feeling is at least as responsive as a "real" keyboard, as response to touch and release feels instant as far as I can tell. If anything, there's a "problem" in that if you accidentally, even slightly, touch a key it will sound, whereas with a mechanical keyboard you have to "accidentally" press a key down for it to sound.

A traditional seven-natural-and-five-sharp-keys layout would have been just as easy, but less "interesting." I chose the Janko layout after having read about it for many years (see Paul Vandervoot's piano video "Demonstration of 4-Row Janko Keyboard" - he describes the layout at 4:06). The Janko has, from left to right, six whole steps per octave, thus is one less key wide per octave than the traditional keyboard, so with the same key spacings the Janko octave is a shorter distance. Going up or down diagonally is a half step, so a chromatic scale of all 12 notes is a zig-zag pattern. A major scale is the first three notes in a line (whole steps), diagonally up or down to the next key (a half step), this and the next three keys across (whole steps), and then diagonally again (a half step) to get to the octave key. You can start on any key and the major scale is the same description. This is the remarkable property of the Janko layout, there are very few patterns to memorize for the different scales and chords.

(End text from the doobly doo)

I used an Arduino Mega 2560 (actually the Inland brand compatible board from Micro Center), because I thought I would use more I/O pins than on an Uno. This project can be done on an Uno, but the direct write to the Mega DDRC and PORTC registers (and perhaps other I/O pin assignments) may need to be changed for the Uno. If you don't know how to use the AVR port registers directly, you may be better off just using a Mega 2560 rather than trying to change the code for an Uno.

No direct work for this project was done at Freeside Atlanta (nor at Georgia Tech's Invention Studio - I cut these pieces of wood to size at home using a circular saw just before going to the hackathon, then hot-glued everything together at the hackathon), but I did some preliminary work at Freeside. I had been wanting to make some sort of Janko keyboard for a while, and in recent months I've 3d-printed a couple of rounded-rectangle "keys" to help get the feel of what I wanted. (The short time of a one-weekend build kept me from using anything other than a rectangle shape on this project, and even then I only had one octave done by 5PM Sunday.) I decided on key spacing the same as "standard" piano keys, which are about 165mm (6.5 inches) per octave. Since the Janko layout has six (whole-step) keys per octave instead of the traditional seven (major scale) keys, this octave is about 141.4mm or 5.57 inches wide. The distance from one row of keys to the next above it is 1.8 inches, and each row up is 0.53 inches (the approximate height of a sharp note on a standard keyboard) higher than the previous. These numbers are mostly just "good guesses" as to what the dimensions of such a keyboard should be for good ergonomics. If you make one of these, feel free to make whatever changes you like, even a traditional key layout or something totally different.

The keys are made of brass strips. I had a brass sheet, dimensioned 6 inches by 24 inches by 0.004 inches. I cut this into rectangles of 1.5 inches by 0.75 inches. I soldered wires to one side and glued the soldered side down to a plywood board with hot glue. Each vertical pair arranged (first-and-third row, or second-and-fourth row) were connected together and connected to a sensor input on the MPR121 breakout board.

For greater versatility, each key could be connected to a separate sensor input (doubling the number of sensor inputs required). This would allow the vertical pairs to be "wired together" in software for the Janko layout, or for each key to generate a different note. This would be ideal for generating microtonal scales such as 24 notes per octave.
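The software pairing described above, together with the low-note priority and the major-scale shape from the video text, as an added example that is not part of the original post or sketch. It assumes one sensor input per key, four rows of seven keys with row 0 nearest the player, and note 0 at row 0, column 0; all names in it are hypothetical.

```cpp
// Added example, not from the original sketch. Assumptions (hypothetical):
// every key has its own sensor input, rows[r] bit c is the key in row r
// (row 0 nearest the player) and column c, and row 0 / column 0 is note 0.
#include <cstdint>
#include <cstdio>

constexpr int kRows = 4;
constexpr int kCols = 7;  // keys per row for one octave plus the octave key

struct Key { int row; int col; };

// Janko layout: one key to the right is a whole step (2 semitones) and the
// odd rows sit a half step above the even rows, so rows 0/2 and rows 1/3
// sound the same notes.
int jankoNote(int row, int col) { return 2 * col + (row & 1); }

// "Wire together" the vertical pairs in software: fold the four per-row
// touch masks into one bitmask with bit n set when semitone n is held.
uint32_t foldRows(const uint16_t rows[kRows]) {
  uint32_t notes = 0;
  for (int r = 0; r < kRows; ++r)
    for (int c = 0; c < kCols; ++c)
      if (rows[r] & (uint16_t(1) << c))
        notes |= uint32_t(1) << jankoNote(r, c);
  return notes;
}

// Low-note priority, as in the monophonic sketch: lowest held semitone,
// or -1 when no key is touched.
int lowestNote(uint32_t notes) {
  for (int n = 0; n < 32; ++n)
    if (notes & (uint32_t(1) << n)) return n;
  return -1;
}

// The key a half step above: diagonally up from an even row, or diagonally
// down and one column to the right from an odd row.
Key halfStepUp(Key k) {
  return (k.row & 1) ? Key{k.row - 1, k.col + 1} : Key{k.row + 1, k.col};
}

// Walk the major-scale shape: three keys in a line, a diagonal, four keys
// in a line, then a diagonal to the octave key. Fills out[0..7].
void majorScale(Key start, int out[8]) {
  Key k = start;
  int i = 0;
  for (int n = 0; n < 3; ++n) {
    out[i++] = jankoNote(k.row, k.col);
    if (n < 2) ++k.col;
  }
  k = halfStepUp(k);
  for (int n = 0; n < 4; ++n) {
    out[i++] = jankoNote(k.row, k.col);
    if (n < 3) ++k.col;
  }
  k = halfStepUp(k);
  out[i] = jankoNote(k.row, k.col);
}

int main() {
  // Constructed sample: row 1 column 2 and row 2 column 1 are touched.
  const uint16_t rows[kRows] = {0, 1u << 2, 1u << 1, 0};
  std::printf("lowest note: %d\n", lowestNote(foldRows(rows)));

  int scale[8];
  majorScale(Key{1, 0}, scale);  // same shape, started on an odd row
  for (int n : scale) std::printf("%d ", n);
  std::printf("\n");
  return 0;
}
```

Starting `majorScale` on any key gives the same interval pattern, which is the property of the layout the video text describes.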

The current code implements a monophonic keyboard for a single voice analog synthesizer. The keyboard priority is for the lowest note played, and retriggering is off (you have to lift off all keys and press a key again to get a new gate signal). Many enhancements can be done, such as highest or last note priority, retriggering, and sending polyphonic MIDI data, and adding modulation wheels on the left side for pitch bend, LFO modulation amount, and other possible performance parameters (I think there should be at least three such wheels, with the third one changing the filter cutoff frequency). These are, as always, left as an exercise for the student.

Blatant Blurb for Synthesizer Class

This Tuesday, February 21 2017, I'll be putting on a class at Freeside:
"Introduction to Electronic Musical Instruments."
I'll cover analog music synthesizers, and have this Janko keyboard instrument and others in the Synth Petting Zoo after the class. There is a $10 charge, this covers the time and cost of setting up and of using Freeside to put on this class. Sign up here:

Schematic (power supply connections for Werkstatt and Arduino not shown):

Arduino code:

// tkey - read capacitive touch keys and control Werkstatt
// Ben Bradley Feb. 11-12, 2017
// for Moog Hackathon

// substantial code taken from the MPR121test program from the
// Adafruit library.

// From other keyscan program for the Mega2560:

// AVRpin AVR name   Arduino name
//   1    PG5         D4
//   2    PE0         D0
//   3    PE1         D1
//   4    PE2
//   5    PE3         D5
//   6    PE4         D2
//   7    PE5         D3
//   8    PE6
//   9    PE7
//  12-18 PH0-PH6     D17-D16,X,D6-D9
//  19-26 PB0-PB7     D52-D50,D10-D13
//  27    PH7
//  28-29 PG3-PG4
//  35-42 PL0-PL7     D49-D42                   // out to r-2r ladder
//  43-50 PD0-PD7     D21-D18,X,X,X,D38
//  51-52 PG0-PG1     D40-D41
//  53-60 PC0-PC7     D37-D30             ***  Voltage control output, port C
//  63-69 PJ0-PJ6     D15-D14,X,X,X,X,X
//  70    PG2         D39
//  71-78 PA7-PA0     D29-D22             ***
//  79    PJ7
//  82-89 PK7-PK0     A15-A8
//  90-97 PF7-PF0     A7-A0
//  98    AREF

/*********************************************************
This is a library for the MPR121 12-channel Capacitive touch sensor

Designed specifically to work with the MPR121 Breakout in the Adafruit shop

These sensors use I2C communicate, at least 2 pins are required
to interface

Adafruit invests time and resources providing this open source code,
please support Adafruit and open-source hardware by purchasing
products from Adafruit!

Written by Limor Fried/Ladyada for Adafruit Industries.
BSD license, all text above must be included in any redistribution
**********************************************************/

#include <Wire.h>
#include "Adafruit_MPR121.h"

// You can have up to 4 on one i2c bus but one is enough for testing!
Adafruit_MPR121 chip1 = Adafruit_MPR121();
Adafruit_MPR121 chip2 = Adafruit_MPR121();
Adafruit_MPR121 chip3 = Adafruit_MPR121();
Adafruit_MPR121 chip4 = Adafruit_MPR121();

// Keeps track of the last pins touched
// so we know when buttons are 'released'
uint16_t lasttouched1 = 0;
uint16_t currtouched1 = 0;
uint16_t lasttouched2 = 0;
uint16_t currtouched2 = 0;
uint16_t lasttouched3 = 0;
uint16_t currtouched3 = 0;
uint16_t lasttouched4 = 0;
uint16_t currtouched4 = 0;

const int GateOut = 48;   // Mega digital output

void setup()
{
  // Baud rate as in the Adafruit MPR121test example this sketch is based on
  Serial.begin(9600);

  while (!Serial) { // needed to keep leonardo/micro from starting too fast!
    delay(10);
  }
//  Serial.println("Adafruit MPR121 Capacitive Touch sensor test");

//   The MPR121 ADDR pin is pulled to ground and has a default I2C address of 0x5A
// You can adjust the I2C address by connecting ADDR to other pins:
// ADDR not connected: 0x5A
// ADDR tied to 3V: 0x5B
// ADDR tied to SDA: 0x5C
// ADDR tied to SCL: 0x5D

  // Default address is 0x5A, if tied to 3.3V its 0x5B
  // If tied to SDA its 0x5C and if SCL then 0x5D
  if (!chip1.begin(0x5A)) {
    Serial.println("MPR121 chip1 not found, check wiring?");
    while (1);  // halt here: the keyboard needs all four chips
  }
//  Serial.println("MPR121 chip1 found!");

  if (!chip2.begin(0x5B)) {
    Serial.println("MPR121 chip2 not found, check wiring?");
    while (1);
  }
//  Serial.println("MPR121 chip2 found!");

  if (!chip3.begin(0x5C)) {
    Serial.println("MPR121 chip3 not found, check wiring?");
    while (1);
  }
//  Serial.println("MPR121 chip3 found!");

  if (!chip4.begin(0x5D)) {
    Serial.println("MPR121 chip4 not found, check wiring?");
    while (1);
  }
//  Serial.println("MPR121 chip4 found!");

  Serial.println("All chips found.");

  DDRC = 0xff;                 // all eight port C pins are outputs
  PORTC = 0;
  pinMode (GateOut, OUTPUT);
  digitalWrite(GateOut, 0);    // gate low until a key is touched
} // void setup()

void loop()
{
  int notepressed = -1;
  // Get the currently touched pads
  currtouched1 = chip1.touched();
#ifdef __print_touched_
  for (uint8_t i=0; i<12; i++) {
    // if it *is* touched and *wasnt* touched before, alert!
    if ((currtouched1 & _BV(i)) && !(lasttouched1 & _BV(i)) ) {
      Serial.print("c1 "); Serial.print(i); Serial.println(" touched");
    }
    // if it *was* touched and now *isnt*, alert!
    if (!(currtouched1 & _BV(i)) && (lasttouched1 & _BV(i)) ) {
      Serial.print("c1 "); Serial.print(i); Serial.println(" released");
    }
  }
#endif // #ifdef __print_touched_

  currtouched2 = chip2.touched();
#ifdef __print_touched_
  for (uint8_t i=0; i<12; i++) {
    // if it *is* touched and *wasnt* touched before, alert!
    if ((currtouched2 & _BV(i)) && !(lasttouched2 & _BV(i)) ) {
      Serial.print("c2 "); Serial.print(i); Serial.println(" touched");
    }
    // if it *was* touched and now *isnt*, alert!
    if (!(currtouched2 & _BV(i)) && (lasttouched2 & _BV(i)) ) {
      Serial.print("c2 "); Serial.print(i); Serial.println(" released");
    }
  }
#endif // #ifdef __print_touched_

  currtouched3 = chip3.touched();
#ifdef __print_touched_
  for (uint8_t i=0; i<12; i++) {
    // if it *is* touched and *wasnt* touched before, alert!
    if ((currtouched3 & _BV(i)) && !(lasttouched3 & _BV(i)) ) {
      Serial.print("c3 "); Serial.print(i); Serial.println(" touched");
    }
    // if it *was* touched and now *isnt*, alert!
    if (!(currtouched3 & _BV(i)) && (lasttouched3 & _BV(i)) ) {
      Serial.print("c3 "); Serial.print(i); Serial.println(" released");
    }
  }
#endif // #ifdef __print_touched_

  currtouched4 = chip4.touched();
  for (uint8_t i=0; i<12; i++) {
    // if it *is* touched and *wasnt* touched before, alert!
    if ((currtouched4 & _BV(i)) && !(lasttouched4 & _BV(i)) ) {
      Serial.print("c4 "); Serial.print(i); Serial.println(" touched");
    }
    // if it *was* touched and now *isnt*, alert!
    if (!(currtouched4 & _BV(i)) && (lasttouched4 & _BV(i)) ) {
      Serial.print("c4 "); Serial.print(i); Serial.println(" released");
    }
  }

  if ((lasttouched1 != currtouched1) ||
      (lasttouched2 != currtouched2) ||
      (lasttouched3 != currtouched3) ||
      (lasttouched4 != currtouched4))
  {
    // find lowest note.
    // Chips are checked lowest first; the else-if chain keeps a key on a
    // higher chip from overriding a lower note. Each loop counts down so
    // the last match is the lowest key on that chip.
    if (currtouched1) {
      for (int8_t i=11; i>=0; i--)
        if (currtouched1 & _BV(i))
          notepressed = i;
    }
    else if (currtouched2) {
      for (int8_t i=11; i>=0; i--)
        if (currtouched2 & _BV(i))
          notepressed = 12 + i;
    }
    else if (currtouched3) {
      for (int8_t i=11; i>=0; i--)
        if (currtouched3 & _BV(i))
          notepressed = 24 + i;
    }
    else if (currtouched4 & 0x01) {
      notepressed = 36;     // highest key
    }
//    Serial.print("lowest note ");
    if (notepressed != -1) {
      PORTC = 37 - notepressed; // invert bits for negative sum
      Serial.print (' ');
    }
    // gate is high while any key is touched, low when all are released
    if (currtouched1 | currtouched2 | currtouched3 | currtouched4)
      digitalWrite(GateOut, 1);
    else
      digitalWrite(GateOut, 0);
  } // if ((lasttouched1 != // note changed

  // reset our state
  lasttouched1 = currtouched1;
  lasttouched2 = currtouched2;
  lasttouched3 = currtouched3;
  lasttouched4 = currtouched4;

} // void loop()

by benbradley at February 17, 2017 11:41 AM

February 15, 2017


One Thing To Do Today: Border Control Advice Round Up

Lots of bad advice is getting floated around about border crossings, including creating weird partitions or fake lightweight logins. Sadly, as this 2011 EFF guide shows, border control overreach isn’t a new problem, but there is a new scope of ruthlessness. The social media password request is certainly a new wrinkle. Take this EFF quiz to see how your knowledge stacks up. As mentioned in the Jan 31st Tuesday sweep, the new pressures are damaging US based tech conferences and research institutions.

Wired has put out an article that seems to sum up the best advice, but that 2011 EFF article is MUCH more complete in terms of actual processes. (UPDATE: also New York Times, Ars Technica about your rights.)

The essentials:

  • Do not attempt to lie, deceive, obstruct or hassle a CBP official. Maintain your cool and be polite.
  • Have as little with you as possible in terms of number of items and what data they carry.
  • Biometrics are not protected by the 5th amendment the way passwords are.
  • Call someone (your lawyer?) before going into, and after leaving customs.

Not planning on traveling anytime soon? With the current political climate, those 200 million of us living inside the 100 mile border zone (set in 1953, btw) might need to consider following some of this advice on a more daily basis.

If you are hassled, document the incident following this advice from the EFF.

These policies and practices of DHS/CBP must be chronicled and opposed.

Please tell us your border search stories. You can write to us at If you want to contact us securely via email, please use PGP/GPG. Or you can call us at +1-415-436-9333.

We also encourage you to contact your congressional representatives in the Senate and House of Representatives.

You may also contact the DHS Office of Civil Rights and Civil Liberties and the DHS Inspector General.

by carlyn at February 15, 2017 06:27 PM

Tuesday Sweep: Feb 14 2017


What are the frictions keeping you from doing “what’s right”? Regret is only useful if it leads to a plan on how to improve.

Confessional:  I’ve been coughing and oozey and asleep for the last week and a half, and am hopefully coming around the corner now. I apologize for missing last week. This is the thing about routines, they can be knocked off pretty quick if something goes wrong early in the game. But we’re back now. I actually left the house today! Whee!

Continuing Set Up

We’ve covered so much so fast. You’re not behind, you’re just where you are. Pick something to do.

  • If you’re having trouble with all the set up, the coach tool at the Crash Override Network has a great step by step break down for many of the same introductory steps we did here.
  • Review the list of OneThing articles so far and pick one to catch up on.


This list will be getting longer, but let’s keep it simple while folks are still setting up.


Where do you scan for news? I keep an eye out for recent exploits and breaches that have come to light, new tools, interesting ideas, etc.


We are a community. You are a welcome part of it.

by carlyn at February 15, 2017 12:04 AM

February 10, 2017


Magic Mirror Builds – February 2017

Ever wanted to create a Magic Mirror? Look no further than this build session!
Session #1: Wednesday, Feb 22, 2016 6-9PM
Session #2: Saturday, Feb 25, 2017 10AM-1PM
Q: What is a Magic Mirror? A: A Magic Mirror is a reference to a 2 way mirror with […]

by Daniel Johnsen at February 10, 2017 11:25 PM

NYC Resistor

Motors class on February 25

We’ve got a motors class coming up on February 25th! Make Things Move: Intro to Motor Control with Arduino is a three-hour intro to the wonderful world of motors. From RC cars, Robot Arms, or 3D printers, this class gets you started learning how to use a variety of motors. Learn about the different types of motors and make them move! This class will combine a discussion of motors best-practices as well as hands-on experience controlling them with an Arduino. Ticket price includes all the supplies you’ll need (and get to take home!).

Tickets available on Eventbrite.

by Bonnie Eisenman at February 10, 2017 05:29 PM

February 09, 2017

NYC Resistor

We’re open tonight

Come brave the snow and the cold, and join us for Thursday Craft Night – we’re still open as usual.

by Bonnie Eisenman at February 09, 2017 10:53 PM

February 05, 2017

NYC Resistor

Advanced Laser-Cutting Class on March 5th

We have a new laser class coming up on March 5th! This advanced class is geared towards people who use the laser often and/or want to understand how to get the most out of the machine. Laser Cutting II: Optimize Your Laser Cutting will cover a variety of topics – from re-sequencing your artwork files in order to reduce cut time, to when to use different focus levels for specific cutting tasks.

Please note that you must have taken a previous laser-cutting class at NYC Resistor to qualify for Laser Cutting II.

by Bonnie Eisenman at February 05, 2017 07:51 PM

Knit Knight is taking a break this week

Your Knit Knight teachers are taking the night off! Don’t worry – NYC Resistor will still be open as usual for Craft Night on Monday 2/6/17, so you’re still welcome to come and knit.

You can check our calendar or the EventBrite event for future Knit Knight dates.

by Bonnie Eisenman at February 05, 2017 03:30 PM

February 04, 2017


WHERE: CRASH Space (Directions)
WHEN: Saturday, Feb 11th, 1:00P – 3:00P.
WHO: Open to the public!

About this Talk
This discussion will cover the diverse and surprising wildlife which live right here in our own backyards, detailing their habitat and the critical roles they play in our unique ecosystem. What are some of the serious threats local wildlife will face from the expansion of urban sprawl, and what can be expected with the predicted rise in human wildlife conflict? How can we coexist with and protect other species, why does this matter, and how can we keep our cities as both biodiverse and enjoyable environments for generations to come?

About the Speaker
Samantha Sullivan is a graduate student in pursuit of a Masters in Biology with an emphasis in wildlife conservation. Currently, she works with communities both locally and internationally on assessing barriers and collaborating with locals and conservation organizations in the region to create solutions that work toward coexistence between wildlife and the community. She has worked with many conservation organizations, including Spectacled Bear Conservation Society in Peru, the Ara Project in Costa Rica, Primate Education Network in San Francisco and locally with Citizens for Los Angeles Wildlife. Her interests include being in nature, yoga and all things cat related. Samantha has articles published with Earthwise Aware, a non-profit organization that addresses the ethics of conservation around the world, and is a conservation blogger on her website, openspacescoalition.

CRASH Space is a 501(c)3 non-profit organization which works to promote education through individual projects and social collaboration. CRASH Space is also a member of the EFF Electronic Frontier Alliance: a grassroots network of community and campus organizations across the United States working to educate our neighbors about the importance of digital rights.

This event is a part of the CRASH Space Civic Engagement Survival Guide: a series of free talks and workshops focused on creating a community that is informed, organized, and engaged.

Leading an event in this series is a paid opportunity. We are interested in events which encourage community action and education, on topics such as: civic engagement, social justice, support for marginalized groups, environmental protection, and more. Please send proposals to [info at crashspace dot org]. To support our work, you can donate here.

by at0mbxmb at February 04, 2017 09:15 PM

February 03, 2017

NYC Resistor

February Make-Along: Chocolate Molds

Our February Make-Along, Custom Chocolate Molds, is happening on February 19th! Learn how to create your own custom molds from everyday objects using re-usable Composimold. We’ll show you how to melt down chocolate and make some delicious creations together.

Tickets are available on Eventbrite.

by Bonnie Eisenman at February 03, 2017 05:28 PM

February 02, 2017

NYC Resistor

Pocket Party: This Sunday, 3pm

NYCR member Kari Love is leading our first-ever Feminist Pocket Party this Sunday, February 5th, from 3pm-5pm. Tickets are available on Eventbrite. Come learn how to make 1 pocket variation in a low-key class+hangout environment. This session will focus on in-seam pockets (aka side seam pockets).


All materials to make practice pockets along with some kind of pocket-themed snack will be provided (bring your own clothes to alter if you’re feeling ambitious). Ability to sew a straight stitch by machine and seam rip are recommended, but not required, skills.

by Bonnie Eisenman at February 02, 2017 03:34 PM

KwartzLab Makerspace

2nd Annual Sew-a-Thing-a-Thon! Feb 12

Date: Sunday, February 12, 2017

Time: noon – 6 pm

Location: kwartzlab makerspace, 33 Kent Ave. Kitchener

RSVP and help share the Facebook event

Join us for a drop-in event where you can make your own hand or machine sewn accessories! Learn how to make a bow-tie from scratch. We’ll have sewing experts on hand to show you how it’s done.

Other projects include: hair bows, draw-string bags, pom poms, paper cards & more! All these wonderful DIY projects just in time for Valentine’s Day! Nothing says “Thinking of You” quite like a handmade gift.

PWYC donation at the door.

Family-friendly event, most activities are intended for ages 7 + up.

Hot drinks will be served.

Presented by, Mindful Makers





by Agnes at February 02, 2017 06:47 AM

February 01, 2017

Pumping Station: One

Pumping Station: One needs Makers for Maker Faire Chicago!

Do you make things at Pumping Station: One? Do you want to volunteer and help us show the awesomeness of PS:One at Maker Faire? We need you! Pumping Station: One will have a Makerspace booth at Maker Faire Chicago, April 22nd-23rd 2017, and we want to help you exhibit your stuff! Click HERE for our volunteer and exhibition form and let us know when you want to show your work, or when you’re free to help us set up and run our booth.

If you have a larger project, or a demo, or something that you just want to show independently, you can go HERE to fill out an independent Maker Exhibit application, and make sure you let them know you want to be set up near the Pumping Station: One booth. We want a HUGE PS:One presence at this Chicago Maker Faire, so please, sign up, tell your friends, and let them know we need Makers!

by celtwolf at February 01, 2017 02:17 AM


Tuesday Sweep: Jan 31 2017


What are the frictions keeping you from doing “what’s right”? Regret is only useful if it leads to a plan on how to improve.

Confessional: AAAAHAAHHAHAHHAHA. I’ve not really been paying attention to proper OpSec this week. I’ve been weird about it. One minute refusing to use twitter DMs, the next pulling out my phone in the most compromising of places when I know my carrier is on the list of supreme baddies. This is why setting up habits is so important. When your brain is leaking out of your ears, habits are what will get you through. Mine suck.

Continuing Set Up

We’ve covered so much so fast. You’re not behind, you’re just where you are. Pick something to do.

  • If you’re having trouble with all the set up, the coach tool at the Crash Override Network has a great step by step break down for many of the same introductory steps we did here.
  • Review the list of OneThing articles so far and pick one to catch up on.


This list will be getting longer, but let’s keep it simple while folks are still setting up.


Where do you scan for news? I keep an eye out for recent exploits and breaches that have come to light, new tools, interesting ideas, etc.


We are a community. You are a welcome part of it.

by carlyn at February 01, 2017 12:07 AM

January 31, 2017

NYC Resistor

Intro to Arduino Class on Feb 18

Our Arduino class is back on February 18th. Want to get into physical computing but don’t have any previous electronics experience? Great – this is the class for you. You’ll learn to program your Arduino, use a breadboard to prototype simple circuits, and work with sensors and LEDs.

Get your tickets on Eventbrite!

by Bonnie Eisenman at January 31, 2017 09:38 PM

January 29, 2017

Hackspace Manchester

Git stuff and 52 Weeks of Code

Sometimes I feel that my geek credentials are lacking given the lack of code I write, yes I make cool things occasionally, I work as an EMC Engineer for a small Stockport Company, I am a Director of Squashed Fly a small independent Hosting and General Geeky company with Tas, and hope to be a good Daddy to MiniBoyGeek.

My Git skills are a little lacking, and my coding skills are a little rusty. For the first few weeks I am going to work through .:oomlout:.’s Getting started with Arduino kit guide. Given the simplicity of the examples I think I will try and get more than one done a week, but I will list them all together.

I will be putting everything on github at, where you can follow where I am up to.

let us set up Git

In make a new repository

I have called mine

CodeAWeek because I am amazingly imaginative…

Make a folder and set it up as

I keep my Projects in Dropbox (even when they also are git repositories (Yes I can hear a lot of people cringing)).

So in ~/Dropbox/Projects:
mkdir CodeAWeek
cd CodeAWeek
git init

Grab the SSH location of the git repository from git hub:

and paste it onto the end of git remote add origin (Sets the new remote) making something like:
git remote add origin
You will now want to do some more git magic (verifies the new remote URL):
git remote -v
and to pull down the files in github:
git pull origin master
and we are all up to date…

Add a few files on the computer and you will need to do the following:
git add .
git commit -m "some helpful comments, apparently WIP is not helpful and people will glare at you for that kind of thing"
git push --set-upstream origin master

The other thing I tend to do that may make people squeak is store largish binary files in repos, I have a copy of the .:oomlout:. ARDX-EG-OOML-DD Guide and ARDX-circuit-sheets for the first few weeks stashed in a reference folder.

Week 1a.

The first circuit in the .:oomlout:.

If you look at the above image you will see that the resistor is listed as 220 Ohm rather than the 550 Ohm listed in the ARDX-EG-OOML-DD Guide.

Looking at Fritzing again I have found out how to adjust the value of the resistor, Click the resistor, on the right hand side it brings up the Inspector:

I have updated the image showing the correct value of resistor on pin 13:

The code for week 1a is:

/* Blink
 * Turns on an LED on for one second, then off for one second,
 * repeatedly.
 * Created 1 June 2005 By David Cuartielles
 * based on an original by H. Barragan for the Wiring i/o board
 */
int ledPin = 13; // LED connected to digital pin 13

// The setup() method runs once, when the sketch starts
void setup()
{ // initialize the digital pin as an output:
    pinMode(ledPin, OUTPUT);
}

// the loop() method runs over and over again,
// as long as the Arduino has power
void loop()
{
    digitalWrite(ledPin, HIGH); // set the LED on
    delay(1000); // wait for a second
    digitalWrite(ledPin, LOW); // set the LED off
    delay(1000); // wait for a second
}

Uploading the code to the Arduino Uno is simple from the IDE, and then causes the LED to flash (at 0.5 Hz with a 50% duty cycle) thusly:

However there are several problems with using the delay command. While the processor is executing the delay command it is blocked from doing anything else; no other reading of sensors, mathematical calculations, or pin manipulation can go on during the delay function, so in effect, it brings most other activity to a halt.

There is a better way:

Week 1b

/* Blink without Delay

 Turns on and off a light emitting diode (LED) connected to a digital
 pin, without using the delay() function.  This means that other code
 can run at the same time without being interrupted by the LED code.

 The circuit:
 * LED attached from pin 13 to ground.
 * Note: on most Arduinos, there is already an LED on the board
 that's attached to pin 13, so no hardware is needed for this example.

 created 2005
 by David A. Mellis
 modified 8 Feb 2010
 by Paul Stoffregen
 modified 11 Nov 2013
 by Scott Fitzgerald

 This example code is in the public domain.
 */

// constants won't change. Used here to set a pin number :
const int ledPin =  13;      // the number of the LED pin

// Variables will change :
int ledState = LOW;             // ledState used to set the LED

// Generally, you should use "unsigned long" for variables that hold time
// The value will quickly become too large for an int to store
unsigned long previousMillis = 0;        // will store last time LED was updated

// constants won't change :
const long interval = 1000;           // interval at which to blink (milliseconds)

void setup() {
  // set the digital pin as output:
  pinMode(ledPin, OUTPUT);
}

void loop() {
  // here is where you'd put code that needs to be running all the time.

  // check to see if it's time to blink the LED; that is, if the
  // difference between the current time and last time you blinked
  // the LED is bigger than the interval at which you want to
  // blink the LED.
  unsigned long currentMillis = millis();

  if (currentMillis - previousMillis >= interval) {
    // save the last time you blinked the LED
    previousMillis = currentMillis;

    // if the LED is off turn it on and vice-versa:
    if (ledState == LOW) {
      ledState = HIGH;
    } else {
      ledState = LOW;
    }

    // set the LED with the ledState of the variable:
    digitalWrite(ledPin, ledState);
  }
}

This code looks quite a bit more complex. We have broken out the delay time to a constant called interval that allows the frequency for the flashing to be changed, so to get a 1 Hz flash we would put the interval to 500 ms rather than 1000 ms for the current 0.5 Hz.

There are some more things that you can do with this circuit, if we move from Pin 13 to a pin with a ~ (tilde) next to it, we can do PWM, but I will do that next time.

by Skippy at January 29, 2017 12:28 AM
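
An added example, not part of the post above or of the Arduino example sketches: the elapsed-time test from Week 1b, `currentMillis - previousMillis >= interval`, keeps working when the millisecond counter wraps back to zero, which a 32-bit counter does after about 49.7 days. The plain C below simulates that counter around the wrap; `uint32_t` stands in for the Uno's 32-bit `unsigned long`, and the function names and the "deadline" comparison it is contrasted with are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Form used in the Week 1b sketch: subtract first, then compare.
 * Unsigned subtraction is modulo 2^32, so the difference is the true
 * elapsed time even when `now` has wrapped past zero and `previous` has not. */
static bool interval_elapsed(uint32_t now, uint32_t previous, uint32_t interval)
{
    return (uint32_t)(now - previous) >= interval;
}

/* Hypothetical alternative for comparison: compute a deadline and compare.
 * The addition can wrap to a small number, after which every later `now`
 * before the wrap looks "past the deadline". */
static bool interval_elapsed_naive(uint32_t now, uint32_t previous, uint32_t interval)
{
    return now >= (uint32_t)(previous + interval);
}

/* Simulate a loop() that polls once per millisecond for duration_ms,
 * starting with the counter at `start`, and count how often the LED
 * would be toggled. */
static unsigned count_toggles(uint32_t start, uint32_t duration_ms,
                              uint32_t interval, bool naive)
{
    uint32_t previous = start;
    unsigned toggles = 0;

    for (uint32_t elapsed = 1; elapsed <= duration_ms; elapsed++) {
        uint32_t now = start + elapsed;   /* wraps exactly like millis() */
        bool due = naive ? interval_elapsed_naive(now, previous, interval)
                         : interval_elapsed(now, previous, interval);
        if (due) {
            previous = now;
            toggles++;
        }
    }
    return toggles;
}

/* Constructed start value: the counter is 2500 ms away from wrapping. */
#define START_BEFORE_WRAP (UINT32_MAX - 2499u)

int main(void)
{
    /* Five seconds of simulated time at a 1000 ms interval. */
    printf("subtract-then-compare: %u toggles\n",
           count_toggles(START_BEFORE_WRAP, 5000, 1000, false));
    printf("deadline comparison:   %u toggles\n",
           count_toggles(START_BEFORE_WRAP, 5000, 1000, true));
    return 0;
}
```

Across the wrap the subtract-then-compare form still toggles once per interval, while the deadline form fires on every poll for roughly half a second before the counter wraps.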

January 27, 2017


One Thing To Do Today: Don’t fall for “resistance” data parasites

There will be a lot of people who want to capitalize on the new activist energy that you should consider staying away from, both shady actors and the incompetent sincere. If a website, twitter account or special number requires you to hand over identifying information like an email address, or especially a US phone number, before they offer up any information to you, run screaming. Trust goes both ways.  An organization that’s in it for the greater good will empower you to protect yourself, not slurp up your data with next to nothing to give back.   Remember the Beyoncé Rules and have some standards.

  • WHY do they need your information to be helpful? Why can’t they give you the information you need without collecting yours?
  • Are they collecting ONLY the information they need for the task?
  • How MUCH information are they giving you up front? Is it a paragraph or multiple pages of resources?
  • How do you know they are who they say they are? Clever names, mission statements and even slick HTTPS hosted websites are crazy cheap and not good enough. Twitter accounts and URLs can be made to look legit by playing on the names and logos of real organizations. Be careful.
    • Do they have a listing in Charity Navigator? If they aren’t a 501(c)3 where does the money come from?
    • What PEOPLE, verifiable real human beings, are behind the project? Can you find them on social media? Wikipedia? Talks posted on YouTube? Alumnae networks? Have you ever met anyone who’s met them?
    • Do they list phone numbers? If you do a reverse lookup on the number what comes up?
    • Do physical addresses resolve on google maps? Does the street view look shady?
    • Do a whois lookup on the URL. If it’s a private listing that’s fine, but how long has it been active?
  • Where is the organization sourcing its information from? In house research? By whom? What process did they use to collect it? Do they let others use it? If no, why not?
  • How long will they keep your data? Can you ask them to delete it? Who can verify that they actually did?
  • Is the code they’re using to collect and store this data open? If not, is it vetted by 3rd party auditors? Are they using a reputable service / platform to manage their data? Will they even tell you who?
  • Are they even pretending that your data is safe? What technical measures do they say they’ve taken? “We take industry standard security measures” means “we do nothing” because there are none. You want details. Don’t worry if you don’t understand the jargon, that’s what search engines are for.
  • Are there events you can attend to BEFORE handing over information?

And if there is no website? Just a number to text? Don’t do it. Don’t do it. Don’t do it unless:

  • It’s for an organization that you’ve vetted.
  • They already have your phone number.
  • You have confirmed that the text/request has come from them by getting a human on the phone from a number you’ve looked up independently first. (Or, you know, it is exactly the number you heard them announce from a giant stage)
  • It’s clear whether or not the request is being handled by a 3rd party contractor (likely). If so, vet the contractor. The contractor will have you in their database now, too. You will be tracked across campaigns.

Even when these small little pop up organizations are the nicest people, they still won’t know how to protect you. Even many longer running organizations don’t, but at least they aren’t a flash in the pan. If you hand over your information it will be going into a database that isn’t encrypted, with no protocol for controlling what employees or contractors get a hold of it. Some little pop up certainly can’t afford the lawyers for when the DOJ comes knocking. Privacy policies are a pinky promise. If the organization has no assets, they have nothing to lose by ignoring them.

The best way to get active is to get ACTIVE. Push past the clicktivism and go meet people face to face at meetings you don’t have to sign up for to get into. People amassing databases will never consider you a friend or stand with you when they’re needed. People you keep running into at meetings just might.

by carlyn at January 27, 2017 07:45 PM

January 26, 2017

Hackspace Manchester

Designing a pressure sensor using Velostat

In the previous post I designed a circuit which was supposed to read in when pressure was applied to a custom sensor made from velostat.

The first post on the Piano conversion

I made a sensor out of some single sided FR4 printed circuit board material, some foam tape, two pieces of wire, a small 1 cm x 1 cm piece of velostat and some sticky tape!

Custom Pressure Sensor using Velostat
This is just a prototype and may not be my final version of the sensor. I wanted to see how well velostat worked and how it would behave. It seems to work really well!

I found from measurements with my multimeter that when the pressure sensor is not touched the resistance across the wires is 30 kΩ. When pressure is applied it drops to 1 kΩ. That should be more than good enough for the purposes of detecting a key-press!

The constructed pressure sensor
Next the PCB designed in the previous post was etched, drilled and populated. It etched well and I populated it with the designed components:

The Underside of the PCB 
The topside of the PCB with components

I then wrote some quick test code for the arduino because I'm leaning towards using an arduino for the microcontroller:

/*
Pressure Sensor test Code
For Electronic Piano
(c) A. Lang 2016
*/

// These constants won't change. They're used to give names
// to the pins used:
const int analogInPin = A0; // Pressure Sensor connected to A0

int sensorValue = 0; // value read from the pressure sensor via the amplifier stage
float outputValue = 0; // value output to the Serial port

void setup() {
  // initialize serial communications at 9600 bps:
  Serial.begin(9600);
}

void loop() {
  // read the analog in value:
  sensorValue = analogRead(analogInPin);

  // print the results to the serial monitor:
  Serial.print("sensor = ");
  Serial.println(sensorValue);

  // wait 10 milliseconds before the next loop
  // for the analog-to-digital converter to settle
  // after the last reading:
  delay(10);
}

The code is very similar to code I had written before - what is it with me and pressure sensors at the moment! I then uploaded the code to the arduino and tested it - It didn't work as planned - I may have been a little disappointed at this point....

I then thought about my circuit and looked at the schematic:

The original Key Press schematic

I realised I had made a mistake. I didn't account for how the velostat would behave in terms of its resistance. I thought it would have a resistance of around 1 kΩ and it doesn't; its resistance is 30 kΩ and varies down from that when pressure is applied. Because of this I need to tweak my circuit from behaving as a two stage buffer to a simple analogue comparator and buffer. Luckily it won't be too hard to change things!

Here is the new circuit:

The Key Press Schematic Version 2 

The new circuit works in a similar fashion to the previous one. The velostat pressure sensor makes up a voltage divider. The output of the voltage divider is connected to an analogue comparator made with the first op-amp in an LM358 dual op-amp IC. The negative input has a 2.75 V reference set by the 8.2 kΩ resistor and the 10 kΩ resistor. The output of the 1st op-amp is then connected to a buffer amplifier with a gain of two and then the output is connected to a FET and an LED. The output will be sent to the ADC of the micro-controller which will probably be an Arduino.

To test the circuit I removed a 10 kΩ resistor and then added a 7.5 kΩ resistor (because I couldn't find an 8.2 kΩ resistor). Here is a photo of the modification:

Here is the modified PCB layout although I probably won't etch this board again. I'm going to re-design it to use surface mount components and be a smaller form factor. It would be nice if each board fit snugly under each piano key.

The New Key Press Layout
I then connected the circuit back up to the arduino and pressed the sensor! It worked. The LED lit up - although I wish I had used a brighter LED...but SUCCESS!! So sweet...

Here is a graph I made from the serial monitor results. It looks very similar to the simulated oscilloscope trace from the first post!
The results from the serial monitor
So now we have a valid method of reading key presses we need to scale things up - and shrink a few things down. I will redesign the key press PCB layout to use surface mount components to take up as little room as possible. Then we need to look at multiplexing all of the signals together...and for that I'm going to use the 74HC4076 integrated circuit breakout board.

That's all for now people - take care!

by langster1980 at January 26, 2017 05:48 PM

January 25, 2017



Details here! RSVP not required.

Join us for a community-driven skill share. All levels of privacy and security knowledge are welcome! Teach what you know and learn what you don’t! There will be no leadership at this meeting. Instead, consider this an opportunity to gather, discuss, and share information and tools.

Possible things you might want to bring: a laptop, a phone, a burner laptop, a burner phone, some usb thumb drives, raspberry pi.

Possible things you might want to discuss: GPG encryption, secure communication, secure collaboration tools, bitcoin, etc!

by at0mbxmb at January 25, 2017 07:25 AM

Engineering as Artistry: The Intersection of Art, Tech, and Music

WHEN: Wed 25th, 8P-10P
WHO: Open to the public!
RSVP: Here!

About this Event

Join visiting international artists Adam John Williams, Portrait XO and Burle Avant for a discussion on the intersection of art, tech, and music! The discussion will cover a variety of Adam’s digital & audiovisual artworks, and will show off some Max MSP live coding, generating some live electronic music whilst the process of its creation is shown in realtime on a projector. For some examples of Adam’s work, check out Portrait of an Inventor.

About this Artist

Adam John Williams is:

An award-winning multi-disciplinary digital artist working primarily with music, visuals & electronics.

A hardware hacker, Max MSP patcher, creative technologist and director of the Music Tech Fest Hack Camp.

A musician, DJ & VJ also known as Artemis Beats.

Creator of the maxome audiovisual performance controller.

by at0mbxmb at January 25, 2017 06:57 AM

January 24, 2017


Tuesday Sweep: Jan 24 2016


What are the frictions keeping you from doing “what’s right”? Regret is only useful if it leads to a plan on how to improve.

Confessional: I posted pictures on a non-anonymous twitter account at a rally while I was there. Some would argue that this is a mistake. I say that if you’re a cis hetero white woman like me, it’s essential. White ladies get insidiously punished when we break the mold of the genteel, soft spoken, pleasant helpmate. But we can use that expectation to shield those that society implicitly labels as threatening and scary. If all the pleasant little white ladies are here, it must be the done thing. If this blondish, make-up wearing, pie-baking, hat-knitting, smiling married lady who’s never gotten more than a speeding ticket is worried about privacy and security, it must be normal. Just relax and go along, all you market-based, vote depending folks who get worried when someone mentions the H word. Here’s just a “normal person with legitimate concerns” by your own messed up definition. Sometimes refusing to take certain types of precautions, if you have the privilege, might be the protest. That’s what I went with. Your mileage may vary.*

* this goes for putting yourself at risk, not others. If the information you’re handling isn’t yours, opting not to take precautions is not your call.

Continuing Set Up

We’ve covered so much so fast. You’re not behind, you’re just where you are. Pick something to do.

  • If you’re having trouble with all the set up, the coach tool at the Crash Override Network has a great step by step break down for many of the same introductory steps we did here.
  • Review the list of OneThing articles so far and pick one to catch up on.


This list will be getting longer, but let’s keep it simple while folks are still setting up.


Where do you scan for news? I keep an eye out for recent exploits and breaches that have come to light, new tools, interesting ideas, etc.


We are a community. You are a welcome part of it.

by carlyn at January 24, 2017 08:42 PM

January 23, 2017

Pumping Station: One

NERP Next: Up to Speed on Motors (Jan 30th)

If you’re a maker, hacker or DIY person, you don’t need to understand how a motor works “under the hood” to use it. However, a bit of theory will help you make the best design choices for your thing that runs in circles. At the next NERP, Jerry Morrow will bring us up to speed on motor technology.


Jerry’s presentation is a full overview of DC and Brushless DC (BLDC) motors and their associated drive circuitry. Topics include the physics of electric motors, DC motor operation, motor bridges/inverters, control topologies, motor terminology, brushless DC motor operation, hall effect and encoder position feedback, current and velocity control, Park/Clarke transformations, and Space Vector Modulation (oooh..).

People need to make things go ’round. Car wheels, train wheels, drone propellers, compressors and fans in HVAC and refrigeration, hard drives (at least for the moment), reclining seats, robots, power tools, and on and on. Motors are everywhere. The variety of sizes, shapes, and internal structures is bewildering. About the only functional elements that the different types have in common are a moving part and a stationary part joined by a changing magnetic field. Whether or how you can control the speed, direction, torque, or power consumption depends on the type of motor. Electric motors have been around for about 150 years. Most of the older classes of motor types are still in use, still useful, and still suited to new design.

We are seeing a revolution in motor technology. Software is eating the world, and it’s finding electric motors pretty tasty. The new generation of motors depends on embedded processors to the extent that the software is as much a part of the motor as the shaft. Sophisticated driver algorithms (and in some cases new materials) are making motors smaller, stronger, and more efficient. In addition to making better citizens of existing applications, the improvements open doors to new classes of applications.

Jerry Morrow is, or has been, a bass player, electrical and computer engineering student, home rehabber, sound technician, electro-mechanical actuation software engineer, Japanese student, father, and maker, and member of Pumping Station One. He prefers the command line, VI editor, and makefiles over IDEs, and won’t hold it against you if you don’t.

NERP is not exclusively Raspberry Pi, the small computer and embedded systems interest group at Pumping Station:One in Chicago. NERP meets every other Monday at 7pm at Pumping Station:One, 3519 N. Elston Ave. in Chicago. Find NERP and Pumping Station:One at



Doors open at 6:30pm. NERP is free and open to the public. Ed Bennett ed @ kinetics and electronics com Tags: electronics, embedded, NERP, Open Source, raspberry pi, hackerspace, Beagle Bone, Pumping Station One

by edbennett at January 23, 2017 10:16 PM

January 22, 2017


One Thing To Do Today: Find new heroes.

TL;DR: When the sun goes out, you can see the stars.

I developed an allergy to demagogues and popularity contests early on, so I was never the type of kid who put posters of people on her wall. Yet I’m not immune to wanting, needing, to have people whose work I admire succeed. While researching these articles I’ve been happy to find a TON of people who know way more than me who have been putting out high quality work for years if not decades. These folks have been working in a field that hasn’t really been getting its due. The American public revels in exhibitionism. CEOs don’t understand the hit on the bottom line for features that can’t be marketed. Privacy and security has been kind of a thankless field in many ways, only noticed when things go wrong. I’m going to say some thank you’s today, focusing away from those who’ve disappointed me onto those who will keep me inspired and informed.

Michelle Leonhart, our VP, herself inspires me. And she’s brought in via the Civic Engagement Survival Guide a full cast of people to admire. In fact CRASH Space members themselves never stop being a source of inspiration. Thank You.

We aren’t the only LA hackerspace by far. Where CRASH Space, was, does, will continue to focus on STEAM more than security issues as a whole, Null Space Labs has been committed to security based content from its inception.  My ass hasn’t shown up at one of their events in YEARS. It’s over due.  Thank you. A little further afield 23b also carries the torch. Thank you.

Yesterday I went to a book talk at UCLA by Jennifer Granick, lecturer-in-law and director of civil liberties at the Stanford Center for Internet and Society. The book, American Spies, intends to “educates readers about how the reality of modern surveillance differs from popular understanding.” She wrote the book for general audiences, but the talk was geared to the law students in the room. I’m doubly impressed by her for coming at this all from the legal angle. We’re about to understand viscerally how fragile the rule of law really is, and how much we need them on that wall. And whats beautiful about Prof. Granick is that she is just one example. Think of all the lawyers at EFF, ACLU, SPLC, Sierra Club, NRDC, NAACP, Lambda Legal, MALDEF, NLGBeakman Center, Center for Internet and Society working hard for little to no celebrity. Thank you.

This will have unequal weights for folks reading this, but I also want to thank all the Ladies in the House. I withdraw too far back sometimes because I get tired of my presence in a room becoming “a teachable moment.”  I was thrilled to find this Top 50 Women in Internet Security as a reminder to not let the bad apples get me down.  Following some of them on twitter has lead me to other women, and ultimately to Prof. Granick’s great talk yesterday. Thank you!

I have a growing Tuesday Website List (link not comprehensive) and Twitter Feed of folks who generously put themselves and what they know out there.   A large handful of accounts that will lead to the discovery of other accounts: @SarahJamieLewis, @hacks4pancakes, @snipeyhead (comes with warning), @pwnallthethings, @swiftonsecurity, @pinboard, @thegrugq, @zeynep. Thank you.

Another way to find people: go to the trouble of watching conference proceedings when going can’t happen. The Chaos Computer Club Conference, DefCon and HOPE are the obvious ones for this field. But I’d like to shout out to the Hack-a-Day Superconference, SCALE and LayerOne. Thank you to the organizers and speakers all.

Real change happens from groups working together. The lone hero, “Great Man” approach to history has been severely debunked. That’s good news because that means there are countless folks around us to take inspiration from. When the sun goes out, you can see the stars.

by carlyn at January 22, 2017 06:55 PM

January 19, 2017


One Thing To Do Today: Schedule requesting copies of your credit report

Plane tickets to DC to march cost money. Donations to the EFF cost money. Hard drives to back up your system cost money. Paying for VPNs and private email costs money.  Dinner in the evening so you can get up raring to go in the morning costs money.  Baddies will aim for financial resources because of the double payoff. They undercut the opposition and they have more for themselves!

We’ll be adding checking your bank and credit card balances to the Tuesday Sweep because false charges are typically sign number one that either you or a vendor you’ve shopped with has been exploited.  Take action and report them quickly. No matter how small.  False charges are just one of many red flags for identity theft.

What also needs to go on the schedule? Requesting credit report copies from the big three on a staggered rotation.  January, after taxes in May, and back to school time in September will spread it out nicely.  According to the FTC –

You’re entitled to one free copy of your credit report every 12 months from each of the three nationwide credit reporting companies. Order online from, the only authorized website for free credit reports, or call 1-877-322-8228. You will need to provide your name, address, social security number, and date of birth to verify your identity.

Other conditions to get a free copy:

  • If you have been denied credit (you must request a copy within 60 days)
  • If you are unemployed and intend to apply for employment in the next 60 days
  • If you are on public welfare assistance
  • If you have reason to believe your file contains inaccurate information due to fraud or identity theft
  • If an adverse decision related to your employment has been made based in whole or in part on information contained in the report
  • If your report has been revised based upon an investigation you request

For more information on credit report basics, how to understand your credit score, or otherwise respond to identity theft, the folks at the Privacy Rights Clearinghouse have created several guides worth reading.

by carlyn at January 19, 2017 06:15 PM

Build your own Voice-Crusher with Moldover Sunday January 22nd at 4 PM

Moldover came by CRASH Space last January with his Light Theremin kit and did a great soldering workshop. He has a new kit, the Voice Crusher, and we have another workshop scheduled!

It’s this Sunday, January 22nd, from 4-7 PM. Cost is $55, which includes the kit, instruction, and a copy of Moldover’s latest album, Four Track. No soldering experience necessary – we’ll teach you, and we will supply the tools!


Here’s a video about the album and Voice Crusher

After everyone finishes their kits, Moldover will give a short presentation on the design of The Voice Crusher and his other circuit board projects.


by theron at January 19, 2017 03:52 AM

January 18, 2017

Pumping Station: One

Celebrations in Pictures – PS:One March Potluck 5th Tuesday

More pictures……

5th Tues. on March

by lyn at January 18, 2017 07:29 PM

Celebrations in pictures 2016 – Pi Day

Pi Day 2016

by lyn at January 18, 2017 07:25 PM

Celebrations in Pictures – PS:One’s 7th Birthday

Another picture….

PS:One 7th Birthday Party
Cake decorated by Shelly Loke

by lyn at January 18, 2017 07:20 PM

Celebrations in pictures from 2016 501c3 Party!!!

501c3 status party

501c3 status party
cake decorated by Shelly Loke

PS:One had some wild events, here are some of the pictures…..

501c3 status party
The aftermath

501c3 status party
Our song!!!

by lyn at January 18, 2017 07:18 PM

NYC Resistor

Feminist Pocket Party on February 5th

Our first Feminist Pocket Party is happening on Feb 5. People who wear women’s clothing are plagued with an unjust lack of pockets! Time for us all to learn to level the playing field. Come learn how to make in-seam pockets in a low-key, class + hangout environment.


by Bonnie Eisenman at January 18, 2017 05:11 PM


Tuesday Sweep: Jan 17 2016


What are the frictions keeping you from doing “what’s right”? Regret is only useful if it leads to a plan on how to improve.

Confessional:  This is a reverse confession. I did some things “right” by security standards that I’m not happy about.  Emblematic, looking at an exuberant thread of people posting images of their pets with their pets’ names all my panic bells went off. “That’s the stupidest thing I’ve ever seen. Why would they give up potentially sensitive information like that.”  What. A. Terrible. Reaction.  It’s not totally wrong, though. Starting with security questions, I came up with a list of at least a dozen ways I could use that data in under 15 minutes. I hope @evacide writes her harm reduction approach essay soon. And yet, even with the OneThing series, in my ideal world the average folks not thinking about security wouldn’t have to start.  I want developers to take responsibility for making it safe to play.  That inconsequential thread about puppies represented people trying to create connections during a fractious time. It was beautiful. We need more of that, not less.

In the meantime…

Continuing Set Up

We’ve covered so much so fast. You’re not behind, you’re just where you are. Pick something to do.

  • If you’re having trouble with all the set up, the coach tool at the Crash Override Network has a great step-by-step breakdown for many of the same introductory steps we did here.
  • Review the list of OneThing articles so far and pick one to catch up on.


This list will be getting longer, but let’s keep it simple while folks are still setting up.


Where do you scan for news? I keep an eye out for recent exploits and breaches that have come to light, new tools, interesting ideas, etc.


We are a community. You are a welcome part of it.

by carlyn at January 18, 2017 04:12 PM

January 16, 2017

NYC Resistor

Next Laser-Cutting Class on Jan 22

Want to learn to use our laser cutter to cut and etch your own designs? Take our three-hour class to get laser-certified, then come back and laser to your heart’s content. The next laser class will be on January 22.

Our laser-cutting classes fill up fast! Tickets are available on Eventbrite.

Random boxes


by Bonnie Eisenman at January 16, 2017 05:18 PM

January 15, 2017

NYC Resistor

January 14, 2017


One Thing To Do Today: Truth vs. Checksums

Reality is that which, when you stop believing in it, doesn’t go away.
― Philip K. Dick, I Hope I Shall Arrive Soon

So now we have all these records and backups made. What if we want to share them with someone else? We’re moving more into the Sanity section here, where we want there to be information that can be verified by more than keeping our fingers crossed. Perversely, I have trouble conveying how deeply sacred I think the transference of an idea from one person to another to be.  As a poor substitute let’s talk about the fragility of the process. Successful communication has so very many steps, each vulnerable to failure, shown to hilarious effect in the screwball comedies of the 1930s and to great tragedy by Shakespeare.

  • Is the requestor of information who they say they are?
  • How can they be sure I’m who I say I am?
  • Did I understand the nature of their request?
  • Do I have the relevant information?
  • Do I have permission to distribute the relevant information?
  • Can my response arrive in a timely manner?
  • (Will my message get there unread by 3rd parties?)
  • Will my response message get there unchanged?
  • Will my response be properly understood?
  • Is the person delivering the message actually sent by me?
  • Accept that the message is from me, and it’s what I sent. Can they verify that my message accurately portrays a situation? The receiver should wonder, could I be delivering information that is:
    • uncertified. I haven’t done sufficient work to check it
    • accurate but irrelevant
    • inaccurate because that’s how it was delivered to me by my own sensor network
    • inaccurate because that’s how it was delivered to me by a third party
    • inaccurate because I ran a faulty algorithm on good quality data
    • inaccurate because I ran a good algorithm on bad quality data
    • inaccurate because I mean it to be
  • How can I maintain a record which can prove the actual content of my sent messages?

Whether you call this Epistemology or Information Theory, whether mediated through computers or not, trust is hard.   From secret pass phrases, to sealing wax, to handwriting analysis, to… checksums? It’s all an arms race through time. The more sophisticated the tech, the more clever the attacks.

Companies with products designed to enhance the privacy or security of communications don’t litter their marketing materials with jargon only to dazzle the uninitiated. Specific technologies protect very specific elements of the communication process.  The jargon communicates what narrow slice of the puzzle the company will be attempting to certify. When companies won’t name the names of the techniques used, but instead float fluffy words like “safe,” “private,” “secure” heck even “encrypted”, start to worry.

So let’s make an example out of some words frequently used together that someone evaluating this type of software might mistake as absolute promises of truth and authenticity:  “hashed,” “checksum”  and “fingerprint.”

Let’s say my mom’s very reliable mail carrier delivers to her a wooden crate filled with tasty looking chocolate chip cookies with my return address on it. Inside the crate is an envelope with a message, “Hey Mom, I’ve sent you a brown cardboard box that is 8″x12″x4″, weighs 2lb 6oz, and sealed with purple packing tape. Inside is a dozen oatmeal raisin cookies.” This apparent conflict will hopefully make her suspicious enough to call me before she actually eats the snacks.  If my message had only said, “here are cookies I hope you’ll like,” she would have no clue that perhaps someone had intercepted my package and swapped it with their own.   However, if our cookie crook had been capable of either exactly duplicating the package or swapping in their own note, we’d have a problem again.

My decision to sum up my package as a description of its volume, weight, color of tape, type and number of cookies was the hashing algorithm I used to create the checksum represented by the included note. If I had sent my note separately from the package instead of inside it, that would have been more like a fingerprint.

There’s not really a shared secret that only she and I would know to really ensure that someone isn’t trying to impersonate me. Also, nothing about any of this means that I sent cookies that my mother would actually even like the taste of or that I haven’t used an ingredient that she’s allergic to, etc. Heck, she could even be in the middle of a dream.  All she’s got is that as far as the situation is actually happening, someone claiming to be me sent her cookies that match what they said they’d be sending. It’s not the Complete Truth about who sent the cookies, why and what’s in them, but it’s not nothing either.

This Computerphile video explains how computers implement these schemes in a way which is perhaps much more useful than my care package analogy.

If you want more on this topic, Computerphile also has a short playlist on some related Information Theory topics.  I also quite liked Eddie Woo’s Parity and Checksum videos that came at the end of his very accessible Communications & Network Systems playlist.

So how is it that we know what we know? What information can be trusted? These questions tangle up the best minds that have ever lived, so no, there is never going to be an App for that. Us mere mortals have hope though. We can add thin layers with specific processes building up confidence.  When trust has been devastatingly corroded, baby steps make the fastest progress.


by carlyn at January 14, 2017 12:15 AM
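The care-package analogy from “Truth vs. Checksums” above, worked in Python as an added example (not code from the original post). It goes one step past the analogy by also showing the shared-secret case the post says is missing, using HMAC; the package descriptions, the `FAMILY_SECRET` key and the `mail` helper are constructed for illustration.

```python
"""Checksum in the box vs. fingerprint sent separately vs. keyed tag.

Models the care-package analogy. Every package, note and key here is a
constructed sample value.
"""
import hashlib
import hmac

OATMEAL = b"cardboard box 8x12x4in, 2lb 6oz, purple tape, 12 oatmeal raisin cookies"
CHOC_CHIP = b"wooden crate, chocolate chip cookies"
FAMILY_SECRET = b"constructed-demo-secret"  # assumption: agreed in person beforehand


def checksum(package: bytes) -> str:
    """The note: a SHA-256 digest that sums up the package."""
    return hashlib.sha256(package).hexdigest()


def keyed_tag(secret: bytes, package: bytes) -> str:
    """A note only a holder of the shared secret can write (HMAC-SHA256)."""
    return hmac.new(secret, package, hashlib.sha256).hexdigest()


def accepted(note: str, recomputed: str) -> bool:
    """The receiver's check: does the note match what she recomputes?"""
    return hmac.compare_digest(note, recomputed)


def mail(package: bytes, note: str, swap_package=None, swap_note=None):
    """The postal channel: an interceptor may replace the box, the note, or both."""
    return (swap_package or package, swap_note or note)


def run_scenarios() -> dict:
    """Return, per scenario, whether the receiver accepts the delivery."""
    results = {}
    note = checksum(OATMEAL)

    # 1. Note inside the box, only the cookies are swapped: mismatch, rejected.
    box, slip = mail(OATMEAL, note, swap_package=CHOC_CHIP)
    results["note_in_box_cookies_swapped"] = accepted(slip, checksum(box))

    # 2. Note inside the box, cookies AND note are swapped: the plain checksum
    #    is public math, so the forged note matches and the swap is accepted.
    box, slip = mail(OATMEAL, note, swap_package=CHOC_CHIP,
                     swap_note=checksum(CHOC_CHIP))
    results["note_in_box_both_swapped"] = accepted(slip, checksum(box))

    # 3. Fingerprint sent separately (say, read out on a phone call): the same
    #    swapped box is compared against a value the mail never carried.
    results["note_sent_separately_both_swapped"] = accepted(note, checksum(box))

    # 4. Keyed note in the box: without the secret the forged note is wrong.
    tag = keyed_tag(FAMILY_SECRET, OATMEAL)
    forged = keyed_tag(b"crook-guess", CHOC_CHIP)
    box, slip = mail(OATMEAL, tag, swap_package=CHOC_CHIP, swap_note=forged)
    results["keyed_note_both_swapped"] = accepted(
        slip, keyed_tag(FAMILY_SECRET, box))

    # 5. Untouched delivery still verifies. None of this says the cookies
    #    taste good; it only says the box matches what the sender described.
    box, slip = mail(OATMEAL, tag)
    results["keyed_note_untouched"] = accepted(
        slip, keyed_tag(FAMILY_SECRET, box))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:36} {'accepted' if ok else 'REJECTED'}")
```
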

January 12, 2017

NYC Resistor

Nail Art Make-Along this Sunday

Last call for our Nail Art Make-Along this weekend! This unisex class is aimed at tricking out your manicure (or pedicure)… in simple but unique ways using templates & stamps. We’ll also be doing a nail polish swap, so bring your unwanted nail polish to trade.

Tickets are available on Eventbrite.

by Bonnie Eisenman at January 12, 2017 08:36 PM


One Thing To Do Today: Keep a clean disk image on hand

TL;DR – Keep copies of your system image and vital files completely offline. 

So today I’m going to talk about something easy to do with computers and comic books, but not so easy to pull off in real life.

I’ve been using computers a fairly long while, and having to wipe the whole drive clean and reinstall the software at one point was almost a quarterly event. I got in the habit then, and admittedly have fallen out of the habit now, of having a hard drive that held a disk image of JUST the operating system and the crucial application that could get me up and running fast, with all my current active work backed up nightly on a rotating set of zip disks which served as both back up AND version control.

These days my computer doesn’t crash so much and I keep back ups of lots of things in lots of places online, so that particular set of processes has fallen by the wayside. Maybe it should be resurrected. The joy of my current back up application? It’s always on doing its thing. Apparently that means ransomware can find it. Keeping a pristine disk image with just the operating system and critical applications in a safe place with no contact with the internet would certainly come in handy again.  I might even go back to saving active files to rotating disks that get wiped down to the zeros regularly. I’ll have to come up with something to get over my USB drive phobia.  I miss floppies and CDs. At least they didn’t have firmware to worry about!

For making that disk image, MacOS has Disk Utility, but I have to make a fond shout out to Carbon Copy Cloner. Windows has Storage Spaces. Linux has dd. None of these work great for when you have a large number of computers that need to be wiped and pushed clean images regularly. The answer used to be Ghost,  now there are decent open source tools like Clonezilla that are worth giving a try.

Museum exhibits, retail stores, academic computer centers… for all these places best practices call for having a clean disk image that gets pushed to terminals on a regular basis. I really wish I had a real-world image from 2015 squirreled away right now. Marvel, can you get on that?



by carlyn at January 12, 2017 06:02 PM

January 11, 2017


One Thing To Do Today: Learn an anti-normalization design pattern

TL;DR Written records are your friend. 

Today, moving on to the moral compass attack vector. Once the fight starts, can we remember our values in the thick of it?  Humans can adapt to new set points very quickly. This makes it vital to take steps to prevent normalization of new horribles.

I advocate designing systems in your life that enable you to:

  • Document where you want to be (both what’s within tolerances, what’s optimal, what’s unacceptable)
  • Maintain a record of where you’ve been
  • Analyze where you are

In non technical scenarios this might mean:

  • While not discounting media that serve as warnings to be vigilant, also have a shelf of books, documentaries, a YouTube channel, anything, that reminds you of what good really looks like and that it’s possible. Actually write down WHY these examples represent goodness to you. What behavior specifically would you like to model. What behaviors specifically were abhorrent. I suggest real world examples, but fiction can work too.
  • Start keeping a journal to document the actions of public figures.
  • How do the recorded, observed behaviors line up with the examples from step one? Compare those actions against other periods in history to make apt, accurate comparisons to the current situation, without sensationalizing. Where are we on the road either towards or away from our ideals?

To extrapolate the same design pattern to a technological system, detecting attacks means not just accepting that “my computer just runs slow sometimes” or “sometimes my network is flaky.” When technical systems start behaving strangely, it is possible to check what’s going on using system messages and log files.

  • Have a written model for what normal operations look like. Provide it to others.
  • Configure logs to record information relevant to that model. (Write software that can log relevant information)
  • Actually monitor and analyze logs against that template, developing tools that automate the process.

Log Files

Many safety and privacy concerned services tout that they “don’t keep log files.” What is this log file? Well, computers watch what we do, and they take notes.  Lots of notes. On lots of different things. In the case of privacy-minded VPNs they are specifically talking about a server’s ability to jot down the locations of where you came from and where you’re going.

If you’ve never heard of log files before, overviews for SEO folks try to break what they’re for down in relatively plain language. Finding out what a computer is up to can be as simple as taking a peek at the end of a log file and pasting the text into a search engine.

Top 3 Links For Jumping Right In

These links presume some command line knowledge. I apologize for that, but these articles jump to how to actually use them.

Guides from Operating Systems

When trying to learn about how your computer uses log files, try the search term “log file $YOUR_OPERATING_SYSTEM troubleshooting”

  • Ubuntu, overview of Linux log files
  • Apache, introduction to debugging
  • Mac OS, the Console utility. Link within the article on using the console tool to debug.
  • Windows, I am too unfamiliar with Windows to evaluate the links, so this one is to the cleaning and optimization guide at Decent Security.
  • iOS, use iTunes system log files, or Xcode.

Guides from Hosting Companies

Hosting companies want you to be able to catch shenanigans happening on their hardware fast. Many of them have guides on using log files.

Generating Your Own

Tools for Handling Logs

How do I find tools for log analysis? A starting point would be a GitHub search sorted by stars. Many of these projects have done the work of figuring out what normal should look like, and come with documentation that provides guidance on how to set them up. Top projects tend to be maintained by professionals for professionals to be used on a large scale. Even if they don’t fit your needs, skimming the documentation can be an education.  OSSEC HIDS and ModSecurity in particular have an eye towards log analysis for security purposes.

Some projects that might otherwise escape notice:

  • LNAV, “an advanced log file viewer for the small-scale”
  • Glogg, “A fast, advanced log explorer.”
  • AWStats “generates advanced web, streaming, ftp or mail server statistics, graphically.”
  • LogCluster, for pattern recognition in log files, a “simple logfile clustering tool”
  • Pimp My Log. No analysis, just web server log files meet twitter bootstrap. Included because some of the other tools have made my eyes bleed.

I have zero experience working with the big names in the not-open source log analysis category, but I feel like I should include them.  I’ve left out VirtualWisdom because it doesn’t actually appear to be that log-file centric?

Focus on the pattern, not the tools

While I just dumped a lot of information about logs on you, that’s not the important point. A pattern for building a system resistant to drifting off mission is the point.

  • Define your values
  • Know where you’ve been
  • Analyze where you are

These three steps not only prevent our natural tendency to accommodate and make do from kicking in, they provide the information required to create a plan to GTFO the mess entirely.


by carlyn at January 11, 2017 11:17 PM
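The three-step pattern from “Learn an anti-normalization design pattern” above (a written model of normal, a record, analysis of the record against the model), applied to login logs as an added example that is not part of the original post. The baseline values, the host name and every log line are constructed; the line shape follows the common OpenSSH syslog messages.

```python
"""Compare sshd-style log lines against a written model of 'normal'.

The baseline values and the log lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Step 1: the written model of normal operations (assumed values).
BASELINE = {
    "users": {"alice", "bob"},
    "networks": [ipaddress.ip_network("192.0.2.0/24")],
    "hours": range(7, 23),              # logins expected 07:00-22:59
    "max_failures_per_source": 3,
}

# Step 2: the record of where we've been (constructed sample lines).
SAMPLE_LOG = """\
Jan 11 09:14:02 lab sshd[811]: Accepted publickey for alice from 192.0.2.15 port 50122 ssh2
Jan 11 09:40:37 lab sshd[840]: Failed password for bob from 192.0.2.22 port 50310 ssh2
Jan 11 09:40:51 lab sshd[840]: Accepted password for bob from 192.0.2.22 port 50310 ssh2
Jan 11 13:05:10 lab sshd[902]: Failed password for invalid user admin from 203.0.113.7 port 41200 ssh2
Jan 11 13:05:12 lab sshd[902]: Failed password for invalid user admin from 203.0.113.7 port 41202 ssh2
Jan 11 13:05:15 lab sshd[902]: Failed password for root from 203.0.113.7 port 41204 ssh2
Jan 11 13:05:19 lab sshd[902]: Failed password for root from 203.0.113.7 port 41206 ssh2
Jan 12 03:22:48 lab sshd[955]: Accepted password for alice from 198.51.100.9 port 60001 ssh2
Jan 12 03:25:00 lab cron[960]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE = re.compile(
    r"^\w{3}\s+\d+ (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def analyze(lines, baseline):
    """Step 3: return (findings, skipped) for lines measured against the model.

    findings is a list of (rule, detail) tuples; skipped counts lines that are
    not sshd login events and so fall outside what this model describes.
    """
    findings, skipped = [], 0
    failures = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            skipped += 1
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:              # hostname or garbage in the address field
            skipped += 1
            continue
        user, hour = m["user"], int(m["hour"])
        if m["result"] == "Failed":
            failures[str(ip)] += 1
            continue
        # Successful logins are checked against each part of the written model.
        if user not in baseline["users"]:
            findings.append(("unknown-user", user))
        if not any(ip in net for net in baseline["networks"]):
            findings.append(("new-source", f"{user} from {ip}"))
        if hour not in baseline["hours"]:
            findings.append(("off-hours", f"{user} at {hour:02d}h"))
    # Failures matter in aggregate: one typo is normal, a burst is not.
    for source, count in sorted(failures.items()):
        if count > baseline["max_failures_per_source"]:
            findings.append(("failure-burst", f"{source} x{count}"))
    return findings, skipped


if __name__ == "__main__":
    found, skipped = analyze(SAMPLE_LOG.splitlines(), BASELINE)
    for rule, detail in found:
        print(f"{rule:14} {detail}")
    print(f"{skipped} line(s) outside the model")
```
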

January 09, 2017


One Thing To Do Today: Take steps to prevent doxing

TL;DR: Follow the advice at the Crash Override Network to prevent and prepare for possible doxing. 

It happens in so many movies and TV shows. Our fearless hero, tied to a chair, mid torture yells at the villain of the week, “Do whatever you want to me! I won’t help you!!”  To which our villain replies “Oh, I’m not going to hurt…. YOU!” and whips out whomever or whatever has been set up as the hero’s One-Big-Weakness.

Threatening to dox someone serves as the online equivalent of putting them in that chair.  A power move meant to gain submission or silence, it shows a willingness to take the fight into the “real world” by revealing information like home addresses and/or financial information about you and your loved ones. Whether it’s launching an activist Twitter account, pursuing investigative journalism or even running for office, please have conversations with the people you love about what kinds of behavior you will be engaging in and the possible consequences to your family unit. Then plan how to face them together.

The Crash Override Network has created a step by step coach to lock down information to make it harder for people to get at you.   If you’ve been able to follow along with these posts you will have already done things like changed privacy settings, so getting through the first steps will be a breeze. Skimming through the guides on preventing doxxing and what to do if you have been doxxed gives a nice overview of what to expect from the coach tool.  Examples include checking that domain registrations aren’t leaking your address and clearing personal information out of data broker sites to help keep where you live off the map. Ask the people you care about to go through the same steps.

Preventing certain activity from ever being linked back to you in the first place might help boost your courage. Pseudonymity remains vital to the internet.  Follow a guide or two or three on setting up an alter ego.  How far you’ll need to go will depend on how high up the food chain your big bad lives.

Contending with the baddies who treat others, at best, as Non Player Characters in their game of conquest requires special precautions. Making things just a little bit harder for them to trace me or my loved ones back home, or having a plan in case they do, makes standing up and standing out all that much easier to do.

by carlyn at January 09, 2017 07:18 PM

January 06, 2017


One Thing To Do Today: Who decides what you know?

In 1913 Justice Brandeis wrote, “Sunlight is said to be the best of disinfectants,” in objection to bankers hiding money trails to commit crimes.  Any activist will tell you that “getting the word out” builds the scaffolding for all future calls to action. Our threat actor counts on none being the wiser to pull off their shenanigans. Chances are good they’ll move, or have already, to keep unflattering information out of our view.

Helping “the baddies” hide their behavior in shadow, the U.S. public gets news from a small number of sources with a limited amount of time to spend on them. By listening to only a handful of voices, we leave ourselves vulnerable to misinformation propagated by both carelessness and malice. The fewer perspectives heard, the more power each has to shape our world view.  The people invited to have that kind of power over your mind should be chosen with extreme care.

I am a huge fan of the new media distribution methods made possible by the internet. The tricky part of the low barrier to entry means that every day, all day, the internet splurts out a whirling, whiplashing firehose of data. This makes handing curation over to powerful algorithms naturally tempting. The damage Facebook algorithms do is well trod territory. When tracking down information I try to put my queries through at least two search engines, never forgetting that the results will reflect the biases dominant in society and in tech company hiring practices.

Being cautious of automated systems means learning how to manually vet your news sources. I am so deeply deeply grateful to my high school U.S. History teacher for hammering in how to work with primary sources. It’s the same skill set for identifying fake news and bad arguments.  It may be harder than you think.  Be scrupulous. Just because someone has won lionized hero status from all your friends doesn’t make them de facto credible.  It makes them dangerous. When you identify a crap news source, cut it out of your life.   I’m going to go against the pack here and take a stand against hate reading poor quality news sources “just to know” if you aren’t a paid professional media watchdog. I am 100% opposed to letting nut jobs have regular access to your mind.  Eyeballs are revenue. Attention is currency.  Follows attach credibility. Let them wither and die.

Cutting a site out of your life should be based on its veracity and integrity, not code for “the author disagrees with me.”  Another important step when cultivating a regular list of news outlets is to go look for news sources that hire people who don’t look like you, love like you or live where you live.  I am very very comfortable making the diversity for diversity’s sake argument from a security mindset. More points of view, more ways to perceive attacks, richer pool of options generated. It’s math, people.  Authors from different walks of life may tweak some confirmation bias reflexes making their message uncomfortable or even appear unbelievable.  Don’t flinch. Listen.

Depending on your country of origin you may need to use a proxy, Tor and/or a VPN to even get access to certain news websites. More insidiously your geolocation, based on IP number, GPS, nearby WiFi networks or location information you’ve given with your account, might determine what information shows up on the page. The vanishing of content will be seamless and untraceable without an active effort to compare what’s loaded from a different “place.”

People are human. They perform to their incentives. Always always always always always always know who or what is paying for the lights to be on. Always. My suspicious, skeptical nature makes me a huge fan of public television and public radio stations, at least the ones registered as 501(c)3 organizations.  There are podcast umbrella organizations that serve the same purpose. Everyone putting out a story has motivations, at least with this specific class of nonprofits they have published mission statements and publicly available financial records.   Cordcutters can get the PBS Newshour via YouTube.

I’m going to be kind of radical here, but consider… print. (Ducks behind arms.) I find it much easier to stay with long form in depth articles when I don’t have the rest of the internet ready to whisk me away with a click or a tap. A compromise might be an app, but be careful with those.

This all harkens back to that early post on having a news rotation.  Some people use twitter lists or feed readers or email newsletters (shudder). I advocate:

  • bookmark folders in the browser bar organized by day
  • a time on the calendar that they get checked
  • an actual timer to make sure the whole day doesn’t get wasted

This browser folder set up allows for a diversity of link types, too. Podcasts, YouTube channels, Twitter accounts/lists and forums can all be popped in a folder with more traditional news sites.  I like the topic-a-day approach, but alternatively one site per topic per day could be another choice. Maybe there is a folder for the must-read-everyday crowd.  I look at sites in the tech and security fields, but also the arts, design, hard science, activism, teaching, the environment… people from different fields may be focusing on a different aspect of a problem or have a different perspective on the world.  Even in the middle of a crisis, one can have a cup of tea. It can be nice to remember that Pluto is just out there, doing its thing. Your priorities will be your own.

This set up gets more complicated for Tor users who need to disguise traffic for personal safety reasons rather than just a simple geofence hop.  Read all the links on Tor safety on the Tor post.  DO NOT use the same browser as your usual sites. Heck, use a whole different computer/boot drive, and never look at them from your home. If your life’s on the line, this guide will help but it’s not nearly enough. The EFF and the new Security without Borders seem like other good places to turn.

We are, at least in part, what we know. What we know determines what we think. What we think changes how we behave. Our behavior creates real impacts on the world. The people who control accepted givens, control everything.  Choose, diversify, curate, refine what gets into your head.  If you think you’re above that kind of influence, you’re the biggest fool of the bunch.

by carlyn at January 06, 2017 11:16 PM

One Thing To Do Today: Threat Actors, “Yes Nazis are Bad” edition.

When I was growing up AMC was actually the “American Movie Classics” channel. No ad men, no zombies. I watched black and white movies from the ’30s and ’40s all the time. Even though it was the 80’s and 90’s, I got indoctrinated into a certain set of core beliefs about American Values.  It is sort of amazing to me that people seem to need to be reminded about one of the ones that was at the top of that list. Nazis are Bad.

Let’s review:

  • Nazis think there is only a small subset of humanity deserving of dignity, and that somehow, magically, they just, oh gee, happen to be it.
  • Nazis steal shiny things that don’t belong to them and try to drape themselves in the glory because they can’t make anything of real substance on their own, because substance requires valuing empathy. Just look at the architecture. All muscle, no heart or head.
  • Nazis enjoy expressions of pain from the not-people who aren’t in their magical golden cohort. The sheeple are just toys or vermin after all.
  • Since a Nazi has no internalized model of you as a human being like them, there are no norms of behavior to limit what they’re capable of doing to you to “win.” Nazis will not only use violence and threats of violence to silence dissent, but degradation as well.
  • Winning to a Nazi is the utter destruction of anything that doesn’t reflect the glory of the cult of Nazi-dom and complete rigid control of anything that remains so that it appears that “all good” only comes from compliance with Nazis.
  • Nazis use fear and favors so effectively, eventually they don’t even need to say anything in order to get others to comply.

Lucky us. In 2017 we have to deal with both literal and figurative Nazis who’ve discovered the internet.  From the Nazi mindset we get trolling, doxxing, fake news, swatting and lots of the other usual suspects directed at those who would stand up against them.  Let’s create our threat actor persona.

Nazi Persona

  • Demographics: People you might never suspect. Everyone has a tribe.
  • Motivation: Your fear. Your silence. For you and your values to vanish from the face of this earth.
  • Willing to Do: Anything

Yeesh. That’s like comic book levels of evil. And that makes it hard to predict what they’ll be capable of. But you know the nice thing about having Nazis as an enemy? Nazis lose.

Attack Vectors

This proto-Nazi figure I’m talking about here wants nothing more than to get into your head. Humans have an operating system. The attention merchants of Madison Ave and Silicon Valley have been gaming it for years. What if instead of getting us to buy toothpaste or in-app purchases, we’ve got some chucklehead trying to make us hate our neighbor?

Drawing a technical system map first would be a huge mistake. Also a mistake, I worry, is leading with the words “Hacking” and “Cyberwarfare” because they cause policy misdirection. The average person will start asking about computer logs instead of about Social Engineering and time-honored PsyOps techniques that just happen to be delivered with new technologies.  This flavor of threat actor doesn’t lead with the technological objectives. Why should we? Let’s think about the different layers a Nazi might try to attack.

  • Drive: Can I take away their reasons for fighting? Can I hide the problems? Can I minimize or dismiss the issues as unimportant or not relevant to most people? Can I make the fight seem futile or not worth the effort?  If a loved one is the reason for fighting can I get control of said loved one? If the majority are happy and well fed, no one will notice as we round up the neighbors.
  • Moral Compass: Can I normalize my values over theirs? Make it seem like this is now “just the way it is.” People hate change so once my way seems like the normal, they’ll even fight for me to preserve “tradition.”
  • Sanity: If I can’t change their values can I try to subvert the facts that their values are based on? Can I discredit people who have access to facts I don’t like? Can I create a scenario where facts aren’t facts anymore? Ideally, can I make my rules become the new “facts”?
  • Financials and Resources: Can I make it so they can’t fund their fight? Jeopardize their income? Assets? Home? Credit rating? Simply use up all their time?
  • Health/Stamina: Can I make them too weak to fight? Induce stress via breaking up supportive communities, removal of simple pleasures, removal of food, removal of healthcare?
  • Physical Safety: Can I end them? Get someone else to do it for me? Can it look like an accident? Even better can I end them in a way that makes people think it’s a false flag? Boom.

Exploits and Mitigations

So at this point you might be thinking, “Seriously Carlyn, Nazis?? I’m calling Godwin’s Law on you.”  To which I’d reply with the flippancy you’d deserve, “Oh you sweet summer child, you need me on this wall.” Even Godwin would back me up on this one.

I am not a conspiracy theorist. I don’t generally ascribe to malice or smoky rooms patterns in society that easily emerge from human nature and math.  But that’s exactly my point.  We got this tribalism thing pretty deep in us and we’ve got this crazy new playing field called the internet that we do in fact have to share with actual people actually sieg-heiling the new president of the United States. This is not a drill.

So what are we going to do? Well we’ll look into each category of vector to understand our vulnerabilities and what we can do about them.  While my emphasis will still be on technology based exploits and their mitigations, not all of the recommendations will be downloads or gadgets.

I leave you with a homework assignment. How has technology been used, intentionally or not, to destabilize you or someone you know from each of these 6 directions? I’m going to give high profile examples.

ALL of these attacks have countermeasures.  We’re going to deploy them all.


by carlyn at January 06, 2017 11:07 PM

One Thing To Do Today: Learn about The Onion Router, Tor

TL;DR Educate yourself before using. If you’re in, download the software, set it up correctly, use it with care.  Next steps include donating to an exit node provider or setting up a relay yourself.

I’ve put off talking about Tor because, well, discussing Tor takes nuance.  Whether or not you decide to bring Tor into your life on the regular, learning about how it works and how clever folks get around it will sharpen your security mindset. I think even if you think, “I don’t need Tor,” there are vulnerable people in the world who could use the cover of your banal data going over the same network. Using Tor doesn’t make you a criminal, and there are great reasons to do so. Since Tor constantly gets pummeled by folks looking for exploits and is therefore also constantly updated, I thought it important to highlight the date of the information being provided. The links get more in depth down each list, so the top ones may be the only ones you need.


FDA Worker uses a glove box to examine lettuce. via Wikimedia Commons

Getting your head around Tor starts with understanding Proxies.  When I think of proxies I think of those glove-box isolation chambers. A proxy lets you handle another website without getting your IP address dirty. That box can also sometimes hold a local copy of a website or file if the person running the proxy predicts a lot of people will want to handle it from one location.  While going through one or more proxies can slow web traffic down by adding hops, local caches speed things up. If you’re using StartPage as your search engine, next to each link is the option of going to the page via a “Proxy.”  Top Google search results tend to be served by proxy by default, so you may be being served from one now without even knowing it.  Proxies DO NOT provide encryption. They’re merely call forwarding.

Tor’s Special Sauce

picture of a grid of a computers with a message following a random path from one side to the next

Message moves through the Tor network via Mashable

The Tor network bounces your requests through a series of proxies via a special protocol called Onion Routing. Each computer only knows about the one before and the one after. It only takes three hops for the originator to become obscured. Onion routing is not just sequential call forwarding. Each new node peels off a layer of encryption, only then discovering who it should send the message on to. Only the exit node will see the original data packet.

Tor isn’t magic

All security products fail. Security is a process. Learning about the ways Tor can fail without writing the whole attempt off completely seems like the most grown-up choice. It’s also kind of a fascinating lesson in secure system design.

Ways to Support Tor

The Tor project valiantly maintains one of the very best band-aids we’ve got for the fact that the internet was not designed to address privacy concerns at its core.  Like with VPNs, if one understands what the tool is for, it’s invaluable to have available. Help the Tor project by going ahead and sending your innocuous data traffic over it, and by setting up a relay node to mitigate that demand. Exit nodes require a deeper level of commitment, but you can donate to support one. If Tor traffic becomes popular and commonplace, more ISPs and server companies will get comfortable with it and the onion routing protocol in general.

Making Tor Obsolete

Folks involved in the Tor project work very hard to make folks safe on the internet as it exists now. But what if the internet was designed completely differently? Although flawed, some of the nascent “Tor alternatives” explore P2P architectures. Look into conversations around the Future Internet. Tools like OpenFlow provide the ability to rapidly prototype network architecture.  Blockchains may not just be for Bitcoin anymore. Have a research group with its own ideas? Submit a proposal.  If this topic tickles your nose try checking out MIT OpenCourseWare 6.033 Computer System Engineering.

I hope this post pointed you in the direction of helpful resources to understand how Tor works, where it fits in the privacy tool box, and how to properly connect to the network.  Tor’s had some struggles, but it’s in good hands.


by carlyn at January 06, 2017 03:27 AM
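The layered "peeling" described in the Tor post above, as an added example that is not part of the original post and is not Tor's own code. It uses a toy SHA-256 keystream plus HMAC as a stand-in for Tor's real cryptography, circuit handshake and cell format; the relay names, keys, destination and payload are constructed for illustration.

```python
import hashlib
import hmac
import json
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one relay key.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream; a stand-in for a real cipher.
    blocks = [
        hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify and decrypt one layer; fails if the key is not this layer's key."""
    if len(blob) < 48:
        raise ValueError("layer too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer does not authenticate under this key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def build_onion(path, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost layer first.

    path is a list of (relay_name, relay_key) in travel order.
    """
    next_hops = [name for name, _ in path[1:]] + [destination]
    blob = payload
    for (_, key), next_hop in zip(reversed(path), reversed(next_hops)):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = seal(key, layer)
    return blob


def peel(key: bytes, blob: bytes):
    """Relay side: remove one layer, learning only the next hop."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])


def route(path, onion: bytes, payload: bytes, sender: str = "client"):
    """Walk the onion through the relays and record what each one could see."""
    keys = dict(path)
    views = []
    hop, blob, previous = path[0][0], onion, sender
    while hop in keys:
        next_hop, inner = peel(keys[hop], blob)
        views.append({
            "relay": hop,
            "from": previous,
            "to": next_hop,
            "sees_payload": payload in inner,
        })
        previous, hop, blob = hop, next_hop, inner
    return views, hop, blob


# Constructed sample data: three relays with random keys.
DEMO_PATH = [(name, os.urandom(32)) for name in ("guard", "middle", "exit")]
DEMO_DEST = "destination.example"
DEMO_PAYLOAD = b"GET /index.html"

if __name__ == "__main__":
    onion = build_onion(DEMO_PATH, DEMO_DEST, DEMO_PAYLOAD)
    for view in route(DEMO_PATH, onion, DEMO_PAYLOAD)[0]:
        print(view)
```

The guard knows who the client is but not the destination or the payload; the exit knows the destination and the payload but only ever hears from the middle relay.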

January 04, 2017

Pumping Station: One

We wish you a Shiny New…Toaster Oven


The kitchen area has some new devices to ring in a proper feast for the New Year!

We now have an AirCrazy on Demand popcorn popper that does not smell like coffee!  It has a hopper for easy popcorn storage and proper serving size dispensing.


The Microwave has full functioning button panels!

I will show you how long your food has to cook, for now…

Behold, a toaster oven!

Go on, make some toast.  You know you want to. It can also bake small items quite efficiently.

be good to me.

Please enjoy, but keep in mind their proper food only use and area safety. Please maintain their cleanliness!

by flyingoctopus at January 04, 2017 01:15 AM

January 03, 2017


Tuesday Sweep: Welcome Back!

Still angry? Me too! But now I’ve got some beautiful smoldering coals that can roast anything.  Let’s get back to work, returning to the sweep!

Tuesday List


  • Self Audit:  Anything you’ve done nagging your conscience? Regret is only useful if it leads to a plan on how to improve.  Me, I reinstalled PokémonGo over the holidays so I could be the cool aunt. I have to spend time thinking about trade offs, examining location settings, and deciding what real coolness looks like.

Continuing Set Up:



Where do you scan for news? I keep an eye out for recent exploits and breaches that have come to light, new tools, interesting ideas, etc.


We are a community. You are a welcome part of it.

by carlyn at January 03, 2017 09:01 PM

NYC Resistor

Nail Art Make-Along on Jan 15

Our ever-popular Nail Art make-along is back on January 15th. This unisex class is aimed at tricking out your manicure (or pedicure)… in simple but unique ways using templates & stamps. Plus, we’ll be doing a nail polish exchange – bring your unwanted nail polish to swap.

Tickets are on Eventbrite.

by Bonnie Eisenman at January 03, 2017 05:14 PM

December 31, 2016

NYC Resistor

New Years Eve Craft Night!

Resistor is open tonight for a special new years craft night! We start at 8pm and go until next year. Come by to hack on projects and celebrate the end of 2016!

by zellio at December 31, 2016 08:22 PM

December 30, 2016

NYC Resistor

Jan 28th: First Resistor CryptoParty of 2017!

Photo courtesy of the Whitney Museum of American Art.

CryptoParty returns to NYC Resistor on January 28th, 2017 for a night of learning about your digital defense in the age of mass surveillance from Fort Meade and Madison Ave. Stop by anytime between 3PM and 9PM and enjoy snacks and skills from a variety of online security practitioners and researchers. We’re hosting a full day mix of talks and hands-on-help.

If you’ve never been to Resistor before, check our Participate page for more info, including the Code of Conduct. Hope to see you there! If you’ve never been to a CryptoParty before, please check out the CryptoParty Guiding Principles.


Saturday, January 28th, 2017 3:00PM – 9:00PM.


NYC Resistor (between Bergen and Dean)
87 3rd Ave. Floor 4 (use this OSM link if you’re Richard Stallman)
Brooklyn, NY 11217

by David Huerta at December 30, 2016 03:20 PM

December 27, 2016

Pumping Station: One

Curse your sudden but inevitable Cookie Decorating

Natural Enemies

A gathering of PS:One members came out to try their hand at decorator frosting piping.

A magical reindeer guided the way.










Blood, sweat and tears were offered.




Grand amounts of fat and sugar were brought to one glorious offering.

this is how it is done

everything naughty

Behold, the rose! You can do it too!









And the results were amazing!

Fantastic Creations

Wee little houses

by flyingoctopus at December 27, 2016 06:55 AM


33C3 : Works for me

Each year with winter comes the Chaos Computer Congress in Hamburg.

2016 edition : 27-30 dec. Survival guide for this 33rd edition :


Streams and Recording


“Works for me”

Like no other, the year 2016 pointed out how well „works for me“ works for us.
It does not. Mutual hate, envy, insensibility and exclusion have driven us apart.

Feeling isolated and threatened, we turn further against each other, take less care of each other and worry even more about ourselves. And yet, we are never alone: Excessive surveillance is now politically normalized, if not for all then at least for those who are different, intractable, foreign.

Let’s break this vicious circle.
Let’s get together and live our utopia.
Let’s strive for something that works for all of us.

And let’s fight those, who will not let us!

Welcome to the party! :-)


With each winter comes the Chaos Computer Congress, this year from December 27 to 30.

More than any other, the year 2016 showed how well “works for me” works for us.

It does not work: mutual hatred, envy, insensitivity and exclusion have torn us apart. Feelings of isolation and threat set us against each other, making us take less care of one another and worry more about ourselves.

And we are still not alone: excessive surveillance of everyone is now politically normalized, or at least of those who are different, foreign or rebellious.

Let’s break this vicious circle.

Let’s come together and live our utopia.

Let’s fight for something that works for each of us.

And let’s fight those who will not let us!

by sam at December 27, 2016 12:24 AM

December 26, 2016


Testing credit card charges with Stripe in a simple Rails app

Following up on suggestions from the board meeting to look at Stripe for charging member dues, I found a couple Rails tutorials and deployed via Heroku… it works with a few lines of (rails) code! The reason to maybe not use “gravity forms + stripe” just yet is because I think it is $200/yr — you need a Gravity Forms Developer License according to:
Yikes. Is that right? Different sites report different $$ so until someone at Hive tries it we may never know!

Well, we can just make our own embedded form, and Stripe can also deal with subscriptions painlessly, apparently. Try it with the herokuapp link below:
*****WARNING: it will actually charge your CC $1. I promise to deposit it back to Hive*********

Heroku is great, you deploy via github so we could also make the forms public (our private Stripe key is configured only in heroku and is NOT in the github repo). Here’s the rails app on github so we can collaborate; I put all the details for how I did this in the


Some more to think about:

1) Let’s make a member application fee of $1.00. This will ensure prospective members have Stripe setup BEFORE they become a member! Much better than if they are voted in but never actually pay…!

2) I think we should charge the Stripe fees *to the member*. This way we have dependable operational costs. You can see attached that a $5 charge results in only a $4.55 net gain because of the stripe fees, but this is still low cost and dependable for now (Stripe charges 2.9% + $0.30 per transaction). So we would need to charge users fee*1.029 + $0.30 (rounding up by cents; Stripe only charges whole cents) for each fee we designate. Then if Stripe changes fees in the future we just update this amount and Hive still has dependable operational costs.

3) Stripe is nice! Your CC will properly process whatever we write into stripe, here’s how it shows up on my card statement:

4) Right now funds get deposited into my personal checking account (!!) since I don’t have the Hive76 bank account number. Does someone want to give me that? Or I can coordinate this with the treasurer. Again, I promise to deposit your test charges back to Hive.

5) Obviously it needs beautification, choice between member rates, a way to subscribe, etc. But that’s all optimization for later, this rapid hack was about feasibility. It’s feasible to use stripe!

Here’s what you see in the Stripe Dashboard:

by Daniel Toliaferro at December 26, 2016 06:40 PM

NYC Resistor

We’re open for Craft Night tonight


It’s Boxing Day, but that’s not stopping Craft Night. Monday Craft Night / Knit Knight are still happening – come by after 7pm-ish and join us.

And here are some goats in sweaters, just because.

by Bonnie Eisenman at December 26, 2016 01:30 PM

December 23, 2016


Thank You Shuttleworth Foundation

I’m very honored to announce that I have been the recipient of a Shuttleworth Foundation “Flash Grant” to continue working on the “One Thing” privacy and security series!

The money will allow me to keep going with better, more in depth articles… Hopefully with projects, maybe be able to turn them into a class, more organized online-resource.  Thinking about the possibilities has certainly brightened my December. The series will be back Tuesday Jan 3. refreshed and organized!

The ideals of the Shuttleworth Foundation, “openness, integrity, commitment, accountability, and respect for others,” line up so well with the founding principles of CRASH Space and what I’ve been trying to do with this series. I am deeply grateful for the encouragement. It has made a world of difference.


Shuttleworth Foundation from Blink Tower on Vimeo.

by carlyn at December 23, 2016 06:24 PM

December 22, 2016

NYC Resistor

NYE Craft Night Special!!

Last year, we had a craft night on new years eve and it went swimmingly so listen up:

Craft Night happens almost every Thursday but this time it’s on a Saturday, because it’s NYE and this is a special public night.

This time there will be dancing:

And there will be science:

So stop by and meet people, share knowledge, and work on your projects. Don’t forget to bring a project to work on!

Feel free to bring snacks or drinks!

This event, like all NYC Resistor events, is 18 and over and governed by our code of conduct.

More information:
NYC Resistor Code of Conduct:

by zellio at December 22, 2016 03:28 PM

December 21, 2016


One Thing To Do Today: On dark days, be the light.

On this darkest day of the year, let’s talk about the chilling effect poor privacy and security policies can have on civil discourse. While the idea has a longer history, the phrase “chilling effect” was brought into modern legal vernacular in the 1950’s via Lamont v. Postmaster General. The US Congress had actually passed a law where a person expecting to receive information about communism in the mail had to notify the post office of their intent to do so in order to have the package delivered.  The law was struck down by the Supreme Court (8-0, one abstention), citing the notification requirement’s ability to inhibit behavior legal under the first amendment, even if it didn’t directly prohibit it.  More recently, champions of the free exchange of ideas on the internet use the phrase to describe the consequences of our malformed copyright laws.

How does this apply to security and privacy? The overwhelming majority of technology companies still fail to include security concerns during requirements or design phases. Valuing customer privacy comes dead last on priority lists. Protection from harassment arrives in half-hearted fits and starts. Folks worry that even making an effort to learn about security tools will make them look suspicious. So we shrink.  We don’t need that hassle. Sharing a link on twitter to support my candidate, oh, I don’t want to piss people off. Hmmm, maybe I shouldn’t be wearing that ACLU t-shirt in my selfie? Maybe I shouldn’t buy that hacking book with a credit card, much less on Amazon?  Maybe the world doesn’t need to know about this great restaurant, since it’s so near my home… In fact, maybe I’ll just stay home. Be a good girl. Bake cookies.

That’s the Chilling Effect. Feeling like there are no good choices but conforming choices. Humans are great at picking up norms. We don’t even need to be told what not to do.  We can end up going full out the other side, manipulated into becoming the horror ourselves as we seek to please.

We have an equal weapon.  Positive peer pressure works, too. Professors took over YikYak with affirming messages. Campaigns like the twitter hashtag #EFFintheWild help normalize support for digital rights. Being in proximity to lots of small protests can change more minds than big ones. It only took one person breaking the record to make running the 4 minute mile a thinkable thought for so many others.  Stand up on the desk first, others are waiting.

Maybe you don’t feel that revolutionary. Great. You’re needed even more to move society closer to the tipping point for prioritizing security and privacy for average people. People tend to do the default.  So help change what society and tech companies consider the default. Need to send a recipe or cat picture? Use ProtonMail through a VPN to a Tor node from your encrypted phone.  Use Signal to plan for New Years celebrations.  Moving to “fringe” products for mundane communications helps create a Me-Too effect, companies racing to compete. Non-activist, non-lawyer, non-politician, non-journalist consumers need to be in the game. Use how “normal” you are to send a message.

So while it feels cold and dark right now, simple actions can make a difference. To yourself, to the community. It all adds up. Burn bright. The path you light isn’t only your own.



by carlyn at December 21, 2016 09:47 PM

December 20, 2016


One Thing To Do Today: Phones get lost and stolen. Encrypt them.

TL;DR: After doing the Tuesday Sweep, read ArsTechnica’s guide on disk encryption. Add making sure devices have encryption turned on as part of the sweep.

Too few smart phone users have their phones both up to date and encrypted.  Thankfully ArsTechnica has written today’s post for me with its excellent guide on disk encryption that covers not only the phone, but computer disks, too.  Among other things, it feels easier to sell/recycle a phone when the last information you had on it before the factory reset was encrypted anyway.

Collections of files can be quickly encrypted using DiskUtility on a Mac or VeraCrypt on Linux and Windows machines.  For Linux users, tomb looks like an interesting contender.  Tomb has chosen simplicity and openness to mollify justified fears about backdoors. While these tools cannot replace a full secure workflow, their use is a step in the right direction.

Devices go AWOL. With back ups and encryption all that’s gone is an easily replaced widget.


by carlyn at December 20, 2016 07:41 PM

December 17, 2016


One Thing To Do Today: Time for some tinfoil

In action movies the experienced guide grabs the befuddled hero’s mobile phone and rips out the battery.   Fiddling with location settings helps, but that can’t prevent everything as this documentary about a guy tracking his cell phone thief shows. Even having the phone off, and the main battery out may not be enough.

Since my phone requires special tools to open, I’m sure my world-weary sensei would shake her head and simply chuck it out the window.  But I like my phone, and apparently other people like theirs enough to have spawned a signal dead-zone industry.  Commercial Products abound, although my favorites have gone out of business.  It’s also fairly easy to hand-make one’s own “faraday cage” bags. I’m hoping that member Barb Noren, of Barb Makes Things fame, will give me a sewing machine lesson sometime soon.  I purchased two kinds of fabric on Amazon, but provides even more options.

Make sure to test your bag or case before relying on it. At Purdue a student did a master’s thesis on just that. Some bag making and usage advice… NO GAPS, make sure to close that flap.

Can’t wait for shipping? Stuff a phone into a fridge or microwave, but those aren’t particularly portable. A cocktail shaker should work as well. For super old school, but still effective, go tinfoil. No calls will get through with it all wrapped up like a burrito, but that’s the point after all.

by carlyn at December 17, 2016 11:31 PM

December 16, 2016


One Thing To Do Today: Threat Model 5, How to look for mitigations

We had a great conversation with Santa, but it won’t help us at all if we don’t look for ways to thwart him. Real mitigation plans (PDF) by real experts take quite some time. I’m going to sum up the process starting by recapping the vulnerabilities and attack vectors he mentioned specifically to make sure our brainstormed solutions actually address them. Next I’ll make a table to help prompt ideas for possible solutions.  That will be enough for today, but future posts will have filled out the tables for the different vulnerabilities.  Still after that comes ranking the choices into an action plan.  Whew.

What vulnerabilities did Santa find?

What vectors did Santa discuss?

Santa has a lot of confidence in his social engineering skills.  Most of his exploits involve getting someone to willingly help rather than cracking a password or trying a man in the middle attack.  Santa specifically mentioned that he likes to call, examples of which are available on YouTube. Companies need to have well designed permission structures and data access procedures in place since humans have their “only human” thing going on.  This is incredibly hard to verify as a consumer.

Santa also mentioned that he could go direct to consumer with his own game app designed to seduce.  If it actually was fun, it wouldn’t be quite the same as a counterfeit app. I’m pretty sure I’d be helpless against it.

One rather suspicious omission: Santa, despite his B&E skills, didn’t mention his ability to just walk into houses while people are sleeping and suck down data from the devices themselves. Given his ability to hit millions if not billions of houses in one night, that’s kind of a weird vector not to try.   My alarm bells have gone off.

Also not raised by Santa: facial recognition by surveillance cameras. I’m not sure how else he’s pulling off the “He sees you when you’re sleeping” bit. I might troll him a bit by adding some Nasim Sehat eyewear to my wishlist.

  • Upstream Social Engineering, specifically “vishing”
  • Mobile app with deceptive practices
  • (Accessing devices)
  • (Visual surveillance data)

Ways to mitigate

So the great chasm of vulnerabilities has opened. Everyone has their own way to handle staring chaos in the eyes. Mine is to make tables.

Across the top of the table I’ve put  the layers of technology the average consumer deals with, from easiest to control to the least.  Sort of. Putting people first might be a mistake. Bad habits get forged from adamantium, I know.

Down the left are classes of mitigations, as I understand them.

                                      | People | Installed software | OS, Hardware | Networks | External Accounts
Reduce attack surface                 |        |                    |              |          |
Reduce procedural vulnerabilities     |        |                    |              |          |
Reduce technological vulnerabilities  |        |                    |              |          |
Block specific exploits               |        |                    |              |          |


Reduce attack surface: People build forts on cliffs, on peninsulas, inside moats to reduce the number of approaches enemies have to get to them. They’ve reduced their attack surface. Solutions that reduce the number of accounts, apps, devices, open ports shrink the attack surface that threat actors can exploit.

Reduce procedural vulnerabilities: The things that people do that make the system unsafe.  An example of a procedural improvement? Let’s say there is a message for you from someone at your bank saying they have an urgent message. Right now your procedure might be to simply call that number back. Fixing that procedural vulnerability might mean replacing that one step process with a list of actions:

  • search for the original number online
  • look up their main customer service number
  • call the main customer service number instead no matter what
  • report the initial call to the FTC if the bank doesn’t confirm that they called

Procedural problems can have technical fixes as well.  An IT department might block phone calls to and/or from known spammers. Individuals can install apps on their phones.

Reduce technical vulnerabilities: The simplest example? Software has bugs. Updates tend to remove bugs. You’ve removed a technical vulnerability.  Sadly sometimes the technical vulnerabilities come baked into the architecture. For a consumer that may mean switching services, operating systems or hardware to options that take security and privacy more seriously.

Block Specific Exploits:   Here we switch from strategic to tactical. Sometimes a vulnerability can’t be removed from the system immediately. Can’t have cell phones without cell towers for the time being. Sometimes a narrow tool (VPN) to address a narrow problem (unprotected data going through a spoofed tower, not the fact of the connection) provides the least bad choice.

Lobby/Sue:  Sometimes there is already a legal protection against what’s happening. When a company has left you vulnerable by violating their published privacy policy they can be reported to the FTC, for example.  These represent my least favorite mitigations, but they do exist.

Tomorrow I’ll pick a vulnerability and start filling the table out. Maybe give it a try on your own.

by carlyn at December 16, 2016 11:47 PM