First, the Mooltipass BLE. I reviewed the Mooltipass Mini – itself a successor to the original, bulkier Mooltipass – back in Issue 168: a compact, metal-encased device, the Mooltipass Mini holds your passwords in encrypted storage accessible only using a smartcard and four-digit hexadecimal PIN. I’ve been using the Mooltipass Mini with great success since its launch, but it’s always a bit of a pain to use with a mobile device – requiring a USB cable and OTG adapter.
The Mooltipass BLE aims to fix that, by integrating a Bluetooth Low Energy radio. While it can still operate in tethered USB mode, the Bluetooth radio plus internal battery give it a newfound freedom – though my experience is as a beta tester, with finalised and fully-functional firmware still under active development before the device goes on open sale.
The FLIR ETS320, by contrast, is a fully-finished piece of hardware. Regular readers will know that I’ve long been an advocate of thermal imaging analysis for revealing the secrets of electronic devices, and the ETS320 is a considerable upgrade from my usual FLIR C2: the 80×60 resolution thermal sensor of the C2 is replaced by an impressive 320×240 version in the ETS320, at the cost of a dramatically reduced maximum focus distance. I’d also like to thank FLIR for its partnership: the ETS320 has become a permanent fixture in my toolkit, and will be used alongside the C2 for thermal analysis in future hardware reviews.
Finally, the Raspberry Pi 4 Model B 2GB. While the board itself isn’t new, its pricing is: Raspberry Pi Trading recently decided, prompted by falling RAM prices, to retire the 1GB model and make the 2GB model the new entry point into the family. “2GB is a much more viable desktop platform than 1GB,” RPT chief executive Eben Upton told me in an interview for the column. “1GB is great for embedded, but for a desktop platform it’s just a little bit too tight. What it means is that we’re now back to having a really viable desktop machine at our signature price point.”
The full column is available now in Custom PC Issue 201 at your local newsagent, supermarket, or for global delivery from the official website.
This month’s Hobby Tech column takes a look at an open-source microcontroller-driven hobbyist oscilloscope and a book which aims to document art in video games, while also walking readers through the rather handy trick of setting up a reverse SSH tunnel.
First, the tutorial. Since Code42 announced that CrashPlan Home, my chosen off-site backup solution, was being discontinued, I’ve been looking into alternatives. A Raspberry Pi with a USB hard drive and a copy of Syncthing installed does the job nicely, except for the issue of management: once it’s off-site, I’d have to configure someone else’s router to forward a port so I can SSH into it. An easier alternative: a reverse SSH tunnel.
Where a traditional SSH connection goes from local device to remote host, a reverse tunnel goes from remote device to an intermediary device – in my case, a home server on my own network. Your local device then also connects to said intermediary device, and you have full access to the remote device regardless of whether or not it’s behind one or more firewalls or even whether you know its public-facing IP address.
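The three sides of that arrangement, sketched as an added example rather than the column's own tutorial. The host name `home.example.net`, the `tunnel` account, port 2222 and the `offsite-pi` alias are constructed placeholders; the `permitlisten` key option needs OpenSSH 7.8 or later on the intermediary.

```shell
#!/bin/sh
# Added example: a reverse SSH tunnel with the relay-side key locked down.
# Host name, account name, port and alias are constructed placeholders.
RELAY=home.example.net   # intermediary: the home server both sides connect to
TUNNEL_USER=tunnel       # unprivileged relay account used only by the Pi
LISTEN_PORT=2222         # loopback port on the relay that leads back to the Pi

# Runs on the off-site Pi. It dials OUT to the relay, so nothing has to be
# forwarded on the remote router, and asks the relay to listen on
# 127.0.0.1:LISTEN_PORT, passing connections back to the Pi's own sshd.
# ExitOnForwardFailure makes ssh quit if the listener cannot be created;
# the ServerAlive options make it notice a dead link within about 90 seconds.
# DRY_RUN=1 prints the command instead of running it.
pi_tunnel() {
    ${DRY_RUN:+echo} ssh -N -T \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${LISTEN_PORT}:localhost:22" \
        "${TUNNEL_USER}@${RELAY}"
}

# Runs on the relay: prints the authorized_keys line for the tunnel account.
# "restrict" switches off PTY allocation, agent/X11 forwarding and all port
# forwarding; "port-forwarding" switches forwarding back on, and permitlisten
# confines remote (-R) listeners to 127.0.0.1:LISTEN_PORT.
relay_authorized_key() {   # $1 = the Pi's public key (contents of its .pub file)
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
        "$LISTEN_PORT" "$1"
}

# Runs on your own device: hop through the relay (-J) to its loopback port.
# 127.0.0.1 is resolved on the relay, so the session lands on the Pi's sshd.
# HostKeyAlias files the Pi's host key under a stable name in known_hosts
# instead of "[127.0.0.1]:2222".
admin_connect() {   # $1 = your login on the relay, $2 = login on the Pi
    ${DRY_RUN:+echo} ssh -J "$1@${RELAY}" -o HostKeyAlias=offsite-pi \
        -p "$LISTEN_PORT" "$2@127.0.0.1"
}

# Dispatcher: "pi" keeps the tunnel up, "relay KEY" prints the key line,
# "admin RELAYLOGIN PILOGIN" opens a session. No argument does nothing.
case "${1:-}" in
    pi)    while :; do pi_tunnel; sleep 15; done ;;   # redial if the link drops
    relay) relay_authorized_key "$2" ;;
    admin) admin_connect "$2" "$3" ;;
esac
```

Because the listener is bound to the relay's loopback address, the Pi is reachable only by someone who can already log in to the relay.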
The first of the reviews, meanwhile, is a little cheeky: while the device on test is based on the JYE Tech DSO138 open-source oscilloscope design and firmware, I’ve been using a clone rather than an original – having spotted it on offer during an Amazon sale and been unable to resist a bargain. While the conclusions I draw on the scope’s functionality and usability apply equally to both, a first-party JYE Tech version is likely to feature better build quality and certainly includes better support.
Finally, my review of the coffee table tome – yes, another one – Push Start: The Art of Video Games is one of those rare occasions where I’ve been disappointed by what should have been a product aiming for a very low bar. While the full-colour hardback publication includes plenty of high-quality pictures, it also includes some extremely low-quality screenshots as well – particularly noticeable at the beginning where vector games are captured as bitmaps using MAME’s default ultra-low resolution, and at the end where tell-tale artefacts show the use of third-party JPEG images rather than first-party captures. Worse still is the limited accompanying text, which is riddled with errors.
The latest Hobby Tech is available now from newsagents, supermarkets, and electronically via Zinio and similar digital distribution services.
First, the vintage gaming feature. Building on a brief from editor Ben Hardwidge, I wanted to do something a little more in-depth than the usual how-to guide. The result is a seven-page feature which begins with a look at the wealth of accessories available to turn a Raspberry Pi or other single-board computer into a powerful emulation station, a two-page expert guide to the legalities of emulation in the UK, step-by-step instructions on downloading, installing, and configuring RetroPie on a Raspberry Pi, and a look at entirely legitimate sources for read-only memory (ROM) game images.
While I’m fully equipped to handle the how-to and look-at-the-shiny-things sections of the guide myself, the legal aspect required an expert eye kindly provided by Eaton Smith LLP partner Chris Taylor. Legal counsel to a variety of game development and publishing companies, Chris kindly walked through the legalities of developing, downloading, and using emulation software and hardware under UK law – and even threw in a cheeky topical reference to Ernest Cline’s Ready Player One ahead of the release of its film adaptation. I’m also grateful to The Internet Archive’s software curator Jason Scott for taking the time to discuss the Archive’s vast trove of software and in-browser emulation functionality.
Meltdown and Spectre, meanwhile, are a lot less fun. The names given to a quartet of security vulnerabilities hard-baked in to the vast majority of processors built since the 1990s, Meltdown and Spectre are unarguably the worst things to happen to the computer industry since the death of the Commodore Amiga. My three-page look discusses the vulnerabilities, how they can be exploited to gain access to supposedly-protected information, and what companies are doing to fix the problems – and, spoiler, the conclusion there is “not nearly enough.” Since the piece was written, though, there’s one thing to note: installation of the KB4056892 patch for Windows 10 includes faulty microcode protection from Intel which can cause systems to reboot spontaneously, which is resolved through the installation of KB4078130 at the cost of disabling protections against one of the two Spectre vulnerabilities.
Finally, Hobby Tech itself opens with a look at the clever but fragile Opendime from cryptocurrency start-up Coinkite. Designed to turn Bitcoin into a digital bearer bond, an Opendime creates a private key which is stored in a secure enclave accessible only by irrevocably modifying the device by popping off a small surface-mount resistor. So long as the resistor is intact, the theory goes, nobody has access to the private key – meaning you can accept the device as payment without risk. Sadly, since my fairly glowing review was written two things have changed: the Opendime I’ve been carrying around on my keyring has unsealed itself without any visible damage to the resistor or the heatshrink which protects it, an issue Coinkite’s founder and support team have singularly failed to address, and the high transaction fees on the Bitcoin network have dropped from around £20 to around 20p meaning one of the major benefits of using a £15 USB device for in-person transactions has been lost.
The iFixit Pro Tech Toolkit, by contrast, is a significantly happier story. I’ve long been a fan of iFixit’s teardowns and the software they developed for presenting the information, so a toolkit with the iFixit seal of approval was high on my want list. Having now received one, I can confirm it’s no disappointment: from the high-quality tools, all bundled with the express intention of making it as easy as possible to dismantle modern electronics, to the smart multi-function storage case, the entire bundle is pleasingly robust.
Finally, Commodore: The Amiga Years. The follow-up to author Brian Bagnall’s Commodore: A Company on the Edge, The Amiga Years was officially cancelled years ago before being resurrected through a crowdfunding campaign. Since the closure of the campaign, however, the project was beset by delays and a last-minute editing decision that sees the final third of the story, taking Commodore to its sad demise, spun out into yet another book – a move backers criticising the decision have positioned as a blatant attempt at extracting more money. As with A Company on the Edge, though, the story told in The Amiga Years is one well worth the entry price – if suffering a little from Bagnall’s wandering editorial process, whereby topics raised as though you should already know them in Chapter 2 won’t be formally introduced until Chapter 5.
All this, and slightly less stuff by people who aren’t me, can be found at your nearest supermarket, newsagent, or digitally via Zinio and similar services.
Starting with the latter, A Gremlin in the Works is another fantastic coffee-table book from retro computing publisher Bitmap Books (the founder of which, Sam Dyer, I interviewed back in Custom PC Issue 136). Written by Mark Hardisty based on exhaustive interviews – and retaining the question-and-answer style of the transcripts, making for an accurate rendition of the subjects’ thoughts but a slightly tiresome read – the two-volume book chronicles the rise and fall of gaming pioneer Gremlin Graphics. As a massive fan of Gremlin’s output – to this day the intro music to Hero Quest brings joy to my heart, and I blame my sweet tooth on a Zool addiction – A Gremlin in the Works is a book I’d long been looking forward to reading, and I’m pleased to say it didn’t disappoint.
Blog in a Box, meanwhile, is an interesting beast. At its heart, it’s a single-purpose GNU/Linux distribution for the Raspberry Pi created by Automattic as a means of making it easier for people to run the WordPress blogging platform from the device. It’s not provided as a downloadable drive image, as with most distributions, though; instead, Automattic has written a cross-platform program which customises various settings – title, passwords, email accounts, things like that – and configures them so the Pi is ready to rock on first boot. It’s a neat idea, but one which still needs polish: I found the Linux version failed to run properly on my Ubuntu 16.04 desktop, and several features promised by the tool were disabled when the Pi actually started up. It’s a tool with promise, though, and I look forward to revisiting it should Automattic release an update.
Finally, the Mooltipass Mini. The brainchild of Mathieu Stephan, the Mooltipass Mini builds on its non-Mini predecessor to create a pocket-sized hardware password safe for all your accounts – or, at least, as many as will fit in 8Mb (1MB) of internal memory. The Mooltipass Mini is a tool for the adequately paranoid: passwords, though not usernames, are stored in the device’s internal memory under AES-256 encryption with the private key located on a removable smart card itself locked with a four-hexadecimal-character PIN. When a password is required, its entry can be found on the screen and the Mooltipass does its best impression of a USB keyboard by typing the account details in on your behalf – or, when the optional software is installed, filling in forms in browser windows automatically upon manual confirmation on the device itself.
As someone who has long advocated for the use of password managers to promote high-quality password use and discourage password reuse, I find the Mooltipass Mini a near-perfect companion. It addresses the majority of the problems with traditional password managers, like how to keep the encrypted database accessible while preventing its theft. While there are undeniable issues, such as the £61 (inc. VAT) retail price and the need to buy two so you have a backup to use if the primary one fails, it has become a part of my security arsenal – and one I feel comfortable using thanks to the project’s open-source nature for both the software and underlying hardware.
All this, and a whole mess of other things written by people who aren’t me, is available in the latest Custom PC Magazine from your nearest supermarket, newsagent, or electronically via Zinio and similar digital distribution services.
There’s a bit of a theme to four of the five pages that make up this month’s Hobby Tech column, and with little surprise: I’ve been focusing on the Raspberry Pi Zero, that remarkable £4 microcomputer which is still proving impossible for retailers to keep in stock. That’s not to say it’s entirely Pi-themed, though: I found room for a look at the lovely CodeBug, too.
Naturally, the first thing I had to do when the Raspberry Pi Zero – a fully-functional Raspberry Pi microcomputer, equivalent in specification to the Raspberry Pi Model A+ but with twice the RAM at 512MB and a new 1GHz stock speed for the BCM2835 processor. The fact that the Raspberry Pi Foundation was able to pack all that into a device around half the footprint of the already-tiny Model A+ is impressive enough, but with a retail price of just £4 the Pi Zero is nothing short of revolutionary.
Sadly, my hope that stock issues would be cleared up by the time the issue hit shop shelves proved unfounded: while stock has appeared at the official outlets several times since the Pi Zero launched, it has immediately sold out again – making the device difficult to get hold of and leaving the market rife with sandbaggers flogging the £4 device for anything up to £50 on auction sites. My recommendation: be patient, keep an eye on the official outlets, and don’t reward the sandbaggers with your custom.
With the Pi Zero in hand, I figured a tutorial would be a logical next step. Perhaps one of the most impressive demonstrations of the new form factor’s flexibility comes in turning it into a true random number generator (TRNG) – at least, what Broadcom claims is a TRNG – for a USB-connected server or PC, improving security for a tenth the cost of the nearest off-the-shelf TRNG. While I used the simple method of attaching a USB-to-TTL serial adapter to the Pi Zero’s GPIO header, it’s even possible to create the same device with a single USB cable for data and power by replacing the stock kernel with one tweaked for USB OTG use – a cost-saving trick for another column, perhaps.
Finally, the CodeBug. I’d been planning on reviewing this for some time, but getting my hands on a sample proved tricky until oomlout was kind enough to loan me a unit from the device’s original crowd-funding campaign. Designed for educational use, and the inspiration for the BBC’s much-delayed micro:bit, the CodeBug is a microcontroller with on-board inputs and outputs and a built-in battery connector. Programmed using a modified version of the block-based Scratch language, it’s a great tool for teaching basic computer concepts – and I now have my hands on a few upgrades for the device, which will be appearing in a future issue.
All this, plus a bunch of stuff written by people who aren’t me, can be yours with a trip to any good newsagent, supermarket, or from the comfort of wherever you’re reading this via Zinio and other digital distribution services.
In this month’s Linux User & Developer, following my regular four-page news spread, you’ll find a review of a device that’s a little out of the ordinary: the NeuG, a true random number generator (TRNG) which costs a remarkably small amount.
When you’re using cryptography, you’re chewing up your system’s supply of randomness – or entropy. Linux, in common with other operating systems, works to fill its entropy pool by sampling a variety of things: traffic coming in on the network port, where you’re pointing the mouse and how fast it’s moving, and even how long it takes you to press particular keys. That’s all well and good for a desktop, but for a headless server it can take a while to fill a depleted entropy pool.
Coupled with the fact that it’s very difficult for a computer to produce truly random output, there’s a market for true random number generators. These devices typically cost a small fortune but use a variety of techniques – ranging from physically breaking down pieces of hardware with high voltages and measuring the resulting changes to pointing a webcam at a lava lamp – to generate a constant stream of high-quality entropy.
Enter the NeuG, which was kindly supplied for test by the Free Software Foundation. While it looks like a flash drive that has lost its casing, the device is actually a miniature computer in its own right. Using on-board analogue sensors, the NeuG can generate what is claimed to be a stream of true random numbers – numbers which are then pushed through a conditioning hash and spat out of a virtual serial port. Simply link the NeuG to something like the rngd entropy gathering daemon, and kiss goodbye to entropy exhaustion in even headless or virtualised environments.
I have been extremely impressed with the NeuG, especially given its low $50 cost. While there are cheaper alternatives – such as using a $5 Pi Zero and USB TTL serial adapter to create something similar using the BCM2835’s on-board hardware random number generator module – the NeuG’s free nature, whereby the design and source code are all available for review and modification, makes it a great choice where certified security isn’t a requirement.
For the full run-down, including benchmarks, you can pick up the latest issue of Linux User & Developer from your nearest newsagent, supermarket, or electronically via Zinio and similar digital distribution platforms.
Opening the pages of this month’s Linux User & Developer magazine, you’ll not only find my usual four-page news spread but also a two-page review of some rather snazzy new encryption software: Encryptr.
Cloud-powered password managers are all the rage these days – I use one myself – but they all suffer from one fatal flaw: storing the keys to your digital kingdom on someone else’s server is risky business. Services like LastPass try to work around this by performing encryption and decryption client-side, but anything that allows you to log into a website and view your data is a risk – but one that could be worth taking thanks to the plus sides, such as synchronising password changes between devices and allowing you to use unique, complex passwords freed from the requirement to memorise them.
Encryptr is an open-source project which looks to offer the best of cloud-based and local password management. Developed by an employee of noted zero-knowledge backup service SpiderOak, Encryptr is based on the company’s Crypton framework. Unlike traditional cryptographic systems, Crypton promises security by ensuring that the remote server has no information – hence ‘zero-knowledge’ – of the data or how it was encrypted.
It’s a neat system, and Encryptr goes quite some way to demonstrating how easy it is to build around the Crypton framework, but it’s early days for the software. It’s still missing some key features – it currently uploads to a pre-set cloud server under the author’s control, with no option to choose your own storage back-end – and the Crypton framework needs an audit to prove its security claims. It certainly shows promise, though, and the inclusion of an Android client is undeniably handy.
To read the full review, plus my usual news spread and a bunch of interesting stuff written by people who aren’t me, head to your local newsagent, supermarket, or stay where you are and pick up a digital copy via Zinio or similar services.
In the latest issue of Imagine Publishing’s Linux User & Developer, in addition to my usual four-page spread of the latest news from the world of open source, I review the Synology DS414j network attached storage (NAS) system and the Duo Security two-factor authentication platform.
I actually came across Duo Security when I learned that support for the platform had been added to the LastPass password management service. Signing up for an account and registering my details, I found that the software could be quickly and easily used to protect an SSH server – and with more than one public-facing SSH server, that piqued my interest.
Duo Security is a two-factor authentication system which uses push messaging to a smartphone application, turning your phone into the ‘thing-you-have’ portion of the setup and precluding the need to buy a dedicated security token. There’s fallback to other authentication measures, from offline token generation similar to Google Authenticator through to SMS and even voice call functionality. Better still, an account is free for ‘enterprises’ of fewer than ten users.
The Synology DS414j, meanwhile, is the latest NAS device to appear from the company and one designed as an upgrade from its popular dual-bay boxes. Featuring four 3.5″ SATA drive bays, the DS414j comes with Synology’s excellent DiskStation Manager (DSM) Linux distribution, but there’s little doubting corners have been cut: the drive bays are not hot-swappable for a start, which means downtime if you need to swap out a failed drive.
My conclusions on both products, plus my take on the most interesting open-source stories of the month, can be yours with a simple trip to your local newsagent or supermarket, or digitally via digital distribution services like Zinio.
Aside from my regular four-page news spread, this month’s Linux User & Developer includes two reviews: the Intel Galileo board, the company’s Quark-based answer to the Raspberry Pi; and the Pogoplug Safeplug, a Linux-based privacy-enhancing TOR gateway.
First, the Galileo. I was lucky enough to get my hands on one of the first retail units to hit the UK, and was eager to see what Intel had come up with. Based on its low-power Quark processor, which is a die-shrunk version of the classic Pentium instruction set architecture, the Galileo boasts full x86 compatibility and plenty of on-board connectivity. Where it differs from its rivals – and anything Intel has ever produced before – is that it’s also Arduino certified, and fully compatible with shields developed for that microcontroller’s esoteric pin layout.
It promises much: on-board Ethernet, out-of-the-box support for existing Arduino sketches, the ability to run a Linux environment, and even a mini-PCI Express slot on the rear for adding in wireless connectivity or other additional hardware. Can it live up to expectations? Well, you’ll have to read the review to find out.
The Pogoplug Safeplug, despite what the contents page splash might suggest, is not a storage device; rather, it’s a modified version of the company’s existing embedded storage gateway product to find a new market in the post-Snowden world. Connected to your internal network, the Safeplug acts as a gateway to the TOR network; all traffic is encrypted and anonymised with little client configuration required. As an added bonus, there’s even an advertising removal feature.
My verdict on both devices, plus stories covering Ubuntu 14.04, the Intel Next Unit of Computing, the Penn Manor School’s move to Linux, a £15 Firefox OS smartphone, Cisco’s IoT security challenge, the Nokia X and more can be yours in newsagents now. Alternatively, you can get the magazine digitally via Zinio.