rrebelo's comments

rrebelo | 5 years ago | on: Show HN: Smartlock your Mac with any Bluetooth device, not only the Apple Watch

Hi all, author here.

On macOS (Mojave, Catalina, ...) you can lock/unlock the computer with an Apple Watch by proximity. But I don't want an Apple Watch...

So I made a program to replicate this feature. It connects to any (classic) Bluetooth device and keeps monitoring the intensity of its Bluetooth signal (RSSI). When it is below a threshold (defined by the user) it locks the computer. When it is above, it unlocks.

Unlike Apple's version, my program doesn't require WiFi and works even with older Macs that don't support Auto Unlock. However, it doesn't handle admin login or do 2-factor authentication yet. That might come later.

I posted here before a Windows version[0], but it only works with Android phones.

[0] https://news.ycombinator.com/item?id=16476882

rrebelo | 7 years ago | on: Social networks are no longer social

Regular expressions do cover most of the basic cases.

It will not handle some of them. But I discovered that partisan politics follow a Pareto rule, of sorts: 80% of the talk is around a small set of words. If you remove the adequate 80%, what remains is very ineffective, grotesque and pathetic communication. It is not enough to get people excited or willing to fight.

The tricky part is to keep changing the set of words and regular expressions. Particularly in the months before an election, the terms to filter go through intense change. After that they remain very stable.

Edit: I am trying now to use the Levenshtein distance[1] algorithm to preemptively detect the tricks you describe, of people deliberately changing some word in order to fool the regular expressions.

[1] https://en.wikipedia.org/wiki/Levenshtein_distance

rrebelo | 7 years ago | on: Social networks are no longer social

Beware: the devil is in the details. The trick is to choose the most provocative, trolling or insulting words. I let people discuss generic terms such as income distribution, fiscal crisis, education, etc. But I filter out terms such as "comunist", "fascist", "Bolsonaro" (the Brazilian version of Rodrigo Duterte) etc.

> Did you notice any improvement on the level of discussion?

So far, people are still on a "treading the waters"/"sensing the environment" period. But I sense that:

* The posts tangent to politics don't immediately trigger a knee-jerk reaction. Surprisingly, when people discuss politics in a more abstract way, there is a lot more "I agree with you" between people that used to fight a lot. I count this as an improvement, although it is too early to see an increase of depth of understanding on the issues.

* In the beginning some people complained about my heavy-handed approach, calling it censorship and authoritarianism. I just didn't engage in their complaints. My standard response was "my house, my rules".

* There is a lot more light-heartedness, especially among the younger ones. Childish jokes and memes are still around, but nothing offensive. In friends and family groups it is ok, these are habits I don't want to break.

> Also, do you just censor the keyword or remove the post entirely?

I remove the post and post a standard bot answer. Often, the bot gives some false positives, but people find it funny (e.g: "PT" is the acronym for both the main opposition political party and for "total loss" in Portuguese). Because I use regular expressions, people started a game of trying to outsmart the bot. Since it was for fun, it only helped sharpen up the expressions.

rrebelo | 7 years ago | on: Social networks are no longer social

> Watching distant cousins fight about politics

I've long been cautious to step into the WhatsApp hysteria going on here in Brazil. But the last (disgraceful) election here was the last straw. The level of stupidity in the memes from both sides was far beyond repulsive.

A solution that is working so far: automatic regulation. I created a Telegram group with a bot that censors the most common names and expressions on Brazilian partisan politics, using regular expressions. It is surprisingly effective, in a "no broken windows way": if you block the small infractions people don't come close to big infractions.

Breaking rules is a second national pastime in Brazil. Therefore, at the beginning people found it amusing to try to cheat the censoring regular expressions (e.g.: B0150N4R0, etc.). After a while the trick only sharpened these expressions and now they just don't mention politics in the most partisan terms. We do see postings about issues (e.g.: education, fiscal crisis, etc.) but not the stupid partisan dogfight. Politics is mostly a tribal thing, not an ideological one.

EDIT: I'd like to stress the "automatic" aspect of it. When you make the regulation/moderation algorithmic you gain 2 big psychological benefits:

* A fast feedback loop: because the post is immediately removed the association between cause and effect is much stronger. People understand much more that they are breaking a rule when the consequences of it are certain and immediate.

* Algorithmic solutions are "rules based" for most people that don't understand them. They perceive it as "the way things are" instead of an arbitrary decision by the person that wrote the algorithm.
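
The fuzzy matching these comments describe (regular expressions backed by Levenshtein distance, against spellings like B0150N4R0), as an added example that is not the commenter's bot code. The leetspeak map, the blocklist contents, the 25% edit budget and the function names are all assumptions.

```python
import unicodedata

# Assumed leetspeak map and blocklist; the terms are ones the comments mention.
LEET = str.maketrans("013457@$", "oleastas")
BLOCKLIST = ["bolsonaro", "fascist", "pt"]

def normalize(token):
    """Lowercase, strip accents, undo common digit/symbol swaps, keep letters only."""
    text = unicodedata.normalize("NFKD", token)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower().translate(LEET)
    return "".join(c for c in text if c.isalpha())

def levenshtein(a, b):
    """Classic two-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def flagged_terms(message, blocklist=BLOCKLIST, max_ratio=0.25):
    """Return the blocklist terms that some word in the message matches fuzzily."""
    hits = set()
    for raw in message.split():
        word = normalize(raw)
        for term in blocklist:
            # Short terms such as "pt" get no edit budget: exact match only,
            # otherwise nearly every short word would be within distance 1.
            budget = int(len(term) * max_ratio) if len(term) >= 5 else 0
            if abs(len(word) - len(term)) > budget:
                continue  # length gap alone already exceeds the budget
            if levenshtein(word, term) <= budget:
                hits.add(term)
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample messages.
    for msg in ["B0150N4R0 2018!", "Bolsanaru de novo",
                "fiscal crisis and education", "deu PT no carro"]:
        print(repr(msg), "->", flagged_terms(msg))
```

The last sample is still flagged: an exact hit on a two-letter acronym cannot tell the party from the "total loss" meaning, which is the false positive the comment mentions.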

rrebelo | 8 years ago | on: Show HN: Umwelt, your Android phone as a smartlock for Windows 10

Frankly, I am not very happy with it either. It is a concept from biology that designates the specific sensitive skills that each species has to detect their environment. I guess I just went over-nerd with it.

I tried to find a more meaningful name but all I got were too obvious, too lame: PC-Locker, etc.

I am open to suggestions.

rrebelo | 8 years ago | on: Show HN: Umwelt, your Android phone as a smartlock for Windows 10

Hi, I made this.

This is a program (for Windows 10) and an app (for Android) that allows automatic log in/lock on a Windows PC. It works either automatically (by measuring the strength of Bluetooth signal) or manually (tapping the fingerprint reader or the screen).

Also, it has an "anti-theft" feature. If you are at a cafe and walk away from your computer it sends you a warning if someone closes the lid, trying to steal it.

I believe this is very useful in some environments where it can be hard to demand staff to implement proper security behavior (e.g: receptionists in medical offices).

Last, it also has a "reading on the laptop" trick. If you have the phone close to the computer it blocks the screen saver. This is meant to be used when you are reading from the computer screen and don't want to move the mouse or tap the keyboard to block the screen saver.

Now answering the classic question on HN: "how does it compare to X"? If by X you mean one of the following:

* Dynamic Locking: this only locks when you are away, doesn't do login and the other features. Also, you can't configure how far away you are.

* Companion Device Framework: this seems to be stale. Their pages on GitHub and Microsoft haven't been updated for more than a year. However, the security protocol architecture I implemented is very similar.

* Windows Hello: my solution doesn't require you to have a Microsoft account (a big issue when dealing with sensitive information outside the US) or to have a web cam on the computer.

* Samsung Flow and Motorola Moto Key: these are specific for some Samsung and Motorola phones. Also, my program has more features (auto log in, strength configuration, anti-theft, etc.)

rrebelo | 8 years ago | on: Ask HN: Does anyone use an alternative to a password manager?

I love and use KeePass on my PC, although not on Android. Will try it, thanks for the tip.

However, a problem I have with KeePass is that I can't get my wife to use it. It is too complicated for her. Even the idea of plugging the smartphone through USB is already a "no" for her. With Bluetooth she might not even need to take the phone out of her pocket.

rrebelo | 8 years ago | on: Ask HN: Does anyone use an alternative to a password manager?

Funny, I am doing something like that now, but using a smartphone with a fingerprint reader, instead of a Pi and sending the password through Bluetooth (adding USB might be a good idea, though). My problem with the Pi is that it is another bulky device to carry or lose, even the Pi Zero.

My implementation still has lots of security breaches and I don't want to publish something so fragile. I still need to implement fingerprint and time-based authentication. Therefore it still is vulnerable to MITM attacks.

As soon as I have something more robust I'll post it here.

Do you have more ideas to suggest?

rrebelo | 10 years ago | on: Everykey – The Master Key to Your Phone, Laptop, Website Accounts, and More

> an attacker could just replay messages between the two devices and boost the signal without being able to decipher the contents

As a simplified version of a MITM attack? That is clever, I admit I didn't think of it.

However, even in case the attacker is able to do so, the watch would still inform the user when the PC is unlocked. And the user can manually force a lock, from the watch, overriding the proximity/signal strength. To intercept this the attacker would need to decipher the messages. That is for the Android Wear-Windows PC version, though. I admit the Mac version is not that sophisticated, yet.

rrebelo | 10 years ago | on: Everykey – The Master Key to Your Phone, Laptop, Website Accounts, and More

> Car thieves have been using signal amplifiers

Very true. But I am using Bluetooth and it has much better security protocols than the plain simple radio-frequency signals for car remote controls. At the very least, the user needs to first pair the watch with the computer. Besides, all communication between the 2 is encrypted. And, to avoid Bluetooth spoofing, there is also an exchange of time-based encrypted tokens, all transparent for the user. There are a few more security details about it (e.g.: the authentication password is not stored in the watch, is AES-encrypted in the computer, etc). I intend to write a detailed risk-assessment about it later.

In truth, my intention is someday to make it FIDO-UAF [1] compatible, if I get the money to do it.

It is very cool to understand what concerns people have about it. Thank you.

[1] https://fidoalliance.org/specifications/overview/
