
Ask HN: I'm quadriplegic – can you help me with my security? - escapologybb
Hey Hacker News,<p>I&#x27;ve run out of places to look so I hope you guys can help me with this. I would like to:<p>1. Securely login to my various websites
2. Securely lock and unlock my MacBook Pro.<p>Easy, right?<p>Except I&#x27;m quadriplegic. I use DragonDictate[1] to input text, and invoke keyboard shortcuts verbally, and SwitchXS[2] with a single button switch[3] (to move the mouse around and switch between applications etc). With these I have nearly total control over my laptop.<p>I use a password manager and once I&#x27;ve spoken the master password out loud the rest of my password challenges are automated. This is necessary, but not so secure as my laptop is then just open to anyone who picks it up. But I can&#x27;t password lock my whole laptop because OS X requires that password before it will load up any applications, and I can&#x27;t put a password in without my apps.<p>I was thinking of getting a YubiKey, but for that I would need to touch
the sensor on the key to activate everything, but as you might imagine
the whole quadriplegic thing gets in the way of this!<p>Some other sort of hardware master key, maybe? What do you guys think?<p>A word on the adversary: I want my personal information secure from
casual passers-by who after having a quick peck on the keyboard would
more than likely give up; I&#x27;m not looking for PRISM dodging security
here :-)<p>Anyway, any help would be greatly appreciated!<p>[1]: http:&#x2F;&#x2F;www.nuance.co.uk&#x2F;for-individuals&#x2F;by-product&#x2F;dragon-for-mac&#x2F;dragon-dictate&#x2F;index.htm
[2]: http:&#x2F;&#x2F;www.assistiveware.com&#x2F;product&#x2F;switchxs
[3]: http:&#x2F;&#x2F;www.ablenetinc.com&#x2F;Assistive-Technology&#x2F;Switches&#x2F;Buddy-Button-and-Big-Buddy
======
giberson
Forgive the off the cuff suggestion here, it's the quickest and simplest thing
I can think of though not an optimum way to use your laptop and you're
probably hoping for a more elegant solution.

What if you install virtual box w/ some free OS (like ubuntu). Store all your
personal information within the virtual machine which is configured with a
secure login. Then you can leave the laptop unsecured so you can use your
other apps to dictate the password to the ubuntu OS for login.

~~~
superuser2
The Ubuntu VM's virtual hard disk is right there for the taking, though.

~~~
ansible
An encrypted home directory will help some with that.

~~~
ghswa
That won't work since escapologybb can't type a password at the OS X lock
screen.

~~~
sequoia
encrypted home dir on the guest OS, not host.

------
mikeash
How about bluetooth-based locking and unlocking, using an app like this?

[https://itunes.apple.com/us/app/bluetooth-
unlock/id576603568...](https://itunes.apple.com/us/app/bluetooth-
unlock/id576603568?mt=12)

It looks like it may work with any BT device, so even if you don't have a BT-
enabled phone, you could get a cheap BT headset or something, and keep it on
you.

I'd also like to say that it's great to see you doing so well with technology.
I had a quadriplegic friend when I was little (he was an adult) who had a nice
setup for the time, but his independence was limited to a few things like
Clappers for lights, TV remotes, and such. I sometimes wonder just what crazy
things he'd be getting up to if he was still around today with a setup like
yours.

~~~
escapologybb
My only issue with Bluetooth pairing is that iPhones are incredibly shiny, and
carers work for minimum wage and the thought of not only my iPhone going
walkies but it locking my laptop in the process… My head might actually
explode :-)

~~~
gohrt
Perhaps you should pay your carers better, so you can hire quality people....

You can also get a proximity alarm for your iPhone.

~~~
andy_ppp
> Perhaps you should pay your carers better, so you can hire quality
> people....

Easy to say things like that isn't it.

------
samwillis
Hi! I'm on the train with bad internet right now and so can't go looking but
have you considered face recognition software using the laptops camera? There
must be an app that takes a look at the webcam when a password challenge is
presented.

Anyone know of anything?

Edit:

Found one! [https://www.keylemon.com/download-other-
versions/](https://www.keylemon.com/download-other-versions/)

~~~
nicholassmith
From what I've read a lot of them can be spoofed with either a printed
picture, or a video playing back.

~~~
chrisfarms
So I guess the next step in the arms-race would be twin cameras (kinect?) to
build a 3D image of a face.

Then the bad guys would make a sculpture.

Then the good guys could add some kind of mannerism detection (smile?, wink?).

Then the bad guys would work on latex masks.

....I quite want to see how this evolves tbh.

~~~
guizzy
Cloning. The end-game is cloning.

~~~
davidradcliffe
Not really, because it could require a combo of physical attributes and
information known by the subject.

~~~
luke-stanley
Age accelerated face cloning and spying to get information and iris or other
samples needed?

------
willvarfar
When I messed with army radios - these being the made-by-the-lowest-bidder-
and-not-secret analogue variety - they were throat-operated. You spoke
silently, and the microphone - pressed to your throat - sent speech over the
radio.

It took practice to talk perfectly clearly, but it could be mastered.

Google "throat microphone".

~~~
escapologybb
If I had one of them, I would totally be able to pretend I'm in the SAS on
some secret mission!:D Obviously a mission that didn't involve any stairs, and
nothing above 6 miles an hour (top speed of my chair!) With lots of ramps and
extrawide doors :-)

Seriously though, I'm connected to this computer with a ton of cables and if
that could be made to play nice with Dragon, and it wasn't too tight across
where the break is in my neck it would be brilliant!

~~~
bigiain
If you're already "wired up to the computer", would another USB connection
make any difference?

An Arduino can act as a keyboard ( [http://hackaday.com/2012/06/29/turning-an-
arduino-into-a-usb...](http://hackaday.com/2012/06/29/turning-an-arduino-into-
a-usb-keyboard/) )

You could then hook that into some controls you've already got on the chair -
the obvious choice being to have "Up, Up, Down, Down, Left, Right, Left,
Right, B, A, Start" trigger the Arduino to type out your password.

(Where are you from? I know if someone asked for help with this on my local
(Sydney, Australia) hackerspace mailing list, there's probaby be three or four
people building prototypes by the weekend…)

~~~
escapologybb
Unfortunately adding another USB connection would make a difference, there is
the cognitive load of just being tethered to my computer there are sometimes
situations where I need to get out of my wheelchair quickly; so minimising
connections is the order of the day.

That being said this solution could be implemented wirelessly maybe? I mean
have the arduino sitting somewhere connected to the laptop wirelessly, and
then have a switch connected to the arduino wirelessly as well?

The only sticking points I could see are that obviously I can't assemble these
things myself, and travelling to a Hackerspace would be impossible
unfortunately.

Also, I'm in the UK.

~~~
bigiain
Hmmm. It's also possible to do the same "pretend to be a keyboard trick" over
bluetooth - it's just a little more expensive than via Arduino/USB. It's about
an extra $50-ish to add bluetooth capability to an Arduino (at least at
sparkfun.com prices).

I'm in Australia, so the UK is a bit far to be prototyping - did you see
Helgosam's post else-thread? Sound's like he's at least in the same country as
you and capable of helping out (and/or putting you in touch with other locals
who're in this space…)

[https://news.ycombinator.com/user?id=Helgosam](https://news.ycombinator.com/user?id=Helgosam)
[https://news.ycombinator.com/item?id=6054049](https://news.ycombinator.com/item?id=6054049)

------
bcoates
It should be possible to make an OSX app that disables the hardware keyboard
and touchpad, that can be toggled by voice password.

The laptop only being accessible via voice recognition and one button should
be enough to render the entire system unusable to casual snoops.

edit: Looks like you can disable/reenable the builtin keyboad/touchpad with
terminal commands, so it'd just be a matter of scripting them to voice
shortcuts: [http://superuser.com/questions/214221/how-can-i-lock-the-
mou...](http://superuser.com/questions/214221/how-can-i-lock-the-mouse-and-
keyboard-but-see-the-screen)

ps: be sure to have a plan B to reboot your laptop while experimenting with
this in case it locks out your controls somehow.

------
Helgosam
As Tyler E suggested:

"Wonder if he could somehow get his one-button clicker to translate morse code
into ascii."

Use the Arduino Leonardo to send native keyboard key strokes into the USB port
of the Mac - it's robust and works every time - plug and play (once it's been
programmed).

The Leonardo could be programmed to listen out for a specific pattern of
switching and then send the entire password down the USB cable, or
alternatively it could have some simple or complex feedback (lights / tones /
onscreen keyboard display on a second mini screen) to allow individual
characters/keystrokes to be sent down the USB cable from the Arduino.

I've been making stuff like this in the UK for the charity Scope, and their
users - often people who have cerebral palsy. I could potentially make you
something and post it over - if you are interested drop me a line.

~~~
escapologybb
If you would be willing to make something that would be brilliant, I would
love to work on a project like that :-)

Having an Arduino with a small screen next my laptop would be no problem at
all, the only snag I can see so far is that I can only use one button at a
time when switching between two buttons is a nonstarter unfortunately; but I'm
sure that that is something that can be overcome.

So yes, I'm definitely interested!

------
cpleppert
>>But I can't password lock my whole laptop because OS X requires that
password before it will load up any applications, and I can't put a password
in without my apps.

Why not just have the mac autologin and then immediately go into screensaver
mode?

At the very least set
/System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/ScreenSaverEngine.app
to open on start

Thinking about solving this programmatically, it wouldn't be too hard to set
up a secure locking replacement for a screensaver that would offer a challenge
response system to unlock the system without using a password anyone who hears
could repeat.

------
ealexhudson
Maybe use your current system with a rolling password, so that the previous
password no longer works?

Obviously that would take a little feat of memory, or at least some kind of
prompt, but you could memorize a poem or something and use that - it would
prevent replay attacks.

Or, use an algorithmic password, perhaps one where you do a sum based on the
time of day.

All these solutions require some level of coding sadly, but I would have
thought it would be something a freelancer could knock up relatively cheaply.

------
ig1
Maybe some kind of NFC device that you could wear so that the computer would
lock/unlock when you were near it ?

~~~
escapologybb
That would be perfect, but instead of wearing it I could have something
implanted in my arm for instance; and I would definitely notice of somebody
tried to steal the tag!

~~~
X4
What do you think about biometric Voice fingerprints? Instead of voice-
recognition.

.

\---going further---

Then just encrypt the home folder's contents on a file-basis & sync it with a
privately owned server. This improves the chances of data-recoverability on
crashes or on filesystem corruption. Add a kill-switch toggle that erases all
important files on the mac on 5 unsuccessful login attempts, and enables
surveillance mode permanently using different tracking software (prey-project
for example).

~~~
escapologybb
I'm really curious about this, I would be open to doing it but I have no idea
how to go about implementing something like this!

Could you expand a little or point me at some resources, that would be great
thanks :-)

~~~
X4
There's a demo of a commercial implementation in an earlier post
[https://news.ycombinator.com/item?id=6058447](https://news.ycombinator.com/item?id=6058447)

But here are opensource solutions:

[http://musicbrainz.org/doc/Fingerprinting](http://musicbrainz.org/doc/Fingerprinting)

[http://echoprint.me/](http://echoprint.me/)

[http://www.politepix.com/openears/](http://www.politepix.com/openears/)

[http://cmusphinx.sourceforge.net/wiki/](http://cmusphinx.sourceforge.net/wiki/)

~~~
escapologybb
Yes, I'd seen that before just didn't realise that was the term for it.

Something like that would be ideal if a system could be implemented that was
reliable enough, there's always going to be some degree of false
positive/negative but it would be cool otherwise.

------
quadstick
[http://quadstick.com](http://quadstick.com) is developing a mouth operated
programmable joystick/mouse/keyboard. A sequential combination of up to eight
input signals (specific joystick movements and/or a sequence of hard or soft
sip & puffs on four different tubes) can trigger the sending of up to six
preprogrammed keyboard keys, or it can just recognize characters traced out on
the joystick and send them one at a time.

------
3amOpsGuy
Would something like Keycard[1] work for locking the screen when you're not
nearby?

I wonder if it could be set to lock at boot unless your phone (or BT
headphones or whatever) is nearby.

I doubt this can be all that secure since it can be downloaded from the App
Store, I'm pretty sure that means it can be force quit (it could not prevent
this key combo since its restricted in the sandbox). It may be just enough.

[1]
[http://www.appuous.com/products/mac/keycard.html](http://www.appuous.com/products/mac/keycard.html)

------
noivad
There are bluetooth screen lock utilities that allow one to auto-lock and
unlock the machine based on the signal strength of whatever Bluetooth device
you pair it with. I would look into the hands-free Bluetooth speakers (meant
for auto use) with a Wheelchair power to USB convertor (most likely the
easiest would be via an auto 12V DC adapter). That way you can have a
mic/speaker mounted on the wheel chair to control the machine as well (if you
don’t have a wireless mic already). Any Bluetooth device capable of being
paired will work though. This will prevent someone going through your laptop
while you are away. I actually have one I use on occasion at coffee shops
called Bluetooth Screen Lock available on the App Store, but there are other
free and low cost apps that do the same thing available. The on I use allows
me to set the sensitivity so that it will lock after being about 6 feet or
more away, and unlock when I am within that distance. I can also set it to
lock at the maximum BT signal range as well.

~~~
jnbiche
This is the most sensible solution. One implementation of this is called
TokenLock. Never used it but it's $3 in the App Store and is pretty well
documented, so I'd imagine the dev is pretty pro-active. Buy that with a $20
bluetooth headset to pair it with (make sure the range is as low as possible!)
and you have a complete solution for the login issue for under $30.

~~~
noivad
I wrote a review for a $35 pair of NoiseHush NS400s. They are a stereo, behind
the head bluetooth headset. So they also have a mic. They sound great, and
pairing them would make an inconspicuous lock that most people wouldn’t thing
about being theft worthy. but they do not work plugged into the charger,
unfortunately.

------
lifeisstillgood
Just a thought but would a inverse keylogger work?

I would guess something like this- an arduino hooked up to something you can
operate (BigBuddy?). This could then ask you for your PIN code (2 taps, 3
taps, 2 taps)

Once arduino is happy it will quirt a pre-stored key sequence into the USB
port, acting as a keyboard, and unlock what you need.

I have no idea if it is really viable but its the best I have.

~~~
samweinberg
I remember reading in MAKE about a gumball machine that only dispenses
gumballs when a secret knock is performed. I'm sure something like that can be
adapted for this purpose.

[http://grathio.com/2010/05/secret_knock_detecting_gumball_ma...](http://grathio.com/2010/05/secret_knock_detecting_gumball_machine/)

------
nathan_f77
I would love to help build something if you can't find a solution. Maybe you
could lock or unlock your laptop via facial recognition [1], or you could add
an accelerometer that automatically locks the laptop if someone picks it up.
Or just physically lock the laptop to your chair.

Or you could plug an Arduino into the USB port and use it as a keyboard device
to send a stream of keypresses when you touch a button (just like a yubikey,
except you could put the button anywhere.) The first button press could type
in a password to unlock the computer, and the second button press could press
a keyboard shortcut to lock it again. Or you could program it to recognize a
simple morse code sequence. Let me know if you're interested in that idea, and
I would be happy to program one and mail it to you.

[1]:
[https://www.macupdate.com/app/mac/36762/keylemon](https://www.macupdate.com/app/mac/36762/keylemon)

~~~
escapologybb
I would love to build something, my programming skills are to put it mildly…
well… Rubbish, but if you were willing to help that would be wonderful!

I really like the idea of using the accelerometer as one layer of security,
because there is no situation where I'm going to be the one who's picking up
my laptop! I think it could only be one part of the overall though, because if
they don't pick it up it would still be completely open.

I've tried facial recognition software, including the one you linked to but so
far haven't found one that is reliable enough; there were far too many false
positives and for a large chunk of the time it wouldn't recognise my face at
all. In theory though, reliable face recognition would be a great solution.

------
fnordfnordfnord
Hi, do you have any movement or dexterity in your fingers at all? If so,
please offer details of this or any other control you have that might be
exploited. I have a colleague who once-upon-a-time built a system of low-force
buttons and other goodies that enabled a quadriplegic person to work a
telephone very effectively, as in they were subsequently employed to do some
kind of work over the telephone. Would something like that be of use?

I think you might also be able to make use of a kinect or Andriod/iPhone and
some eye-tracking.

Also, do you know of these guys? It's where my colleague worked about twenty
years ago. [http://www.tirrfoundation.org/](http://www.tirrfoundation.org/)

~~~
nknighthb
In the vein of finger dexterity, I fear it must be very low, otherwise I'd
expect use of a small "joystick mouse" rather than (or at least as a
supplement to) SwitchXS and a single-button switch.

That said, I've heard of some quadriplegics with basic finger function using
morse code-style inputs in various ways. I don't know details, but this[1]
popped up in Google. It seems old but potentially interesting.

I wonder how much work it would be to put together something like an Arduino-
based device that takes morse-like input and simulates a USB or Bluetooth
keyboard?

[1]
[http://www.makoa.org/jlubin/morsecode.htm](http://www.makoa.org/jlubin/morsecode.htm)

~~~
fnordfnordfnord
Yup, colleague says he designed and built several different sip & puff
controls for various things.

>I wonder how much work it would be to put together something like an Arduino-
based device that takes morse-like input and simulates a USB or Bluetooth
keyboard?

IMO it has never been easier.

------
DanBC
Yubikey would work if you could mount it so that you can touch the touch-pad
with your nose. I don't know if that's acceptable to you?

~~~
jnbiche
There is a Yubikey model that uses NFC called the NEO[1]. So it would operate
simply by your being close to the computer. At the moment, the NFC only works
with Android, iOS, Windows Phone, and Blackberry, but it might be able to be
ported easily. I'm looking into how this might help you now (Yubikey has an
SDK).

You're on OSX, so let me see what I can come up with. No promises, but I'm
looking.

1\. [http://www.yubico.com/products/yubikey-hardware/yubikey-
neo/...](http://www.yubico.com/products/yubikey-hardware/yubikey-
neo/integrate/)

EDIT: I see that the Yubikey NEO is sold out for the next 5 weeks, so this may
not be the best option for you.

EDIT2: The best solution was referenced by silverlight above, it's called
TokenLock for Mac OSX, and it's $3 in the App Store. You can use it with
bluetooth devices. Just get some little $20 bluetooth device or headphones you
can pair it with, and have someone put it in your pocket. Please take a look
here (again, thanks to poster silverlight above): [http://www.map-
pin.com/tokenlock-home/](http://www.map-pin.com/tokenlock-home/) Never used
it, but it looks pretty versatile and can be used with all sorts of login
approaches.

For securing your browser passwords, I think the Yubikey with the NFC chip
will be your best bet. Right now, they don't have OSX software available
specifically for the NFC, but I imagine they will release some eventually. I'd
call and ask them.

~~~
escapologybb
I think as soon as they bring out some software on the Neo model that would be
ideal, I'll definitely get in touch with them. Excellent find!

As for TokenLock, I downloaded the free trial and during the setup process my
laptop locked up for apparently no reason; I had to have my partner stop at
she was doing and come and restart the computer for me. Clearly not an ideal
situation.

It really was a case of;

Download and install application Run through the setup process, which appeared
to go flawlessly Read's helpful message that laptop will be locked when iPhone
goes out of range … Laptop locks up as I'm reading the message, whilst my
iPhone has sat resolutely still about 5 inches from my laptop!

That is a terrible level of reliability for me I'm afraid :-)

------
luke_s
Your adversary is extremely simple. You haven't mentioned in your post if you
are open to or able to do any custom coding.

I would suggest writing/getting an app written that runs in fullscreen and
looks exactly like an OSX login screen. Bonus points if it can disable multi-
tasking shortcuts such as the 3 finger swipe up. The app can be hardcoded to
only accept one password - yours. Since the app is running with OSX logged on
you can use your usual tools to enter the password.

It goes without saying that this won't fool anyone determined - you can just
reboot the laptop to make the app go away. However it should be enough to stop
casual passers-by.

------
ricardobeat
If you are using AbleNet's "Hitch" switch interface, by their description it
should be able to emulate keyboard input without the SwitchXS software being
loaded, but a manual doesn't seem to be publicly available.

This product called "Swifty"
([http://www.orin.com/access/swifty/](http://www.orin.com/access/swifty/))
also takes a switch as input, and can emulate a standard usb keyboard. With
VoiceOver enabled in the login screen (Settings->Users->Login Options) this
should allow one to login without using the keyboard.

Hope this helps.

~~~
escapologybb
When I clicked reply to this comment I was doing so using the Swifty! It
really is robust but when I tried the system you outlined, it was working may
be one out of every 10 times I tried it; at which point I had to ask for help
to get into my machine. Which is like security fail on my part :-)

------
s_q_b
Okay, sounds like an interesting challenge. Let's describe the problem and
examine possible solutions.

Goals: 1\. Securely login to websites. 2\. Securely unlock a Macbook Pro.

Solutions to (1): A. (1) Can be solved with a password memorization app, once
we solve (2).

So let's examine 2.

Solutions to (2):

Seems like there are two parts to this problem: authentication and OS X
integration.

OS X has a login API that can be used to build extensions, or since the
adversary is unsophisticated we could use an input blocking regular
application.

Okay, so the integration piece is possible, and we can flesh that out later.
So let's look at authentication.

A. Use Physical Authentication: Bluetooth, RFID, and Wifi devices come to
mind. All of these require purchasing additional hardware. Buying new hardware
seems inelegant though, so let's table this option for now.

B. Biometrics: Voice print ID or facial recognition. More promising, but false
negative rate is too high, especially for accessibility purposes. Really don't
like the idea of a temperamental biometrics program keeping you out of your
computer.

C. Speech Recognition: Get voice recognition working on the log in screen.
Apple has APIs for dictation and log in. This one seems promising. But then
you might need a rotating set of passwords or an algorithmic password,, as
others suggested, to keep passers-by from overhearing your password.

One more thought. Is there a way to set up Dragon Dictate as a native input
device? If so, Mac lets you access the input device switcher from the log in
menu.

------
anonymous
I used to work with quads. I would use Sikuli.org (python script) automate
most things.

Read this post about new treatments in China. Spinal Cord injury therapies and
medical situation in China Major spinal surgeries in China. Advances in repair
of cord. [http://nextbigfuture.com/2013/07/spinal-cord-injury-
therapie...](http://nextbigfuture.com/2013/07/spinal-cord-injury-therapies-
and.html#more)

~~~
swamp40
Talk about cultural differences. From your link:

> _China in 2004 clamped down on clinical trials and has the most strict
> regulations on it now._

> _They executed some doctors who did not follow the rules._

> _Now doctors are very careful and precisely follow the rules._

------
peacetara
You have a button you can push (#3 in your list above). So this means you are
well on your way. You would need to create(or have created for you) a password
app, that would open on startup, and prompt you for your password. Of course
entering a password using a keyboard isn't so great, but since you have a
button, you can ask for a certain set of button pushes, in a certain order.
(Whatever works well for you).

i.e. you spell 'cat' in morse code with your one button. Or whatever. The
important thing is that it's something YOU can do, and is likely not anymore
easily guessed/caught than someone shoulder surfing someone typing the
password on the keyboard.

That said.. I want to point out, you mention this is because you are worried
about your PA's that are helping you with things maybe taking liberties you
don't want them to. If you don't trust your PA's I think you should work on
getting their trust (and vice versa), or look into replacing them with people
you trust. If you need help with advocacy around this, reach out to your local
Independent Living Center.

Good Luck!

------
gabriel34
Unlocking a computer programatically is hard and should be so. Locking on the
other hand isn't. Perhaps you could lock upon fail to NFC authenticate every x
seconds. That only answers part of the question, since the attacker would
still have x seconds to snoop around every time he logged in, but would be
such a nuisance that he probably would give up.

------
escapologybb
Wow, I went to bed not expecting much of a response but you guys have come up
with some excellent solutions, I'm getting round to specific answers as
quickly as I can!

I'm clearly missing something obvious, but I can't for the life of me figure
out how to edit and update my original question; can someone put me out of my
misery? :-)

------
X4
@OP

a) How about buying an external Fingerprint reader that's close to your thumb
or wearable? There are tools that automatically find windows with input
fields.

b) OR, instead of dictating a password, you could hire someone to write
software that extracts a fingerprint from your VOICE's characteristics. You
would have to train it to diferent types of voices you have (morning
voice/tired voice/hoarse voice etc.)

Every person's voice has characteristics that make it unique and cannot be
reproduced by another human. Only a computer could do that and that would
require a lot of effort to break the unknown algorithm used in your computer
first

c) use existing software like this:
[http://demo.authentify.com/biometric/](http://demo.authentify.com/biometric/)
or similar. I just googled for voice authentication/fingerprint.

------
fsck0ff
Well I guess you could use something like that:
[http://notimpossiblelabs.com/eyewriter](http://notimpossiblelabs.com/eyewriter)
with some software modification (pure speculation as I haven't even checked
the code) you could use eye movement and blinking to simulate mouse input and
with on screen keyboard you should be able to write your password somewhat
securely
[http://www.ted.com/talks/mick_ebeling_the_invention_that_unl...](http://www.ted.com/talks/mick_ebeling_the_invention_that_unlocked_a_locked_in_artist.html)

also shouldn't be expensive to build... [edit] link to the github repo the
software can be found here
[https://github.com/eyewriter/](https://github.com/eyewriter/)

~~~
escapologybb
I will definitely look into that, I remember seeing the TED talk when it first
came out and thought it was cool; thanks for the links :-)

------
nicwise
I'm out of my depth in more than one way here.

How about rigging a bite switch to the ubikey (either directly or via
something like a raspberry pi / beagle bone). That's assuming that the only
issue with the ubikey is you pressing the button.

Maybe (if it has an rpi) it needs a sequence. Bite. Pause. Bite bite. Pause.
Bite. Etc.

I suspect you'd need someone to build it for you but I doubt there is a
shortage of capable or willing people here. Sadly, my electronics skills are
not up to it :(

I'm always impressed by people with accessibility issues using technology (or
whatever is the correct term - sorry if that's at all offensive :( ). I've
managed to make one of my apps a lot more useful to blind/partial sighted
people after talking to a guy who can't see. It took me about 30 mins, and
made the world of difference to him.

------
pbrumm
Maybe you could use a usb device that is physically attached to the chair,
then a thin usb ribbon cable that plugs into the computer, but pulls out
quickly. that way if the computer is taken it would auto lock the machine when
the ribbon is removed.

It would take work to get setup again, which may make the NFC setups better.

you should also follow the leap motion device.
[https://www.leapmotion.com](https://www.leapmotion.com) it could enable some
facial recognition apps, or new approaches for data entry that are not just
voice control.

Also, something like this may make it less desirable to steal, and be another
way to mount it to your chair.
[https://www.stoptheft.com/products/stoplock](https://www.stoptheft.com/products/stoplock)

------
snom380
Does DragonDictate still work if you switch users? If so, you could encrypt
your home directory, add a second user, and set OSX to auto-login to that user
(and auto-launch DragonDictate).

If not, I think your best bet is a Bluetooth solution or some hardware token.
For instance, an Arduino or Teensy ($20) programmed with your login/master
password, and with a small microphone connected would be able to respond to
certain voice commands and act as a regular USB keyboard, typing in your pass
phrase.

You could also have some software on the Mac to automatically lock the screen
or shutdown the computer if the Arduino is removed.

~~~
ericfranklin
If you are already logged in to an account with Dragon running, will it let
you dictate into system password boxes (OS X Dictation does not when I tried
it)? If so, having the computer auto-login on boot to a secondary account
should accomplish what you need. Then dictate your password into the Fast user
switching box.

Otherwise, user switching can also be activated with Automator or Terminal. OS
X Dictation will type into a password prompt in Terminal, so a script might be
able to switch to your account with password dictation (or with your password
stored in the script, if you trust that).

When done in your secure account, just run another script or reboot to switch
back to the secondary account.

Here are some example scripts:
[http://hints.macworld.com/article.php?story=2011081307461141...](http://hints.macworld.com/article.php?story=20110813074611411)

~~~
escapologybb
This is an excellent idea and something I'm going to implement immediately! It
will certainly give me a level of security whilst I look at some hardware
solutions, thanks :-)

------
johlindenbaum
There's an application that lets you lock individual applications, but which
should allow you to unlock it with dictation, as the rest of the OS is still
working. Mac App Blocker
([http://knewsense.com/macappblocker/](http://knewsense.com/macappblocker/))

There's also QuickLock which was/is a workaround to lock OS X quickly without
using the screen saver + immediate password requirement.
[http://www.quicklockapp.com/](http://www.quicklockapp.com/)

Note: I haven't used either, I'm just googling and looking at videos.

------
gaetan
I don’t know much about Apple computers but on a Windows PC I wouldn’t use
startup password to avoid friction when starting the PC. For login in a
website, I would use an application like Keepass. For my private data, I would
create a virtual encrypted disk with Truecrypt. If you leave your PC alone or
take a nap, just close Keepass and Truecrypt and your data are secured. And to
enter the password when you start Keepass and Truecrypt, I would create a few
pages text file on my desktop and just copy/paste a combination of 2 or 3
words so I wouldn’t need to speak my password loud.

------
im3w1l
Questions on the threat model:

-Is the computer turned off or on?

-Do you want to a) protect your computer from being stolen? b) protect your weird fetish from being discovered? c) protect your online banking credentials?

~~~
jabbernotty
I hope you don't mind if I rephrase that last bit, I felt it was overly
specific:

"-Do you want to a) protect your computer from being stolen? b) improve the
privacy of your files? c) protect your online credentials?"

~~~
im3w1l
For porn he could stream it incognito. For protecting banking credentials, he
could use a separate password manager that auto shuts down after a minute or
so.

Solving the special case is sometimes easier.

------
asselinpaul
When you talked about the yubikey, it's actually not too hard to built a two
factor token yourself. Using an arduino, you could wire it in a way that would
be convenient for you to operate.

[http://lab.infoserver.com.br/wiki/index.php/Projects:arduino...](http://lab.infoserver.com.br/wiki/index.php/Projects:arduino-
oath-token)

[https://github.com/damico/ARDUINO-OATH-
TOKEN](https://github.com/damico/ARDUINO-OATH-TOKEN)

~~~
escapologybb
I would love to be able to do these sorts of things, but anything that
involves hardware would mean I would have to contract in a pair of hands.

And hands are not always a readily available resource, the people attached to
them have like lives and other stuff to do; it's terribly inconvenient! :-)

I'm going to look into it though, thanks for the idea!

------
yk
Perhaps voice identification could help. There seem to be quite a few
solutions [1]. Unfortunately I do not have any intuition how good they are,
but probably they can be broken with a simple recording of your voice ( or a
recording of a passphrase). So before you trust these, you should probably
play a bit with an mp3 player.

[1][https://duckduckgo.com/?q=voice+biometric+login](https://duckduckgo.com/?q=voice+biometric+login)

------
laumars
A simple solution might be to "double lock" your system. In addition to your
password manager, use face recognition (via the laptop webcam). I know such a
system can be easily spoofed, but it will stop the casual opportunists you
described in your brief, and without requiring too much effort on your part to
unlock (and I can only imagine how long-winded many of the otherwise simple
tasks might be given your unfortunate position).

------
mkhalil
Face recognition is the best answer I can come up with to unlock the computer.
Setup a usb-wrist band that when you computer gets pulled away from will auto
lock.

------
quasistoic
If I understand correctly, you use neither the traditional keyboard nor the
trackpad. Can you disable both, or at least configure them to be very
difficult for the casual passerby to use? As an example, any non-traditional
keyboard layout that doesn't match the labels on the keys is likely to confuse
and annoy the average user to thr point that they give up very quickly.

------
deodar
You can set LastPass to prompt for the password every time you need to login
to a password[1]. This presumably disables password caching in the plugin.
Would that solve the your first problem?

[1] [https://helpdesk.lastpass.com/account-
settings/security/](https://helpdesk.lastpass.com/account-settings/security/)

~~~
escapologybb
Yes, that's what I'm doing at the moment but I'm unlocking the passwords on a
session by session basis rather than one password at a time.

------
bauer
The next Kinect is supposed to be able to detect eye movement. I don't think
it would be too hard to implement something that would prompt for a sequence
of eye movements after pressing the single button switched described by OP. I
don't know if this would take care of both use cases, but I think it would
take care of the first.

------
trekky1700
There's a program out there that can use a webcam to detect where you're
looking on a screen. It performs a "click" if you hover over a button for a
few seconds. Mix that with an on screen keyboard and that might work. I don't
know if those options work with OSX though.

~~~
obk1352
Camera Mouse 2013 does that on windows for free. Not a great option since it
doesn't always follow whatever it is tracking that well. You would need to go
with an expensive option like [http://www.tobii.com/](http://www.tobii.com/)
if you wanted good eye tracking, but that is expensive and I don't think Mac
compatible. Plus, not always as accurate or easy to use as you would think.

------
gillis
How about some way of voice recognition? Maybe through a raspberry pi with a
mic connected to it. There are surely some pre-made algorithms / scripts for
this sort of thing. So once the voice recognition is passed and validated the
password would be entered via the raspberry pi.

Just my two cents!

------
dobbsbob
Was this posted by Hal Finney? He's unfortunately a quadriplegic now but still
programs.

------
maerF0x0
someone could build a login sequence that uses yes/no questions that only you
know the answer to. Then it would just be a matter of how many bits of
protection you want. eg: 32 questions would be something like 32 bits of
entropy. Kind of laborious but also fairly secure because the order and
selection of questions could be randomized, so someone would have to shoulder
surf many questions in order to break in.

eg: Is this your mom? (with a picture). Is this your favorite color (a color
showing). Is this your phone number? Is this your house? Do you like cheese?
Do you like candy crush (ok, no entropy there, the answer is always "yes") .

now, does someone want to make this product?

------
obk1352
have you thought about using your single switch with an onscreen keyboard? I
am not sure if OSX will let you automatically show an onscreen keyboard for
the login screen (not sure why they wouldn't), but this would be as secure as
you typing in the password via a real keyboard, and you wouldn't have to deal
with all the other things that can go wrong. Also, have you tried to use a
Quadjoy mouse [http://www.quadjoy.com/](http://www.quadjoy.com/) this gives
you full mouse use, and gets you out of jams when Dragon decides to stop
working and your PCA isn't immediately available.

------
wehadfun
Could you re-route the keys to random unicode values so that if someone types
'a' they get '%' instead. That way if someone took a few pecks they would
hopefully get frustrated

------
gcr
Would some sort of active face verification be close to what you're looking
for? Your webcam would always run, then when it sees you, it unlocks; when it
no longer sees you, it would lock.

------
photorized
Don't know if this has been discussed already - have you considered a
proximity-based sensor, where your device is locked when it's away from you?

------
voltagex_
It may be possible to enter Morse code using the single button switch. I knew
someone who used one of these for a while, but not for password entry.

------
itswitch
If you could have a seperate, physical voice to text converter, it would act
as a physical keyboard and type in your password, etc.

------
gmrple
If you're interested in a custom hardware solution, the folks at hackaday.com
may be helpful.

------
UnclePeepingSam
In your case, would you like to wear a brainwave sensor, so to manipulate your
laptop directly ?

~~~
escapologybb
That sounds awesome, but financially speaking I think it would be
prohibitively expensive unfortunately.

------
boojumz
couldn't you just completely disable the keyboard?

~~~
tlrobinson
And USB ports?

------
tater
Using multiple keychains would also help.

------
wissler
Here's a simple idea (lacking in specific implementation details, sorry):

\- Figure out how to add a text filter between DragonDictate and your system.

\- Program the filter to look for a special sequence, e.g. "cipher_mode"

\- When in cipher mode, feed characters through a simple cipher. E.g. A -> C,
B -> D, etc. No passerby is going to be able to figure out what you're doing.

\- When the filter sees "cipher_mode" again then it stops filtering.

~~~
jdaley
If a passerby hears you say "cypher mode A Y R cypher mode" to unlock your
computer, they might not figure out that your password is CAT, but they will
figure out that "cypher mode A Y R cypher mode" unlocks the computer.

~~~
wissler
Obviously you'd pick a better phrase than "cipher mode".

But you make a good point. I think this approach can still work though.

\- Rotate the cipher based on the current day/time, or rotate it based on the
previous use.

\- You could prime the next password each time you successfully login. So e.g.
every time you login, you offer 3 additional letters in "clear mode", but then
have to give them back in cipher mode.

I think I'd go with the last one.

The worst part about all this is that it requires custom programming.

------
camus
Since you are here , a few questions (not related to the current subject): you
might be surfing on the web , given your condition , what are the annoying
stuff you encounter that makes your surfing harder and that could be ,easily
fixed if web developpers actually cared about accessibilty.

Do you have exemples of websites that use technology to facilitate surfing for
disabled people , that could be shown as an exemple of good accessibility
practice ?

thanks and take care.

~~~
escapologybb
Hi, hit me up on Twitter and I'd be happy to help. @escapologybb

------
ngoertz
We have patented something called PassRules which does not disclose your
secret during normal use. It's the perfect solution for you but unfortunately
we don't have a version for Mac -- only Windows. But if there's sufficient
interest we might just develop one. Check us out at www.itsmesecurity.com

~~~
Buttons840
This is a great example of how patents help humanity.

~~~
iguana
TIL that everyone needs a patent to prove defensibility to VC's, but no one is
allowed to mention a patent on HN without being down voted, because patents
are evil.

------
nawitus
If you're not using whole disk encryption (or even partial encryption), then
it doesn't really matter if you use a login password or not. The attacker can
just clone the hard drive to gain access to your files.

~~~
lifeisstillgood
The threat model was casual passers-by. That may not seem much but severe
disabilities change things a lot.

I am assuming that the OP is simply taking steps to mitigate an ever present
fear of "being taken advantage of". There are some real arseholes out there,
for example a friend of a friend was a blind dumb mute who was mugged in the
street - nothing stolen except her cane and cards she used to communicate. She
had no way to communicate with anyone, and they had no way to communicate with
her.

She had to walk home...

~~~
escapologybb
Bang on, it's the horrible person who comes into the house of somebody
physically vulnerable and steals pain medication from them (true story); those
are the people that are the adversary.

Pain medication, from somebody with nerve fire… I just don't understand that
mentality!

