Ask HN: I'm quadriplegic – can you help me with my security?
486 points by escapologybb on July 16, 2013 | 168 comments
Hey Hacker News,

I've run out of places to look so I hope you guys can help me with this. I would like to:

1. Securely login to my various websites
2. Securely lock and unlock my MacBook Pro.

Easy, right?

Except I'm quadriplegic. I use DragonDictate[1] to input text, and invoke keyboard shortcuts verbally, and SwitchXS[2] with a single button switch[3] (to move the mouse around and switch between applications etc). With these I have nearly total control over my laptop.

I use a password manager and once I've spoken the master password out loud the rest of my password challenges are automated. This is necessary, but not so secure as my laptop is then just open to anyone who picks it up. But I can't password lock my whole laptop because OS X requires that password before it will load up any applications, and I can't put a password in without my apps.

I was thinking of getting a YubiKey, but for that I would need to touch the sensor on the key to activate everything, but as you might imagine the whole quadriplegic thing gets in the way of this!

Some other sort of hardware master key, maybe? What do you guys think?

A word on the adversary: I want my personal information secure from casual passers-by who after having a quick peck on the keyboard would more than likely give up; I'm not looking for PRISM dodging security here :-)

Anyway, any help would be greatly appreciated!

[1]: http://www.nuance.co.uk/for-individuals/by-product/dragon-for-mac/dragon-dictate/index.htm
[2]: http://www.assistiveware.com/product/switchxs
[3]: http://www.ablenetinc.com/Assistive-Technology/Switches/Buddy-Button-and-Big-Buddy

Forgive the off the cuff suggestion here, it's the quickest and simplest thing I can think of though not an optimum way to use your laptop and you're probably hoping for a more elegant solution.

What if you install virtual box w/ some free OS (like ubuntu). Store all your personal information within the virtual machine which is configured with a secure login. Then you can leave the laptop unsecured so you can use your other apps to dictate the password to the ubuntu OS for login.

You know, I hadn't actually considered that! That certainly could solve quite a lot of the security problems, but as you say it adds a layer of complexity to an already complex method of using my computer. Excellent idea though :-)

If you think OS X offers better dictation/accessibility support than Ubuntu does you can also virtualize OS X on OS X using VMWare Fusion. I'm sure there are other ways of doing this but I know that VMWare Fusion supports this [1]. I don't believe that you will even have to pay for licensing OS X since it is already on Apple-manufactured hardware.

[1] http://kb.vmware.com/selfservice/microsites/search.do?cmd=di...

You are correct, the OS X EULA since 10.7 Lion has allowed two additional instances to be run within virtualization at no additional charge. Here is the EULA for 10.8, search for "virtual": http://www.apple.com/legal/sla/docs/OSX1082.pdf

("...you are granted a limited, non-transferable, non-exclusive license... (iii) to install, use and run up to two (2) additional copies or instances of the Apple Software within virtual operating system environments on each Mac Computer you own or control that is already running the Apple Software, for purposes of: (a) software development; (b) testing during software development; (c) using OS X Server; or (d) personal, non-commercial use...")

I use this exact method to get around VPN restrictions. Works great running a VM Windows 8 within another instance of Windows 8. On an SSD the VM seems to be as fast as the actual machine.

How does that get you around VPN restrictions? Do you then forward your traffic through some proxy?

I think the virtual machine is vpned and the external machine is not. Then you can get all the traffic you need passed through the inner vm while still getting outside traffic on your main.

The Ubuntu VM's virtual hard disk is right there for the taking, though.

Adversary profile precludes this vector.

I would like this as a bumper sticker/answering machine message.




>"Adversary profile precludes this vector"


I use a SIP provider for all my telephone stuff, which gives me the ability to have menus etc.

I've now got one for "press one if you're calling me about an unbelievable sales opportunity" that gives the exact response. I have no idea if anybody has called it yet, but it's kept me laughing for the past three days!

Could you provide some details on how you set that up? It sounds interesting!

No problem, I first signed up for an account with SIP Centric[1], then once you've bought a phone number, you click on IVR menus in the sidebar and then it is point-and-click from there on; it really is surprisingly easy!

[1]: http://pbx.sipcentric.com/

I can't tell you how happy that makes me.

An encrypted home directory will help some with that.

Assuming you shut it down every time you walk away. AFAIK VirtualBox doesn't encrypt snapshots (which include RAM contents and therefore the encryption key).

OP could at least get screensaver-lock functionality, but actual security in this situation is hard.

That won't work since escapologybb can't type a password at the OS X lock screen.

encrypted home dir on the guest OS, not host.

At least the Ubuntu VM can be password protected and encrypted, unlike OS X in this scenario, or am I missing some other issue?

Using a VM as the "real" machine seems to be at least as effective as any other suggestion made here and far less brittle.

You could use something like TrueCrypt to encrypt the vhd/vmdk(s). How aggressively you mount/unmount the volume depends on the circumstances.

That's just punting. How does he login to the secure VM?

You're jumping the gun a bit... the main problem is that they can't secure their main computer, since they require dictation to work in order to enter passwords. For the main login screen, the dictation software isn't loaded yet.

If they can password-less auto-login to the main computer, then use their dictation software to load up a VM, that VM could be considered secure.

As a side note, can't you also run Mac OS X as a VM guest from a Mac OS X host? I thought that Apple made that license change a while back. If that's the case, they could keep it all Mac, if they'd like.

This certainly seems to be allowed: http://stackoverflow.com/a/39247

He can type things using dictation and that would presumably let him log into the VM, his problem is that the dictation won't work for the OSX lock screen.

The idea probably has some other practical problems though.

I don't see how that would make it harder. Audio surfing is easier than shoulder surfing. Wonder if he could somehow get his one-button clicker to translate morse code into ascii. Then he really could log in in a fairly secure way.

Audio eavesdropping could be pretty easily defeated with a challenge/response system. And if the speech recognition system is powerful enough, the response to the challenge could simply be to repeat the challenge in your own voice - which would be really user friendly.

I don't think he's trying to make it more secure, just trying to get a minimum level of security where he can open the laptop and input a password. Right now, the OP is unable to do that due to OSX not allowing any applications to run at the login screen.

If I had to guess, he would "use [his] other apps to dictate the password to the ubuntu OS for login".

How about bluetooth-based locking and unlocking, using an app like this?


It looks like it may work with any BT device, so even if you don't have a BT-enabled phone, you could get a cheap BT headset or something, and keep it on you.

I'd also like to say that it's great to see you doing so well with technology. I had a quadriplegic friend when I was little (he was an adult) who had a nice setup for the time, but his independence was limited to a few things like Clappers for lights, TV remotes, and such. I sometimes wonder just what crazy things he'd be getting up to if he was still around today with a setup like yours.

My only issue with Bluetooth pairing is that iPhones are incredibly shiny, and carers work for minimum wage and the thought of not only my iPhone going walkies but it locking my laptop in the process… My head might actually explode :-)

If it does indeed work with arbitrary BT devices like I think it does (please verify this for yourself before you buy!) then you can get a cheap headset for $15 or so and key it to that instead of your phone. If your Mac (and the software) supports BTLE, you could even use a specialized token like a Stick-N-Find.

This app does claim to support any BT device, just in case the other one doesn't:


Hope you figure out something that's to your liking.

"If it does indeed work with arbitrary BT devices like I think it does … "

Perhaps a Pebble Watch?

There might be Android alternatives, which would allow you to get a much cheaper device.

Perhaps even a very ugly iPod Touch might work.

Perhaps you should pay your carers better, so you can hire quality people....

You can also get a proximity alarm for your iPhone.

> Perhaps you should pay your carers better, so you can hire quality people....

Easy to say things like that isn't it.

Why do you assume he pays the carers? For that matter, why do you assume he could afford to in the first place?

Hi! I'm on the train with bad internet right now and so can't go looking but have you considered face recognition software using the laptop's camera? There must be an app that takes a look at the webcam when a password challenge is presented.

Anyone know of anything?


Found one! https://www.keylemon.com/download-other-versions/

This is an excellent idea, and something I've tried but that particular application wouldn't recognise my face as I tend to lean to one side. But my leaning isn't reliable so it had real trouble recognising me, not ideal if I'm trying to get into my computer :-)

Reliable facial recognition would be great though, just not managed to find it!

From what I've read a lot of them can be spoofed with either a printed picture, or a video playing back.

It's probably enough for stopping the casual interference the OP wants to prevent.

So I guess the next step in the arms-race would be twin cameras (kinect?) to build a 3D image of a face.

Then the bad guys would make a sculpture.

Then the good guys could add some kind of mannerism detection (smile?, wink?).

Then the bad guys would work on latex masks.

....I quite want to see how this evolves tbh.

It's only going to evolve so far for consumer application. At some point, the barrier to cracking becomes too high for normal efforts. Who's going to spend 4-6 hours applying makeup to their face to crack your laptop's security (since the crack only applies to one instance) if you're only protecting your weird porn and some household financial data. You likely wouldn't hear about any efforts beyond that, since it would be spycraft.

Cloning. The end-game is cloning.

Not really, because it could require a combo of physical attributes and information known by the subject.

Age accelerated face cloning and spying to get information and iris or other samples needed?

Totally off topic, but why don't laptops come with twin cameras already?!?!?

He said he's not looking for high level security. Just something basic to "keep honest people honest".

I've used KeyLemon before on my computer.

Removed it the day a friend of mine unlocked it with his face (he looks quite different).

Are there any technologies out there that can sense your body heat as well as facial recognition? I don't know if there are any commercially available applications of this but here's an interesting delve into evolving facial recognition into thermal recognition: http://cdn.intechopen.com/pdfs/17173/InTech-Thermal_infrared...

Couldn't someone hold up a picture of the OP's face to the camera to bypass this?

I'm not sure if any desktop software does this, but (some?) Android devices can optionally require a blink to unlock with facial recognition.

When I messed with army radios - these being the made-by-the-lowest-bidder-and-not-secret analogue variety - they were throat-operated. You spoke silently, and the microphone - pressed to your throat - sent speech over the radio.

It took practice to talk perfectly clearly, but it could be mastered.

Google "throat microphone".

If I had one of them, I would totally be able to pretend I'm in the SAS on some secret mission!:D Obviously a mission that didn't involve any stairs, and nothing above 6 miles an hour (top speed of my chair!) With lots of ramps and extrawide doors :-)

Seriously though, I'm connected to this computer with a ton of cables and if that could be made to play nice with Dragon, and it wasn't too tight across where the break is in my neck it would be brilliant!

If you're already "wired up to the computer", would another USB connection make any difference?

An Arduino can act as a keyboard ( http://hackaday.com/2012/06/29/turning-an-arduino-into-a-usb... )

You could then hook that into some controls you've already got on the chair - the obvious choice being to have "Up, Up, Down, Down, Left, Right, Left, Right, B, A, Start" trigger the Arduino to type out your password.

(Where are you from? I know if someone asked for help with this on my local (Sydney, Australia) hackerspace mailing list, there'd probably be three or four people building prototypes by the weekend…)

Unfortunately adding another USB connection would make a difference, there is the cognitive load of just being tethered to my computer and there are sometimes situations where I need to get out of my wheelchair quickly; so minimising connections is the order of the day.

That being said this solution could be implemented wirelessly maybe? I mean have the arduino sitting somewhere connected to the laptop wirelessly, and then have a switch connected to the arduino wirelessly as well?

The only sticking points I could see are that obviously I can't assemble these things myself, and travelling to a Hackerspace would be impossible unfortunately.

Also, I'm in the UK.

Hmmm. It's also possible to do the same "pretend to be a keyboard trick" over bluetooth - it's just a little more expensive than via Arduino/USB. It's about an extra $50-ish to add bluetooth capability to an Arduino (at least at sparkfun.com prices).

I'm in Australia, so the UK is a bit far to be prototyping - did you see Helgosam's post else-thread? Sounds like he's at least in the same country as you and capable of helping out (and/or putting you in touch with other locals who're in this space…)

https://news.ycombinator.com/user?id=Helgosam https://news.ycombinator.com/item?id=6054049

In a similar vein, emotiv [1] sell an EEG headset, which is purported to offer mind control. I've no clue whether these things actually work or what they are useful for. I'm only aware of this device because I used to work with one of the principals in the company.

[1] http://www.emotiv.com/

This looks like it would be massively useful, but it's really expensive at the moment which keeps it out of my hands unfortunately :-(

It looks like it could be applied to all sorts of accessibility situations and problems though!

If you're in the UK they can be picked up pretty cheaply from surplus stores, and no doubt online too. There must be some consumer-grade ones knocking about too which might be worth a shot if you're not sure if it'll work or not :)

I've just ordered a USB version because Dragon requires really clear quality sound, and just plugging a 3.5 mm jack into the Line In port isn't going to work because Dragon will only recognise USB devices.

But fingers crossed this one will work!

Throat mic available at DX.com and other Chinese online retailers last time I checked

EDIT: You can even pick colors: http://dx.com/s/throat

If you can't find one commercially, then it's just to do an "ask HN" for anyone to help you acquire one or can make you one etc :)

Throat microphone + headphones makes it all effectively private from literal eavesdroppers :)

It should be possible to make an OSX app that disables the hardware keyboard and touchpad, that can be toggled by voice password.

The laptop only being accessible via voice recognition and one button should be enough to render the entire system unusable to casual snoops.

edit: Looks like you can disable/reenable the builtin keyboard/touchpad with terminal commands, so it'd just be a matter of scripting them to voice shortcuts: http://superuser.com/questions/214221/how-can-i-lock-the-mou...

ps: be sure to have a plan B to reboot your laptop while experimenting with this in case it locks out your controls somehow.

As Tyler E suggested:

"Wonder if he could somehow get his one-button clicker to translate morse code into ascii."

Use the Arduino Leonardo to send native keyboard key strokes into the USB port of the Mac - it's robust and works every time - plug and play (once it's been programmed).

The Leonardo could be programmed to listen out for a specific pattern of switching and then send the entire password down the USB cable, or alternatively it could have some simple or complex feedback (lights / tones / onscreen keyboard display on a second mini screen) to allow individual characters/keystrokes to be sent down the USB cable from the Arduino.

I've been making stuff like this in the UK for the charity Scope, and their users - often people who have cerebral palsy. I could potentially make you something and post it over - if you are interested drop me a line.

If you would be willing to make something that would be brilliant, I would love to work on a project like that :-)

Having an Arduino with a small screen next to my laptop would be no problem at all, the only snag I can see so far is that I can only use one button at a time when switching between two buttons is a nonstarter unfortunately; but I'm sure that that is something that can be overcome.

So yes, I'm definitely interested!

>>But I can't password lock my whole laptop because OS X requires that password before it will load up any applications, and I can't put a password in without my apps.

Why not just have the mac autologin and then immediately go into screensaver mode?

At the very least set /System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/ScreenSaverEngine.app to open on start

Thinking about solving this programmatically, it wouldn't be too hard to set up a secure locking replacement for a screensaver that would offer a challenge response system to unlock the system without using a password anyone who hears could repeat.

Maybe use your current system with a rolling password, so that the previous password no longer works?

Obviously that would take a little feat of memory, or at least some kind of prompt, but you could memorize a poem or something and use that - it would prevent replay attacks.

Or, use an algorithmic password, perhaps one where you do a sum based on the time of day.

All these solutions require some level of coding sadly, but I would have thought it would be something a freelancer could knock up relatively cheaply.
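The challenge/response and "algorithmic password" ideas above, sketched as an added example (not code from anyone in the thread). The scheme is an assumption chosen because it can be done in the head: the screen shows random digits, and the spoken answer is each digit plus the matching digit of a memorised secret, modulo 10. The names `ChallengeLock`, `normalize_spoken` and the secret `4821` are constructed for illustration.

```python
import hmac
import re
import secrets

# Dictation software may return digits as words; map them back (assumed vocabulary).
WORDS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3",
         "four": "4", "five": "5", "six": "6", "seven": "7",
         "eight": "8", "nine": "9"}


def new_challenge(length):
    """Random decimal challenge from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def expected_response(challenge, secret_digits):
    """Digit-wise (challenge + secret) mod 10, with no carries."""
    return "".join(str((int(c) + int(s)) % 10)
                   for c, s in zip(challenge, secret_digits))


def normalize_spoken(text):
    """Turn 'seven three nine zero' or '7 3 9 0' into '7390'.

    Any unrecognised word makes the whole answer invalid (fail closed).
    """
    out = []
    for token in re.findall(r"[a-z]+|[0-9]", text.lower()):
        if token.isdigit():
            out.append(token)
        elif token in WORDS:
            out.append(WORDS[token])
        else:
            return ""
    return "".join(out)


class ChallengeLock:
    def __init__(self, secret_digits, challenge_source=new_challenge):
        self._secret = secret_digits
        self._source = challenge_source
        self._challenge = None

    def issue(self):
        """Show this on screen; it is valid for exactly one attempt."""
        self._challenge = self._source(len(self._secret))
        return self._challenge

    def attempt(self, spoken_text):
        if self._challenge is None:
            return False  # nothing outstanding: an answer cannot be pre-supplied
        want = expected_response(self._challenge, self._secret)
        self._challenge = None  # single use, so an overheard answer cannot be replayed
        got = normalize_spoken(spoken_text)
        return hmac.compare_digest(got.encode(), want.encode())


if __name__ == "__main__":
    lock = ChallengeLock("4821")  # constructed secret
    shown = lock.issue()
    print("challenge on screen:", shown)
    print("correct answer accepted:",
          lock.attempt(expected_response(shown, "4821")))
```

This only covers the overheard-audio case the thread is concerned with: anyone who both sees the challenge and hears the answer for one round can recover the secret by subtraction.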

Maybe some kind of NFC device that you could wear so that the computer would lock/unlock when you were near it ?

If access to another device is just as problematic then a 13.56 MHz MIFARE RFID sticker could do the trick with a Sonmicro USB RFID reader.

The interface could just be a python script reading for serial over USB. I built some Raspberry Pi based RFID terminals that ran a python script in a loop, no problems running them for days on end.

That's the extent to which I know, someone else would have to chime in on exactly how to interface the script with access control.

NFC would be excellent, but if Bluetooth-enabled phone is all you have: http://lifehacker.com/how-to-make-your-smartphone-automatica...

That would be perfect, but instead of wearing it I could have something implanted in my arm for instance; and I would definitely notice if somebody tried to steal the tag!

What do you think about biometric Voice fingerprints? Instead of voice-recognition.


---going further---

Then just encrypt the home folder's contents on a file-basis & sync it with a privately owned server. This improves the chances of data-recoverability on crashes or on filesystem corruption. Add a kill-switch toggle that erases all important files on the mac on 5 unsuccessful login attempts, and enables surveillance mode permanently using different tracking software (prey-project for example).

I'm really curious about this, I would be open to doing it but I have no idea how to go about implementing something like this!

Could you expand a little or point me at some resources, that would be great thanks :-)

Yes, I'd seen that before just didn't realise that was the term for it.

Something like that would be ideal if a system could be implemented that was reliable enough, there's always going to be some degree of false positive/negative but it would be cool otherwise.

Plus just tell the thief that it's something that helps you breathe, if he continues stealing it you can raise charges against him for attempted murder!

That could be stolen though.

Glue it to the wheelchair. If someone steals that, he has worse problems.

But would a casual laptop thief think to check escapologybb's pockets?

Well, OK, a mugger might, but would they recognize little fob thing as something of import that must be close to the computer?

I'm not sure they would care. I don't know that much about Macs, but my assumption is that you can do a format/reinstall just like any other computer.

Or, you know, just fence it.

http://quadstick.com is developing a mouth operated programmable joystick/mouse/keyboard. A sequential combination of up to eight input signals (specific joystick movements and/or a sequence of hard or soft sip & puffs on four different tubes) can trigger the sending of up to six preprogrammed keyboard keys, or it can just recognize characters traced out on the joystick and send them one at a time.

Would something like Keycard[1] work for locking the screen when you're not nearby?

I wonder if it could be set to lock at boot unless your phone (or BT headphones or whatever) is nearby.

I doubt this can be all that secure since it can be downloaded from the App Store, I'm pretty sure that means it can be force quit (it could not prevent this key combo since it's restricted in the sandbox). It may be just enough.

[1] http://www.appuous.com/products/mac/keycard.html

There are bluetooth screen lock utilities that allow one to auto-lock and unlock the machine based on the signal strength of whatever Bluetooth device you pair it with. I would look into the hands-free Bluetooth speakers (meant for auto use) with a Wheelchair power to USB convertor (most likely the easiest would be via an auto 12V DC adapter). That way you can have a mic/speaker mounted on the wheel chair to control the machine as well (if you don’t have a wireless mic already). Any Bluetooth device capable of being paired will work though. This will prevent someone going through your laptop while you are away. I actually have one I use on occasion at coffee shops called Bluetooth Screen Lock available on the App Store, but there are other free and low cost apps that do the same thing available. The one I use allows me to set the sensitivity so that it will lock after being about 6 feet or more away, and unlock when I am within that distance. I can also set it to lock at the maximum BT signal range as well.

This is the most sensible solution. One implementation of this is called TokenLock. Never used it but it's $3 in the App Store and is pretty well documented, so I'd imagine the dev is pretty pro-active. Buy that with a $20 bluetooth headset to pair it with (make sure the range is as low as possible!) and you have a complete solution for the login issue for under $30.

I wrote a review for a $35 pair of NoiseHush NS400s. They are a stereo, behind the head bluetooth headset. So they also have a mic. They sound great, and pairing them would make an inconspicuous lock that most people wouldn’t think about being theft worthy. But they do not work plugged into the charger, unfortunately.

Just a thought but would a inverse keylogger work?

I would guess something like this- an arduino hooked up to something you can operate (BigBuddy?). This could then ask you for your PIN code (2 taps, 3 taps, 2 taps)

Once arduino is happy it will squirt a pre-stored key sequence into the USB port, acting as a keyboard, and unlock what you need.

I have no idea if it is really viable but its the best I have.
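The "2 taps, 3 taps, 2 taps" PIN described above, as an added example that is not part of the original post: a host-side Python model of the decision logic a microcontroller would run before releasing its stored keystrokes. The timing thresholds, the back-off policy and the name `TapLock` are assumptions, and the press timestamps are constructed sample input.

```python
import hmac

DEBOUNCE_MS = 40        # assumed: closures closer together than this are switch bounce
GROUP_GAP_MS = 1200     # assumed: a pause longer than this ends one burst of taps
BASE_BACKOFF_MS = 2000  # assumed: first lock-out period after a wrong pattern


def group_taps(press_times_ms):
    """Turn switch-press timestamps (ms) into burst sizes, e.g. [2, 3, 2]."""
    groups = []
    last = None  # time of the last press that was accepted
    for t in sorted(press_times_ms):
        if last is not None and t - last < DEBOUNCE_MS:
            continue  # contact bounce, not a deliberate tap
        if last is None or t - last > GROUP_GAP_MS:
            groups.append(1)   # long pause: start a new burst
        else:
            groups[-1] += 1    # same burst
        last = t
    return groups


def pattern_matches(groups, expected):
    """Constant-time comparison of the decoded bursts with the stored pattern."""
    got = bytes(min(g, 255) for g in groups)
    return hmac.compare_digest(got, bytes(expected))


class TapLock:
    """Decides whether one complete entry attempt may release the password."""

    def __init__(self, expected):
        self.expected = tuple(expected)
        self.failures = 0
        self.blocked_until_ms = 0

    def submit(self, press_times_ms):
        """Return 'unlock', 'reject' or 'wait' for one attempt."""
        if not press_times_ms:
            return "reject"
        if min(press_times_ms) < self.blocked_until_ms:
            return "wait"  # still inside the back-off window
        if pattern_matches(group_taps(press_times_ms), self.expected):
            self.failures = 0
            return "unlock"
        # A tap pattern has a small keyspace, so each miss doubles the wait.
        self.failures += 1
        self.blocked_until_ms = (max(press_times_ms)
                                 + BASE_BACKOFF_MS * 2 ** (self.failures - 1))
        return "reject"


# Constructed sample: 2 taps, pause, 3 taps, pause, 2 taps, with one bounce at 12 ms.
SAMPLE_GOOD = [0, 12, 400, 2500, 2900, 3300, 5500, 5900]

if __name__ == "__main__":
    lock = TapLock((2, 3, 2))
    print(group_taps(SAMPLE_GOOD), lock.submit(SAMPLE_GOOD))
```

The pause threshold is the value to tune for the person using the switch: too short and a slow burst is split in two, too long and entry becomes tedious.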

I remember reading in MAKE about a gumball machine that only dispenses gumballs when a secret knock is performed. I'm sure something like that can be adapted for this purpose.


I would love to help build something if you can't find a solution. Maybe you could lock or unlock your laptop via facial recognition [1], or you could add an accelerometer that automatically locks the laptop if someone picks it up. Or just physically lock the laptop to your chair.

Or you could plug an Arduino into the USB port and use it as a keyboard device to send a stream of keypresses when you touch a button (just like a yubikey, except you could put the button anywhere.) The first button press could type in a password to unlock the computer, and the second button press could press a keyboard shortcut to lock it again. Or you could program it to recognize a simple morse code sequence. Let me know if you're interested in that idea, and I would be happy to program one and mail it to you.

[1]: https://www.macupdate.com/app/mac/36762/keylemon

I would love to build something, my programming skills are to put it mildly… well… Rubbish, but if you were willing to help that would be wonderful!

I really like the idea of using the accelerometer as one layer of security, because there is no situation where I'm going to be the one who's picking up my laptop! I think it could only be one part of the overall though, because if they don't pick it up it would still be completely open.

I've tried facial recognition software, including the one you linked to but so far haven't found one that is reliable enough; there were far too many false positives and for a large chunk of the time it wouldn't recognise my face at all. In theory though, reliable face recognition would be a great solution.

Hi, do you have any movement or dexterity in your fingers at all? If so, please offer details of this or any other control you have that might be exploited. I have a colleague who once-upon-a-time built a system of low-force buttons and other goodies that enabled a quadriplegic person to work a telephone very effectively, as in they were subsequently employed to do some kind of work over the telephone. Would something like that be of use?

I think you might also be able to make use of a kinect or Android/iPhone and some eye-tracking.

Also, do you know of these guys? It's where my colleague worked about twenty years ago. http://www.tirrfoundation.org/

In the vein of finger dexterity, I fear it must be very low, otherwise I'd expect use of a small "joystick mouse" rather than (or at least as a supplement to) SwitchXS and a single-button switch.

That said, I've heard of some quadriplegics with basic finger function using morse code-style inputs in various ways. I don't know details, but this[1] popped up in Google. It seems old but potentially interesting.

I wonder how much work it would be to put together something like an Arduino-based device that takes morse-like input and simulates a USB or Bluetooth keyboard?

[1] http://www.makoa.org/jlubin/morsecode.htm

Yup, colleague says he designed and built several different sip & puff controls for various things.

>I wonder how much work it would be to put together something like an Arduino-based device that takes morse-like input and simulates a USB or Bluetooth keyboard?

IMO it has never been easier.

PS re: "I want my personal information secure from casual passers-by who after having a quick peck on the keyboard would more than likely give up; I'm not looking for PRISM dodging security here :-)"

How about an RFID tag fixed to your wheelchair, and a transceiver for it mounted on your computer desk?

Yubikey would work if you could mount it so that you can touch the touch-pad with your nose. I don't know if that's acceptable to you?

There is a Yubikey model that uses NFC called the NEO[1]. So it would operate simply by your being close to the computer. At the moment, the NFC only works with Android, iOS, Windows Phone, and Blackberry, but it might be able to be ported easily. I'm looking into how this might help you now (Yubikey has an SDK).

You're on OSX, so let me see what I can come up with. No promises, but I'm looking.

1. http://www.yubico.com/products/yubikey-hardware/yubikey-neo/...

EDIT: I see that the Yubikey NEO is sold out for the next 5 weeks, so this may not be the best option for you.

EDIT2: The best solution was referenced by silverlight above, it's called TokenLock for Mac OSX, and it's $3 in the App Store. You can use it with bluetooth devices. Just get some little $20 bluetooth device or headphones you can pair it with, and have someone put it in your pocket. Please take a look here (again, thanks to poster silverlight above): http://www.map-pin.com/tokenlock-home/ Never used it, but it looks pretty versatile and can be used with all sorts of login approaches.

For securing your browser passwords, I think the Yubikey with the NFC chip will be your best bet. Right now, they don't have OSX software available specifically for the NFC, but I imagine they will release some eventually. I'd call and ask them.

I think as soon as they bring out some software on the Neo model that would be ideal, I'll definitely get in touch with them. Excellent find!

As for TokenLock, I downloaded the free trial and during the setup process my laptop locked up for apparently no reason; I had to have my partner stop what she was doing and come and restart the computer for me. Clearly not an ideal situation.

It really was a case of;

1. Download and install application
2. Run through the setup process, which appeared to go flawlessly
3. Read helpful message that laptop will be locked when iPhone goes out of range
4. … Laptop locks up as I'm reading the message, whilst my iPhone has sat resolutely still about 5 inches from my laptop!

That is a terrible level of reliability for me I'm afraid :-)

Hi, that would be acceptable just not physically doable I'm afraid. My range of movement would prohibit this unfortunately.

Buttons are actually very simple devices, I've owned a yubikey (it got stolen, together with my other regular keys >.<) but I think it is actually very simple to remove it, solder two wires to it and connect it to a switch of any size that you can attach to whatever is within your range of motion :)

I'm based in the Netherlands so I probably can't help you, but maybe you could ask an electrician near you to help you with it.

Your adversary is extremely simple. You haven't mentioned in your post if you are open to or able to do any custom coding.

I would suggest writing/getting an app written that runs in fullscreen and looks exactly like an OSX login screen. Bonus points if it can disable multi-tasking shortcuts such as the 3 finger swipe up. The app can be hardcoded to only accept one password - yours. Since the app is running with OSX logged on you can use your usual tools to enter the password.

It goes without saying that this won't fool anyone determined - you can just reboot the laptop to make the app go away. However it should be enough to stop casual passers-by.

If you are using AbleNet's "Hitch" switch interface, by their description it should be able to emulate keyboard input without the SwitchXS software being loaded, but a manual doesn't seem to be publicly available.

This product called "Swifty" (http://www.orin.com/access/swifty/) also takes a switch as input, and can emulate a standard usb keyboard. With VoiceOver enabled in the login screen (Settings->Users->Login Options) this should allow one to login without using the keyboard.

Hope this helps.

When I clicked reply to this comment I was doing so using the Swifty! It really is robust but when I tried the system you outlined, it was working maybe one out of every 10 times I tried it; at which point I had to ask for help to get into my machine. Which is like security fail on my part :-)

Okay, sounds like an interesting challenge. Let's describe the problem and examine possible solutions.

Goals:

1. Securely login to websites.

2. Securely unlock a Macbook Pro.

Solutions to (1):

A. (1) Can be solved with a password memorization app, once we solve (2).

So let's examine 2.

Solutions to (2):

Seems like there are two parts to this problem: authentication and OS X integration.

OS X has a login API that can be used to build extensions, or since the adversary is unsophisticated we could use an input blocking regular application.

Okay, so the integration piece is possible, and we can flesh that out later. So let's look at authentication.

A. Use Physical Authentication: Bluetooth, RFID, and Wifi devices come to mind. All of these require purchasing additional hardware. Buying new hardware seems inelegant though, so let's table this option for now.

B. Biometrics: Voice print ID or facial recognition. More promising, but false negative rate is too high, especially for accessibility purposes. Really don't like the idea of a temperamental biometrics program keeping you out of your computer.

C. Speech Recognition: Get voice recognition working on the log in screen. Apple has APIs for dictation and log in. This one seems promising. But then you might need a rotating set of passwords or an algorithmic password, as others suggested, to keep passers-by from overhearing your password.

One more thought. Is there a way to set up Dragon Dictate as a native input device? If so, Mac lets you access the input device switcher from the log in menu.

I used to work with quads. I would use Sikuli.org (Python script) to automate most things.

Read this post about new treatments in China. Spinal Cord injury therapies and medical situation in China Major spinal surgeries in China. Advances in repair of cord. http://nextbigfuture.com/2013/07/spinal-cord-injury-therapie...

Talk about cultural differences. From your link:

> China in 2004 clamped down on clinical trials and has the most strict regulations on it now.

> They executed some doctors who did not follow the rules.

> Now doctors are very careful and precisely follow the rules.

You have a button you can push (#3 in your list above). So this means you are well on your way. You would need to create (or have created for you) a password app, that would open on startup, and prompt you for your password. Of course entering a password using a keyboard isn't so great, but since you have a button, you can ask for a certain set of button pushes, in a certain order. (Whatever works well for you).

I.e. you spell 'cat' in Morse code with your one button. Or whatever. The important thing is that it's something YOU can do, and is likely not any more easily guessed/caught than someone shoulder surfing someone typing the password on the keyboard.

That said... I want to point out, you mention this is because you are worried about your PAs that are helping you with things maybe taking liberties you don't want them to. If you don't trust your PAs I think you should work on getting their trust (and vice versa), or look into replacing them with people you trust. If you need help with advocacy around this, reach out to your local Independent Living Center.

Good Luck!

Unlocking a computer programmatically is hard and should be so. Locking on the other hand isn't. Perhaps you could lock upon fail to NFC authenticate every x seconds. That only answers part of the question, since the attacker would still have x seconds to snoop around every time he logged in, but would be such a nuisance that he probably would give up.

Wow, I went to bed not expecting much of a response but you guys have come up with some excellent solutions, I'm getting round to specific answers as quickly as I can!

I'm clearly missing something obvious, but I can't for the life of me figure out how to edit and update my original question; can someone put me out of my misery? :-)


a) How about buying an external Fingerprint reader that's close to your thumb or wearable? There are tools that automatically find windows with input fields.

b) OR, instead of dictating a password, you could hire someone to write software that extracts a fingerprint from your VOICE's characteristics. You would have to train it to different types of voices you have (morning voice/tired voice/hoarse voice etc.)

Every person's voice has characteristics that make it unique and cannot be reproduced by another human. Only a computer could do that and that would require a lot of effort to break the unknown algorithm used in your computer first.

c) use existing software like this: http://demo.authentify.com/biometric/ or similar. I just googled for voice authentication/fingerprint.

Well I guess you could use something like that: http://notimpossiblelabs.com/eyewriter with some software modification (pure speculation as I haven't even checked the code) you could use eye movement and blinking to simulate mouse input and with on screen keyboard you should be able to write your password somewhat securely http://www.ted.com/talks/mick_ebeling_the_invention_that_unl...

also shouldn't be expensive to build... [edit] link to the github repo the software can be found here https://github.com/eyewriter/

I will definitely look into that, I remember seeing the TED talk when it first came out and thought it was cool; thanks for the links :-)

I'm out of my depth in more than one way here.

How about rigging a bite switch to the YubiKey (either directly or via something like a Raspberry Pi / BeagleBone)? That's assuming that the only issue with the YubiKey is you pressing the button.

Maybe (if it has an rpi) it needs a sequence. Bite. Pause. Bite bite. Pause. Bite. Etc.

I suspect you'd need someone to build it for you but I doubt there is a shortage of capable or willing people here. Sadly, my electronics skills are not up to it :(

I'm always impressed by people with accessibility issues using technology (or whatever is the correct term - sorry if that's at all offensive :( ). I've managed to make one of my apps a lot more useful to blind/partial sighted people after talking to a guy who can't see. It took me about 30 mins, and made the world of difference to him.

Maybe you could use a USB device that is physically attached to the chair, then a thin USB ribbon cable that plugs into the computer, but pulls out quickly. That way if the computer is taken it would auto lock the machine when the ribbon is removed.

It would take work to get setup again, which may make the NFC setups better.

You should also follow the Leap Motion device: https://www.leapmotion.com. It could enable some facial recognition apps, or new approaches for data entry that are not just voice control.

Also, something like this may make it less desirable to steal, and be another way to mount it to your chair. https://www.stoptheft.com/products/stoplock

Does DragonDictate still work if you switch users? If so, you could encrypt your home directory, add a second user, and set OSX to auto-login to that user (and auto-launch DragonDictate).

If not, I think your best bet is a Bluetooth solution or some hardware token. For instance, an Arduino or Teensy ($20) programmed with your login/master password, and with a small microphone connected would be able to respond to certain voice commands and act as a regular USB keyboard, typing in your pass phrase.

You could also have some software on the Mac to automatically lock the screen or shutdown the computer if the Arduino is removed.

If you are already logged in to an account with Dragon running, will it let you dictate into system password boxes (OS X Dictation does not when I tried it)? If so, having the computer auto-login on boot to a secondary account should accomplish what you need. Then dictate your password into the Fast user switching box.

Otherwise, user switching can also be activated with Automator or Terminal. OS X Dictation will type into a password prompt in Terminal, so a script might be able to switch to your account with password dictation (or with your password stored in the script, if you trust that).

When done in your secure account, just run another script or reboot to switch back to the secondary account.

Here are some example scripts: http://hints.macworld.com/article.php?story=2011081307461141...

This is an excellent idea and something I'm going to implement immediately! It will certainly give me a level of security whilst I look at some hardware solutions, thanks :-)

There's an application that lets you lock individual applications, but which should allow you to unlock it with dictation, as the rest of the OS is still working. Mac App Blocker (http://knewsense.com/macappblocker/)

There's also QuickLock which was/is a workaround to lock OS X quickly without using the screen saver + immediate password requirement. http://www.quicklockapp.com/

Note: I haven't used either, I'm just googling and looking at videos.

I don’t know much about Apple computers but on a Windows PC I wouldn’t use startup password to avoid friction when starting the PC. For login in a website, I would use an application like Keepass. For my private data, I would create a virtual encrypted disk with Truecrypt. If you leave your PC alone or take a nap, just close Keepass and Truecrypt and your data are secured. And to enter the password when you start Keepass and Truecrypt, I would create a few pages text file on my desktop and just copy/paste a combination of 2 or 3 words so I wouldn’t need to speak my password loud.

Questions on the threat model:

-Is the computer turned off or on?

-Do you want to a) protect your computer from being stolen? b) protect your weird fetish from being discovered? c) protect your online banking credentials?

I hope you don't mind if I rephrase that last bit, I felt it was overly specific:

"-Do you want to a) protect your computer from being stolen? b) improve the privacy of your files? c) protect your online credentials?"

For porn he could stream it incognito. For protecting banking credentials, he could use a separate password manager that auto shuts down after a minute or so.

Solving the special case is sometimes easier.

Answers on the threat model:

- Yes the computer is turned on

- C is the main worry, with regards to A, if somebody has managed to get into the house and is about to take the laptop, there is absolutely nothing I can do about it so I don't really worry about it.

And as for B, I have absolutely no weird fetishes at all and have done absolutely nothing wrong EVER :-)

I think another password manager you only log into when no carer is around could be the solution, that has all the sensitive passwords. If there are any files you want to protect you could put them in a truecrypt container.

When you talked about the YubiKey, it's actually not too hard to build a two factor token yourself. Using an Arduino, you could wire it in a way that would be convenient for you to operate.



I would love to be able to do these sorts of things, but anything that involves hardware would mean I would have to contract in a pair of hands.

And hands are not always a readily available resource, the people attached to them have like lives and other stuff to do; it's terribly inconvenient! :-)

I'm going to look into it though, thanks for the idea!

Perhaps voice identification could help. There seem to be quite a few solutions [1]. Unfortunately I do not have any intuition how good they are, but probably they can be broken with a simple recording of your voice (or a recording of a passphrase). So before you trust these, you should probably play a bit with an mp3 player.


A simple solution might be to "double lock" your system. In addition to your password manager, use face recognition (via the laptop webcam). I know such a system can be easily spoofed, but it will stop the casual opportunists you described in your brief, and without requiring too much effort on your part to unlock (and I can only imagine how long-winded many of the otherwise simple tasks might be given your unfortunate position).

Face recognition is the best answer I can come up with to unlock the computer. Set up a USB wrist band that when your computer gets pulled away from will auto lock.

If I understand correctly, you use neither the traditional keyboard nor the trackpad. Can you disable both, or at least configure them to be very difficult for the casual passerby to use? As an example, any non-traditional keyboard layout that doesn't match the labels on the keys is likely to confuse and annoy the average user to the point that they give up very quickly.

You can set LastPass to prompt for the password every time you need to login to a password[1]. This presumably disables password caching in the plugin. Would that solve your first problem?

[1] https://helpdesk.lastpass.com/account-settings/security/

Yes, that's what I'm doing at the moment but I'm unlocking the passwords on a session by session basis rather than one password at a time.

The next Kinect is supposed to be able to detect eye movement. I don't think it would be too hard to implement something that would prompt for a sequence of eye movements after pressing the single button switch described by OP. I don't know if this would take care of both use cases, but I think it would take care of the first.

There's a program out there that can use a webcam to detect where you're looking on a screen. It performs a "click" if you hover over a button for a few seconds. Mix that with an on screen keyboard and that might work. I don't know if those options work with OSX though.

Camera Mouse 2013 does that on windows for free. Not a great option since it doesn't always follow whatever it is tracking that well. You would need to go with an expensive option like http://www.tobii.com/ if you wanted good eye tracking, but that is expensive and I don't think Mac compatible. Plus, not always as accurate or easy to use as you would think.

How about some way of voice recognition? Maybe through a raspberry pi with a mic connected to it. There are surely some pre-made algorithms / scripts for this sort of thing. So once the voice recognition is passed and validated the password would be entered via the raspberry pi.

Just my two cents!

Was this posted by Hal Finney? He's unfortunately a quadriplegic now but still programs.

Someone could build a login sequence that uses yes/no questions that only you know the answer to. Then it would just be a matter of how many bits of protection you want. E.g. 32 questions would be something like 32 bits of entropy. Kind of laborious but also fairly secure because the order and selection of questions could be randomized, so someone would have to shoulder surf many questions in order to break in.

E.g.: Is this your mom? (with a picture). Is this your favorite color? (a color showing). Is this your phone number? Is this your house? Do you like cheese? Do you like Candy Crush? (ok, no entropy there, the answer is always "yes").

Now, does someone want to make this product?
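Added example, not part of any comment in this thread: a Python sketch of the yes/no login idea above, showing that "32 questions, 32 bits" only holds when a stranger can do no better than a coin flip on every answer. The question pool, the guess probabilities and all function names are constructed assumptions.

```python
import math
import secrets

# Constructed pool: (question, true answer, probability that a stranger's
# best guess is right). 0.5 = coin flip, 1.0 = everyone knows the answer.
POOL = [
    ("Is this your mom? (picture)",   True,  0.5),
    ("Is this your favorite color?",  False, 0.5),
    ("Is this your phone number?",    False, 0.5),
    ("Is this your house? (picture)", True,  0.5),
    ("Do you like cheese?",           True,  0.8),
    ("Do you like candy crush?",      True,  1.0),
]

def bits_for(questions):
    """Min-entropy of a challenge: -log2(chance one blind attempt passes)."""
    p = 1.0
    for _question, _truth, guess_p in questions:
        if not 0.5 <= guess_p <= 1.0:
            raise ValueError("best-guess probability must be in [0.5, 1]")
        p *= guess_p
    return -math.log2(p)

def draw_challenge(pool, target_bits, rng=secrets.SystemRandom()):
    """Pick questions in random order until the challenge is strong enough."""
    order = list(pool)
    rng.shuffle(order)
    chosen = []
    for item in order:
        chosen.append(item)
        if bits_for(chosen) >= target_bits:
            return chosen
    raise ValueError("pool cannot reach %.1f bits" % target_bits)

def verify(challenge, answers):
    """Check every answer without stopping at the first wrong one."""
    ok = len(answers) == len(challenge)
    for (_question, truth, _p), given in zip(challenge, answers):
        ok &= (given == truth)
    return ok

if __name__ == "__main__":
    challenge = draw_challenge(POOL, 4.0)
    print(len(challenge), "questions,", round(bits_for(challenge), 2), "bits")
    print("whole pool:", round(bits_for(POOL), 2), "bits from", len(POOL), "questions")
```

With this constructed pool, six questions are worth about 4.3 bits, because the cheese and Candy Crush answers are easy to guess.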

Have you thought about using your single switch with an onscreen keyboard? I am not sure if OSX will let you automatically show an onscreen keyboard for the login screen (not sure why they wouldn't), but this would be as secure as you typing in the password via a real keyboard, and you wouldn't have to deal with all the other things that can go wrong. Also, have you tried to use a Quadjoy mouse (http://www.quadjoy.com/)? This gives you full mouse use, and gets you out of jams when Dragon decides to stop working and your PCA isn't immediately available.

Could you re-route the keys to random unicode values so that if someone types 'a' they get '%' instead? That way if someone took a few pecks they would hopefully get frustrated.

Would some sort of active face verification be close to what you're looking for? Your webcam would always run, then when it sees you, it unlocks; when it no longer sees you, it would lock.

Don't know if this has been discussed already - have you considered a proximity-based sensor, where your device is locked when it's away from you?

It may be possible to enter Morse code using the single button switch. I knew someone who used one of these for a while, but not for password entry.
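Added example, not part of any comment in this thread: a Python sketch of the one-button Morse entry suggested here and in the earlier "spell 'cat' in morse code" comment. It decodes press/release timestamps into letters and compares the result with the stored password; the timing thresholds, function names and sample timings are assumptions.

```python
import hmac

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}

def decode_presses(presses, unit=0.4):
    """Decode (press_time, release_time) pairs, in seconds, into text.

    A press shorter than 2 units is a dot, anything longer is a dash.
    A pause of 2 units or more between presses ends the current letter.
    `unit` is an assumed, user-tunable dot length: raise it for a switch
    that cannot be operated quickly.
    """
    letters, symbol, last_release = [], "", None
    for down, up in presses:
        if up <= down:
            raise ValueError("release must come after press")
        paused = last_release is not None and down - last_release >= 2 * unit
        if paused and symbol:
            letters.append(MORSE.get(symbol, "?"))   # unknown pattern -> "?"
            symbol = ""
        symbol += "." if (up - down) < 2 * unit else "-"
        last_release = up
    if symbol:
        letters.append(MORSE.get(symbol, "?"))
    return "".join(letters)

def check_password(presses, expected, unit=0.4):
    """Compare the decoded presses with the password in constant time."""
    decoded = decode_presses(presses, unit)
    return hmac.compare_digest(decoded.encode(), expected.upper().encode())

def presses_for(text, unit=0.4):
    """Build constructed sample timings for `text` (letters only)."""
    inverse = {letter: code for code, letter in MORSE.items()}
    t, out = 0.0, []
    for ch in text.upper():
        for mark in inverse[ch]:
            length = unit if mark == "." else 3 * unit
            out.append((t, t + length))
            t += length + unit      # 1 unit of silence inside a letter
        t += 2 * unit               # 3 units of silence between letters
    return out

if __name__ == "__main__":
    sample = presses_for("cat")     # constructed input, not a recording
    print(decode_presses(sample), check_password(sample, "cat"))
```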

If you could have a separate, physical voice to text converter, it would act as a physical keyboard and type in your password, etc.

If you're interested in a custom hardware solution, the folks at hackaday.com may be helpful.

In your case, would you like to wear a brainwave sensor, so as to manipulate your laptop directly?

That sounds awesome, but financially speaking I think it would be prohibitively expensive unfortunately.

Couldn't you just completely disable the keyboard?

And USB ports?

Using multiple keychains would also help.

Here's a simple idea (lacking in specific implementation details, sorry):

- Figure out how to add a text filter between DragonDictate and your system.

- Program the filter to look for a special sequence, e.g. "cipher_mode"

- When in cipher mode, feed characters through a simple cipher. E.g. A -> C, B -> D, etc. No passerby is going to be able to figure out what you're doing.

- When the filter sees "cipher_mode" again then it stops filtering.

If a passerby hears you say "cypher mode A Y R cypher mode" to unlock your computer, they might not figure out that your password is CAT, but they will figure out that "cypher mode A Y R cypher mode" unlocks the computer.

Obviously you'd pick a better phrase than "cipher mode".

But you make a good point. I think this approach can still work though.

- Rotate the cipher based on the current day/time, or rotate it based on the previous use.

- You could prime the next password each time you successfully login. So e.g. every time you login, you offer 3 additional letters in "clear mode", but then have to give them back in cipher mode.

I think I'd go with the last one.

The worst part about all this is that it requires custom programming.
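Added example, not part of any comment in this thread: a Python sketch of the "cipher_mode" dictation filter from the comments above, with the shift rotated after each successful login so that an overheard phrase does not work a second time. The "+1 per login" rotation rule, the class and the function names are assumptions; the shift of 2 and the "A Y R" to CAT example come from the thread.

```python
import hmac
import string

MARKER = "cipher_mode"              # toggle word used in the thread
ALPHABET = string.ascii_uppercase

def shift_letter(ch, shift):
    """Caesar-shift one letter; any other character passes through."""
    up = ch.upper()
    if up not in ALPHABET:
        return ch
    return ALPHABET[(ALPHABET.index(up) + shift) % 26]

def filter_dictation(tokens, shift):
    """Return the characters typed into the password field.

    Tokens between two MARKER tokens are shifted, tokens outside are
    typed as dictated, and the MARKER itself is never typed.
    """
    out, ciphering = [], False
    for tok in tokens:
        if tok == MARKER:
            ciphering = not ciphering
            continue
        if ciphering:
            tok = "".join(shift_letter(c, shift) for c in tok)
        out.append(tok)
    return "".join(out)

class RotatingUnlock:
    """Unlock check whose shift changes after every successful use."""

    def __init__(self, password, first_shift=2):
        self.password = password.upper()
        self.shift = first_shift

    def try_unlock(self, tokens):
        typed = filter_dictation(tokens, self.shift)
        ok = hmac.compare_digest(typed.encode(), self.password.encode())
        if ok:
            # Assumed rotation rule: +1 per login, kept in 1..25 so the
            # password is never spoken in the clear (shift 0).
            self.shift = (self.shift % 25) + 1
        return ok

def spoken_for(password, shift):
    """Letters the user has to say so the filter types `password`."""
    return [shift_letter(c, -shift) for c in password.upper()]

if __name__ == "__main__":
    lock = RotatingUnlock("cat")
    overheard = [MARKER, "A", "Y", "R", MARKER]
    print(lock.try_unlock(overheard))        # first use succeeds
    print(lock.try_unlock(overheard))        # same phrase replayed fails
    print(spoken_for("cat", lock.shift))     # what to say next time
```

The rotation only defeats a word-for-word replay; someone who knows the rule and hears one phrase can still work out the password, which fits the casual passer-by adversary from the original post and nothing stronger.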

Since you are here, a few questions (not related to the current subject): you might be surfing on the web, given your condition, what are the annoying stuff you encounter that makes your surfing harder and that could be easily fixed if web developers actually cared about accessibility?

Do you have examples of websites that use technology to facilitate surfing for disabled people, that could be shown as an example of good accessibility practice?

Thanks and take care.

Hi, hit me up on Twitter and I'd be happy to help. @escapologybb

We have patented something called PassRules which does not disclose your secret during normal use. It's the perfect solution for you but unfortunately we don't have a version for Mac -- only Windows. But if there's sufficient interest we might just develop one. Check us out at www.itsmesecurity.com

Good thing you have a patent. Now, if you can't be bothered to make a Mac version, no one can! (maniacal villain laughter goes here, don't forget to twirl your mustache)

Not true, we'd be happy to work with Mac developers. It's just that we don't have the skills in house. Any takers?

This is one reason why you write for the JVM. I have Mac users for software that I've never personally used on a Mac.

JVM path not feasible when the goal is O/S security

This is a great example of how patents help humanity.

TIL that everyone needs a patent to prove defensibility to VC's, but no one is allowed to mention a patent on HN without being down voted, because patents are evil.

Help yourself and download our FREE versions for Windows workstations, Android devices, iPhone, and iPad.

If you're not using whole disk encryption (or even partial encryption), then it doesn't really matter if you use a login password or not. The attacker can just clone the hard drive to gain access to your files.

The threat model was casual passers-by. That may not seem much but severe disabilities change things a lot.

I am assuming that the OP is simply taking steps to mitigate an ever present fear of "being taken advantage of". There are some real arseholes out there, for example a friend of a friend was a blind dumb mute who was mugged in the street - nothing stolen except her cane and cards she used to communicate. She had no way to communicate with anyone, and they had no way to communicate with her.

She had to walk home...

Bang on, it's the horrible person who comes into the house of somebody physically vulnerable and steals pain medication from them (true story); those are the people that are the adversary.

Pain medication, from somebody with nerve fire… I just don't understand that mentality!

I interpreted the threat as a passer-by stealing the laptop and not giving it back.

> I want my personal information secure from casual passers-by who after having a quick peck on the keyboard would more than likely give up; I'm not looking for PRISM dodging security here
