September 2016

Next Thing CHiP as a Twitter Bot

twitter-logoThere was a post that came across on Medium recently, How to Make a Twitter Bot in Under an Hour.  It’s pretty straight forward, though it seems to be pretty geared towards non “techie” types, mostly because it’s geared towards people making the bot on a Mac and it uses something called Heroku to run the bot.  Heroku seems alright, except that this sort of feels like an abuse of their free tier, and it’s not free for any real projects.

I already have a bunch of IOT stuff floating around that’s ideal for running periodic services.  I also have a VPS is I really wanted something dedicated.  So I adapted the article for use in a standard Linux environment.  I used one of my CHiPs but this should work on a Raspberry Pi, an Ubuntu box, a VPS, or pretty much anything running Linux.

The first part of the article is needed, set up a new Twitter account, or use one you already have if you have extras.  Go to apps.twitter.com, create an app and keys, keep it handy.

Install git and python and python’s twitter extension.

sudo apt-get install git

sudo apt-get install python-twitter

This should set up everything we’ll need later.  Once it’s done, close the repository.

git clone https://github.com/tommeagher/heroku_ebooks.git

This should download the repository and it’s files.  Next it’s time to set up the configuration files.

cd heroku_ebooks

cp local_settings_example.py local_settings.py

pico local_settings.py

This should open up an editor with the settings file open.  It’s pretty straight forwards, you’ll need to copy and paste the keys from Twitter into the file, there are 4 of them total, make sure you don’t leave any extra spaces inside the single quotes.  You’ll also need to add one or more accounts for the bot to model itself after.  You’ll also need to change DEBUG = TRUE to DEBUG = FALSE as well as adding your bot’s username to the TWEET_ACCOUNT=” entry at the bottom.

Once that is all done do a Control+O to write out the file and Control+X to exit.  Now it’s time to test out the bot with the following…

python ebooks.py

It may pause for a second while it does it’s magic.  If you get the message ” No, sorry, not this time.” it means the bot decided not to tweet, just run the command again until it tweets, since we’re testing it at the moment.  If it worked, it should print a tweet to the command line and the tweet should show up in the bot’s timeline.  If you get some errors, you may need to do some searching and troubleshooting, and double check the settings file.

Next we need to automate the Twitter Bot Tweets.  This is done using Linux’s built in cron.  But first we need to make our script executable.

 chmod 755 ebooks.py

Next, enter the following….

sudo crontab -e

Then select the default option, which should be nano.  This will open the cron scheduler file.  You’ll want to schedule the bot to run according to whatever schedule you want.  Follow the columns above as a guide.  For example:

# m h  dom mon dow   command

*/15 * * * * python /home/chip/heroku_ebooks/ebooks.py

m = minutes = */15 = every 15 minutes of an hour (0, 15, 30, 45)

h = hour = * (every hour)

dom = day of month = * = every day and so on.  The command to run, in this case, is “python /home/chip/heroku_ebooks/ebooks.py”.  If you’re running this on a Raspberry Pi, or your own server, you will need to change “chip” to be the username who’s directory has the files.  Or, if you want to put the files elsewhere, it just needs to b e the path to the files.  For example, on a Raspberry Pi, it would be “python /home/pi/heroku_ebooks/ebooks.py”.

If everything works out, the bot should tweet on schedule as long as the CHIP is powered on and connected.  Remember, by default the bot only tweets 1/8th of the time when the script is run (this can be adjusted in the settings file), so you may not see it tweet immediately.

This is also a pretty low overhead operation, you could conceivably run several Twitter Bots on one small IOT device, with a staggered schedule even.  Simply copy the heruko_ebooks directory to a new directory, change the keys and account names and set up a new cron job pointing to the new directory.

Cleaning up My Password Security

encryption-imageIt seems like there is an increasing amount of hacks and leaks lately.  These also seem to be larger and higher profile targets more and more.  Recently I’ve been seeing stories about Last.fm and Dropbox accounts apparently being compromised as well as a vulnerability in vBulleten, a popular Message Board hosting tool.  For the most part, a lot of these hacks are going to be harmless, for now.  Any website that actually matters is probably (they better be) using salted passwords, making a password dump mostly useless.  Though in Last.fm’s case, apparently 96% of the passwords were decrypted because their encryption algorithm was shoddy.  Still, it seemed like a good time to check over my Password Security.

Beware, those music scrobbles you see might actually be the music taste of some Russian or Chinese hacker!  Seriously though, I don’t really see the point with hacking Last.fm, I’m not entirely sure they even have any sort of financial data.  I imagine the email list is sort of useful for spam accounts.  I suppose there is also the issue of people using the same passwords everywhere.

The good side of these hacks, the lists get put on-line, on hacker sites or TOR sites, and there are several places that take these lists of leaked accounts, dump them in a database and allow you to search to see if your account shows up in a list and for which site, if available.  With all of these recent lists I went through and checked my primary email addresses and found about 20 entries between the two of them that had been compromised.  Most of those were vBulleten Boards that I had signed up for 10 years ago, never posted to, and had forgotten even existed.

I mentioned the problem of using the same password repeatedly.  I’ve got several “layers” I use for how much complexity I put into my passwords.  Financial sites, large buying sites (eBay, Amazon, etc), all get unique passwords.  I just remember those.  The next level, things like Facebook and Twitter, also get unique passwords, but I have some basic algorithms I use to generate them, mentally, so I can remember those as well while keeping them unique.  Sites like the ones that were compromised, tiny one off bulletin boards with little risk to me if they get hacked, I admit, I use the same few passwords on a lot of those.  Especially older ones from ten years ago, before I got serious about my online security.

Ironically, these sites are now possibly my most secure passwords.  Because I used Lastpass to generate the passwords.  Lastpass is a plug in for pretty much every browser.  It remembers your passwords, and syncs them across your Lastpass account.  I’ve used it for years to store and sync passwords, but I never really bothered with the generated passwords feature.  The best practice at the moment, for passwords, are long strings of random characters, lastpass can create these, and then remember them, so you don’t have to.  I don’t know what my new password is for the PPCGeeks message board, but I don’t need to, because when I visit, Lastpass will enter it and log me in.  It’s long and complex.  I mostly avoided this feature before because it pretty much meant I would never be able to log in via mobile since I would have to manually type the password in.  Lastpass now has a mobile solution, but I also just sort of accepted that, I’m never going to visit many of these sites on mobile anyway.

The even better solution, when available, is to use 2 Factor Authorization.  Something you know, a password, something you have, an Authenticator.  Every mobile platform has an authenticator App.  If you happen to be one of the 1% using Windows Phone like me, the Microsoft Authenticator works just like the Google Authenticator when setting it up.  When I want to log into say, Dropbox, I enter my username and password, like normal, and then I am prompted to enter the generated code from my Authenticator.  It doesn’t matter if someone else has my password, because they don’t have the Authenticator, which is randomly generated and can’t be duplicated.  I use this for any site that has it, which is almost all of the “big ones”, Microsoft, Google, Dropbox, etc.  I actually get frustrated when it’s not available, like when my Rockstar Games account got stolen 6 months ago or with Playstation Network, which has had like 3 or 4 hacks now.