To call Joe Barnard an “amateur” rocketeer is something of a misnomer.
As the founder of Barnard Propulsion Systems (BPS), a small business making flight hardware for other amateur rocketeers, the 25-year-old Nashville resident is working on cracking propulsive landings for model rockets. This is the same principle that allows SpaceX to land the first stage of its Falcon 9 rockets after boosting a payload to orbit, but it has never been demonstrated in hobby rocketry before.
The key to propulsive landings is thrust vectoring, which enables control over the direction of a rocket’s engines during flight to change its trajectory and stabilize the vehicle. Barnard is a pioneer in DIY thrust vectoring, and in the last few months he’s harnessed the technique to test self-landing model-scale rockets. As some of the most recent videos on his YouTube channel demonstrate, there are still a few kinks left to work out, but it’s pretty impressive what he’s managed to accomplish so far.
Although thrust vectoring has been used in the aerospace industry for nearly a century, it was a technology generally considered to be too complex and expensive for amateur use. Barnard wants to change that.
“There have been maybe five independent projects in the last ten years trying to incorporate thrust vectoring in their rockets,” Barnard told me on the phone. “Generally speaking it doesn’t go so well or it never gets to the point of flying. No one else has carried it through to the point where I’m at right now.”
Over the last three years, Barnard has managed to turn his rocketry hobby into a full-time gig. Watching videos of his rockets, which include scale replicas of SpaceX’s Falcon 9 and Rocket Lab’s Electron, it’s hard to believe he doesn’t come from a technical background.
A test flight of Barnard's SpaceX Falcon Heavy Replica. Image: Joe Barnard/BPS Space
Although Barnard’s father worked on rocket propulsion back in the 90s, Barnard attended Berklee College of Music and worked as a videographer after graduating. He said he became interested in the aerospace industry after watching videos of early SpaceX flights. His initial goal with starting BPS was to attract the attention of aerospace companies and eventually transition into the industry.
“Aerospace is a really exciting industry and I decided that’s where I wanted to work, but I didn’t feel like I could afford to go back to school,” Barnard said. “I also learn better through teaching myself things so I bought a bunch of textbooks and got to work.”
When he first started out, Barnard was truly working from scratch. He had to teach himself not only the basics of rocketry, a complex mix of physics and chemistry, but also how to assemble hardware and write the software programs to control it. Barnard said the most difficult part was learning how to write the flight control software, which required him to learn programming languages like C++ and Swift.
Barnard working on a rocket. Image: Joe Barnard/BPS Space
“The hardest part is getting a flight computer to understand how to point itself in the right direction without wobbling around a bunch,” Barnard said. “This is a control problem that usually only super advanced aerospace engineers are doing to fly things to space. They have tons of computing power and resources, whereas I’m trying to make this happen basically using a glorified Arduino.”
Barnard’s early flight computers were prototyped using off-the-shelf components and Arduino microcontrollers, but these days his flight computers consist of customized printed circuit boards with parts that are optimized for their task. Earlier this year, he launched his second iteration of the BPS avionics system, Signal, which he sells in thrust vectoring kits for $350 each. The combined income from selling these hardware kits and the BPS Patreon allowed Barnard to quit doing videography work and begin working on BPS full-time last spring.
Perusing Barnard’s YouTube channel speaks volumes about how fast his homebrew thrust vectoring technology has progressed. Videos of his first rockets from 2015 are a compendium of failure, featuring more rockets sliding along the ground than flying through the air. Still, these early failures were invaluable learning experiences for Barnard and speak to the difficulty of the problem he is trying to solve.
Testing roll control for a Falcon Heavy replica. Image: Joe Barnard/BPS Space
“We didn’t have a single flight you could classify as successful for the first year and a few months,” Barnard told me. “I was dumping thousands of dollars into this and nothing was working, but I really wanted to work in aerospace and I had to demonstrate I knew what I was doing. It didn’t bother me that a lot of the early things failed pretty badly because it shows the progression.”
The thrust vectoring system now sold as a kit through BPS is limited to low and medium-powered amateur rockets. Most of Barnard’s test flights only fly a few hundred feet vertically because the thrust vectoring system can only handle about 40 Newtons of thrust. (For the sake of comparison, the latest version of the SpaceX Falcon 9 rocket produces about 7.6 million Newtons of thrust at liftoff.) Still, it lays the foundations for using rockets with more powerful motors in the future.
“BPS stands for ‘Barnard Propulsion Systems’ but the funny part is I build every part of the rocket except for the propulsion system,” Barnard told me. For his test rockets, Barnard currently uses readymade solid fuel rocket propellant, but hopes to transition to something with more power in the future. “I’m a horrible chemist, but if we could get enough funding I’d like to start working on rockets using liquid or hybrid engines at a sounding rocket scale. That requires a lot more capital though, so for now it’s just hobby motors.”
A propulsive landing test of the Echo rocket. Image: Joe Barnard/BPS Space
As for whether Barnard’s model-scale rocketry efforts have attracted the attention from the aerospace industry that he desires, he told me that several companies have reached out to him, but said he wasn’t able to disclose their names or the content of their conversations.
Now that he’s started building a model rocket company of his own, Barnard says he wants to see it through to the finish.
“If I just can’t get this stuff to work in a few years, then I’d be totally happy calling it quits and going to work in the aerospace industry,” Barnard told me. “But for now I really like having this entrepreneurial endeavor and everything is trending toward it working out.”
Mysterious hooded computer guys doing mysterious hooded computer guy... things! Who knows what kind of naughty digital mischief they might be up to?
Unfortunately, we now live in a world where this kind of digital mischief is literally rewriting the world's history. For proof of that, you need look no further than this single email that was sent March 19th, 2016.
An attacker slurped up lists of any public emails of 2008 political campaign staffers.
One 2008 staffer was also hired for the 2016 political campaign.
That particular staffer had non-public campaign emails in their address book, and one of them was a powerful key campaign member with an extensive email history.
One successful phish leads to an even wider address book attack net down the line. Once they gain access to a person's inbox, they use it to prepare their next attack. They'll harvest existing email addresses, subject lines, content, and attachments to construct plausible looking boobytrapped emails and mail them to all of their contacts. How sophisticated and targeted to a particular person this effort is determines whether it's so-called "spear" phishing or not.
In this case it was not at all targeted. This is a remarkably unsophisticated, absolutely generic routine phishing attack. There is zero focused attack effort on display here. But note the target did not immediately click the link in the email!
Instead, he did exactly what you'd want a person to do in this scenario: he emailed IT support and asked if this email was valid. But IT made a fatal mistake in their response.
Do you see it? Here's the kicker:
Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.
One word. He got one word wrong. But what a word to get wrong, and in the first sentence! The email did provide the proper Google address to reset your password. But the lede was already buried since the first sentence said "legitimate"; the phishing link in that email was then clicked. And the rest is literally history.
What's even funnier (well, in the way of gallows humor, I guess) is that public stats were left enabled for that bit.ly tracking link, so you can see exactly what crazy domain that "Google login page" resolved to, and that it was clicked exactly twice, on the same day it was mailed.
As I said, these were not exactly sophisticated attackers. So yeah, in theory an attentive user could pay attention to the browser's address bar and notice that after clicking the link, they arrived at
Note that the phishing URL is carefully constructed so the most "correct" part is at the front, and weirdness is sandwiched in the middle. Unless you're paying very close attention and your address bar is long enough to expose the full URL, it's … tricky. See this 10 second video for a dramatic example.
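The check that a glance at the address bar stands in for, written out as an added example (not code from the original post): compare the host the browser will really connect to against an exact allowlist, and model how a narrow address bar can hide the end of that host. The trusted-host list, the function names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts where this user should ever enter the password.
TRUSTED_HOSTS = ("accounts.google.com", "myaccount.google.com")

def real_host(url):
    """The host the browser will actually connect to, normalised."""
    return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")

def verdict(url):
    """'trusted', 'suspect' (a trusted name used as decoration) or 'unrelated'."""
    if urlsplit(url.strip()).scheme == "https" and real_host(url) in TRUSTED_HOSTS:
        return "trusted"  # exact host match over HTTPS, nothing looser
    # A trusted name anywhere else in the link (front of a longer host, path,
    # query, or a plain-http copy) is not a place to type the password.
    if any(name in url.lower() for name in TRUSTED_HOSTS):
        return "suspect"
    return "unrelated"

def host_hidden(url, bar_width):
    """Simple model of a narrow address bar showing only the first bar_width
    characters: True if the end of the real host is cut off."""
    url = url.strip().lower()
    host = real_host(url)
    return url.find(host) + len(host) > bar_width

# Constructed sample links (.example is a reserved TLD, not a real site).
SAMPLES = [
    "https://accounts.google.com/signin",
    "https://accounts.google.com-securitycheck.example/signin?continue=mail",
    "https://news.example/story",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{verdict(link):10} host={real_host(link)} "
              f"hidden_at_30={host_hidden(link, 30)}")
```

The second sample is the pattern described above: at 30 visible characters the bar shows only the familiar-looking front of the host, while the part that decides where the password goes sits past the cut.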
Of those five examples from 6 months ago, one is completely gone, one loads just fine, and three present an appropriately scary red interstitial warning page that strongly advises you not to visit the page you're trying to visit, courtesy of Google's safe browsing API. But of course this kind of shared blacklist domain name protection will be completely useless on any fresh phishing site. (Don't even get me started on how blacklists have never really worked anyway.)
It doesn't exactly require a PhD degree in computer science to phish someone:
Build a realistic copy of a login page that silently transmits everything you type in those login fields to you – perhaps even in real time, as the target types.
Harvest email addresses and mass mail a plausible looking phishing email with your URL.
I want to emphasize that although clearly mistakes were made in this specific situation, none of the people involved here were amateurs. They had training and experience. They were working with IT and security professionals. Furthermore, they knew digital attacks were incoming.
The … campaign was no easy target; several former employees said the organization put particular stress on digital safety.
Work emails were protected by two-factor authentication, a technique that uses a second passcode to keep accounts secure. Most messages were deleted after 30 days and staff went through phishing drills. Security awareness even followed the campaigners into the bathroom, where someone put a picture of a toothbrush under the words: “You shouldn’t share your passwords either.”
The campaign itself used two factor auth extensively, which is why personal gmail accounts were targeted, because they were less protected.
The key takeaway here is that it's basically impossible, statistically speaking, to prevent your organization from being phished.
Or is it?
Nobody is doing better work in this space right now than Maciej Ceglowski and Tech Solidarity. Their list of basic security precautions for non-profits and journalists is pure gold and has been vetted by many industry professionals with security credentials that are actually impressive, unlike mine. Everyone should read this list very closely, point by point.
Computers, courtesy of smartphones, are now such a pervasive part of average life for average people that there is no longer any such thing as "computer security". There is only security. In other words, these are normal security practices everyone should be familiar with. Not just computer geeks. Not just political activists and politicians. Not just journalists and nonprofits.
It is a fair bit of reading, so because I know you are just as lazy as I am, and I am epically lazy, let me summarize what I view as the three important takeaways from the hard work Tech Solidarity put into these resources. These three short sentences are the 60 second summary of what you want to do, and what you want to share with others so they do, too.
1) Enable Two Factor authentication through an app, and not SMS, everywhere you can.
Logging in with only a password, no matter how long and unique you attempt to make that password, will never be enough. A password is what you know; you need to add the second factor of something you have (or something you are) to achieve significant additional security. SMS can famously be intercepted, social engineered, or sim-jacked all too easily. If it's SMS, it's not secure, period. So install an authenticator app, and use it, at least for your most important credentials such as your email account and your bank.
Have I mentioned that Discourse added two factor authentication support in version 2.0, and our just released 2.1 adds printed backup codes, too? There are two paths forward: you can talk about the solution, or you can build the solution. I'm trying to do both to the best of my ability. Look for the 2FA auth option in your user preferences on your favorite Discourse instance. It's there for you.
(This is also a company policy at Discourse; if you work here, you 2FA everything all the time. No other login option exists.)
If you use a password manager, you can simultaneously avoid the pernicious danger of password re-use and the difficulty of coming up with unique and random passwords all the time. It is my hope in the long run that cloud based password management gets deeply built into Android, iOS, OSX, and Windows so that people don't need to run a weird melange of third party apps to achieve this essential task. Password management is foundational and should not be the province of third parties on principle, because you never outsource a core competency.
Bonus rule! For the particularly at-risk, get and use a U2F key.
In the long term, two factor through an app isn't quite secure enough due to the very real (and growing) spectre of real-time phishing. Authentication apps offer timed keys that expire after a minute or two, but if the attacker can get you to type an authentication key and relay it to the target site fast enough, they can still log in as you. If you need ultimate protection, look into U2F keys.
I believe U2F support is still too immature at the moment, particularly on mobile, for this to be practical for the average person right now. But if you do happen to fall into those groups that will be under attack, you absolutely want to set up U2F keys where you can today. They're cheap, and the good news is that they literally make phishing impossible at last. Given that Google had 100% company wide success against phishing with U2F, we know this works.
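Why an app code can still be phished in real time while a U2F key cannot, as an added example that is not from the original post: the TOTP function follows RFC 6238, and the security-key part is a simplified model in which HMAC stands in for the per-site signature a real U2F device produces. The secrets, origins and function names are constructed assumptions.

```python
import hashlib
import hmac
import struct

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app displays."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret, code, now):
    """Typical check: current or previous 30-second step. Nothing in the code
    says which page the user typed it into."""
    return any(hmac.compare_digest(totp(secret, now - back), code)
               for back in (0, 30))

def key_sign(device_key, challenge, origin):
    """Simplified security-key response. The browser supplies `origin` from the
    page actually loaded; the user never sees or types this value.
    HMAC is a stand-in here for the per-site ECDSA signature real U2F uses."""
    message = challenge + b"|" + origin.encode()
    return hmac.new(device_key, message, hashlib.sha256).digest()

def server_accepts_key(device_key, challenge, response, own_origin):
    """The server recomputes the response for its own origin only."""
    expected = key_sign(device_key, challenge, own_origin)
    return hmac.compare_digest(expected, response)

# Constructed values; .example and .test are reserved names.
REAL = "https://login.example"
LOOKALIKE = "https://login.example-verify.test"

def outcomes(now=1_700_000_000):
    secret, device_key = b"constructed-totp-secret", b"constructed-device-key"
    challenge = b"server-nonce-01"
    code = totp(secret, now)  # same digits whichever page is on screen
    return {
        "totp_code_10s_later": server_accepts_totp(secret, code, now + 10),
        "key_on_real_site": server_accepts_key(
            device_key, challenge, key_sign(device_key, challenge, REAL), REAL),
        "key_on_lookalike": server_accepts_key(
            device_key, challenge, key_sign(device_key, challenge, LOOKALIKE), REAL),
    }

if __name__ == "__main__":
    print(outcomes())
```

The six digits are valid wherever they end up being submitted within the time window, whereas the key's response is bound to the origin the browser reports, so a response produced on a look-alike page fails the real site's check.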
In today's world, computers are now so omnipresent that there is no longer any such thing as cybersecurity, online security, or computer security – there's only security. You either have it, or you don't. If you follow and share these three rules, hopefully you too can have a modicum of security today.