[Freedombox-discuss] [Freedom Box] Finding your FB box on the network

Jonas Smedegaard dr at jones.dk
Thu Oct 14 18:40:08 UTC 2010


On Thu, Oct 14, 2010 at 06:41:02PM +0200, Christian Brædstrup wrote:
>2010/10/14 Bjarni Rúnar Einarsson <bre at beanstalks-project.net>
>
>> Your suggestion was that people plug a cable in to the box and some 
>> sort of network magic took place - which initially sounded really 
>> complicated to me. But if you strip out all the fancy authentication 
>> protocols, and implement a "just trust the LAN on first boot" policy, 
>> then a physical cable can be the recommended way to make that secure 
>> on first boot.
>>
>
>How about if the web server only accepts local IPs during the install 
>process? That should provide some security. Then you need to be on the 
>LAN to access the install process or have hacked into a box that is on 
>the network.

I already imagined our enemy sitting on the same wire as ourselves. 
Maybe proxied through some virus infection on a Windoze box or a hacked 
router.


>Then we can advise the user to unplug the Internet during the first 
>stages of the install process (but not have him only connect the two 
>computers directly) and only allow one user to access the web install 
>interface at a time.

Unplugging *other* cables than the one connected directly to your own 
computer is not simple.

I recently asked my mother to do exactly this when helping her out over 
the phone, and she (a teacher using both Mac and Windows) was confused 
about which network cables goes where in her own house (and no, I did 
not set it up, and really it is only 4-5 cables total!), and she was 
uncertain if she would manage to properly plug the network back together 
again.


>If more than one user tries to access the install interface it will just 
>display:
>
>One user is already connected to the device. If that is not you then 
>you may have an intruder on the network. Please unplug your device, 
>disconnect your Internet connection and try the installation again. If 
>you still get this error go ask your son to stop it ;)
>If that is you then enter the security code you received during the
>installation.
>
>The installation could generate a security code at install time that is 
>only known to the first user on the system.

With security code you mean a PIN?

I find it silly to not use strong encryption from the beginning.

If you do mean encryption key above, then that is what I (tried to) 
propose: When clicking on the big red button, the FreedomBox switches from 
about-to-enter-erase-myself state to erase-myself state. And thus cannot 
be controlled by more than one user - i.e. cannot both be in control of 
our user and hijacked at the same time.

We need to support "hijacking" as our user may have lost their 
encryption key so need a way to reset without being able to authenticate 
themselves.

My proposal was to prove ownership by needing to do something special 
physically to the box for it to enter about-to-enter-erase-myself state.

In about-to-enter-erase-myself state...
   * anyone can reach the FreedomBox
   * no one can reach data on the FreedomBox
   * if FreedomBox already contains key, only key holder can reset
   * if FreedomBox contains no key, anyone can reset

If our user hits the button first, then she is given a key and is then 
the only one who can access the installed system.

If our user is too slow and an evil person hits the button first, then 
our user cannot hit the button, and (if not noticing that) cannot access 
the installed system - and will then simply try again.


>That is so low tech that even my mother should be able to figure it 
>out.

Your mother can figure out to juggle with a PIN at install time and a 
proper security key at the end of the install routines, but cannot 
handle skipping that temporary PIN?!?


>The installation could have a 30 sec delay time from when the user logs in 
>and until the installation starts so that if an intruder should have 
>taken over the box at boot he can't begin the installer for the first 
>30 sec and the "real" user can discover the intruder and disconnect the 
>box without harming the system.

...and your mother is fine with above delays - which I believe is 
completely needless with my proposal?


>This should work on both a headless and non-headless install and then 
>all the WebID could be setup later (if the user wants to use it).

Oh, you mean if the user wants an insecure box?  Or which alternative 
security mechanism do you have in mind for your mother other than an SSL 
certificate installed in her web browser?


>About the Zeroconf. Both the user and server need the software right?

Yes, both parties need the TCP/IP stack and a bit on top of that.

MacOS X supports Zeroconf out-of-the-box (they call it "Bonjour").

I believe Windows supports UPnP out-of-the-box.

Linux systems quite commonly support Zeroconf, I believe.

-- 
  * Jonas Smedegaard - idealist & Internet-arkitekt
  * Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
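The four-rule state machine Jonas sketches above (anyone can reach the box, no one can reach its data, a held key restricts who may reset, no key means anyone may reset, and the first button press hands out the key) is compact enough to model. The following toy model is an added illustration written for this page; it is not FreedomBox code and not from the thread. The state names, the hashed storage of the owner's key, the `PermissionError` signalling and the `finish_install` step that returns the box to normal operation are all assumptions made to get something runnable; the page only describes the rules themselves.

```python
"""Toy model of the 'about-to-enter-erase-myself' first-boot claim.

Illustration of the rules stated in the thread, not FreedomBox code.
State names, hashed key storage and the exception type are assumptions.
"""
import hashlib
import hmac
import secrets
from enum import Enum, auto


class State(Enum):
    ABOUT_TO_ERASE = auto()  # physical action done: box reachable by anyone, data by no one
    ERASING = auto()         # somebody hit the button: the box is claimed and wiping
    INSTALLED = auto()       # normal operation: data reachable by the key holder only


class FreedomBoxModel:
    def __init__(self):
        # A factory-fresh box holds no key and waits to be claimed.
        self.state = State.ABOUT_TO_ERASE
        self._key_hash = None          # None means "contains no key"
        self.data = None

    def _holder(self, key):
        """True when `key` is the key this box was installed with."""
        if key is None or self._key_hash is None:
            return False
        digest = hashlib.sha256(key.encode()).digest()
        return hmac.compare_digest(digest, self._key_hash)

    def physical_action(self):
        """Whatever must be done to the box itself; needs physical access."""
        self.state = State.ABOUT_TO_ERASE

    def hit_big_red_button(self, key=None):
        """Claim the box. Returns the freshly issued key, or raises."""
        if self.state is not State.ABOUT_TO_ERASE:
            raise PermissionError("box is not waiting to be claimed")
        if self._key_hash is not None and not self._holder(key):
            raise PermissionError("box already holds a key; only its holder can reset")
        new_key = secrets.token_hex(32)
        self._key_hash = hashlib.sha256(new_key.encode()).digest()
        self.data = None                # erase-myself
        self.state = State.ERASING
        return new_key

    def finish_install(self):
        """Assumed step: the wipe/install completes and normal operation begins."""
        if self.state is not State.ERASING:
            raise PermissionError("nothing is being installed")
        self.data = "owner's files"
        self.state = State.INSTALLED

    def read_data(self, key=None):
        if self.state is not State.INSTALLED:
            raise PermissionError("no one can reach data outside the installed state")
        if not self._holder(key):
            raise PermissionError("only the key holder can read data")
        return self.data


def claim_race(order):
    """Fresh box; the parties in `order` hit the button one after another.
    Returns {party: key or None}; only the first press is honoured."""
    box = FreedomBoxModel()
    outcome = {}
    for who in order:
        try:
            outcome[who] = box.hit_big_red_button()
        except PermissionError:
            outcome[who] = None
    return outcome


def reset_installed_box(present_owner_key):
    """Installed box re-entering about-to-erase: does the button work?"""
    box = FreedomBoxModel()
    owner_key = box.hit_big_red_button()
    box.finish_install()
    box.physical_action()
    try:
        box.hit_big_red_button(owner_key if present_owner_key else "not-the-key")
        return True
    except PermissionError:
        return False


def data_reachable_while_resetting():
    """Even the owner cannot read data once the box is about to erase."""
    box = FreedomBoxModel()
    owner_key = box.hit_big_red_button()
    box.finish_install()
    box.physical_action()
    try:
        box.read_data(owner_key)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(claim_race(["user", "attacker"]))      # user gets a key, attacker None
    print(claim_race(["attacker", "user"]))      # attacker wins, user is refused and notices
    print(reset_installed_box(True), reset_installed_box(False))   # True False
    print(data_reachable_while_resetting())      # False
```

The second race shows the failure mode Jonas describes: when the attacker presses first, the user's own press is refused, which is exactly the signal that tells her to start over. The model stores only a hash of the issued key and compares with `hmac.compare_digest`, so an attacker who reads the box's state does not learn the key and cannot time the comparison; both are standard practice rather than anything the thread specifies.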