Posted by
ryuzaki0
on from the do-it-yourself-toll-gate dept.
MC68040 writes "The guy at this site managed to build something together that's actually quite neat in the way he built it, all hand-crafted system that uses a linux box to unlock his door. Maybe not the coolest of solutions, but actually a pretty good idea as for security in my humble opinion."
23 years ago...
by
Pig+Hogger
·
· Score: 5, Interesting
23 years ago, I was involved in a project to make a portable computer for data-entry, to replace optically-read mark-sense sheets.
The final solution was to have no keyboard at all, but rather a computer whose motherboard was embedded in a 3-ring binder, with sheets.
On the sheets, were some barcodes, arranged in roughly the same layout the mark-sense cards were.
(For the geeks, the machine was MC6809-based, and had 56K CMOS RAM. The LCD display was always powered, but the computer shut down after it finished decoding a barcode and processing the "keystroke".)
Does he have to scan a can of Spam to check his e-mail?
Note: Don't blame me, only one post and it's already /.ed, how am I supposed to read it?
-- Comment forecast: Bits of genius surrounded by a sea of mediocrity.
your house as a semi-permeable membrane
by
timothy
·
· Score: 5, Insightful
What's cool about this idea (to me) is that it actually has the great thing about many modern hotel keys (the ones with little holes, or mag strips), which is reprogrammability, but without the major hassles (specialized equipment to punch holes or re-stripe a card).
With a system like this, you can provide time-bounded access -- the petsitter can come by while you're gone part of this week, but her code might not be on the approved list for, say, 1 a.m. next Saturday night. Not that it would stop a real burglar, but all security systems are a series of intentional nuisances to bad guys. This way, there's no "spare" key floating around to be lost and worried about.
Plus you can send someone who needs to come by when you're not there (that petsitter, or the neighbor you've asked to check up on things) to open the door a "key" as a JPG file; they print it out, and it's their open sesame, at least at the times you've set them as welcome.
Since I like to think of houses as cell walls (hey, metaphors are meant to be reversed and amplified!), this lock system really resonates with me.
Re:your house as a semi-permeable membrane
by
MORTAR_COMBAT!
·
· Score: 5, Interesting
Indeed a cool idea. I would add that the holder of a 'key' should definitely keep it in a sleeve, though, lest high-res photography would allow for a duplicate key to be easily created.
The 'sending a JPG' to the baby-sitter starts out as a very neat idea, but what happens when baby-sitter has a popular e-mail virus which sends her e-mail to 100 people in her address book? Instant house party? Naturally they would only have the same access time slice as the baby-sitter, but they could just wait until after he/she is alone in the house and walk on in.
but without the major hassles (specialized equipment to punch holes or re-stripe a card)
It also means any Joe with a printer can make themselves a valid access card. I thought for quite a while about putting a similar setup at my house, but I decided instead to go with an extremely similar method, except instead of bar-codes I use hand prints. A lot of the advantages (time slices for the maid and sitters) without being able to be so easily produced (until advanced cloning techniques allow people to commonly grow copies of my hand).
And w.r.t. the people who keep asking about 'power outages' for (1) ever heard of generators or batteries and (2) naturally a physical key still works in the lock, duh!
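The time-bounded access list described in the two comments above, as an added example (not code from the linked site or from either poster). The holder names, barcode payloads and dates are constructed, and the use counter is an assumption that goes beyond the comments: it limits how far a forwarded copy of a printed key gets.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Grant:
    """One printed barcode "key" and the times it is welcome."""
    holder: str
    code_sha256: str                 # digest of the barcode payload, not the payload
    not_before: datetime
    not_after: datetime
    hours: range                     # local hours of day when the door may open
    uses_left: Optional[int] = None  # None = unlimited (assumption, not on the page)


def digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def sample_grants():
    """Constructed sample data: an owner key and a one-week petsitter key."""
    return [
        Grant("owner", digest("OWNER-0001"),
              datetime(2024, 1, 1), datetime(2034, 1, 1), range(0, 24)),
        Grant("petsitter", digest("SITTER-4471"),
              datetime(2024, 6, 3), datetime(2024, 6, 7, 23, 59),
              range(9, 18), uses_left=2),
    ]


def check_scan(grants, scanned: str, now: datetime):
    """Return (allowed, reason) for a barcode scanned at local time `now`."""
    d = digest(scanned)
    for g in grants:
        if not hmac.compare_digest(g.code_sha256, d):
            continue
        if not (g.not_before <= now <= g.not_after):
            return False, f"{g.holder}: outside validity dates"
        if now.hour not in g.hours:
            return False, f"{g.holder}: outside allowed hours"
        if g.uses_left is not None:
            if g.uses_left <= 0:
                return False, f"{g.holder}: use count exhausted"
            g.uses_left -= 1         # a forwarded copy burns the same budget
        return True, f"{g.holder}: open"
    return False, "unknown code"


if __name__ == "__main__":
    grants = sample_grants()
    for when in (datetime(2024, 6, 5, 10, 0), datetime(2024, 6, 15, 1, 0)):
        print(when, check_scan(grants, "SITTER-4471", when))
```

A copy of the petsitter's printout opens the door only inside the same dates and hours, and only while uses remain; logging every denied scan with its reason shows the owner when a copy is being tried.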
Humble opinions aside, I can't see describing this as secure, at least compared to an "unpickable" modern lock (i.e., a lock that's tough enough to pick that you'll just go through a window instead).
To get into my house, you need to have my key, or a copy of my key. If I let you look at my key, you won't be able to copy it; you have to have my key in your possession to make a copy.
To get into this guy's house -- and please note that the pictures wouldn't load, so I'm going by the captions -- you need to have his barcode, or a copy of his barcode. If I look at his barcode, I can remember the information I need to copy it, even if I don't have his key when I make the copy!
It's a neat hack, and *maybe* it's more convenient than putting a key in a lock (but it's also more complex -- I picture him standing at the door in the rain during a power failure), but it's not secure. Even a PIN pad would be more secure, because you can memorize the PIN -- you *have* to write down the barcode.
Re:Slashdot record?
by
DarthWiggle
·
· Score: 5, Funny
Maybe /. could start offering a prepackaged "Port 80 Flood Kit - Get the pride of being slashdotted without having to work for it." Say $1000 a pop. It's better than spending the money on advertising.
Geek 1: Hey, guys, I got slashdotted!
Geek 2: Woah! No way!
Geek 1: Yep. *smug*
Chick: He's so dreamy...
Haven't you seen Star Wars? All you have to do to get past that is either shoot the keypad with a laser gun, or tear it off the wall and short out the wires in the back.
Re:Honestly, really
by
sbaker
·
· Score: 5, Interesting
I agree.
Slashdot really, truly, utterly needs to have a local cache of the pages it references. It's getting to where Slashdotting is as bad as a denial of service attack - and that's a terrible thing to inflict on *anyone*.
Probably 50% of web sites referenced from main news items are down within an hour of Slashdot mentioning them - and they stay down until a couple of days have passed. That sucks.
They could easily implement some kind of opt-in thing where you put a META tag in your web page telling Slashdot that you grant them explicit permission to mirror the site for (say) a week after mentioning it - so Slashdot would have no legal/copyright come-backs. At the end of the week the Slashdot mirror could revert to become a redirect to the real site so you don't have problems with people bookmarking the Slashdot cache instead of the real site.
The whole process could be automated.
People who do cool things like this door lock would surely be aware that they could get Slashdotted and prepare for the event in advance by inserting the tag - and private individuals are the people who are most likely to have their server die.
Companies that want to profit from their slashdotting by advertising from their page or taking orders off of it could just leave off the META tag and handle the traffic as now.
An opt-in cache mechanism is a win-win-win solution. Slashdot wins because more people will use the service if it doesn't continually refer to dead sites. Readers will win because less sites will be dead-on-arrival - and web site operators will win (if they want to) by not having their site die from Slashdotting.
-- www.sjbaker.org
Re:And to scan the barcodes
by
Frater+219
·
· Score: 5, Funny
Hmm, imagine using it for access entry. "Sorry, you have to carry a bottle of jolt to gain access here", or "what, a pepsi!? No access for you!"
] inventory
You are currently holding the following: a set of keys, a brass lantern, a case of Jolt Cola[tm], and no tea.
] look
You are in the Cubicle of the Mountain King, with passages in all directions.
A huge green fierce programmer bars your way!
] n
You can't get by the programmer!
You're in Cubicle of Mt. King.
A huge green fierce programmer bars your way!
] drop jolt
The programmer attacks the Jolt Cola[tm], and in an astounding fury rushes off to enter the International Obfuscated C Code Contest.
] n
You are in a low north/south hallway at a hole in the floor....
I don't buy it; use a caching proxy if nothing els
by
Fastolfe
·
· Score: 5, Insightful
I don't buy the FAQ's explanation. I think they're deliberately oversimplifying or just saying "it'll be too complicated and annoying for everyone" because they're lazy.
At a very minimum, use a caching HTTP proxy to feed a "mirrors.slashdot.org" site. Links would be set up under their own, unique path on this site (e.g. mirrors.slashdot.org/some.site/path/document or even mirrors.slashdot.org/50449) and this would funnel into a caching HTTP proxy. So long as the other site set up reasonable cache headers, there is no reason why the sites would object to their pages being cached in this fashion. This is built into HTTP, for fuck's sake. Wherever they have advertising being done, they're probably doing that in an iframe with its own caching policy. HTTP would handle all of this perfectly fine. Set an artificially low max-age value (overriding the site's) if you're really worried about things getting stale, but even this is unnecessary.
This is all fairly trivial to do. Slashdot authors/programmers have just gotten lazy in the last few years. They don't innovate or improve, they just watch over the slashcode "open source" project and occasionally toss out a few minor releases.
From your quote of the FAQ:
I could try asking permission, but do you want to wait 6 hours for a cool breaking story while we wait for permission to link someone?
Why don't you use some fucking common sense, ask yourself, "Do I think this site will survive linking?" And if the answer is "probably not," then e-mail them or call them, give them a heads-up, and only if you fail to get a response in a reasonable amount of time would I ever think it's OK to link to them anyway.
They do have the information posted online, so any link and any amount of traffic is fair, but at least have the goddamn courtesy to mitigate the amount of damage you're knowingly causing. That's all that's being asked for: courtesy. Slashdot authors are lazy, that's all there is to it.
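A sketch of the mirror behaviour proposed in the comment above, as an added example (not Slashdot's code and not the poster's). The 300-second cap, the list of linked hosts and the choice to store nothing when the origin sends no explicit lifetime are assumptions; header names are assumed to be normalised to the spelling shown.

```python
from urllib.parse import urlsplit

MIRROR_HOST = "mirrors.slashdot.org"   # host name taken from the comment
MAX_AGE_CAP = 300                      # seconds; assumed "artificially low" cap
LINKED_SITES = {"some.site"}           # hosts linked from a story (constructed)


def origin_url(mirror_url: str):
    """Map mirrors.slashdot.org/<host>/<path> to the origin URL, else None."""
    parts = urlsplit(mirror_url)
    if parts.hostname != MIRROR_HOST:
        return None
    host, _, path = parts.path.lstrip("/").partition("/")
    # Only fetch hosts a story actually links to, so the mirror cannot be
    # used as a general-purpose open proxy.
    if host not in LINKED_SITES:
        return None
    return f"http://{host}/{path}"


def cache_ttl(headers: dict) -> int:
    """Seconds the shared cache may reuse a response; 0 means do not reuse."""
    directives = {}
    for item in headers.get("Cache-Control", "").lower().split(","):
        name, _, value = item.strip().partition("=")
        if name:
            directives[name] = value.strip('"')
    # The origin's refusals always win over the mirror's wishes.
    if directives.keys() & {"no-store", "private", "no-cache"}:
        return 0
    # s-maxage is the shared-cache lifetime and takes precedence over max-age.
    age = directives.get("s-maxage") or directives.get("max-age")
    if age is None or not age.isdigit():
        return 0                       # no explicit lifetime: assumption, be strict
    return min(int(age), MAX_AGE_CAP)  # mirror-side cap overrides a longer max-age


if __name__ == "__main__":
    print(origin_url("http://mirrors.slashdot.org/some.site/path/document"))
    print(cache_ttl({"Cache-Control": "public, max-age=86400"}))
```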
Re:Let's be frickin' realistic...
by
Fastolfe
·
· Score: 5, Insightful
Your point of view here is totally absurd (which I guess is why you're posting as an AC).
I completely agree that people posting information to the web should not be surprised if that generates more activity than they would have wanted. In that respect, yes, it is "their own fault" and they "deserve" what they get.
But your comment suggesting that every web server and network be configured to survive a Slashdotting is idiotic. A "properly configured 333Mhz crap machine" most certainly will not survive any but the most mild Slashdotting, even assuming the network does. The fact that you make this statement shows me that you have no idea what you are talking about. Please post some numbers.
Your lack of sympathy for those people just trying to get something interesting/useful posted to the web astounds me. Someone that can afford to put information online for the benefit of all but cannot afford to do so using high-end hardware and high-capacity network links should not be punished for doing so. Not everyone is a professional web provider. Not everyone needs to be one. For most sites, with most content, Slashdot-levels of traffic will never happen. Why spend money building an environment that will handle it? In addition, some environments can handle it, so long as they have sufficient notice. What's wrong with a policy of giving people a few days notice before posting their link on Slashdot when it's clear their site probably won't survive it? Maybe the site owners can take some steps to ensure their site would stay up, or maybe temporarily mirror the content in question somewhere else? There's a lot that can be done here to prepare for a Slashdotting, but nobody has the decency to allow that to happen.
I agree that 'michael' can't be directly blamed for this, but Slashdot's policies on the matter most certainly can. It's just a matter of common sense and not being an ass. You're right: there's nothing requiring Slashdot to do this, and anything with a URL is fair game to be linked (with the traffic that that causes), but come on, there is a human factor here, and Slashdot could be a bit more courteous here.
I was just reading about barcodes the other day...
Check out This if you are interested.
The cache is useless because it's a page of images which are being loaded from the guys web server.
Prevent email address forgery. Publish SPF records for y