Post #29 by Benson
Originally Posted by kernelpanic
2 reasons:
1. Web of trust: the user public keys can be signed by the server, adding another barrier to unauthorized remote code execution.
2. Encryption: data sent to the server can be encrypted (in case one wanted to retrieve important documents prior to wiping them remotely).
Sounds good, although I had been assuming the owner's public key would be transferred to the tablet directly by the owner. (#1 seems to run on the assumption that key distribution is through the server, which is also fine.)
Originally Posted by kernelpanic
Some kind of port-knocking handshake to set up ssh into the stolen tablet would be great. I really like the feature ideas everyone is coming up with. Most of them would be trivial to add to a working app. I've actually started coding the daemon. But first I'm trying to ensure that any implementation I come up with is secure. (There are too many insecure implementations of secure algorithms out there already, especially on Debian.)
The one problem with ssh is the synchronousness. For wiping files, for example, asynchronous actions are nice; if the owner can drop a signed script on the server, and the next time the tablet is online, it connects, checks the signature, and executes the script, it saves you from sitting up waiting till it's on to start an ssh session.

The ability to function asynchronously also permits drive-by operations; I drive past a couple of APs strong enough that I can connect and load a single web page before I lose them; those connections would be worthless for ssh, but excellent for the tablet to receive instructions. (And that could be instrumental, in the case where the thief has an encrypted AP, or perhaps no AP at all, in the locations the tablet usually holds still.)

Still, your approach is certainly the correct one; security, then functionality, then features. There's a lot that could go wrong if this were approached out-of-order.
Originally Posted by kernelpanic
I think I can actually. Is this any different than the 'Automatically Connect to non-preferred Networks' setting in Windows XP? That setting causes XP to automatically connect to any unencrypted WLAN it finds. The sauce that suits the goose...

The Computer Fraud and Abuse Act states that it's illegal to access protected (i.e. encrypted) networks/systems. There ARE states with more restrictive laws, including (but certainly not limited to) Texas, Michigan, Florida, Illinois, Washington, and Alaska.

For example in Texas it's illegal to access ANY network without permission.
Well, what I meant you couldn't put in was aircrack to break WEP. Naturally, putting in the baseline "connect to everything open" mode is fair; it's legal or only questionable in enough places that you're not going to be in trouble for including it, with a big fat warning in the config to make sure it's legal in your jurisdiction before turning it on.

Originally Posted by kernelpanic
I'll likely do exactly as Bill Gates and put the option in but leave it 'off' by default. I'll also add a popup that warns the user to check the applicable laws in their Country/State/Whatever... (Note: Windows doesn't do that even though one could get into lots of hot water unintentionally in the states listed above. And Microsoft is based in one of those states!!?)

Putting SSH access in seems like enough to me. Then the owner can do whatever they want. But THEY have to do it. Having the app automatically do questionable or illegal things is not my goal.
Excellent!

Originally Posted by kernelpanic
Also, open-sourcing is to allow scrutiny of the security model to prevent abuse. I'll likely also have some kind of signature on the binary that users actually install on-tablet. That way, at least if someone subverts the daemon, they can't then use the main server for their nastiness... (In fact, make that reason #3 for the server to have a key also.)
I'm not quite sure what is meant here about the signature on the binary... are you saying that the daemon would have to be signed by the owner, by the master server, or what? I can't really see how the daemon could be subverted to do anything that couldn't be accomplished anyway, if you have access to the daemon. As it only has the public keys (for both the server and the owner), it seems as though the most you could do is modify it to send phony pictures, GPS, etc., back, or disable it entirely, and either of those, in a sane installation, requires root privileges on the tablet.

That description could mean that the client would be open-source for verification, but the server would refuse to communicate with any but official binaries -- I doubt that this was your intent, but if so, I'll be happy to write a full-page rant explaining why this is bad, without resorting to RMS-style moral arguments. (Starring Ken's back-door, of course.)
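As an added illustration of the asynchronous signed-script idea discussed above (this is example code, not code from the thread or from kernelpanic's daemon): the owner signs a script together with a sequence number, and the tablet accepts the script only if the signature verifies under the pinned owner public key and the sequence number is newer than the last one it acted on. The sequence number and the Command struct are assumptions of this example (the thread does not mention replay protection); Go's standard ed25519 stands in for whatever signature scheme the daemon would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is one owner instruction as fetched from the drop server (constructed format).
type Command struct {
	Seq    uint64 // strictly increasing; lets the tablet refuse a replayed old script
	Script []byte
	Sig    []byte // ed25519 signature over Seq || Script
}

// signedBytes binds the sequence number to the script so neither can be swapped alone.
func signedBytes(seq uint64, script []byte) []byte {
	buf := make([]byte, 8, 8+len(script))
	binary.BigEndian.PutUint64(buf, seq)
	return append(buf, script...)
}

// SignCommand runs on the owner's machine, where the private key lives.
func SignCommand(priv ed25519.PrivateKey, seq uint64, script []byte) Command {
	return Command{Seq: seq, Script: script, Sig: ed25519.Sign(priv, signedBytes(seq, script))}
}

// Verifier is the tablet side: only the owner's public key and the last accepted Seq.
type Verifier struct {
	Owner   ed25519.PublicKey
	LastSeq uint64
}

// Accept returns the script for execution only if it is authentic and fresh.
// The daemon would hand the returned bytes to the shell; this example stops short of that.
func (v *Verifier) Accept(c Command) ([]byte, error) {
	if !ed25519.Verify(v.Owner, signedBytes(c.Seq, c.Script), c.Sig) {
		return nil, errors.New("bad signature: script was not signed by the owner")
	}
	if c.Seq <= v.LastSeq {
		return nil, errors.New("stale sequence number: replayed or out-of-order command")
	}
	v.LastSeq = c.Seq
	return c.Script, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // owner key pair; only pub goes on the tablet
	tablet := &Verifier{Owner: pub}
	cmd := SignCommand(priv, 1, []byte("#!/bin/sh\necho would wipe here"))
	script, err := tablet.Accept(cmd)
	fmt.Printf("first delivery: %q err=%v\n", script, err)
	_, err = tablet.Accept(cmd) // same signed command served again
	fmt.Println("replayed delivery:", err)
}
```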