[Freedombox-discuss] [Freedom Box] Finding your FB box on the network

Bjarni Rúnar Einarsson bre at beanstalks-project.net
Thu Oct 14 16:02:45 UTC 2010


On Thu, Oct 14, 2010 at 3:43 PM, Jonas Smedegaard <dr at jones.dk> wrote:

> On Thu, Oct 14, 2010 at 02:47:13PM +0000, Bjarni Rúnar Einarsson wrote:
>
>> On Thu, Oct 14, 2010 at 1:39 PM, Jonas Smedegaard <dr at jones.dk> wrote:
>>
>>> I briefly proposed in an earlier post to implement a special "handshake"
>>> in the FreedomBox boot process.  Such a routine could be added to the
>>> installer too - which means that handshake could be made to not require
>>> internet access, and thus be possible with a cross-over ethernet cable
>>> directly between the box and its user.
>>>
>>
>> How about something a bit more low-tech?  Plugs should ship with passwords
>> printed on stickers on the bottom, just like wifi routers do.
>>
>
> Why "should" they?
>

Mostly because it's dead-simple and people understand it. The physical
security matches perfectly, as people have to protect the secret exactly as
well as they have to protect the device itself from theft. :-)  So ultimate
usable simplicity, along with zero extra security failure modes. Assuming
the password is generated properly, of course, and your concerns about that
are valid.

Another alternate method for delivering the password would be to read it
off a USB stick or memory card on first boot. This could either be a manual
process (user creates the file, ISO is fixed) or a factory process (all
plugs are the same, but each ships with a different memory card).

> I fail to understand why it is so much more "easy" to autogenerate a unique
> key at ISO build time compared to doing it at install time.
>

I'm thinking of the headless install scenario.

Your suggestion was that people plug a cable in to the box and some sort of
network magic took place - which initially sounded really complicated to me.
But if you strip out all the fancy authentication protocols, and implement a
"just trust the LAN on first boot" policy, then a physical cable can be the
recommended way to make that secure on first boot.

And that's simple enough for everyone, too, as long as there is a networking
cable in the box with the plug. :-)

-- 
Bjarni R. Einarsson
Founder, CEO and janitor of the Beanstalks Project.

http://beanstalks-project.net/  ~  http://bre.klaki.net/
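
Added example, not part of the original message: one way to generate the per-device sticker password "properly", as the message puts it, and to check what a user types against the printed value. The alphabet, group size and function names are assumptions made for illustration.

```python
import hmac
import math
import secrets

# Assumption: the label is read by eye and typed by hand, so the alphabet
# leaves out I, L, O and U (Crockford-style base32) to avoid 1/0 confusion.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"  # 32 symbols = 5 bits each
GROUP = 4  # characters per printed group


def generate_sticker_password(groups=4):
    """Return a per-device password drawn from the OS CSPRNG."""
    chars = [secrets.choice(ALPHABET) for _ in range(groups * GROUP)]
    return "-".join("".join(chars[i:i + GROUP])
                    for i in range(0, len(chars), GROUP))


def normalize(typed):
    """Undo common transcription slips: case, separators, I/L/O look-alikes."""
    s = typed.upper().replace("-", "").replace(" ", "")
    return s.translate(str.maketrans("ILO", "110"))


def entropy_bits(password):
    """Entropy of a uniformly generated password of this length."""
    return len(normalize(password)) * math.log2(len(ALPHABET))


def matches(typed, printed):
    """Constant-time comparison of the typed value against the label."""
    return hmac.compare_digest(normalize(typed).encode(),
                               normalize(printed).encode())


if __name__ == "__main__":
    pw = generate_sticker_password()
    print(pw, f"({entropy_bits(pw):.0f} bits)")
```
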