On Thu, Oct 14, 2010 at 3:43 PM, Jonas Smedegaard <span dir="ltr"><<a href="mailto:dr@jones.dk">dr@jones.dk</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Thu, Oct 14, 2010 at 02:47:13PM +0000, Bjarni Rúnar Einarsson wrote:<br>
</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im">
On Thu, Oct 14, 2010 at 1:39 PM, Jonas Smedegaard <<a href="mailto:dr@jones.dk" target="_blank">dr@jones.dk</a>> wrote:<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I briefly proposed in an earlier post to implement a special "handshake" in the FreedomBox boot process. Such routine could be added to the installer too - which means that handshake could be made to not require internet access, and thus be possible with a cross-over ethernet cable directly between the box and its user.<br>
</blockquote>
<br>
How about something a bit more low-tech? Plugs should ship with passwords printed on stickers on the bottom, just like wifi routers do.<br>
</div></blockquote>
<br>
Why "should" they?<br></blockquote><div><br>Mostly because it's dead-simple and people understand it. The physical security matches perfectly, as people have to protect the secret exactly as well as they have to protect the device itself from theft. :-) So ultimate usable simplicity, along with zero extra security failure modes. Assuming the password is generated properly, of course, and your concerns about that are valid.<br>
<br>Another alternate method for delivering the password, would be to read it off a USB stick or memory card on first boot. This could either be a manual process (user creates the file, ISO is fixed) or a factory process (all plugs are the same, but each ships with a different memory card).<br>
<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im">I fail to understand why it is so much more "easy" to autogenerate a unique key at ISO build time compared to doing it at install time.</div>
</blockquote><div><br>I'm thinking of the headless install scenario. <br><br>Your suggestion was that people plug a cable in to the box and some sort
of network magic took place - which initially sounded really complicated to me. But if you strip out all the fancy authentication protocols, and implement a "just trust the LAN on first boot" policy, then a physical cable can be the recommended way to make that secure on first boot.<br>
<br>And that's simple enough for everyone, too, as long as there is a networking cable in the box with the plug. :-)<br></div></div><br>-- <br>Bjarni R. Einarsson<br>Founder, CEO and janitor of the Beanstalks Project.<br>
<br><a href="http://beanstalks-project.net/" target="_blank">http://beanstalks-project.net/</a> ~ <a href="http://bre.klaki.net/" target="_blank">http://bre.klaki.net/</a><br>