[Noisebridge-discuss] Unlocking the door via SMS

[Rubin Abdi]

Hi kids. I was the one who implemented the "opengate" command on pony 
(which simply pokes the laptop controlling the relay and plays the 
wonderfully annoying chime) and "web page" you go to to unlock the gate.

http://pony.noise/gate

This directory has access control on it to only allow users of our local 
network (the Noisebridge wifi) the ability to see and use it. If you're 
on the "internet" you'll have a very hard time accessing...

http://pony.noisebridge.net/gate

The reason access control was implemented was so we don't have a random 
search engine robot, or an internet accessible script kiddy from 4chan 
constantly scanning pony and triggering the gate. Since we've noticed a 
bit of a burning smell from the electronic latch, Nils added in a 30 
second delay before the relay can be used again.

The reason access control was implemented was _not_ to police who can 
and can't enter the space.

If you're smart and have an account on pony, it's pretty trivial to go 
and copy the contents of /var/www/gate and place it in ~/public_html/ 
with the addition of some sort of mechanism to make sure a machine 
randomly hitting pages doesn't inadvertently open the gate over and over 
and over again. Such as...

rubin110 at pony:~/public_html/gate$ cat .htaccess
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/rubin110/public_html/gate/.htpasswd
require valid-user

This will allow you now to run the "opengate" command, through a web 
browser, from the other side of the internet, with a simple very 
hackable but obscure user name and password.

Additionally, if you can get onto the wifi from downstairs, you can open 
the gate that way.

I think creating more means for folks to get into the space is fun, just 
as long as two things are understood.

1. Mainly I'm concerned about making it easy for some ass hat on IRC to 
open our gate over and over again, possibly busting the electronic latch 
that's part of the gate. Please don't implement things in a stupid 
fashion, think of the children.

2. With any system of electronic access, logging and the lack of 
anonymity is always present, always. With my gate page one can very 
easily just "grep gate /var/log/apache2/access.log" and get a butt load 
of IP addresses. With Micah's SMS setup, Google now has records of 
anyone who SMSed that number requesting the gate be opened.

I don't actually personally care about the 2nd item there, but I do want 
to point it out.

So to end this email, I'd like to say that more means of getting in 
sounds fun and interesting.

Micah: I'm against the idea of using SMS as a means for folks to open 
the gate because SMS is a horribly dated technology that cell carriers 
are simply keeping alive because they make amazing money off of it. I 
wish to see SMS die and people adopt something a little more useful, 
such as simple email on cell phones.

Why not work with Nils on having a phone number you call, with a check 
to see if you've dialed this week's magic secret number? This way one 
doesn't feed into the SMS craze and anyone without SMS service (they 
exist) can gain access.

Additionally I have plans on extending the wifi just far enough out that 
one could access it from the sidewalk, and a /gate page that is net 
accessible but will want this week's magic secret number, which one 
could easily get off of the touch panels in the space.

-- 
Rubin Abdi
rubin at starset.net