Barcode-Controlled Home?

MC68040 writes "The guy at this site managed to build something together that's actually quite neat in the way he built it, all hand-crafted system that uses a linux box to unlock his door. Maybe not the coolest of solutions, but actually a pretty good idea as for security in my humble opinion."

Hum

[Anonymous Coward]

What happens if the power goes out?

your house as a semi-permeable membrane

[timothy]

What's cool about this idea (to me) is that it actually has the great thing about many modern hotel keys (the ones with little holes, or mag strips), which is reprogrammability, but without the major hassles (specialized equipment to punch holes or re-stripe a card).

With a system like this, you can provide time-bounded access -- the petsitter can come by while you're gone part of this week, but her code might not be on the approved list for, say, 1 a.m. next Saturday night. Not that it would stop a real burglar, but all security systems are a series of intentional nuisances to bad guys. This way, there's no "spare" key floating around to be lost and worried about.

Plus you can send someone who needs to come by when you're not there (that petsitter, or the neighbor you've asked to check up on things) to open the door a "key" as a JPG file; they print it out, and it's their open sesame, at least at the times you've set them as welcome.

Since I like to think of houses as cell walls (hey, metaphors are meant to be reversed and amplified!), this lock system really resonates with me.

timothy

Keypad

[EvanED]

It seems like a keypad would almost be a better solution. You don't have to carry something around, only remember the combination. I don't know how reliable this is; from what I've seen in stores, these don't read fairly often, and he's going through glass.

Of course, you'd have to make the password sufficiently strong.

Honestly, really

[Anonymous Coward]

This isn't flamebait or a troll but I think I'm starting to agree with other people: Whats the point of posting a story on a guys personal site if its almost certain to be slashotted?

Video store barcode

[zaffir]

A video store gave me a little keychain barcode which I'm using here.

So i just have to work at his video store (or have a friend who works there), make myself a copy of his barcode, and i get free reign of his house? Sweet.

Not very secure

[Anonymvs Cowardvs]

Humble opinions aside, I can't see describing this as secure, at least compared to an "unpickable" modern lock (i.e., a lock that's tough enough to pick that you'll just go through a window instead).

To get into my house, you need to have my key, or a copy of my key. If I let you look at my key, you won't be able to copy it; you have to have my key in your possession to make a copy.

To get into this guy's house -- and please note that the pictures wouldn't load, so I'm going by the captions -- you need to have his barcode, or a copy of his barcode. If I look at his barcode, I can remember the information I need to copy it, even if I don't have his key when I make the copy!

It's a neat hack, and *maybe* it's more convenient than putting a key in a lock (but it's also more complex -- I picture him standing at the door in the rain during a power failure), but it's not secure. Even a PIN pad would be more secure, becaues you can memorize the PIN -- you *have* to write down the barcode.

Forget key impressions in soap...

[Ben Jackson]

All you need to break into this guy's house is a few seconds with his "keys" and a photocopier. Though I guess if you were really worried about that you could put a small label printer by the door and get a new key every time you left...

Re:Not very secure

[LFS.Morpheus]

You contradict yourself in your post, saying you have to write down the barcode, but you can remember the data if you were to look at his barcode...

Contradiction aside, most people, and especially common thieves, would have no idea how to make a barcode. I personally know you can do it with some software, but I'm not familiar with any of it and have never done it. I do know there are several types of bar codes so that throws another hardball at you; you have to get the right type.

In this case, also, if this person lost his bar code, it's his video rental card. It doesnt exactly scream "this is the key to my house." *No one* is going to think its the key to his house. That. Is. Cool. Of course, if he doesnt have a copy or cant get another copy of from the video store, he's also screwed, etc etc.

On the other hand, if a thief were to somehow get your pin, I bet he would be able to remember the pin long enough to write it down, and entering it into your numpad is trivial.

I think its at least more secure then you give it credit.

Re:your house as a semi-permeable membrane

[delta407]

a "key" as a JPG file; they print it out, and it's their open sesame

Problem: most barcode readers fail when trying to read fuzzy barcodes, making JPG a very bad choice. Also, unless you have a nice barcode reader, you'll probably have issues with barcodes if they were not produced by a laser printer; inkjets simply do not give the definition you need. (Besides which, laser printing is good for other reasons -- if your key gets wet, you won't have ink smearing all over.)

If you used PNG and could guarantee that the receiver had a laser printer (or thermal, for that matter), then it would work. If you want to use JPG and inkjet, well, good luck. :-)

Slashdot effect

[null_terminator]

Why doesn't the ./ staff just mirror all small sites? This would eliminate this kind of problem. Though it would be *polite* to get permission from the author of the site first. I was honestly interested in that site, and now it's gone.

Smart burglars

[Anonymous Coward]

I could just imagine someone coding a little program for Palm OS/PocketPC that would spurt out on the screen all the possible barcode combinations for his video club manufacturer ID. In a matter of a few minutes, someone could gain access to his house.

Re:Slashdot effect

[Osty]

It's just too messy, it takes up time for the editors

Are these the same editors that have time to post duplicate stories?

screws up pages with ads on them (yeah, boohoo, but if you were getting money for the page you'd care)

The sites that tend to be most quickly slashdotted are also the sites that are most likely not to be ad-supported. More, they're also the same sites that are most likely going to end up costing the owner an arm and a leg when their bandwidth allotment is completely smashed by a Slashdotting. In otherwords, they're not gaining any money by being linked to Slashdot, and are highly prone to actually losing money. Let's see what you'll do if you're faced with a $1000 bandwidth bill because your lego collection made it onto Slashdot.

and the rest

What "rest"? Legal issues? The editors obviously should contact site owners (at the very least to warn them that Slashdot is about to launch a massive DDoS on their website). I'd much rather wait a day or two to see an interesting site than not be able to see it at all. If someone doesn't want Slashdot to cache their site, then they should at least be given the opportunity to not have the site posted to Slashdot.

It would be good, though, if the editors were to put up at least the Google cache of this kind of site.

For this kind of site? Not likely. I looked at the Google cache. The site has a lot of pictures of the guy's setup, and google doesn't cache images. Thus, the Google cache is nearly useless.

Re:$10 and I'm in

[MORTAR_COMBAT!]

Well, the difficulty bar is raised a bit from the 'bar code'. It seems reasonably more difficult to both (1) secure an object with a clear figerprint of mine and (2) use said fingerprint to etch a 3D image onto some PCB board than to (1) use a photocopier or camera/printer to copy a bar code.

That insecurity is indeed real. Although those systems which were compromised were single-finger systems, and my system uses 3 as well as hand shape. Being able to get 3 clear fingerprints and mimic hand shape is more difficult than simply picking the lock, anyway, so your efforts would be better served in investing a a few dollars worth of decent lock-picking tools instead of a set of hobbyist PCB boards and etchers.

Re:Not very secure

[jjshoe]

you can remember 12 digits? there was a time when i could remeber the 1st 6 of hp's barcode because i was often looking hp stuff up in our system.. 08689 who knows now.. that was a while ago.. but the point is most people cant look at 12 digits and just remember it...

i use my drivers liscence to switch to root on my box.. its not nesecery, in fact its probly over kill and pointless. however. most importantly it makes me think for a second if im about to do something as root.

plus, its something neet to brag about, which is part of the geek world. because you dont like it doesnt mean that himself and his friends dont like it

USB Keychains

[milkmandan9]

Something occured to me when I read the blurb (as the article is dead).

Instead of a barcode, why not use one of those USB-keychain things? Seems easier to rig under Linux -- just get the kernel to automount the device when it sees it and check some file on the device. Fit a USB socket into the wall and carry around your wee USB keychain.

Authentication is the least of concerns...just dump a gazillion random bits to the drive and compare them with the copy on the house. I imagine you could probably rig up some spiffo public-key crypto, but I don't really see the point. One-pads work fine here.

As usual, you've got the problem that if somebody steals your keychain, they can make a copy of it, but this is the same problem you have with regular keys or this barcode thing.

Another benefit is you can rewrite the key on the USB drive after every use. If $BAD_GUY steals your key without your knowledge but you manage to get back to the house first, his key is worthless.

The max # cycles isn't so hot on those flash drives, but I imagine you can get a few years worth of entry without any problems.

Plus, with a 64MB keychain, you've got enough space for as many keys as you could possibly every need (640k, anyone?)

I don't buy it; use a caching proxy if nothing els

[Fastolfe]

I don't buy the FAQ's explanation. I think they're deliberately oversimplifying or just saying "it'll be too complicated and annoying for everyone" because they're lazy.

At a very minimum, use a caching HTTP proxy to feed a "mirrors.slashdot.org" site. Links would be set up under their own, unique path on this site (e.g. mirrors.slashdot.org/some.site/path/document or even mirrors.slashdot.org/50449) and this would funnel into a caching HTTP proxy. So long as the other site set up reasonable cache headers, there is no reason why the sites would object to their pages being cached in this fashion. This is built into HTTP, for fuck's sake. Wherever they have advertising being done, they're probably doing that in an iframe with its own caching policy. HTTP would handle all of this perfectly fine. Set an artificially low max-age value (overriding the site's) if you're really worried about things getting stale, but even this is unnecessary.

This is all fairly trivial to do. Slashdot authors/programmers have just gotten lazy in the last few years. They don't innovate or improve, they just watch over the slashcode "open source" project and occasionally toss out a few minor releases.

From your quote of the FAQ:

I could try asking permission, but do you want to wait 6 hours for a cool breaking story while we wait for permission to link someone?

Why don't you use some fucking common sense, ask yourself, "Do I think this site will survive linking?" And if the answer is "probably not," then e-mail them or call them, give them a head's up, and only if you fail to get a response in a reasonable amount of time would I ever think it's OK to link to them anyway.

They do have the information posted online, so any link and any amount of traffic is fair, but at least have the goddamn courtesy to mitigate the amount of damage you're knowingly causing. That's all that's being asked for: courtesy. Slashdot authors are lazy, that's all there is to it.

Re:Interesting

[Fastolfe]

I think you're looking at it from the wrong angle. A guy puts up some information on a site using meager resources. He hopes that information will be useful and interesting to those that happen upon it. The hardware turns out to be perfectly adequate for his needs. Then someone posts a link on a popular site and the traffic increases by a factor of 10,000. The site goes down.

Frustrated, he pulls the content down in an attempt at restoring at least some semblence of service to the site.

Wouldn't you share his emotions? Sure, he "asked" for it and "deserved" it by posting that data online, but it's still annoying and frustrating that you can't make that information available due to its inflated popularity by being reported on by a site.

Slashdot needs to be a little more cautious with this type of thing. At the very least, use standard HTTP caching mechanisms to set up a form of mirror for those sites that do express a willingness to be cached through HTTP.

Re:Let's be frickin' realistic...

[Fastolfe]

Your point of view here is totally absurd (which I guess is why you're posting as an AC).

I completely agree that people posting information to the web should not be surprised if that generates more activity than they would have wanted. In that respect, yes, it is "their own fault" and they "deserve" what they get.

But your comment suggesting that every web server and network be configured to survive a Slashdotting is idiotic. A "properly configured 333Mhz crap machine" most certainly will not survive any but the most mild Slashdotting, even assuming the network does. The fact that you make this statement shows me that you have no idea what you are talking about. Please post some numbers.

Your lack of sympathy for those people just trying to get something interesting/useful posted to the web astounds me. Someone that can afford to put information online for the benefit of all but cannot afford to do so using high-end hardware and high-capacity network links should not be punished for doing so. Not everyone is a professional web provider. Not everyone needs to be one. For most sites, with most content, Slashdot-levels of traffic will never happen. Why spend money building an environment that will handle it? In addition, some environments can handle it, so long as they have sufficient notice. What's wrong with a policy of giving people a few days notice before posting their link on Slashdot when it's clear their site probably won't survive it? Maybe the site owners can take some steps to ensure their site would stay up, or maybe temporarily mirror the content in question somewhere else? There's a lot that can be done here to prepare for a Slashdotting, but nobody has the decency to allow that to happen.

I agree that 'michael' can't be directly blamed for this, but Slashdot's policies on the matter most certainly can. It's just a matter of common sense and not being an ass. You're right: there's nothing requiring Slashdot to do this, and anything with a URL is fair game to be linked (with the traffic that that causes), but come on, there is a human factor here, and Slashdot could be a bit more courteous here.

Re:What A Beautiful Mind

[vrmlguy]

I'm 47 years old. A little less than thirty years ago, I built one of Don Lancaster's TV Typewriters, an ancestor of the computer monitor you're sitting in front of right now. Around twenty years ago, I helped write "big iron" code that simulated underground explosions as an earthmoving tool (it tried to predict where the displaced soil and rocks would land), and I got to be on site for some of the tests) Ten years ago, I wrote a document management system that accepted faxed cell-phone contracts from kiosks, so that when someone tried to get out of a contract, we could fax them back their signature. Today, I'm active in Linux, Apache, MySQL, Perl, PHP, C, C++, PalmOS, Windows XP, Unix and SANs.

The point is, whatever you're doing today seems like drudge work, but after a quarter-century, everyone forgets the boring bits and just recalles the sexy parts.

Less is more

[riqnevala]

I could try asking permission, but do you want to wait 6 hours for a cool breaking story while we wait for permission to link someone?

No, I'd rather see that nice hobbyist page stormed down, THEN wait 6 hours for the site to recover.. Oh, if it only were just 6 hours..

Is it possible to de-concentrate the traffic by any means? Show the story for 5 minutes, then show it again after a quarter or so.. Daily readers would get it eventually..

You /. guys are holding too much influence compared to your careless morality.

Re:Great

[The Spoonman]

That's not funny. This poor guy comes up with might be a great little hack, and /. kills it. Constantly, we read on /. about how certain big companies should take responsiblity for their actions. Well, I say it's time for /. to stop being a hypocrite and start doing it itself. Ask these site ops if they'll be able to handle a /.ing, if not, offer to mirror the site for a day or two. If /. has no problem with the load, great, then help out those that can't.

Re:Mirror Site

[drewp]

This is Drew Perttula, creator of the barcode door entry system. Many of you have emailed me asking for where I moved the site. In my bulk answer (which about 200 people have received by now), I included the following text:

I give everyone on this Bcc list permission
to mirror the page with these conditions: you have to put my name
and email on it as the author, and you have to indicate on the page
that you're mirroring is http://bigasterisk.com/automation/door (not
[the address of the moved page], obviously).

What do I get? digital_gods (to whom I did not give any special additional permissions) mirrors my page, alters it with a comment that readers will not see that includes the secret address of the moved page! He didn't add my name to the page either. This doesn't make me mad; I'm just stunned at the way someone copied my work without attribution and without following my easy instructions about the URLs.

digital_gods, I hope you'll edit your mirror the way I asked. Everyone else, go look at digital_gods' page I guess, since all you want is to see my photos. I want to go to bed, so I'm not going to mess around with links and servers any more tonight. I hope I am still able to receive all your emails, as I've been receiving lots of interesting stories over the weekend.