[sudo-sys] Outer door access, DNS changes, new services, new mesh AP

Matthew Meier wolfy at wlfy.it
Sun Mar 3 13:01:59 PST 2013


Really awesome Juul!

On Sat, Mar 2, 2013 at 6:11 PM, Andrew <andrew at roshambomedia.com> wrote:

> Thanks for the updates Marc. Jake sent me the source code for the key pad
> system Noisebridge is using. If we can get an Ethernet cable wired up we
> can get that working.
>
> Also I have a USB wifi. I'll bring it next time I'm at sudo
> On Mar 2, 2013 5:17 PM, "Marc Juul" <juul at labitat.dk> wrote:
>
>> Hiya sudo-sysadmins!
>>
>> First off: Sorry for this exceedingly long mail. Here's the summary:
>> We set up the .sudo domain and a few new web services + a new mesh
>> access point router for 510pen. Included is also an explanation of the
>> outer door access system and what still needs to be done.
>>
>> I should have been sending mails incrementally as I was doing stuff,
>> instead of one huge mail like this. I'll try to do better in the
>> future.
>>
>> --
>>
>> I set up wolfie's proposed .sudo domain on the DNS server running on
>> space.local, and pointed space.sudo and *.space.sudo to the
>> space.local machine (192.168.1.3).
>>
>> Since mDNS and DNS can't co-manage .local, it makes sense to have
>> normal DNS manage .sudo and mDNS manage .local.
>>
>> If you point a web browser to http://space.local or http://space.sudo
>> you will get the same page: A simple html page with links to local
>> services. For now it has things like:
>>
>>   http://track.space.sudo/ (qr-code item tracking)
>>   http://pad.space.sudo/ (etherpad lite)
>>   http://lib.space.sudo/ (library genesis, setup in progress)
>>   http://map.space.sudo/ (tidepools decentralized map, setup in progress)
>>
>> These services are all hosted via apache, but some (track, pad) have
>> built in web servers, so apache is acting as a reverse proxy.
>>
>> I thought about making the domains like pad.sudo instead of
>> pad.space.sudo, but I think it's nice that the domain names tell you
>> which computer the services are hosted on.
>>
>> I want to improve the http://space.sudo/ overview page in two ways:
>>
>> 1. I want to make it pull the static list of services from a wiki page
>> so that everyone can edit it, but it will still be up when the
>> internet or sudoroom wiki is down.
>>
>> 2. I want to make it dynamically list zeroconf services that are
>> currently being announced on the network.
>>
>> Regarding outer door access: I had to partially disassemble the door
>> and drill a few holes to put in the wire, since the door did not have
>> any built-in wiring channels. The electric strike is mounted in the
>> fail-secure mode (as opposed to fail-safe), which means that it will
>> stay locked if the power fails, and power is required to open the
>> door. This is desirable because the push-bar on the inside of the door
>> mechanically overrides the electric strike, such that you can always
>> get out, even when there is no power, and likewise the key will open
>> the door from the outside without power.
>>
>> The box next to the outer door contains a 12 volt AC power supply
>> which is hooked up to the electric strike in the door, and controlled
>> by one of the GPIO pins on a raspberry pi. The raspberry pi is running
>> raspbian, and control of the GPIO pin is handled with a python script.
>> A usb wifi adapter is connected to the raspberry pi and set to run in
>> master mode (access point mode), with the ssid "sudodoor". A so-called
>> captive gateway is running. It's based on dhcpd and two python
>> scripts: One is a simple DNS server that resolves all queries to the
>> (static) IP of the raspberry pi's wifi interface, and another is a
>> simple web server that asks for the secret password. If the correct
>> password is entered, then the door opens. The user never gets
>> "through" the captive gateway.
>>
>> This is highly insecure, since the password is transmitted in
>> plaintext as a simple URL get request over an unencrypted wifi
>> connection. It also sucks because there is only a single password for
>> everyone instead of per-user passwords, and because it takes way too
>> long to go through the process of entering the building, and because you
>> need a laptop or smartphone, and you need to wave around your laptop
>> or smartphone in what is not the safest neighborhood and lastly
>> because there is no battery backup so you cannot enter without a key
>> if there is no power.
>>
>> I'd love to see three new access mechanisms: Magnetic stripe card, pin
>> entry and RFID.
>>
>> Preferably, magnetic stripe and rfid should not be stand-alone access
>> methods, but should be combined with pin entry.
>>
>> I'll likely put in an RFID reader within the next two weeks, but the
>> other two methods require a wired connection to the outside of the
>> door. I don't want to drill more holes in the door, so we need a hole
>> through the wall. We need to talk to George (the landlord) about this.
>>
>> The sudodoor computer is not connected to the internet. Matt Senate is
>> coordinating with George (the landlord) to run two ethernet cables
>> from the door and up to sudo room. Once this happens, we will be able
>> to set up a system for per-user passwords. We don't have any plans for
>> any of this. If you have any ideas and want to work on it: By all
>> means throw an email on this list, or talk to someone at sudo room, or
>> just implement a solution and tell someone about it.
>>
>> We also need to put in a simple method for sudo room and a couple of
>> the other tenants to buzz in people. Helping the other tenants get
>> this system working was part of the agreement that got us a new
>> electronically controllable door for free. It would be great if this
>> buzzing-in solution does not rely on the network or computer being
>> operational, such that it is very resistant to failures (leaving sudo
>> room with less time spent on support for other tenants). I imagine a
>> small timer chip connected to the door circuit and a long wire going
>> to each of the tenants, with a button attached. One press will trigger
>> the timer and open the door for e.g. 3 seconds. I'm not sure what to
>> do about the intercom/phone system. I don't know who set up the phone
>> in sudo room. We'd at least need to add a button on the street for
>> each tenant so all phones don't ring every time.
>>
>> We also need a better box and cable management than the current
>> cardboard+duct-tape solution :-)
>>
>> We also really really need an off-site and off-line backup system for
>> all servers in the space.
>>
>> Lastly, Mark Burdett put up a mesh router as part of the 510pen
>> (five-one-open) mesh initiative. It's on the shelf above the server
>> closet (with all the old telephone wiring). It may not yet be
>> operational.
>>
>> Also: If any of you have one or more wifi usb adapters that you'd be
>> willing to donate to the mesh initiative (or maybe you want to join
>> the mesh group?), please contact me! We need them for testing and for
>> the first rooftop link.
>>
>> Thanks!
>>
>> --
>> Marc Juul
>> _______________________________________________
>> sudo-sys mailing list
>> sudo-sys at lists.sudoroom.org
>> http://lists.sudoroom.org/listinfo/sudo-sys
>>
>
>
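Added example (not part of the thread, and not sudo room's or Noisebridge's code): one way to do the per-user check Marc asks for above, where a card or RFID tag only identifies the member and a PIN is still required before the door opens. The DoorAccess class, card IDs, names and PINs are hypothetical; it assumes a wired reader, so it does not by itself fix the plaintext-over-wifi problem.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000   # assumption: tune to what the Raspberry Pi tolerates
MAX_FAILURES = 5          # assumption: lock a card after 5 bad PINs in a row
LOCKOUT_SECONDS = 300

def _hash_pin(pin, salt):
    # Salted, slow hash so the stored table does not hold PINs in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

class DoorAccess:
    """Card ID selects the user record; the PIN is the second factor."""

    def __init__(self):
        self.users = {}      # card_id -> (name, salt, pin_hash)
        self.failures = {}   # card_id -> (consecutive failures, time of last one)

    def enroll(self, card_id, name, pin):
        salt = os.urandom(16)
        self.users[card_id] = (name, salt, _hash_pin(pin, salt))

    def revoke(self, card_id):
        # Per-user records mean one lost card can be removed without rekeying everyone.
        self.users.pop(card_id, None)

    def check(self, card_id, pin, now=None):
        """Return the member name if the door may open, else None."""
        now = time.time() if now is None else now
        count, last = self.failures.get(card_id, (0, 0.0))
        if count >= MAX_FAILURES:
            if now - last < LOCKOUT_SECONDS:
                return None          # still locked out; do not even test the PIN
            count = 0                # lockout expired
        # Unknown cards are hashed against a dummy record so they take
        # about as long to reject as known cards.
        name, salt, expected = self.users.get(card_id, (None, b"\0" * 16, b"\0" * 32))
        matches = hmac.compare_digest(_hash_pin(pin, salt), expected)
        if matches and name is not None:
            self.failures.pop(card_id, None)
            return name
        self.failures[card_id] = (count + 1, now)
        return None

# Constructed sample data: these card IDs, names and PINs are made up.
door = DoorAccess()
door.enroll("card-0001", "alice", "4821")
door.enroll("card-0002", "bob", "9377")
```

The returned name is what an entry log would record, which a single shared password cannot provide.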