Gotta Ask: Is Spinneret Wifi version in the works somewhere?
Oldbitcollector (Jeff)
Posts: 8,091
(As the title says)
I'm curious as this would be the next logical step for Spinneret.
OBC
Comments
I was also wondering if they'd jumper the W5100 connections to the Prop so that you could choose SPI or parallel modes (save pins vs. throughput). Personally the real value in using the Prop with the W5100 would be its ability to do all the fun multi-cog connectivity to real world stuff, hence liking the option of more pins (or a Prop 1-B .... sigh).
Would you really want to use WiFi if FireSheep can hijack or log into any user's account?
I would like to use the Spinneret web server as an interface for a control system. I would like to both monitor a process and be able to change settings on the fly via a connection to the internet (or a home network connected to the internet). And YES, it could be argued that if a system is hidden behind the right firewall you would not have to worry about general attacks. But that still does not stop what FireSheep, or anyone else that understands the concept behind Firesheep, can do to hijack your system, let alone your laptop. But I am worried about the security if I used the Spinneret web server, and it being hacked. It's one thing to just have some sensor information as output to the web; it's another if the wrong person starts changing settings on your device and draining your supply tank or driving your War Bot into the saw blade of death. I have played with HTML enough to write a simple web page, but getting into HTTP or HTTPS sounds complicated.
Like a lot of people here I am new to this Spinneret web server, let alone network connections. There is enough on the web about how hard it is to do HTTP stacks on the normal microprocessor. I was wondering if the Spinneret web server can do HTTPS? Sure, with the right code you can do almost anything, but I am wondering what else I am going to have to do to get this to work? Am I going to have to have 3+ gigs of memory to implement what I want? I hope I am not jumping the gun too much here, but I really think we are going to need some help understanding how this new package flies.
You can read about how FireSheep is used to hack the major social networks here >> http://www.komonews.com/news/tech/107360348.html. BUT... it also talks about getting into a user's account for the Amazon, YouTube and The New York Times.
D9W
Running or connecting to unencrypted WiFi is unsafe, but easily avoidable.
My comment about wifi was for low (information) value home appliances that would be able to connect up to the home network and provide informational updates. While the following examples may seem stupid, they show the kind of opportunities that we haven't thought about in the past:
- A "smart" toaster could provide statistics on its use, element temperature, running time, power consumption. It could potentially work by the measured/reflected carbon levels? What if it could measure the water content/temperature (frozen vs fridge vs room) and reflectivity (could help you predict whether it's wheat or rye), etc.... Serious opportunity to evolve the humble toaster.
- Fridge could give statistics on door opening times, temperature of the various areas, and even provide the potential for food quality / predictability of shelf life of dairy products etc.
etc.
There could be many other examples, all would be suited better by wireless than a wired network.
Now if a neighbour brought up whatever wireless hacking tool of choice, then sure they could find out that the fridge is 4C, it was last opened 1 week ago (confirming that you are on holidays - but they could tell that by looking at the external items like the papers on the front lawn and that the car hadn't moved), that your toaster says that you burned the last piece of toast and it recommends a lighter setting, or a darker setting when taking frozen toast straight from the fridge. Not much value to a hacker, and these items are not likely to compromise your house.
The main risk would actually be from a network disassociation attack, where an attacker broadcasts an instruction for all clients to disassociate from their current bridge. This would leave your network disrupted until you restarted (a watchdog would probably manage that threat).
I agree that industrial controls, heating systems, or anything where the potential for loss is high may need a different communication medium. But then again, some of these things would be better protected over a point-to-point RS485 network rather than an ethernet. Again, you have to apply your risk management to the solution.
As OBC and myself have pointed out, we'd like the option of a WIFI solution where it makes sense for the application.
-Phil
If the information is only output as what setting your toaster or fridge is at, or when the door is open, then you're right, no harm.
Unless somehow it lets someone track when your toaster is on or off, or when you most likely open your fridge, so they know when to come visit your house when you're away... or the thought that if you can change your setting via the internet someone could set your toaster to extra fire toasty or turn up your fridge to the point where not only is your adult beverage too hot to drink, but the milk and meat go bad too... Either way I still think making sure there is some type of security option is important.
I know that most home owners don’t look at their home as a national security issue. But what if my web system controls the lights inside and outside the house? What if the local brat decides to turn your lights on at 2 AM, or off so they can do more than just TP your house at 4 AM?
I have no problem putting the results for the local rain fall, temperature, wind speed, and humidity on the web for everybody to see. I am not sure if I would want everybody in the world knowing how I water my garden (even if it was a drip system- There is always some busy body going to tell you: You can’t use your rain barrel, gray water system, or rain cistern to water something.)
As I see this issue, some things need to have an answer from the ground up. This is more than making sure the black box for some widget that controls a switch on the national power grid can’t be hacked- never mind how that security issue has been ignored by the big power companies. I think making sure that nobody can set your house on fire, or turn on/off the alarm system/lighting system, mess with the fridge temp, cause your washing machine to flood your house, raise or lower the garage door, or turn on your irrigation system so the city comes by to cite you, or let the local thug/ex-spouse track your movements VIA the NET is quite important.
I like the idea that you have a wireless router in your house and you can control your irrigation system from your home network without having to run all the wires.
If I am going to invest in a new system (whatever that is) I want to make sure I know the full limitations of that system. There are a few PICs that work in C# that have the ability to do HTTPS. You just tie into their code and everybody is happy. But they can't do what the Propeller can. For the most part I agree you don't need Fort Knox, until you do. Then when you do need Fort Knox, it's normally too late and needs a total re-work $$$.
Grimm
From that second URL about firesheep >>
...
Leo: Ay, ay, ay.
Steve: And so...
Leo: So it pulls these photos from Twitter or Facebook or Flickr or wherever the profile photos exist.
Steve: Right, because it knows everything about them. It's able to log in as them, get that information. And then you simply, if you want to impersonate them, literally hijack their session, you just double-click on it, and you're logged in as them, on their Facebook page.
Leo: And it does that because it doesn't give you the password, it's not that the password is out in the clear, but the cookie, the authenticating cookie is sent in the clear. And so you have the cookie. You just say "I'm them."
Steve: Correct. Now, okay. The thing that Starbucks could do to fix this immediately, I mean, and it would be wonderful if they did, is simply to bring up WPA encryption with the password "Starbucks." It doesn't have to be unknown. We don't have to have per-user passwords or anything.
Leo: Oh, interesting.
Steve: We already discussed how WPA provides inter-client isolation. We discussed this a couple months ago under a different context. So right now you walk into Starbucks, and you're online. They're unencrypted, and they're open.
Leo: So use WPA. You can tell everybody the password, including somebody running Firesheep, doesn't matter.
Steve: Yes.
....
{side note: The one thing that Steve implemented back in XP days was a way to prevent denial-of-service attacks. I think some of what he suggests would be really cool to code - it would prevent someone overloading your toaster's web connection - I will try to dig his discussion on DoS attacks up.}
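The transcript above explains the Firesheep mechanism: the authenticating cookie, not the password, travels in the clear and is replayed. The following is an added example, not code from this thread or from the Spinneret project, showing how a control-system web interface (the kind D9W describes) should issue a session cookie so that a browser never sends it over plain HTTP, plus a check that flags cookies lacking that protection; the secret, cookie name and user names are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed demo secret; a real deployment loads this from configuration, never from source.
SECRET = b"constructed-demo-secret"
COOKIE_NAME = "session"


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload so a sniffer cannot forge or alter a cookie."""
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_session_cookie(user: str, now: int, ttl: int = 3600) -> str:
    """Return a Set-Cookie header value for an authenticated session.
    Secure: the browser only sends it over HTTPS, so an open-WiFi sniffer never sees it.
    HttpOnly: page scripts cannot read it.  SameSite=Strict: not attached cross-site."""
    expires = now + ttl
    payload = f"{user}|{expires}"          # demo format; user must not contain '|'
    value = f"{payload}|{_sign(payload)}"
    return f"{COOKIE_NAME}={value}; Secure; HttpOnly; SameSite=Strict; Max-Age={ttl}"


def verify_session(cookie_value: str, now: int):
    """Return the user for a valid, unexpired, untampered cookie value, else None."""
    parts = cookie_value.split("|")
    if len(parts) != 3:
        return None
    user, expires, sig = parts
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(_sign(f"{user}|{expires}"), sig):
        return None
    if not expires.isdigit() or now >= int(expires):
        return None
    return user


def cookie_exposed_in_clear(set_cookie: str) -> bool:
    """True if a Set-Cookie header lacks the Secure attribute, meaning the browser
    would replay the cookie over plain HTTP where a Firesheep-style sniffer can copy it."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "secure" not in attrs
```

Note that the Secure attribute only helps when the server actually serves the interface over HTTPS (or, as Steve suggests, the WiFi link itself is encrypted); on a board that cannot do TLS, the cookie still crosses the air in the clear.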