Comments on RevK®'s ramblings: To open source, or not to open source? That is the question...

Blogger comment feed for the post (feed author: RevK). 25 of 29 comments are shown on this page, listed oldest first. Feed last updated 2024-03-28 09:19 +00:00.

----
SimonF, 2017-07-18 21:31 +01:00

No good turn goes unpunished.

----
Will Dean, 2017-07-18 23:31 +01:00

Is your insurance co happy with a home-made alarm system? I thought they were picky about such things.

----
Anonymous (Blogger profile 04428564417365417467), 2017-07-19 03:40 +01:00

Regarding the question of open-sourcing it or not, I have two questions in reply:

1) Let's assume that you were selling the software, such that entity A gives you money, and you give them a working installation.

For all of the other software you use but did not write (the OS, libraries, etc.), how are they licensed? In particular, are any of them licensed under the GPL (v2 or v3) exclusively?

If you do rely on any GPLed code, then at the least you'd have to make a copy of that source available (the Linux source, for example). If your code relies on something so tightly that the two things cannot be separated, and that "something" is GPL-licensed, then your code may also become GPL-licensed.

That doesn't mean you have to give your code away for free, but it does mean that your customers could.

2) Let's again assume that you will be selling the software, either just the software or a "full package" of software, hardware, and services. How much would it cost to get indemnity insurance, to cover the costs in the event your product fails, leading to theft at a customer? I imagine it wouldn't be cheap.

It's worth noting also that "open source" doesn't necessarily give people the option to use it however they want. You (that is, A&A) could choose to license it in such a way that people wouldn't be able to do certain things with it. For example, you could try finding an equivalent to the Creative Commons CC-NC-ND license.

So, before looking at what platform to use for making it available, I'd check into the above questions, to see if your hands might already be tied!

----
JTL (https://twitter.com/jtl999), 2017-07-19 05:35 +01:00

> I may have vulnerabilities in my code that I have not spotted! If published, someone could find them and exploit them to rob us, or other people. I also have slightly more faith in humanity and would expect someone to tell us if they saw an issue in the code, or at least not bother to exploit it, or at least not have the contacts to let someone else exploit it. So maybe safe to publish anyway.

I'd argue that unlike an internet-connected piece of software, this is hardware and software that is (hopefully) not connected to the internet. Obviously you (A&A) run this hardware and software and publishing said source code might seem like a bad idea, but a) would-be robbers of your clients aren't going to know "Oh, this is an A&A based alarm system" and b) most common burglaries are done by low-tech criminals. Case in point: when my house was robbed 6 years ago it was because someone left the back window unlocked while going out for 10 minutes. It is my opinion that having transparent and open systems in the long run can make security better.

> It would be a risk to try and exploit such issues

Indeed. Given how this is a physical "hack" and not a remote exploit, you have "one shot" then it's over.

> I also have slightly more faith in humanity and would expect someone to tell us if they saw an issue in the code

Bug bounties can be an incentive for people to find and report security issues, although such for a hardware device doesn't seem to fit in with current models. Or you can hire a competent penetration team annually to test your system if you wish and act on the results. Although it's my experience that systems already made by people and organizations that have the "ethos of competent old-time Unix sysadmin types" seem to have not many "catastrophic" vulnerabilities and just some minor ones really.

I remember when reading a while back about your FireBrick devices and your IPsec implementation you pondered if you should open source it, given how FireBricks have signed bootloaders and such. I say in the case of the FireBrick give out the source so people can build it and compare it with the existing image with the digital signature stripped, so people can "rest assured" that their image hasn't been tampered with. The same technique was used in early audits of TrueCrypt. This also relates to my next point.

> It always helps if there is an "official" version, and if we ever get it to meet security specs or British Standards that also helps confirm which versions does that. But who controls it? There are many ways to release code from just putting it out there, to putting on a community repository, to accepting code updates, or suggestions, or changes, and simply controlling the master copy ourselves.

Again, if you don't feel comfortable with it, you don't have to accept changes from unknown 3rd parties; this could just be a "for reference" sort of thing.

> If anyone can submit new code, or make changes, one has to be careful. It would be easy to hide a deliberate vulnerability or introduce an accidental one.

All changes would have to be approved by yourself or someone you trust. Or, like I said, you could simply ignore them.

> I was pondering, for example, I have key fob codes (numbers) and zero is invalid. If someone just removed the if(e->fob) line from the code that does nothing with a zero, then zero would be valid and may match any user without a key fob defined as they have zero stored

Very clever scenario. Reminds me of this: https://freedom-to-tinker.com/2013/10/09/the-linux-backdoor-attempt-of-2003/

Ideally I think a good compromise would be to have the system as open source but have some licence where modified versions might have to use a different name, and have a disclaimer in the readme such as "This is a fork of $Project and is not endorsed or associated with Andrews & Arnold in any form". "No warranty" clauses are standard in many projects.

----
RevK, 2017-07-19 07:55 +01:00

My home insurance seem to be. The office does not have contents cover as it was more expensive than being robbed - we are going for "good security in the first place" these days.

----
RevK, 2017-07-19 07:57 +01:00

It is just a C application running on Linux, so not automatically GPL itself :-) Deciding what licence is one point though.

----
RevK, 2017-07-19 07:58 +01:00

Of course, this does raise the question of what the hell I call the system. For now, "SolarSystem", but not sure.

----
DT, 2017-07-19 07:59 +01:00

+1 for GitHub.

I'm rather disturbed to see the "security through obscurity" argument made by you! (apparently in all seriousness)

Particularly for something like this, I suspect the main money is to be made out of selling the system as a whole (hardware, software, installation, maintenance, support, etc). After all, if it only took a week or so to develop, the software/hardware IP is hardly _that_ valuable.

----
DT, 2017-07-19 08:04 +01:00

+1 for GitHub.

I'm rather disturbed to see the "security through obscurity" argument made by you! (apparently in all seriousness)

Particularly for something like this, I suspect the main money is to be made out of selling the system as a whole (hardware, software, installation, maintenance, support, etc). After all, if it only took a week or so to develop, the software/hardware IP is hardly _that_ valuable.

"To some extent it depends how good, and complete, my code is, which is partly why I have delayed releasing so far (I do not think complete enough, yet)." rather misses the point of open source. If Linus had waited until Linux was "complete enough" it would probably never have become what it has.

----
RevK, 2017-07-19 08:11 +01:00

I quite understand - yes, the security by obscurity argument is not a good one, but I have put it here as something to consider (and dismiss). As for "complete", I mainly mean as complete as I am planning to make it, i.e. "not half finished". I think it would be a tad rude to publish something half finished to be honest :-)

----
Anonymous (Blogger profile 18427000118752159232), 2017-07-19 08:26 +01:00

A software licence equivalent of CC NC-ND wouldn't meet either the Free Software Definition or the Open Source Definition. You've basically got a pretty standard proprietary licence.

Of course, once either the source or binary are out there, anyone can (technically, rather than legally) use it however they wish. Short of putting in some form of DRM / licence validation, and pursuing infringement claims, there's not much one can do...

----
DT, 2017-07-19 08:33 +01:00

I think it's rude to prevent the community from contributing to the design and evolution of the codebase, personally.

The point of open source is that it is never "finished".

----
RevK, 2017-07-19 08:34 +01:00

No, it won't ever be "finished", I understand that.

----
Anonymous, 2017-07-19 09:27 +01:00

What are the implications for your insurance?

I doubt they're going to accept your "homebrew" kit as an alarm unless you get it/you certified. I know our insurers won't reduce the premium unless the alarm/company who fitted it are SSAIB/NACOSS certified.

I think you're running the risk of them rejecting future claims if you declared your current system/installer as certified.

----
RevK, 2017-07-19 09:30 +01:00

I answered that above. That said, getting a system certified should be possible, of course.

----
NAB, 2017-07-19 10:37 +01:00

In my experience (both for home and caravan insurance), the cost of having and maintaining a certified system is greater than the discount applied to the policy for having such a system. Then there's the possibility of a claim being refused because somebody forgot to set the alarm before they went out...

----
RevK, 2017-07-19 10:39 +01:00

Indeed. We did have the system installed by someone certified, and so could have had insurance and so on. As it happens we did not. But I can bet the claim would at least be hassle as the alarm had not in fact been set when we were robbed. Something we have fixed by technical and process changes since.

----
galooph, 2017-07-19 17:22 +01:00

If you fancied an open source alternative to GitHub, you could use GitLab, https://about.gitlab.com/

----
Anonymous, 2017-07-19 22:12 +01:00

> Max readers scramble the true number they see so you have to buy special Honeywell key fobs with the scrambled number printed on them in order to use with the Galaxy system. The new system reports the ID it saw from the reader so any compatible key fobs or cards will be usable.

I don't think this is an entirely deliberate thing: I think it's more that there are 2 or 3 different "standards" for the way the EM41xx codes are turned from bits into numbers. We used to have fobs that had one number printed on them, but showed up as a different number in the Galaxy programming (tip, for anyone who has a Galaxy system and isn't aware: when you're about to enter a new user's fob number on the panel, just after you've deleted the old code or 00000, you can press A+1 simultaneously and then hold a fob up to the reader, to automatically type in that fob's number. That way you can use fobs even with the "wrong" number printed on them.)

I once tried to decipher the mapping between the printed number and the Galaxy number, and it turned out to be very simple - can't remember the exact details, but it was mostly about moving bits to different positions, and possibly some BCD - clearly no attempt to make things difficult!

Those were fobs we got from the installer. Now I buy EM410x fobs in bulk from eBay, at about 20p each. As it happens, the number printed on them matches what's displayed in the Galaxy programming...

----
Anonymous, 2017-07-20 00:55 +01:00

If you're worried about something nefarious slipping in, you should engage in some "defensive formatting" to complement the defensive coding.
For example, using {...} for single-statement if..else makes it much harder for something to make its way into that part of the code.

----
RevK, 2017-07-20 07:12 +01:00

The keypad reads a different number to the MAX readers, so you cannot use that trick to make a fob that works on a MAX reader, only for use on the keypad. Interesting that it could simply be an accident, though.

----
chrcoluk, 2017-07-21 15:25 +01:00

Bad idea, the potential liability could take down A&A.
Bound to be at least one vulnerability somewhere.

----
RevK, 2017-07-21 15:27 +01:00

An odd answer - making it open source also means you exclude liability for it - people can take it and use it if they want, at their own risk.

----
chrcoluk, 2017-07-22 00:28 +01:00

Sorry, my answer was based on selling it as a product, aka monetisation.

----
StuartMcG (http://www.sm-alarms.co.uk), 2017-07-26 23:01 +01:00

It's a different standard adopted. I cannot remember the reason. As above, it's achieved with some out-of-order bit shifting. I've not looked through your code to see if you've reversed the map back to the standard serial no. I implemented a decoder in a web page for installers to paste a list of cheap tag codes to receive a CSV with the mapping.
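The "2 or 3 different standards for the way the EM41xx codes are turned from bits into numbers" that Anonymous (2017-07-19 22:12) and StuartMcG (2017-07-26) describe, as an added C example that is not from the original post, RevK's alarm code or StuartMcG's web decoder. It assumes plain EM4100/EM410x tags: a 64-bit frame of nine 1 header bits, ten rows of four data bits plus an even row-parity bit, four even column-parity bits and a 0 stop bit, carrying a 40-bit ID. After decoding with full parity checking, it prints the same ID the three ways bulk fobs are commonly labelled (10 hex digits of the whole ID, the low 32 bits in decimal, and a "facility,card" split of bits 23..16 and 15..0); those labelling conventions are general knowledge, not something the page states. The Honeywell/Galaxy scramble for MAX readers is not described anywhere on the page, so it is deliberately not reproduced here. The sample ID is constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Even parity of a 4-bit nibble (1 if an odd number of bits are set). */
static unsigned parity4(unsigned nib)
{
    nib ^= nib >> 2;
    nib ^= nib >> 1;
    return nib & 1;
}

/* Build a 64-bit EM4100 frame (MSB first) from a 40-bit ID.
 * bits 63..55 header (all 1), 54..5 ten rows of data+parity,
 * 4..1 column parity, bit 0 stop bit (0). */
uint64_t em4100_encode(uint64_t id)
{
    uint64_t frame = 0x1FFULL << 55;
    unsigned colpar[4] = {0, 0, 0, 0};
    for (int row = 0; row < 10; row++) {
        unsigned nib = (id >> (36 - 4 * row)) & 0xF;
        unsigned rp  = parity4(nib);
        for (int c = 0; c < 4; c++)
            colpar[c] ^= (nib >> (3 - c)) & 1;
        frame |= (uint64_t)((nib << 1) | rp) << (50 - 5 * row);
    }
    unsigned cp = (colpar[0] << 3) | (colpar[1] << 2) | (colpar[2] << 1) | colpar[3];
    frame |= (uint64_t)cp << 1;
    return frame;               /* stop bit (bit 0) is left 0 */
}

/* Decode a frame into its 40-bit ID.  Returns false on any header,
 * row-parity, column-parity or stop-bit failure, so a noisy read
 * or a single flipped bit is rejected rather than yielding a bogus ID. */
bool em4100_decode(uint64_t frame, uint64_t *id)
{
    if ((frame >> 55) != 0x1FF)      /* header */
        return false;
    if (frame & 1)                   /* stop bit must be 0 */
        return false;
    uint64_t out = 0;
    unsigned colpar[4] = {0, 0, 0, 0};
    for (int row = 0; row < 10; row++) {
        unsigned chunk = (frame >> (50 - 5 * row)) & 0x1F;
        unsigned nib   = chunk >> 1;
        unsigned rp    = chunk & 1;
        if (parity4(nib) != rp)
            return false;            /* row parity failure */
        for (int c = 0; c < 4; c++)
            colpar[c] ^= (nib >> (3 - c)) & 1;
        out = (out << 4) | nib;
    }
    unsigned cp = (frame >> 1) & 0xF;
    for (int c = 0; c < 4; c++)
        if (((cp >> (3 - c)) & 1) != colpar[c])
            return false;            /* column parity failure */
    *id = out;
    return true;
}

/* Three common ways the same 40-bit ID ends up printed on a fob. */
uint32_t em4100_low32(uint64_t id)    { return (uint32_t)id; }
unsigned em4100_facility(uint64_t id) { return (id >> 16) & 0xFF; }
unsigned em4100_card(uint64_t id)     { return id & 0xFFFF; }

int main(void)
{
    uint64_t id = 0x4D00123456ULL;   /* constructed sample ID (version byte 0x4D) */
    uint64_t frame = em4100_encode(id), back;
    if (!em4100_decode(frame, &back)) {
        puts("decode failed");
        return 1;
    }
    printf("frame     %016llX\n", (unsigned long long)frame);
    printf("hex       %010llX\n", (unsigned long long)back);
    printf("dec32     %010lu\n", (unsigned long)em4100_low32(back));
    printf("fac,card  %03u,%05u\n", em4100_facility(back), em4100_card(back));
    return 0;
}
```

The point for an installer or for RevK's "report the ID the reader saw" design is that all three printed numbers are views of one bit string, so a system that stores the raw 40-bit ID can accept any fob whose label you can map back to those bits; a system that stores one particular rendering cannot.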
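RevK's scenario of someone removing the if(e->fob) line so that a zero reading matches any user with no fob enrolled (quoted in JTL's comment), together with the "defensive formatting" suggestion from Anonymous (2017-07-20), as an added C example. This is not RevK's code: struct user, find_user_weak, find_user and the two-entry user table are all constructed for the example, and the only fact taken from the page is that a fob code of zero is invalid and that users without a fob have zero stored.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user record; fob == 0 means "no fob enrolled". */
struct user {
    const char *name;
    uint64_t    fob;            /* 40-bit EM410x ID, 0 = none */
};

/* Constructed sample table: one fob user, one keypad-only user. */
static const struct user users[] = {
    { "alice", 0x4D00123456ULL },
    { "bob",   0 },
};
#define NUSERS (sizeof users / sizeof users[0])

/* The loop after the hypothetical one-line removal: nothing stops a
 * reader that reports 0 (no tag, a blank tag, a failed read) from
 * matching bob, who has 0 stored because he has no fob at all. */
const struct user *find_user_weak(uint64_t seen)
{
    for (size_t i = 0; i < NUSERS; i++) {
        const struct user *e = &users[i];
        if (e->fob == seen)
            return e;
    }
    return NULL;
}

/* Hardened lookup.  The invalid value is rejected before the loop, so
 * a later edit inside the loop cannot reintroduce the zero match, and
 * the per-entry guard stays as a second check.  Every branch is braced
 * (the "defensive formatting" point) so a line slipped in after an
 * unbraced if cannot silently land outside the conditional. */
const struct user *find_user(uint64_t seen)
{
    if (seen == 0) {
        return NULL;            /* 0 is never a valid fob ID */
    }
    for (size_t i = 0; i < NUSERS; i++) {
        const struct user *e = &users[i];
        if (e->fob == 0) {
            continue;           /* user has no fob enrolled */
        }
        if (e->fob == seen) {
            return e;
        }
    }
    return NULL;
}

int main(void)
{
    const struct user *u = find_user_weak(0);
    printf("weak lookup of 0: %s\n", u ? u->name : "(no match)");
    u = find_user(0);
    printf("hardened lookup of 0: %s\n", u ? u->name : "(no match)");
    u = find_user(0x4D00123456ULL);
    printf("hardened lookup of alice's fob: %s\n", u ? u->name : "(no match)");
    return 0;
}
```

A review diff that deletes one guard line is easy to miss; a unit test that asserts a zero reading never matches anyone, like the assertions on find_user here, turns that single removed line into a failing build.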