#128596 - 30/11/2002 13:26
Secure empeg registry
|
pooh-bah
Registered: 19/09/2002
Posts: 2494
Loc: East Coast, USA
|
Ok, another idea: A secure empeg registry which couldn't (easily) be used by thieves. I have the hunch that thieves may use the registry to create fake serial number tags based on which ones have not yet been registered. They could easily make a new tag and put the player in a box claiming it's new-in-box and that the firmware serial number can't be displayed because the box can't be opened.
How can this be done? Kinda like One Way Kerberos encryption. Once you submit your serial, name, and location to the server, it can't be retrieved by a listing or browsing. The only way your information can be retrieved is by submitting the serial number to the server. To avoid brute-force enumeration, your IP could get three tries in a certain period of time before it's locked out.
That way, if someone says, "I'm selling serial 010101999" you could go to the reg and punch that in. If nothing came back, you could feel kinda good that it may be legit. And empeg owners could feel good that their information was confidential because of the security in place.
To further secure the server, there could be some functionality which would e-mail the owner of the serial when their information was accessed. The e-mail could contain the requestor's IP address, for instance. So, if I owned 010101999, I'd know someone was poking around when my information got requested.
Any other ideas for security? I'd really love to see the whole community registered and to keep their registration updated.
_________________________
- FireFox31 110gig MKIIa (30+80), Eutronix lights, 32 meg stacked RAM, Filener orange gel lens, Greenlights Lit Buttons green set
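The lookup-only design proposed in the post above, as an added example that is not part of the original thread. The class and method names, the one-hour window, the HMAC-keyed storage and the notify callback are assumptions; the post itself only asks for lookup by serial, three tries per IP in a period, and an e-mail to the owner.

```python
import hashlib
import hmac
import time


class SerialRegistry:
    """Lookup-only registry (hypothetical design): no list or browse method exists."""

    def __init__(self, secret, notify, max_tries=3, window=3600, clock=time.time):
        self._secret = secret          # server-side key; assumption, not from the thread
        self._notify = notify          # callback(owner_email, requester_ip)
        self._max_tries = max_tries    # "three tries" from the post
        self._window = window          # length of the "certain period", in seconds (assumed)
        self._clock = clock
        self._records = {}             # HMAC(serial) -> owner record
        self._tries = {}               # ip -> timestamps of recent lookups

    def _key(self, serial):
        # Records are indexed by a keyed hash, so a copy of the table alone
        # does not reveal which serials are registered.
        return hmac.new(self._secret, serial.encode(), hashlib.sha256).hexdigest()

    def register(self, serial, name, location, email):
        self._records[self._key(serial)] = {
            "name": name, "location": location, "email": email}

    def lookup(self, serial, ip):
        now = self._clock()
        recent = [t for t in self._tries.get(ip, []) if now - t < self._window]
        self._tries[ip] = recent
        if len(recent) >= self._max_tries:
            return "locked_out", None          # refused before touching the records
        recent.append(now)                     # hits and misses both count as a try
        record = self._records.get(self._key(serial))
        if record is None:
            return "not_found", None
        self._notify(record["email"], ip)      # tell the owner who asked
        return "found", {"name": record["name"], "location": record["location"]}


if __name__ == "__main__":
    # Constructed sample data: serial from the post, documentation-range IP.
    sent = []
    reg = SerialRegistry(b"constructed-secret", lambda email, ip: sent.append((email, ip)))
    reg.register("010101999", "Sample Owner", "East Coast, USA", "owner@example.test")
    for attempt in ("010101999", "010101998", "010101997", "010101999"):
        print(attempt, reg.lookup(attempt, "192.0.2.10"))
    print("notifications:", sent)
```

The per-IP counter is the only enumeration control in this example, and it does not limit a requester who can use many addresses.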
#128597 - 30/11/2002 13:45
Re: Secure empeg registry
[Re: FireFox31]
|
carpal tunnel
Registered: 08/06/1999
Posts: 7868
|
Great idea, but the problem with this is getting enough people to put their data in. Back when the Mark 1 was new, most of the owners were here, and aware of the old registry. Now, we have 5000ish players in the wild, and these stats for the board:
Users - 2497
New Users in past 24 hours - 1
New Users in past 7 days - 12
New Users in past month - 49
Users that have logged in the past 24 hours - 154
Users that have logged in the past 7 days - 380
Users that have logged in the past month - 586
Users that have never logged in - 308
So the problem is going to be getting the word out to all owners to register. About the only way I could think of achieving a high rate with this would be to include a message in the official upgrades from empeg about it, and still it would run the chance of being ignored, or never seen.
I've thought about reviving the registry for RioCar.org, but never got to it before the product was discontinued.
#128598 - 30/11/2002 19:39
Re: Secure empeg registry
[Re: FireFox31]
|
carpal tunnel
Registered: 24/12/2001
Posts: 5528
|
It would still be quite easy to come up with a serial number that looks valid but is actually fake. All I need to do is change the month portion of the serial number and then fiddle the actual unit number. You would need the big list of valid serial numbers from empeg. That would prevent somebody from trying to make up a valid looking serial number.
It's a good idea but it's just too difficult to implement properly given the simplistic nature of the serial numbers and the low number of registrations. Anybody with the motivation to actually change the serial number on the box will be more than able to plug random numbers into the registry or look it up on the mars.org list.
- Trevor
#128599 - 01/12/2002 00:04
Re: Secure empeg registry
[Re: tman]
|
carpal tunnel
Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
|
> All I need to do is change the month portion of the serial number and then fiddle the actual unit number.
You probably wouldn't even have to do that. I suspect that a large percentage of people who buy used stereo equipment at bargain basement (i.e., thieves') prices know full well that it is stolen and could care less what serial number is on it.
I also suspect that a large percentage (nearly 100%) of people who purchase used stereo equipment legitimately would be totally unaware of this serial number registry and would not know to look at it.
I think that a cost/benefit analysis would show the amount of work exceeded the return.
tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"
#128600 - 01/12/2002 09:09
Re: Secure empeg registry
[Re: tanstaafl.]
|
pooh-bah
Registered: 19/09/2002
Posts: 2494
Loc: East Coast, USA
|
> I think that a cost/benefit analysis would show the amount of work exceeded the return.
It would be too costly, but... ah, it was just a thought. I was honestly trying to think up other reasons for maintaining an empeg registry other than my weak argument of theft protection. Haha, I'd still like to know who has the empegs that rolled off the line one before and one after mine. I'm curious like that.
Oh well, it was just another thought.
_________________________
- FireFox31 110gig MKIIa (30+80), Eutronix lights, 32 meg stacked RAM, Filener orange gel lens, Greenlights Lit Buttons green set
#128601 - 01/12/2002 09:28
Re: Secure empeg registry
[Re: FireFox31]
|
addict
Registered: 02/04/2002
Posts: 691
|
I still say we get some kind of IP tracking on the factory image. If we could get the empeg guys to add a simple check to see if the empeg is online, if so, post serial number and IP address to a database. Maybe even the contact info from the empeg too.
Then when an empeg owner gets careless and leaves it in their car, they can pray that the thief will plug their deck into a net connection, and the empeg owner would get an email.
Something like that is what I've had in mind. I can even host the database if need be.
The only thing the user would have to do is upgrade their deck to beta 14.
_________________________
Oliver
mk1 30gb: 129 | mk2a 30gb: 040104126
#128602 - 01/12/2002 18:12
Re: Secure empeg registry
[Re: oliver]
|
carpal tunnel
Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
|
Yeah, this has been brought up before (was it you who brought it up?) and most people concluded that it's a bad idea. Big issues of privacy and such. For instance, I don't want any central database seeing the IP address of my Empeg at work, or to know when I'm at home versus when I'm at work... etc. I would immediately disable this feature on mine.
#128603 - 01/12/2002 22:16
Re: Secure empeg registry
[Re: tonyc]
|
addict
Registered: 02/04/2002
Posts: 691
|
This is true, never thought of it that way, but that would be a huge issue. Maybe then we could set up a way for the empeg to email the owner's email account every time it gets plugged into the net. Chances are that 9/10 people here don't even use a public IP for their empeg. So I should probably just stop thinking.
_________________________
Oliver
mk1 30gb: 129 | mk2a 30gb: 040104126
#128604 - 02/12/2002 03:59
Re: Secure empeg registry
[Re: oliver]
|
carpal tunnel
Registered: 24/12/2001
Posts: 5528
|
Well... If you implement the call home function inside Emplode/JEmplode then the chances of it working are much higher. Just have to worry about the huge numbers of dialup people out there still...
Okay, who's going to be the first to embed a GPS module and radio into the empeg so you can track it?
- Trevor
#128605 - 02/12/2002 09:26
Re: Secure empeg registry
[Re: tman]
|
addict
Registered: 02/04/2002
Posts: 691
|
Oh, how I dream something like this would come about.
_________________________
Oliver
mk1 30gb: 129 | mk2a 30gb: 040104126
#128606 - 02/12/2002 10:25
Re: Secure empeg registry
[Re: oliver]
|
carpal tunnel
Registered: 24/12/2001
Posts: 5528
|
You could make one yourself from easily available parts but it wouldn't be as small as a custom solution.
You'd need a GPS with an antenna connector and serial port, a mobile phone with a built-in modem and the necessary serial cable and external antennas for both. If you can make it autoanswer then that would be it. Otherwise you'd need a PIC chip or something to handle the connection.
- Trevor