jkiv news goes here

The Arduino is a wonderful little device. It’s versitile, inexpensive, and surrounded by a large community. These qualities have led to a wide variety of add-ons, like the Ethernet shield which provides the Arduino with network capabilities.

I’m currently working on an Arduino device for managing access to a beer keg, called PourLogic, inspired by the Kegbot project. This Arduino-based device acts as a web client (like your web browser) that makes requests to a remote web server.

For instance, when a patron swipes his/her RFID tag, the Arduino asks the server whether the owner of the RFID tag can have some beer. The web server decides and replies with the amount the person can pour, from zero (he/she cannot pour) to infinity (he/she can have as much as he/she wants). Once the person finishes pouring, the amount of beer he/she has poured is sent to the web server to be recorded.

Communication between the Arduino and the web server is essential for this system to operate effectively. When the Arduino asks the server if a patron can have some beer, the Arduino is trusting that the end-point it is connecting to is trust-worthy. However, imagine if somebody posed as the server (i.e. tricked the Arduino into connecting to it, instead of our nice little server) and this fake server responded to every reply with “Yes, you can drink as much as you want.” In such a case, any RFID would allow the beer to be poured, bypassing all effort to prevent this. To avoid this kind of scenario, the Arduino must be able to authenticate responses from the server.

After a patron has finished pouring, the volume poured is sent back to the server for some (lovely) record-keeping. Now, not just anybody should be able to post this type of data to the web server. If this was a regular website, like publishing to an essay to a blog, or posting a tweet to a Twitter account, this type of request would necessarily require the user to authenticate his/herself (i.e. enter a username and password). Thus, the server needs to authenticate all requests from its clients.

Imagine now that the previous two problems are solved. If a third party were to, again, trick the Arduino into connecting to it instead of the real server, it may be able to simply play as proxy to the valid communication between the Arduino and the real server. Any valid request would be sent to the fake server, the fake server would forward the request to the real server, get the real response and forward the real response back to the Arduino. In this process the fake server can view and remember the valid exchanges between the Arduino and the server. Two problems need to be avoided here. First, the third party should not be able to alter any request data and have the message still be valid. Second, if the prior problem is solved, the third party should not be able to recall a previous valid message and use it at a later time. This second issue can become a problem when a valid response to a pour request, which cannot be altered, is “Yes, you can have as much as you want and this is really the server talking here.” The fake server can reply with such a message at any time once observed.

In the typical situation (webmail, etc.), these four issues would be remedied with the use of SSL/TLS, the de-facto standard for providing both authentication and encryption between two end-points over TCP. The Arduino, being a cute little thing, is not very powerful. As a consequence, the use of SSL/TLS with the Arduino is not feasible.

How can the two end-points authenticate without public key cryptography and all the fun stuff that requires more computing power than the Arduino provides?

[TO BE CONTINUED]

I tried writing a number of pieces on the design of my “Kegbot” system, an RFID beer control system. From the main concept, to the security models, to implementation, I was going to cover it all. However, a lot of my writing was in retrospect — months of retrospect.

Before I started writing the articles, I “finished” the project. The project was far from finished but a failed test run (i.e. a kegbot party) crushed any faith I had in completing it successfully. While hotwiring the kegline open I killed my Arduino; that was my second Arduino. The remaining effort I made was in shelving the damned thing.

Being a clone/redesign of an existing idea, it inevitably had a name change coming. Posting the client code caught the attention of the Kegbot project; they told me asked me politely to change the name. I had no issue with this, so I decided I would. I brainstormed some names, asking friends and colleagues. I soon after registered various possible domain names: beerarbiter.com, kegb.org, pourlogic.com… PourLogic — aww yeah!

The thinking long and hard about a name for the project I felt I failed miserably at got me reinvested in it. Instead of a rickity Kegbot clone, it began to feel like it’s own thing.

Slowly reinvigorated, I began to think about the problems I had with the failed run; the console-based administration, the breadboard circuitry that caused me to hotwire my Arduino to death… That was it! I quickly ordered a prototyping shield. I needed a prototype shield, to have everything soldered on nicely with line-quenching buttons and no wire-to-wire death!

When it arrived, I assembled the essential parts of the shield with glee! It didn’t fit; the prototyping board would not fit over my fat old ethernet shield.

A fellow hackerspace member asked me something along the lines of, “Why do you keep buying Arduinos? Just put your programmed chip into your own board.”

“Because I need ethernet, SD, and the works!” I replied. But he was right. I should have made my own board. The schematics for the Arduino and my ethernet shield are publicly available. What’s stopping me from integrating them into a PCB too? So I began.

It occurred to me that if, by the end of the process, I had the full parts list and PCB layout for the PourLogic board, kits could be made available. If kits were available then more people would have the board. If more people had the board then there would be many deployments of the PourLogic server. If there were many deployments then there would need to be an account made for each patron on each server of each bot he/she gets served at. Ergo, the PourLogic server needed to be a service.  So I began work on redesigning the server.

And that’s the story so far. The board and public PourLogic service are pending.

Anyway, the articles — they became irrelevant as the entire thing went through an evolution before I published them.

All I wanted to say was that I wrote a few articles on the development but was too slow to publish them, so I deleted them. Sorry.

Since I haven’t mentioned it yet, I am using the 32-bit version of Ubuntu Server 10.04 as the operating system for ease’s sake.  I’m doing this to relax after all.  (Sorry gentoo; you know I still love you.)

Setting up gitosis

So, gitosis.  Why?  It’s simple, there is no need to create user accounts for each contributor, and it runs over SSH.

What do we need to get this running?

Assumed to be already installed on the server:

• python
• SSH (server)

We will be installing on the server:

• python-setuptools
• git
• gitosis

Assumed to be already installed on the client:

• SSH (client)
• An SSH public/private key pair
• git

Let’s start with the server.

Read More

So, I’m going to build a little server.

Oh wait, I did!

It’s meant to be an always-on, low-power, physically unobtrusive box.

It’s going to provide SSH, web, and git/gitweb/gitsosis service.

That’s it!

If you’re nerdy, here’s more detail:

• 1.0GHz VIA C7
• Mini-ITX motherboard
• 1GB RAM
• 32GB compact flash

I will be chronicling my experience.