Good information here:
https://luketopia.net/2013/07/28/raspberry-pi-gpio-via-the-shell/
Pulled down the utility script and it just works. Appears GPIO4 is tied to a pull up? Shows 1 when reed switch is open. Used a 10k pull down and goes to zero when closed.
Pic here.
Monday, November 28, 2016
Tuesday, November 15, 2016
Alarm via SMS
I've been monitoring doors with the K8000 inputs for years. I'm using Asterisk to call a local endpoint registered on my smartphone, but want something for when I'm away. Communications Platform as a Service (CPaaS) allows this (Twilio, Vonage, ShoreTel, etc.), so here are the steps to get SMS out from BBB when the alarm is tripped:
1. Fixed DNS, which was not working.
2. Using CPaaS, create a REST API command that can be used on BBB. The platform I'm using requires HTTP POST and provides some JSON examples (the examples had documentation errors, i.e. optional fields that were required).
3. Learn Postman, a Google Chrome extension that allows you to create HTTP POST commands on the fly, test, and copy code in various formats. Python should work, but I'm on 2.7 not 3, which is not supported by Postman. Shell -> Curl did not work, but Curl did.
4. Add Curl to BBB.
5. Create bash script that has Curl code.
6. Add bash script to Python monitoring script and voilà, SMS when alarm tripped.
The REST API requires authentication, which needed to be investigated. Here is a good description:
https://stormpath.com/blog/the-problem-with-api-authentication-in-express
REST API Security Explained
Before diving into the ecosystem options and challenges that currently exist, I’d like to take a moment to cover how REST API authentication should ideally work. There are exceptions to this rule, of course, but in general, the following hold true for most public (and private) API services.
There are two common ways to secure your REST API service: either via HTTP Basic Authentication or OAuth 2.0 with Bearer Tokens.
If your service is going to transmit sensitive information, it’s best to serve it over HTTPS to ensure that data can’t be leaked in transit.
API Keys
At the core of any API service are API keys. API keys allow developers to authenticate against an API service.
But what should API keys look like, ideally? What is the ideal way to generate API keys?
Well, before answering that question, let’s take a look at one way you don’t want to do it.
How Not to Generate API Keys
How many of you have used an API service that generates a single API key for you?
For instance, many times I’ll sign up for an API service and get a generated API key that looks something like this:
6myyAgKSZuLaextotmfQiRPdLkc79ycjgqhqKD51.
Unfortunately, if you’re only receiving a single API key from a provider, chances are, this provider isn’t properly securing their REST API.
All API keys should really be API key pairs.
The way HTTP Basic Authentication works is that it allows you to specify two pieces of information with each request: a ‘username’ and a ‘password’.
When you submit an API request to a service secured with HTTP Basic Authentication, what you’re really doing is taking your username and password (API key pair), smashing them together into a string (separated by a colon character), then base 64 encoding the result and setting it as the HTTP Authorization header.
If you have only a single API key, you’ll end up with an HTTP Authorization header that looks like this:
apikey:.
As you can imagine, this can lead to guessable API keys as an attacker can simply try every possible string until they ‘guess’ the correct API key. Depending on the length of your API key, this might make an attacker’s job very easy since an attacker only needs to guess your API key in order to make API requests on your behalf. For instance, let’s say your API key is 5 characters in length — this means an attacker could simply try every combination of characters until they guess your API key.
With two API keys (a username and a password), it is much harder for an attacker to ‘brute force’ your API keys as it will take much, much longer computationally to try that number of string permutations.
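The bash-plus-curl step from the list above, together with the Basic Authentication encoding the quoted article describes, as an added example that is not the author's script or any provider's code. The endpoint URL, JSON field names, script name and credentials file path are assumptions, since the post does not name the platform.

```shell
#!/usr/bin/env bash
# Added example: alarm SMS via a CPaaS REST API using HTTP Basic auth over HTTPS.
# Assumptions (hypothetical): endpoint URL, JSON field names, credentials path.
API_URL="${API_URL:-https://api.example.invalid/v1/sms}"
CRED_FILE="${CRED_FILE:-$HOME/.alarm_sms_cred}"  # one line: keyid:secret

# Escape backslashes and double quotes so text cannot break out of a JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

build_payload() {  # build_payload TO FROM TEXT
  printf '{"to":"%s","from":"%s","text":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# What Basic auth sends: base64("id:secret"). This is encoding, not encryption,
# so anyone who sees the header recovers the credential; hence HTTPS only.
basic_auth_value() {  # basic_auth_value ID SECRET
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Accept the credentials file only if it is a regular file with mode 600.
cred_file_ok() {
  [ -f "$1" ] && [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

send_sms() {  # send_sms TO FROM TEXT
  case "$API_URL" in
    https://*) ;;
    *) echo "refusing non-HTTPS URL" >&2; return 2 ;;
  esac
  cred_file_ok "$CRED_FILE" || { echo "chmod 600 $CRED_FILE" >&2; return 3; }
  # Feed the credential to curl as config on stdin so it never shows up in ps.
  # Assumes the key pair contains no double quote or backslash.
  printf 'user = "%s"\n' "$(head -n 1 "$CRED_FILE")" |
    curl --config - --fail --silent --show-error --max-time 15 \
      -H 'Content-Type: application/json' \
      --data "$(build_payload "$1" "$2" "$3")" "$API_URL"
}

# Sends only when run as: alarm_sms.sh --send TO FROM TEXT
if [ "${1:-}" = "--send" ]; then
  send_sms "$2" "$3" "$4"
fi
```

From the Python monitoring script, call it with an argument list such as `subprocess.call(["./alarm_sms.sh", "--send", to, sender, text])` rather than a shell string, so the alarm text is never parsed by a shell.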