Would like to hear what others have to say.

Discussion in 'C-Bus Toolkit and C-Gate Software' started by CTS, Mar 20, 2005.

  1. CTS

    CTS

    Joined:
    Aug 3, 2004
    Messages:
    23
    Likes Received:
    0
    Location:
    Melbourne
    I had a client ask me a question the other day.


    "Does the C-Bus software/System have a password that locks the installation ?"

    Now i think it would be a bad idea to have this feature, for a number of reasons.


    What do you lads think ?


    Kind Regards
    :p
     
    CTS, Mar 20, 2005
    #1
  2. CTS

    cueman

    Joined:
    Aug 3, 2004
    Messages:
    20
    Likes Received:
    0
    Location:
    Oxford, UK
    If you're worried about somebody walking around with a PCI, unscrewing light switches and connecting to the bus, I'm not sure there's much that could be done.

    Clipsal have said security is coming to CGate/Toolkit.
    http://www.cbusforums.com/forums/showthread.php?t=714

    Maybe that would be sufficient?
     
    cueman, Mar 20, 2005
    #2
  3. CTS

    Monty

    Joined:
    Oct 26, 2004
    Messages:
    9
    Likes Received:
    0
    Location:
    New Zealand
    Bad Idea to Lock it up

    The problem with locking up the system is that the customer is the one to pay if for some reason there is a problem on the system, and the original installer is nowhere to be found.
    Clipsal is then at the mercy of cowboys after a quick buck.
    If C-Bus is to become a household name, then it needs to be accessable like regular sparky work is. (It's just the next generation)

    If the problem is that the Installer is worried about keeping their customer, and not having other Installers muscle in and take over, there are a couple of tricks:

    Give excellent service to the customer and they will only use you.
    Do the exact opposite, and give the Customer more than they thought they were paying for ie. Asbuilts, Scope of works documents, a CD with the Database. This will cultivate Trust.

    Also take the PCI away if you are worried about people accessing the system who could stuff it up. Then they'll at least have to buy a PCI.

    Write a clause into the contract with the customer to the effect that when you have commisioned the job and it's signed off, that if the programming is changed, and there is a fault because of it, then they pay for your services again.

    And thats about it from me!...
    ..
    Me too!
     
    Monty, Mar 20, 2005
    #3
  4. CTS

    Richo

    Joined:
    Jul 26, 2004
    Messages:
    1,257
    Likes Received:
    0
    Location:
    Adelaide
    That thread is related to securing remote communications and has little (if anything) to do with securing the actual configuration of units on a network.
     
    Richo, Mar 20, 2005
    #4
  5. CTS

    Richo

    Joined:
    Jul 26, 2004
    Messages:
    1,257
    Likes Received:
    0
    Location:
    Adelaide
    Good question and one that is very much in the consideration of CIS when developing our products ... however before responding to this one in a public forum I will need to seek the official word on this as it may be a sensative topic for some. I'm not in the office today so will chase this when I'm back in.
     
    Richo, Mar 20, 2005
    #5
  6. CTS

    ashleigh Moderator

    Joined:
    Aug 4, 2004
    Messages:
    2,391
    Likes Received:
    24
    Location:
    Adelaide, South Australia
    "Securing C-Bus" is a bit vague.

    Here are some possible way C-Bus *could* be secured. Each have different implications:

    1. Encrypt transmissions on the bus so that snooping bus traffic is pointless
    2. Encrypting transmissions between Toolkit and C-Gate
    3. Preventing the parameters in a unit from being changed

    Item 1 is done in cbus wireless - thats because its an open medium. Bus encryption comes with a few hassles which have been sorted out for wireless. The most inconvenient is the neeed to get the encryption key into each unit. You probably don't mean this.

    Item 2 is done already, its there to ensure that programming of networks from a remote location is secured and tamper-proof.

    Item 3 is probably what you are referring to. To pursue this issue further, you have to ask *why* the parameters (unit programming) should be locked down.

    Here are some possible reasons:

    • To prevent accidental or deliberate use of Learn to screw up network programming (eg in public areas). This is already handled - Learn can be disabled in all units that support it.
    • To lock a customer into a particular installer. If the magic unlock process is not known then only the person who locked it can open it again. As described by a previous post, this is not a good way to serve a customer and is likely to be counter-productive.
    • To prevent fiddlers (hackers) from undoing all the good work of an installer.

    This last option seems the most likely reason why anybody would want to lock down unit programming.

    Few installations would be prone to hackers wandering by and changing settings. If its going to happen, acess or otherwise (removing or not removing) a PCI won't do much because those with the knowledge are most likely to have a PCI of their own anyway.

    Which really only leaves 2 possibilities:

    1. The hacker homeowner. But its their home, their installation. So if they screw it up, then they should be prepared to pay for a competant installer to fix their mess.
    2. The public demonstation. In this case, if you have a PC running toolkit in a public space and anybody who comes by can change things, then you are just asking for trouble. Use a password protected screensaver!

    In spite of all the above, a lock down capability is being considered for some new products. More details are not available at this time.

    HOWEVER - if there is something which I have not considered (above) and there is a compelling reason, post and say what it is (please).
     
    ashleigh, Mar 21, 2005
    #6
  7. CTS

    GeorgeKosmas

    Joined:
    Nov 24, 2004
    Messages:
    53
    Likes Received:
    1
    Location:
    Sydney
    I think if the customer is stupid enough to allow someone to change thier setting of the c-bus and let them stuff something up then they should pay whatever you charge to reload the data back to the c-bus network.

    I am not trying to sound like a tight ass but they stuffed it up, so i think that they should pay to get it fixed. The same thing goes with any product that is sold to a consumer, if they break something like a mobile phone the service center will make the customer pay for it.

    And also please do not forget that if the cbus network is locked with whatever method there will be a problem if another programmers that do not have the backups of the c-bus config and tries to make a change to the system.

    Regards
    George Kosmas
     
    GeorgeKosmas, Mar 21, 2005
    #7
  8. CTS

    coppo

    Joined:
    Sep 7, 2004
    Messages:
    221
    Likes Received:
    10
    Location:
    Adelaide
    password ??

    Dare i say it, Homeminder ...... there it is said..

    We learnt from that, some of the problems that happen with passcodes.

    Whilst the locking codes on it seemed a good idea and alot of installers
    were all for protecting their IP, it was in a few cases , the same installer,
    who "arced" up when he had to go to another installers site and could not retrieve the project file.

    A common scenario is where an installer , not necessarily CIS affiliated;
    1/ programs the product,
    2/ provides no documentation,
    3/ provides no project files
    4/ goes out of business
    5/ customer rings either you people or CIS to try and fix it.

    You could argue that , CIS should then create a special backdoor
    code to help you out, but how long would it take for that special passcode
    to become common knowledge, bringing you back to square1 ,
    wher we started with "no passcode" .
     
    coppo, Mar 21, 2005
    #8
  9. CTS

    UncleDick

    Joined:
    Aug 5, 2004
    Messages:
    130
    Likes Received:
    0
    Location:
    Adelaide
    Swordfish

    Well the HomeMinder at least had the possibility of being used as the buildings security system so some level of password was not out of order. With C-bus can the same thing be said? probably not - and if you are using C-bus as an integral part of a security system god help you. In any event as Ashleigh commented there are few real opertunities for any one to get on and mess with a C-bus system (and just give me 5 mins and a Fire Axe and I will alter a network so that no amount of re-programming will fix it! - and no amount of passwords will protect it) :eek:
     
    UncleDick, Mar 21, 2005
    #9
  10. CTS

    GeorgeKosmas

    Joined:
    Nov 24, 2004
    Messages:
    53
    Likes Received:
    1
    Location:
    Sydney
    Yes, thats pretty much the point that has to be thought about.

    Regards
    George Kosmas
     
    GeorgeKosmas, Mar 21, 2005
    #10
  11. CTS

    CTS

    Joined:
    Aug 3, 2004
    Messages:
    23
    Likes Received:
    0
    Location:
    Melbourne
    coppo you ROXOR my JOXOR
     
    CTS, Mar 21, 2005
    #11
  12. CTS

    ICS-GS

    Joined:
    Nov 1, 2004
    Messages:
    347
    Likes Received:
    0
    Location:
    SE Melbourne
    provide the password upon request!!!

    I do alot of PLC programming, aside from providing great service (and hoping the customer calls me again for future work). I do password protect my files!:eek:

    The only reason we do this is to keep track of when the password has been requested (by the client). And from that point onward we explain to them that we are not responsible for the software on that unit. Sometimes they then call us back to do the alterations, other times the dont!

    However, without exception we provide the passwords to the client when requested. The password may be something as simple as the clients phone number, or your invoice number backwards.

    Maybe CIS could keep a record somewhere, not sure how they could manage this, possibly via some sort of online form, or integrate it into the toolkit software, and as soon as a password is generated it is written to a specific memory address somewhere so that they can extract it quickly and easily.

    Anyway thats my 2 cents worth.

    Cheers

    Grant
     
    ICS-GS, Mar 23, 2005
    #12
  13. CTS

    ashleigh Moderator

    Joined:
    Aug 4, 2004
    Messages:
    2,391
    Likes Received:
    24
    Location:
    Adelaide, South Australia
    What we have been considering is CIS to add a password which locks the unit.

    A magic (but not "secure") algorithm encodes the password entered so that its not bleeding obvious for scanning and extraction.

    If somebody wants to unlock the unit and does not have the password, a special extraction process can be used to get some information, which is sent to CIS. CIS in turn use that information to recover the password. This could all be done over the phone.

    No committment is made that CIS will actually roll this out, though.
     
    Last edited by a moderator: Mar 23, 2005
    ashleigh, Mar 23, 2005
    #13
  14. CTS

    The Don

    Joined:
    Nov 12, 2004
    Messages:
    16
    Likes Received:
    0
    This is my first post so please be gentle. As a homeowner, we are installing C-Bus throughout our new huge extension. We are happily paying an installer to do this for us. We are unable however to give very explicit instructions as to the scenes required because we haven't lived in the area yet and all we are asking is that all the electrical components be connected and we will bring the installer back in a few months to make the various modifications.

    Or, I might by then, be familiar enough with the various software that I have freely downloaded and installed, to make the modifications myself. (For example I thought I was going well by giving the installer printouts of the various pages for the monochrome touch screen which I had programmed on my PC, but we will now wait for the release of the new colour screen.)

    If I find that all the system is locked down by a password that only the installer knows, I will be a might miffed.
    And what happens in the future if the system is password protected is a bit frightening. I want the next user of my house to have 'clear ownership'. :)
     
    The Don, Mar 23, 2005
    #14
  15. CTS

    ashleigh Moderator

    Joined:
    Aug 4, 2004
    Messages:
    2,391
    Likes Received:
    24
    Location:
    Adelaide, South Australia
    See above - anything that CIS implements in the units will be reversable, and by a call to CIS.

    CIS has no axe to grind so if somebody asks for the password to be recovered we would do it.

    As stated however, we are not making a committment to implement a lock-down system for all the sorts of reasons previously described (including home-owners righly being very miffed).
     
    ashleigh, Mar 23, 2005
    #15
  16. CTS

    ICS-GS

    Joined:
    Nov 1, 2004
    Messages:
    347
    Likes Received:
    0
    Location:
    SE Melbourne
    I dont see the problem, if the customer is aware from the onset that a password exists, and it it primarily used to ensure traceability of the software.

    Ashleigh's sentiments seem to be on the right track...
     
    ICS-GS, Mar 23, 2005
    #16
  17. CTS

    Rick

    Joined:
    Aug 6, 2004
    Messages:
    5
    Likes Received:
    0
    Dear Mighty Miff

    I wouldn't pay the installer unless he or she handed over the password.
    In turn ,If i were the installer i wouldn't hand over the password unless i got paid.
     
    Rick, Mar 24, 2005
    #17
  18. CTS

    Josh

    Joined:
    Aug 25, 2004
    Messages:
    240
    Likes Received:
    0
    Location:
    Pretoria, South Africa
    Passwords

    Why would there be a need to lock the CBUS Installation

    1. Prevent the owner to change the installation, or/and
    2. Prevent unauthorized changes by vandals, or/and
    3. Prevent other installers to change the installation


    Personally, I do no think there is a need to lock (password protect) Toolkit or CBUS installation.

    Normally the Distribution Box (DB) is in a secure or semi-secure location and there should be no threat from outside the installation.
    As long as the owner is aware, that they will have to pay the initial installer if they make harmful changes.

    The same would apply if another vendor/installer makes the changes.

    I think adding the feature to lock the CBUS installation would be a waste of time and would add more pain and headache (as mentioned by previous posts) than needed. :confused:
     
    Josh, Mar 29, 2005
    #18
  19. CTS

    Richo

    Joined:
    Jul 26, 2004
    Messages:
    1,257
    Likes Received:
    0
    Location:
    Adelaide
    In a domestic situation I agree. In commercial or other situations the story may be very different. It may be the owener locking the system ... or their maintenance department. There can be lots of valid reasons when you consider every application of C-Bus in every industry, country and building possible.
     
    Richo, Mar 30, 2005
    #19
  20. CTS

    Monty

    Joined:
    Oct 26, 2004
    Messages:
    9
    Likes Received:
    0
    Location:
    New Zealand
    Intellectual Property!

    Here's a good one:

    "But I need to password protect it because it's my Intellectual Property"

    What do you reckon?
    Whose Intellectual property is it?

    Clipsals, or the Installer who configured it?

    Is it like saying that my Alarm clock is my intellectual property because I entered the time?

    Of course there's a lot of work goes into configuring these systems, but we charge the customer for that eh!

    A Nudge is as good as a wink to a blind bat eh!
     
    Monty, Mar 30, 2005
    #20
Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.