I’m providing a Pixelblaze as part of a festival stage. While i’d like the organizer be able to change/modify sliders of patterns already online to adjust the mood, i would like to protect my code so it can’t be used anytmore. Is there a way to lock code access ?
Thank you !
What do I do if the organizer is also a Pixelblaze hacker and knows this?
Dunno! Without good https on ESPs, seems our options for password protecting things like this URL are limited. After all, without auth on the underlying API, a hacker could just GET/POST the edit endpoints directly.
The first thing that comes to mind would be to set up an nginx reverse proxy to the Pixelblaze to block some routes combined with some firewall rules.
I can understand how TLS might be hard on ESPs, But HTTP Basic Auth doesn’t require HTTPS! It could be as simple as setting a username:password in the UI, which gets base64 encoded. Every response gets a WWW-Authenticate header and you check for the encoded string in the Authorization request header. … or does ESP not give you any control over simple HTTP headers?
A reverse proxy would work, but then you need an AP that will do that, for example openwrt (pretty sure it could do that) or a Linux box running hostapd.
I used HTTP basic auth back in the day, but if we’re assuming a hacker at least as good as you and me, I generally wouldn’t be ok with any auth token sent unencrypted. You could assume the wifi is WPA, won’t be cracked or guessed, and the rest of the network involved allows no packet snooping by the actor. Maybe that’s our level of pragmatic vs the prankster who can find and search these forums
I think… it’s important to ask what it is we’re trying to protect and why. For my part, I’d be much more interested in keeping the promoter/hackers/pranksters and random “helpers” out of the editor so they couldn’t mess things up in the code.
A tiny “disable editor” hardware switch on the Pixelblaze, like the ones on SD cards and some USB drives would be perfect for this, and would have no performance cost at all.
Indeed, in hololit’s case, the only threat is too-curious event organizers who want to do more that twiddle the knobs on the patterns. If you’re using the local wifi, then maybe pranksters on the network too.
For a long-term installation, it’s probably better to have a Pixelblaze as AP so the network is not so public, and to provide a separate channel if mulitple PBs are involved. The chances of a sophisticated hacker getting at that are pretty low.
The /?setup works great, this is pretty much what I’m looking for. But yes, it’s vulnérable to anyone who’d be actually looking on this forum as well.
As a suggestion, what could be even better:
- be able to protect more or less (for example restrict only access to edit/add/remove patterns but allow add/remove of playlists…)
- protect the “advanced setup” with a password. So it would be impossible to reverse it by accessing simply /?setup. In case the password is forgotten, allow full reset of the pixelblaze so it can be reversed to “unlocked state” by losing the programs. The idea would be, if I write my original patterns, do prevent them to be extracted and used on another controller.