
GPS monitoring without prying eyes



"If you are not paranoid, this does not mean that no one is watching you." The development of the Internet has taken this statement to a qualitatively new level. It is now possible to watch someone without leaving the house, and the person being watched supplies all the information voluntarily. People post their personal data online without always thinking about who can access it. A login and password and a "Show only to friends" setting are reassuring; they create the illusion that we control the privacy of our own data. But there are still administrators and authorities who can find out anything that interests them, without asking and without your knowledge.

This is the problem of all systems that centrally serve many customers. For example, any popular social network has a single data repository (possibly distributed) that a certain circle of people can access for official purposes. Users are gradually beginning to realize the threat: peer-to-peer social networks exist (see the links in the article about Pandora), but they are struggling to gain ground.

A similar privacy situation exists for transport monitoring systems. For them, a fundamentally different approach is possible, one that lets the user fully control access to their data. The idea is simple: give everyone their own dedicated server in the cloud!


Watch yourself, be careful!


GPS monitoring systems are multiplying like mushrooms after rain. You can think of a dozen scenarios for their use. For example, a company monitors its own fleet, spouses monitor each other, parents their children, children their dogs, and someone else just their own car. Such systems typically have a web-based interface that lets you find out, from any device connected to the Internet, not only where the object of observation is now, but also its movement history (tracks) or statistics. It is convenient, but is it safe?

Just do not say that nobody cares about your movements! Tracks can tell too much about your lifestyle: where you are and when and, potentially, what you are doing there. Where do you live, where do you work? What shops do you go to? What time are you usually not home? Are you currently at the cottage or on vacation in another country? And somehow I do not want to put this data on someone else's server. It would be nice to have your own and keep everything under personal supervision.

This service is also offered on the market. Many companies are ready, for a fee, to install a monitoring system on your server. If, of course, you have one (judging by the statistics, probably not). And where is the guarantee that it is suitable and compatible with the operating system and the installed components? You are also unlikely to want someone else setting things up on it. There is only one way out: create a separate server exclusively for monitoring. But not every IT specialist can deploy a server and set it up correctly (!), and for a typical user or a company that has no need for a sysadmin, this looks like too heavy a task altogether, whether in complexity or in money. Therefore, the process of obtaining and setting up the server should be as automated as possible, and the cost of ownership should not be high. Thus, we are talking about a personalized vehicle monitoring system aimed specifically at ordinary people (perhaps far from IT altogether) or at small companies.


Lightness accessible to clouds only.


Fortunately, there are cloud service providers in the world. You can use AWS, whose services include the EC2 Micro Instance, a virtual cloud server of minimal capacity that is quite enough to monitor a dozen objects. Just as pleasant, it is provided free of charge for a trial period, i.e. for a whole year.

Usually, to create a server, you need to pick one of the many AMIs (machine images that contain already configured operating systems) and specify a number of parameters. For an unprepared person this is not easy, and for an advanced one it is boring, although with some familiarity it takes 20 minutes. The monitoring system will need an AMI prepared in advance and a fully automated process for installing it and the system.

There remains the problem of registering on Amazon and doing the initial account setup. Here some effort on the user's part cannot be avoided. In fact, all that is required is to fill in several forms and tick the right boxes in the management console. For a hacker this may seem like a trifle, but, again, we are talking about the most ordinary users. For them, filling out forms, especially ones that are not localized, can become a non-trivial task. In what format should the phone number be entered? Why does the address have 2 lines? What to do if there is no bank card, or if you do not want to give its details? In short, what is needed is detailed step-by-step instructions based on observing a test group of users.

As a result, the user receives a file with keys generated by AWS. These keys are passed to the system's installation server, and within 5 minutes the user gets the access parameters for the new server. During this time, the scripts install the AMI, create Amazon S3 (Simple Storage Service) storage for data and backups, configure the server and its components, generate random passwords, start the monitoring system and send the access parameters to the user.

The transfer of keys may look like the weak point from a security point of view, because the installation scripts could well save them in some database. Therefore, the truly paranoid are better off changing all keys and passwords themselves after installation, without the help of third parties.
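One way to carry out the key change described above, as an added example that is not part of the original post or of the project's installation scripts. It assumes the keys handed to the installer are the access keys of an IAM user and that the local AWS CLI is configured with them; `list_key_ids` and `rotate_access_key` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example (not the project's code): replace the IAM access key that was
# handed to the installation server. Assumes the AWS CLI is installed and its
# default profile currently uses that key.
# Usage: rotate_access_key <old-access-key-id>

# Print the calling IAM user's access key IDs, one per line.
list_key_ids() {
  aws iam list-access-keys \
    --query 'AccessKeyMetadata[].AccessKeyId' --output text |
    tr '\t' '\n' | sed '/^$/d'
}

rotate_access_key() {
  old_id=$1
  ids=$(list_key_ids) || return 1
  # Refuse to act on a key ID that does not belong to this user.
  printf '%s\n' "$ids" | grep -qxF "$old_id" ||
    { echo "key $old_id not found" >&2; return 2; }
  # IAM allows two access keys per user, so the new one must fit.
  if [ "$(printf '%s\n' "$ids" | grep -c .)" -ge 2 ]; then
    echo "two keys exist already; delete the unused one first" >&2
    return 3
  fi
  new=$(aws iam create-access-key \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text) || return 1
  new_id=$(printf '%s\n' "$new" | cut -f1)
  new_secret=$(printf '%s\n' "$new" | cut -f2)
  # Point the local CLI profile at the new key before touching the old one.
  aws configure set aws_access_key_id "$new_id"
  aws configure set aws_secret_access_key "$new_secret"
  # A new key can take a few seconds to become usable; retry the check.
  verified=no
  for attempt in 1 2 3 4 5; do
    if aws sts get-caller-identity >/dev/null 2>&1; then verified=yes; break; fi
    sleep 3
  done
  [ "$verified" = yes ] ||
    { echo "new key not usable; old key left in place" >&2; return 4; }
  # Disable, then delete: the key the third party saw stops working.
  aws iam update-access-key --access-key-id "$old_id" --status Inactive || return 1
  aws iam delete-access-key --access-key-id "$old_id" || return 1
  echo "$new_id"
}
```

Server passwords, and any copy of the old key stored on the monitoring server itself, have to be changed separately.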


Domus sua cuique est tutissimum refugium

(~ my home is my castle)

Using a personal server provides additional benefits:

And this is not even the most important thing. There is a feeling that the concept of personal servers can drastically change the entire Internet. Therefore, it would be very interesting to know the opinion of professionals about this approach.

The monitoring system that implements these principles has already been developed as a proof of concept; it is free and available for review. But before refining it and presenting it to the general public, I wanted to put the idea to the test and get some constructive criticism from the community about its security and weak points.

Source: https://habr.com/ru/post/168637/

