OpenNDS voucher

Hello,

How safe is the linked Python openNDS add-on? Does it contain bugs? Not easily hackable? This is a GitHub development, not developed by openNDS.

ask the people over at openNDS, or the creator, as you've been told (many times) by @bluewavenet, in the past?

the full source for openNDS is on github, and so is openwrt, so I guess they're both insecure ...?
but hey, it also means you can look into the code, spot and report any insecurities you find.


The Python code is a trivial example of how to generate a voucher roll. You would run it on your private computer and it produces a "csv" text file containing a list of vouchers.
You would probably import this into Excel or similar and run a macro to print out a paper voucher to give to customers.

So "is it hackable" is not a relevant question. Who is going to hack it?

Like I said, it is a trivial example of how to generate a voucher roll... Write your own if you do not like the Python version.

Do you mean "Is the theme_voucher script hackable"?

This is just a standard Themespec script that is run by the libopennds library to generate a login sequence of html pages.
openNDS aims to make it virtually impossible to bypass the login sequence for any Themespec script, as it uses a shared key hashing of a unique access token.

So theme_voucher is as secure as any other Themespec script. You are welcome to study all the code and make comments, as indeed many others have done in the past.

It is a "Theme" script developed by a member of the openNDS community and after testing was accepted as a Community contributed script. It is a fairly simple (B)ASH script consisting of ~500 lines of code, based on the standard theme_user-email-login-basic.sh script, so will be quite easy to read if you are worried about it.

Note on Voucher Systems
Way back in time when WiFi first became a thing but Internet access was expensive and slow, a Captive Portal with paid vouchers was a desirable thing.

Twenty or more years later, things have moved on dramatically.
Now a venue, for example a coffee shop, is expected to have free WiFi and if it does not then customers will, quite simply, choose a coffee shop that does have free WiFi.

A voucher system, even if free, is inconvenient for today's discerning customer and puts an onerous load onto staff at the venue.
What venue owners demand is an autonomous system they can plug and forget, but a system that complies with both privacy laws and controlled connection recording for anti-criminal and anti-terrorism requirements, in addition to enforcing Terms of Service acceptance, passing liability for misdeeds onto the customer.

Voucher systems have long been dead in all countries with developed Internet availability for many years now.

Even those countries lagging behind are rapidly catching up. Even in the small number of areas where a voucher system seems at first sight to be desirable, there are far better ways to provide venue Internet.

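An added example, not the add-on linked in this thread and not openNDS code: a voucher roll generator of the kind described above, written so the codes come from the operating system's CSPRNG (Python's `secrets` module) and are unique within the roll. The alphabet, code layout and CSV column names are assumptions made for illustration; match them to whatever your voucher theme script actually reads.

```python
import csv
import io
import math
import secrets

# Assumed alphabet: no 0/O/1/I/L, so printed codes are hard to misread.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def make_code(groups=2, group_len=4):
    """One voucher code such as 'K7QM-3XHT', drawn from the OS CSPRNG."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )


def code_entropy_bits(groups=2, group_len=4):
    """Bits of entropy per code; guessing effort is about 2**bits / roll size."""
    return groups * group_len * math.log2(len(ALPHABET))


def make_roll(count, minutes, groups=2, group_len=4):
    """Return `count` unique (code, minutes) rows."""
    codes = set()
    while len(codes) < count:  # the set silently drops rare collisions
        codes.add(make_code(groups, group_len))
    return [(code, minutes) for code in sorted(codes)]


def roll_to_csv(rows):
    """Serialise the roll as CSV text (hypothetical column names)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["voucher_code", "time_limit_minutes"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(f"{code_entropy_bits():.1f} bits per code")
    print(roll_to_csv(make_roll(count=5, minutes=60)), end="")
```

With the default layout each code carries just under 40 bits; lengthen `groups` or `group_len` if the roll is large or vouchers stay valid for a long time.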