
Proxy (YC S16) Is Digitizing Your Presence - stvnchn
http://themacro.com/articles/2016/08/proxy/
======
denismars
Very excited to get this off the ground - we've got some big ideas where this
can go - ultimately we want to support many use cases, but before we get there
we need to battle test it in the market - would love any feedback, and if you
want to get involved reach out to me denis at proxy dot co

~~~
fergyfresh
Do you encrypt the Bluetooth signal at all or is it all out there? That is the
only thing that scared me, you obscure user information with a unique-id-key,
but if I'm close to your office I can just get your key and get in the
building.

~~~
sratner
We use a one-time token for each interaction. We don't use Bluetooth
encryption, but the tokens are signed and cannot be replayed/transferred, so
intercepting one is near-useless.

~~~
j4_james
Would this not still be vulnerable to a kind of man-in-the-middle attack
though? I don't know much about the workings of Bluetooth, so maybe this just
isn't possible, but I was envisioning a kind of relay device that could
capture an incoming signal, forward it to another device, from which it would
then be rebroadcast.

The idea being you have an attacker standing in front of the door, relaying
the Bluetooth transmissions to an associate, who in turn rebroadcasts those
transmissions to an employee who he has followed out to lunch. That employee's
phone then responds exactly as if he were standing in front of the door.

I can't see why this wouldn't work, but I'm sure I must be missing something.

Obviously if the user is forced to confirm an ID request before continuing
with the transaction this wouldn't be a problem, but I got the impression from
the article that that wasn't necessarily required.
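
An added example, not part of any comment in this thread and not Proxy's code: a minimal door-side verifier for the kind of signed, one-time, short-lived token sratner describes, with the user-confirmation requirement j4_james mentions as an optional door policy. The token layout, the 10-second lifetime, all names, and the HMAC shared key used as a stand-in for the signature are assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: shared secret standing in for a real signing key
TTL_SECONDS = 10               # assumption: the thread does not quantify "short-lived"


def issue_token(user_id, nonce, issued_at, user_confirmed):
    """Phone side: JSON claims followed by a hex HMAC-SHA256 tag."""
    payload = json.dumps({"uid": user_id, "nonce": nonce, "iat": issued_at,
                          "confirmed": user_confirmed}, sort_keys=True)
    tag = hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


class DoorVerifier:
    def __init__(self, require_confirmation):
        self.require_confirmation = require_confirmation
        self.seen_nonces = set()  # entries older than TTL_SECONDS could be pruned

    def verify(self, token, now):
        payload, _, tag = token.rpartition(".")
        expected = hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "reject: bad signature"      # parse claims only after this passes
        claims = json.loads(payload)
        if not 0 <= now - claims["iat"] <= TTL_SECONDS:
            return "reject: expired"
        if claims["nonce"] in self.seen_nonces:
            return "reject: replayed"           # a captured token cannot be reused
        if self.require_confirmation and not claims["confirmed"]:
            return "reject: no user confirmation"
        self.seen_nonces.add(claims["nonce"])
        return "accept"


def demo():
    now = 1_700_000_000  # constructed timestamp
    hands_free = DoorVerifier(require_confirmation=False)
    strict = DoorVerifier(require_confirmation=True)
    t = issue_token("alice", "n-001", now, False)
    return [
        hands_free.verify(t, now + 1),   # first presentation
        hands_free.verify(t, now + 2),   # same token presented again
        hands_free.verify(issue_token("alice", "n-002", now, False), now + 60),
        strict.verify(issue_token("alice", "n-003", now, False), now + 1),
        strict.verify(issue_token("alice", "n-004", now, True), now + 1),
    ]
```

The signature, lifetime and nonce checks in this sketch carry no information about where the phone is; the confirmation policy is the only check here that depends on a deliberate user action.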

------
ilikeatari
Really neat idea! In the office building use case - what happens when you
approach the door? Is the door unlocked automatically or is the user prompted
for some action? Basically what happens if your phone is stolen?

~~~
sratner
Can do either - hands-free, or require a second factor like screen unlock and
manual tap. If your phone is stolen, the first thing you'd want to do is
revoke your account authorization (via web or another device), just as you
would to protect your email accounts and anything else sensitive. If you are
more paranoid, remote wipe - many companies have that as a policy already.

We don't store credentials on the phone, and the tokens we issue for each
interaction are short-lived.

------
caleblloyd
If the receptionist has this, and they sit within 10ft of the door, is the
door perpetually unlocked? Or is there an algorithm to prevent this very
behavior?

~~~
sratner
You can set the detection range for your setup, or disable auto-unlock.

------
throwanem
> Wouldn’t it be great if you could just walk up to any cafe, the monitor
> senses you and knows exactly what you want, and you just push one button and
> wait for your coffee?

No.

