PractiScore website results being upgraded - input welcome

[jcwren]

I know exactly what James is talking about because I do scoring and shoot with him. Given that each device has a synch code perhaps that could be used as the synch password? During the match briefing you could provide shooters with the synch code for the master device and then they could pull scores as they desired. Before we distribute tables to the squads we write down the tablet name T1 - T5 in our case and the synch code for each one. If you were prompted to enter the synch code when you pull scores from the stage tables you would be okay. The great thing about Practiscore is it uses the pull method of synching so that limits the ability for Billy and Bob to attempt to push enhanced scores to the master. Not that Billy and Bob would ever do such a thing, of course .

That's actually less secure that you would think. The sync code is the low 16 bits of the IP address of the device. I don't know about other ranges, but most of us up here run with a DHCP server on the access point. And if you're using a NOOK, you HAVE to, because the IP address can't be assigned statically.

Since that's the IP address assigned by the DHCP server, there's nothing to prevent a malicious Billy Bob from setting his iPhone or Android device with a static IP address that's the same as one of the stage devices. Usually if you have two devices at the same address, you'll get odd behavior. But that's not a guarantee, especially if the stage device has gone to sleep.

So that method, while a good suggestion, just isn't really secure.

Incidentally, that's why we also put the MAC address in the DHCP server, so the device always gets the same IP address. By doing this, we control the IP address, so when we have more than 9 devices, our sync codes don't go to 010A. Instead, device 9 has a sync code of 0109 (192.168.1.9), and device 10 has a sync code of 0110 (192.168.1.16). Now, we don't have to shift out of number mode to enter a sync code

Edited February 1, 2014 by jcwren

[JFlowers]

Please understand, my issue is really not one of "security". Just one where I don't want an accident. Personally, I would like to see either (a) a way to set that only specific devices can be synch'd FROM by the Master or ( only certain devices show up on the Synch List to be synch'd from... while still allowing every shooter on the range to synch their device from the Master.

Nothing too complex, nothing taking a lot of setup.

[ZackJones]

That's actually less secure that you would think. The sync code is the low 16 bits of the IP address of the device. I don't know about other ranges, but most of us up here run with a DHCP server on the access point. And if you're using a NOOK, you HAVE to, because the IP address can't be assigned statically.

Well it seemed like a good idea at the time . Thanks for the education.

[ZackJones]

Please understand, my issue is really not one of "security". Just one where I don't want an accident. Personally, I would like to see either (a) a way to set that only specific devices can be synch'd FROM by the Master or ( only certain devices show up on the Synch List to be synch'd from... while still allowing every shooter on the range to synch their device from the Master.

Nothing too complex, nothing taking a lot of setup.

Oh simple solution then. From Master you only synch from T1 - T5 . I get your point though you could accidentally synch from Zack's iPhone or Donna's Kindle, etc when you really only want to pull scores from the official scoring tablets.

Just thinking out loud here but is it possible for a device to appear on two WiFi networks? If so we could setup a private "scoring" network where only the Master and T1-T5 tablets are joined and then a Guest network where the Master and individual shooters could join to pull results from the master. Could any of you WiFi smart guys comment?

[wgnoyes]

...

Just thinking out loud here but is it possible for a device to appear on two WiFi networks? [As far as I know, no - Bn] If so we could setup a private "scoring" network where only the Master and T1-T5 tablets are joined and then a Guest network where the Master and individual shooters could join to pull results from the master. Could any of you WiFi smart guys comment?

Two networks is the solution that's available right now and that's what we intend to do at Area 6 assuming we run it as a PS match. I don't want to have to write down or key in synch codes, that's miserable and really slows things down. Neither do I want to see 300 different devices on the scoring network. So we intend to secure the scoring network with a password (which will NOT leak out so that's all the security I need) and have a separate open ssid being served by an iPad which will be synced from the scoring master on occasion for the competitors. And of course, competitors can always just goto practiscore.com to get the latest match results which will up loaded as syncs are done from the stages to the master.

[Ken N.]

I prefer the secure net solution. With competitors synching from the cloud.
That said, I know it isn't viable for all places. We will cogitate and figure out approach that can happen pre-match and is simple to do solely within the app.

All cloud connections are moving to https with next website update.

Ken N.

Edited February 1, 2014 by Ken N.

[JFlowers]

Cloud is not very helpful with the range well away from anything, including good stable cell service. Not sure how to connect the Master to two networks simultaneously, but I don understand that solution just means more hardware.

[wgnoyes]

Yeah, I always have to assume there is no internet connection, period. One of our clubs is literally on top of a mountain and you can see for miles and miles, yet regardless of who your carrier is, this is still absolutely NO service up there.

Edited February 3, 2014 by wgnoyes

[wgnoyes]

Cloud is not very helpful with the range well away from anything, including good stable cell service. Not sure how to connect the Master to two networks simultaneously , but I don understand that solution just means more hardware.

[bp78]

Practiscore does an awesome job at what it does. Most amazingly for the price we all get it at thanks to the generosity of it's sponsors.

The app does not need enterprise level security. Folks as is can have enough problems just getting it up and working.

For big matches, just bring in the appropriately tech savvy people to run them if you're concerned about security issues. You can still do a private network which is locked down to your Nooks MAC addresses only. There are plenty of control steps to take on the network and match admin side to keep it secure and not try to burden Ken & the Practiscore guys with core security stuff when they could be off adding new score statistics, match types, and other usable features for the niche it fills so nicely.

@ Nifty Bytes & Practiscore, thanks again for the app and the continued development. I'd still like to see some score posting/integration within our own club websites though. ;-) Even an iframe link would rock...

Edited February 1, 2014 by bp78

[ZackJones]

Two networks is the solution that's available right now and that's what we intend to do at Area 6 assuming we run it as a PS match.

I hope that you guys do decide to run practiscore at Area 6, especially if Jay Corn is going to be there. It would be interesting to get his feedback given that he really seemed to like the scoring program they used in Florida recently. If you do decide to run it I'll gladly help in any way I can.

[Ken N.]

Practiscore does an awesome job at what it does. Most amazingly for the price we all get it at thanks to the generosity of it's sponsors.

The app does not need enterprise level security. Folks as is can have enough problems just getting it up and working.

For big matches, just bring in the appropriately tech savvy people to run them if you're concerned about security issues. You can still do a private network which is locked down to your Nooks MAC addresses only. There are plenty of control steps to take on the network and match admin side to keep it secure and not try to burden Ken & the Practiscore guys with core security stuff when they could be off adding new score statistics, match types, and other usable features for the niche it fills so nicely.

@ Nifty Bytes & Practiscore, thanks again for the app and the continued development. I'd still like to see some score posting/integration within our own club websites though. ;-) Even an iframe link would rock...

Thanks. Embedding is intended, like Youtube and Facebook provide.

This thread is intended for feature requests primarily about the web but other items will leak in, and I don't mind at the minimum discussing it. In this case, synchronizing with only authorized devices is fairly simple based on things we've already added, so I don't mind adding it to support clubs that have limited resources, Or aren't technically savvy to set up the sort of network my range has.

Doing something like this won't slow down the web improvements, which largely go to other engineers.

The next technical front in the app itself will be better support for open squadding. I have ideas here that I hope will be simple, not require range connectivity, and that will actually make open squadding an attractive option for clubs not doing it currently. Some of our most active clubs such as Rio, Norco, and even some matches we run on my range are not using practiscore as efficiently as they could if we had better support for open squadding. At a minimum the changes I am contemplating will make registration for existing squadding approaches painless and quick.

In an effort to keep from creating infinite thread as was the first practiscore thread, I will start a thread specifically for open squadding improvements sometime next week.

[Ken N.]

Cloud is not very helpful with the range well away from anything, including good stable cell service. Not sure how to connect the Master to two networks simultaneously , but I don understand that solution just means more hardware.

On one master 2 networks at same time... It cannot be done, at least not in a way that would yield the benefit desired. The only thing I can think of would be to have an authorized device and a feature added to automatically switch between networks, find the master and synch, and switch back to the public network. Since the majority ranges now have 3G coverage I don't see prioritizing this since we can push to the cloud and they can sink from there.

[LabMan45]

...

Just thinking out loud here but is it possible for a device to appear on two WiFi networks? [As far as I know, no - Bn] If so we could setup a private "scoring" network where only the Master and T1-T5 tablets are joined and then a Guest network where the Master and individual shooters could join to pull results from the master. Could any of you WiFi smart guys comment?

Two networks is the solution that's available right now and that's what we intend to do at Area 6 assuming we run it as a PS match. I don't want to have to write down or key in synch codes, that's miserable and really slows things down. Neither do I want to see 300 different devices on the scoring network. So we intend to secure the scoring network with a password (which will NOT leak out so that's all the security I need) and have a separate open ssid being served by an iPad which will be synced from the scoring master on occasion for the competitors. And of course, competitors can always just goto practiscore.com to get the latest match results which will up loaded as syncs are done from the stages to the master.

I'm from the KISS school of engineering and this is what we do currently. I run a secured router for the designated scoring devices and our master and a second open guest router with my pad as the second 'master' for anyone on the property with a device and the app installed to view. It's a little hassle for me to keep the second master current with the match, but not much, and is worth it not to stress over a possible accidental sync from a non-designated scoring device.

[LabMan45]

Ken - I sent you a PM with a follow-up on the dialog we had about on-line registration from the 23rd. Thanks for the help.

Jim S.

[RadarTech]

I've been meaning to reply for a couple days here, but can't do that from the iPAD.. so-------

Ok-- I may be crazy for saying this.. BUT I have seen several people have concerns about the paper backup, and the ability to share scores with the competitors. and then we have the WIRTEX solution popping up here and there...

Here are my thoughts.

A tablet CANNOT be on the two different WIRELESS NETWORKS... BUT a LAPTOP--- it COULD be on a wired and a WIRELESS Network... It can make a ROUTING decision..

That is what can't be done on a tablet as it only has one network interface.... Even a Laptop with the right drivers could have a single WIRED interface and be on TWO networks.....

So how about this idea:

A Windows APP, much like the one we have now to pull scores from PS for EZWIN integration... BUT It is programed to do the following:

it pulls the scores from the NAMED devices on the Wireless Network and then on the WIRED Network it then acts like a tablet and let's shooters pull scores.

This would serve several purposes...

1. BACKUP to the handhelds...

2. Serves the shooters.

3. the PULLED from stage devices' data could be time stamped and noted for changes.

4. allow for the security several have asked for.

As for the network configuration...

If you have a "SMART" AP such as a UBNT or Cisco or ANY AP that can do MULTIPLE SSID's/Wireless Networks that could be segmented.

For the network geeks-- an 802.1q trunked AP with the proper network cards.. or a USB network interface on the laptop... (basically get 2 Network interfaces)

WPA or other Secured Wireless NET for the official devices, and UNSECURED for the "guest"

a little "LAN" magic and you are DONE....

OR

Wireless Connection on the laptop and then a WIRED connection to AP #2..

OR

WIreless Connection to the laptop in the SECURED MATCH wireless and then Wired to a VLAN capable Switch that connects to the SAME AP but on the GUEST SSID

There are some technical needs here...

A couple swtiches that could do this are the Netgear GS108T-NAS ~$60 on amazon or the DLINK DGS-1100-08 also about ~$60.

Of Course if you have 200-300 competitors and they all get on the SAME AP, you MIGHT have issues with older AP's as they can only handle 15-30 clients reliably....

Of which you could shutdown/limit devices....

Anyway-- Just a Few thoughts--

Edited February 2, 2014 by RadarTech

[gose]

Just looked at the 3GN regional results and the positioning of the scrollbar is just horrendous. To see the individual stage results I have to scroll down to the bottom, scroll to the right, scroll back up again, and then try to find the right row with no reference to row number or shooter name?

Look at the attached screenshot, how is anyone supposed to be able to identify anything here?

Scrolling has to be made in context, or there has to be some reference to row # or shooter name (preferred).

Edited March 3, 2014 by gose

[DrawandDuck]

I agree on the website match results.....Take AL Section results, when you click on the OVERALL all the info. is displayed on one page. When you click on stage results you have to scroll forever....Can the stage results not be displayed on one page like the overall results?

[wgnoyes]

If you mean column width, I agree. You have to specifically code to make a column wider than its maximum-length character string in a cell, so I don't understand. I think they're probably working on it.

[gzo]

Food for thought .....QR Codes should be what USPSA uses on there member ship cards, then have PractiScore able to read and use this code information to register that shooter. Take it one more step and have it generate one for the devices to scan and upload the scores.

[euxx]

Food for thought .....QR Codes should be what USPSA uses on there member ship cards, then have PractiScore able to read and use this code information to register that shooter. Take it one more step and have it generate one for the devices to scan and upload the scores.

Huh? http://www.brianenos.com/forums/index.php?showtopic=144925&page=50entry1989647

[wgnoyes]

Yeah, but that's not actually available, is it? If so, where? I must have missed it.

There's also a vocal group of IT folks who think qrcodes are a massive security risk, in that you can't actually read the imbedded url in the code, and it may send you off to god knows where. I don't agree with that all-condemning assessment; I'm just saying it's out there.

Also from a commercial software standpoint, if you have the latest 2013 version of msword, that will supposedly generate qrcodes. Link. And adobe indesign will also do it. I've used the latter; it's there and easy.

[ZackJones]

How about a good ole bar code on the back of our membership cards? Easy to print, easy to read, no obscure URL's hidden within, what's not to love?

[jcwren]

Extremely low information density, largely numeric only.

http://www.gs1.org/barcodes/technical/bar_code_types

Edited April 1, 2014 by jcwren

[alma]

I remember the uproar about QR Codes. I believe it was largely overblown and highly theoretical.

The applications that I have used to scan QU will generally display what the data is and prompt the user about what action to take. For example, if it contains a URL then it will say something to the effect of URL HTTP:// www[.]badsite[.]com / malware.apk before asking if you want to go to that link.

Additionally, the risk of scanning a malicious QR is arguably no different then clicking on a malicious link in an email or being redirected to a malicious website from a legitimate one. The mobile operating systems (iOS and Android) are architecturally very different than the traditional desktop systems and it is very difficult for to get infected without requiring explicit user interaction. For example, one of the local shooting clubs had it's Yahoo webmail account compromised and it sent out a malicious link to every shooter in the email list. Clicking on that link from an Android smart phone my phone promptly downloaded a malicious Android application called Security_Update.apk .

This action alone was not enough to infect my phone. After the application completed it's download my phone prompted me as to whether I would like to install this application and showed me a list of the permissions being requested by the malicious application. Without confirming that I wanted it installed it is still sitting harmlessly in my downloads directory. There is one critical security configuration that is highly recommend for Android users. Under Security settings it is a check box called "Unknown Sources: Allows installation of apps from sources other than the Play Store." Unless you are very comfortable with knowing what you are downloading at all times I recommend leaving this box unchecked. The vast majority of malicious code targeting the Android platform comes from "unknown sources" including shady third party App stores and other single file downloads. With this box unchecked, only applications from the Google Play Store can be installed.

Since Apple iOS devices do not have an option to easily install applications from untrusted sources (i.e. anything but the Apple App Store) it is much more difficult to infect an unjailbroken iPhone or iPad.

In addition to this information there is another reason why the use of QR codes in a custom application would not be a security risk. In the context of an application you can be selective about what actions can be taken from scanning a QR code. If you don't need to use it to directly link to internet sites then you do not have to configure that functionality. If you did need to do that then in the application itself you could easily use data input validation to ensure that the URL was hosted on practiscore's domain to assure that no misdirection could be accomplished. Data input validation should also assure that all other inputs read off of the QR code are bound to expected field lengths and acceptable values.

In summary, for use within a custom application there is no security risk to use QR codes when implemented properly. It is just an alternate form in input for the application.