Security Camera without remote access

Ever since our garage doors got broken by burglars (they also broken others, stolen things, etc.), I wanted to get a security camera. However, it looks like there’s only two choices: a full sized CCTV system, costing many hundreds of pounds, with a lot of equipment and complicated setup, or cheap stupid WiFi cameras that not only require cloud access (to a cloud I don’t trust), but also opens up access to Mirai.

In 2016, the malware was already wide spread across the Internet and caused a huge Internet blackout, delivering hundreds of GB/s bandwidth in multiple DDoS attacks, also crippling many first grade websites like PayPal, Twitter and Spotify. Here’s some good coverage (as usual) by Ars and Engadget.

After the storm, I really though the IoT industry would shake up, grow up and a year or so later, we’d have better devices. Alas, mid-2017 still had vulnerable cameras in massive botnets. None of the big manufacturers issues recalls (only one small company did, AFAIK), and the cameras you find on Amazon today are the same you would find at the time of Mirai.

So, I had two choices: either pay premium for a full CCTV kit and spend weeks installing it all around my house (and getting the ire of the local community for a massive spy-shop), or build my own camera. Of course, I opted for the latter…

CameraApp

I’m not a very creative person when it comes to names (our kids have all standard names, as we do), so CameraApp sounds like a name as good as any. What it is, basically, is a Python script that pools a PIR sensor for movement, and when it sees it, the camera takes a snapshot (optionally flashing an LED). That simple. The main loop is about 10 lines of Python on a RaspberryPi. The snapshots go into a directory that has a simple PHP script, which generates thumbnails of new pictures and print a simple gallery of the images in a very crude HTML.

If you setup a web server on the board, you have yourself a gallery. If you mount that directory into a NAS, and have a web server on another machine, you have a remote server and backup. All of the security is managed by two simple concepts:

  1. System security: No root passwords, clamped down Linux, only access via SSH keys, only open necessary ports, etc. Left as an exercise to the sysadmin.
  2. Isolation: No access to the Internet needed, in or out, so if you want to get to the images from outside you’ll need to either VPN in or DMZ an external server out. If you DMZ your camera, you get what you deserve.

While I could have used any small gadget board, I decided to go with the RaspberryPi. Not only I had 4 of them lying around the house, but it’s the easiest one to find proper Linux distributions, compatible hardware on Amazon and instructions on the Internet.

Case Design

We also happen to have a 3D printer, and while it’s fun, it’s not easy to find uses for it to pay its own cost. Honestly, anything useful I can print on it, is cheaper on Amazon. So, if I get the chance to design something out of nothing, that’s a good use case for the printer.

On Thingverse, I looked for RaspberryPi cases, and you can find a huge list, so I just picked the simplest looking one (so I could mod). Then, using TinkerCAD, I designed from scratch a case for every component (PIR, LED, Camera) and joined them together into a face that would snap into the base. The project is here. That part took a lot of iterative print-try-mod cycles and the final design went back to Thingverse here.

Putting it all together

So, after printing and assembling the components, it looked like this:

The software was developed in the Pi itself, by connecting it to the TV (via HDMI) and using wireless keyboard/mouse and the Python IDE that comes with Raspbian. This setup makes it a lot easier to develop than Arduino or mbed, as everything I do can be live tested directly on the board, instead of having compiler-flash-no-output problems all the time.

After the development period was over, I could remove everything from the Pi but the power cable (remember, 2A at least), and use the on-board WiFi module for connectivity. This makes it extremely simple to put the camera in random hard-to-reach places. You could, in theory, use a battery (if it is able to provide 2A), but that means a big 20Ah would only provide a day or two and it would crash when the juice runs out (damaging the filesystem).

Uses

While this is great for indoor snooping and holiday reassurance, it needs more than what’s in the package to be actually useful (like most other cameras). The only use that actually comes for free as is, is the cookie jar example, but you don’t want to teach your kids to only do the right thing because someone is watching, so scratch that.

Holiday reassurance

For this use case, you’d just connect the camera and place it facing a door or the whole room. But if you keep the pictures in the camera’s filesystem, well, the burglar will take it too, and you’re back to square one. If you keep the pictures in a server, the burglar can also take the server, and your backups, so you need external backup. Luckily, Linux has good support for cloud storage, including safe (and encrypted) options, so you don’t need to trust the manufacturer.

You can either mount the Images directory directly on the cloud disk, or setup an rsync to push it once in a while in a cron job. In that case, you can easily look at the pictures while still on holidays, contact the police, send them the pictures and get it started even before you come back home.

Package Monitoring

Another problem that this could solve is package monitoring (ex. taking pictures of a door to see if a package has arrived), but this Python script won’t work because PIR sensors only detect movement of things that emit IR and boxes usually don’t. Extending to this usage would probably mean writing a slightly different script to take pictures every minute and compare with the previous. If similar enough, replace, try again.

You should replace the picture to make sure light and shadows only play a small enough role between two pictures, not the entire day. Also, comparing images will need additional software (like imagemagick), unless that’s your cup of tea and you want to do it all from scratch.

If the package you want to monitor is actually your pet, then the camera will work out of the box, providing you put the sensor on maximum, to capture the low heat that pets emit, compared to humans.

External CCTV

This is the use case I had in mind, but unfortunately, PIR sensors don’t work well through windows. That’s because glass is a good IR insulator, so this camera would pick up a mob with pitchforks and torches, but not much else. Unless you’re an orc afraid of your life, you’ll need to place the camera outside, and well, that comes with a lot of problems on its own.

First, the case will need to be waterproof (or at least resistant), and that’s a challenge on its own. The Pi is a computer, and as such, needs cooling, which is usually done by air passing on top of the CPU (or its heat sink). Heat it too much and the Pi dies, bricking the camera. Moreover, you will need to give some maintenance on the board some time later, so packing it as a one-off won’t do any good.

Second, taking power outside is usually done with proper extensions, not many of them with USB options, and not many USB adaptors are waterproof. So, the best option is to put the device inside a shed, providing the shed has power, of course. At least, taking power to a shed is a lot simpler (the endpoints are inside the house/shed) and then regular adaptors and bluetac would work for fixing the camera somewhere.

If your shed has solar power and a battery, giving the low consumption of the camera, it could last the whole summer at the very least.

The one thing I’ll have to add later is a way to configure the camera via a text file. As is, it doesn’t support night vision (even if your camera does), as this is a PiCamera option, along many others that one could easily add to the camera setup phase in the script. That’s my next step, which will go into GitHub as soon as I’m done.

Dash Cam

A bit of bluetac would work to put that case as is on your dashboard and the car’s power socket usually has more than enough power to support a 5V 2A adaptor. But again, you would have to write a new Python script to take videos instead of snapshots. I’d also add a big button to start/stop recording and a large USB dongle to store the videos (they’ll get big).

Educational Value

Getting a camera was the idea, but the most important take out was to show the kids how easy it is to do something functional. By using the right tools, things essentially build themselves.

A few of the takeaways:

  • By using the RaspberryPi instead of an Arduino, I could develop the app on the board itself and test it as I went, which really have shorten the development cycle.
  • It also allowed me to download Raspbian, which comes with absolutely everything I needed (OS, GUI, IDE, Python, PiCamera, GPIO, browser for searching).
  • It also allowed me to purchase the right devices on Amazon (especially the camera!) and everything worked out of the box.
  • By doing it in the living room (on the only TV), I forced my kids to watch and sometimes help. Seeing only the final product makes it look like magic.
  • The 3D printer was really helpful, as initially I have lost a lot of time looking for software bugs when actually the pins got disconnected by touching it.
  • And it turned out to be half of the fun, printing, fitting, trying again.
  • I hate to say this, but, by doing it in Python and PHP, I could really leverage the APIs and modules. Writing it in C++ would have been a nightmare and totally pointless.
  • And I could also find a dozen other projects that did similar things, and even steal a bit of code from them, refactor, change completely.

Closing Words

In the end, building stuff is always half the fun, so you have to plan accordingly. If you need a camera today, go buy on Amazon, but if you have some time to spare on your holidays and are bored of looking at the cold rain outside, a project like this really shines.

If this project interests you in anyway, feel free to collaborate (on GitHub, TinkerCAD, Thingverse), and let me know (in the comments or as GitHub issues) of ideas you have and problems you find. Happy hacking!

 

 

Google knows what you searched last summer

Despise all the controversy, Google started his new Privacy Policy last Thursday and whether you like it or not, you are being watched.

Being realistic, this is not far from what they were already doing: Google already tracked your searches, what you are watching on Youtube or your emails.

But before March, 1st, Google Plus, Youtube, Gmail and almost 60 Google products, were in different databases. With this change, Google guys are giving themselves the right to put all those products in just one big place, put one and one and one together to build a better and more complete online behaviour of YOU. And use it to chase YOU with their ads.

And you can’t opt out. If you want to use any Google product you are under their privacy policy.

It should be nonsense for me to tell you to stop using Google products. Almost everything you do in the internet today, from searches and emails, to finding a street and comparing products’ prices, is somehow through a Google product or related to it.

But you can at least reduce the amount of information that Google will be able to collect from you.

You can, for instance, delete your Google history going to https://www.google.com/history/ and clicking the button “Remove all Web History”

You can also configure your advertising settings here:  https://www.google.com/settings/u/0/ads/preferences/

You can edit your settings or even opt out.

 

Another way to “confuse” Google is creating a different account for each Google service (if you can keep up with all usernames and passwords).

Or, when watching a video on Youtube or searching the Web, make sure you are not logged in to your Google account.

There is also the possibility to use browser plugins that work to protect your data, or even anonymous proxies.

But, the truth is, as soon as you type into your computer, click anything, visit at a page, talk through Skype, or even talk on a telephone, (mobile or fixed), those who want to, can spy on you.

At least now Google is coming clear and telling you that they are spying on you. It makes better sense to me than living in a fool’s paradise, where you still believe that you have control over your life.

Smart Grid Privacy

I have recently joined the IETF Smart Grid group to see what people were talking about it and to put away my fears on security and privacy. What I saw was a bunch of experts discussing the plethora of standards that could be applied (very important) but few people seemed too interested in the privacy issue.

If you see the IEEE page on Smart Grids, besides the smart generation / distribution / reception (very important) there is a paragraph on the interaction between the grid and the customers, being very careful not to mention invasive techniques to allow the grid to control customer’s appliances:

“Intelligent appliances capable of deciding when to consume power based on pre-set customer preferences.”

Here, they focus on letting the appliances decide what will be done to save power, not the grid or the provider. Later on, on the same paragraph:

“Early tests with smart grids have shown that consumers can save up to 25% on their energy usage by simply providing them with information on that usage and the tools to manage it.”

Again, enforcing that the providers will only “provide [the customer] with information”. In other words, the grid is smart up to the smart meter (that is controlled by the provider), where inside people’s houses, it’s the appliances that have to be smart. One pertinent comment from Hector Santos in the IETF group:

“Security (most privacy) issues, I believe, has been sedated over the years with the change in consumer mindset. Tomorrow (and to a large extent today) generation of consumers will not even give it a second thought. They will not even realize that it was once considered a social engineering taboo to conflict with user privacy issues.”

I hate to be pessimist, but there is a very important truth in this. Not only people are allowing systems to store their data for completely different reasons, but they don’t care if the owner of the system will distribute their information or not. I, myself, always paranoid, have signed contracts with providers knowing that they would use and sell my data to third parties. The British Telecom is one good example. He continues:

“Just look how social networking and the drive to share more, not less has changed the consumer mindset. Tomorrow engineers will be part of all this new mindset.”

There is no social engineering any more like it used to be. Who needs to steal your information when it’s already there, on your Facebook? People are sharing willingly, and a lot of them know what problems it may cause, but the benefit, for them, is greater. Moreover, millions bought music, games and films with DRM, allowing a company control what you do, see or listen. How many Kindles were bought? How many iPhones? People don’t care what’s going on if they have what they want.

That is the true meaning of sedated privacy concerns. It’s a very distorted way of selfishness, where you don’t care about yourself, as long as you are happy. If it makes no sense to you, don’t worry, it makes no sense to me too.

Recently, the Future of Privacy Forum published an excellent analysis (via Ars) on the smart grid privacy. Several concepts that are easy to understand how dangerous they can be, became commonplace to not think about it or even consider it a silly worry, given that no one cares anyway.

An evil use of a similar technology is the “Selectable Output Control“. Just like a Kindle, the media companies want to make sure you only watch what you pay for. It may seem fair, and even cheaper, as they allow “smart pricing”, like some smart-grid technologies.

But we all have seen what Amazon did to kindle users, of Apple did to its AppStore, taking down contents without warn, removing things you paid for from your device, allowing or disallowing you to run applications or contents on your device as if you hadn’t pay enough money to own the device and its contents.

In the end, “smart pricing” is like tax cut, they reduce tax A, but introduce taxes B, C and D, which double the amount of taxes you pay. Of course, you only knew about tax A and went happy about your life. All in all, nobody cares who or how much they pay, as long as they can get the newest fart app

Who’s afraid of the big bad code?

What would Bruce Schneier say about the magic list that the NSA is putting together with Microsoft and Symantec of the 25 biggest errors in code that normally lead to a security flaw.

Don’t get me wrong, putting out a list of bad practices is a fantastic job, that’s for sure. It makes programmers more aware of the dangers, and as the article says itself, newbies can learn from experience before getting into a new field.

But the way that (lay) people take it makes it so magical that the practical side of such list is greatly reduced.

Order and size of the list

I understand that the order must have some sense, but which? Is it ordered by number of attacks in the last 12 months? Or by the sum of all reported losses caused by them? Or by number of such errors found in common code (on those companies’ code, of course)? Or by any other subjective “importance” factor from a bunch of “Security Experts”?

Also, why 25? Why not 30? Who says that the 25th is so important to show up in the list and not the 26th?

Real-world

We programmers know about most of them, know the problems they pose and normally how to fix them. We often want to fix them, but that normally requires some refactoring and now it’s time to implement those features that our client needs for the demo, right? We can think about that later… can we? Will we?

Than, NSA decides to make this a priority for the country and claim it as a national security problem. Big companies like fancy terms, and would strive to adopt any new standard that shows up in the market.

Then, comes down the VP of engineering and say:

“We need to make sure every programmer knows how to write code that is free of the top 25 errors.”

Done, he can put the GIF image from the NSA saying his company’s software is secure against all odds, according to the NSA and DHS.

Now, coders and technicians, tell me: Would any editor, IDE or compiler ever be able to spot those errors with 100% accuracy?

“Then we need to make sure every programming team has processes in place to find and fix these problems [in existing code] and has the tools needed to verify their code is as free of these errors,”

Of course not, but they will try, and Microsoft will put a beta on Visual C++ and other companies will tell their clients that their software is being tested with the new product and the clients will buy, after all, who are them to say anything about that matter?

Protect against who?

Now, after so much time and effort, 30+ companies and government departments working hard to come up with a (quite good) list of the most common errors that lead to security flaws for what?

“The real dedicated serial attacker will probably find a way in even if all these errors were removed. But a high school hacker with malicious intent – ankle-biters if you will – would be deterred from breaking in.”

WHAT?!?! All that to stop script-kids? For heavens’ sake, I thought they were serious on that… Well, maybe I expected too much from the NSA… again…

(Note: quotes from original article, ipsis litteris)

Bad Vista

Ooops, they did it again…

A whole new hacking style was discovered due to the complete incompetence of Microsoft’s engineers. When will they understand that security means the opposite of trust?

You can choose whatever framework you want (Java, .NET, ActiveX) build a simple program and have total control of the user’s machine in seconds. All that because our beloved Windows browsers trusts Microsoft’s technology only too much. And worse, the Windows kernel trusts Microsoft’s browsers and .NET too much too!

ActiveX attacks are not new, IE has an extensive history of huge holes through their magnificent piece of crap. Rendering Windows’ security hopeless is also not new, Outlook for decades gave hackers a free feature of one-click-exploit ™ but this is completely crazy.

No matter which way you go, what framework you use and what path you take, total control of the machine is a few clicks away. Worse still, as this confidence in crap dates back from Windows 2.0, I wouldn’t be surprised if they find they can do the same on all versions of any software (ahem…) they’ve produced so far, including DOS 1.0!!

Oh well, you can’t say you didn’t know, can you?

Nvidia helps crackers?

Their long support for the minority is well appreciated for us, Linux users, but now they’re indirectly supporting the bad guys as well! Not to panic though, every major breakthrough comes with a proportional cost (ie. nuclear physics).

According to The Register, this company is using NVidia’s GPU to reduce the password cracking from months to days!

The new CUDA platform allows you to use the GPU for numeric processing, giving a big advantage over the too generic (and too complex) CPU.

Now, just between us, they can’t say they didn’t know it was going to happen, can they? No one said week password schemes (even with strong public encryption algorithm) were safe…

Dangerous Files you Have to Avoid

temp1.jpg
Crackers like to use phishing to spread their malicious code. And actually, if you take care with just some file extensions you can avoid these dangerous codes.

If you receive an e-mail with the extensions .cmd, .bat, .exe or .scr, don’t open it, even if it comes from a secure source. And, as email servers are blocking these attached files, crackers are using telephone promotions, your bank account and other current subjects to direct you to a malicious link where a virus is downloaded. They develop sites almost identical to the original sites, “clones”, where the cracker has total control over your acts. It’s really common send scraps to Orkut users with these links.

Most files available to download in these websites are those kind mentioned in the beginning: .cmd, .bat, .scr or .exe.

The .cmd and .bat files are used to execute scripts known as batch files, to automate tasks. Crackers use these kind of files to steal user data. The .scr are screen saver files, and most users trust this kind of files, but the virus will be activated when the screen saver is executed.The most known, and still most used as phishing is .exe. Users know how dangerous these files are, but, most of time, they don’t pay attention to the extension they are downloading.

The files mentioned are Trojans and keyloggers. Trojans open your machine to the cracker and Keyloggers record everything you type. So, can you imagine the damage to your personal data?

Now that you know these dangerous files, what to do to protect your data? it’s always a good idea to have a firewall and other prevention methods that can identify these links and extensions. And don’t think you will notice that your computer was infected. The cracker don’t want to be noticed, he will be hidden, and quiet, to get all information he wants.

Take care with those files and links, check the extension, don’t open files from unknown sources and don’t execute anything in your computer that you are not sure what is. It’s not that hard to be safe on line.

Computer Forensics: Recovering Files – Part 2

Last week I introduced you Active@ File Recovery as a useful computer forensics tool and file recovery software.

Today, we go a bit further in Active@ File Recovery usage.

A few tips when using Active @ File Recovery to recover your lost files:

    1. Before install Active@ File Recovery for Windows it’s a good idea create a Recovery point, so, that way, if you don’t like the software or if it doesn’t work properly, you can easily restore your system for the situation before to install Acite@ File Recovery.
        – Actually, it’s a good idea set up a Recovery Point for Windows every time you will install any software in your Windows System. It will provide the basis for recovery if and when needed.
      • – A recovery Point is the basis that allows you undo all changes made in your system and recover all your configurations.
    2. Try to use Active@ File Recovery without install, so, there’s no risk to overwrite your files.
    3. Install Active@ File Recovery in a different Hard Drive or partition of the affected drive partition to avoid of writing over data that you wish to recover.
    4. After install Active@File Recovery, you can open it and navigate just like you do in Windows Explorer.
    5. Go to the file or folder you want to recover and choose recover option.

    1. When you choose this option it will open a new windows asking where do you want to place the recovery file or folder.

  1. If you chose to save at the original place, the system will warn you to save it in another place to avoid overwrite your file or folder. In this case, it will be impossible a future recovering operation.

But remember, not every lost file can be recovered. You have to think about the following possibilities:

    • We have to assume that the file entry still exists, I mean, it was not overwritten. The more the files have been created on your HD, the less chances that the space for that deleted file has been used for other entries.
    • We assume that the file entry is more or less safe to point to the proper place where file clusters are located. If the operating system had been damaged file entries right after deletion, the first data cluster becomes invalid and further entry restoration will not be possible.

So, as a general advice, do not write anything in the drive containing your deleted data and do not try to recover your files to the original drive data.

 

How to keep your Internet Life Browsing in a secure way

First of all, if you thought Internet Explorer and Firefox were your only options, you were mistaken. This section reviews Internet Explorer and Firefox basics and introduces other viable Web browser options.

Microsoft Internet Explorer is a common target for browser hijacking. Internet Explorer 7.0 provided a significant upgrade to Microsoft browser security but, still have flaws, like the one discovered for an Israeli vulnerability researcher. Aviv Raff warned in a posting on his blog Wednesday that Attackers could exploit a new flaw in Internet Explorer 7 (IE 7) to launch phishing expeditions. Raff said IE 7 running on Windows XP and Vista is susceptible to cross-site scripting attacks.

So, you don’t have options and you have to use IE, or maybe, for some weird reason, you just like it.

IE has the ability to provide a secure browsing, but it’s the responsibility of the organization or the user to configure it.
Yes you have to do your homework. You can start reading this How-to articles from Microsoft.

If you are tired of patching your IE browsers every week (at least) may consider migrating to Mozilla Firefox, a popular third-party browser that is generally thought to be more secure than IE. However, Firefox is not immune to attacks, and as the browser increases in popularity, it’s likely to become a bigger target for attackers.

In this link you can find a list of security tips for Firefox users, but it’s great reading for other users as well.

Not satisfied with Firefox or IE? Yes, there are other options, such as Opera, Safari, Konqueror, Lynx (this one just for grown ones) and others. They all have theirs pros and cons, visit their webpages and and learn what you should expect if you’re not using IE or Firefox.

And remember: on the second Tuesday of every month, Microsoft releases hot fixes for its newest flaws which almost invariably include Internet Explorer patches. Yes, at least twice a month you will have to patch your IE.

Others Web browser of your choice will release their patches eventually.