Network video camera
Thoughts

Power consumption in data centers and online cameras

There’s an interesting article linked below that talks about the internet of things and the potential for net negative power consumption after more and more devices go online. I’m not going to get into a discussion about the significant potential for hacking these devices and the need to constantly update their firmware, because that’s a great big subject. What I want to talk about is online cameras and power consumption. The quote that got me started is this:

Hölzle acknowledges that his prediction comes with a caveat: the proliferation of online cameras—which send so much data across the network—may cause a steep rise in power consumption across the world’s data centers. “Video is the one exception,” he said on Tuesday.

via Google Says the Internet of Things’ Smarts Will Save Energy | WIRED.

Of course online cameras eat up a lot of power across data centers, even though they shouldn’t. It’s because every one of the camera makers opts for the easy setup that involves the cloud and the possibility of extra revenues in the form of monthly fees instead of offering the possibility of a straightforward home setup, where the cameras are made accessible through the owner’s firewall.

When that happens, when you can access your home cameras directly through your firewall from your laptop, tablet or phone, you cut out the cloud and the extra power consumption. It’s a little more difficult to do but it’s the right thing to do if you want to reduce power usage, particularly when a lot of firewall/router makers (such as Dlink) also make network video cameras. Surely they can streamline the process of setting them up through their own firewalls and making them available to the owners. Dynamic DNS is the one part of the equation that’s still a bit difficult but I’m of the opinion that each firewall/router maker should run their own DDNS service, just like they already run their own time servers. (DDNS is important because your IP address changes often with some ISPs, making it fairly impossible to get at your firewall simply by bookmarking your external IP address.)

There is another aspect of this that’s worth mentioning. Cloud-based setup and administration of network video cameras becomes a worthwhile proposition when these companies offer subscription-based archival of the video footage. If the cost is reasonable, where you can archive say, eight video cameras for $20-30/month and then be able to search that footage for motion, vloss and audio markers, then it’s worth getting. When a knowledgeable thief breaks into your house, if he sees you’ve got video cameras, he’ll often rip out the DVR and take it with them (if they can find it). When the video is stored in the cloud, they can’t rip anything out, you’ll still have the proof, and that’s a very good thing.

Standard
Thoughts

Identity theft and password security

A neat infographic that details how identity theft occurs and why password security fails when passwords aren’t secure enough. If you’ve ever wondered why you’re asked to choose both lowercase and uppercase letters in your password, know this: an eight-character lowercase password can be cracked in just two hours, but if you add just one uppercase character, it can take up to 200 years.

Identity Theft and Password Security

Standard
Thoughts

American airport hysteria

I love this article from Patrick Smith at Salon.com. It’s on the subject of American hysteria when it comes to airport security, and it references all of the overblown and recent responses of the TSA and other individuals charged with security at American airports. Since when have we become such a nation of frightened ninnies?

“This country needs to get a grip. We need a slap in the face, a splash of cold water.”

“What caused the delays and what hassled so many travelers was not the defendant’s actions, but our mindless and hysterical response to them.”

“Here in this proclaimed new “age of terrorism,” we act as if the clock began ticking on Sept. 11, 2001. In truth we’ve been dealing with this stuff for decades. Not only in the 1980s, but throughout the ’60s and ’70s as well. Acts of piracy and sabotage are far fewer today.”

“Imagine the Karachi attack happening tomorrow. Imagine TWA 847 happening tomorrow. Imagine six successful terror attacks against commercial aviation in a five-year span. The airline industry would be paralyzed, the populace frozen in abject fear. It would be a catastrophe of epic proportion — of wall-to-wall coverage and, dare I suggest, the summary surrender of important civil liberties.”

“What is it about us, as a nation, that has made us so unable to remember, and unable to cope?”

Patrick isn’t the only one upset about this. I wrote about our overblown airport security rules in the past — see this article, and this one, and this as well.

All I can say is that hope can be glimpsed across the pond, in Europe. Having flown through multiple European airports this past year, I can tell you things appear more rational there. Even when there are extra security checks, the tone is calm, the demeanor is calm, and you’re not eyed with suspicious eyes, like you are here in the US, where everything is seen as a threat.

Standard
Thoughts

Obama wants to increase airport security tax

Waiting to check in

We’re currently getting charged $2.50 per passenger to go through the security theater* at our airports. Now the Obama administration wants to increase this fee. Quoting from this article at the Economist:

“The Homeland Security portion of Obama’s proposed 2010 budget (PDF) includes a plan to raise the fees by an as-yet-undisclosed amount in 2012. The increase, the White House says, is needed because the current fee only funds about 36% of airport security costs.”

So let me get this straight: not only do we have to go through the inane, annoying and useless experience of getting scanned, uber-prodded and turned over every time we want to board a plane, but now we’ll have to pay more for that unsavory experience as well? Thanks a lot, Mr. Obama. I can see my vote went to a good cause.

As I said before, I think we should be doing away with the whole darned thing. What happened to accepting the risk and moving on? That’s how the United States was founded and built. It wasn’t built by wimps who wanted to make sure no letter openers or nail clippers got on the plane with them. Why zap us with X-rays, make us take off our shoes, put us through air blowers to sniff us (I’ve half a mind to fart when I go through those things just to see what happens), open up our luggage, and generally speaking stink up the whole flying experience when we don’t really need any of it?

It’s shocking to hear that, isn’t it? Truth of the matter is we wouldn’t really need any of it if security were done right, and if people had the courage to step up and disarm the terrorists when and if they dared do something on a plane. Since the general populace is a bunch of pansies who’d rather have big-brother government do everything for them, now we have to put up with cretinous security checks and starting next year, with increased fees for said security checks. Hooray for democracy, where the majority rules with a pudgy, slightly damp and sweaty fist, tired from holding the remote control too long.

* Term coined by Bruce Schneier.

Standard
Lists

Condensed knowledge for 2008-03-23

Standard
Lists

Condensed knowledge for 2008-03-17

Standard
Lists

Condensed knowledge for 2008-03-12

Standard
Thoughts

Catching a code injection hacker in the act

Several days ago, I installed the Redirection plugin from Urban Giraffe. It’s truly awesome, in more ways than one. John Godley, you are an amazing programmer! As I re-arranged the categories on my blog, I tracked the 404 errors through the plugin. On Saturday morning, I noticed the following bit of information in my log:

You can click on the thumbnail to view the screenshot at full size. Look at the entries for IP address 65.90.251.169. Notice something peculiar? That’s a hacker trying to inject malicious code into my pages. He was trying to call to code contained in a text file by the name ide.txt located on a possibly compromised domain.

First, I checked out his domain, new-fields.com. It looked legitimate. The text file was another story altogether. Have a look at the screenshots above. I also saved the code to my computer in case it ends up disappearing from the hacker’s website.

I tested the code, and it looks like some pages from the podPress plugin are targeted or affected — at least that’s what the error message given by WP referenced when I ran the code. I had that plugin enabled at the time, and I’ve disabled it since. It seems that the code tries to modify one of the header.php pages, along with checking disk space (?). So I thought, let me find out who this hacker is. Apparently, he’s from Napperville, IL, US, or at least that’s where his IP address lives.

What’s more, I thought it’d be interesting to see who owns that domain name where his text file resides. It turns out to be one Samir Farajallah from Dubai.

So what we’ve got so far is some dude in Dubai who owns the domain where the malicious code resides, and some hacker in Napperville, IL, trying to exploit my blog using that malicious code.

Wait, it gets better… On Saturday evening, I have another look at my blog’s 404 log, and I find that some other hacker from Vietnam (IP address: 203.171.31.19) is trying to hack into my blog using that exact same code, but this time the text file’s located on some domain in Argentina. That last link leads directly to the text file with the malicious code, but it’s harmless if you browse it. It only works if you run it as PHP code, like these hackers are trying to do.

So far, it looks like I’ve got two hackers, who may or may not be working together, using the same malicious code, located on two different, possibly compromised domains, and trying to modify my header files, possibly to insert code in there that will display splog content or some other stuff.

Update: It looks like three more hackers are trying their luck today, on Sunday morning, 9/30/07. Their IP addresses are 65.98.14.194, 66.79.165.19 and 66.11.231.48.

What I can tell you is that they haven’t been successful. I checked all of my files, and none of them have been touched. Everything’s fine. At this point, I’m not going to waste any more of my time trying to hunt them down. If I see that the attacks continue, I’ll notify my web hosting provider, along with the hosting providers of the other domains, and I’ll also notify the ISPs who own the IP addresses used in the attacks.

My thanks go out to John Godley for the wonderful Redirection plugin. I wouldn’t have been able to catch these hackers without it. I don’t often check my 404 log files, although I should.

I’ve been working in IT for 13 years or so. Maybe I’m naive, maybe I’m too honest for my own good, but I’ve stayed away from this hacking business, and I’ll continue to do so. It’s just not a sustainable lifestyle. I believe that the bad stuff you do in life will catch up with you sooner or later. It’s inevitable. These hackers will get what’s coming to them, and I won’t even have to lift a finger beyond what I’ve done so far.

Standard
Thoughts

ISPs to become IT providers for home users?

Bruce Schneier makes a solid point in his recent post entitled “Home Users: A Public Health Problem?”, where he states that computers and computer security are much too complicated for the regular home user. That’s most certainly true. No matter how much you “educate” the average user, they’re still going to mess up. Even if they’re working in IT, that’s no guarantee of know-how. There are so many things you can do in IT these days that an IT guy might not even know what a hard drive or a RAM module looks like. You really have to like working with computers to get the way they work and to be willing to put in the time to learn how to protect and operate them the right way.

But then Schneier says ISPs should become IT providers for the home user. In other words, provide real Help Desk support for software installations, router and firewall settings, anti-spyware and anti-virus software, etc. This sounds good at first until you realize there’s a very small step between that and choosing to mitigate damage to the network by controlling what software users can install and use on their computers. What’s to stop ISPs from requiring that users register their computers on their domain (or doing it automatically as users run their software CDs), then pushing down group policies that enforce their rules?

What’s the alternative? Make computers easier to use! Operating systems and the gadgets that go along with them have to become really easy to use. A certain number of security options have to be enabled by default, and those settings have to able to propagate from the OS down to the gadgets (firewalls, routers, printers, network drives, WiFi devices, etc.) automatically and where applicable. You set it once and it gets set everywhere else. I talked about this in another post of mine, entitled “It’s got to be automated“. Have a look at that as well.

The starting point should be OS X. It’s not the best OS it could be, but it’s a lot easier to use for most everyday tasks than other systems, but even it is hard to figure out for a normal user when it comes to security and special protocols like site hosting, file sharing or FTP, and privileges between users in places like the Shared folder.

We need to do away with arcane file names for user groups in operating systems. Privileges should be much easier to set for files, folders and entire drives. Systems ought to be smart enough to know when we’re trying to share something with the firewall up, and pop up an on-screen wizard to assist us. They should anticipate certain things and guide us through.

I say we need to make all network devices manageable directly through the computer, instead of having to log onto them separately. This goes especially for routers. The computer should know there’s a router on the network, and allow us to manage its settings from the control panel, as we would manage a printer, but make it even easier. It should auto-configure it with medium-level security by default and only ask us to choose a password and be done with it.

The solution lies in making better software and hardware.

Standard
Reviews

Flickr tightens up image security

Given my concern with image theft, I do not like to hear about Flickr hacks. A while back, a Flickr hack circulated around that allowed people to view an image’s full size even if the photographer didn’t allow it (provided the image was uploaded at high resolution.) The hack was based on Flickr’s standard URL structure for both pages and image file names, and allowed people to get at the original sizes in two ways. It was so easy to use, and the security hole was so big, that I was shocked Flickr didn’t take care of it as soon as the hack started to make the rounds.

It’s been a few months now, and I’m glad to say the hack no longer works. I’m not sure exactly when they fixed it. Since it’s no longer functional, I might as well tell you how it worked, and how they fixed it.

D

First, let’s look at a page’s URL structure. Take this photo of mine (reproduced above). The URL for the Medium size (the same size that gets displayed on the photo page) is:

http://flickr.com/photo_zoom.gne?id=511744735&size=m

Notice the last URL parameter: size=m. The URL for the Original size is the same, except for that last parameter, which changes to size=o. That makes the URL for the original photo size:

http://flickr.com/photo_zoom.gne?id=511744735&size=o

Thankfully, that no longer works. If the photographer disallows the availability of sizes larger than Medium (500px wide), then you get an error that says something like “This page is private…”

Second, they’ve randomized the actual file names. So although that image of mine is number 511744735, and it stands to reason that I would be able to access the file by typing in something like http://farm1.static.flickr.com/231/511744735_o.jpg, that’s just not the case. Each file name is made up of that sequential number, plus a random component made up of letters and numbers, plus the size indicator. So the actual path to the medium size of the image file is:

http://farm1.static.flickr.com/231/511744735_b873d33b12_m.jpg

This may lead you to think that if you can get that random component from the URLs of the smaller sizes, you can then apply the same URL structure to get at the larger size, but this is also not the case. It turns out that Flickr randomizes that middle part again for the original size. So although it stays the same for all sizes up to 1024×768, it’s different for the original. For example, the URL for the original size of that same photo is:

http://farm1.static.flickr.com/231/511744735_d3eb0edf2d_o.jpg

This means that even if you go to the trouble of getting the file name for one of the smaller sizes, you cannot guess the file name of the original photo, and this is great news for photographers worried about image theft.

While I’m writing about this, let me not forget about spaceball.gif, the transparent GIF file that gets placed over an image to discourage downloads. It can be circumvented by going to View >> Source and looking at the code to find the URL for the medium-size image file. It’s painful, but it can be done, and I understand there are some scripts that do it automatically. The cool thing is that after Flickr randomized the file names, it became next to impossible to guess the URL for a file’s original size. The best image size that someone can get is 1024×768, which might be enough for a 4×6 print, and can probably be blown up with special apps to a larger size, but still, it’s not the original.

Perhaps it would be even better to randomize the file name for the large size as well, so that it’s different from the smaller sizes and the original size. That would definitely take care of the problem. Still, this is a big step in the right direction.

Standard