Buy vs Build on security cameras

There are a lot of choices for security cameras these days, and for the home or small business owner the choices can be overwhelming.

I have installed and used systems ranging from the Costco/Best Buy/Amazon security appliance with wired (and sometimes wireless) cameras to systems with a standards-based security DVR (I usually get a refurbished business-class desktop running Windows 10 Pro to install security DVR software onto, adding extra disks for the video storage) and open standards-based wireless and wired IP security cameras. There is a wide range of cameras available from different manufacturers to meet different requirements. Prices for cameras can range from $30 for a pan-tilt-zoom capable 1MP indoor camera to $460 for a high-end pole-mounted PTZ camera with a 30x power zoom. The nice thing about open systems is being able to fit the hardware to your needs and not being locked into a single vendor for parts or service. The open system may take a little more effort to set up than pulling out an appliance and plugging it in – but the end result is a much nicer system that is easier to use, with much higher quality web, Android and iOS apps.

Of the appliance-based security DVRs, the ones from Revo, Lorex and Q-See are the safest choices. None of them are going to be as good as an open ONVIF/Milestone XProtect system, but there are a lot of lesser systems than those three that are real garbage. I won’t name names here – but some of the systems from Costco that aren’t the 3 brands listed above are real stinkers. Access is only from Android and iOS apps, with no web access at all, for example. The other systems listed above do have web access, but some are limited to only working with Internet Explorer. The web access from Milestone XProtect Essential is HTML5-based and works in multiple browsers on multiple platforms. The situation where I would use an appliance over a Milestone system is when all the cameras can be easily wired to the appliance – like to cover a specific room or area rather than a whole house or trying to cover indoors and outdoors with the same system.

If you are considering a security system, find an installer you can trust who can recommend the best solution for your situation. Work with them to come up with a reasonable plan, and you will end up with easy-to-use, functional security cameras across your property.

HP shipped laptops with keyloggers installed. We have HP laptops but we aren’t panicking.

The laptops we purchased to be dedicated Bitcoin wallets are HP. HP is in the news for having shipped computers with keyloggers pre-installed. It turns out that the microphone tray applet for the sound card drivers shipped with these computers happened to be logging every single keystroke to an unencrypted, unprotected file. It turns out that this is only the case with the Windows drivers and software. If Windows is removed and completely replaced by Xubuntu, as in our case, this vulnerability simply does not exist.

The reason we replaced Windows with Xubuntu is that 100% of the software is open source and the source code is visible and available for inspection. That also applies to the sound card, WiFi, keyboard, and all other drivers and software on the system. Given this latest incident from HP and Microsoft, I’m not sure how I could ever trust a Windows system again for critical computing tasks. It frightens me to no end that critical medical devices and fire control systems on US Naval warships both run Windows.

More on security cameras and Wifi

We went to implement our new cable modem, router, access points, security DVR and WiFi IP security cameras yesterday, and things went pretty smoothly. At the end of the day we had the security DVR set up, the cameras recording, and the cable modem from Comcast replaced with our own purchased equipment.

The basic sequence of events went like this:

First, we called our internet provider. In our case that was Comcast. We told them we wanted to stop using their leased cable modem and use our own. They asked for the model number and MAC address of our new equipment, which is located on a barcode on the bottom of the modem. I find it helpful to take a picture with my camera so I can zoom in on it to clearly see the numbers to give to the Comcast representative.

After Comcast gave us the go-ahead, we removed the old equipment, plugged in our new cable modem and connected it to a laptop with an Ethernet interface. After confirming we were able to get an IP address from Comcast and get online, we went ahead and configured our new router and then plugged our new security DVR into the private side, set up the WiFi controller and adopted the access points, configured the WiFi on our new security cameras to join the new network, and then added the cameras to the security DVR. Tomorrow I will be returning to permanently mount the cameras in their final location and deal with routing and mounting the cables.

Back to WiFi and Security Cameras

Have a client that has several problems – home has an issue with spotty WiFi and their cars are getting broken into in their driveway.

The house was built in the 1920s with plaster and lath. The entire home is a Faraday cage (too much metal in the walls). Fortunately, there is some wired Ethernet already installed between the first and second levels of the home. We’ll install better, more powerful Ubiquiti access points with a WiFi controller, creating one seamless WiFi network across the entire property. We’ll also replace their leased Comcast cable equipment (reducing the monthly bill) with a new, much better cable modem, router, WiFi access points and a WiFi controller, all purchased from Amazon.

To deal with the security issue, we will install a security Digital Video Recorder, using their old Mac laptop, some security DVR software and a pair of wireless 1080p WiFi ONVIF cameras (which can be placed anywhere, as needed).

Install is coming up this weekend. We’ll keep you updated on how it goes!

Turning our $180 Target hardware bitcoin wallets into multi-altcoin wallets

Well, we took a pair of cheap cloudbooks from Target and repurposed them as Linux-based hardware bitcoin wallets with a complete open-source (and thus, more trusted) software stack. No black boxes here.

Now we need to add wallets for other coins like Ethereum, ZCash, Dash, Ripple and others.  These systems come with 32GB of flash storage, we’ll see if we need to add more storage via the SD card slot or not.  If we do, that volume will need to be encrypted either with LVM or by making it the home folder and enabling home folder encryption.  We’ll burn that bridge when we come to it.

For now, we want to be able to run Coinomi, an open-source Android wallet. How do we run Android? With VirtualBox.

Our first in-depth tutorial – coming shortly – will detail how to install VirtualBox, Android and Coinomi, in that order.

Stay Tuned!

How to safely connect cold storage offline wallet to your online wallet

USB keys or SD cards are one way, but I dislike using USB drives because they are an unacceptable infection vector for my cold storage machine. USB, SD cards or any block storage introduces drivers and firmware which may be suspect and/or may contain malware that you copy unknowingly or that gets launched automatically (reference: https://www.us-cert.gov/sites/default/files/publications/RisksOfPortableDevices.pdf).

What to do, then?

These laptops have a wired ethernet port.  I can connect them back-to-back and simply have a static IP configured on both machines.

Enable the SSH server on the online machine with the following command:

sudo apt-get install -y openssh-server

Then go to the network menu, select Edit Connections, select Wired Connection 1 and hit Edit.  Go to the IPv4 Settings tab and set Method to ‘Shared to other computers’.  You can now hit Save and then Close.

Go back to the Network menu and select ‘Connection Information’ and note the IPv4 IP Address of Wired Connection 1.  This is the IP address you will connect to from the cold storage machine.

Connect the two machines together with an ethernet cable.

Use FileZilla to connect to the IP address of your online host.

You can now safely drag and drop files between the two hosts.
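
One check worth running on the online machine after the steps above: sshd listens on every interface by default, so installing openssh-server also exposes it on the WiFi/internet side, not just the wired link. The script below is an added example, not part of the original post. The function name check_sshd_scope is hypothetical, and 10.42.0.1 is an assumption (the address NetworkManager normally assigns in ‘Shared to other computers’ mode); use the address you noted under Connection Information.

```shell
#!/bin/sh
# Added example: confirm that sshd on the online machine is bound only to the
# back-to-back wired link, by reading ListenAddress lines from an sshd_config.

# check_sshd_scope CONFIG LINK_ADDR
# Prints one finding per line. Returns 0 when every ListenAddress equals
# LINK_ADDR, 1 when sshd would also answer on other interfaces.
check_sshd_scope() {
    awk -v link="$2" '
        # Keyword is case-insensitive; commented-out lines never match.
        tolower($1) == "listenaddress" {
            addr = $2
            # Reduce the IPv4 "addr:port" form to the bare address.
            if (addr ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", addr)
            seen = 1
            if (addr == link) {
                print "OK: ListenAddress " addr
            } else {
                print "FAIL: ListenAddress " addr " is not the wired link (" link ")"
                bad = 1
            }
        }
        END {
            # No directive at all means sshd binds every local address.
            if (!seen) {
                print "FAIL: no ListenAddress set, sshd listens on all interfaces"
                bad = 1
            }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Constructed sample configs (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#ListenAddress 0.0.0.0' > "$demo_dir/default.conf"
printf '%s\n' 'Port 22' 'ListenAddress 10.42.0.1' > "$demo_dir/locked.conf"
printf '%s\n' 'listenaddress 10.42.0.1:22' 'ListenAddress 0.0.0.0' > "$demo_dir/mixed.conf"

for f in default locked mixed; do
    echo "== $f.conf"
    check_sshd_scope "$demo_dir/$f.conf" 10.42.0.1 || true
done
rm -rf "$demo_dir"
```

On the real machine, point it at /etc/ssh/sshd_config; if it reports FAIL, add a ListenAddress line with the wired link address and restart the ssh service.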

The $180 Bitcoin Wallet I got at Target

Problem: Need offline/cold storage for our coins

Solution: AMD-based HP CloudBook laptop at Target for $180

Why AMD? Many Intel CPUs have vPro technology baked in – which has a nasty security hole allowing remote IP KVM to be enabled, allowing for keystroke logging that is simply unacceptable on our wallet machine.

They come with Windows 10 Home preinstalled, which we go ahead and log into and download the following things:

Opera Browser: http://opera.com

Install the Opera browser, go into Settings and turn on VPN in the Privacy and Security section.

Xubuntu ISO image:
http://torrent.ubuntu.com/xubuntu/releases/xenial/release/desktop/xubuntu-16.04.3-desktop-amd64.iso.torrent

Rufus USB image writer: https://rufus.akeo.ie

Run Rufus after downloading, select the Xubuntu ISO image you downloaded earlier and write it to a 4GB-32GB USB stick (preferably a USB 3.0 one).

Reboot and keep tapping Esc to go into the BIOS

Find the boot order, move USB devices above the built-in SSD in the boot order and reboot.

Install Xubuntu, enabling disk and LVM encryption when you get to that point in the install. Pick a password you will not forget.

Once Xubuntu is installed and you are logged in, connect to the internet, open a terminal and do the following to bring the system up to date:

sudo apt-get update
sudo apt-get upgrade -y
reboot
sudo apt-get autoremove

Go through the power settings and enable suspend on lid close and shutdown on reaching critical battery levels.

Firefox is installed already, use it to download and install Opera. I have had better luck downloading the file and installing it in the terminal rather than using the GUI software manager. The command to install manually is:

sudo dpkg -i <packagename>.deb

You will find it in your /home/<username>/Downloads folder

And that’s how we turned a $180 cloudbook into a whole-disk-encrypted hardware eCoin wallet.

Start installing your favorite wallets. Our next post will cover installing and configuring Electrum.

How do I make my WiFi better?

Here is how we have improved our WiFi at multiple locations:

1. Replace consumer-grade WiFi gear with enterprise-grade gear

2. Add additional WiFi radios to increase coverage zones

Why replace consumer-grade Netgear/Belkin/Linksys/TP-Link WiFi gear with enterprise-grade gear? Because enterprise-grade WiFi gear will let you deploy multiple access points that will allow for seamless roaming from one access point to another. Consumer-grade access points don’t do that. In addition to roaming, the coverage provided by enterprise-grade access points is generally much better and will cover a larger area.

The gear we recommend is the Ubiquiti UniFi line. The differences between the Pro and Lite versions of their access points are:

Lite version has a 2×2 MIMO radio and is indoor-only

Pro version has a 3×3 MIMO radio, is indoor/outdoor and has a 2nd ethernet port for connecting wired devices

The best news is that the cost of these Ubiquiti radios is the same or less than the consumer-grade radios they are replacing.

https://www.amazon.com/Ubiquiti-Networks-802-11ac-Dual-Radio-UAP-AC-PRO-US/dp/B015PRO512/

https://www.amazon.com/Ubiquiti-Networks-Dual-Band-passive-UAP-AC-LITE/dp/B016K4GQVG

https://www.amazon.com/Ubiquiti-Unifi-Cloud-Key-Control/dp/B017T2QB22/ref=sr_1_2?s=electronics&ie=UTF8&qid=1512180686&sr=1-2&keywords=unifi+cloud+key

The CloudKey controller is optional; you can run the UniFi controller on a Windows, Mac or Linux PC – or a Raspberry Pi.

https://www.amazon.com/Ubiquiti-Unifi-Security-Gateway-USG/dp/B00LV8YZLK/

The USG is a firewall/router that integrates with the UniFi Controller and allows you to manage everything from one user interface. Not required, but nice.

Replacing your current WiFi gear with an enterprise-grade set of gear will eliminate dead spots in your coverage and give you a reliable network you can trust.