If you’ve followed along with our series so far, you know we’ve set up a network of Raspberry Pis that PXE boot off a central server, and then used Zoneminder to run a network of IP cameras. Now that some useful services are running in our smart house, how do we access those services when away from home, and how do we keep the rest of the world from spying on our cameras?
Before we get to VPNs and port forwarding, there is a more fundamental issue: Do you trust your devices? What exactly is the firmware on those cheap cameras really doing? You could use Wireshark and a smart switch with port mirroring to audit the camera’s traffic. How much traffic would you need to inspect to feel confident the camera never sends your data off somewhere else?
Thankfully, there’s a better way. One of the major features of surveillance software like Zoneminder is that it aggregates the feeds from the cameras. This process also has the effect of proxying the video feeds: we don’t connect directly to the cameras in order to view them; we connect to the surveillance software. If you don’t completely trust those cameras, then don’t give them internet access. You can make the cameras a physically separate network, only connected to the surveillance machine, or just set their IP addresses manually and leave the default route and DNS blank. Whichever way you set it up, the goal is the same: let your surveillance software talk to the cameras, but don’t let the cameras talk to the outside world.
Edit: As has been pointed out in the comments, leaving off a default route is significantly less effective than separate networks. A truly malicious piece of hardware could easily probe for the gateway.
This idea applies to more than cameras. Any device that doesn’t need internet access to function can be isolated in this way. While this could be considered paranoia, I consider it simple good practice. Join me after the break to discuss port forwarding vs. VPNs.
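One way to enforce the “separate network, only connected to the surveillance machine” setup, as an added example that is not part of the Hack My House series, is an nftables ruleset on the Linux box that runs the surveillance software. It assumes the box has two interfaces, eth0 toward the LAN and eth1 toward a camera-only subnet (10.99.0.0/24, with the surveillance host at 10.99.0.1); those names and addresses are placeholders for your own setup. Because the forward chain drops by default and there is no masquerade rule, a camera that guesses the gateway address (the concern raised in the edit above) still gets nothing routed past this host, and every attempt is logged so you can see which device is trying.

```nft
# Added example (not from the Hack My House series). Interface names and
# subnets are assumptions:
#   eth0  - LAN / internet side of the surveillance host
#   eth1  - camera-only network 10.99.0.0/24, this host is 10.99.0.1
table inet camera_isolation {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept

        # Cameras may only answer connections this host opened (the RTSP/HTTP
        # pulls are initiated from the surveillance side). Any new connection
        # from the camera network, DNS and NTP included, is logged and dropped.
        iif "eth1" ip saddr 10.99.0.0/24 counter log prefix "camera-egress-attempt " drop

        # LAN-side management of the surveillance host (SSH, Zoneminder UI)
        iif "eth0" tcp dport { 22, 80, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Never route camera traffic in either direction; viewers go through
        # the surveillance software, not straight to a camera.
        iif "eth1" counter drop
        oif "eth1" counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and watch the kernel log for the `camera-egress-attempt` prefix: a camera that should be idle but keeps showing up there is exactly the device the first paragraph of this post was worried about.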
Continue reading “Hack My House: Opening Raspberry Pi to the Internet, but Not the Whole World”
In 1961, FCC Commissioner [Newt Minow] famously described TV as a “vast wasteland.” But TV can do great things; educational programming, news coverage, and great performances do appear, just not all that often. You can draw the same parallels to the Internet. Sure, it’s mostly cat pictures, snarky comments, and posts of what your friends had for dinner. But it can also be a powerful tool, especially for education. Recently, top-name schools and other institutions have posted courses online for everything from Python to Quantum Mechanics to Dutch. The problems are finding these classes and figuring out which ones are gems and which are duds. A site called Class-Central aims to solve these problems.
The site aggregates class descriptions from a variety of sources like edX, Coursera, and more. Users can rate the classes. Many of these courses are free to take. The recent trend is to offer the content for free but charge people who want an assessment, such as a certificate of completion or even a full-blown degree. Even then, the cost is typically far less than traditional college costs.
There’s also news about courses. For example, a recent post highlighted that edX now offers nine online master’s degrees in conjunction with major schools. A computer science master’s from the University of Texas, for example, runs about $10,000. A Georgia Tech cybersecurity master’s degree costs even less. There are another seven not ready yet, including one for electrical engineering.
Continue reading “Back to School Online”
Steganography involves hiding data in something else — for example, encoding data in a picture. [David Buchanan] used polyglot files not to hide data, but to send a large amount of data in a single Twitter post. We don’t think it quite qualifies as steganography because the image has a giant red UNZIP ME printed across it. But without it, you might not think to run a JPG image through your unzip program. If you did, though, you’d wind up with a bunch of RAR files that you could unrar and get the complete works of the Immortal Bard in a single Tweet. You can also find the source code — where else — on Twitter as another image.
What’s a polyglot file? JPEG images have an ICC (International Color Consortium) section that holds color profiles. While Twitter strips a lot of things out of images, it doesn’t take out the ICC section, and that section can hold almost anything, in chunks of up to 64 kB each, up to a limit of 16 MB total.
The ZIP format is also very flexible. The pointer to the central directory is at the end of the file. Since that pointer can point anywhere, it is trivial to create a zip file with extraneous data just about anywhere in the file.
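To make the two halves of the trick concrete, here is an added Python example (not [David Buchanan]’s code; his is on Twitter as described above) that builds a tiny JPEG/ZIP polyglot of its own and then inspects it the way a defender scanning uploads would: walk the JPEG marker segments, total up the ICC_PROFILE payload, and look for a ZIP end-of-central-directory record. The sample “image” is constructed inline and is not a decodable picture; the text it carries is a one-line stand-in for the complete works.

```python
import io
import struct
import zipfile

# Constructed sample payload standing in for the archive in the tweet.
SAMPLE_TEXT = b"Shall I compare thee to a summer's day?\n"
EOCD_SIG = b"PK\x05\x06"           # ZIP end-of-central-directory signature


def build_zip(name: str, payload: bytes) -> bytes:
    """Return an in-memory ZIP archive with one stored member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def icc_app2_segment(blob: bytes, seq: int = 1, count: int = 1) -> bytes:
    """Wrap blob in a JPEG APP2 ICC_PROFILE segment (one 64 kB chunk)."""
    payload = b"ICC_PROFILE\x00" + bytes([seq, count]) + blob
    if len(payload) > 0xFFFF - 2:      # length field counts itself, 2 bytes
        raise ValueError("ICC chunk exceeds the 64 kB segment limit")
    return b"\xff\xe2" + struct.pack(">H", len(payload) + 2) + payload


def build_polyglot(zip_bytes: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, APP2 carrying the zip, SOS stub, EOI.
    Enough structure for marker parsing and for zipfile; not a real image."""
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + icc_app2_segment(zip_bytes) + sos + b"\xff\xd9"


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each marker segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI, no length field
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:                       # SOS: scan data follows
            return
        pos += 2 + length


def inspect_polyglot(data: bytes) -> dict:
    """Report ICC payload size, a ZIP EOCD hit, and the members if a zip opens.
    zipfile tolerates leading bytes and a short trailer, which is the whole
    reason the trick works: the EOCD pointer is relative to the archive."""
    icc_chunks = icc_bytes = 0
    for marker, payload in jpeg_segments(data):
        if marker == 0xE2 and payload.startswith(b"ICC_PROFILE\x00"):
            icc_chunks += 1
            icc_bytes += len(payload) - 14       # 12-byte tag + seq + count
    eocd_at = data.rfind(EOCD_SIG)
    names = []
    if eocd_at != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            pass
    return {"icc_chunks": icc_chunks, "icc_bytes": icc_bytes,
            "eocd_offset": eocd_at, "zip_members": names}


def extract_member(data: bytes, name: str) -> bytes:
    """Read one member straight out of the image bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    image = build_polyglot(build_zip("sonnet.txt", SAMPLE_TEXT))
    print(inspect_polyglot(image))
    print(extract_member(image, "sonnet.txt").decode())
```

A real scanner would flag any image whose ICC payload is far larger than a colour profile needs to be, or whose bytes contain a ZIP EOCD record at all; the parser above stops at SOS on purpose, because the entropy-coded data after it has no marker structure worth walking.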
Continue reading “Shakespeare in a Zip in a RAR, Hidden in an Image on Twitter”
When you create a Thing for the Internet of Things, you’ve made a little computer that does a simple job and which probably has a minimal interface. But minimal interfaces leave little room for configuration, such as entering WiFi details. Perhaps if you made the Thing yourself you’ve hard-coded your WiFi credentials in your code, but that hardly translates to multiple instances. So, how to put end-user WiFi credentials easily on more than one Thing? Perhaps [Rob Dobson] has the answer with his technique of sending them as a sequence of audible tones.
Of course, this is nothing new, as any owner of an 8-bit machine that had a cassette interface will tell you. And on the face of it, it’s much easier than those awkward impromptu hotspots with a web interface to which you connect and pass on your credentials. But while we quite like the convenience, we can’t help wondering whether expressing the credentials in audible free space might be a bit too insecure for many readers. The technique however remains valid, and we’re sure that other less sensitive applications might be found for it. Meanwhile we hope he hasn’t inadvertently shared his WiFi password in the video below the break.
Continue reading “Speak Your WiFi”
If you’re like us, you probably spend more time browsing Reddit than you’d like to admit to your friends/family/boss/therapist. A seemingly endless supply of knowledge, wisdom, and memes; getting stuck on Reddit is not unlike looking something up on Wikipedia and somehow managing to spend the next couple hours just clicking through to new pages. But we’re willing to bet that none of us love browsing Reddit quite as much as [Saad] does.
He writes in to tell us about the handheld device he constructed which lets him view random posts from the popular /r/showerthoughts sub. Each press of the big red button delivers another slice of indispensable Internet wisdom, making it a perfect desk toy to fiddle with when you need a little extra push to get you through the day. Like one of those “Word a Day” calendars, but one that you’ll actually read.
For those curious as to how [Saad] is scraping Reddit with an Arduino, the short answer is that he isn’t. Posts are pulled from Reddit using an online tool created for the project by his wife (/r/relationshipgoals/), and dumped into a text file that can be placed on the device’s SD card. With 1500 of the all-time highest rated posts from /r/showerthoughts onboard, he should be good on content for awhile.
[Saad] has done an excellent job documenting the hardware side of this build, providing plenty of pictures as well as a list of the parts he used and a few tips to help make assembly easier. Overall it’s not that complex a project, but his documentation is a big help for those who might not live and breathe this kind of thing.
For the high-level summary: it uses an Arduino Pro Mini, an ILI9341 screen, and a 3.3 V regulator to step down 5 V USB instead of using batteries. A bit of perfboard, a 3D printed case, and a suitably irresistible big red button pull the whole thing together.
We’ve seen a similar concept done in a picture frame a couple of years back, but if that’s not interactive enough you could always build yourself a Reddit “controller”.
There’s a lot going on in our virtual spaces, and anyone with a smart phone can attest to this fact. There are pop-up notifications for everything you can imagine, and sometimes it’s possible for the one really important notification to get lost in a sea of minutiae. To really make sure you don’t miss that one important notification, you can offload that task to your own personal dinosaur.
The 3D-printed dinosaur has a rack-and-pinion gear set that allows it to extend upwards when commanded. It also has a set of LEDs for eyes that turn on when it pops up. The two servos and LEDs are controlled by a small Arduino in the base of the dinosaur. This Arduino can be programmed to activate the dinosaur whenever you like: for an email from a specific person, a reply to a comment on Reddit, or an incoming phone call, to name a few examples. Be sure to check out the video below the break.
With this dinosaur on your desk, it’s not likely you’ll miss its activation. If you’d like something that has the same function but with less movement and more lights, there’s also a notification 3D cube made out of LEDs that’s sure to catch your eye as well.
Continue reading “Popup Notification Dinosaur”