Category: Technology

Home Security Drone

We’ve conceptualized home security drones for some time with autonomous programming that instructs the drones to return to a charging station when their batteries become depleted. Feed the video back to a platform that knows what the area should look like and alert on abnormalities.

The idea of a drone patrol is interesting to me because optimizing the ‘random walk’ algorithm to best suit the implementation is challenging. The algorithm would need to be modified to account for areas that other drones recently visited and allow weighting for ease of ingress (i.e. it’s not likely someone will scale a cliff wall to infiltrate your property. A lot of ‘intrusions’ will come through the driveway). Bonus points for a speaker system that would have the drone direct visitors to the appropriate entrance (please follow me to the front door) — a personal desire because delivery people seem to believe both our garage and our kitchen patio are the front door.
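A sketch of the weighting described above, as an added example that is not from the original post: each zone's chance of being the next waypoint is its ease-of-ingress weight multiplied by how long it has been since any drone visited it. The zone names, weights and the 600-second saturation value are assumptions made up for illustration.

```python
import random

# Constructed zones. "ingress" is an assumed likelihood that someone enters there;
# "last_visit" is the time (seconds) any drone in the fleet last covered the zone.
ZONES = {
    "driveway":  {"ingress": 5.0, "last_visit": 0.0},
    "back_yard": {"ingress": 2.0, "last_visit": 0.0},
    "cliff":     {"ingress": 0.2, "last_visit": 0.0},
}

def patrol_probabilities(zones, now, saturation=600.0):
    """Probability of choosing each zone as the next waypoint.

    Staleness grows linearly with the seconds since the last visit and is
    capped at `saturation`, so a long-ignored, hard-to-reach zone can never
    outweigh the driveway indefinitely.
    """
    scores = {}
    for name, zone in zones.items():
        elapsed = max(0.0, now - zone["last_visit"])
        staleness = min(elapsed, saturation) / saturation
        scores[name] = zone["ingress"] * staleness
    total = sum(scores.values())
    if total == 0:
        # Every zone was just visited: fall back to the plain ingress weights.
        scores = {name: zone["ingress"] for name, zone in zones.items()}
        total = sum(scores.values())
    return {name: score / total for name, score in scores.items()}

def next_waypoint(zones, now, rng=random):
    """Pick the next zone at random using the weights and record the visit.

    `zones` is shared state, so other drones immediately see the zone as
    recently covered and are steered elsewhere.
    """
    probs = patrol_probabilities(zones, now)
    names = list(probs)
    choice = rng.choices(names, weights=[probs[n] for n in names], k=1)[0]
    zones[choice]["last_visit"] = now
    return choice
```

Keeping the choice random rather than always picking the highest score means the patrol route cannot be predicted by someone watching the drones.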

This is a great security solution when it’s unique, but were the idea to be widely adopted … it would suck as a home security implementation. Why? Drones with video feeds sound like a great way to deter trespassing. But drones have practical limitations. Home break-ins would be performed during storms. Or heavy snowfall. Or …

What if the drone charging base has wheels – during adverse weather, the drone can convert itself into an autonomous land vehicle. I’d probably include an additional battery in the base as the wheeled vehicle traversing land would use more energy. And there would be places a wheeled vehicle could not travel. The converted drone would be able to cover some of the property, and generally the area closest to the structures could be traversed.

Spectre & Meltdown

The academic whitepapers for both of these vulnerabilities can be found at https://spectreattack.com/ — or El Reg’s article and their other article provide a good summary for those not inclined to slog through technical nuances. There’s a lot of talk about chip manufacturers’ stock drops and vendor patches … but I don’t see anyone asking how bad this is on hosted platforms. Can I sign up for a free Azure trial and start accessing data on your instance? Even if they isolate free trial accounts (and accounts given to students through University relationships), is a potential trove of data worth a few hundred bucks to a hacker? Companies run web storefronts that process credit card info, so there’s potentially profit to be made. Hell, is the data worth a few million to some state-sponsored entity or someone getting into industrial espionage? I’m really curious if MS uses the same Azure farms for their hosted Exchange and SharePoint services.

While Meltdown has patches (not such a big deal if your use cases are GPU intensive games, but does a company want a 30% performance hit on business process servers, automated build and testing machines, data mining servers?), Spectre patches turn IT security into TSA regulations. We can make a patch to mitigate the last exploit that occurred. Great for everyone else, but doesn’t help anyone who experienced that last exploit. Or the people about to get hit with the next exploit.

I wonder if Azure and AWS are going to give customers a 5-30% discount after they apply the performance reducing patch? If I agreed to pay x$ for y processing capacity, now they’re supplying 0.87y … why wouldn’t I pay 0.87x$?

3D Print Server – OctoPrint

When we started setting up our 3D printer, I installed Cura on my laptop … but I don’t want to leave my laptop in the office & hooked up to the printer for a day or two. We could install Cura on the server and use it to print, but we’d also need to use something like xvnc so we could remotely initiate a print job and not need to stay connected to a redirected X session for a day or two. Thus began the quest for a server-based 3D printer controller. I think we’re going to use OctoPrint on our Fedora server.

There are a few prerequisites: python, python-pip, python2-virtualenv, and git-core (well, you can just download/extract the project … but having a git client is quicker/easier).

In the directory where you want the OctoPrint folder, run “git clone https://github.com/foosel/OctoPrint.git”

Create a user for octoprint and add that user to the tty and dialout groups.

Create a python virtual environment: virtualenv venv

Install OctoPrint into the new environment: ./venv/bin/python setup.py install

Log into the octoprint service account (interactive logon or su), start a screen session for the server, then start the server within the screen session:

su - myserviceaccount
screen -d -m -S OctoPrintServer
screen -x OctoPrintServer
/path/to/OctoPrint/venv/bin/octoprint

Then access the web service and continue setup – the default port is 5000. My next step is to write an init script so the server will auto-launch on restart … but this is functional enough to start printing.

 

Customer Service And IT Automation

A 3D printer filament manufacturer, MakerGeeks, has been running a series of awesome deals since Black Friday. We placed an order for several of their “grab bag” packages – which I assume to be production overruns and whatever isn’t selling. We want to make a few large prototypes – if it’s an amalgamation of oddball colours … whatever, it’ll still be functional. We can pay extra to select the colour once we’ve got a finished model file.

A few hours after placing my order, I got a mass e-mail saying essentially “we sold a lot more stuff than we expected, it’s gonna take a while to ship”. Wasn’t buying Christmas presents, so waiting a while … whatever. Two weeks later, I haven’t heard a thing from them. Odd. I sent a quick e-mail asking for someone to verify that my order didn’t get lost or something. And never heard back from them. Waited another week and sent a follow-up.

Checked them out on the BBB site and found out they’ve got a really bad reputation for non-existent customer service and not shipping ‘stuff’. Sent an e-mail to all of the contacts listed on the BBB site (the phone number is unanswered and rolls to a generic message). Another week with no response, and I filed a BBB complaint mostly to increase the number of people saying “these people don’t bother answering e-mail and suck at order fulfillment”.

Additional irony – I’d subscribed to their newsletter when we placed our order. The five weeks of no communication from the company did include an almost daily e-mail with information on their holiday promotion. So they’re not bothering to ship my stuff, but they’re actively soliciting new orders!?!

What bothers me, though, is that a simple automated job would be the difference between initiating a charge-back and waiting for my order to ship. There’s an order database somewhere. Pull a list of all open orders & send a message that says increasingly comforting versions of “we haven’t forgotten about you, we just haven’t gotten to you yet”. If it were me, I’d probably include something like “We currently have outstanding orders for 25,839 KG of filament that we’re working through. The machines are running as fast as they can, and we’re shipping 2,848 KG a day. We want to thank you for your patience as we work through this amazing volume of holiday orders.” Actual message content is almost irrelevant. The point is a few dozen development hours would be saving orders and improving the company’s reputation.

Instead I get nothing. With no faith that the company will ship me anything ever … and since I don’t want to try disputing a charge six months after it was made (had problems with that before – prepaid a CSA membership through PayPal, waited eight months for the new cycle to start, but I wasn’t on their list and they claimed to have no record of my payment. Tried to dispute it through PayPal and was told the window to dispute the charge was up … but I didn’t know I wasn’t going to be part of the new year until the first delivery!), I presented my communication and their complete lack of response to the credit card company. About 24 hours later, the charge-back was completed.

Ransomware

My company held a ransomware response thought experiment recently – and, honestly, every ransomware response I’ve seen has been some iteration of “walk through backups until we find good files”. Maybe use something like the SharePoint versioning to help identify a good target date (although that date may be different for different files … who knows!). But why wouldn’t you attempt a proactive identification of compromised files?

The basis of ransomware is that it encrypts data and you get the password after paying so-and-so a bitcoin or three. Considering that NGO virus authors (e.g. those who aren’t trying to slow down Iran’s centrifuges) are generally interested in creating mayhem, there’s not a lot of disincentive to creating mayhem and making a couple of bucks. I don’t anticipate ransomware to become less prevalent in the future; in fact I anticipate seeing it in vigilante hacking: EntityX gets their files back after they publicly donate 100k to their antithesis organisation.

Since it’s probably not going away, it seems worthwhile to immediately identify the malicious data scrambling. Reverting to yesterday’s backups sucks, but not as much as finding that your daily backups have aged out and you’re stuck with the monthly backup from 01 Nov as your last “good” data set. It would also be good to merge whatever your last good backup is into the non-encrypted files so the only ‘stuff’ that reverts is a worthless scramble of data anyway. Sure someone may have worked on the file this morning and sucks for them to find their work back-rev’d to last night … but again that’s better than everyone having to reproduce their last two and a half months of work.

Promptly identifying the attack: There are routine processes that read changed files. Windows Search indexing, antivirus scanner, SharePoint indexing. Running against the Windows Search index log on every computer in the organisation is logistically challenging. Not impossible, but not ideal either. A central log for enterprise AV software or the SharePoint indexing log, however, can be parsed from the data centre. Scrape the log files for “unable to read this encrypted file” events. Then there are a myriad of actions that can be taken. Alert the file owner and have them confirm the file should be encrypted. Alert the IT staff when more than x encrypted files are identified in a unit time. Check the create time-stamp and alert the file owner for any files that were created prior to encountering them as encrypted.

Restoring only scrambled files: Since you have a list of encrypted files, you have a scope for the restore job. Instead of restoring everything in place (because who has 2x the storage space to restore to an alternate location?!), restore just the files recently identified as encrypted – to an alternate location or in place. Ideally you’ve gotten user input on the encrypted files and can omit any the user indicated they encrypted too.
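The log scrape and scoped restore list from the two paragraphs above, as an added example that is not from the original post. The log line format, the SCAN_SKIPPED event name, the field names, the alert threshold and the one-day grace period are all assumptions; a real AV or SharePoint indexing log needs its own pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical central-scanner log format.
SAMPLE_LOG = r"""
2018-01-05T09:00:12 SCAN_OK path=\\fs01\share\readme.txt owner=alice created=2017-03-01T08:00:00
2018-01-05T09:01:03 SCAN_SKIPPED reason=encrypted path=\\fs01\share\budget.xlsx owner=alice created=2017-11-02T10:00:00
2018-01-05T09:01:09 SCAN_SKIPPED reason=encrypted path=\\fs01\share\plan.docx owner=bob created=2017-06-15T14:30:00
2018-01-05T09:01:40 SCAN_SKIPPED reason=encrypted path=\\fs01\share\notes.txt owner=bob created=2017-12-20T09:00:00
2018-01-05T09:02:00 SCAN_SKIPPED reason=encrypted path=\\fs01\hr\vault.zip owner=carol created=2018-01-05T08:55:00
""".strip().splitlines()

LINE = re.compile(r"^(?P<seen>\S+) SCAN_SKIPPED reason=encrypted "
                  r"path=(?P<path>.+) owner=(?P<owner>\S+) created=(?P<created>\S+)$")

def encrypted_events(lines):
    """Return one dict per 'could not read, file is encrypted' log event."""
    events = []
    for line in lines:
        match = LINE.match(line.strip())
        if match:
            event = match.groupdict()
            event["seen"] = datetime.fromisoformat(event["seen"])
            event["created"] = datetime.fromisoformat(event["created"])
            events.append(event)
    return events

def burst_alert(events, threshold=3, window=timedelta(minutes=5)):
    """True when more than `threshold` events fall inside any sliding window."""
    times = sorted(e["seen"] for e in events)
    start = 0
    for end, seen in enumerate(times):
        while seen - times[start] > window:
            start += 1
        if end - start + 1 > threshold:
            return True
    return False

def owners_to_notify(events, grace=timedelta(days=1)):
    """Owner -> files that existed well before they were first seen encrypted."""
    notify = defaultdict(list)
    for e in events:
        if e["seen"] - e["created"] > grace:
            notify[e["owner"]].append(e["path"])
    return dict(notify)

def restore_scope(events, user_confirmed=()):
    """Paths for the restore job, minus files users say they encrypted themselves."""
    return sorted({e["path"] for e in events} - set(user_confirmed))
```

The output of restore_scope is the file list to hand to the backup tool, so only the scrambled files are reverted.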

Scraping OpenHAB Karaf Console Data

Realized an easier way of scraping the Karaf console output – no need to SSH into the console (which, evidently, can timeout for inactivity … something I sort on my OpenSSH server with a config parameter whenever I’m looking to use tee and scrape output).

You can just pipe the startup script to tee. Have to push stderr into stdout to get the *errors* logged.

./start.sh 2>&1 | tee -a /tmp/logfile.txt

The output gets a little funky – maybe because of the color flags on some of the text? Dunno, but it’s grabbing the text and something like tail displays it without funky odd stuff.

ESC[31m ESC[0m __ _____ ____ ESC[0m
ESC[31m ____ ____ ___ ____ ESC[0m/ / / / | / __ ) ESC[0m
ESC[31m / __ \/ __ \/ _ \/ __ \ESC[0m/ /_/ / /| | / __ | ESC[0m
ESC[31m/ /_/ / /_/ / __/ / / / ESC[0m__ / ___ |/ /_/ / ESC[0m
ESC[31m\____/ .___/\___/_/ /_/ESC[0m_/ /_/_/ |_/_____/ ESC[0m
ESC[31m /_/ ESC[0m 2.2.0-SNAPSHOTESC[0m
ESC[31m ESC[0m Build #1114 ESC[0m

Hit 'ESC[1m<tab>ESC[0m' for a list of available commands
and 'ESC[1m[cmd] --helpESC[0m' for help on a specific command.
Hit 'ESC[1m<ctrl-d>ESC[0m' or type 'ESC[1msystem:shutdownESC[0m' or 'ESC[1mlogoutESC[0m' to shutdown openHAB.

ESC[?1hESC=ESC[?2004hESC[36mopenhab>ESC[0m

But you get the java exceptions too:

      Exception in thread "pool-45-thread-5" java.lang.NullPointerException
              at java.util.AbstractCollection.addAll(AbstractCollection.java:343)
              at com.zsmartsystems.zigbee.ZigBeeNode.setNeighbors(ZigBeeNode.java:510)
              at com.zsmartsystems.zigbee.ZigBeeNetworkMeshMonitor$2.run(ZigBeeNetworkMeshMonitor.java:232)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
              at java.lang.Thread.run(Thread.java:748)

 

Logging OpenHAB’s Karaf Console To A File

With OpenHAB2, there is a console where information is displayed. You can copy/paste from the console to save information, but if you are reproducing an issue and expect something to be logged, you can also dump the information from the console into a text file. This is done by ssh’ing into the Karaf console and using tee to write output to a file. Since the SSH server is bound to 127.0.0.1, you will need to use localhost or 127.0.0.1. This cannot be done remotely without some sort of firewall port redirection or OpenHAB change.

     ssh UserName@localhost -p 8101 | tee -a /tmp/test.txt

So what’s the username? Karaf uses karaf as the username and password. OpenHAB uses the users.properties file (./openhab2/userdata/etc) to store users. Our file has the user openhab. You can google the default password or put your own crypt string in there and know the password.

Now everything that comes across the Karaf console (system output and stuff you type) will be in the /tmp/test.txt file.

[root@fedora01 ~]# tail -f /tmp/test.txt

                          __  _____    ____
  ____  ____  ___  ____  / / / /   |  / __ )
 / __ \/ __ \/ _ \/ __ \/ /_/ / /| | / __  |
/ /_/ / /_/ /  __/ / / / __  / ___ |/ /_/ /
\____/ .___/\___/_/ /_/_/ /_/_/  |_/_____/
    /_/                        2.2.0-SNAPSHOT
                               Build #1114

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit '<ctrl-d>' or type 'system:shutdown' or 'logout' to shutdown openHAB.

openhab> bundle:list
START LEVEL 100 , List Threshold: 50
 ID │ State    │ Lvl │ Version                │ Name
────┼──────────┼─────┼────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
──────────────────────────────────────────────────────────────────────────────────
 15 │ Active   │  80 │ 2.2.0.201712061711     │ ZWave Binding
 16 │ Active   │  80 │ 2.2.0.201712052342     │ ZigBee Binding
 17 │ Active   │  80 │ 5.3.1.201602281253     │ OSGi JAX-RS Connector
 18 │ Active   │  80 │ 2.4.5                  │ Jackson-annotations
 19 │ Active   │  80 │ 2.4.5                  │ Jackson-core
 20 │ Active   │  80 │ 2.4.5                  │ jackson-databind
 21 │ Active   │  80 │ 2.4.5                  │ Jackson-dataformat-XML
 22 │ Active   │  80 │ 2.4.5                  │ Jackson-dataformat-YAML
 23 │ Active   │  80 │ 2.4.5                  │ Jackson-module-JAXB-annotations
 24 │ Active   │  80 │ 2.7.0                  │ Gson
 25 │ Active   │  80 │ 18.0.0                 │ Guava: Google Core Libraries for Java
 26 │ Active   │  80 │ 3.0.0.v201312141243    │ Google Guice (No AOP)
 27 │ Active   │  80 │ 3.12.0.OH              │ nrjavaserial
 28 │ Active   │  80 │ 1.5.8                  │ swagger-annotations
 29 │ Active   │  80 │ 3.19.0.GA              │ Javassist
 31 │ Active   │  80 │ 3.5.2                  │ JmDNS
 34 │ Active   │  80 │ 1.1.0.Final            │ Bean Validation API
 36 │ Active   │  80 │ 2.0.1                  │ javax.ws.rs-api

Net Neutrality And Infrastructure Investments

Ajit Pai claims eliminating net neutrality will spur carriers to invest in network infrastructure. And he’s not exactly wrong – there’s equipment required to QOS traffic to allow companies who have paid access extortion to have their traffic move faster. There’s equipment required to block services for subscribers who haven’t opted to pay for, say, the “Social Media Bundle”. Billing systems will need to be updated, which means more work for developers.

Turning all of the public roadways over to private corporations and allowing them to elect to operate them as free or toll roadways would spur a lot of investment or hiring too. There’s not an automated toll collecting barricade at the end of my street today, or a human toll collector. Imprisoning half a percent of the entire US population spurred a lot of investment and hiring too – new prisons, guards, support staff.

Investment or hiring is not, eo ipso, a boon. Sure it’s great for the company whose products are being purchased. Sure it’s great for the person who just got a job. But for society some impetus for investment and hiring is outright detrimental.

Since Pai has outright stated that he cares naught for public opinion, I am appealing to my members of Congress to enact legislation to enact principles similar to the existing net neutrality regulations. That’s the point of checks and balances in government – the courts could deem the reclassification of Internet providers to be unconstitutional (it isn’t, so not gonna happen). Congress can pass laws changing that which the executive branch needs to enforce. The executive branch can veto the legislative net neutrality bill, but a 2/3 majority in Congress can override the veto. Courts can rule those laws unconstitutional (since the existing regulations have already passed legal challenges, that’s doubtful too).

Nothing Is New

I keep seeing articles hyping the anonymity of bitcoin-type “currency”. That’s not a new concept in value stores. Non-registered bearer bonds allowed untraceable fund transfers. As bearer instruments are not illegal in the United States, such bonds can still be issued. The holder cannot get any tax exemptions on interest paid for the bond, but you can transact business using bearer bonds. And just like bitcoin-type currencies … you’re screwed if someone takes it. Bonds provide legal recourse – bitcoin, not so much. If no one wants to pay a couple hundred thousand dollars for your bitcoin, you have little bits on disk. It’s like an anonymous stock — it’s worth whatever people are currently willing to pay for it.

As a data storage technique – distributed across the world, redundant, but ultimately meaningless in its sub-components to anyone who happens to have a snippet – it’s intriguing. But as a non-dodgy way of transacting business, it’s just silly.

The Colloquial Occam’s Razor

Occam’s razor – it is futile to do with more things that which can be done with fewer – is colloquially rendered as “the simplest solution is the most likely”. We had multiple tickets opened today for authentication failures on an Apache web server. Each malfunctioning site uses LDAP authentication and authorization against an Oracle Unified Directory. Nothing in the error logs. The service account from the Apache configuration can log in and query the directory from the box using ldapsearch, so the account is valid and there is nothing in the OUD preventing access from this particular host.

That’s a puzzler, and I was about to take down a lot of web sites to reload the service with its log level set to debug. Not even sure what made me do it, but I went out to the groups and looked at their member lists. Oops. Something had gone wrong with the identity management platform and employee accounts had been cleared from the groups (all of the contractors were still members, which made it even stranger). Added a few people back into groups appropriate for their position, voila they could log into their site again.

No idea how the identity management group restored the memberships, but verifying people who should have been members (who had been members and had done nothing to remove their memberships) were actually members of the group saved a lot of time running through debug logs. Sometimes the simplest answer is the most likely.