Nest Cam Outdoor – My experiences

So a couple of months ago some bastard keyed my car. My initial knee-jerk reaction was to buy a CCTV camera to watch over it in case it happened again, so I'd know whose knees to break. So the search began, and I wanted something fast.

I looked at a couple of offerings but I wanted something easy and quick to install, preferably without too many cables to run around the house. I settled on the Nest Cam Outdoor, having owned their thermostat for a year and been very pleased with its performance and functionality.

When the camera arrived it was very well packaged with the usual plethora of mounting hardware. The kit comes with long enough cables for most installations and all the required fixing hardware, including cable clips, which was nice.

The mounting system for the camera uses strong magnets to hold it in place. While this is a novel idea, in practice a well-aimed football will knock the camera off the wall and render it useless. Points lost there, unfortunately.

The cable attached to the Nest has a ruggedised USB connector on it that's approximately 18mm in diameter. All well and good until you need to run it through a wall. I know this camera is meant for American homes, which I presume mostly have outdoor power outlets, but that's an uncommon facility in the UK. Drilling an 18mm+ hole in a double-skinned brick wall is no simple task. More points lost there.

Once installed, the camera is easy to set up using the Nest iOS or Android apps: scan the code with the app and away you go. Don't forget you'll need a constant internet connection for the camera to work, though. There is no local storage; everything goes straight to Nest's cloud.

The video quality of the camera, even in daylight, is shit considering it is allegedly 1080p. While the camera sensor probably is 1080p, the camera compresses the nuts off the video to upload it to Google's cloud platform, losing most of the quality. I honestly can't even read the number plate of my car from the video, and the car is parked maybe 15 feet from the camera, if that. Image quality is even worse at night.

Remember Google's cloud platform I just mentioned? Without a Nest Aware subscription the camera only keeps 3 hours of footage; pay up and you get 10 days or 30 days of history, whichever tickles your fancy. This isn't particularly well communicated by Nest either, to the point that when my "free trial" expired I didn't even get a notification to say "Hey, your camera has just deleted all video over three hours old! Best break the credit card out!" Thinking about this logically, if somebody broke into my car between 1am and 3am and I didn't look at the app before 6am, I wouldn't have any footage of it at all. What's the point?

In conclusion, don't buy this camera. Without a subscription it's effectively a glorified, very expensive video doorbell, which wouldn't be so bad if the camera didn't cost so fucking much to start with. Even then, you can't make out facial features unless the camera is installed at a height where the magnets make it easy to sabotage. Again, what's the point?

Honestly, don't waste your money. This device has the potential to be awesome, but is used as a cash cow by Nest instead.

The S**t Software Vendors Say

Software vendors can be really knowledgeable, helpful and a pleasure to work with. As with any professional community, though, there are those who let the collective down with a lack of knowledge, communication skills or common sense. Here are some of the classic queries I have had from vendors and consultants over the years, and the best way to deal with them.

“Our application requires sysadmin privilege on the database server to work properly”

I've brought this one up first because it is by far the most common I have come across over the years. The answer is simple: NO application should require sysadmin. Even the most poorly coded application should only need db_owner on its own database, and that's at a push; even that isn't ideal from a security perspective, since db_owner can do anything inside that database, including adding users and dropping it.

If you receive this query, I implore you to refuse the request and ask them to provide the actual required privileges: which tables, which stored procedures, and which verbs (SELECT, INSERT, UPDATE, DELETE, EXECUTE) on each. Ask them to escalate it to their developers if need be. You'd be surprised how few permissions the application usually needs to function.

Requiring sysadmin is one of those things that should raise a red flag instantly. I'd seriously question the competence of the vendor if they continue to insist on this point. Bear in mind that sysadmin on SQL Server isn't just a database problem: a sysadmin login can enable xp_cmdshell and run commands on the host OS, so a compromised application account becomes a compromised server. Even if the database server instance is dedicated to the application, secure it. It's the smaller database installations that tend to get breached first, and their application probably stores your users' passwords in there. Probably the same password they use to log on to every system in your network.

“Our application HAS to use that database password” or “We can only use the SA account on the database server”

Don't let vendors dictate the password or user account used to access your database server. Using a generic password for all installations, or requiring the SA password on your SQL box, just isn't cricket. It shows complete incompetence on the part of the vendor and/or the developers: a password shared across every customer is a password every one of their ex-employees knows, and using SA means the application owns the whole instance.

Enforce your password policy on them just like any other service account. There is no excuse they can give for not being able to accommodate it except sheer laziness.

Even if the database server instance runs locally on the application server, enforce the password policy. Leaked and default credentials feature in a huge share of breaches, and a vendor-wide default is exactly the kind of credential that ends up in a password list.
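As an added example (not from the original post, and not any vendor's code), here is how I handle the two requests above in one go: take the vendor's permission list, throw out anything owner-level, and generate a T-SQL grant script that creates the login with CHECK_POLICY = ON so the Windows password policy applies, maps it only into its own database, and grants exactly what was approved. The login name, database name and the request list are constructed for illustration; the password is left as a sqlcmd variable so it never lands in the script. It assumes SQL Server 2012 or later (for ALTER ROLE ... ADD MEMBER) and Python 3.8 or later.

```python
import re

# Roles that hand over the whole instance or whole database: never grant these on a vendor's say-so.
FORBIDDEN = {"sysadmin", "securityadmin", "serveradmin", "dbcreator", "control server",
             "sa", "db_owner", "db_securityadmin", "db_accessadmin"}
# Fixed database roles that are acceptable for an application account on its own database.
ALLOWED_ROLES = {"db_datareader", "db_datawriter"}
# Object-level verbs we will grant explicitly.
ALLOWED_VERBS = {"SELECT", "INSERT", "UPDATE", "DELETE", "EXECUTE"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
PERM = re.compile(r"^(\w+)\s+on\s+(\S+)$", re.IGNORECASE)


def bracket(schema_object: str) -> str:
    """Quote 'schema.object' as [schema].[object]; reject anything that is not a plain identifier,
    because this text is going straight into a script we will run as a privileged DBA."""
    parts = schema_object.split(".")
    if len(parts) != 2 or not all(IDENT.match(p) for p in parts):
        raise ValueError(f"unsafe object name: {schema_object!r}")
    return f"[{parts[0]}].[{parts[1]}]"


def review_request(requested):
    """Split a vendor's permission list into (approved, rejected).

    approved: tuples ("role", role_name, None) or ("grant", VERB, "[schema].[object]")
    rejected: tuples (original_item, reason) to send back to the vendor
    """
    approved, rejected = [], []
    for raw in requested:
        item = raw.strip()
        low = item.lower()
        if low in FORBIDDEN:
            rejected.append((raw, "owner-level role: ask for the actual permissions instead"))
        elif low in ALLOWED_ROLES:
            approved.append(("role", low, None))
        elif (m := PERM.match(item)) and m.group(1).upper() in ALLOWED_VERBS:
            try:
                approved.append(("grant", m.group(1).upper(), bracket(m.group(2))))
            except ValueError as exc:
                rejected.append((raw, str(exc)))
        else:
            rejected.append((raw, "not a recognised object-level permission"))
    return approved, rejected


def grant_script(login: str, database: str, approved) -> str:
    """Emit T-SQL that creates the login with the password policy enforced, maps it only into the
    application's database and grants exactly what was approved. The password is the sqlcmd
    variable $(AppPassword), supplied at run time with `sqlcmd -v AppPassword=...`."""
    for name in (login, database):
        if not IDENT.match(name):
            raise ValueError(f"unsafe identifier: {name!r}")
    lines = [
        f"CREATE LOGIN [{login}] WITH PASSWORD = '$(AppPassword)', CHECK_POLICY = ON;",
        f"USE [{database}];",
        f"CREATE USER [{login}] FOR LOGIN [{login}];",
    ]
    for kind, what, target in approved:
        if kind == "role":
            lines.append(f"ALTER ROLE [{what}] ADD MEMBER [{login}];")
        else:
            lines.append(f"GRANT {what} ON {target} TO [{login}];")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed vendor request, including the classic "we need sysadmin" and a dodgy object name.
    request = ["sysadmin", "SELECT on dbo.Orders", "EXECUTE on dbo.usp_ProcessOrder",
               "db_datareader", "SELECT on dbo.Orders;--"]
    ok, bad = review_request(request)
    for item, why in bad:
        print(f"REJECTED {item!r}: {why}")
    print(grant_script("vendor_app", "VendorDb", ok))
```

The rejected list is what goes back to the vendor; the script is what you run, once, with the password pulled from your own vault rather than theirs.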

“We support virtualisation. Just plug this license dongle into one of your hosts”

Just no. If software needs a licence dongle, it doesn't support virtualisation. Granted, the application will run, but the major selling point of virtualisation is high availability, which fails the second the host with the dongle plugged in goes down for any reason: a VM pinned to one host for its USB device can't be migrated anywhere else.

Unfortunately there isn't much that can be done about this problem. Just make sure you communicate to your company that all that metal they bought to support HA can't protect seriously outdated software that still relies on archaic licensing technology.

"We need XX amount of RAM for the application, even though it's virtualised"

On rare occasions this statement is true. The vast majority of the time, though, applications don't need 48GB of RAM assigned to a virtual server that runs a simple service.

As a general rule of thumb, a VM actually uses a fraction of the memory allocated to it; the guest OS fills the rest with cached data that it rarely touches. Check your VM performance charts for memory and you'll see the active memory usage, which is the number to size on.

I generally kick back on the consultant / vendor to produce some sizing reports based on our company's projected usage. If in doubt, or they won't supply the information, I allocate the memory as requested, but gradually reduce the amount allocated during maintenance windows to find the "happy medium" between performance and wasted memory allocation.
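As an added example (not from the original post), here is how I'd turn those performance-chart numbers into a right-sizing figure and a step-down schedule for the maintenance windows. The sample readings are constructed; the 95th-percentile target, 30% headroom, 2GB floor and 1GB granularity are my assumptions, so adjust them to your own estate.

```python
import math


def percentile(samples, pct):
    """Nearest-rank percentile of a list of numbers (samples need not be sorted)."""
    s = sorted(samples)
    k = max(0, math.ceil(pct / 100 * len(s)) - 1)
    return s[k]


def recommend_allocation_mb(active_mb, headroom=0.30, floor_mb=2048, step_mb=1024):
    """Recommend a VM memory allocation from a series of active-memory samples (MB).

    Sizes on the 95th percentile of observed active memory plus headroom, never below
    floor_mb, rounded up to the next step_mb boundary so the figure is a sensible VM size.
    """
    if not active_mb:
        raise ValueError("need at least one sample")
    p95 = percentile(active_mb, 95)
    target = max(floor_mb, p95 * (1 + headroom))
    return int(math.ceil(target / step_mb) * step_mb)


def step_down_plan(current_mb, target_mb, fraction=0.25):
    """Allocations to apply one per maintenance window: cut by `fraction` each time and land
    exactly on target_mb, so the last step never undershoots the recommendation."""
    plan = []
    mb = current_mb
    while mb > target_mb:
        mb = max(target_mb, int(mb * (1 - fraction)))
        plan.append(mb)
    return plan


if __name__ == "__main__":
    # Constructed active-memory readings (MB) from a "needs 48GB" VM, sampled over a day.
    readings = [3100, 3400, 2900, 4100, 3800, 5200, 3600, 4400, 3300, 4700,
                5500, 3900, 4200, 3700, 6100, 4000, 3500, 4600, 7200, 3800]
    target = recommend_allocation_mb(readings)
    print(f"recommended allocation: {target} MB")
    print("step-down plan (MB):", step_down_plan(48 * 1024, target))
```

With the readings above the recommendation comes out at 8GB and the plan walks the VM down from 48GB over seven windows, so a surprise in the application's memory behaviour shows up long before you reach the floor.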

“We only support remote support via [insert free remote access services here].”

Just say no. I've lost count of how many times a consultant or vendor has tried to install some agent-based remote access tool like LogMeIn or TeamViewer on a server. Don't allow it. The last thing you want is an agent running inside your network that is tied to your vendor's remote access account, outside your control and your audit trail, dialling out to a service you don't administer so that the connection never looks inbound to your firewall.

Imagine if the vendor fired one of their helpdesk engineers who still has the username and password to their LogMeIn account. It doesn't bear thinking about.

The best way to deal with this is to provide your own method of remote access to your server, with an account you control: enable it for the duration of the support session, disable it afterwards, and keep the logs. Then write a policy that you make vendors sign before allowing access. It might seem like more work for you, but it's a much more secure arrangement than most of the options the vendor provides.

This solution doesn't have to be complicated or expensive. You could use Microsoft's Remote Desktop Gateway, for example, which is a role of Windows Server and so doesn't cost anything extra to use (providing you have enough server licences, of course).

“We don’t support HTTPS”

Sack them off immediately. Any software that doesn't support the most basic security protocols like HTTPS doesn't belong in enterprise IT. Without it, every credential and every record the application serves crosses your network in the clear.

What they usually mean is they don't know how to enable HTTPS in IIS, Apache or Nginx. Do you want to use an application developed by a company that doesn't know the technology its application runs on? Nope.

“We can’t resolve your email server at address (192.168.20.3 ) Can’t you take a look?”

This isn't a common one, to be fair; I only recently came across it. For starters it's an IP address, so it doesn't need resolving. Secondly there's a trailing space in it, which almost certainly means the application isn't trimming the configured value: "192.168.20.3 " doesn't parse as an IP literal, so the code falls back to treating it as a hostname and asks DNS for it, and DNS has no record for a name like that. Trim the value (or fix the config) and the problem goes away.

This one nudges back at the common sense (or lack of it) I mentioned earlier. It amazes me that we pay tens of thousands for consultants and they struggle with even the simplest everyday administrative tasks.
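As an added example (not from the original post, and not the vendor's code, whose language I don't know), here is the right way to handle a configured mail-server address, next to the naive version that reproduces the ticket above. The fixed version trims the value, uses it directly if it is an IPv4 or IPv6 literal, only hands syntactically valid hostnames to DNS, and refuses anything else with a clear error instead of a confusing "can't resolve". The sample inputs are constructed.

```python
import ipaddress
import re

# One RFC 1123 hostname label: letters, digits and hyphens, no leading or trailing hyphen, 1-63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_target(value: str):
    """Classify a configured server address.

    Returns (kind, normalised) where kind is:
      'ip'       - use the literal directly, no DNS lookup needed
      'hostname' - syntactically valid name, safe to pass to DNS
      'invalid'  - refuse to start and log the raw value so the admin can see the problem
    """
    cleaned = value.strip()
    try:
        return "ip", str(ipaddress.ip_address(cleaned))
    except ValueError:
        pass  # not an IPv4/IPv6 literal, try it as a hostname
    host = cleaned.rstrip(".")  # tolerate a trailing dot (fully qualified form)
    if 0 < len(host) <= 253 and all(LABEL.match(label) for label in host.split(".")):
        return "hostname", host.lower()
    return "invalid", value


def naive_classify(value: str):
    """The failure mode from the vendor's ticket: no trimming, so '192.168.20.3 ' is not a
    parseable literal and is handed to DNS as a hostname, which has no record for it."""
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        return "hostname", value


if __name__ == "__main__":
    # Constructed config values: the ticket's trailing space, a FQDN with stray whitespace,
    # an IPv6 literal, and something that should never reach a resolver.
    for raw in ["192.168.20.3 ", " Mail.example.com. ", "2001:db8::25", "192.168.20.3; rm -rf /"]:
        print(f"{raw!r:28} naive={naive_classify(raw)!r:40} fixed={classify_target(raw)!r}")
```

The point is that the resolver is only ever asked about something that can legitimately have a DNS record; an IP literal, with or without stray whitespace, never gets near it.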

Conclusion

I know this post is a bit of a rant. It was meant to be, to be fair. I also know I paint a bad picture of software vendors and consultants, so I should probably point out that not all vendors, consultants or helpdesk engineers are cut from the same mould. Some of the vendors I have dealt with have been excellent and great to work with. Unfortunately it's the bad ones that burn experiences into your memory, not the ones you can just rely on to do a good job.

One thing I have taken away from my experiences is not to allow vendors or consultants to do whatever they want, and not to let them back you into a corner when it comes to best practice or security. At the end of the day, it's your desk your boss will be standing over when the shit hits the fan.

Unfortunately we will never eradicate bad vendors or consultants, because they are the ones who don't mind bullshitting your executives and project managers to win the work. That's just the way enterprise software goes, so embrace it, and enjoy making them look like idiots when they CC the world into an email thread trying to blame their poor performance on you, your department or your infrastructure.

Seriously? Brexit?

I'm getting sick and tired of hearing about Brexit now. It's all I ever seem to see in the news app on my iPhone, and all I seem to see on the news on TV. Why anybody thought Brexit was a good idea is beyond me.

For starters, most of the muppets who voted to leave the European Union in last year's referendum don't even know themselves why they wanted to leave. Some of the interviews on the news, showing people giving bollocks excuses about immigration etc. as the reason they voted leave and then being told on live TV that their rationale was wrong, were cringeworthy.

Then there were the politicians in the leave camp, lying through their teeth and scaremongering to try to rack up the leave votes. I still don't understand how they have managed to get away with lying to the public. Surely it's classed as rigging a vote. Personally I'd put them in prison.

And now where do we stand? On the fence, of course. Nobody knows exactly what will happen. The government seems to think it can negotiate an exit from the EU and keep access to all of the perks the EU brings to the table, while eliminating the disadvantages. Surely they can't think that will work?

In all seriousness, the referendum shouldn't have happened the way it did. The vote count should have had limits imposed, such as 60% either way, and the government should have laid the exact terms of Britain's exit from the EU out on the table before the referendum happened. At least then the public could have made informed votes based on truth and foresight.

But no. We ended up with the shit fest we are in now. Looks like Cameron managed to bail at just the right time.


via Daily Prompt: Seriousness

The Pirate Bay; The Lesser of Two Evils

A few years ago the courts in the UK ordered that UK ISPs block access to the popular torrent site The Pirate Bay. Fair enough. But was that a wise decision, or one made by dinosaurs who don't understand the current digital landscape?

Torrent sites like The Pirate Bay have been an effective malware distribution vector for years. Non-savvy consumers often Google "(latest movie here) free download" and end up at a site such as TPB to download the latest flick. Unfortunately deviants (pronounced Dick Heads) took notice of this and started seeding infected wares to build their botnets, or to extort money out of unassuming folk by encrypting their baby pictures and cat videos.

So blocking access to TPB was a good thing, right? I don't think it was.

Now when people try to obtain illegitimate copies of software, movies, music etc., they end up at smaller torrent sites, a lot of which are funded by the same deviants who used to target consumers through TPB.

For slightly more savvy users, TPB is still accessible by googling "TPB proxy" and choosing one of the many proxies available for free. The problem with these proxies is that they too are riddled with malware, trying to take advantage of people looking to save a few quid.

So, with Sony's PlayStation Network sustaining massive DDoS attacks on a regular basis, I can't help but think that the majority of the infected nodes in the botnet are probably the result of consumers trying to circumvent the UK TPB block and ending up on a less reputable website. I bet Sony didn't consider that when they approached the courts to ban TPB.

This is all speculation of course. I'd bet my last dollar on it being at least partially accurate, though.

Schools and Holidays

One thing that really gets my goat is the whole “you’re not allowed to take your kids out of school for a holiday” rule in the UK. Fuck you government. If I want to take my kids on holiday I will. Fine or no fine.

It's obvious what's going on here, though. Since the price of holidays during school term time is considerably cheaper, the government loses out on taxes on air travel etc. Obviously that isn't acceptable. How will the pricks in Westminster pay for their third and fourth homes if we keep finding clever ways to get things cheaper and paying less tax into their expense funds?

As it turns out, it's usually cheaper to pay for a holiday in term time and then just add the £70 fine per child to the total cost; you still end up saving an arm and a leg compared to booking a holiday during the school holidays.

The whole system is flawed really. Unless you look at it from the perspective of the corrupt wankers in UK parliament.

Rant over.