On 12/12/2024 1:42 PM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfg9k$2tnfq$1@dont-email.me...
On 12/12/2024 12:32 PM, Edward Rawde wrote:
Is there any reason the camera can't talk to a phone that is also
hosted by the customer's access point?
>
If you want to let the camera access a phone that is NOT "local",
then let the user subscribe to a DynDNS service -- provided by
any number of competing firms (even the manufacturer -- via a nice
clean OPEN interface).
>
Inbound is problematic for various reasons.
Do you want your cameras accepting inbound connections from anywhere in the world?
>
Vendors have no problem selling "hubs" as a prerequisite to talk to
their devices. Why can't the hub implement a packet filter?
One reason is that the packet filtering would have to be configured specifically for local requirements.
This gets us back to the issue of most people not knowig a packet filter if they fell over it.
Most users have banal needs for a firewall. If running Windows hosts,
then the filter in the host is even finer-grained than a filter in
an external firewall (as the host-based filter can be tailored
to specific applications).
Use that as a selling point: the hub can act to protect the
local network (for a fee!!) while their access point/router likely
has not been reliably configured for that purpose.
>
Ok they don't have access credentials but there's still a risk of an 0-day in a camera system which isn't going to get any more
firmware updates.
>
Simply putting the camera (or any device manufactured by someone who
may or may not be trustworthy) on your "internal network puts you
at risk.
>
E.g., I can open an outbound connection to hostile_actor.com and let
an external agent act as command-and-control, telling me (the camera)
what to do ON THE INTERNAL NETWORK.
I don't permit outbound connections to a long list of countries.
You're thinking two-dimensionally. Your *neighbor*'s PC can be acting as
a C&C node for a foreign actor. Just like the camera INSIDE your "perimeter
defenses" (WELCOMED in!) can act on behalf of some other agency.
IP filtering doesn't buy you any real protection.
I (the camera) can masquerade as any host INSIDE your network when I
want to deliver data to an external agent. Because I can DYNAMICALLY
set my network stack to masquerade as any IP address on a packet-to-packet
basis.
And, I have a good idea what the range of valid IP addresses for your
internal network will be -- based on the address and netmask that you
assigned to *me* when I was installed (or, negotiated my DHCP lease).
Likewise, I can claim my MAC is anything that I want it to be!
If you happen to peruse the logs, there is nothing that tells you
over which "wire" the request came into your switch, AP, etc. So,
you would have to eliminate devices until you stopped seeing "suspicious"
traffic.
All this assuming you are capable of doing so.
I can always whitelist if it does turn out that I need to connect to a server in one of those countries.
See above.
This traffic can be disguised to look innocuous. E.g., resolving
"whatshouldIdo.hostile_actor.com" can deliver data to the camera that
can be augmented by then resolving "whatELSEshouldIdo.hostile_actor.com".
Results can be delivered to the external agency by resolving
"thepasswordisFOOBAR.hostile_actor.com", etc.
>
Or, open an HTTP connection to hostile_actor.com and anyone looking
through the logs (ha!) would just think a user visited a website of
with an oddly suspicious domain name. (So, buy up yahooo.com,
goggle.com, etc.)
>
I would do this myself because I can use a firewall to restrict inbound as necessary and I can quickly add any IP or network
attempting brute force to a blacklist.
But most people have no interest in that.
>
Hence the value of a "hub".
>
I "hide" my file server behind a particular "knock sequence" that is
only known to folks who should need access to it. Trying to probe
the IP address gets you no information -- it looks like there isn't
a machine AT that IP address.
I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the
connection is secure.
Knowing that a server exists is information. (esp if your AUP
prohibits them! :> ) Knowing that there is <something> sitting
at an IP invites probes.
An address that never reacts to your actions is uninteresting.
And, unless you can snoop the actual traffic, you can't know that
the address is actually actively moving data!
Once a connection is granted, there are no limits on what can be
transfered (set up a tunnel and all of those transactions are hidden)
>
Most people just want the pictures on their phone wherever they are and they may wrongly assume that it's impossible for the
pictures to be viewed by anyone other than themselves.
>
<https://www.shodan.io/search?query=camera>
>
Even if you can't (easily) access the video, the fact that someone has
INSTALLED a camera (five cameras??) has informational value.
A nearby store installed cameras not long ago.
The number if cameras (or what looked like there were cameras inside them) made it easy to conclude that they were fake.
Many parts of the US deliver "utilities" (phone, cable, power) via
overhead wiring: "telephone poles". There exist transformers
on these poles (at regular intervals) to step down the mains to
the 240V center tapped that feeds our homes.
Several decades ago, a "transformer" was installed on such a pole
(why was it SUDDENLY needed, there?) outside from a business that
sold "growing supplies" to folks who were suspected of being marijuana
growers.
The joke was that the transformer had NO wires (primary or secondary)
attached to it. And, a large, rectangular region that resembled a
"window" -- on the side facing the business.
"Gee, wanna bet that's a (really poorly disguised) camera??" :>
Win11 explorer bug?
Re: Win11 explorer bug?