Motion with Security

Every time I see a tutorial for setting up a security camera using a Raspberry Pi I cringe. No consideration is given towards the security of what is essentially an IoT device.

DO NOT RUN YOUR SOFTWARE AS ROOT!

Motion both accepts data from the network and hosts a web server (by default, at least), making it extremely dangerous to run as the root user. Fortunately, it’s easy to run motion on a Raspberry Pi in a way that is secure enough for home users. The one thing you should know before continuing is that this is not the most secure way of setting this up, and I would never use it in a corporate environment, but this is perfectly secure for a home environment.

For the purposes of this tutorial, I’m going to assume that you’re running Arch Linux for ARM on your Raspberry Pi. The default user for the Arch Linux image for Raspberry Pi is “alarm”. I’m going to assume that you changed the hostname for your Raspberry Pi to “camera”.

SSH to the Raspberry Pi and enter the root prompt.

ssh alarm@camera
su -

Install motion.

pacman -Syu motion

As root, you need to give the user account access to video devices.

usermod -aG video alarm

The magic that allows us to run motion as a user, instead of as root.

loginctl enable-linger alarm

The default location that motion saves its files to is “/usr/local/apache2”. That’s fine for our purposes, or you can get fancy here.

mkdir /usr/local/apache2
chown alarm:alarm /usr/local/apache2/

And, that’s all we need to do as root to get your camera up and running. You can exit the root shell to continue.

exit

Since you have just created the default location and given your user ownership of that folder, let’s go ahead and test that your user account has access to it by setting up your first camera save location. Make the folder as the “alarm” user. The “-p” flag creates all of the parent folders needed before it creates the full path below.

mkdir -p /usr/local/apache2/htdocs/cam1/

Our config file for motion is going to be saved in the ~/.motion folder, so let’s go ahead and create that. We’re also going to copy the default motion config file so we can make our own changes.

mkdir ~/.motion
cp /etc/motion/motion.conf ~/.motion

That gets us the defaults. You don’t want the defaults. Let’s fix a couple of the big things first. At the very top of the config file is the “Daemon” section. Change both variables so it reads like the following; the changed lines are the “daemon” and “process_id_file” settings.

############################################################
# Daemon
############################################################

# Start in daemon (background) mode and release terminal (default: off)
daemon on

# File to store the process ID, also called pid file. (default: not defined)
process_id_file /home/alarm/.motion/motion.pid

You will probably have to update the “videodevice” variable in the config file. That’s not the focus of this tutorial. I recommend the Arch Linux Wiki for advice on configuring the video device. You may want to finish this tutorial so you get to the point that you’re starting and restarting the motion service on the Raspberry Pi so you can test, before you continue configuring motion.conf.

Make any changes to motion.conf that you think are necessary. The motion.conf file is extensively commented, but the website is also helpful in understanding what all of the options can do.

Now it’s time to get the service set up so it starts automatically on reboot. systemd expects a user’s unit files to be in “~/.config/systemd/user/”. The next commands use paths relative to alarm’s home directory, so run them from there.

mkdir -p .config/systemd/user/
cp /usr/lib/systemd/system/motion.service .config/systemd/user/

Update the PID file location: as a normal user account, you’re not going to be able to write to the default PID location. You also need to update when motion starts, since, again, you’re not root: the unit has to be pulled in by your user session’s default target rather than the system’s, so it waits its turn to start.

vim .config/systemd/user/motion.service

# Change the appropriate lines as follows.
PIDFile=/home/alarm/.motion/motion.pid
WantedBy=default.target

If you’re troubleshooting your webcam, you can now start the motion service and test the website to see if you’re getting video.

systemctl --user start motion

Then navigate to http://camera:8081/ in your browser and see if the webcam or Pi camera module connected to your Raspberry Pi is working. If it’s not working, change your config file and run the “restart” command to restart the service.

systemctl --user restart motion

If everything is working as expected, make it permanent.

systemctl --user enable motion

A little explanation about those last few commands. “systemctl” allows root to start, stop, and restart system services; normal users can’t manage them with that command. “systemctl --user” allows a normal user to start, stop, and restart services that they own; however, in order for that to work at boot, with no one logged in, the user has to be granted permission to do so via the “loginctl enable-linger” command.

And that’s about it. You can try rebooting the Raspberry Pi to verify that motion starts automatically when the system boots up.
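A self-check for the finished setup, written for this page as an added example rather than taken from the tutorial or the motion project: it reads the edited unit file and motion.conf as text, plus a `ps -eo user,comm` listing, so the same functions work against the live Pi or against constructed inputs. The /home/alarm path is the tutorial’s; the function names are my own.

```python
import os
import subprocess


def unit_file_problems(text, home):
    """Check the two lines the tutorial edits in ~/.config/systemd/user/motion.service."""
    lines = {line.strip() for line in text.splitlines()}
    problems = []
    if f"PIDFile={home}/.motion/motion.pid" not in lines:
        problems.append("PIDFile must point into ~/.motion; the system default is not writable")
    if "WantedBy=default.target" not in lines:
        problems.append("WantedBy must be default.target so the user session pulls it in")
    return problems


def conf_problems(text, home):
    """Check the Daemon section of ~/.motion/motion.conf against the unit file."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)  # "option value"; trailing spaces are tolerated
            settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    problems = []
    if settings.get("daemon") != "on":
        problems.append("daemon should be on")
    if settings.get("process_id_file") != f"{home}/.motion/motion.pid":
        problems.append("process_id_file should match the unit's PIDFile")
    return problems


def motion_root_processes(ps_output):
    """Rows of `ps -eo user,comm` output where motion is owned by root."""
    hits = []
    for row in ps_output.splitlines()[1:]:  # first row is the ps header
        if row.split() == ["root", "motion"]:
            hits.append(row.strip())
    return hits


def live_check(home=None):
    """Run every check on this machine and return the list of problems found."""
    home = home or os.path.expanduser("~")
    problems = []
    with open(f"{home}/.config/systemd/user/motion.service") as f:
        problems += unit_file_problems(f.read(), home)
    with open(f"{home}/.motion/motion.conf") as f:
        problems += conf_problems(f.read(), home)
    ps = subprocess.run(["ps", "-eo", "user,comm"], capture_output=True, text=True).stdout
    problems += [f"motion is running as root: {row}" for row in motion_root_processes(ps)]
    return problems


if __name__ == "__main__":
    found = live_check()
    print("\n".join(found) if found else "motion setup looks right and nothing runs as root")
```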

Scribus Problems

As may come as no surprise to you, I run Gentoo, and although it is great, I occasionally have problems installing new software.

A short time ago I installed Scribus to play around with making barcodes but when I tried to run it all I got was the error:
scribus: symbol lookup error: /usr/lib64/scribus/plugins//libscriptplugin.so.0.0.0: undefined symbol: PyUnicodeUCS2_SetDefaultEncoding

I spent quite a bit of time searching for the problem, but no one seemed to know the answer. I set about looking for an answer and found none, so I started looking for an answer on my own. I have had success in the past reinstalling the dependencies of a package that won’t work, so I started there and ran into a problem: lcms wouldn’t compile. The compiler was complaining about a problem with python. I checked:
[ebuild R ] dev-lang/python-2.5.2-r7 USE="gdbm ipv6 ncurses readline ssl threads -berkdb -build -doc -examples -sqlite -tk -ucs2 -wininst" 0 kB

That’s when I noticed the problem. It appears python needs to be built with the ucs2 flag. I ran:
echo dev-lang/python ucs2 >> /etc/portage/package.use
emerge -av python

After that, scribus works no problems. I am putting this out there in hopes that I can help others with this same problem.

HTTP Referer

Your browser, whether you like it (or even know it) or not, sends information about your computer to every website you visit in the form of HTTP headers. Most of the information is harmless, useful, and handy. It tells the web server what kind of character encoding to use, what language, and how (if at all) it can compress the data before it is sent in order to save bandwidth. Two fields are of particular interest, however: the Referer and User-Agent fields. I will get to the User-Agent in a future post, but for now what we will look at is the referer: what it is, what websites do with it, why it is a problem, and what we can do about it. I have seen a resurgence on the popular social networking sites of users being blocked from certain websites based on the referer header, so I thought that I would provide some info about what is going on and how to get around it.

What is the referer?
Very simply, the referer field is used to send the website you visit the address of the last site you were on. Say you’re browsing reddit.com and see a web page that you would like to visit. When you click the link, the web server sees http://reddit.com/ in the referer field.

What is it used for?
Web servers usually have logging software to track how many hits a site gets and where users are coming from. For example, over half of the traffic for http://warnetd.org/ comes from Google one way or another. Many server-side languages such as PHP, Ruby, and even JavaScript can see these headers and act on them.

Why is this a problem?
There are two reasons this is a problem. First, say you are checking out The Pirate Bay and click a link someone left in the comments and it takes you someplace you probably shouldn’t go. Now they know what you were doing, which is more evidence than they need. Second, there are website owners who do not appreciate traffic from certain websites. I feel that administrators don’t have any right to know what websites I have been to. Even if it is only one website every time I visit, the amount of information they can accumulate starts to add up over time.

What can we do about it?
Luckily Firefox users have a number of options, but IE users are not left out. The best solution is to just stop your browser from sending the header. Point a new tab at about:config and in the filter bar type ‘network.http.sendRefererHeader’. The default value is 2, which sends the referer header when you click links and when images are loaded; setting it to 1 only turns off the referer for images, but the point is to disable it for links, so set the value to 0. Double click the line, type 0 (zero) in the box, and click OK. This keeps Firefox from sending the referer header at all, so it protects your privacy and keeps you from having problems. This could cause problems, as once in a blue moon a site will rely on the referer to function properly, but in all my time online I have only ever run into one site that didn’t work, so I had to send referers just that one time. Firefox users can also select from a number of other solutions; I haven’t messed with any of those, but they might be good for someone just looking to get around blocks put on reddit/digg users.
I promised IE users a fix too, so I have another cross-browser Firefox/IE fix (try it on other browsers and let me know) to get around anti-reddit/digg blocks. Browsers are designed to only pass referer info if you click a link; they will not pass info about the site you are on if you type a URL in manually or click a bookmark. Therefore, if you find a site that is blocking you based on your referer (“Digg users go home”), you can copy the URL into the address bar and click Go (right click the link and choose ‘Copy Link Location’ or ‘Copy Shortcut’ and paste it into the address bar). In the case that the site just blocks you and doesn’t redirect you, you can even just click the Go button, and since the browser treats this as if you had entered the address manually it clears the referer; no referer, no block.
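An added example, not from the original post: the “where do visitors come from” tally that a web server’s logging software produces from the Referer field, run over constructed combined-format log lines with hypothetical host lists. A missing or non-http value is counted as direct traffic; the header is whatever the browser chose to send, so it is only a hint and never something to rely on.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Hypothetical groupings; a real analyser would carry much longer lists.
SEARCH_ENGINES = {"google.com", "www.google.com", "search.yahoo.com"}
SOCIAL_SITES = {"reddit.com", "www.reddit.com", "digg.com", "www.digg.com"}


def referer_host(value):
    """Host named by a Referer value, or None when the browser sent nothing useful.
    "-" is how the log records a missing header (typed URL, bookmark, or a browser
    with network.http.sendRefererHeader set to 0); anything that is not an http(s)
    URL is treated the same way rather than trusted."""
    if not value or value == "-":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def classify(host):
    """Bucket a referer host the way a 'where do my visitors come from' report does."""
    if host is None:
        return "direct"
    if host in SEARCH_ENGINES:
        return "search"
    if host in SOCIAL_SITES:
        return "social"
    return "other"


def traffic_by_source(log_lines):
    """Count visits per source; lines that do not parse are counted, not dropped silently."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        counts[classify(referer_host(m.group(2)))] += 1
    return counts


# Constructed sample log (not real traffic); addresses and times are made up.
SAMPLE_LOG = [
    '10.0.0.1 - - [10/Jan/2008:12:00:00 -0500] "GET / HTTP/1.1" 200 512 "http://www.google.com/search?q=referer" "Mozilla/5.0"',
    '10.0.0.2 - - [10/Jan/2008:12:00:05 -0500] "GET /post HTTP/1.1" 200 900 "http://reddit.com/" "Mozilla/5.0"',
    '10.0.0.3 - - [10/Jan/2008:12:00:09 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [10/Jan/2008:12:00:12 -0500] "GET / HTTP/1.1" 200 512 "http://www.google.com/" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2008:12:00:20 -0500] "GET / HTTP/1.1" 200 512 "about:blank" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for source, n in traffic_by_source(SAMPLE_LOG).most_common():
        print(f"{source:9s} {n}")
```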

Wanna try it out? Ryan Tomayko has a challenge that Digg users are blocked from his site, if you’ve followed my instructions why don’t you take him up on that? (hint: click the main title) Try it with and without sendRefererHeader being disabled and see what happens.

Note to Reddit/Digg users. You are always welcome on my site, the day I turn users away just because of the websites they browse is the day I no longer deserve to use the Internet. I don’t care what you do to my site, and if it makes my website better or more useful, more power to you.

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

http://09f9.com/

Oh man, so I have to point out the irony in this entire situation.

For those who don’t know, Digg.com is the website that sparked this viral content. There are a lot of details that I find amazingly hilarious. First of all, some background information…

HD-DVD took more than 12 months to create and, backed by Corporate America, it was supposed to have the ultimate technology in DRM (Digital Rights Management). However, this super special DRM technology was cracked within a couple of months by another geek outside of America. This geek discovered that there is a single string of characters that will unlock the copy protection placed on ANY HD-DVD. This super special string is….

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Digg.com is a website started by the infamous Kevin Rose from the old days of TechTV and The Screen Savers TV show. Don’t get me wrong, I am sure Kevin is a great guy and nice to the ladies and all, but the man may have a screwed idea of the IT Industry for he has turned his back on countless communities which he has either started himself or used to take himself places. Kevin doesn’t seem to have any ties to any ideals adopted by most online communities and doesn’t seem to care about the fate of any online community he may be a part of. Digg.com is basically a website dedicated to finding other viral websites. Digg.com is also sponsored by the same corporation that created HD-DVD.

So of course, when people began to find out that some geek cracked the DRM on HD-DVD, the websites that had the key were digged by the diggers at digg.com. The sponsors, obviously, did not like this very much at all. They immediately requested Kevin to take down the links to the key and at first he obeyed.

(stop) — OK, so this is where we see the nature of Kevin Rose at work. He claims to support the little geek, he claims to fight for freedom on the digital frontier, he starts multiple online communities and then abandons them. However, unlike the true leaders of the digital frontier, Kevin bows to capitalism before community and leaves his followers empty handed.

Anyways, so Kevin removes the links to the HD-DVD key and what results is a digg.com revolt! Diggers everywhere, all across the world, begin to bash Kevin and digg.com for the unfavorable failure to sustain a backbone. The effect grows beyond control and for once Kevin lets the community cause a chill to run up his spine.

So he gives in. He responds to the community by leaving the links to the HD-DVD key on his site, but by now it’s too late. The key is everywhere, people everywhere have it and are continuing to put it on the Internet in new and creative ways. This is a classic tale that will leave our generation telling tales and pulling a few laughs in our later days.

I have nothing to say to those who place their idols up on pedestals.

Another article: http://blog.wired.com/gadgets/2007/02/the_new_hddvdbl.html
HD-DVD Key T-Shirt: http://www.nerdyshirts.com/productdetails.aspx?id=100089931

DIFRwear Faraday Caged Apparel


If you haven’t heard, there have been a couple of bills passed in the last few years that require RFID tags to be placed in driver’s licenses and passports, not to mention that they are already being included in credit cards. A scary prospect, considering that anyone with some spare parts can read these tags from up to 69 feet away! On top of that, people are already cracking the ‘encryption’ used to protect the sensitive data on these cards.

So, what can be done to protect the valuable data that you are carrying around in your wallet or purse? Enter DIFRwear. They have come out with a line of wallets and passport cases that contain a layer of material that blocks radio frequencies from escaping your wallet into the hands of anyone who cares to have it.

I have not gotten my hands on one of these to test it yet, but the video demonstrations on their site seem pretty convincing. Expect another post on this topic when my wallet gets in the mail; I’ll let you know if they live up to their claim.

New Year Predictions

Since this is the time of the year most people are predicting what is going to happen over the next year, we thought that we would chip in with our own predictions for the coming year.

1. MySpace will be hacked and many users’ profiles will be defaced.

2. Bluetooth hacking will gain momentum and press coverage.

3. WiMax will continue to flounder here in the US.

4. It will become increasingly difficult to find a cell phone without a camera.

5. The Open Source Movement will make some significant headway with the introduction of the GPL-3.

6. There will still be long lines to get a PS3 this next Christmas. Also, we may not be legally allowed to refer to the Christmas holiday using that word.

7. The Wii will still not be taken seriously. (at least, we hope)

8. Hacking the Xbox360 will take on new meaning when someone uses Xbox Live to take control of someone else’s Xbox. More specifically, a worm.

9. Blu-ray will quickly gain wide market acceptance and will leave HD-DVD in the dust. Blu-ray DRM will be cracked wide open.

10. Windows Vista won’t be available this year. When it hits the shelves, it will gain a premature market adoption and force many home users with new computers to upgrade to Vista or be unable to run critical software. It will be rushed.

11. With the introduction of IE7, tiered Internet will start to form around which browser you are using. At least, for Microsoft and friends products and services.

Truly Random

Most random number generators don’t actually generate truly random numbers, but numbers that look random. These are called Pseudo Random Number Generators. Well, there are people out there who have set up services to generate truly random numbers. My favorite is Random.org.

Random.org generates random numbers by feeding noise from a radio tuned to static into a special program that turns the noise into numbers and then makes sure the numbers are really random. The numbers are then provided to the user live and guarantee that no two people get sent the same data.

Random.org provides several different services for those seeking random numbers. They offer the staple random integers, which gives you random numbers between a low value and a high value. They offer random sequences which can emulate coin flips or pulls from a deck of cards. They will give you just plain raw bits of random data.

My preferred form of random data, however, is the random bitmap images. After generating random data, the system then formats the image as an XBM and prints it to the screen. An example of a random image is the one at the top of this post.

The Random.org people recommend not using the random numbers to generate GPG keys or for other secure applications like that, because the numbers are sent over an unencrypted connection, but the website is just too fun not to use.
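As an added example (not random.org’s code and not from the original post), here is how a stream of random bits becomes an XBM image like the one the post describes, plus the monobit frequency test as a first sanity check on the bits. The bits come from the operating system’s CSPRNG via Python’s secrets module, standing in for random.org’s radio-noise source; random.org’s own pipeline is not reproduced.

```python
import math
import secrets


def random_bits(n):
    """n bits from the OS CSPRNG (assumption: a local stand-in for the radio noise)."""
    value = secrets.randbits(n)
    return [(value >> i) & 1 for i in range(n)]


def bits_to_xbm(bits, width, height, name="random"):
    """Render width*height bits as an XBM image (1 = black pixel).
    XBM packs each row into bytes, least significant bit first, padded to a byte."""
    if len(bits) < width * height:
        raise ValueError("not enough bits for the requested size")
    row_bytes = (width + 7) // 8
    out = []
    for y in range(height):
        row = bits[y * width:(y + 1) * width]
        for b in range(row_bytes):
            byte = 0
            for i in range(8):
                x = b * 8 + i
                if x < width and row[x]:   # padding bits past the width stay zero
                    byte |= 1 << i
            out.append(f"0x{byte:02x}")
    body = ",\n   ".join(", ".join(out[i:i + 12]) for i in range(0, len(out), 12))
    return (f"#define {name}_width {width}\n#define {name}_height {height}\n"
            f"static unsigned char {name}_bits[] = {{\n   {body} }};\n")


def monobit_p_value(bits):
    """NIST SP 800-22 frequency (monobit) test: p-value for 'ones and zeros are balanced'.
    A p-value below 0.01 means the stream fails; a good source passes almost always."""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))


if __name__ == "__main__":
    bits = random_bits(64 * 64)
    print(bits_to_xbm(bits, 64, 64))
    print("monobit p-value:", monobit_p_value(bits))
```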

A new spin on Virtual Private Networking

Virtual Private Networking has been a fairly popular subject for many years now. However, the constant battle with implementing these types of networks is with NAT (Network Address Translation), which tends to break these types of connections.

A fairly new software application to come out of Canada as closed source (those silly Canadians) is a program called Hamachi (named after a deep sea fish). Hamachi is a program that essentially runs as a daemon in the background of a host operating system adding a virtual network interface.

Logging into this program sets you up with Hamachi’s open source and freely available handshaking server software. You get your own IP address for this virtual interface.

But this, my friends, is not just an ordinary IP address. It’s in the reserved 5.0.0.0 IP space. It is supposedly reserved for private networking. You get such an IP address for free and it’s yours forever and always.

The Hamachi client software is capable of digesting a 63-character random extended alphanumeric password from Steve Gibson’s password generator at www.grc.com/passwords.

This software is operating system independent, running at the lower network layers of the host operating system. It works with Windows, Mac OS X, and of course, Linux. In Linux, its primary interface is the CLI (Command Line Interface), but the project gHamachi is a GNOME graphical front-end which represents how Hamachi would appear in the other two operating systems.

So what exactly is so absurd about Hamachi? It’s all about the IP address. How cool is a 5.0.0.0 IP address that’s yours, no one else can have it, and you can get to it from anywhere! It’s externally routable, but yet only Hamachi-equipped PCs can connect to these machines. It’s also capable of what’s called NAT Traversal. This means it can find its way through your piece of crap Linksys routers at both ends with a reported 90% success rate.

Lastly, Hamachi is transparent to the point that gaming over a Hamachi LAN is a popular application.