Anyone tried Security Camera Warehouse (SCW) NVRs and Cameras?

fenderman (Staff member, joined Mar 9, 2014):
This isn't how the hardware works. An airgap protects the cameras from being accessed by something other than the NVR. All processes to the camera must originate in the NVR. So, no camera can be hacked if the NVR isn't hacked. That's how this works.

I don't really know how UNV does it. That's proprietary and they haven't told me.

But I can tell you that this isn't nonsense. Here's one way to do it: use a reverse SSH, which is an even more highly secure form of protecting client data than even a VPN.

With a reverse SSH, the edge device can deposit files into a trusted repository (like a cloud or a NVR) and can look at files in the edge repository for instructions on what it should do (like settings changes or firmware updates), but unlike a VPN it cannot receive directions - at all. All communication with a reverse SSH device is outgoing. All communications to the device are blocked - even the central server cannot send it instructions outside of its existing parameters.

The only way to compromise a reverse SSH is for both the trusted device to be hacked and for the hacker to have knowledge of what files the edge device has been instructed to look for and what validation (hashing algorithm based on mac address, timestamp based hash, whatever) is required for the files to be accepted by the edge device.
You keep repeating the same bullshit. Once again, there IS NO AIRGAP if the NVR can be hacked. Who cares if the cameras cannot be hit (which is unlikely, but assuming arguendo they cannot) the NVR is vulnerable.
Your reverse ssh comment is irrelevant - your users are not implementing it.
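The pull-and-validate pattern described in the quoted post (edge device fetches instruction files from a repository and accepts only those that pass validation) is shown below as an added example; it is not code from this thread, from SCW, Cirrus or UNV. It assumes an HMAC-SHA256 tag over a canonical JSON payload, keyed with a per-device secret provisioned at install time (a hash derived from the MAC address, which the post mentions as one option, is not used here because a MAC is not secret), plus a freshness window, a monotonic sequence number and an action allow-list. All names, the device id and the secret are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed values: in a real deployment the secret is provisioned per device.
DEVICE_ID = "edge-0001"
DEVICE_SECRET = b"provisioned-at-install-example-secret"
ALLOWED_ACTIONS = {"set_setting", "update_firmware"}
MAX_AGE_SECONDS = 300  # reject instructions older (or more future-dated) than this


def canonical(payload: dict) -> bytes:
    """Stable byte encoding so server and edge sign exactly the same thing."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_instruction(payload: dict, secret: bytes = DEVICE_SECRET) -> dict:
    """Repository side: wrap an instruction in the envelope the edge will check."""
    tag = hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def validate_instruction(envelope: dict, now=None, last_seq: int = 0,
                         secret: bytes = DEVICE_SECRET):
    """Edge side: return (accepted, reason). Nothing is executed unless accepted."""
    now = time.time() if now is None else now
    payload = envelope.get("payload")
    tag = envelope.get("mac")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        return False, "malformed envelope"
    # Authenticity first: a bad tag means nothing else in the file can be trusted.
    expected = hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    # Binding to this device stops a file meant for one unit being fed to another.
    if payload.get("device_id") != DEVICE_ID:
        return False, "wrong device"
    ts = payload.get("issued_at")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_AGE_SECONDS:
        return False, "stale or future-dated"
    # Monotonic sequence number: an old, validly signed file cannot be replayed.
    seq = payload.get("seq")
    if not isinstance(seq, int) or seq <= last_seq:
        return False, "replayed sequence"
    # Allow-list keeps the repository from widening what the edge will do.
    if payload.get("action") not in ALLOWED_ACTIONS:
        return False, "action not in allow-list"
    return True, "ok"


def poll_repository(envelopes, now, last_seq: int = 0):
    """Process one batch pulled from the repository in order.

    Returns ([(seq, accepted, reason), ...], new_last_seq).
    """
    results = []
    for env in envelopes:
        payload = env.get("payload")
        seq = payload.get("seq") if isinstance(payload, dict) else None
        ok, reason = validate_instruction(env, now=now, last_seq=last_seq)
        if ok:
            last_seq = seq
        results.append((seq, ok, reason))
    return results, last_seq


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value for a reproducible run
    good = sign_instruction({"device_id": DEVICE_ID, "seq": 1, "issued_at": now - 10,
                             "action": "set_setting", "args": {"fps": 15}})
    tampered = {"payload": dict(good["payload"], args={"fps": 30}), "mac": good["mac"]}
    shell = sign_instruction({"device_id": DEVICE_ID, "seq": 2, "issued_at": now,
                              "action": "run_shell", "args": {"cmd": "id"}})
    for seq, ok, reason in poll_repository([good, tampered, good, shell], now)[0]:
        print(f"seq={seq} accepted={ok} reason={reason}")
```

Note that the checks run in a fixed order (tag, device binding, freshness, sequence, allow-list) and the function returns the first failure, so the edge never acts on a file that fails any one of them; the repository being compromised only gets an attacker the ability to drop files that will be rejected.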
 

mnederlanden (Young grasshopper, joined May 28, 2019, USA):
that no longer receive any updates because they decided to label the machine EOL. What is the user to do at that point?
I love this. I'm glad you point this out. This is the sad state of IOT (NVRs cameras, smart speakers, smart locks, etc) currently. Stuff gets discontinued and then abandoned way too quick. I'm hoping to change this.
 

mnederlanden (Young grasshopper, joined May 28, 2019, USA):
Your reverse ssh comment is irrelevant - your users are not implementing it.
I'm not asking them. That's far too complex for them. I'll be building it into our software suite. Soon you won't have to do a VPN or open ports.

P.S. we haven't settled on a reverse SSH as the best method, just something we're trying for now.
 

fenderman (Staff member, joined Mar 9, 2014):
I love this. I'm glad you point this out. This is the sad state of IOT (NVRs cameras, smart speakers, smart locks, etc) currently. Stuff gets discontinued and then abandoned way too quick. I'm hoping to change this.
The solution, at least with cameras is going to be SAST open firmware by bosch. Hopefully something similar will come for NVRs.
 

fenderman (Staff member, joined Mar 9, 2014):
I'm not asking them. That's far too complex for them. I'll be building it into our software suite. Soon you won't have to do a VPN or open ports.
Yes, they will just have to trust you and your servers :rolleyes:. It's better than trusting hik/dahua, I'll give you that much. It's a step in the right direction.
 

mat200 (IPCT Contributor, joined Jan 17, 2017):
.. We're one of their largest customers. They fix bugs for us weekly.

This is really no different than your scenario with Blue Iris. You guys move a lot of product and you get power because of that with the developer. That's a good thing. You help him manage his bugs and know which bugs are more important at any given point. It is soft power, yes, but it is power nonetheless.
Hi Matt @mnederlanden

As these are linux based, is the source code available?
 

mnederlanden (Young grasshopper, joined May 28, 2019, USA):
No, our partner doesn't publish source code.

I think the only open source projects available right now are Zoneminder, Shinobi, and ONVIF Device Manager. There's several more being worked on, but those are the only ones I know of that are currently downloadable. SAST is coming and we're working on a project, so there should be more options soon.

The founder / developer of Shinobi - Simple CCTV and NVR Solution - Home is active on Reddit. His handle is /u/moeiscool . He's very nice and professional.

I'm not fond of zoneminder. Any software platform that takes an "I'll never work with non-open-source OSes - like Windows" stance isn't going to sit well with me. There's a purist personality that wants that, but for me this feels like putting principles before the user experience, so I won't recommend it - but almost everyone my company serves uses MacOS or Windows.

Warning: ONVIF Device Manager has had rumors for years that it has malicious code hidden in plain sight and that its team has connections with the Kaspersky team. I don't think this claim has been proven, but I have not looked into it myself.
 

mat200 (IPCT Contributor, joined Jan 17, 2017):
No, our partner doesn't publish source code.

I think the only open source projects available right now are Zoneminder, Shinobi, and ONVIF Device Manager. There's several more being worked on, but those are the only ones I know of that are currently downloadable. SAST is coming and we're working on a project, so there should be more options soon.

The founder / developer of Shinobi - Simple CCTV and NVR Solution - Home is active on Reddit. His handle is /u/moeiscool . He's very nice and professional.

I'm not fond of zoneminder. Any software platform that takes an "I'll never work with non-open-source OSes - like Windows" stance isn't going to sit well with me. There's a purist personality that wants that, but for me this feels like putting principles before the user experience, so I won't recommend it - but almost everyone my company serves uses MacOS or Windows.

Warning: ONVIF Device Manager has had rumors for years that it has malicious code hidden in plain sight and that its team has connections with the Kaspersky team. I don't think this claim has been proven, but I have not looked into it myself.
Hi @mnederlanden

Last I checked linux was covered under the GPL and thus your partner is legally required to publish source code if they are using linux.
 

mnederlanden (Young grasshopper, joined May 28, 2019, USA):
Last I checked linux was covered under the GPL and thus your partner is legally required to publish source code if they are using linux.
That's not how GPL licensing actually works. Android is open source. Not all Android apps are open source. You can't compel gmail to give you their source code, just cause gmail runs on Android. Most linux kernels aren't even totally open source.

The majority of Arch linux or Debian kernels installed on an embedded linux NVR are open source. If someone improves or makes their own derivative of Arch or Debian, they have to open source their changes / improvements, yes. However, if they write an app that runs on linux, they don't have to open source it. The camera system GUI that auto loads on top of the linux distro doesn't have to be, if it does not use any open source GPL licensed code. Most of the distros have an easy-to-set-up "kiosk" mode out of the box that forces the launch of an app on startup; I presume they are using something like that. That's what we're doing.

If you keep your closed source code separate, you can keep it closed source. This is why, for example, Red Hat or Suse can ship with closed source commercial drivers.

You can see this "wall of separation" in a very transparent way in Ubuntu. If you want to install broadcom drivers for your HP wifi card, you download the closed source broadcom drivers in their own package. This package is clearly labeled as closed source. Ubuntu even has a nice GUI menu, asking you if you want to include the repositories for popular closed source file types like MP3, H.264, etc. and popular proprietary, restricted, closed source driver packages like broadcom or nvidia.

In the same way, when you install ffmpeg (open source) in linux, you don't invalidate microsoft and apple's patents on H.264/5, just because it is running on a linux box and ffmpeg can encode or decode H.264/5.
 

mat200 (IPCT Contributor, joined Jan 17, 2017):
That's not how GPL licensing actually works. Android is open source. Not all Android apps are open source. You can't compel gmail to give you their source code, just cause gmail runs on Android. Most linux kernels aren't even totally open source.

The majority of Arch linux or Debian kernels installed on an embedded linux NVR are open source. If someone improves or makes their own derivative of Arch or Debian, they have to open source their changes / improvements, yes. However, if they write an app that runs on linux, they don't have to open source it. The camera system GUI that auto loads on top of the linux distro doesn't have to be, if it does not use any open source GPL licensed code. Most of the distros have an easy-to-set-up "kiosk" mode out of the box that forces the launch of an app on startup; I presume they are using something like that. That's what we're doing.

If you keep your closed source code separate, you can keep it closed source. This is why, for example, Red Hat or Suse can ship with closed source commercial drivers.

You can see this "wall of separation" in a very transparent way in Ubuntu. If you want to install broadcom drivers for your HP wifi card, you download the closed source broadcom drivers in their own package. This package is clearly labeled as closed source. Ubuntu even has a nice GUI menu, asking you if you want to include the repositories for popular closed source file types like MP3, H.264, etc. and popular proprietary, restricted, closed source driver packages like broadcom or nvidia.

In the same way, when you install ffmpeg (open source) in linux, you don't invalidate microsoft and apple's patents on H.264/5, just because it is running on a linux box and ffmpeg can encode or decode H.264/5.
Hi @mnederlanden

Actually, that is how GPL does work.

Android base which is GPL'ed is available - this is how Amazon was able to make their versions off this base.

Google has added a lot of non-GPL code to what is Android, as they own the base IP they can dual license.

Google still makes available the base that is GPL'ed.

Ubuntu, Redhat, Suse, etc. do make the appropriate GPL code available. The closed source drivers are a different story.

Likewise your upstream should be making the code available.

Otherwise, from what I can see it's just another Chinese OEM taking IP from others and not following the appropriate laws to make available that IP that they've modified.
 

Dramus (Pulling my weight, joined May 7, 2019, New Jersey):
This isn't how the hardware works. An airgap protects the cameras from being access by something other than the NVR.
That's not what an "air gap" is. An "air gap" means, literally, nothing but air between a device and the rest of the world. If something's connected to something, it is not air-gapped.

HI @mnederlanden

Actually, that is how GPL does work.
mnederlanden is, or may be, correct. Software running upon a general purpose operating system created in whole or in part from GPL'd code does not oblige the software maker to open-source their software. If their software uses GPL'd code or libraries, however, it may be subject to being required to be open-sourced, but not necessarily. It depends on a variety of factors, incl. under which version of the GPL the re-used code or the libraries are licensed.

Most of the libraries and associated header files on a Linux system are licensed under the GNU Lesser General Public License (aka: GPLv2). Code using those libraries would not be subject to the requirement of being open-sourced, providing the libraries and associated header files are unmolested.

If the company in question was selling an embedded system, with modified kernel and/or libraries, then they'd be subject to having to publish their modifications to that code. But they still, AIUI, would not be required to publish the code that relied upon those underlying libraries or kernel.

N.B.: IANAL, neither in real life nor on TV.
 

mnederlanden (Young grasshopper, joined May 28, 2019, USA):
mnederlanden is, or may be, correct.
Thank you for recognizing this.

That's not what an "air gap" is. An "air gap" means, literally, nothing but air between a device and the rest of the world. If something's connected to something, it is not air-gapped.
This is not true. That's not the only definition of an air gap, although it is the most common definition.

From IPFS:

"The air gap may not be completely literal, as networks employing the use of dedicated cryptographic devices that can tunnel packets over untrusted networks while avoiding packet rate or size variation can be considered air gapped, as there is no ability for computers on opposite sides of the gap to communicate."

From Wikipedia:

"a physical or conceptual air gap"

Bonus example with illustration: Jfrog Artifactory DMZ airgap. This is a great diagram for the reverse SSH method I was talking about earlier.

The definition from IPFS is what POE NVRs do with their airgaps. The Jfrog is what Cirrus does / will do.
 

fenderman (Staff member, joined Mar 9, 2014):
Thank you for recognizing this.

This is not true; I'm right on this point as well.

From IPFS:

"The air gap may not be completely literal, as networks employing the use of dedicated cryptographic devices that can tunnel packets over untrusted networks while avoiding packet rate or size variation can be considered air gapped, as there is no ability for computers on opposite sides of the gap to communicate."

From Wikipedia:

"a physical or conceptual air gap"

Bonus example with illustration: Jfrog Artifactory DMZ airgap. This is a great diagram for the reverse SSH method I was talking about earlier.
Problem is your Uniview made NVR does not use any of those. Why do you keep lying about it? You don't use reverse SSH. Why bring it up as if you do?
 

mnederlanden (Young grasshopper, joined May 28, 2019, USA):
Problem is your Uniview made NVR does not use any of those. Why do you keep lying about it? You don't use reverse SSH. Why bring it up as if you do?
Some to All Hikvision, Dahua, and UNV POE NVRs use the IPFS method of an airgap. Most other POE NVRs do as well. We aren't the only ones who have this; this is normal in POE NVRs.

On these devices, there is no physical connection between the uplink port and the POE ports. The only way to talk to the cameras from the main network is through the NVR. The only way to load the camera web interface is to plug a computer directly into the POE ports. The NVR hardware prevents devices on the main network side from communicating with the camera side without passing through the NVR DMZ.

An experimental, unreleased Cirrus build uses the reverse SSH setup. I'm not sure that we will end up using that in a public build or if we will come up with something better, but it is highly relevant to these discussions. Zero trust network design infrastructure concepts are the same whether it is local or cloud based infrastructure.
 

Dramus (Pulling my weight, joined May 7, 2019, New Jersey):
This is not true. That's not the only definition of an air gap, although it is the most common definition.
Yeah, well, lots of people call lots of stuff "firewalls" that aren't really firewalls, too. I guarantee you that if I use the phrase "air gap" with any of my fellow I.T. security acquaintances, they'll know just what I'm talking about. You aren't air-gapping anything.
 

fenderman (Staff member, joined Mar 9, 2014):
Some to All Hikvision, Dahua, and UNV POE NVRs use the IPFS method of an airgap. Most other POE NVRs do as well. We aren't the only ones who have this; this is normal in POE NVRs.

On these devices, there is no physical connection between the uplink port and the POE ports. The only way to talk to the cameras from the main network is through the NVR. The only way to load the camera web interface is to plug a computer directly into the POE ports. The NVR hardware prevents devices on the main network side from communicating with the camera side without passing through the NVR DMZ.

An experimental, unreleased Cirrus build uses the reverse SSH build. I'm not sure that we will end up using that in a public build or if we will come up with something better, but it is highly relevant to these discussions. Zero trust network design infrastructure concepts are the same whether it is local or cloud based infrastructure.
No one said you were the ONLY ones. However, YOU are the only one who made this false claim. That might work on other forums but here we call bullshit for what it is. You can BS your customers on your website or on the phone, you can't and won't do it here.
I don't care about your experimental releases and more importantly your continued deliberate misrepresentation of the facts doesn't bode well for you with respect to users trusting YOUR servers with their security.
Your Uniview NVRs won't be using your SSH even if you successfully implement it.
 

mat200 (IPCT Contributor, joined Jan 17, 2017):
..
mnederlanden is, or may be, correct. Software running upon a general purpose operating system created in whole or in part from GPL'd code does not oblige the software maker to open-source their software. If their software uses GPL'd code or libraries, however, it may be subject to being required to be open-sourced, but not necessarily. It depends on a variety of factors, incl. under which version of the GPL the re-used code or the libraries are licensed.

Most of the libraries and associated header files on a Linux system are licensed under the GNU Lesser General Public License (aka: GPLv2). Code using those libraries would not be subject to the requirement of being open-sourced, providing the libraries and associated header files are unmolested.

If the company in question was selling an embedded system, with modified kernel and/or libraries, then they'd be subject to having to publish their modifications to that code. But they still, AIUI, would not be required to publish the code that relied upon those underlying libraries or kernel.

N.B.: IANAL, neither in real life nor on TV.
Thank you for recognizing this.

..

@Dramus, @mnederlanden

Question 1: Do you really think they have unmodified / unmolested code in their products?

Question 2: Do you really trust the Chinese OEM to do what they legally should be doing? Even in the USA companies have to be sued to follow the license terms.

A few case points:

1) Cisco and Linksys
Cisco settles open source case

2) Verizon
Verizon sued for GPL naughtiness • The Register

3) D-link sue in Germany for GPL violations ..

4) Fortinet also sued in Germany for GPL violations ( they were forced to make FortiOS available )


and there's a lot more, many more companies which are failing to meet their obligations based on the GPL... you don't hear of many of those because the Software Freedom Conservancy / FSF prefers to work quietly to reach compliance.
lawsuits on open source | Source Auditor
 

mnederlanden (Young grasshopper, joined May 28, 2019, USA):
No one said you were the ONLY ones. However, YOU are the only one who made this false claim.
I love to learn. Would you mind telling me which statement you are claiming is a false claim:

Claim 1: Devices plugged into the uplink port on many POE NVRs, including our models, can't talk to devices plugged into the POE ports, directly.
Claim 2: A component can be airgapped. Airgaps are a concept that can be applied to network communications.
Claim 3: Unidirectional, outbound-only communications are allowed in airgaps.
 

fenderman (Staff member, joined Mar 9, 2014):
I love to learn. Would you mind telling me which statement you are claiming is a false claim:

Claim 1: Devices plugged into the uplink port on many POE NVRs, including our models, can't talk to devices plugged into the POE ports, directly.
Claim 2: A component can be airgapped. Airgaps are a concept that can be applied to network communications.
Claim 3: Unidirectional, outbound-only communications are allowed in airgaps.
Go back and read this thread. I won't keep going in circles with you. You are nothing more than a pompous liar. You won't get away with that here.
 