Anyone tried Security Camera Warehouse (SCW) NVRs and Cameras?

mnederlanden (Young grasshopper; joined May 28, 2019; 32 messages; reaction score 0; USA)
I've been following the thread; you haven't actually disputed any facts, yet. You've not engaged with any of the sources I have linked. I'd be happy to learn from you, if you know more that I do, but you're not giving me that opportunity.

Here's another link that proves claim 2: Secure Data Physical Layer Air Gap Network Switches
 

fenderman (Staff member; joined Mar 9, 2014; 36,902 messages; reaction score 21,274)
I've been following the thread; you haven't actually disputed any facts, yet. You've not engaged with any of the sources I have linked. I'd be happy to learn from you, if you know more that I do, but you're not giving me that opportunity.

Here's another link that proves claim 2: Secure Data Physical Layer Air Gap Network Switches
One more time: your NVR is not air gapped, so the fact that your cameras may or may not be is irrelevant. Stop acting like a putz and stop lying on my forum. It really doesn't bode well for you or your company to lie here. You are a danger to your clients' network security. You are acting irresponsibly with their security.
You misrepresent the air gap, you deliberately misrepresent the security your devices have, and you throw in red herrings like experimental software that will not even be installed on your NVR that are exposed. You're a scammer.
 

Dramus (Pulling my weight; joined May 7, 2019; 323 messages; reaction score 229; New Jersey)
@Dramus, @mnederlanden

Question 1: Do you really think they have unmodified / unmolested code in their products?
Don't know, don't care to speculate, and it's not germane to the point. mnederlanden asserted merely running their code atop GPL'd code did not require they publish their source. That was the only point I was addressing.
 

Dramus (Pulling my weight; joined May 7, 2019; 323 messages; reaction score 229; New Jersey)
Claim 2: A component can be airgaped. Airgaps are a concept that can be applied to network communications.
Claim 3: Unidirectional, outbound-only communication are allowed in airgaps.
So you and some others who like to toss fancy-sounding network and security buzzwords and phrases around would like the clueless buying public to believe. That does not make it so. Just like throwing a bunch of software on a PC and calling it a "firewall" doesn't make it actually, you know, a firewall.

In the world of network security, real network security, "air gap" has a specific meaning.

Here's the difference between an air gap and not-an-air-gap ("<->" denotes connectivity):

Scenario #1: Air Gap
Network <-> Some Hardware / <nothing but air> / Some Other Hardware

Scenario #2: Not-An-Air-Gap
Network <-> Some Hardware <-> Some Other Hardware

In Scenario #1: If "Some Hardware" becomes compromised, "Some Other Hardware" remains secure
In Scenario #2: If "Some Hardware" becomes compromised, it can be leveraged to compromise "Some Other Hardware"

Good grief. That's just more murketing drivel. Just like that in which you're engaging. IOW: You're using murketing drivel to validate murketing drivel. I think that's called circular logic.

I'm not having this conversation with you any longer. It's about as useful as arguing particle physics with a housefly.
 

alastairstevenson (Staff member; joined Oct 28, 2014; 15,963 messages; reaction score 6,794; Scotland)
Claim 1: Devices plugged into the uplink port on many POE NVRs, including our models, can't talk to devices plugged into the POE ports, directly.
Just for info, Hikvision and Dahua both provide access to NVR PoE-connected cameras via a NATed arrangement that Hikvision call 'Virtual Host'.
This implicitly enables the Linux kernel 'IP_forward' capability (not to be confused with 'port forwarding') between the 2 NICs on the NVR, such that direct communications both in and out from LAN to PoE-connected cameras is available.
And I've had my hands on other brand NVRs where the NVR PoE ports are simply switches with direct access to the LAN that the NVR LAN interface connects to.
So no air-gaps in those examples.

To enable the full access between NVR PoE-connected cameras and the LAN just requires that the LAN routing is properly configured.
Example how-to : hikvision 7604 ni-k1 - live stream (hdmi) laggy/choppy performance

Claim 3: Unidirectional, outbound-only communication are allowed in airgaps.
Certainly, there can be security architecture configuration exceptions where via an approved barrier method a drop-box can be implemented to a trusted network from a less-trusted network.
But any exception provides opportunities for subversion if the result is worth the effort.
 
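The post above describes the mechanics that decide whether a two-NIC PoE NVR really separates its cameras from the LAN: the kernel's ip_forward setting, a NAT ("Virtual Host"-style) port mapping, and a LAN-side route to the PoE subnet via the NVR's LAN address. The following script is an added example, not code from this thread or from any NVR vendor; it audits those three conditions from text you would collect on the NVR (`sysctl net.ipv4.ip_forward`, `ip route show`, `iptables -t nat -S`) and on a LAN host (`ip route show`). The interface names, addresses, the 192.168.254.0/24 PoE subnet and the 65001 external port are assumptions, and all sample outputs are constructed, not captured from a real device.

```python
"""Audit whether a two-NIC PoE NVR actually isolates its camera subnet.

Added example, not code from the thread or from any NVR vendor. It models
an NVR with a LAN NIC (eth0) and a PoE NIC (eth1) where a virtual-host
style feature turns on net.ipv4.ip_forward and adds DNAT port mappings,
and where a LAN host needs a route to the PoE subnet via the NVR's LAN
address for direct access. All inputs are constructed samples; addresses,
interface names and the 65001 port are assumptions.
"""
import ipaddress
import re

# Constructed sample outputs (not captured from a real device).
NVR_SYSCTL = "net.ipv4.ip_forward = 1"
NVR_ROUTES = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.254.0/24 dev eth1 proto kernel scope link src 192.168.254.1
"""
# One DNAT mapping in the style of a virtual-host feature: NVR:65001 -> camera:80
NVR_NAT = """\
-P PREROUTING ACCEPT
-A PREROUTING -d 192.168.1.50/32 -p tcp -m tcp --dport 65001 -j DNAT --to-destination 192.168.254.2:80
"""
LAN_HOST_ROUTES = """\
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
"""
# Same host after `ip route add 192.168.254.0/24 via 192.168.1.50`
LAN_HOST_ROUTES_FIXED = LAN_HOST_ROUTES + "192.168.254.0/24 via 192.168.1.50 dev wlan0\n"


def forwarding_enabled(sysctl_text):
    """True if the kernel will forward packets between the NVR's NICs."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_text)
    return bool(m) and m.group(1) == "1"


def parse_routes(text):
    """Parse `ip route show` lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, via, dev))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match; returns (via, dev) or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else (best[1], best[2])


def parse_dnat(nat_text):
    """Extract (external_port, internal_ip, internal_port) from DNAT rules."""
    pat = re.compile(r"--dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)")
    return [(int(p), ip, int(tp)) for p, ip, tp in pat.findall(nat_text)]


def assess(nvr_sysctl, nvr_routes_text, nvr_nat_text, lan_routes_text,
           nvr_lan_ip, camera_ip, lan_host_ip, lan_dev="eth0", poe_dev="eth1"):
    """Decide how a LAN host can reach a PoE camera through the NVR."""
    nvr_routes = parse_routes(nvr_routes_text)
    lan_routes = parse_routes(lan_routes_text)
    connected = {dev: net for net, via, dev in nvr_routes if via is None}
    poe_net = connected[poe_dev]
    fwd = forwarding_enabled(nvr_sysctl)
    # Forward path: the LAN host must send camera-bound traffic to the NVR's LAN IP.
    hop = next_hop(lan_routes, camera_ip)
    routed_via_nvr = hop is not None and hop[0] == nvr_lan_ip
    # Return path: the NVR must route replies back out of its LAN NIC.
    back = next_hop(nvr_routes, lan_host_ip)
    return_ok = back is not None and back[1] == lan_dev
    mapped = [(p, tp) for p, ip, tp in parse_dnat(nvr_nat_text) if ip == camera_ip]
    return {
        "poe_subnet": str(poe_net),
        "ip_forward": fwd,
        "lan_route_via_nvr": routed_via_nvr,
        "direct_lan_to_camera": fwd and routed_via_nvr and return_ok,
        "mapped_ports": mapped,  # reachable as NVR:port even without a LAN route
        # No kernel path at all; only the NVR's own software still bridges the NICs.
        "kernel_isolated": not fwd and not mapped,
    }


if __name__ == "__main__":
    print(assess(NVR_SYSCTL, NVR_ROUTES, NVR_NAT, LAN_HOST_ROUTES,
                 "192.168.1.50", "192.168.254.2", "192.168.1.20"))
```

With the constructed inputs the verdict is: forwarding is on and port 65001 is already mapped to the camera's web interface, but the LAN host has no route for 192.168.254.0/24, so direct access only appears once that route is added. Note that `kernel_isolated` only says there is no kernel forwarding path; the NVR process itself still sits on both networks, which is the point made above about these arrangements not being air gaps.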

mnederlanden (Young grasshopper; joined May 28, 2019; 32 messages; reaction score 0; USA)
These are physical (mechanical) switches.
This is why I shared it. I'm glad we agree that a mechanical switch on a device is still an airgap.

Just for info, Hikvision and Dahua both provide access to NVR PoE-connected cameras via a NATed arrangement that Hikvision call 'Virtual Host'.
This implicitly enables the Linux kernel 'IP_forward' capability (not to be confused with 'port forwading') between the 2 NICs on the NVR, such that direct communications both in and out from LAN to PoE-connected cameras is available.
Yes, and this is the software equivalent of a mechanical switch. It introduces a small amount of risk, but it is still an airgap - a conceptual one and one with a key, but one nonetheless. Without the software "key" and the cooperation of the NVR, you cannot access the cameras. You must first compromise or get permission from the NVR to access the cameras. This is still an airgap according to IPFS:

"The air gap may not be completely literal, as networks employing the use of dedicated cryptographic devices that can tunnel packets over untrusted networks while avoiding packet rate or size variation can be considered air gapped, as there is no ability for computers on opposite sides of the gap to communicate."
This would, obviously, be a better example if the key was not so publicly available. I think it might even be fair to say that those NVRs do not have an airgap because the key is out in public. I do not know of a key for UNV devices. We plug a PC into the POE ports to accomplish what Hik/Dahua do with "Virtual Host."

Here's a quote from an engineering firm that we're using for our next line of equipment, which isn't coming from UNV:

- GbE uplink (no PoE)
- second Ethernet controller to connect to integrated 5 port switch, 4 ports POE, one non-POE (to support air gap) - 100bT internal connection
On this device, the POE ports and one uplink port can communicate with each other and the carrier board, and the other GbE port can only communicate to the carrier board. No data can pass through from the GbE uplink LAN to another LAN without going through the carrier board. Yes, if you can hack the NVR, the cameras could be compromised, but there will be no key to this device and there won't be a software workaround - we don't need one, there's a hardware method on this device.



Certainly, there can be security architecture configuration exceptions where via an approved barrier method a drop-box can be implemented to a trusted network from a less-trusted network.
But any exception provides opportunities for subversion if the result is worth the effort.
Yes, a secure dropbox can be implemented in an airgap. It would introduce some risk, just like using removable media in an airgap allows for some risk. It is still an airgap because the communication is unidirectional. Just like how an airgap can use removable media to transfer to and from the airgapped computer to the main network, a secure, outgoing dropbox to an established, secure, known endpoint can also be used. It can even be argued that a secure, unidirectional dropbox endpoint is more secure, if it allows you to remove removable media from the PC, especially considering the ways that even airgapped networks can be compromised: FM, removable media, etc.

See Using JFrog Artifactory With an Air Gap for example, for someone using the term this way.

P.S. I don't mind using another phrase, if you would be willing to offer one up, but I see a chorus of voices indicating that this is more complicated and has more variables than you are willing to entertain. Even still, there are lots of people using the word "airgap" the way that I use it. You aren't going to change everyone. Tech evolves.
 

mat200 (IPCT Contributor; joined Jan 17, 2017; 13,945 messages; reaction score 23,252)
Don't know, don't care to speculate, and it's not germane to the point. mnederlanden asserted merely running their code atop GPL'd code did not require they publish their source. That was the only point I was addressing.
@Dramus @mnederlanden

This makes it perfectly clear that the OEM of the cameras and any NVRs have compliance obligations with regard to the GPL source code, regardless of assertions denying it:

13.1 Who Has Compliance Obligations?
All distributors of modified or unmodified versions of copylefted works unmodified versions of the works have compliance obligations. Common methods of modifying the works include innumerable common acts, such as:

  • embedding those works as executable copies into a device,
  • transferring a digital copy of executable copies to someone else,
  • posting a patch to the copylefted software to a public mailing list.

Ref: 13 Background
 

Dramus (Pulling my weight; joined May 7, 2019; 323 messages; reaction score 229; New Jersey)
13.1 Who Has Compliance Obligations?
All distributors of modified or unmodified versions of copylefted works unmodified versions of the works have compliance obligations. Common methods of modifying the works include innumerable common acts, such as:

  • embedding those works as executable copies into a device,
  • transferring a digital copy of executable copies to someone else,
  • posting a patch to the copylefted software to a public mailing list.
Running your code atop a GPL'd general purpose operating system or making calls to a GPL'd library does not necessarily do any of those things.

If mnederlanden's product simply runs atop standard, unmodified Linux, and does no more than make calls to standard, unmodified GPL'd libraries, he is not obliged to GPL his code. If he's selling turnkey systems that run atop a GPL'd operating system and/or make calls to vanilla GPL'd libraries I believe he's only required to point customers to where they may obtain the source code for those operating systems and libraries. I do not believe he's obliged to supply it. I believe he is also obliged to furnish a copy of the GPL license along with his products. But, again: IANAL.

@mat200, I wonder: Are you, or have you ever been a software developer? Because I have been and, on occasion, still am. And I have released code under the GPLv2 license. I've also written code, under contract, that ran upon GPL'd systems and used GPL'd libraries. All rights to that code were retained by the people that paid me to develop it.
 

Dramus (Pulling my weight; joined May 7, 2019; 323 messages; reaction score 229; New Jersey)
Even still, there are lots of people using the word "airgap" the way that I use it. You aren't going to change everyone.
There are also a lot of people who use "literally" when they mean "virtually," or even "figuratively." That doesn't make their misuse of the word right.

Tech evolves.
Abusing a tech term for the purpose of advancing a murketing program does not "advance tech." It simply robs a good word or phrase of all meaning.
 

mat200 (IPCT Contributor; joined Jan 17, 2017; 13,945 messages; reaction score 23,252)
Running your code atop a GPL'd general purpose operating system or making calls to a GPL'd library does not necessarily do any of those things.

If mnederlanden's product simply runs atop standard, unmodified Linux, and does no more than make calls to standard, unmodified GPL'd libraries, he is not obliged to GPL his code. If he's selling turnkey systems that run atop a GPL'd operating system and/or make calls to vanilla GPL'd libraries I believe he's only required to point customers to where they may obtain the source code for those operating systems and libraries. I do not believe he's obliged to supply it. I believe he is also obliged to furnish a copy of the GPL license along with his products. But, again: IANAL.

@mat200, I wonder: Are you, or have you ever been a software developer? Because I have been and, on occasion, still am. And I have released code under the GPLv2 license. I've also written code, under contract, that ran upon GPL'd systems and used GPL'd libraries. All rights to that code were retained by the people that paid me to develop it.
@Dramus

You having "written code" associated with "GPL systems and using GPL'ed libraries" ( LGPL I would assume ) should recognize that the section I quoted:

"13.1 Who Has Compliance Obligations?
All distributors of modified or unmodified versions of copylefted works unmodified versions of the works have compliance obligations. Common methods of modifying the works include innumerable common acts, such as:

  • embedding those works as executable copies into a device,
  • transferring a digital copy of executable copies to someone else,
  • posting a patch to the copylefted software to a public mailing list.

Ref: 13 Background"

Was written by and reviewed by those whose job ( including some lawyers ) it is to enforce GPL license obligations. QED

The text is very clear, and clearly states that distributors of such licensed open source code have legal compliance obligations. This has been already tested in a number of courts.
 

Dramus (Pulling my weight; joined May 7, 2019; 323 messages; reaction score 229; New Jersey)
@Dramus

You having "written code" associated with "GPL systems and using GPL'ed libaries" ( LGPL I would assume ) should recognize that the section I quoted:..

The text is very clear, and clearly states that distributors of such licensed open source code have legal compliance obligations.
I never claimed they did not. What I wrote, twice, very clearly is that license does not say what you appear to think it says.
  • If somebody embeds copylefted works as executable copies into a device, the originator of that device is obliged to make available to the recipients of that device a copy of the source that is copylefted
  • If somebody transfers a digital copy of executable copies of copylefted code to someone else they are obliged to make available to that someone else a copy of the source code that is copylefted
  • If someone patches copylefted code they are obliged to make available the patch under the same license as the patched code
What they, "they" being such as mnederlanden, are not obliged to do is open source code that merely runs upon copylefted operating systems or uses copylefted libraries. (Yes: Assuming LGPL or GPLv3. The original GPL is much more restrictive.) There is a lot of copyrighted code that runs upon Linux, and uses GPL'd libraries on those Linux systems, the source code for which remains proprietary--and completely legally so.
 

mat200 (IPCT Contributor; joined Jan 17, 2017; 13,945 messages; reaction score 23,252)
I never claimed they did not. What I wrote, twice, very clearly is that license does not say what you appear to think it says.
  • If somebody embeds copylefted works as executable copies into a device, the originator of that device is obliged to make available to the recipients of that device a copy of the source that is copylefted
  • If somebody transfers a digital copy of executable copies of copylefted code to someone else they are obliged to make available to that someone else a copy of the source code that is copylefted
  • If someone patches copylefted code they are obliged to make available the patch under the same license as the patched code
What they, "they" being such as mnederlanden, are not obliged to do is open source code that merely runs upon copylefted operating systems or uses copylefted libraries. (Yes: Assuming LGPL or GPLv3. The original GPL is much more restrictive.) There is a lot of copyrighted code that runs upon Linux, and uses GPL'd libraries on those Linux systems, the source code for which remains proprietary--and completely legally so.
Hi @Dramus,

You're clearly missing the point, and continue to go back to a subset case which does not apply in this case.

The OEM of the camera is distributing GPL'ed software with their hardware. They are obligated to make that source code available.

Also, last I checked the Linux kernel is still GPL v2, and Linus does not like GPL v3 based on his public statements.

No place did I say that any proprietary software which is properly isolated from the GPL software must be open sourced. I have no idea of why you keep insisting on this point.
 

Dramus (Pulling my weight; joined May 7, 2019; 323 messages; reaction score 229; New Jersey)
Hi @Dramus,

You're clearly missing the point, and continue to go back to a subset case based which does not apply in this case.
I'm not certain what you mean by a "subset case." All I've done is address your assertions, some of which you've made by reposting part of the GPL, on a point-by-point basis. I also addressed...

The OEM of the camera is distributing GPL'ed software with their hardware. They are obligated to make that source code available.
...five posts back, where I wrote:
... If he's selling turnkey systems that run atop a GPL'd operating system and/or make calls to vanilla GPL'd libraries I believe he's only required to point customers to where they may obtain the source code for those operating systems and libraries. I do not believe he's obliged to supply it. I believe he is also obliged to furnish a copy of the GPL license along with his products. But, again: IANAL.
And btw: Your original assertion was...
Last I checked linux was covered under the GPL and thus your partner is legally required to publish source code if they are using linux.
You didn't explicitly write their source code, but that was, to me, the implication. So that's the assertion I've been arguing. If I misunderstood, then never mind.
 

mat200 (IPCT Contributor; joined Jan 17, 2017; 13,945 messages; reaction score 23,252)
I'm not certain what you mean by a "subset case." All I've done is address your assertions, some of which you've made by reposting part of the GPL, on a point-by-point basis. I also addressed...
...five posts back, where I wrote:
And btw: Your original assertion was...
You didn't explicitly write their source code, but that was, to me, the implication. So that's the assertion I've been arguing. If I misunderstood, then never mind.
@Dramus,

Their code.

Depends.

Depends on if they've added to the GPL'ed code and redistributed it. If so, they are legally required to share those modifications as per copyright law and the license.
It also depends on if they've incorporated others' code into their code. (This often happens with developers cutting and pasting others' source code into their code.)

Anyway you look at it, there is a legal requirement for those using GPL'ed code to provide that source, and any modifications to that source they may have made.
 