TALK ME OFF THE LEDGE

windguy

Young grasshopper
Joined
Sep 25, 2019
Messages
61
Reaction score
21
Location
Pacific Coast
Only kidding, but as I continue to research video security systems this past year, the more I read and study, the more I feel like I’m getting in over my head. Information overload for the feeble minded. Actually, this is really good brain fodder for me after retiring earlier this year. I need to challenge myself with new technology to keep my mind active.

Crime was never an issue in our bedroom community but things have changed for the worse in the last few years. It’s time to add some layers of security. I plan to beef up the door jambs and hinges to mitigate doors from getting kicked in and adding a security surveillance system.

I question how effective outdoor cameras can be since it seems thieves wear hoodies and/or masks because they know houses may be using video surveillance. If they get inside, an indoor camera might catch something useful if they let their guard down and remove their cover. I talked to the local police for their advice and they say a basic video camera system is better than nothing either as a deterrent and/or for helping to profile the thieves, so I’m determined to go forward with this project.

Our cars are garaged so we are most concerned about break-ins when we are away as well as knock-knock burglars when we are home. We don’t answer the door for anyone so I’m concerned that may lead to someone thinking we’re not home and targeting our house. Having a camera near the front entryway with two-way audio might help with that issue. I haven't bought any hardware yet so I'm starting from a clean slate.

Thanks to all for supporting this fantastic forum. I hope I can be worthy of your sage advice. Be warned, I will be asking dumb questions despite how much reading I have done. I thank you in advance for your patience.
 

spammenotinoz

Young grasshopper
Joined
Apr 4, 2019
Messages
40
Reaction score
21
Location
Sydney
You know the saying, "if you're in the forest with a hungry bear, you don't need to be a fast runner, just not the slowest."
Same with security. Cameras are just one aspect.
You need enough for good coverage and some low enough for facial recognition.

With my personal cameras, BI triggers my HUE lights (via PowerShell) to come on at night and only when I am away.
I have pets (Chickens and a Dog), I get a warm comfort being able to check on them.

I've had some strange events that, when I reviewed the cams, were just kids having fun.
Watched someone crash into my bins and then get out and pick the rubbish back up (I was amazed).

When we were renovating, I had some cheap wireless 1080p PTV cams around the house. (BI would only record and alert on these when we were out.)
I had BI alarm triggers on a cam watching the stairs, to alert if someone came up-stairs.

BI gives me the flexibility to use almost any cloud provider (just needs to work with Windows and be seen as a drive).

But yes, any decent thief can hide their face, pull the power, use a strong flashlight at the cams, but the police often have a good idea who the crims are in the area and use other objects to gauge their height, their gait and other profile elements. Also it is common (not always) for a thief to check out an area prior.
Also helps insurance claims (doesn't mean you won't need to pay the excess, just speeds up the process).

There would be many... many... other use cases, but I know recently the police in our area sent out a flyer telling people tips on improving home security and CCTV was on the list.
And also registering. So they can often use a variety of cams in the area to find the thief. I also have a Skybell Trim Plus (quite a few years old now, that is also great peace of mind).

I also use secondary zones in key areas to trigger iOS animated gifs, but only when I am away from the house.

My recommendation to a new player would be (depending on the use case)
- Prioritise low light quality over megapixels (eg: don't be put off by 2mp)
- Prioritise placement over resolution (try a temporary install before permanently mounting)
- More cameras with overlapping coverage of a lower resolution (2-4mp) are better than a few with high-resolution (8mp) cameras
- Wider the angles the better
- POE
- Record Always
- SD Card Backup if you can
- Dedicated PC (doesn't need to be expensive, follow the guide on this site)

other TIPS
- Install decent quality screen doors
- Install motion activated lights outside
- Prune hedges, to make sure the front of the house \ windows is visible from the street
- Don't leave objects outside
- Keep the lawn mowed
- Arrange for someone to collect the mail when you are away
- Use lights like HUE to come on and off at random times within specified windows
- Have a routine on something like a cheap google mini, just to listen to AM radio or something at specified times

If someone wants to get in, or f'ed up on drugs they will get in. Your aim is to make the pro's pick an easier target.
But if you have a flash car, trail bike or boat then these are common targets, they may still be determined to get in. (So hide these out of sight, clean them in the back yard or before you come home etc...)
eg: Cleaning the boat or bikes out the front every Sunday, advertises with a big roar you are likely out on Sundays.
And of course, don't advertise your trip\pictures on social media, until you get back. If your insurance finds out via their detectives they can refuse a claim.
 

windguy

@spammenotinoz - G'day Mate! Thanks for sharing your wisdom and experiences from Down Under. Funny (sad), different continent a world away, same crime issues.

Our house is set back from the street and my hopes are that the primary camera that captures activity coming up the driveway would also be an obvious deterrent. I think that would work for some unsophisticated thieves. A new and disturbing crime trend in our area and other major cities in the US are "tourists" from Chile. Actually they are criminal gangs that travel here and setup criminal networks to target houses. Some have been caught locally but like cockroaches, more will replace them.

Is your Skybell Trim Plus integrated into your BI system or do you run it separately? It looks like an interesting product. I've read about other door bell ringer/video devices in threads on this forum. I wasn't planning on having any wireless devices like that but I might reconsider.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
2,339
Reaction score
1,357
Location
Houston Tx
:welcome:
----------------------------
First set up a good wired alarm system, before a camera system. This system needs door and window open sensors, glass break sensors and, if no one is home during the day, inside PIR motion detectors. The alarm system needs to be monitored, or have the capability to call your cell phone. I do not use inside motion detectors, I have three large dogs.

--------------------------
My standard welcome to the forum message.

Please read the cliff notes and other items in the wiki. The wiki is in the blue bar at the top of the page.

Read How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk in the wiki also.

Quick start
1) Use Dahua starlight cameras or Hikvision darkfighter cameras or IPCT Night eye cameras (https://store.ipcamtalk.com/) if you need good low light cameras.
2) Use a VPN to access home network (OpenVPN)
3) Do not use wifi cameras.
4) Do not use cloud storage
5) Do not use UPnP, P2P, QR, do not open ports
6) More megapixel is not necessarily better.
7) Avoid Chinese hacked cameras (most ebay, amazon, aliexpress cameras (not all, but most))
8) Do not use reolink, ring, nest cameras (they are junk)
9) If possible use a turret camera, bullets collect spiders, domes collect dirt and reflect light (IR)
10) Use only solid copper, AWG 23 or 24 ethernet wire, no CCA (Copper Clad Aluminum)
11) use a test mount to verify the camera mount location. My test rig: rev.2
12) (Looney2ns)If you want to be able to ID faces, don't mount cams higher than 8ft. You want to know who did it, not just what happened.
13) Use a router that has openVPN built in (Most ASUS, Some NetGear....)
14) camera placement use the calculator... IPVM Camera Calculator V3

Cameras to look at
IPC-HDW2231R-ZS Review-Dahua IPC-HDW2231RP-ZS Starlight Camera-Varifocal
IPC-HDW5231-ZE Review-Dahua Starlight IPC-HDW5231R-ZE 800 meter capable ePOE
IPC-HFW4239T-ASE IPC-HFW4239T-ASE
IPC-T5442TM-AS Review IPC-T5442TM-AS-LED (Full Color, Starlight+)
IPCT-HDW5431RE-I Review - IP Cam Talk 4 MP IR Fixed Turret Network Camera
DS-2CD2325FWD-I
IPC-T5442TM-AS https://ipcamtalk.com/threads/review-oem-4mp-ai-cam-ipc-t5442tm-as-starlight.39203/ - 4MP starlight+

My preferred indoor cameras
DS-2CD2442FWD-IW
IPC-K35A https://ipcamtalk.com/threads/review-dahua-ipc-k35a-3mp-cube-camera.37581/#post-373517

Read,study,plan before spending money ..... plan plan plan
Test do not guess

-------------------------------------------------------------------------
 

windguy

@SouthernYankee - thanks for the welcome and info. I haven't considered any type of door or window sensors because we want to keep the system simple with strictly video monitoring. But, I will certainly give it more thought and research at your recommendation.

I've read your standard welcome tips dozens of times by now (you'd think I'd have it memorized) and have it copied to my own personal wiki along with other relevant information I've found on the forum. It's helping me figure out what I need to build a system and create a list of components and materials. I'm following your mantra of "Read, study, plan before spending money" and "Test do not guess". I have a tendency to overthink things and appreciate the direction. Thanks!
 

spammenotinoz

While I agree a good alarm comes first, I am not sold on the need to alarm all doors and windows in an existing premise, when decent coverage can be obtained by PIR's with less damage to the property and far lower installation costs.
I would not underestimate the value of a well placed external strobe and siren (deterrent only, they don't do much when activated as people ignore them).
Multiple piezo sirens inside the house. The ones that make it feel like your ears are bursting.
A barking dog (large or small) also does wonders as a deterrent.

Now the VPN TIP gets posted here a lot, and quite honestly please understand what VPN is before you go down that path.
When you install a VPN, you basically open up a back-door from the PC you are using to your home network. This by-passes many of the security controls that may be present on your firewalls and routers.
This is the same when you VPN from home out, you by-pass your firewall and let the nasties into your PC.
But conversely if you are accessing from a hostile network (eg: public hotspot) and you trust the device, VPNs are highly recommended. But no frigging way would I VPN from a Kiosk into your own network, that is handing over the keys, removing any Firewall between that Kiosk device and your home network!!

What is more important than VPN per se, is encrypting all traffic with strong ciphers and using MFA. Most VPNs prioritise speed and use quite poor encryption protocols. So yes VPN can be secure but as it by-passes a number of controls, just be aware of the pros and cons.

You need to perform your own risk assessment, but this is what I do (and it's not the most secure, but is a compromise for usability);
- BI is configured to listen on the local loopback only
- STUNNEL is installed and configured with strong ciphers and locked to TLS 1.2 (this is not the default configuration)
You can go further and lock STUNNEL down to only specific clients via certificates (if you need)
- Strong passwords in BI
- Router is whitelisted to only allow incoming BI traffic from the IP range of my telco provider (cuts down on some overseas threats)
If I was serious about security, I would replace STUNNEL with a Reverse Proxy (running on a different machine) configured with MFA.
I do have VPN configured on a standbox (VM)
- Isolate your cameras (as per above, but I go further and don't configure a gateway on them, and use a very small netmask, plus block all inbound \ outbound access).
For home use, I would leave the gateway and netmask, allow NTP out, but block everything else.
Find a balance between security and usability. If you go down the VPN path, you essentially lose the Animated GIFs...:)
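
As an added example (not part of the post above, and not the poster's own configuration), this Python sketch lints a stunnel.conf against the steps listed there: loopback-only backend, TLS pinned to 1.2, explicit strong ciphers, and client certificates. The two sample configs, their ports and file names, and the finding labels are constructed for illustration.

```python
"""Lint a stunnel.conf against the hardening steps listed in the post above.
Added example; finding labels and sample values are constructed."""
import ipaddress

WEAK_TLS = {"all", "sslv2", "sslv3", "tlsv1", "tlsv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")

# Constructed sample: defaults left in place, backend reached over the LAN.
WEAK_CONF = """
[bi-https]
accept = 8443
connect = 192.168.1.50:81
cert = stunnel.pem
"""

# Constructed sample: the post's steps applied (ports and file names assumed).
HARDENED_CONF = """
sslVersion = TLSv1.2
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5
[bi-https]
accept = 8443
connect = 127.0.0.1:81
cert = server.pem
key = server.key
CAfile = clients.pem
verifyPeer = yes
"""

def parse_stunnel_conf(text):
    """Return (globals, {service: options}); option names are lower-cased."""
    globals_, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            target = globals_ if current is None else current
            target[key.strip().lower()] = value.strip()
    return globals_, services

def is_loopback(connect):
    """stunnel treats a bare port as localhost; otherwise inspect the host."""
    host = connect.rpartition(":")[0].strip("[]")
    if host in ("", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname we cannot prove is local

def weak_cipher_tokens(cipher_string):
    """Cipher-list entries that enable (rather than exclude) weak suites."""
    enabled = [t.strip() for t in cipher_string.split(":")]
    enabled = [t for t in enabled if t and t[0] not in "!-"]
    return [t for t in enabled
            if any(m in t.upper() for m in WEAK_CIPHER_MARKERS)]

def audit(text):
    """Return {service: [finding, ...]} for every server-mode service."""
    globals_, services = parse_stunnel_conf(text)
    report = {}
    for name, opts in services.items():
        cfg = {**globals_, **opts}  # global section supplies service defaults
        if cfg.get("client", "no").lower() == "yes":
            continue
        findings = []
        if not is_loopback(cfg.get("connect", "")):
            findings.append("backend-not-loopback")
        version = cfg.get("sslversionmin") or cfg.get("sslversion", "all")
        if version.lower() in WEAK_TLS:
            findings.append("tls-below-1.2-allowed")
        ciphers = cfg.get("ciphers")
        if ciphers is None:
            findings.append("ciphers-left-at-default")
        elif weak_cipher_tokens(ciphers):
            findings.append("weak-ciphers:" + ",".join(weak_cipher_tokens(ciphers)))
        if not (cfg.get("verifychain", "no").lower() == "yes"
                or cfg.get("verifypeer", "no").lower() == "yes"
                or cfg.get("verify", "0") in ("2", "3", "4")):
            findings.append("no-client-certificate-check")
        report[name] = findings
    return report

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

The client-certificate finding corresponds to the step the post marks as optional, so treat it as informational rather than a failure.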
 

spammenotinoz

@spammenotinoz - G'day Mate! Thanks for sharing your wisdom and experiences from Down Under. Funny (sad), different continent a world away, same crime issues.

Is your Skybell Trim Plus integrated into your BI system or do you run it separately? It looks like an interesting product. I've read about other door bell ringer/video devices in threads on this forum. I wasn't planning on having any wireless devices like that but I might reconsider.
No my Skybell is stand-alone, it does support integrations such as NEST and IFTTT, but I never found the need. (Found IFTTT too slow).
The biggest letdown of the Skybell is lack of pre-recording, weak wifi.

When I chose the Skybell Trim Plus years ago, the Ring had bad reviews (low resolution, buggy) and required a costly subscription, and the Skybell was full HD, colour at night, and used the same cable and indoor chime, cables and power.
These days I would be interested to see what other products are out there, I hear ring is quite a good product now and offers a variety of wireless cameras.

I am currently testing a few Battery Powered P2P ONVIF WiFi cameras, to provide overlap and a second view for key areas, before committing to a Wired Installation.
I have been somewhat impressed, even with the night vision.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,749
Reaction score
3,785
Location
Scotland
This is the same when you VPN from home out, you by-pass your firewall and let the nasties into your PC.
Only if you connect to something malicious - such as the malware-laced video you need to pretend you are in another region in order to access.

But no frigging way would I VPN from a Kiosk into your own network, that is handing over the keys, removing any Firewall between that Kiosk device and your home network!!
If that was the case, security-savvy Corporates wouldn't be using VPN solutions to provide remote access for roving employees.
It's an outbound-originated connection from a device that blocks inbound access, using an encrypted protected stream and a robust key-exchange protocol.

What is more important than VPN per se, is encrypting all traffic with strong ciphers and using MFA. Most VPNs prioritise speed and use quite poor encryption protocols. So yes VPN can be secure but as it by-passes a number of controls, just be aware of the pros and cons.
With respect - you shouldn't be rubbishing the use of VPN for people who want to remote-access their home CCTV systems.
It's an orders-of-magnitude safer solution than the 'port forwarding' or P2P methods that are unfortunately so common.
 

spammenotinoz

Only if you connect to something malicious - such as the malware-laced video you need to pretend you are in another region in order to access.


If that was the case, security-savvy Corporates wouldn't be using VPN solutions to provide remote access for roving employees.
It's an outbound-originated connection from a device that blocks inbound access, using an encrypted protected stream and a robust key-exchange protocol.


With respect - you shouldn't be rubbishing the use of VPN for people who want to remote-access their home CCTV systems.
It's an orders-of-magnitude safer solution than the 'port forwarding' or P2P methods that are unfortunately so common.
Perhaps re-read what I wrote, as I don’t believe I rubbished VPN. More pointed out some implications, benefits and alternatives.
I cited the perfect use case for VPN (when you trust both the source and destination). Ie: corporate controlled pc and corporate network.

100% fact vpn will bypass your firewalls native intrusion detection and other services.
100% fact 99% of vpns use such weak ciphers they are not that useful for privacy.

I also stated everyone must perform their own assessment and find what works for them.
I also stated VPN can be secure.
Helps if people know there are options.

Not being aware of the risks / negatives of VPN is pure ignorance.
 

SouthernYankee

For the alarm system, I use multiple outdoor sirens inside the house, plus multiple outdoor sirens. The sirens are so loud it is next to impossible to stay in the house. I live in a neighborhood where there are a number of stay at home retired bad asses, they pack...

The last break-in I had (before the three dogs), they kicked in the front door. They did not get the wrapped Christmas packages that were visible and within 10 feet of the door.

In reality cameras are mostly for after the fact, what happened and maybe who did it.
 

alastairstevenson

100% fact 99% of vpns use such weak ciphers they are not that useful for privacy.
perhaps re-read what I wrote, as I don’t believe I rubbished VPN.
You just did - by stating as an alleged fact something that anyone reading it who is considering implementing a VPN as a safer alternative to port-forwarding/P2P would find very worrying and maybe put them off pursuing it.
A citation to underpin that claim would be helpful.

Unless you are referring to an outbound-only subscription VPN. Which is a different matter entirely.
 

spammenotinoz

Thank-you for entertaining me so far. As I said I am not anti-vpn, most people just don't understand the pro's and con's, so let me expand.

Most consumer implementations including OpenVPN and OpenWRT use the BlowFish Cipher, this is next to useless for privacy and is far less secure than combining a strong cipher and a secure protocol such as TLS 1.2+ (SSL is also useless)
Most consumers use OpenWRT which at the heart is just a bunch of outdated linux full of root exploits, that despite great efforts to patch and remediate, it's still a nightmare.
Most corporates are now better informed of the risks of VPN, and have greatly reduced their exposure or eliminated VPN. (Honestly, this wasn't just about security, but security did play a big role in the demise of corporate VPN)
Port Forwarding is basically a simple reverse proxy implementation, sure you don't get encryption but if your credentials are compromised only the service exposed is at-risk, (ie: forwarding a BI port does not expose Windows vulnerabilities)
Port forwarding combined with Whitelisting is extremely secure and robust. If you want privacy add in STUNNEL with strong cipher and restrict the protocol to TLS 1.2 (the default cipher and protocol are junk)
STUNNEL can be locked down to particular clients with only authorised key pairs installed, in which case it is very difficult to compromise.
If your VPN system is compromised, an intruder gets direct network access, and also access to the device hosting VPN. Once on your network, as BI is hosted on Windows the attacker has many options indeed.
VPN is primarily Open Source, of which OpenVPN is the most popular. VPN is a collection of existing protocols and standards which, while inherently secure, bringing them together has proved problematic from a security point of view for most VPN implementations.
The other key risk, is being open source exposes the code to the hackers, reducing the time between a vulnerability being discovered and then being able to exploit in the wild. Conversely though some people like the comfort of being able to review the code themselves. That is why I continue to say it's not a one size fits all. If you are a novice you are often better with port forwarding and an optional whitelist, than implementing a VPN server or changing to an OpenWRT router with VPN without actually understanding the implications.

If you need security, don't expose your system to the internet, and if you do regardless if you chose VPN or Port Forwarding, whitelist where possible.

Whatever you use, if you select the "Secure Only" on the Options/Webserver page, despite the use of HTTP BlueIris does NOT send usernames passwords in plain text. Under the covers they use a strong hash-based algorithm, but yes your Video and Audio are sent unencrypted. If this is of concern STUNNEL can fix it easily and still retain full BI functionality.

While not intending to scare people off VPN, hopefully, I have put some people at ease who use port forwarding\whitelisting\stunnel or even just port forwarding.

At the end of that day, be aware of the risks, know your data and make an informed decision.

People don't need to agree, and may have strong preferences either way, That is fine, as it doesn't impact me,
 

windguy

Good discussion about security measures using VPN and port forwarding. I just hope others can find this valuable info buried in my Welcome Message.
Seems these ideas should be copied into a VPN discussion thread for archive purposes.

I was planning on buying a new wired router for the modem cabinet that has OpenVPN (maybe a Linksys LRT214) just for that purpose where maybe I just need to get a regular wired router and setup security measures differently. Unfortunately, I have no idea how to setup any of those, it's all new to me, so I'm at a loss on how best to proceed. To VPN or not to VPN. Ha, I shouldn't look down when I'm close to the ledge!
 

windguy

For the alarm system, I use multiple outdoor sirens inside the house, plus multiple outdoor sirens. The sirens are so loud it is next to impossible to stay in the house. I live in a neighborhood where there are a number of stay at home retired bad asses, they pack...

The last break-in I had (before the three dogs), they kicked in the front door. They did not get the wrapped Christmas packages that were visible and within 10 feet of the door.

In reality cameras are mostly for after the fact, what happened and maybe who did it.
Thanks for the input. I need to search the forum for discussions about audible alarms. I'd be interested in adding an indoor and outdoor alarm to ward off any potential break-ins if I can control that through BI from a desktop or remote access cell phone using it more like a panic button situation.

Good story about your break-in except that they probably buggered up your front door and jamb. Sorry about that. You sure foiled the Grinch on that one. He should have used the chimney instead. That's one reason why I want to beef up the door jambs and hinges to mitigate chances of a door being kicked in. They can always break a window but at least the doors won't be a weak point. Speaking of, this reminds me of an episode of Shark Tank for a door security product. The initial demo before the sales pitch didn't go so well. If you missed this one, see the link below. Pretty funny.

 

alastairstevenson

Most consumer implementations including OpenVPN and OpenWRT use the BlowFish Cipher,
Deprecated as of several years ago.
Current implementations use AES-256-CBC. As good as it gets.

the BlowFish Cipher, this is next to useless for privacy
A gross exaggeration.
The known attacks require eavesdropping and processing of 10s of hours of data.
This obviously needs either a MITM attack, or a physical intrusion.

The other key risk, is being open source exposes the code to the hackers, reducing the time between a vulnerability being discovered and then being able to exploit in the wild.
Giving anyone the ability to be able to scrutinise the source is one of the benefits of the open-source concept.
The result is better-quality code than closed-source implementations.
 

spammenotinoz

Deprecated as of several years ago.
Current implementations use AES-256-CBC. As good as it gets..
True, but this has only been the case for a few months in recent wrt builds. How often are noobs updating their routers and VPN servers.

Subscribe to the open VPN security notices to keep on top of VPN issues.

As I said, VPN has its benefits but its use does come with risks, which if breached have bigger implications than port forwarding.

Port forwarding with BI is greatly exaggerated and misunderstood.

I am also not saying port forwarding is better, nor is it worse. Different use cases with different security implications.

What I do like with VPN is the ability to add MFA and doing so improves the security posture greatly.
 

windguy

So we've had some friendly discussion about VPNs and alternatives. I question what someone like myself (classic noob) should do since I have zero experience implementing anything like this and I get the feeling I might be well over my head in trying. I think I can handle most of the sourcing and install aspects and some of the basic setup features with BI and the home networking. But when it comes to more complex security tasks like OpenVPN or alternatives, I have no idea if I'll be able to comprehend how to do that. So would setting up some simple port forwarding be better than nothing at all? Or should I strive to do something more secure which would require more technical intuition? Appreciate the insight.
 