Sunday, February 26, 2017

Spam, courtesy of LinkedIn

Over the last few years I've been noticing an exponential increase in the amount of spam I receive from IT vendors in my company mailbox.  After occasionally replying to some of these messages and bluntly asking them where they obtained my email address, I finally learned something interesting:

Me:  Hi (name), yes, we do have a need for your services from time to time.  May I ask how you obtained my email address?
 
Vendor:  I curated LinkedIn for contacts.
 
Me:  This email address isn't associated with my LinkedIn account, and my employer is not visible to anyone who is not a Connection.  Sorry, I'm just trying to figure out why I am getting so much spam.

Vendor:  The paid subscription of LinkedIn Recruiter allows me to see people not in my immediate network.  Most companies have a standard email format i.e. first.last@company.com. Once the format is known, then I just autofill with Excel.

So apparently spammers are using LinkedIn Recruiter to find names and companies then do a bit of hacking to find out the company email format.  I'll call them SWULRs - Spammers Who Use LinkedIn Recruiter.

What can we do about this?
  1. Implement a better spam filtering solution.  In the past I used mxLogic.  After establishing service, you point your MX record to their servers, they filter out the spam and forward legitimate email to your Exchange server.  Your Exchange server only accepts connections from mxLogic.  They would never explain how they were filtering spam, but it was very effective.  And very few false positives.  Be sure to also send out through them so they can build whitelists automatically for return mail.  Out-of-office autoreplies exempted, of course.  A side benefit is disaster recovery; they spool inbound messages when your Exchange server cannot be reached.
  2. Change your company name in LinkedIn to "Company Confidential" and remove any descriptions of your company or parent company from the job description.  However, your other connections may not do this and SWULRs may use their company names combined with your name in their attempts.
  3. Use something other than flast@company.com or first.last@company.com as the email address standard at your company.  Try flastnnn@company.com where nnn is the employee's payroll ID or just a random number.  This requires convincing management of the need.  Be sure to support your argument with the estimated cost of employee time lost dealing with spam.  And watch out for the marketing department that wants email addresses to be pretty.  You've already had to explain how email addresses and URLs should not contain uppercase characters.
  4. Not a solution, but good advice:  Make sure your LinkedIn account is tied to your personal email account, not your company email account.  You may be changing employers in the future, may forget to change your email address, or may not be changing employers voluntarily, and would then lose access to the company mailbox needed to confirm a password reset or email address change.  This keeps company email addresses out of the LinkedIn database.  And if anyone tries to send you a LinkedIn connect request through your company email, go to the LinkedIn website directly and add the contact from there.  You don't want your company email address tied to your account in any manner.

Now I understand why Konami's IT department assigns a short set of random numbers to the end of each user's email address.  For example, cgrote427@company.com.  Initially I thought this was overkill, but it's definitely effective.

This debacle reminds me of the concerns I had over Plaxo years ago.  Users would install Plaxo on their computers to "synchronize" their contacts.  An inspection of the Plaxo terms of service and privacy policy revealed an interesting clause about email address privacy practices being subject to change in the event of a change in ownership.  Meaning Plaxo was potentially building up a huge database of users' email addresses (and those of their unwilling contacts) while providing a free "synchronization" service in anticipation of selling themselves to a mailing list company who would then change the policy and use the harvested addresses for nefarious purposes.  Users were warned accordingly.

Well to my knowledge Plaxo never sold themselves off to a mailing list company.  But LinkedIn may be the new Plaxo, in terms of threat to email privacy.

I understand that LinkedIn offers a free service to those of us who want to share our employment and skills with our business contacts, but their failure to perform proper vetting of users signing up for access to the Recruiter service justifies some action on our part to protect our valuable time.  I would rather pay LinkedIn an annual membership fee and get them to simplify the site, remove all the fat JavaScript code that is increasing their bandwidth operating costs and slowing down my browser, and focus on what its users want it to do, rather than run a sideline business to profit off user data.

Spam after all is a very inefficient means for vendors to reach clients.  Better to make their service discoverable through internet search or listing sites such as Yelp, Angie's List and the like.  There is a very small chance that a broadly targeted email solicitation will be of interest to a client, but a very large chance that a client searching for a service on the internet is ready to buy. 

Vendors, please have someone available to answer the phone or email when that client contacts you.  Seems like companies are allocating more resources to obtaining clients through marketing rather than maintaining adequate sales and customer service staff to facilitate actual sales.  This past month I contacted 5 companies whose product or service I am interested in buying and only heard back from 1.


External Links:

https://www.wired.com/2013/04/the-real-reason-you-should-care-about-linkedin/
The above site is best viewed using Firefox or Safari in "reading view" to bypass the "register to view article" overlay.


Friday, February 3, 2017

Subdomain vs Address

Recently I heard an internet consultant refer to the address "blog.company.com" as a "subdomain" which led me to do a bit of research into what is causing this terminology confusion.

In my experience in IT, going back to '93-94 when companies were first getting up on the internet, the 1992 first edition of the O'Reilly book DNS & BIND was considered THE bible on DNS.  That book taught us early pioneers what a "subdomain" truly is.

So understand my surprise when Googling "address vs subdomain" today revealed that almost everyone now thinks that having a hostname other than "www" in front of your domain name is a "subdomain" - all thanks to internet hosting providers who don't even know what they are talking about.

I feel like the main character from the movie "Idiocracy" who finds himself in the far future and everyone has become...well, let's just say less than well-informed.  Next thing you know people will be handing out business cards with uppercase letters in their email addresses.

Once a few hosting providers start using one another's REdefinition of a term, the error spreads across the internet like a virus. 

Let's start with a simple English analysis of the word "subdomain":

"Sub" from Latin meaning "under" makes us interpret the word to mean "a domain that is under or subordinate to another domain" - this means that the subdomain must first be a domain and second it is subordinate to another domain in some manner.

Subdomains are traditionally used to break up a higher-level domain into smaller administrative parcels.  Let's take the ca.gov domain for example, used by the state of California.

ca.gov is the domain
The NS records for this domain are:
nsX.net.ca.gov

It probably has several subdomains, but here are some I know of:

dmv.ca.gov for the Department of Motor Vehicles
The NS records for this domain are:
nsX.net.ca.gov (same as parent)

oag.ca.gov for the Office of the Attorney General
The NS records for this domain are:
nsX.doj.ca.gov (different)

Each of these two subdomains has a www address:

www.dmv.ca.gov
www.oag.ca.gov

The oag subdomain also has an ftp address:

ftp.oag.ca.gov

Each subdomain also has different MX (mailserver) records, but I'm not going to publish them.

Traditionally a subdomain has NS records in its parent's zone file that specify the nameserver(s) hosting the zone files for the subdomain's records.  www and ftp are A records (A for Address) in the oag.ca.gov zone file.

oag.ca.gov is a subdomain
www.oag.ca.gov and ftp.oag.ca.gov are addresses

So it looks like the California IT department decided to host DNS for the DMV subdomain on their nameservers while letting the OAG IT department manage DNS on their own servers.  This is one of the legitimate reasons to create a subdomain in the first place - to delegate authority to another group. The OAG IT department can manage all the DNS records (addresses, aliases, mailservers, etc.) for their subdomain without going through the IT people at another office.

Chapter 9: Parenting from the 5th edition of DNS & BIND (Liu, Cricket and Albitz, Paul, O'Reilly Media Inc., 2006) lists three common reasons you would want to set up a subdomain:
  1. A need to delegate or distribute management of your domain to a number of organizations
  2. The large size of your domain; dividing it would make it easier to manage and reduce the load on your authoritative nameservers.
  3. A need to distinguish hosts' organization affiliations by including them in particular subdomains.

Now, just because a subdomain has an A record itself (in case people forget the www in front - sort of a "default" website for the domain) doesn't mean that every address is a subdomain.  While every basketball is a sphere, not every sphere is a basketball.

A reasonable definition of a "subdomain" is that it meets one of the two following requirements:
  1. It has NS records - a "delegated" subdomain
  2. It has at least one record other than the A record for the subdomain itself - within the parent's zone file

Also, internet hosting providers need to stop calling address records "subdomains" - just call them what they are.  If they add A records to the zone file, they are "addresses".
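
The two-rule definition above, applied to a zone file, as an added example that is not from the original post.  The example.com zone is constructed sample data, and rule 2 is read here as "some other name beneath it has a record in the same zone", which is an assumption about the wording.

```python
# Added example. The zone text is constructed sample data, not a real zone.
ORIGIN = "example.com."
ZONE = """\
; owner     ttl   class type rdata
@           3600  IN    NS   ns1.example.com.
@           3600  IN    A    192.0.2.10
www         3600  IN    A    192.0.2.10
blog        3600  IN    A    192.0.2.20
legal       3600  IN    NS   ns1.legal.example.com.
ns1.legal   3600  IN    A    192.0.2.53   ; glue for the delegation
sales       3600  IN    A    192.0.2.30
www.sales   3600  IN    A    192.0.2.31
ftp.sales   3600  IN    A    192.0.2.32
"""


def parse_zone(text, origin=ORIGIN):
    """Return a set of (fqdn, rrtype) pairs from simplified zone text."""
    records = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()       # drop comments
        if len(fields) < 3:
            continue
        owner, rest = fields[0], fields[1:]
        # Skip the optional TTL and class columns to reach the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if not rest:
            continue
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = owner + "." + origin
        records.add((fqdn.lower(), rest[0].upper()))
    return records


def classify(records, origin=ORIGIN):
    """Label every name below the zone apex using the two rules above."""
    suffix = "." + origin.lower()
    names = {n for n, _ in records if n.endswith(suffix)}
    # A parent with no record of its own still counts: add each ancestor.
    for name in list(names):
        labels = name[: -len(suffix)].split(".")
        names.update(".".join(labels[i:]) + suffix for i in range(1, len(labels)))
    result = {}
    for name in sorted(names):
        if (name, "NS") in records:                        # rule 1: delegated
            result[name] = "delegated subdomain"
        elif any(n.endswith("." + name) for n in names):   # rule 2: has children
            result[name] = "in-zone subdomain"
        else:
            has_addr = records & {(name, "A"), (name, "AAAA")}
            result[name] = "address" if has_addr else "other record"
    return result
```

Calling classify(parse_zone(ZONE)) labels blog and www as addresses, legal as a delegated subdomain, and sales as an in-zone subdomain.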


Links:

I was surprised I found a few authors on the internet who actually know what a subdomain is and bothered to try to educate others.
  1. Suso
  2. Mark Vogt on this blog and that blog

I'll add more links as I come across them.  The truth is out there.  Even Wikipedia isn't 100% accurate about the definition of a subdomain, and mentions some kind of "lively debate" over its definition.  But then again, a Wikipedia article is only as accurate as the last person to edit it.

Thursday, December 8, 2016

Raspberry Pi Security Camera Viewer

Most high-definition televisions have a "Picture-in-Picture" feature that is useless; if you are watching an HD input the PIP window can only display a low-resolution input such as RF or Composite SDTV.  Furthermore, the sole Composite video input is often combined with the Component video input, which may already be used by your older video game console.

What's left?  I'll show you how to use your HDTV's coaxial cable TV RF input to view up to four network security cameras in the PIP window so you can keep an eye on your perimeter while watching something else.

We'll use the Raspberry Pi to automatically scan your network for up to four RTSP cameras and display them in a 1x1 or 2x2 grid through its composite video output fed to an RF modulator connected to your TV. 

In fact, if you still have unused "cable TV" coaxial cable running all over your home you can use it to send the camera grid to multiple televisions.  You just need to tune each TV to the RF modulator channel.  Just make sure your coaxial cables don't actually connect to the cable TV company!


The RF Modulator


I use a Channel Vision E Series E1200 but any RF modulator will do.  These take a composite video input and output it on an RF cable channel of your choice (usually between 2 and 13).

Using the correct A/V cable for the Raspberry Pi 3 is very important.  Please read this article on how cables that appear to be similar can have very different pinouts.

I have tested this Zune cable from Amazon and it works fine with the Raspberry Pi.

Camera configuration


This project requires that all your network security cameras support RTSP and use the same username, password and RTSP URL suffix.

I've been pretty happy with the Amcrest IP2M-842E Outdoor 1080P POE Security Camera available from Amazon in Black or White.  I'll assume you know how to make and run CAT6 cabling and know these need to be plugged into a POE switch or separate POE power injectors.

When you set these up using Amcrest's app be sure to configure them with the same username and password.  They all have the same RTSP URL format:

rtsp://username:password@ipaddress/cam/realmonitor?channel=1&subtype=1

Subtype 1 = SD
Subtype 0 = HD

Since we will be outputting SD from the Pi there's no need to use the HD streams.  Use subtype=1.

About Network Video Recorders (NVRs)


Using RTSP streams from your cameras should not prevent you from simultaneously using an NVR (such as the one made by Amcrest) to record camera video when motion is detected in predefined zones.  This project just gives purpose to the PIP feature on your TV whether you use an NVR or not.

While most NVRs can output a 2x2 (or better) grid for monitoring your cameras, I've only seen HDMI outputs on them.  That means I can't use the NVR with the PIP feature on my TV.

I suppose the alternative to this project is to either get a TV that supports HDMI on PIP or try to find an HDMI to Composite video converter.  But I'd still need an RF modulator anyhow.  And this means the NVR can be somewhere else, secured against theft.

Raspberry Pi 3 configuration


First, follow my initial configuration guide.

Install nmap, omxplayer and screen:

sudo apt-get install nmap omxplayer screen

Edit /boot/config.txt:

sudo nano /boot/config.txt

Comment out (add # in front) ALL occurrences of hdmi_force_hotplug - it may be in there more than once!
Add overscan_scale=1 and gpu_mem=128
Uncomment sdtv_mode and set it to 0

The relevant lines then look like this:

# uncomment if hdmi display is not detected and composite is being output
#hdmi_force_hotplug=1

# uncomment for composite PAL
# (sdtv_mode=0 selects NTSC; the stock comment above refers to PAL)
sdtv_mode=0

# NOOBS Auto-generated Settings:
#hdmi_force_hotplug=1

# CCTV Settings
gpu_mem=128
overscan_scale=1

With these settings, if the Pi boots up and does not detect an HDMI monitor connected, it will use the composite video output.

Create /home/pi/cctv:

nano /home/pi/cctv

Type in (or copy and paste) this bash script, substituting the username and password used by your cameras:

Then grant execute permissions:

chmod +x /home/pi/cctv

Test the script by running it manually, specifying the horizontal and vertical resolution that works best for you:

./cctv 640 480

To configure the Pi to run the script on boot, add this line to /etc/rc.local before exit 0:

/home/pi/cctv 640 480

Wednesday, December 7, 2016

Raspberry Pi 3 initial configuration

Here are the steps I use when setting up a new Raspberry Pi 3.

I usually get an 8GB microSD card but depending on the project I've gone larger.  I like the SanDisk Extreme microSDHC UHS-I. 

Make sure you have the proper power supply for the Pi 3.  I believe it needs to be at least 2.5 amps. 

Download the NOOBS zip file from the raspberrypi.org site and unzip its contents onto the microSD card from your PC.  The cards I buy are preformatted FAT32, which works fine for NOOBS.

Slip the microSD card into the Pi 3 and boot it up.  If you press the w key you can connect to your home wifi network in order to view the complete list of installation options.  You need to do this so you can select the Lite version of the Raspbian OS, which is my preference.

After the installation is completed and the Pi has rebooted, log in as user pi with password raspberry.

Change the root password to raspberry so you don't forget it (in case you need to su)

sudo passwd root

Go through the locale & internationalization options in raspi-config to set your timezone, keyboard, country, etc.

sudo raspi-config

Configure wpa_supplicant.conf so the Pi connects to your home wifi network on boot:

Setting WiFi up via the command line

Reboot the Pi:

sudo reboot

Update the Pi:

sudo apt-get update
sudo apt-get upgrade


Here's another way to change the keyboard configuration to US (the Pi defaults to a UK configuration):

sudo dpkg-reconfigure keyboard-configuration

Edit /etc/rsyslog.conf:

sudo nano /etc/rsyslog.conf

Comment out these lines at the bottom:

#daemon.*;mail.*;\
#       news.err;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       |/dev/xconsole

Set the timezone of the Pi.  Run the next command from the console rather than over SSH:

sudo dpkg-reconfigure tzdata

Older Pi kernel versions defaulted power management to on which in conjunction with another setting may result in the integrated wifi interface going to sleep - most inconvenient when trying to manage the prop over wifi!

The apt-get update and upgrade steps performed above should upgrade the kernel.  You can check your kernel version by issuing the following command:

sudo uname -a

As of this writing my kernel version is 4.4.34-v7+ #930 SMP.

You can check the power save mode of the wifi interface using the following command:

sudo iw wlan0 get power_save

If it says power save mode is On then you can try adding this line to /etc/network/interfaces after the wlan0 section:

post-up iw wlan0 set power_save off

Then reboot and check the power save mode of the interface again to confirm it is now off.  If you ever see this mode change back to On, try searching the internet for solutions to the power management issue and try different solutions until it is resolved.  Following the above steps resolved the issue for me.