Sunday 5 January 2014

Sorting out the Sweex

You know how it goes - in the middle of sorting out one problem, you find that you have to sort out another, and while you're doing that, you find  ....

I was getting problems with a server called "data4". That's a Raspberry Pi, with a 400 gb hard drive attached. I use it for doing backups of sensitive data that has to be encrypted - mostly, that means credit card data. And so data4 has encryption on it, using the Linux encrypted file system.

I looked at the SMART data for the drive, and it had 93 replaced sectors. That means that the drive is limping, and needs to be replaced. It's probably not the fault of the Raspberry Pi.

But, instead of replacing the drive, I decided to bring up another computer to do the job, or rather to add another function to an existing computer. So I chose a computer that was already being used for backups, and had 100 gb on a spare drive. I set up an encrypted file system on that drive (that's very easy to do, look here) and started copying the data to it.
And while I was doing it, the limping drive conked out completely. Never mind, all I need to do, is use the new drive to do the same backup.

I also use that drive for monitoring the Data Shed. I have an IP camera pointing at the sensitive areas, and it records video, in case I have some problem that requires me to see which of my staff was there when the problem happened - that's a PCI DSS requirement. Of course, there's only one member of staff - me. But still, it's a requirement. The box must be ticked!

On the new backup computer, everything was working ... except the camera. I soon realised that, although the camera was working, I couldn't access it from the new computer, and it was obvious why. The camera is on, data4 was on but the new backup computer is

Some history.

A long, long, long time ago, I was allocated to as my very own range of IP addresses, so I could have up to 254 computers. A long, long time ago, I realised that this wouldn't be enough, so I made all my computers have addresses that start with 10, and I started off with to 255, in honour of the addresses that I was allocated. That means that, internally, I address a computer as, for example,, but if I want to allow external access, then I have to set up an equation that tells my firewall to translate to and vice versa. And if I want the outside world not to have access to, then I simply do not set up that translation. It's called NAT, "Network address translation". And it's magic; not only do I get all that security, I can also use any IP address that starts with 10, so instead of just 254 computers, I can have 16 million. Which should be enough. By the way, the use of NAT turned out to be very helpful when I had to change my IP address range from 195.149.17.x to something completely different, because it was more convenient for my ISP, my inconvenience not being a factor, of course. Because I was using NAT, the change was pretty painless. And that's nice, it means that if I want to change my ISP, which will means changing all my IP addresses again, it'll be pretty painless again.

So I was happily using all sorts of addresses that started with 10, but on my IP camera ... oops. I set it up a long time ago, and I gave it the netmask Which means, "you only need to reply to computers that start with 10.149.17". So you can see what happened; my new backup computer was, and the IP camera was ignoring it.

OK, simple problem, easily fixed. Hah! That's where it started to get difficult.

I logged in to the IP camera to change the netmask to (which means "reply to all computers that start with 10.", and the IP camera said "Please Use Internet Explorer 5.0 or higher". But I'm using Firefox on a Linux computer. It wouldn't accept Opera or Chrome, either. So I switched to the Windows box, running Windows 7, used for GSAK and Memory Map, that don't have a Linux version. The IP Camera let me access its configuration, but now the Windows box was saying "That thing you're asking me to run is unsigned and therefore untrusted" and it dumped me out.

After trying a few times, I decided that it just wasn't going to let me do this, so I went back to Firefox under Linux, and looked for a way to pretend to be Internet Explorer.

 When your browser acesses a web page, it announces what it is, via a thing callled "User Agent". And I found something that would let me pretend to be Internet Explorer version 6, 7, 8 or various other things. I happily installed it, and tried the IP camera again. "Please Use Internet Explorer 5.0 or higher". It wasn't fooled. I tried various things, but couldn't persuade the IP Camera to believe that I was using Internet Explorer.

At that point, I started to think that maybe the only way to resolve this, would be to  change the IP address of the backup computer to be in the range 10.149.17.something. But I hadn't quite got to the end of my tether. Google is my friend.

I asked Google, "How do I make Windows 7 let me run an unsigned app, if I'm willing to take the risk?" Because I don't think there's a risk, this app is coming from my IP camera. And there is a way. If you need this, Google is your friend too.

So that let me access the IP camera configuration, I changed the netmask to, and now it all works.

No comments:

Post a Comment