ITHCWY: Robert Ellison's Blog

Securing the Internet of Things

We can’t trust manufacturers to build secure connected devices and so routers need to be updated to solve this problem once per network.

The distributed denial of service (DDOS) attack on Friday, October 21 was apparently caused by dodgy webcams. But next time it will be Nest or Alexa or Hue - not picking on Google, Amazon or Philips specifically here, those just happen to be the IOT devices currently plugged into my home network. My washing machine and drier would be as well but fortunately LG’s dismal app has saved me from myself by not working for toffee. Oh, I have some DropCams too. And my car is connected. The next attack will probably just come from me.

My fix: update routers to sandbox these devices. A Nest thermostat can only talk to nest.com. If it wants to DDOS Reddit too bad, no connection allowed no matter how badly the device is compromised.

When a new device is connected the router looks it up (MAC address registry?) and then puts it in the appropriate sandbox.

If Nest needs to connect to weather.gov to check the forecast then Google would need to proxy this via nest.com. If the device goes bad it’s only got one domain to attack (so there’s a pretty good incentive for the manufacturer to make sure it doesn’t).
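
The sandbox rule described above, as an added example (not code from this post or from any router firmware): a default-deny lookup from device to allowed domains, matched on DNS label boundaries. The OUI prefixes, the SANDBOXES table and the function names are constructed for illustration; MAC addresses can be spoofed, so the lookup identifies a device rather than authenticating it.

```javascript
// Constructed policy table: OUI prefix (first three MAC bytes) -> sandbox.
// The prefixes are made-up placeholders, not real vendor assignments.
const SANDBOXES = {
  'aa:bb:cc': { device: 'thermostat', allow: ['nest.com'] },
  'aa:bb:dd': { device: 'camera', allow: ['camera-vendor.example'] },
};

// Canonicalise a MAC to lower-case colon form; null if it is not 6 hex bytes.
function normalizeMac(mac) {
  const hex = String(mac).toLowerCase().replace(/[:.-]/g, '');
  if (!/^[0-9a-f]{12}$/.test(hex)) return null;
  return hex.match(/../g).join(':');
}

// True only when host equals an allowed domain or is a subdomain of it.
// Matching on label boundaries stops "evilnest.com" passing as "nest.com".
function hostAllowed(host, allow) {
  const h = String(host).toLowerCase().replace(/\.$/, '');
  return allow.some((d) => h === d || h.endsWith('.' + d));
}

// Decide whether a device may open a connection to host. Default is deny:
// unknown or malformed devices get no egress until someone assigns a sandbox.
function decide(mac, host) {
  const canonical = normalizeMac(mac);
  if (!canonical) return { action: 'deny', reason: 'malformed-mac' };
  const sandbox = SANDBOXES[canonical.slice(0, 8)];
  if (!sandbox) return { action: 'deny', reason: 'unknown-device' };
  if (!hostAllowed(host, sandbox.allow)) {
    return { action: 'deny', reason: 'outside-sandbox:' + sandbox.device };
  }
  return { action: 'allow', reason: 'sandbox:' + sandbox.device };
}

// Constructed connection attempts, as a router might see them.
const attempts = [
  ['AA-BB-CC-01-02-03', 'home.nest.com'],
  ['aa:bb:cc:01:02:03', 'www.reddit.com'],
  ['aa:bb:cc:01:02:03', 'evilnest.com'],
  ['aa:bb:cc:01:02:03', 'nest.com.attacker.example'],
  ['12:34:56:78:9a:bc', 'nest.com'],
];
for (const [mac, host] of attempts) {
  const d = decide(mac, host);
  console.log(mac, '->', host, d.action, d.reason);
}
```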

The only downside is new routers or new router firmware. Given the current state of IOT I’d buy one.

As usual if any of my billionaire investor readers are interested get in touch.

Where did that app icon go, Android?

As much as I’m looking forward to Daydream VR and trying to train my Google Assistant to swear there is one big problem left with Android that Mountain View should tackle first.

Where the fuck did my icon go Android?

Every so often when I update apps an icon is missing from my home screen. It’s one of sixteen apps that I use frequently enough to have pinned there but I can’t remember what it was until my muscle memory sends my finger flying to the empty square an hour or day later. Until then I’m distracted and can’t focus and scroll helplessly through the recently updated list in Google Play trying to figure out which of the updates is the culprit.

It’s not the first time I’ve been through this so I took a screenshot of my home screen just so I could not go through this again. But Google Photos backed it up and deleted it to save space so it’s somewhere in Drive that I can’t find doing me no good at all. When I figure this out I’m going to borrow my daughter’s instax and keep a hard copy in my wallet.

Google booking me a restaurant and a babysitter at a whim won’t save the time I lose to hunting down missing apps.

It might be fixed in Nougat but I can’t update for an unknown number of months because of device/carrier/manufacturer fragmentation so that’s still Google’s fault.

I have been a HTC loyalist so maybe it’s Sense and not Android in which case sorry Google, I should get mad at HTC instead.

I’m pretty sure it was Goodreads.

Google I/O 2016

An Echo knockoff and rapturous applause for variable font size in a messaging app. Not much innovation so far this year.

The horrific trend in Inbox and now Allo is machine learning auto reply so you can send something canned and inauthentic instead of actually speaking with people. Zombie Robs might approve but I'm far from convinced.

Updated 2016-05-18 14:12:

Android N looks super cool and I can't wait. The #1 productivity enhancement I'd like to see though is copy and paste icons that look like copy and paste. I do not have a clue currently.

Updated 2016-05-18 14:24:

No headset.

Updated 2016-05-18 14:40:

Android Studio is very nice. Eclipse was painful. I actually like Android Studio more than Xamarin which is saying a lot for a C# leaning person.

Automate Google PageSpeed Insights with Apps Script

Here's a quick script to automatically monitor your Google PageSpeed Insights desktop and mobile scores for a web page:

var pageSpeedApiKey = '...';
var pageSpeedMonitorUrl = '...';

function monitor() {
  var desktop = callPageSpeed('desktop');
  var mobile = callPageSpeed('mobile');
  var spreadsheet = SpreadsheetApp.getActiveSpreadsheet();
  var sheet = spreadsheet.getSheetByName('results');
  sheet.appendRow([
    Utilities.formatDate(new Date(), 'GMT', 'yyyy-MM-dd'),
    desktop.score,
    mobile.score
  ]);

  // more available, e.g. desktop.pageStats.numberResources
}

function callPageSpeed(strategy) {
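  // Encode the query values so a monitored URL containing & or ? is passed through intact
  var pageSpeedUrl = 'https://www.googleapis.com/pagespeedonline/v1/runPagespeed?url=' + encodeURIComponent(pageSpeedMonitorUrl) + '&key=' + encodeURIComponent(pageSpeedApiKey) + '&strategy=' + strategy;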
  var response = UrlFetchApp.fetch(pageSpeedUrl);
  var json = response.getContentText();
  return JSON.parse(json);
}

You need a spreadsheet with a tab called results and an API key for PageSpeed Insights (activate the API in the console and create an API key for it, the browser based / JavaScript option). Paste the code above into the script editor for the spreadsheet and add your API key and URL to monitor. Then just choose triggers from the Resources menu and schedule the monitor function to run once per day.

Note that this currently just logs the overall score. There are a bunch of other values returned (like number and types of resources on the page) that you could choose to monitor as well. It would also be easy to extend this to monitor more URLs, or to send you an email if the score drops below a threshold.

Google Cloud Vision Sightings

I've been feeding webcam images into the Google Cloud Vision API for a few weeks now so I thought I'd take a look at what it thinks it can see. The image above shows every label returned from the API with my confidence going from the bottom to the top and Google's confidence going from left to right (so the top right hand corner contains labels that we both agree on).

Google is super-confident that it has seen a location. Can't really argue with it there.

It's more confident that it has seen an ice hotel than a sunrise (and it has seen a lot of sunrises at this point). Maybe I need to explore the Outer Sunset more.

Google is 60.96% confident that it has seen a ballistic missile submarine. I suppose that's plausible, I do have an ocean view but it's rather far away and unless there was an emergency blow that didn't make the news I'm going to have to call bullshit on that one. It's 72.66% confident that an Aston Martin DB9 went past which is pretty specific. Possibly a helicopter slung delivery?

Maybe I'm sending basically the same image in too many times and the poor system is going quietly mad and throwing out increasingly desperate guesses. Probably I've just learned that I should use 80%+ as my confidence threshold before triggering an email...

(Previously)

Chromecast won't connect to wifi - finally found the fix

I've struggled for a while with Chromecast. The idea is great. I love using my phone rather than a remote. I like the idea of being able to cast any screen or browser tab in principle (in practice I think I've only done this once). I like the nice curated background pictures and that I could get round to using my own photos one day.

But here is how it works in practice. Fire up app. Select Chromecast icon and watch it go through the motions of connecting. Nothing streams. Reboot Chromecast, phone and router. Hard reset Chromecast and configure from scratch again. Reboot everything some more. Disconnect house from grid for ten minutes and switch off gas mains as well to be on the safe side. Finally, streaming! Repeat.

It's miserable. With both a Chromecast and a Chromecast 2 (which I really hoped might fix the problem). I've been through two different routers and I've tried a bunch of different settings but nothing seems to make the thing work. I even renamed the device to remove spaces.

For a while I considered buying an OnHub. Maybe Google's router would work with Chromecast? But it can't be bothered with Ethernet ports for some reason and so I'd need a new switch and then I'd probably need another power port and how important is John Oliver right now anyway (very)?

As much as I want Chromecast to work I've binned the wretched thing and bought an Amazon Fire TV Stick. Same basic principle but with apps on the device rather than your phone and a remote control.

I'd rather not have another remote, but it works instantly and without risking an aneurysm. It's also available with voice control which lets you both search for programs and trigger Alexa (my typical morning is asking Alexa for a flash briefing and then sobbing quietly when a daughter yells 'Alexa, stop... Alexa, play Gangnam Style').

My only gripe so far is that the voice search doesn't search inside non-Amazon apps (Netflix, HBO, etc).

Get an email when your security camera sees something new (Apps Script + Cloud Vision)

Nest (previously DropCam) can email you when it detects activity but that gets boring quickly. How about an email only when it sees something totally new?

The script below downloads a frame from a web cam and then calls the Google Cloud Vision API to label features. It keeps a record of everything that has previously been seen and only sends an email when a new feature is detected. You could easily tweak this to email on a specific feature (e.g. every time your dog is spotted), or to count the number of times a feature appears. I'm using a Nest cam but any security camera that has a publicly visible image download URL will work.

var OAuthCreds = {
  "type": "service_account",
  //...
};

var SendEmailTo = '';
var MonitorImageUrl = '';



function main() {
  var timestamp = Date.now().toString();
  var scriptProperties = PropertiesService.getScriptProperties();
  var currentProps = scriptProperties.getProperties();
  
  Logger.log('Grabbing a frame');
  var url = MonitorImageUrl + '&cb=' + timestamp;
  var response = UrlFetchApp.fetch(url);
  var image = response.getBlob();
  image.setName('image.jpg');
  var bytes = image.getBytes();
  var encodedImage = Utilities.base64EncodeWebSafe(bytes);
  
  Logger.log('Calling cloud vision');
  var service = getService();
  if (service.hasAccess()) {
    
    var request = {
      "requests":[
        {
          "image":{
            "content": encodedImage
          },
          "features":[
            {
              "type": "LABEL_DETECTION",
              "maxResults":50
            }
          ]
        }
      ]
    }
    
    var annotateUrl = 'https://vision.googleapis.com/v1/images:annotate';
    var annotateResponse = UrlFetchApp.fetch(annotateUrl, {
      "headers": {
        Authorization: 'Bearer ' + service.getAccessToken()
      },
      "method" : "post",
      "contentType" : "application/json",
      "payload" : JSON.stringify(request, null, 2)
    });
    var json = JSON.parse(annotateResponse.getContentText());
    
    var anythingNew = false;
    var newText = '';

    // labelAnnotations is absent when the API returns no labels (or an error) for the image
    var labels = json.responses[0].labelAnnotations || [];
    for (var l = 0; l < labels.length; l++) {
      var description = labels[l].description;
      var score = labels[l].score;

      if (!(description in currentProps)) {
        Logger.log('Found new feature: ' + description);
        // Script properties store strings, so convert the numeric score explicitly
        scriptProperties.setProperty(description, String(score));
        anythingNew = true;
        newText += 'Found: ' + description + ' (score: ' + score + ')\r\n';
      }
    }
    
    if (anythingNew) {
      MailApp.sendEmail(SendEmailTo, 'Found something new on the webcam ' + new Date(), newText, { 
        attachments: [image] 
      });
    }
    
  } else {
    Logger.log(service.getLastError());
  }
}

// modified from https://github.com/googlesamples/apps-script-oauth2/blob/master/samples/GoogleServiceAccount.gs#L50 below...
function getService() {
  return OAuth2.createService('CloudVision')
      // Set the endpoint URL.
      .setTokenUrl(OAuthCreds.token_uri)

      // Set the private key and issuer.
      .setPrivateKey(OAuthCreds.private_key)
      .setIssuer(OAuthCreds.client_email)

      // Set the name of the user to impersonate. This will only work for
      // Google Apps for Work/EDU accounts whose admin has setup domain-wide
      // delegation:
      // https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
     // .setSubject(USER_EMAIL)

      // Set the property store where authorized tokens should be persisted.
      .setPropertyStore(PropertiesService.getScriptProperties())

      // Set the scope. This must match one of the scopes configured during the
      // setup of domain-wide delegation.
      .setScope('https://www.googleapis.com/auth/cloud-platform');
}

function reset() {
  var service = getService();
  service.reset();
}

There is a bit of setup to get this working. Create a new Apps Script project in Google Drive and paste the code above in. You'll need to provide your own values for the three variables at the top.

OAuthCreds is the contents of the JSON format private key file for a Google Developer Console project. Go to the console, create a new project and enable the Cloud Vision API. You'll also need to enable billing (more on this below) - a trial account will work fine for this. Once the API is enabled create a service account under Credentials and download the JSON file. Just paste the contents of this into the script.

That's the hard part over. Now enter the URL of the image to monitor (see this post for instructions on finding this for a Nest / DropCam device) as MonitorImageUrl and your email address for SendEmailTo.

One last thing - follow the instructions here to reference the OAuth2 for Apps Script library.

Once this is all done run the script (the main() function) and authorize it. You should get an email with a picture attached and a list of the labels detected together with a confidence score from 0 to 1. If this doesn't happen check the logs (under the View menu).

You can now schedule the script to run repeatedly (Resources -> Current project's triggers). You get up to 1,000 units a month for free so once an hour should be safe. If you need more frequent updates check the Cloud Vision pricing guide for details.

After a few runs you should only get an email when something new is detected. If you're seeing too many wild guesses then add a filter on the score to exclude low confidence features.

Enjoy, and leave a comment if you have problems (or modify this in interesting ways).

(Previously)

Google Inbox Account Switching

Google is generally pretty good about managing multiple accounts but sometimes you get completely stuck. One example is Google Inbox where your primary account is Google Apps for Work without Inbox enabled. You just get a screen saying that Inbox needs to be activated and no option to switch to another account.

There is a fix, and this sometimes works for other products as well. In the URL (https://inbox.google.com/u/0/) there is a user number. Change the 0 to 1 (or maybe 2, 3, etc depending on the number of accounts) and you can get Inbox up and running again.

One case I haven't found a clean workaround for is importing a segment or custom report in Google Analytics. You just get the default profile and if it's not what you're after then there is no way to switch. What does work here is launching an incognito window, signing in to the relevant account and then using the import link. A bit painful but gets the job done.

Not to be anal but (any number of dogs...)

Google is going to start ranking pages based on facts. I'm game. This MUNI sign has always bothered me.

The highest capacity vehicle in the MUNI fleet has to be a two-car light rail vehicle. Capacity 436 people. The average weight of a person is 185 pounds. So we're looking at 80,660 pounds per rush hour train.

The lightest dog is a 1.4 pound Chihuahua named Ducky.

So at the absolute outside with no other passengers the limit is 57,614 dogs. I'm going to have to make some stickers...

Capture DropCam (Nest Cam) frames to Google Drive

Here's an easy way to capture frames from a DropCam to Google Drive. This only works if you have a public feed for your DropCam.

Go to the public page for your DropCam (Settings -> Public -> Short URL Link) and then view source for that page. Near the top you can find the still image URL for your DropCam:

<meta property="og:image" content="https://nexusapi.dropcam.com/get_image?uuid=12345&height=200" />

In Google Drive create a new Apps Script (If you don't already have Apps Script you can find it via Connect more apps...). Paste in the following code:

function downloadFrame() {
  var timestamp = Date.now().toString();
  
  var url = 'https://nexusapi.dropcam.com/get_image?uuid=12345&height=1280&cb=' + timestamp;
  var response = UrlFetchApp.fetch(url);
  var blob = response.getBlob();
  blob.setName(timestamp + '.jpg');
  
  var folders = DriveApp.getFoldersByName('DCFrames');
  while (folders.hasNext()) {
    var folder = folders.next();
    folder.createFile(blob);
    break;
  }
}

Replace the uuid parameter in the URL with the uuid from the still image URL for your DropCam. Note that the height parameter in the script has been changed to 1280 to get the largest possible image. A timestamp is being used to add a random cache busting parameter to the still image URL and is also used as the filename for the image.

The script will save the images to a folder called DCFrames - either create this folder in your drive or change this parameter to the desired folder.

Run the script and check that it's working. If everything looks good go to Resources -> Current project's triggers in the Apps Script editor. You can now set up a timer to save a frame as frequently as every minute (which I'm using to collect frames to make a daily time lapse movie). You can also ask Apps Script to send you an email when the script fails.

Updated 2015-07-01: DropCam is now Nest Cam - assuming that Nest keep the API going everything should keep working as above for both types of camera.