Security Installer Community

Joe Harris


Everything posted by Joe Harris

  1. Ahh sorry JW - Didn't want it in my sig as non-trade can then see it and it was for you guys to have before I disappear from trade. Will check my PMs now in case full, it might just be down to status flux (will go and reverse the polarity and see if it helps).
  2. lol Not had time recently - But I have been doing a lot of similar writing up on Hacktivists and criminal gangs using online space to try and get rich.... Nothing changes in that the same principles in physical security apply online - path of least resistance still happens and common sense helps a lot. I will be writing more again soon though. lol #palmface Thanks for all the kind words guys - Again though, don't think badly of anyone enforcing a rule - I am happy to be non-trade as I am by definition now ex and rules is rules (Excepting Matt ofc). I will be happy as long as I can still catch up with you guys from time to time and if you need to PM to ask a question instead of posting then that's fine by me. Happy for any of you to have those details as I know you are all pucker. As for the mortgage, of course I can help - Step into your nearest branch for a simple, personal and fair bit of advice
  3. btw - You know these industries are going to converge eventually anyway right? Don't you guys read the blogs
  4. Would be good to catch up again Adi - My number is still the same. Don't let the role change cause any arguments guys, I said previously I am happy to be non-trade given the changeover. I would still like to help answer any questions I can though based on previous experience so if there is a way to do that in an appropriate way then it would be good. Life's too short (like norm) 'J
  5. Hi Guys, Been a while and I miss the banter with you lads. Just thought I'd stop by and say the new role is going very well indeed - I'm now playing a key role in infosec with Santander and I am loving it. I've been able to get very involved at the deep end pretty quickly and have been working with other companies as well so there is a lot of variety in the role. Working locally (Leicester) at London rates and with only very few trips to the capital. I still keep my toe in the industry and have been doing some work on electronic security still - specifically on the software / networking side and I still keep up with the news. I miss the old trade but at the same time I would be lying if I didn't say that I have a new spring in my step and am getting paid now for what to me is a hobby I love. If you have any questions then fire away and if I can ever help in my new sphere (or the old) then please give me a shout. 'J
  6. We should be utilising Dual SIM card devices to improve security and resilience...
     As anyone in the Electronic Security industry will be aware, there have recently been many reported intermittent failures across all of the current Major Network Operators (MNOs) such as T-Mobile and Vodafone. Some of this has been the result of MNOs upgrading their services to support 4G signalling (in some cases re-purposing 2G bandwidth for 4G services). Other outages have been due to planned maintenance work in the majority of cases. A small number have been the result of unplanned and unforeseen technical issues. Our friends in Éire have also seen a number of instances where the mobile communications have been blocked intentionally by those seeking to attack a protected site or asset.
     A significant proportion of the devices which currently utilise GPRS / 3G connections are dual path devices where the signal can be routed through the alternate path in the event of such an outage - just as it was designed to do. We are, as an industry, increasingly embracing the idea of replacing single path PSTN devices with (in some cases) single path mobile path devices. Some would contend that the death of PSTN connectivity is a certainty at some point in the future. It can certainly be agreed that pressures to compress data traffic of analogue communications could lead to further issues such as seen previously.
     If we are to go ahead with such a mass migration of signalling devices, across to a medium that is currently under significant pressure to evolve, then we should ensure that we are taking all appropriate steps to mitigate any potential for our single path devices to fail to signal. I propose that we should adopt Dual SIM devices wherever possible to improve our capacity to overcome either malicious attempts to prevent signalling and also provide for redundancy of communications when a MNO has an outage of their core networks (something which has happened too often already).
     Some providers may indicate that they already provide a SIM capable of switching between several networks. This is absolutely true, however, what is not made clear in some cases is that an outage of the MNO with whom the SIM is hosted would mean that the SIM cannot 'lock onto' another network and is in effect rendered incapable of signalling due to an outage of a single supplier. With a Dual SIM card device, each SIM can have a different host network and as such provide much greater resilience. A number of smart phones already utilise Dual SIM capability, in part to support international travel and also in part for improved signalling capability and fault mitigation.
     As an industry we have for many years struggled to keep up with the changing pace of technology. In this aspect, we should now take the lead and establish the very best practice in the tradition of true British engineering and quality. Take the time to encourage your signalling providers of choice and the ARCs you utilise to support this approach and set the bar higher in our continuing fight to secure and protect our end users.
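The resilience argument in the post above, worked through as a small availability model. This is an added illustration, not code from the original post or from any signalling provider; the network names, the failure scenarios and the two assumed failure kinds (an MNO core outage, and a local loss of one network's radio coverage) are constructed.

```python
"""Simplified availability model for single-SIM, multi-network-SIM and
dual-SIM signalling devices under MNO failures (constructed example)."""
from dataclasses import dataclass
from itertools import combinations

NETWORKS = ("NetA", "NetB", "NetC")   # constructed stand-ins for MNOs
FAILURE_KINDS = ("core", "radio")     # assumed failure kinds (see lead-in)


@dataclass(frozen=True)
class Sim:
    host: str             # MNO that issued and hosts the SIM
    partners: tuple = ()  # networks a 'multi-network' SIM may camp on


def sim_can_signal(sim, failures):
    """failures is a set of (network, kind) pairs.

    If the host core is down the SIM is dead even though it could roam,
    because the host still authenticates it (the post's caveat about
    multi-network SIMs). Otherwise it needs usable radio from the host
    or from any partner whose core is up."""
    if (sim.host, "core") in failures:
        return False
    for net in (sim.host,) + tuple(sim.partners):
        if (net, "core") not in failures and (net, "radio") not in failures:
            return True
    return False


def device_can_signal(sims, failures):
    """A dual-path device signals if any one of its SIMs can."""
    return any(sim_can_signal(s, failures) for s in sims)


def scenarios(networks=NETWORKS, max_simultaneous=2):
    """Every combination of up to max_simultaneous failure events."""
    events = [(n, k) for n in networks for k in FAILURE_KINDS]
    for size in range(1, max_simultaneous + 1):
        for combo in combinations(events, size):
            yield frozenset(combo)


def count_survived(sims):
    """Number of scenarios in which the device still signals."""
    return sum(1 for f in scenarios() if device_can_signal(sims, f))


SINGLE_SIM = (Sim("NetA"),)
MULTI_NET_SIM = (Sim("NetA", partners=("NetB", "NetC")),)
DUAL_SIM = (Sim("NetA"), Sim("NetB"))   # two different hosts, as proposed

DESIGNS = {
    "single SIM": SINGLE_SIM,
    "multi-network SIM": MULTI_NET_SIM,
    "dual SIM": DUAL_SIM,
}


def compare():
    """Scenarios survived per design, out of the 21 generated."""
    return {name: count_survived(sims) for name, sims in DESIGNS.items()}


if __name__ == "__main__":
    host_core_outage = {("NetA", "core")}
    for name, sims in DESIGNS.items():
        ok = device_can_signal(sims, host_core_outage)
        print(f"{name:18s} survives host core outage: {ok}")
    print(compare())
```

The multi-network SIM only helps with the radio-coverage cases; a core outage at its host takes it down exactly like a single SIM, which is the gap the dual-host design closes.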
  7. ...Is 2014 the year when we will see the death of the remote control and the introduction of 24hr monitoring inside every living room?
     For many years TV manufacturers have made the bulk of their profits from the selling of increasingly minimised hardware at reasonable profits. This has been supported by innovations such as increasingly larger screens followed by LCD, LED, HD, 3D and 4K providing yet another “next new thing” to allow them to sell a combination as yet another new TV to those who always want the latest available technology. This has provided substantial profits to the likes of Samsung, Panasonic and Toshiba and other hardware manufacturers over the years.
     More recently, the introduction of so called ‘Smart TVs’ has provided a new income stream as TV manufacturers have been able to provide their own ‘App stores’ to provide built in software applications to provide additional functionality to users such as Skype or Netflix integrations. This has only generated a modest amount of revenue though and is likely still generating more cost in terms of research and development at this time leading to a net loss.
     Both of these areas could soon be overshadowed however by a significant upcoming change in the role that TVs will play in how we interact with the services available… A rising number of TVs now ship with built in cameras to allow video calls to be seamlessly integrated and to enable gesture controls. This same functionality has been proven to allow the possibility of tracking eye movements and facial expressions. Extend this one small step further and with a Kinect style ability to recognise individuals there is suddenly a huge new market emerging for TV manufacturers to take advantage of.
     Relevant content
     Why would an advertiser want to show their advert while their target audience is not watching? Why would a teenager watching the TV want to see an advert for "shiny, clean dentures"? Similarly, your 100 year old relative is unlikely to want to take up skateboarding. This is wasted advertising money… Instead, if they know that certain people are watching, then they might want to instead show some relevant content for them or place their advert elsewhere. If facial expressions and eye movement can be tracked using the built in camera, then advertisers can suddenly learn what impact the wording of their adverts has upon specific users and tailor audio tracks to get their attention. Perhaps “Best pizza in the whole of Manchester!” did not make you look up from your smartphone, but “Best Hot Pepperoni Pizza at your door in 30 seconds!” may have you looking up and/or licking your lips… Can you imagine how powerful this could be for the multi-billion pound advertising industry? The humble TV suddenly becomes a tool to target viewers on the basis of who is in the room with different adverts shown to Peter or Paul based on their personal, perhaps even sub-conscious preferences.
     With the significant income that TV manufacturers could generate from advertisers to have access to this immensely valuable metadata, it is likely that they would want all of their new TVs to feature built in cameras. It is also possible that the costs of new TVs in future would be much lower as they do not need lots of new technology to support this technique as it is mostly down to video analysis of the scene caught by a built in camera.
     Privacy Expectations
     If users suddenly begin to understand though, that they have become mere products in this supply chain, then it would be only natural for those who want to protect their privacy to want to cover up cameras so as to maintain their own comfort level of sharing information. This of course would stop the TV manufacturers in their tracks and suddenly remove the input of all of the potentially much more lucrative reaction data. This is especially the case if they subsidise the cost of new sets by using the sold data to offset the manufacturing costs.
     So how do you prevent people from covering up the cameras? This tricky issue is perhaps easily resolved by adding a new ‘feature’ by the way of gesture controlled televisions where no remote control is available or indeed possible. If you take the remote control out of the equation then the only way to adjust the volume or change the channel will be to leave the camera uncovered to allow gesture recognition. Just before UK readers shout: “Hah! I will just use my Sky box controller or Virgin remote” or American readers grab their TiVo remotes, I would urge you to consider that these set top box providers are probably looking at the exact same market space also at the moment, for the very same reasons. It would be interesting to hear the UK Information Commissioner's take on this potential development and the impact that it might have regarding privacy versus profit.
     So to summarise, what does this mean in practical terms as the next few years unfold?
       • Gesture controls will be advertised as a feature
       • TV Remote controls will no longer be provided
       • Cameras will be a standard feature at increasing resolutions
       • Set top box providers and TV manufacturers will compete for market share
       • Viewers will be at risk of living in a viewing ‘bubble’ without diversity
       • Blocking the camera will be rendered impractical / inefficient
       • TVs will be cheaper
       • You will become the product
       • Shares in TV manufacturers may be a good purchase decision in 2014
       • Adverts may become dynamic and hosted by TV manufacturers as a service
       • Advertisement funded TV content providers may feel impact (Think ITV...)
       • Service provision may be funded by access to camera output
       • Smart TVs already pose a data security risk - Mandatory cameras extend this
     References:
       • Ongoing - Smart TVs on Wikipedia
       • 28/10/13 - Getting Smart on Smart TVs: Awareness Increases Likelihood of Consumer Purchasing, Survey Shows
       • 04/09/13 - Smart TV interactive ad formats increase brand engagement
       • 20/12/13 - Media Devices Hit 140 Million, Smart TVs Push Increase
       • 18/08/13 - Google patents 'pay-per-gaze' eye-tracking that could measure emotional response to real-world ads
       • 08/05/13 - Eye-Tracking Technologies Are About To Make Advertising Even More Invasive
  8. ? Your first 5 posts were a bit random gim
  9. Those with Gold accreditation or seeking it should be putting pressure on the NSI to promote the value to the end users. I take on board Matts point about the value issue. We can all either ignore it (note that this applies equally to SSAIB) or we can promote and educate and at the same time fine tune the process regarding tackling poor performance. We can throw the lot on the scrap pile but let's be honest, what model would you replace it with that is better suited?
  10. They should do that just for the lols
  11. The gold / silver debate is a tough one - Not to forget that some firms cannot be gold if they want to... For example if they are a one man band you can only achieve silver as you need at least two staff (including yourself) to get gold.
  12. I appreciate the insight still. It just highlights the unquestioning way industry accepts statements and that we ought to be questioning them where established third party certification has not been carried out.
  13. The ARC can do any seed - they may need to pay to implement though if they don't know how to do db inserts
  14. One of my many arguments for standardised protocols. Why reinvent the wheel? Especially when you make a round wheel square in the process.....
  15. It's invigorating to see products and applications looked at through a different lens and I am sure it intrigues CG to see what is out there. lol
  16. Are we ready for the next generation networks?..
     In some ways the traditional notions we hold of privacy are currently holding us back. They are preventing us from taking full advantage of the possibilities that technology is making available to us right now. I genuinely foresee a point in time where we will overcome such social stigmas (this really is all it is) and experience the benefits that will come, only from truly embracing all that technology can offer us. So how do we get from point A to point B?
     Currently we strictly control who has access to our personal data. We painstakingly and meticulously specify which websites can access what data and are regularly asked to give permission / authorise and sign-in on a daily basis. We default to 'not sharing' and are suspicious (usually rightfully so) of any requests for details that are not giving us what we asked for. Services relating to health, wealth and security among others are slow and painful to authenticate to and only relate to each other when we go out of our way to inform and advise. We settle for sub-optimal performance as we do not know anything better.
     How does this compare to 'Point B'? By the time we reach this stage we can expect all services with which we interact to be uniquely personalised. It would be considered normal that all shops recognise us and offer relevant promotions with clothing shops showing styles modelled by us, content which is interesting to us will be presented from all media outlets and systems which required manual configuration previously just to "work" will instead seamlessly operate based on any interaction we make with any other equipment or system. If we choose to purchase a new fridge then our car, TV and alarm clock should know about it and shops should stop trying to sell us one. Our home power management systems of the future should be able to tell when we are out, our heating should self adjust, windows should close and the premises should automatically become secured. These are basic examples, but you get the idea. How do we then achieve this huge leap of faith from not wanting anyone to know what TV programs you like to allowing any relevant service to access that data?
     The two stage solution...
     I believe that due to our learnt behaviour of being 'inherently suspicious' the majority of us will need to do this in two stages. Firstly we would use an online avatar to represent us that has no known link to our real identity. This avatar can be customised and will allow us to choose to add more understanding and know-how over a period of time without completely signing over access to everything about us. As this avatar becomes more useful and effective we may then come to reach a point where some brave souls volunteer for the second stage which is to give this online avatar our 'real life' identity. Building trust like this may take time but will give a strong foundation to build upon. At this point the GUID (Global unique ID) relating to our avatar would instead become linked to our actual self and with less manual effort our behaviour would lead to point B and the ideal symbiosis of technology and personality could be achieved.
     Some cultures may find it easier to jump directly to this second stage due to cultural differences in upbringing and behaviour; this could potentially lead to an advantage to those who 'let go' sooner over those who need to take a longer, winding path to reach the same almost inevitable conclusion. Orwellian? Yes maybe, but what can we achieve once we focus beyond our traditional notions of the self?...
  17. Good on you for the kind effort Driller - Top class
  18. http://www.professionalsecurity.co.uk/products/cctv/drone-on-show-3/
  19. Change is coming, like it or not...
     There is currently a movement by many businesses within our industry to get involved with much more than just 'vanilla' alarm installations. What does the near and distant future hold for those involved with service delivery, manufacturing, installation or the monitoring of such systems? Are we truly on the way to Security 2.0? It is a clichéd term, but we are currently on a one way street towards our industry either embracing other technologies and service offerings OR facing the very real prospect that our services will be provided by other industries in our place. They will not provide these at a standard which is anything close to our current quality and performance, yet with the apparent move towards an eventual privatisation of emergency response and with apathy from some key stakeholders towards resolving these issues we must accept that maybe the way we have always done things is not perhaps the only viable solution.
     Growing demands of the 'hyper-connected' generation...
     End users have been somewhat spoilt by an age of technology that has provided information at their fingertips. Interaction is available instantly, on-demand and in several different formats allowing end users to decide to use their laptop, phone or several other mediums to check their status and to provide a means for them to control. This has been also available in our industry in many ways with smart phone apps for control panels, CCTV systems and direct access to control their alarm monitoring. This is not going far enough though. This is control in a granular fashion with multiple applications and protocols being used and a 'clunky' approach to solving issues and having to cross reference several systems to get answers. The user experience (UX) needs to improve drastically if we are to keep up. Events such as CES2013 have highlighted the developments in white goods and home automation systems showcasing smart homes and their benefits. This has the potential to develop into an 'expectation' in new homes as clients look to a UX that matches the rapid pace of their changing demands.
     What, where and how..
     So where do we fit into all this, considering there is already an established and rapidly growing industry providing home automation and AV solutions? As an industry we have previously provided 'system integration' which allowed end users to benefit from the best in class of each type of product whilst still allowing such systems to work together in what was a seamless manner offering a fantastic UX as far as the end user is concerned. This has always been a strength in our industry and one that we have shown great expertise in, though this has been supported by rigorous standards and protocols with flexibility and the enforcement of these among equipment manufacturers. If we are to provide the same level of interoperability with evolving markets and next generation products that are not yet available (Google Glass / iWatch / Etc...) then we need to begin to agree on how we are going to achieve this.
     One of the most critical points is to try and avoid the closed (proprietary) protocol approach and inflexible standards that have stifled our industry to date which have been a major part of our inability to move as quickly as the technology has. We should consider being less technology specific and aim to instead define in our standards a clear end goal and aspirational targets yet with scope for multiple methods of meeting these. Standards are by their nature outdated as soon as they are released. We should aim to find ways to improve engagement with their development and enforcement and look to other industries to ensure that we are delivering the best possible offering. Is the current system effective at delivering the intended aims such as protecting end users? One of the most crucial elements is to select the most appropriate 'eco-system' of a platform and protocol combination that will support developments and allow complete interoperability.
     Choosing a winner...
     In moving forwards there are currently several platforms to allow communication between our current systems and likely potential future developments. We already have some systems available to support building management and 'smart home' systems:
       • X-10: Basic protocol which has been in use for a while. Uses home power network
       • Z-Wave: Widely supported product range and was the first wireless protocol
       • Modbus: Very basic wired serial connectivity
       • Insteon: Enables wireless comms on X-10 format and improved UX
       • ZigBee: Newer wireless technology but struggles if multiple manufacturers kit used
     Both Z-Wave and ZigBee have an alliance behind them to promote the benefits of the platform and to support uptake. In some cases a combination of these technologies can be used to achieve the end result. For example some Smart Meters use Modbus protocol to exchange data via an RS232 port but then Z-Wave or ZigBee or others, to then pass that information on outside the device.
     So how do we pick a winner from all of these standards and more? What benefit is there from all manufacturers and system integrators using the same languages? We can focus on patching and fixing multiple disparate protocols until we are blue in the face, or, we can all agree on an approach and then put that same energy into developing the possibilities that are enabled through the agreed technology. There may be countless disagreements at first, but if we can stand united as an industry then that would give us strength to tackle some of the more difficult challenges and showcase the potential of our place in this emergent market. We have in the past struggled to work collaboratively, but social media and changing attitudes now mean that we can have much more open and frank discussion and can see the immediate benefits of doing so. As an industry we have a lot to offer and we can create world class solutions when we work effectively. I am optimistic that we can all pick a winner and that we can all succeed. I would ask all readers to consider what they can do to work effectively with others to ensure that we provide a solution that puts us on the map as world leaders in innovation and effective collaboration.
     Legal Notice: All images and logos remain trademarks of their respective owners and are used in accordance with the fair use of a copyrighted work for purposes such as comment, criticism, news reporting, teaching or research.
  20. Clarion Events will be putting an event on for installers at the NEC in May 2014
  21. I love how they used the move to justify lowering prices, they should lower them this year.
  22. Ghost in the machine...
     With around three quarters of remotely accessible CCTV systems allowing intruders free access to invade privacy and compromise entire corporate computer networks, is it time to say 'enough is enough' to manufacturers and insist upon firmware changes to improve security control? This is not isolated to consumer level CCTV platforms only. Many 'professional' DVRs & NVRs are installed with default administrator accounts unchanged or additional accounts created and system owners given control over the default account (which they then fail to change). This means that anyone who is able to connect to the unit remotely can simply enter the default username & password (which can be found within seconds through a simple Google search in almost all cases) and then have access to the system as completely as if they were standing in front of the unit. To compound matters further CCTV systems are rarely secured to only allow specific IP addresses to connect to them and at the same time they broadcast their presence through banner information given out to any device that queries the unit (this means it is easy to find such devices in the wild).
     In ~80% of installations the default passwords remain in place for the first three months. This drops to an average of ~70% after three months as some systems are made more secure by their removal. This still leaves vast numbers of units out there which can be listed by country / ISP / city, or date of installation and more which are openly accessible to any IP address. Some examples:
       • AVTech - Over 420,000 units exposed - (14,000 in Great Britain / 12,000 in America)
       • Hikvision - Over 710,000 units broadcasting - (10,000 in Great Britain / 16,000 in America)
       • Dedicated Micros - Over 18,000 units detected - (8,000 in Great Britain / 7,000 in America)
     You might be thinking, so what, it's just CCTV - what's the worst that can happen? It should be remembered at all times that modern DVRs are in effect computers in most cases. Usually based on Linux these machines are carrying out a specific task but can be put to use for other non DVR activity with ease. Each compromised DVR is in effect an open computer allowing anyone and everyone access to a corporate network potentially. If security of the DVR is poor then it is possible that network security within a corporation is equally lax. Last year a CCTV module was added to a tool called Metasploit; widely used in the blackhat community, this tool allows users to attack a DVR, testing default access and brute forcing passwords. The fact that CCTV systems are often the weakest point of entry on a network is not lost on attackers and those who seek to maliciously access systems.
     Whose fault is it really?...
     It can sometimes be difficult to pin down exactly where the fault lies as there is a blurring of responsibilities in some contractual agreements. A professional installer may fit a DVR and put in place a secure username and password combination for remote management or viewing by a remote RVRC or ARC. They may also advise the system owner to put in place ACL (Access control lists) so that only authorised IP addresses are allowed to connect to the device as well as giving advice on blocking NetBIOS responses and port forwarding. However, if a user insists on being able to access the device remotely and chooses to keep the simple to remember default account and not to implement such measures then the machine can remain vulnerable. Often the company responsible for installing, maintaining or monitoring the system does not have control over the network used by the device for transmission. Even if the password is changed there exist a large number of exploits on known DVRs and in many cases these and similar exploits can be applied to other DVRs as the programming code is sometimes not as secure as it ought to be. The CCTV hardware sector has been under intense price pressure in recent years and with a downward spiralling price index it has been common to see a reduction in the number of developers and code writers employed by some companies which could potentially increase the risk of security holes remaining in a product. In the event that a breach receives widespread mainstream media coverage it does not just reflect badly upon an end user themselves as the security industry on the whole would receive bad press even if not at fault.
     How do we fix it?...
     In part this may require some contract review to ensure that clear definitions are in place by all businesses as to the responsibility that both they and the client hold. Clear understanding must be given as to the potential risks and good practice should be recommended in securing the unit. Perhaps a move towards mobile broadband and IPv6 will mean that we can take back control of securing the communication channel? We must however tackle the issue of default user accounts existing in the first place. There is no need to have such accounts any more. Even if such accounts could be made unique to each device it would be an improvement, but in an ideal world the units would prompt for a unique username and password combination on first powering up with an option to default the unit only by a physical action on the unit itself in some secure manner. Dedicated Micros units for example come configured with up to five separate default accounts of which three have admin level access and allow full control over a unit. Are your engineering teams ensuring that all of these accounts are removed? I recently asked the technical support staff at several DVR manufacturers why they still use default accounts despite the huge risks involved when they are regularly left in place? I was repeatedly advised that it made their job much easier when providing remote support to users and engineers.
     Newer Axis cameras feature the technique of forcing a password change on first access and it is much more secure as a result. We should be hammering the doors of manufacturers to ask them to introduce this approach in their new firmware revisions (no hardware change should be required in most cases). We should also be encouraging the standards to push towards a more robust approach to handling default accounts. Manufacturers often boast of how much value is protected by their devices (it's a safe boast that does not reveal how many units they sold) - It is this same value that is potentially at risk. The next time you are presented with new CCTV equipment or a new manufacturer, ensure that you ask them how they ensure that their products remain secure as it is your reputation at stake.
     Action to be taken:
     Installers
       • Check contractual agreements
       • Ensure engineers trained in best practice
       • Audit existing installations
       • Verify guidance given to end users
       • Ensure firmware is updated regularly
     Manufacturers
       • Remove generic default accounts
       • Deploy an effective mechanism for security
       • Check existing exploits to ensure none affect your units
       • Keep up to date with new exploits
       • Notify your clients when you discover older firmware is at risk
       • Maintain a 'risk register' of some kind for trade members to be aware of potential risks
     End Users
       • Protect their own networks by blocking NetBIOS
       • Allow access only to specific IP addresses
       • Change / Remove default accounts!!
       • Use secure passwords (6 Characters or more / Alphanumeric / Mixed case)
       • Ensure that internal communications to and from the device are restricted
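The controls the post above asks for (no surviving factory accounts, a source-IP allow-list, the stated password policy, and a forced credential change on first access) modelled as audit and login logic. This is an added illustration, not firmware from any DVR vendor or code from the original post; the default-account list, device configurations and addresses are constructed placeholders, not any product's real credentials.

```python
"""Constructed model of DVR remote-access hardening: audit of a unit's
configuration and the decision logic for a remote login attempt."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed illustrative set of generic factory accounts (username, password).
# Real units ship with their own; the point is that these pairs are matched
# explicitly rather than ever being treated as a trusted login.
KNOWN_DEFAULT_ACCOUNTS = {
    ("admin", "admin"),
    ("admin", ""),
    ("user", "user"),
    ("service", "service"),
}


def password_meets_policy(password):
    """The end-user minimum from the post: 6+ chars, alphanumeric, mixed case."""
    return (len(password) >= 6
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password))


@dataclass
class DvrAccount:
    username: str
    password: str
    must_change: bool = True   # stays True until a unique secret has been set


@dataclass
class DvrConfig:
    accounts: list
    allowed_sources: list      # CIDR strings; an empty list means any address


def audit(config):
    """Findings an installer's audit of an existing installation would raise."""
    findings = []
    if not config.allowed_sources:
        findings.append("no source-IP allow-list: any address may connect")
    for acct in config.accounts:
        if (acct.username, acct.password) in KNOWN_DEFAULT_ACCOUNTS:
            findings.append(f"default account still present: {acct.username!r}")
        elif not password_meets_policy(acct.password):
            findings.append(f"weak password on account {acct.username!r}")
    return findings


def authorize_login(config, source_ip, username, password, new_password=None):
    """Decision a hardened firmware could apply to a remote login. Returns a
    status string so every branch (ACL, credentials, forced change) is visible."""
    src = ip_address(source_ip)
    if config.allowed_sources and not any(
            src in ip_network(net) for net in config.allowed_sources):
        return "denied: source address not on allow-list"
    for acct in config.accounts:
        if acct.username == username and acct.password == password:
            break
    else:
        return "denied: bad credentials"
    if (username, password) in KNOWN_DEFAULT_ACCOUNTS or acct.must_change:
        # First-access forced change, the behaviour the post credits to newer
        # Axis cameras: the factory secret can never be used to reach the system.
        if new_password is None or not password_meets_policy(new_password):
            return "change required: supply a new password meeting policy"
        if (username, new_password) in KNOWN_DEFAULT_ACCOUNTS:
            return "change required: new password is a known default"
        acct.password = new_password
        acct.must_change = False
        return "ok: password rotated on first access"
    return "ok"


def factory_config():
    """Constructed 'as shipped' unit: two generic accounts, no ACL."""
    return DvrConfig(accounts=[DvrAccount("admin", "admin"),
                               DvrAccount("service", "service")],
                     allowed_sources=[])


def hardened_config():
    """Constructed unit after commissioning: unique admin, ARC subnet only."""
    return DvrConfig(accounts=[DvrAccount("siteadmin", "Gate7Watch",
                                          must_change=False)],
                     allowed_sources=["192.0.2.0/24"])


if __name__ == "__main__":
    for name, cfg in (("factory", factory_config()), ("hardened", hardened_config())):
        print(name, audit(cfg) or ["no findings"])
```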