Archive for ‘Random Thoughts’ Category

17 Jan 2018

IoT Devices and Network Security

Image credits: isBuzzNews

This is going to be a multi-part post about securing your home/business network and separating your IoT devices into their own network to keep them and yourself “safer”. With the explosion of IoT in recent years, it’s hard to find any business or home without some sort of “smart” device. Whether it’s a TV, Sonos, Nest thermostat, or even a fridge or a washing machine, more and more manufacturers are adding internet capabilities to their devices. This could be a topic of its own, but we are here to discuss network security.

For most homeowners with regular wireless gateways, there simply isn’t any possibility of creating a complex network with the stock firmware. You have to either be lucky enough to own a router that can be upgraded to one of the open source firmware options, or do your research and purchase a router that is supported. Even among those supported devices, you still have to be lucky enough to have one that will work well with the custom firmware. In some cases, you may have poor WiFi signal or lose a WiFi band. More about this later. The other option is to buy a cheap business class router. Some of these are actually cheaper than the higher end wireless routers.

No matter the path you choose, you have to do lots of searching and learn a lot about networking to be able to do this sort of setup. So for the rest of this article, I’m going to provide an overview of the options and then get deeper into how the network should be set up. Follow-up articles will detail specific applications or devices and how they should be set up.

Consumer grade hardware and custom firmware

This is the first option that we talked about. Here you could go with a router like the Asus RT-AC66U or the Linksys WRT series, but make sure to do your due diligence and confirm that the router you have or want to get is supported. This includes reading forum posts from other users who have set up these routers to see whether they have run into issues. Here are some of your options for custom firmware:
  • DD-WRT – This is perhaps the most popular option and the one with the widest support for consumer grade routers. Its UI layout is smart enough that basic setup should be a breeze, but it is capable of so much more if you spend the time to dig into it.
  • Tomato – This one has a few versions, but I’ve linked to the more popular version of it. This is like DD-WRT on steroids since it also provides you live refresh and better statistics tracking right out of the box.
  • Advanced Tomato – This is the same as Tomato but with a much nicer UI. I really enjoyed using this briefly. If you like Tomato, you’re gonna love this.
  • OpenWRT / LEDE – LEDE was a fork of OpenWRT, but they have recently announced that they are merging again. This has the least number of supported devices and releases are less frequent, but if you know your networking, it’s the best option. This is the only one that includes a package manager UI so you can add other packages easily through the UI. This also makes it easier to add functionality that the other firmwares may not provide out of the box.
Note: This is not for the faint of heart. You could brick your router and have a hell of a time getting it back to its stock firmware, so proceed with caution.

Business grade hardware

As a stepping stone, I recommend you play around by installing one of the custom firmwares mentioned previously on the router that you have so you get familiar with the concepts, and once you get fed up with fighting to get things working, you move up to business grade hardware. I am assuming that you are not reading this far unless you’re a noob. The options here are endless and so are the expenses, so I’ll stick to the option that I’ve had experience with (installing at consumer location), which gives you a big bang for the buck. Ubiquiti! They provide a range of wired and wireless products that are pretty much in line with high end consumer devices in price, but from a stability and functionality perspective, they are flawless (as much as can be). For example, an Edge Router Lite 3 plus a Unifi AC Pro model can cost less than a Linksys Max-Stream AC4000 MU-MIMO Wi-Fi Tri-Band Router and provide way more functionality and most probably better performance. Setting up a network in a 2700 sq. ft. space, I ended up replacing two wireless routers with just the one Unifi AC Pro. Of course, I had to use the Edge Router Lite as well since the Unifi by itself does not have everything you need, and you may need a (managed) switch as well if setting up a more complex VLAN. The one downside to the Unifi line of products is that they require controller software to be running on a PC or the cloud key so you can control them (i.e. there is no web interface without the controller software), but still this is a great setup.

The Network

Now the real part. As Spiderman’s wise uncle Ben said, “With great power comes great responsibility.” So the more smart devices you have (more power), the more you need to be careful (responsible). There have been numerous articles about smart devices that have either been communicating in the open (intentionally or otherwise) or been left open to hacking, so it only makes sense to separate these devices from the rest of your network. We’ll start with the base setup and then optionally make things more complicated. Let’s talk in more detail about how this should work:
  • VLAN 10 is the business/home network. Computers and devices on this network have full internet access, as well as full access to the IoT network (VLAN 20).
  • VLAN 20 is the IoT network. This network is isolated from both the business/home network and the guest network. You could provide full internet access to this network or optionally limit access here as well to well known protocols like HTTP/S, DNS, NTP, etc.
  • VLAN 30 is the guest network, which should not have access to either of the other networks. Just Internet. Again, internet access here could be limited to just a few protocols as well. You could further protect yourself and your guests by using the AP isolation feature of your router if it has it.
Where things get complicated is when you try to set up the firewall rules to make all this work, and depending on your router the instructions are different. I’ll cover the details of the setup in future articles.
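
The three-VLAN layout above written as a first-match rule table and checked against the intended flows, as an added example (not from the original post and not any router's actual syntax). The zone names, rule format, sample ports and the "weak" ruleset are constructed for illustration, and the IoT port list is the optional restriction the post mentions.

```python
from collections import namedtuple

# Zones are the VLANs from the post; "wan" stands for the Internet uplink.
HOME, IOT, GUEST, WAN = "vlan10", "vlan20", "vlan30", "wan"
Rule = namedtuple("Rule", "src dst state ports action")  # "*" matches anything

def decide(rules, src, dst, port, state="new"):
    """First matching rule wins; no match means drop (default deny)."""
    for r in rules:
        if (r.src in ("*", src) and r.dst in ("*", dst)
                and r.state in ("*", state)
                and (r.ports == "*" or port in r.ports)):
            return r.action
    return "drop"

# Constructed "weak" ruleset: one broad allow per internal VLAN.
WEAK = [Rule("*", "*", "established", "*", "accept"),
        Rule(HOME, "*", "new", "*", "accept"),
        Rule(IOT, "*", "new", "*", "accept"),
        Rule(GUEST, "*", "new", "*", "accept")]

# Constructed ruleset that follows the three bullets above.
IOT_PORTS = {53, 80, 123, 443}  # DNS, HTTP, NTP, HTTPS (the optional limit)
SEGMENTED = [Rule("*", "*", "established", "*", "accept"),  # replies only
             Rule(HOME, IOT, "new", "*", "accept"),
             Rule(HOME, WAN, "new", "*", "accept"),
             Rule(IOT, WAN, "new", IOT_PORTS, "accept"),
             Rule(GUEST, WAN, "new", "*", "accept")]

# (src, dst, port, expected verdict) for NEW connections under the post's layout.
EXPECTED = [(HOME, IOT, 8080, "accept"), (HOME, WAN, 443, "accept"),
            (IOT, HOME, 445, "drop"), (IOT, GUEST, 80, "drop"),
            (IOT, WAN, 443, "accept"), (IOT, WAN, 23, "drop"),
            (GUEST, HOME, 22, "drop"), (GUEST, IOT, 80, "drop"),
            (GUEST, WAN, 443, "accept")]

def audit(rules):
    """Return the flows where the ruleset disagrees with the intended policy."""
    return [(s, d, p) for s, d, p, want in EXPECTED
            if decide(rules, s, d, p) != want]

if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK), ("segmented", SEGMENTED)):
        print(name, audit(ruleset) or "matches the intended policy")
    # Replies from an IoT device to a session the home VLAN opened still pass,
    # which is how VLAN 10 keeps "full access" while VLAN 20 stays isolated.
    print(decide(SEGMENTED, IOT, HOME, 51000, state="established"))
```

The established-state rule is what reconciles the first two bullets: the home VLAN can open sessions to IoT devices and get answers back, while nothing on the IoT VLAN can start a connection in the other direction.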

10 Mar 2015

You want HBO Now? Better move out of Canada.

Yesterday, at the Apple press event on March 9th, Apple announced various new hardware and software updates. Amongst them was HBO Now, which is a standalone service provided exclusively through Apple TV when it starts. However, much like most of the other cord-cutting ways of watching legal TV episodes and movies (Hulu, TV network websites), the service will not be available in Canada. You can add this to all the other non-competitive services, monopolized services that we have to live with here in Canada.

10 Sep 2013

Google is the Internet!

That is a pretty obvious statement with the size of the company and the services it offers, but I did not have enough of an appreciation for that statement until recently. It is easy to dismiss the statement as an obvious one, but it is a little scary to me. No one company should affect the internet to this extent. What am I talking about? One of the recent projects I worked on required me to simulate being offline by not allowing my machine to talk to Google. While doing this work, I updated my hosts file to point google.com to a dummy IP address and at the end of the day, having finished work and wanting to just read up on the day’s events, I started browsing the internet. The only issue was that the internet did not work. Almost every page I went to would load halfway and stop. I started to suspect my internet connection and rebooted the modem, router, and computer but to no avail. Then I remembered the hosts file change that I had made. Surely, blocking Google would not stop 90% of the internet pages?….right? Well it does! And that is way too much power for any one company. Imagine, a hack, a DNS spoof, just by blocking Google, most users on the internet would have a very slow experience. I’m scared of the Google.

13 Mar 2013

Updated: Google Reader shutdown signals RSS’ death?

The internets are busy writing about Google Reader being shut down on July 1st, and how RSS is dead. The argument I read in one of the articles was that RSS and Google Reader, while functional, were not sexy enough and are being replaced by the likes of Flipboard and Pulse. Sure, there is some truth to that, but I argue that as long as there are blogs and blog writers RSS will live on, not to mention that a lot of what Flipboard and the like use to populate their pages is RSS. Update (3/14/2013): Since many have to go through the pain of recreating our feeds in another tool, I found a good article on exporting your starred items. It’s based on an older version of Reader, but it still works (hint: to make your starred item feed public, click the RSS icon which looks disabled).

17 Feb 2012

OS X 10.8 Mountain Lion Continues to Blur the Line to iOS

Apple’s next version of OSX is around the corner, and it continues to blur the lines between iOS and OSX. You can read more about that on Gizmodo. But why not just allow iOS apps to run on OSX? With all the talks about sandboxing apps and bringing more iOS features to OSX, it just seems like they are trying to take off the band-aid slowly, rather than doing it and getting it over with. OSX already runs the iOS simulator which has amazing performance on OSX….so just make it into a wrapper app that gets kicked off as soon as an iOS app is launched in OSX. It should be relatively easy to determine if the app is intended for iPhone or iPad and size the app accordingly. This would instantly increase the number of customers for any iOS app, not to mention bringing in a ton of new apps to OSX. I don’t see a downside. Do you?

13 Nov 2011

Android Browser is the IE of the mobile Web

For years Web App developers have dreaded the browser fragmentation and having to support IE. It required a lot of extra finesse in both Web frameworks and Web App code to make sure things worked close to intended across all browsers, specifically IE. Now that the focus has shifted to the mobile web, history is repeating itself. While HTML5 is generally supported on all modern smartphones, and the most popular browsers are WebKit based, it seems that those in charge have not learnt from the lessons of the past. In my personal experience with various mobile web frameworks, the Android platform in general and the fragmentation between Android devices is a huge problem. One of the current best mobile web frameworks, Sencha Touch, works like a dream on the iPhone, but the same code on Android is unpredictable at times. This is exactly why with its second release, Sencha is concentrating on addressing performance and specifically for Android. Needless to say, this is only part of the issue with the Android platform and its fragmentation. Writing native apps, or even working with ubiquitous frameworks like Appcelerator Titanium is also a nightmare when it comes to Android. Don’t get me wrong, I think Android has potential, but as I have said before, if you can’t control the hardware and software, you cannot reproduce the experience of the iPhone. Here is hoping that with its acquisition of Motorola Mobility, Google can create a better Android, cuz the alternative is to suffer the same fate as IE has.

18 Oct 2011

Upgrading to iPhone 4S

My phone finally arrived yesterday, but that is just when things got even more interesting. Here I am with a brand new iPhone, but no internet, and no micro SIM. Of all the days in the year, my cable provider decided to do maintenance on the one day in the past three years that I have a new iPhone….and to do it all day. To boot, the micro SIM cutter that I had ordered off eBay had still not arrived. So the big question was how do I activate my new phone and start using it? I had waited enough.

Cutting your own SIM

The first step was to cut the SIM I had so that I could even get the phone going. This was much easier than I thought. Using a box cutter and a co-worker’s iPhone 4/SIM I only had to go over each line a couple of times, before the SIM would just easily break on that side. The measurements were rough, but it fit in the SIM holder.

Activating without internet

This was a little harder, but tethering is not as restricted in Canada as it is in the US so I used the second iPhone 4 to set up a personal hotspot. The issue was that with the update to iOS 5, somehow the personal hotspot feature was not available any more, so I had to reset the networking to get that going. Now I had a new micro SIM and connection to the internet to activate the phone.

Success! … sort of

After activating the phone and restoring it, I ran into another issue that I could not resolve. The phone just refused to receive cellular signal. Even though this worked just fine during activation and restoration, all I got now was No Service. It all worked out in the end after a long visit to the Apple Store to replace my brand new phone :)

Lessons learnt

  1. Cutting a SIM down to a micro SIM is relatively easy (my SIM cutter finally arrived today)
  2. Resetting the network settings will get you back your Personal Hotspot settings
  3. Typing diag:// in Safari will bring up a diagnostics window that will send info to Apple. You won’t see the diagnostics, but I did not know about this feature
  4. Siri is absolutely the best feature of the iPhone 4S, but it’s rather useless in Canada

21 Aug 2011

Is this the death of WebOS?

I, personally, had high hopes for Web OS and Palm. I truly believed that it was the only worthy opponent to iOS and from the moment it was announced I was ready to buy into it except for the cheesy phone design. That was not the only mistake that Palm made though, and HP’s announcement on Friday put the final nail in the coffin … or did it?

The Mistakes

  1. Apple proved that soft keyboards are every bit as practical as physical keyboards, yet the Palm Pre added extra thickness to provide one, not to mention the ugly case design.
  2. The Palm Pixi was not only uglier, but also added a new aspect ratio for developers to have to deal with.
  3. Palm struck a deal with Sprint which meant that the Pre and Pixi were not available for GSM networks and would not be available worldwide. On top of that, Sprint was not only not a consumer favorite but also lacked the user base of both AT&T and Verizon.
  4. For a mobile OS that was advertised as web based, support for HTML 5 was more limited than on the iPhone. The end result was that Palm did not win over a lot of developers.

A New Hope

When HP bought Palm, I thought they understood the value of what they were buying. WebOS on every device (Printers, Phones, Tablets, Desktops) sounded like things were moving in the right direction. Now WebOS had the money behind it to do really well, but then things went awry again.
  1. It took HP a long time to put new WebOS devices on the market. Not necessarily a mistake, but the devices were not that impressive after this long a wait.
  2. The Touchpad was priced on par with the iPad even though it did not have the App ecosystem that iOS has.
  3. The Touchpad reviews were not good due to the hardware that was not up to par with the OS.
  4. HP immediately released an updated Touchpad with better specs, infuriating the few fans that bought in early.
  5. And finally, HP announced that the Touchpad is dead.

The last five points happened in a span of a couple of months.

Is It Dead?

Not really. HP still plans to license it to device manufacturers and perhaps still embed it in printers and such, but I doubt it will ever be able to compete with iOS or even Android. The latter mainly due to the fact that WebOS has failed to attract a good developer community to provide it with apps. I believe that Apple’s strongest point is that it controls both the hardware and software, so it can guarantee the user experience. While I disagreed with this in the PC era, it is definitely key in the post PC era. To this point, the only true competitors that had any chance of competing were HP, who has already put up the white flag, and RIM, who just cannot get its head around a device that is not email centric. Windows Phone 7 and Android do not control the hardware and the effect is obvious depending on which device you buy. My far-fetched hope is for WebOS to become the Linux of the Post PC era and for HP to become the RedHat.

21 Aug 2011

Google NaCl

Google recently announced a new beta version of Chrome that supports NaCl, or Native Client. It allows C/C++ code to be natively executed inside the browser with restrictions. The new API is called Pepper, but it sounds much like the plagued ActiveX technology that Microsoft offered with IE a few years ago. What do you think?

20 Apr 2011

A shift to Android

I have recently shifted to Android since I had to do some development for it and I had to see for myself if the phone was really as bad as the simulator on the Mac.

The short story is that it is impressive in its own way, but it is not an easy switch from the iPhone.

As I get more time I will be posting my experience with it, along with what I liked and disliked.
