I was asked to describe the stuff I use for my not-so-smart home and how it fits together. This was originally an email, but I figure other people might find it interesting This is as complete as I can think! The goal, where possible, is to have everything under local control and not dependent on the cloud. Setup may require cloud… Lights Philips hue bulbs where possible (including the mirror light)
If you’re anything like me then you sometimes miss the doorbell ringing. It may be because you’re engrossed in a movie and the doorbell sound doesn’t register. Or you might be (in these COVID times) in a make shift home-office with the door closed and an air-con blasting out. Or you may even be out of home. Can we add some home-automation smarts to a dumb doorbell? How does a doorbell work?
Previously I modified a cheap electric safe to work with an Arduino, because the original controller board had failed. But because my build skills aren’t the best, I kept getting serial port issues, and more than once needed to get to the emergency key to open the safe. At the same time someone asked me if the same design would work with one of the real cheap ($30) safes on Amazon.
Previously I described a relatively modern set of TLS settings that would give an A+ score on SSLtest. This was based purely on an RSA certificate. There exist another type of certificate, based on Elliptical Curve cryptography. You may see this referenced as ECC or, for web sites, ECDSA. An ECDSA certificate is smaller than an RSA cert (eg a 256bit ECDSA cert is roughly the equivalent of a 3072bit RSA one).
Working in Cyber Security I’m frequently reminded that the reason we do all the things we do is, ultimately, to protect the data. After all, apps are there to process data, servers (and clouds) are there to run apps and store data. So the whole of cyber security is there to protect the data. It may be Identity and Access Management (restrict access to data to those people who should have access to it).
Back in 2016 I documented how to get an A+ TLS score. With minor changes this still works. But times have changed. In particular older versions of TLS aren’t good; at a very least you must support nothing less than TLS1.2. Consequences of limiting to TLS 1.2 or better If you set your server to deny anything less than TLS 1.2 then sites like SSLlab tell us that older clients can no longer connect.
As I was rebuilding my network I came across a problem. In my basement I had previous run a cable from my core switch around the room to the other side, where I had a small 100baseT switch to handle the equipment on that table. I’d also run another cable across the ceiling to the back of the house, where I had the Powerline network. Everything seemed to be working fine, and it had been doing so for years.
3 years ago I replaced OpenWRT with a home grown router. It’s worked pretty well, but I wanted to take advantage of improvements in networking (5Ghz!) and also improve coverage. This kinda became important due to COVID lockdown and Work From Home. My library, where I was working from, had very weak network signal. I needed to do better. So I decided to look at turning off in the inbuilt WiFi and use an external WAP (Wireless Access Point, or just AP).
What is a firewall? Think of an office building with a keycard entry system. To get into the building you need to put your card to the reader. If it think you’re authorized then the gate will open and you can enter. Similarly, a number of offices require you to “badge out” as well. This badge/gate system is a simple analogy for a firewall. A network firewall may be considered to be a security gate to separate the network up into “inside” and “outside” and you define rules to allow traffic to pass through the gate.
Here’s a common requirement: We want to transfer a file containing sensitive data to a partner; they want us to put the data in their S3 bucket. How can we do this securely? Now you might start with putting controls around the S3 bucket itself; make sure it’s properly locked down, audit logs and so on. But there’s a number of issues with this. In particular, S3 bucket permissions are easy to get wrong.
