Sunday, December 4, 2016

Update: LED Hack for Christmas Houses

2016 Update: Updated links to parts sources - some had broken since the original post.  Also: For a festive touch, we use color-changing LED tea lights in the Fezziwig building.  That guy knew how to party!

Last weekend my wife and I started getting the Christmas decorations out of storage.  One of my wife's holiday favorites is a set of Dickens-style houses/buildings; some have signs like "Scrooge & Marley", "Fezziwig", etc.  Each has a C7 lamp and a cord.  Given the number of houses she has, cord management is always an issue.  We wind up trying to hide them with fluffy "snow" fabric, and then we have to hide a socket-strip and all the plugs.  The lights get hot, so in proximity to the fabric there's always a fire risk if one of the lights were to pop out.  The houses are fun, but it's a huge mess, so we decided to homebrew some LED lights for them.

Top removed from thread protector
We started by buying a set of small submersible LED tea lights.  These typically come in packs of 10 - 12, are used for weddings and such (toss them in the bottom of the punch bowl, etc), and cost about $0.80 each.  You can get them in white, color-changing, or a mixed set.  Each light uses a couple of CR2032 batteries, so we picked up a pack of 20 for under $8.00. The lights arrived with batteries, and only one of them was depleted, so we were good to go.  We also discovered that a color-changing light had got mixed into our set of white lights, which the kids decided was really cool because that house "looks like they're having a party". 

LED glued into thread protector
As it turns out, some of her houses have larger openings for the C7 lamps, so we just set the light on the table and put the house on top of it.  The others had smaller openings, so I needed to hack something up.  We considered using modeling clay, but I thought that might get messy.  Sugru or InstaMorph (moldable rubber) would have been great, but I used all my Sugru to make a custom mount for a Wii sensor.  Then I remembered that I had a bag of pipe thread protectors left over from an amateur radio antenna install - I use them to make custom grommets for my coax cable ingress box.

Perfect fit!
As it turns out, the LED lights friction-fit perfectly into thread protectors.  So I sliced off the end to expose the LED.  I put a few drops of hot glue on the thread protector to secure the LED.  They fit perfectly into the holes where the C7 lamps used to go, and they put off good light.

We're pleased with the end result, but if I had to make a change I would use amber/yellow LEDs instead of the pure white we have now.  Maybe over time I'll swap in some of those if the white ones fail.  In the meantime, our Dickens Village is lit up with no cords or concerns about fire danger. 

Wednesday, November 30, 2016

Earthquake Go-Kit - Pirate Radio?

In the wake of New Zealand's recent Kaikōura earthquake, locals have been relying on an FM radio station called "Brian FM 100.3" to provide them with news about where to find food, running water, and toilets.  The broadcasters set up a similar radio station in the aftermath of the 2011 Christchurch earthquake.

Radio New Zealand article

In the US, this would probably be unnecessary - most of our broadcast stations have well-engineered towers, backup towers and power sources, and redundant studios.  New Zealand likely has a lot of idle FM spectrum, even when there's not an earthquake, so the Brian FM network can move around as needed to provide coverage and information to hard-hit or remote areas.

Monday, November 28, 2016

Build a (fire)wall and make China pay for it

I've been gradually building up a Raspberry Pi for use in my shack, and I've also been experimenting with home control and security systems hosted on Pi platforms.  To be really useful, a home control system needs to be accessible from outside my home, and a remote radio setup would also be nice.  This has led me down a path of learning about how to conveniently but safely expose ports on my Pi platforms to the internet.

At any given moment, there are thousands of attackers active on the internet.  If you expose ports like TCP 80 (web server), or TCP 22 (ssh) you will be attacked, likely within minutes.  These attacks range from sophisticated hack attempts carried out by state-sponsored security teams, to teenagers running automated scanners that look for obvious weaknesses like unmodified default passwords.

Most attacks try to leverage brute-force methods - they start with a presumption that the superuser login is "pi" (the default) and work through a list of obvious passwords like the default "raspberry", or "pi", or "password", or "123456", etc.

Presuming you've changed your superuser password (and ideally your login name), an easy method to add security is to implement fail2ban.  The fail2ban method tracks failed login attempts over time, and if the same IP address fails more than X times within Y minutes, that address is then added to a ban list in iptables.  If your password is non-obvious, this works fairly well.  The problem is that, without additional setup, iptables rules exist in memory and are wiped on every reboot.  And because they exist in memory, you'll ultimately waste Pi resources trying to exclude billions of IP addresses.  It's possible to preemptively ban ranges and subnets of IP addresses, but you're still talking about nearly 8,000 entries just for a single country like China.  Also, fail2ban only works if someone actually attempts a login - it does nothing about attackers who probe connections without logging in.
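
The counting rule described above, as an added example (not fail2ban's own code and not from the original post): it scans constructed auth.log-style lines and reports addresses with more than X failed logins inside Y minutes. The values of X and Y, the log lines and the function name `find_bans` are assumptions; the sample also shows that a connection closed before any login attempt is never counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 2                   # "X": more than this many failures bans (assumed value)
FIND_TIME = timedelta(minutes=10)  # "Y" minutes (assumed value)

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample lines in the style of /var/log/auth.log (documentation IPs).
SAMPLE_LOG = """\
Nov 28 09:00:01 pi sshd[811]: Failed password for pi from 203.0.113.9 port 50122 ssh2
Nov 28 09:00:05 pi sshd[811]: Failed password for pi from 203.0.113.9 port 50122 ssh2
Nov 28 09:01:40 pi sshd[815]: Failed password for invalid user admin from 203.0.113.9 port 50190 ssh2
Nov 28 09:02:00 pi sshd[820]: Connection closed by 198.51.100.7 port 41000 [preauth]
Nov 28 09:03:00 pi sshd[822]: Failed password for pi from 192.0.2.44 port 40001 ssh2
Nov 28 09:30:00 pi sshd[830]: Failed password for pi from 192.0.2.44 port 40002 ssh2
Nov 28 09:55:00 pi sshd[840]: Failed password for pi from 192.0.2.44 port 40003 ssh2
"""

def find_bans(log_text, year=2016):
    """Return {ip: time of ban} for IPs with more than MAX_FAILURES inside FIND_TIME."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # not a failed login, so there is nothing to count
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned:
            continue
        window = recent[ip]
        window.append(when)
        while when - window[0] > FIND_TIME:
            window.popleft()      # forget failures older than the window
        if len(window) > MAX_FAILURES:
            banned[ip] = when
    return banned

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when}")
```

The slow guesser at 192.0.2.44 stays under the threshold because its failures never fall inside one window.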

The reality is, the number of IP addresses from which I want to allow connections is very small, and (unless I'm traveling) they're all US-based.  So the trick is to only allow connections from IP addresses originating in the US.  Turns out this is possible using GeoIP and some scripting.  The GeoIP method uses a file database of IP address ranges listed by country.  When an ssh client connects, its IP address is compared with the database.  If the IP address is not from the US, the connection is refused.

I still run fail2ban, to handle any US-based attackers, and to deal with any non-ssh traffic.  Let me know in comments if you use GeoIP for security, and what you think of my strategies.
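
One way to express the country check, as an added example rather than the script used on this Pi: the range table is constructed sample data, the names `country_of` and `allow_connection` are hypothetical, and allowing home-LAN addresses is an added assumption, since a country database has no entry for them. Addresses the table does not cover are refused.

```python
import bisect
import ipaddress

# Constructed sample table in the style of a country range database:
# (first address, last address, country code). Not real allocation data.
RANGES = sorted(
    (int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b)), cc)
    for a, b, cc in [
        ("192.0.2.0", "192.0.2.255", "US"),
        ("198.51.100.0", "198.51.100.127", "CN"),
        ("198.51.100.128", "198.51.100.255", "US"),
        ("203.0.113.0", "203.0.113.255", "NZ"),
    ]
)
STARTS = [r[0] for r in RANGES]
ALLOWED_COUNTRIES = {"US"}
# Assumption: clients on the home network should always get through.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def country_of(addr):
    """Return the country code for an IPv4 address, or None if no range covers it."""
    n = int(ipaddress.ip_address(addr))
    i = bisect.bisect_right(STARTS, n) - 1   # last range starting at or before n
    if i >= 0 and n <= RANGES[i][1]:
        return RANGES[i][2]
    return None

def allow_connection(addr):
    """Decide whether an ssh client address may connect; unknown means refuse."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                     # unparseable input: refuse
    if ip.version != 4:
        return False                     # the sample table only covers IPv4
    if any(ip in net for net in LAN_NETS):
        return True
    return country_of(addr) in ALLOWED_COUNTRIES

if __name__ == "__main__":
    for a in ("192.0.2.10", "198.51.100.5", "192.168.1.20", "198.18.0.1"):
        print(a, "allow" if allow_connection(a) else "deny")
```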