I don't get particularly excited by birds normally
Same. Sometimes one of my deer will get thwacked by a car just hard enough it stumbles up my driveway and falls over. There will be 3 golden eagles and 2 bald eagles fighting over it. The first time I saw them I had a double-take ... I swore at first I saw men sitting on my driveway fence. Golden eagles are massive and quite awe inspiring to watch. When they fight over road kill they stretch their wings out entirely.
Each time I have to make sure I still have an outdoor cat and I have to keep an eye on him until they are done. They seem to only eat the soft bits and leave the muscle meat for the ravens. Then the deer turns into a fly factory which I have to spray.
Unpopular answer but ask your favorite AI to show the history of how taxes increased in the USA since 1913 and what those taxes were spent on. Then ask how often such programs are ever removed and the taxes are reduced and surplus given back to the people.
Related recent discussion of taxes in California [1]
Why is there a flock camera indoors at a school in the first place? Are the schools supposed to be putting video and audio footage of children on 3rd party storage platforms? Are the parents aware of this? Perhaps PTA meetings should discuss. That seems like something that should be using closed-circuit PoE cameras to local NVRs with on-prem encrypted storage with a retention policy if there must be cameras. Encrypted Ceph perhaps? [3]
Just as one example Zoneminder [1][2] can be clustered and distributed assuming a large campus. I'm sure there must be other open source NVRs that can do the same. School IT staff should try out a small deployment first and then extend it year over year. Local AI should detect and alert on fights, abuse from teachers, anyone with a weapon, someone injured, etc...
Bob can be granted access to specific cameras that relate to his role to avoid Repetitive Strain Injury (RSI) among other issues.
The main reason that organizations choose commercially managed solutions is because they don't have local expertise or staff to do things themselves. I do agree that on-prem solutions are better, but Zoneminder is probably not a great option. Besides being old and clunky, it also isn't anywhere near a complete solution, and the IP cameras people often choose to connect to them are often security nightmares. There are many good and complete commercial offerings that are secure and keep video locally.
I totally get what you are saying and there are certainly some schools that lack IT staff, budget and experience but there are some schools that have big budgets and plenty of IT people sitting on their hands that could slowly build this out, document it in a way that schools could budget around YoY and set examples for other schools. Maybe even use it as a project to get students some college credits.
If there are better options than Zoneminder please do share the tutorial videos with others here so they have greater options. I am old and clunky so ZM works for me. Some may even say old and clunky can mean reliable and low maintenance. There are probably some school IT admins reading this. ZM has great documentation and tutorial videos in my opinion. It is also used by a large number of corporations.
Just my own philosophy but I am leery of expensive turn-key commercial solutions as they lead to proprietary solutions that school IT won't understand and will just lead to dead cameras and empty NVRs when law enforcement needs them the most. It will be one of the first maintenance contracts that gets cut from budgets.
Just because someone has an IT staff doesn't necessarily mean that staff really has the expertise to set up a bespoke surveillance system properly. Nor does it really make it a good idea to do so. Nor is it even a good use of time when packaged systems can fulfill most requirements with less integration risk.
The software running on an NVR is only one small part of a surveillance system. I'd be much more worried about the choice of IP cameras themselves, which are notoriously problematic. And if you look at the cameras which are well regarded and high quality -- typically those vendors have their own NVR solutions which are also well regarded and already tested to work well with their cameras.
> I am leery of expensive turn-key commercial solutions as they lead to proprietary solutions that school IT won't understand
If IT can't adequately evaluate and choose a turn-key solution, I doubt their ability to piece together their own system.
> If there are better options than Zoneminder please do share the tutorial videos with others here so they have greater options. I am old and clunky so ZM works for me. Some may even say old and clunky can mean reliable and low maintenance.
The last time I tried Zoneminder, the problem I had was that the detection algorithms were so bad that I found them useless. The cameras I had were all outdoors and their algorithm struggled to strike a balance between detecting legitimate motion and not falsely triggering when lighting conditions changed. I tried some other projects that had better algorithms for filtering out changes in exposure and lighting (I forget which ones), but there are also some now that have AI object detection. But ultimately I've migrated away because commercial options got better, cheaper, and more feature-filled.
If I picked a new system today I'd probably try something like: https://www.ui.com/us/en/camera-security I don't have any personal experience with it but the value looks incredible.
> The last time I tried Zoneminder, the problem I had was that the detection algorithms were so bad that I found them useless.
Fair enough. I've had them set off by deer no matter how hard I try to avoid it. I think they know they are getting my attention.
For what it's worth in a school setting there can be monitors in multiple admin offices, the admin waiting area, school police office and other offices to group source monitoring of strange activity. Otherwise if nothing else it is useful to be able to go back an hour, a few hours or days to verify the "he said, she said" accusations often uttered in school.
That and paying to offload legal liability to a vendor.
Lots of great, free, widely adopted open source technology solutions aren't adopted by public sector because their legal staff won't accept the liability of not having a paid contract that makes guarantees. Great use of tax dollars.
> Are the parents aware of this? Perhaps PTA meetings should discuss.
Not everyone grows up in such an idyllic environment where there is an active and engaged PTA or concerned parents who feel like they have a voice. Moreover the perceived need for security cameras is probably inversely proportional to places with active PTA groups (though maybe not). Either way, suggesting tech solutions is rearranging deck chairs on the Titanic.
> Either way, suggesting tech solutions is rearranging deck chairs on the Titanic.
My gripe will be the music they are playing whilst I am moving the deck chairs on the Titanic. Enough ragtime already. I will take some Moonlight Bay please [1].
Oh and to your point, of course there will be places that can't do this. They should be focusing on the proper disassembly, cleaning, lubricating and reassembly of their Hi-Points. Such schools should have mandatory handgun safety courses like the old days. Or current times for the Swiss [2].
Arguing over on-prem vs cloud misses the entire point. The architecture doesn't matter when the core requirement itself is just insane surveillance. We should be angry that our engineering is being weaponized to fulfill such a sick requirement in the first place.
IPv10 is a proposed, non-standardized Internet Protocol designed to bridge the gap between IPv4 and IPv6, enabling direct communication between them without complex NAT64/DNS64 translation. Proposed in IETF drafts, it relies on dual-stacked hosts (running both 4 and 6) to create a hybrid packet format, allowing seamless interoperability.
Could it be related to Netgear being manufactured in Vietnam, Thailand and Indonesia to avoid China tariffs and that somehow got them through an audit? I only ask if the overall unwritten goal is to avoid China.
> Could it be related to Netgear being manufactured in Vietnam, Thailand and Indonesia to avoid China tariffs and that somehow got them through an audit? I only ask if the overall unwritten goal is to avoid China.
> Pursuing activities antagonistic to [China] has become further paralyzed by Commerce Secretary Howard Lutnick ordering staff that they need his signoff for any China-related actions, people familiar with the matter said. As a result, even senior Commerce officials at times sit by his office waiting or outside the building, watching for his car. Officials at other agencies pursued a ban on a China-linked router maker by styling it as an order that doesn’t name the company or China.
> ...
> One such office had already determined that China-founded router company TP-Link and China-linked internet-connected trucks and buses pose national security risks. Officials thought vulnerabilities in their software could provide China access to spy on U.S. communications or access sensitive infrastructure.
> Interagency reviews had reached a similar conclusion about the risk of TP-Link and supported a ban. Staff had set in motion new rule-making to restrict U.S. sales of those products before they were put on hold and office leadership dismissed, according to officials familiar with the process.
> ...
> Supporters of a ban on TP-Link in March eked out a victory. The Federal Communications Commission announced a ban on new imports of all foreign-made routers, “regardless of the nationality of the producer,” a blanket prohibition that also accomplishes sidelining Chinese routers without naming the country or TP-Link. The new rule was designed in part to minimize disruptions to Trump’s relationship with Xi, people familiar with the matter said.
Read the fine print in your contract. Unlimited usually does not really mean unlimited but if you think it does then consult with a lawyer. Nobody on HN will be able to force your ISP to keep you connected even if they agree. A tech should have an ID badge but they can also disconnect from the telephone pole if they cannot access the property, it's just more hassle for them because they need the cable maintenance truck and they only have so many with the cherry picker lift.
If you wanted a technical answer it is probably something along the lines of: your neighborhood is probably over-subscribed on that laser group and/or the CMTS is probably really old and over-subscribed. Even if that were the case you would not be able to force them to upgrade anything as it would not be in your contract.
As pnw_throwaway said just get a seed box. It will cost you more money but will avoid the hassle and drama in the neighborhood.
I was more intrigued by the discrepancy of my account being in good standing and a random tech rep deciding to physically disconnect the line to my house. I do have two 1Gbps seedboxes through OneProvider and those are saturated 24/7. They transfer about 300TB a month each. Having the long-term storage for preservation at home was just a bonus.
Depending on how far you are physically from OneProvider another option may be to bring fast storage devices to them and transfer files onto them to bring home. Or you may be able to ship storage to them for that purpose. They may even have a solution to offload your data to something they can ship to you. It rarely hurts to ask. Others have probably asked before you.
As for the cable company there are worse user experiences and always will be by design. Even the latest DOCSIS standards won't help if the ISP is over-subscribed in the neighborhood and/or at their edge or if they have fired or lost all their good network engineers. It will be an endless battle with their users. Xfinity formerly Comcast formerly Excite@Home formerly a few other names have gone through similar growing pains.
If all else fails one may have the option to move to a neighborhood that has fiber vaults and hopefully a decent price on trenching it to the house, or that already has it preinstalled to the house. Even fiber providers will keep an eye on bandwidth hogs. Unlimited plans are never really unlimited. There is usually fine print. Get a contract in writing that allows you to saturate the link 24/7/365 and be ready for sticker shock. A few to several $k/mo.
I would be kind of concerned about what else was done when the cable was disconnected, such as connecting a sniffer and doing some back-and-forth packet inspection as the client reconnects and starts torrenting again.
They don't need to come on site to sniff your traffic. US law, and likely others, stipulate that the ISP is able to sniff traffic without a truck roll.
And when you sniff right at the customer's drop line, it's hard to expect someone to believe it's not the subscriber but some imposter forging packets and spoofing your IP.
It really isn't good press to, let's say, accuse subscribers of criminal involvement based on IP spoofs or hash collisions, so it's a good idea to chase it all the way down to the drop line, and any pwned boxes.
Just be aware any reasonable network will block this.
Russia blocked it for Cloudflare because the outer SNI was obviously just for ECH but that won't stop anyone from using generic or throw-away domains as the outer SNI. As for "reasonable" I don't quite follow. Only censorious countries or ISPs would do such a thing.
I can foresee firewall vendors possibly adding a category for known outer-SNI domains used for ECH but at some point that list would be quite cumbersome and may run into the same problems as blocking CDN IP addresses.
FWIW Nginx 1.30 [1] was just released and supports it so most distributions will have support as soon as those responsible for builds and testing builds push it forward.
"Nginx 1.30 incorporates all of the changes from the Nginx 1.29.x mainline branch to provide a lot of new functionality like Multipath TCP (MPTCP)."
"Nginx 1.30 also adds HTTP/2 to backend and Encrypted Client Hello (ECH), sticky sessions support for upstreams, and the default proxy HTTP version being set to HTTP/1.1 with Keep-Alive enabled."
But, in a personal/single website server, ECH does not really add privacy; adversaries can still observe the IP metadata and compare what's hosted there.
I don't quite follow. I have dozens of throw-away silly hobby domains. I can use any of them as the outer SNI. How is someone observing the traffic going to know the inner-SNI domain unless someone builds a massive database of all known inner+outer combinations, which can be changed on a whim? ECH requires DoH so unless the ISP has tricked the user into using their DoH end-point they can't see the HTTPS resource record.
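The exchange above turns on what the HTTPS resource record actually carries: the ECHConfigList in its "ech" parameter names the public_name that the client sends as the outer SNI, while the inner (real) name only ever appears inside the encrypted ClientHello. The Python below, added here as an illustration and not code from the original post, Nginx or any other project, decodes the wire form of an HTTPS record (SVCB RDATA) and the ECHConfigList inside it, following the structures in the ECH draft. The record bytes, the "throwaway-outer.example" public name, the 203.0.113.10 hint and the 32-byte "public key" are constructed filler for the demo, not a real deployment's values.

```python
"""Decode an HTTPS (SVCB) record and the ECHConfigList in its "ech" SvcParam.

Shows what an on-path observer can and cannot learn from ECH configuration:
public_name (outer SNI) and ipv4hint are in the clear; the inner name is not.
The sample record at the bottom is constructed for this example.
"""
import struct

SVCB_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
             4: "ipv4hint", 5: "ech", 6: "ipv6hint"}
ECH_VERSION = 0xFE0D          # version tag used by the current ECH drafts
KEM_X25519_HKDF_SHA256 = 0x0020
KDF_HKDF_SHA256, AEAD_AES_128_GCM = 0x0001, 0x0001


def _u8(buf, off):
    return buf[off], off + 1


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0], off + 2


def _vec(buf, off, len_bytes):
    """Read a TLS-style length-prefixed vector (1- or 2-byte length); reject truncation."""
    n, off = (_u8 if len_bytes == 1 else _u16)(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated vector")
    return buf[off:off + n], off + n


def _enc_vec(b, len_bytes):
    return struct.pack("!B" if len_bytes == 1 else "!H", len(b)) + b


def parse_ech_config_list(data):
    """Decode an ECHConfigList into one dict per ECHConfig (unknown versions are flagged)."""
    body, off = _vec(data, 0, 2)
    if off != len(data):
        raise ValueError("trailing bytes after ECHConfigList")
    configs, off = [], 0
    while off < len(body):
        version, off = _u16(body, off)
        contents, off = _vec(body, off, 2)          # ECHConfig.length + contents
        if version != ECH_VERSION:
            configs.append({"version": version, "unsupported": True})
            continue
        c = 0
        config_id, c = _u8(contents, c)              # HpkeKeyConfig
        kem_id, c = _u16(contents, c)
        public_key, c = _vec(contents, c, 2)
        suites_raw, c = _vec(contents, c, 2)
        if len(suites_raw) % 4:
            raise ValueError("cipher_suites is not a list of (kdf_id, aead_id) pairs")
        suites = [struct.unpack_from("!HH", suites_raw, i) for i in range(0, len(suites_raw), 4)]
        max_name_len, c = _u8(contents, c)
        public_name, c = _vec(contents, c, 1)        # this is the outer SNI
        extensions, c = _vec(contents, c, 2)
        if c != len(contents):
            raise ValueError("trailing bytes in ECHConfigContents")
        configs.append({"version": version, "config_id": config_id, "kem_id": kem_id,
                        "public_key": public_key, "cipher_suites": suites,
                        "maximum_name_length": max_name_len,
                        "public_name": public_name.decode("ascii"), "extensions": extensions})
    return configs


def _dns_name(buf, off):
    """Uncompressed wire-format name; "." means the record's own owner name."""
    labels = []
    while True:
        n, off = _u8(buf, off)
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed in SVCB TargetName")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) or ".", off


def parse_https_rdata(rdata):
    """Decode HTTPS RDATA: SvcPriority, TargetName, then strictly increasing SvcParams."""
    priority, off = _u16(rdata, 0)
    target, off = _dns_name(rdata, off)
    params, last_key = {}, -1
    while off < len(rdata):
        key, off = _u16(rdata, off)
        if key <= last_key:
            raise ValueError("SvcParamKeys must be strictly increasing")
        last_key = key
        value, off = _vec(rdata, off, 2)
        params[SVCB_KEYS.get(key, f"key{key}")] = value
    return {"priority": priority, "target": target, "params": params}


def outer_sni_for(rdata):
    """The name a client will put in the cleartext outer ClientHello, or None without ECH."""
    rr = parse_https_rdata(rdata)
    if "ech" not in rr["params"]:
        return None
    usable = [c for c in parse_ech_config_list(rr["params"]["ech"]) if not c.get("unsupported")]
    return usable[0]["public_name"] if usable else None


def build_ech_config_list(public_name, config_id, public_key):
    suites = struct.pack("!HH", KDF_HKDF_SHA256, AEAD_AES_128_GCM)
    contents = (struct.pack("!BH", config_id, KEM_X25519_HKDF_SHA256) + _enc_vec(public_key, 2)
                + _enc_vec(suites, 2) + struct.pack("!B", 64)
                + _enc_vec(public_name.encode("ascii"), 1) + _enc_vec(b"", 2))
    return _enc_vec(struct.pack("!H", ECH_VERSION) + _enc_vec(contents, 2), 2)


def build_https_rdata(ech_list, ipv4=bytes([203, 0, 113, 10])):
    """ServiceMode record: priority 1, TargetName ".", alpn, ipv4hint, optional ech."""
    alpn = b"".join(_enc_vec(a, 1) for a in (b"h2", b"http/1.1"))
    rdata = struct.pack("!H", 1) + b"\x00" + struct.pack("!H", 1) + _enc_vec(alpn, 2)
    rdata += struct.pack("!H", 4) + _enc_vec(ipv4, 2)
    if ech_list is not None:
        rdata += struct.pack("!H", 5) + _enc_vec(ech_list, 2)
    return rdata


# Constructed sample: filler key bytes, not a real X25519 public key.
SAMPLE_PUBLIC_KEY = bytes(range(0x20, 0x40))
SAMPLE_RDATA = build_https_rdata(build_ech_config_list("throwaway-outer.example", 7, SAMPLE_PUBLIC_KEY))

if __name__ == "__main__":
    rr = parse_https_rdata(SAMPLE_RDATA)
    print("outer SNI (visible):", outer_sni_for(SAMPLE_RDATA))
    print("ipv4hint (visible): ", ".".join(map(str, rr["params"]["ipv4hint"])))
```

Two things the decoder makes concrete for the thread: the record is fetched by querying the inner name (e.g. `hobby-site.example IN HTTPS`), so that lookup itself reveals the inner name to anyone who sees the DNS traffic unless it goes over DoH/DoT; and the ipv4hint or the A record still tells the observer which server the client is about to connect to, which is the separate point about single-tenant IPs raised further down in the thread.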
It's not that adversaries can directly see the domain name; this doesn't have anything to do with domain fronting. The issue is that ECH doesn't hide the server's IP address, so it's mostly useless for privacy if that IP address uniquely identifies that server. The situation where it helps is if the server shares that IP address with lots of other people, i.e., if it's behind a big cloud CDN that supports ECH (AFAIK that's currently just Cloudflare). But if that's the case, it doesn't matter whether Nginx or whatever other web server you run supports ECH, because your users' TLS negotiations aren't with that server, they're with Cloudflare.
I can't speak for anyone else but I think I can work around that by moving the site around to different VPS nodes from time to time. I get bored with my silly hobby sites all the time and nuke the VMs then fire them up later which gives them a new IP. I don't know what others might do if anything.
If I had a long running site I could do the same thing by having multiple front-end caching nodes using HAProxy or Nginx that come and go but I acknowledge others may not have the time to do that and most probably would not.
That's not quite it. The issue is that there's no other traffic bound to that IP - ECH doesn't buy you any security, because an observer doesn't even need to look at the content of the traffic to know where it's headed.
Maybe it will be more useful for outbound from Nginx or HAProxy to the origin server using ECH so the destination ISP has no idea what sites are on the origin, assuming that traffic is not passing over a VPN already.
Anyone who wants to track your users can just follow the IP changes as they occur in real time.
That's cool. I only make my own mini-CDNs.
There is always the option to put sites on a .onion domain but I don't host anything nearly exciting or controversial enough. For text that's probably a good option. I don't know if Tor is fast enough for binary or streaming sites yet. No idea how many here even know how to access a .onion site.
I will test out your theory and see if anyone bothers to track my IP addresses and does anything with them. I probably need to come up with something edgy that people would want to block. Ideas for something edgy?
Doesn't matter, I (not OP, but also operating VPS) still want to support this, so the clients can eventually assume all correctly configured servers support it.