PASSWORD REQUIREMENTS OF DEVICES

One of my pet peeves is when a device manufacturer decides to have a different password scheme than what I (the system admin) choose to use. I may have a few hundred cameras installed on a private network with no Internet access, all using the same password. Then I buy a new model camera and this device is going to require me to have another password, because they think that’s safer and better than what I designed. Either I change all of them to fit the new password, or I have to remember more than one password.

I get it. If someone is using the device on an open system, then having a really secure password is a great idea. But when I’m dealing with hundreds of cameras and need to tweak settings on them individually, AND they are all inaccessible by anyone else, then it is a bad idea. I’ve also encountered devices that expire passwords, because an engineer somewhere decided that would be a good idea. Except that some devices only get looked at every 5 to 10 years when IT decides to make a change to the network scheme. What could be a quick change becomes several more minutes per device because a gizmo is demanding that I change the password. That sometimes requires that I tell software to first allow the change, sign-in and make the forced change, change it back, disable password expiry (if possible), then return control to the software.

If someone can actually get inside and get to the system, then individual device passwords are the least of my worries.

SAMSUNG CAMERA SNV-L6013RN FATAL DESIGN FLAW

I was adjusting the view on a hallway security camera when it stopped functioning entirely. I couldn’t fathom how it would just stop. I had not harmed the cable or struck the camera in any way. What happened?

I removed the camera and took it apart. Even then the problem wasn’t immediately apparent. Then I noticed how the part I was moving hovers barely a millimeter above a bare circuit board with very tiny fragile parts. Sure enough, just rotating the round lens part caught on these tiny electronic parts and broke them off of the circuit board, destroying the camera!

What engineer thought this was a good design?! At least put a floor under the rotating part to protect the electronics.

HONEYWELL NetAXS NX4S1 AND TLS 1.0

One place I support has 32 NetAXS 4-door panels. These have always been quirky, but they have a rather major flaw: they only communicate with a browser that still allows TLS 1.0, a protocol version that has now been retired for security reasons. Honeywell has not announced any new firmware for these discontinued panels, and we are looking at around $64,000 to replace them with Honeywell’s only current option, the MPA2 panel (2-door). The irony is that we have a LOT of the much older N1000 and N1000-4X panels which are happily chugging along. These use a couple of add-on devices to talk to the network, and those devices do not require HTTPS, so they are still working fine behind the firewall.

The problem is that the site is changing IP range and I need to update each panel manually. The steps are:

  1. First use Winpak (Control Map) to enable web mode for each NetAXS panel,
  2. then connect to the panel’s IP address over https and set the panel into web mode,
  3. make the changes, and change back to WIN-PAK mode.
  4. Some panels have expired passwords, which adds another thing to do.

Using an old version of Firefox (78, portable), I can get a panel into web mode and make the changes. All modern browsers have dropped TLS 1.0, so my options are limited. Another way is to use IE 11 in compatibility mode (there is a Compatibility Mode option in settings; add the IP addresses of the panels to the list).

Honeywell SHOULD support its installed customer base by releasing updated firmware that fixes this issue. They could stop requiring TLS at all, or at least update to TLS 1.2. These panels function fine, so leaving us to hunt down old versions of browsers is rude. Leaving customers stranded like this is really not ok. And make a modern 4-door panel already!

DON’T PUT ALL YOUR BUSINESS EGGS IN ONE BASKET

Small businesses online are facing some new challenges. If you are thinking of starting an online presence, make sure you read the contracts of the online providers (website domain, storefront, payment processing) and don’t put all your eggs in one basket.

SHUTDOWNS
I’ve seen a few Etsy, Instagram, Shopify, and YouTube channels closed down recently, and online payment methods shut off. None of the items being sold are illegal or making medicinal claims. One was sewing related, another flower related, two related to legal mushrooms. The store owners complain that there was no notice and no appeal. Etsy explicitly states in their contract that “We may terminate or suspend your account (and any related accounts) and your access to the Services at any time, for any reason, and without advance notice. If we do so, it’s important to understand that you don’t have a contractual or legal right to continue to use our Services, for example, to sell or buy on our websites or mobile apps. Etsy may refuse service to anyone, at any time, for any reason.”

SUPPRESSION
Some are saying that despite previously having great results with their websites appearing in search engines, that now they have become suppressed and don’t even show up. Added to the rest of the apparent take-downs, this seems to indicate a behind-the-scenes agreement and suppression of communication about normal legal things that some don’t want legal, or even discussed educationally in social media. That is not ok in a free society. One seller says that based on her interactions in the forums with others who used to sell on these platforms that ANY claim of helping a condition (even shampoo for dry hair) will result in a takedown. That sounds (if accurate) like either the feds and/or pharma behind the changes. But with no announcements, no public disclosure, and contracts that let the platforms act with fiat, there is little hope of finding out who is behind it and what their motives are.

CONTRACT
With a contract like that, you cannot expect fair or kind behavior. Your business can be destroyed in a second by their whim, and it is important to note that YOU have set yourself up for failure. Last year a family business that had 10 years with Etsy and consistent 5-star ratings was suddenly closed and no appeal allowed. The apparent cause was getting 2 minor complaints in a month, and Etsy demands less than 1% dissatisfaction from customers. “Any time, for any reason”. But most people assume it would never happen to them.

PAYMENT METHODS SHUT OFF
Other businesses are finding that they can no longer use PayPal, and while they are not officially shut out, their customers get an odd looping prompt to “add a payment option”, when one or more already exist in PayPal. I have no speculation about this because there is so little on which to form an opinion. But the silent change gives plausible deniability to PayPal.

A standard business website, possibly with a 3rd party that processes the transactions for a fee is likely the best approach for protecting an online business.

DEPENDENCY
My point in writing is not to make Etsy and others change their policies. Their platform is their property. Dependency on these platforms is the problem, but finding a way to sell online that isn’t linked to them is more difficult, that is why so many use them. Autonomous business websites are a far better approach, but online sales are still often conducted with Paypal, Venmo, and even crypto. If those companies decide not to process the transaction (or in the case of crypto become carte blanche illegal by the feds deciding to “protect the public”), credit cards are the last method available usually. If even those companies decide not to process the transactions because they claim your company violated a rule and there is no appeal, what is to be done?

This link is to a story about the family business that was shut down without notice:
https://www.rexburgstandardjournal.com/family-struggles-when-etsy-shuts-down-their-10-year-old-business/article_45584f82-f642-54de-a6e2-f6f6753cdf2b.html

BOTS?
It is entirely possible that the businesses are being shut down by a computer algorithm. Those are far cheaper than hiring a human to make sensible decisions. But computers only do as instructed, even if the program is poorly written. The past month I’ve been watching stocks of high-value companies falling in a nosedive, leaving even experts puzzled as to what is driving the sell-off. My hunch is that it is driven by computer algorithms, nothing more. Another angle on it is that the nosedive is on purpose to create fear, to sink competition, and to increase control over the market. Those with many billions of dollars aren’t fazed by your retirement being vaporized. You mean nothing to them, or rather they do not place value on your well-being.

MALICIOUS?
Add to this that some third-party people really like to see you fail. It makes them feel powerful, and in a way they are. Sometimes taking a stand on anything on YouTube or Facebook will garner enemies, and they can issue complaints to Instagram and have you shut down with no appeal. They will follow you online with the goal of making life hell, and there is really no means of tracking them or preventing this. “As funny as it may seem, some folks get their kicks stomping on a dream”.

Link to one website owner talking about this:
https://www.youtube.com/watch?v=TbNVYjxeVHg

However, I did a very quick search for things like “shopify mushrooms”, “etsy chaga”, “etsy muscaria”, “etsy flint steel” “etsy jewelry” and found several active stores. So, I’m not yet sure what to make of the claims. I’m doing some followup and am still finding Etsy and Shopify stores that are selling the red fungus, survival foods, flint and steel kits for fire making, and jewelry. The takedowns don’t seem to be across the board (or maybe they haven’t reached these sites yet), but perhaps more targeted. I wonder if this is a form of hostile competition, or the stalker types causing trouble for certain folks by reporting them to the platforms. Thoughts?

Gasoline can hell

Since the new gasoline/petrol can rules came out, it has been nearly impossible to find a decent plastic gas can. The nozzles are so complicated now that dispensing gasoline typically gets fuel all over the place, thus increasing the hazard dramatically. I’ve heard that the new anti-explosion measures were put in place to help protect Darwin Award candidates who pour gasoline on fires.

I bought some replacement nozzles on Amazon to try and bypass these new gizmos, and they looked very promising. Fast-forward two months and the thin indented gaskets used on the nozzles soften in the presence of fuel, and tear when the nozzle is screwed too tightly onto the gas can, meaning the new nozzle will also dribble rather a lot of gasoline when used. The other problem is the gasket they use is indented to fit over the lip of the nozzle and the white anti-flame gizmo inside the nozzle. This weakens the gasket and lets it tear or twist when the collar is attached, making the seal break and lets gasoline leak.

I chose to remove the white part and replace the single indented gasket with two gaskets, one on either side of the black nozzle lip. This seals both areas that could leak gasoline.

I’ve read that nitrile is the best material for gasoline resistance, but I also bought a sheet of Fel-Pro rubberized cork gasket sheet and cut a couple of gaskets to try. (Cut to the chase: the Fel-Pro cut in 44mm OD 33mm ID works perfectly, but only tighten collar until it stops. Any further will deform the gasket.)

SIZES OF REPLACEMENT NOZZLE PARTS:
COLLAR THREAD DIAMETER IS 1 5/8 INCHES OR 41mm (40mm OD gasket is slightly undersized for the can-side gasket, it falls out when taking off the yellow collar. 41mm OD should stay in place.) Trough of thread is 44mm. This is important for sizing a gasket that will fit inside the threads and be held in place.


COLLAR LIP HOLE IS 1 5/16 INCHES OR 33.5mm (33mm ID gasket hole actually lets nozzle neck fit through the gasket easily while being held in place by the collar lip)

Some brands of gas can like Blitz use a pressure fit rounded plastic part instead of a flexible gasket. That seems to work better than the thin flexible gasket, but I’m hoping a thicker gasket of nitrile will fix the issue of leaks on the replacement nozzles. If not, I may be investing in an expensive metal “Jerry can”.

Here was the original can and spout, Scepter brand:

This is what I had after replacing the nozzle:

The Fel-Pro rubberized cork gaskets worked perfectly. I cut out two (very rough) gaskets and placed them on each side of the nozzle lip. One seals between the red tank and the nozzle, and the other between the nozzle and the yellow collar. The lip of the nozzle is sandwiched between the gaskets. At first I tightened down as hard as I could, thinking it would seal better, but that leaked a lot because the gasket became deformed. I then re-seated the gasket and tightened just until it stopped. No leaking at all! W00t! This may be true for the indented gasket that comes with the kit, but I haven’t tried this yet.

I tried to find a better and cleaner way to cut the material than scissors and a drill, but this worked. Just don’t leave any pieces that could come off into your gas tank. Metal dies in 41mm and 34mm are too spendy for the amount I would use them. Cheapest I found were Mayhew though they can cut both holes at the same time.

I did just try 41mm OD x 33mm ID x 4mm nitrile rings. Failed. So far the solution seems to be the Fel-Pro material, perhaps because it is flat it seals better. I can’t seem to find flat o-rings.

Honeywell MPA2 Card Access Panel

I install a lot of card access panels and card readers, and up until now have mostly used the Honeywell NetAXS panels. But they have an outdated method of initial configuration via a built-in web page that uses TLS 1.0. Modern browsers are going to discontinue support for this since it is considered a security risk. When I contacted Honeywell about fixing this with a firmware update they said that they are discontinuing support for these panels… Great.

So I purchased their newer (2019) MPA2 panel for a new project. It only supports 2 doors instead of 4, but is $1000 cheaper than the NetAXS panel. The actual circuit board is 1/3 to 1/2 the size of the NetAXS panel but comes with an enclosure that could possibly fit two circuit boards.

The MPA2 panel is peculiar in how they designed the connections for both readers and latches (and REX and other gizmos). Instead of screw terminals, they have RJ45 jacks and custom plugs with built-in screw terminals. I had to spend hours going over the installation manual to figure out how to even begin wiring a reader. I had to compare the previous NetAXS panel that had color coded terminals along with text description of each wire, and then decipher what Honeywell intended with the new connectors.

The same process applied to the door latch cabling. They couldn’t just make it obvious, I had to spend hours digging and comparing their CAT6 images with the 18/2 cabling I will be using for the latch. Below are pictures of what I found along with brief descriptions of the wiring. First the reader wiring and then the strike/latch wiring.

The image on the top left is from the NetAXS panel screw terminal for card readers. I took their image from the manual and added colors to the Wiegand section. The lower left shows the new connector with an RJ45 plug. But all the colors are for Ethernet cable. I suppose some readers probably have CAT6 connections, but the ones we use are still 18/6 cable. So I made the chart below to help guide me in the field. I also added a blurb about the latch/strike wiring in the upper right. But I include a picture of what I mean down below.

Below is a picture of the latch/strike wiring for door 1.1 (they label the two doors 1.1 and 1.2). They provide two ways of wiring the strike cable: a green push terminal, or the 2nd RJ45 jack from the left. Both are live at the same time, but you will probably use one or the other. If you use the RJ45 you may need to also use their odd RJ45 connector.

Barely visible on the green circuit board are the labels for the holes. I’m an old fart, so it took me a while to see those. But they seem to have got the NC on the left of the green connector incorrect. Or perhaps the jumpers to the right of the connector change that, I haven’t read that far. But the default from the factory is Normally Open on the bottom (I tested continuity). The black wire is in NC1 and the red in GND. I’d probably reverse those in real life, I just wanted a picture. (NOTE: This was just to activate a gate controller, so only continuity was needed. See the very last picture for a fully wired MPA2 panel with powered latches)

The odd RJ45 connector (shown above lower left) uses pins 4 and 8 for the relay. Using T568B color coding, those are the solid blue and solid brown wires in a CAT6 cable. There may be other choices but these were the ones I chose.

So there is my first foray into the Honeywell MPA2 panel and how to wire it. They abandoned the odd wall-wart power supply and include a new design inside of the metal enclosure. They also say that the board can be run via POE, but I have not yet tried that since the location for my panel is remote with no network switch.

UPDATE MAY 21 2022 – DEFECTIVE PANELS
I have had two MPA2 panels either break or be defective out of the box. The symptom is that Reader 1 on the left (RJ45) doesn’t work. The LEDs on the 1st and 4th RJ45 stay on either as yellow or green. Card reader may beep normally, but no relay reacts and Winpak does not get notified of the card read. I called Honeywell tech support and sent them a picture (they apparently had not seen this issue) and they declared the board to be defective. They told me to deal with the vendor from whom we bought the panel. Sadly, we bought the panels months before we installed them, so no warranty. $$$ for the vendor, bupkis for us.

UPDATE FEBRUARY 2022
Here is how I fully wired a new Honeywell MPA2 panel. Not super tidy, but wiring is simple. I’ve taken to just putting jumpers on the two tamper sensors to make it more tidy.

And here is a very basic drawing to help convey the logic of the latch wiring with external power. I don’t know why, but I have to work through the logic every time. The relays complete one half of the circuit. The other half is already complete (black wires in my panels).

UPDATE APRIL 2022

Today I finally understood how the relays relate to readers on the MPA2. Reader 1 opens Relay 1 (Output 1 in Winpak), which is normal. But Reader 2 opens Relay 2 (Output 7 in Winpak). Not Output 2, not 3, but 7. 7 is the default for Reader 2, so keep it. Here is a picture showing the relays. There are four relays, and most people would assume these would be 1, 2, 3, 4, but that is incorrect. They could have labeled them something consistent in the program, but they didn’t.

UPDATE 4-20-2022

One of my panels has been deemed defective by Honeywell support. I sent them a picture of the motherboard showing the RJ45 port for Reader 2. The LEDs are lit yellow constantly, even if the reader is unplugged. I did a factory reset and even updated to the latest firmware, but the LEDs stay lit. Other symptom is that the reader beeps normally but no events show in Winpak, and no relay gets energized. We are probably beyond the return date, so will keep this panel as a single-door panel, and just buy a new one. We had the panels for months before we were able to get Winpak working on a new server.

The combination of having Honeywell go from 4-door panels to 2-door, and then having Winpak be so damn picky about prerequisites has us looking for a different solution. We have a ton of embedded Honeywell panels, but if we find a better overall solution we hope to migrate away from Honeywell. The other negative feature of Winpak is the database size limit of SQL Express. We’ve hit the 10GB limit repeatedly in the past 5 years. We had hoped to use the full version of SQL server, but could not get any advice on making it work.

“Chestnut” mushrooms – not the same in USA vs UK

I am growing bags of what we call Chestnut mushrooms in the USA, and began looking for recipes. I kept finding a LOT of recipes that are for what we call Crimini mushrooms. Then I noticed that the recipes all came from the UK. Aha, the downfall of using “common names” for mushrooms. Over there, they call my kind of mushrooms Cinnamon Caps. Here are a couple of images (not mine, since mine have not yet fruited).

Crimini, Chestnut (UK, etc) – Agaricus bisporus, likes a manure-based substrate

Chestnut (USA), Cinnamon Cap – Pholiota adiposa, grows on wood

Two numbers sent when using iClass Wiegand cards

UPDATE 11/19/20: I issued a new card to one of the people having this issue. The problem continued, and the false number was THE SAME. This makes me wonder if it is somehow a corrupt database issue. I don’t see how else the same false number would follow him. I’ll assign yet another to the person and see what happens.

When certain HID iClass cards are used at certain HID iClass card readers, they yield two card numbers each time the card is beeped. This led to a bit of panic when a report made it look like terminated employees were trying to gain access to secure areas. But a more detailed report showed that the invalid cards were being read at exactly the same time as certain valid cards, and only after those particular valid cards. The numbers are consistently matched to certain cards.

However, the same valid cards presented to other HID iClass readers do not yield the secondary number. This makes me wonder if the readers are causing the issue through some quality control variance. I read that they process the card information through a “complex mathematical” formula before even sending the card data to the access panel, and reject the read if it fails a checksum. In this case, it is sending two numbers, the correct one and then immediately the 2nd number (and this is with “constant card reads” disabled on the panel).
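As an added illustration (an editor’s example, not code from the original post or from HID), here is the parity check that a Wiegand 26-bit reader or panel applies before accepting a read. The post does not name the card format, so the common 26-bit H10301 layout is assumed: an even-parity bit over the first 12 data bits, 8 bits of facility code, 16 bits of card number, and an odd-parity bit over the last 12 data bits. The point for this problem is that a single flipped bit is always caught, but a second, well-formed frame passes every check the panel can make, which is why the duplicate numbers have to be found in the event log rather than at the reader.

```python
# Wiegand 26-bit frame layout (HID H10301; assumed, the post does not name the format):
#   bit 0      even parity over bits 1-12
#   bits 1-8   facility code (8 bits)
#   bits 9-24  card number (16 bits)
#   bit 25     odd parity over bits 13-24
# Frames are lists of 0/1 in wire order (bit 0 is sent first).


def encode_w26(facility, card):
    """Build the 26-bit frame for a facility code and card number."""
    if not 0 <= facility <= 0xFF or not 0 <= card <= 0xFFFF:
        raise ValueError("facility must fit in 8 bits and card in 16 bits")
    body = (facility << 16) | card
    data = [(body >> (23 - i)) & 1 for i in range(24)]  # MSB first: frame bits 1..24
    even = sum(data[:12]) % 2        # makes frame bits 0..12 contain an even number of ones
    odd = 1 - (sum(data[12:]) % 2)   # makes frame bits 13..25 contain an odd number of ones
    return [even] + data + [odd]


def decode_w26(frame):
    """Return (facility, card), or None if the frame fails length or parity checks."""
    if len(frame) != 26:
        return None
    if sum(frame[:13]) % 2 != 0:     # leading half must have even parity
        return None
    if sum(frame[13:]) % 2 != 1:     # trailing half must have odd parity
        return None
    body = 0
    for bit in frame[1:25]:
        body = (body << 1) | bit
    return body >> 16, body & 0xFFFF


def flip(frame, *positions):
    """Copy of the frame with the given bit positions inverted (simulated line noise)."""
    out = list(frame)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    good = encode_w26(42, 36812)          # constructed facility code and card number
    print("clean frame decodes to", decode_w26(good))
    print("one flipped bit decodes to", decode_w26(flip(good, 5)))       # None: parity fails
    print("two flipped bits decode to", decode_w26(flip(good, 3, 5)))    # wrong but accepted
```

Each bit of the frame sits in exactly one of the two parity groups, so any single-bit error trips a check. Two errors in the same half cancel out, and an entirely separate frame emitted by the reader is simply valid: parity tells the panel nothing about whether the reader should have sent it.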

Valid card   Second (false) number
36812        36100
30364        36100
31468        37393
30931        24836
34853        30629
35514        36533
30981        45975

I found it curious that two cards produce the same false secondary number.

I also found that Linear Wiegand remotes and receivers that are not iClass and from a different manufacturer are also producing two “card” numbers, except that the false number is sent first consistently.

WHY IS THIS A PROBLEM?
There are a couple of worrisome issues with this false number generation.
1) If the 2nd number is a real card, it makes it look like that card is trying to gain access to a secure area outside of its assigned permissions.

2) If an invalid card has a secondary false number that happens to be valid for that reader, the access panel will likely unlock the door for the false number. I have not yet verified this, but it seems possible.
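Here is the kind of “more detailed report” described above, written as a small Python script (an added example, not code from the original post or from WIN-PAK). It reads a constructed CSV export (the column names time, reader, card, result and the card roster are assumptions; real exports will differ), pairs reads that hit the same reader in the same second, counts how consistently each pairing recurs, and flags both problems listed above: a false number that is itself an issued card, and a false number shared by several valid cards.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample export, not data from any real panel. The leading/false
# pairs mirror the table in the post; 24836 is deliberately put on the roster
# to show the "false number happens to be a real card" case.
SAMPLE_LOG = """\
time,reader,card,result
2020-11-18 08:02:13,Reader 3,36812,Granted
2020-11-18 08:02:13,Reader 3,36100,Denied
2020-11-18 08:05:40,Reader 3,30364,Granted
2020-11-18 08:05:40,Reader 3,36100,Denied
2020-11-18 08:07:02,Reader 1,30364,Granted
2020-11-18 09:11:55,Reader 3,31468,Granted
2020-11-18 09:11:55,Reader 3,37393,Denied
2020-11-18 12:30:01,Reader 3,36812,Granted
2020-11-18 12:30:01,Reader 3,36100,Denied
2020-11-18 13:14:20,Reader 3,30931,Granted
2020-11-18 13:14:20,Reader 3,24836,Granted
2020-11-18 14:00:09,Reader 2,40001,Denied
"""

# Constructed roster of issued credentials (assumption: you export this from the access software).
KNOWN_CARDS = {36812, 30364, 31468, 30931, 24836, 34853, 35514, 30981}


def find_phantom_reads(log_text, known_cards):
    """Pair up consecutive reads at the same reader in the same second.

    Returns one record per (leading card, trailing card) pair, with how often
    it recurred, which readers it was seen on, and whether the trailing number
    is itself an issued credential (problem 1 and 2 in the post).
    """
    rows = list(csv.DictReader(StringIO(log_text)))
    occurrences = Counter()
    readers = defaultdict(set)
    for first, second in zip(rows, rows[1:]):
        same_moment = (first["time"], first["reader"]) == (second["time"], second["reader"])
        if not same_moment or first["card"] == second["card"]:
            continue
        key = (int(first["card"]), int(second["card"]))
        occurrences[key] += 1
        readers[key].add(first["reader"])
    return [
        {
            "leading": leading,
            "trailing": trailing,
            "occurrences": count,
            "readers": sorted(readers[(leading, trailing)]),
            "trailing_is_known_card": trailing in known_cards,
        }
        for (leading, trailing), count in sorted(occurrences.items())
    ]


def shared_trailing_numbers(findings):
    """False numbers that follow more than one distinct leading card."""
    per_trailing = Counter(f["trailing"] for f in findings)
    return {t for t, n in per_trailing.items() if n > 1}


if __name__ == "__main__":
    results = find_phantom_reads(SAMPLE_LOG, KNOWN_CARDS)
    for f in results:
        flag = "  <-- false number matches an issued card" if f["trailing_is_known_card"] else ""
        print(f"{f['leading']} -> {f['trailing']} x{f['occurrences']} on {', '.join(f['readers'])}{flag}")
    print("false numbers shared by several cards:", sorted(shared_trailing_numbers(results)))
```

Run against a real export, the pairs that recur with the same leading card at the same reader are the reader-generated phantoms; a number that only ever appears as a trailing read and never on its own is not someone at the door. The Linear remotes described above send the false number first, so for those receivers the roles of leading and trailing are simply swapped.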

ROKU Doesn’t See Amazon Prime Subscriptions (and the fix)

I went through an angry tirade today trying to get Britbox to show up on my Roku device so the wife could continue watching the Father Brown mysteries. At first I was told we had it through Comcast, so I went to see if it had been dropped. They didn’t have it as an offering.

Then I was told it was on Amazon Prime, and that we had a subscription. But when I’d bring up Prime Video on my Roku, it kept saying we could watch Father Brown if we subscribed… So I went online with my computer and looked at our Amazon subscriptions, and there was Britbox. But the Roku didn’t see it.

Long story short, I signed out of Prime Video on the Roku, signed back in, it gave me a code to type in on my computer, did so, and then the subscription appeared on the Roku device’s connection to Prime Video.

It had a live Internet connection, so none of that should have been needed, but that’s how I got it working.

NetAXS panels, updating from old firmware

I support several Honeywell NetAXS panels, and recently discovered that with the latest firmware (2017), there is a significant boost in speed when doing a full initialization of the panel. We had previously elected to not upgrade panels because we didn’t see any added functionality.

Recently I found some of our panels had pretty old firmware, version 3.4.3. The latest is 3.6.25. But on the panels with old firmware, although I could log into the panel, the menu on the left was non-functional. No mouse clicks were recognized. That meant I could not get to the section where I can update the firmware. I tried older browsers, and three different browsers (IE, Chrome, and Firefox). All had the same result.
[image: 1_screen menu]

[NOTE: Firefox 78 works the fastest by far. Support will tell you to use Chrome, but it can take 10 minutes between clicks! NetAXS panels use an outdated and insecure Transport Layer Security 1.0 or 1.1. All browsers and even Windows are going to stop supporting or allowing connections using this. For now, we can still log into the panels. Hopefully Honeywell will not abandon their customers, and will give a new firmware with updated modern TLS. A faster processor and gigabit Ethernet would be damn nice as well.]
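Before committing to replacing or re-flashing panels, it helps to know which devices on the network will only negotiate TLS 1.0 (this applies both to the HONEYWELL NetAXS NX4S1 AND TLS 1.0 section above and to this note). The following Python script is an added example, not code from the original post or from Honeywell: it attempts one handshake per TLS version against each address in a constructed inventory list (the 192.0.2.x addresses are placeholders) and labels the device. It disables certificate verification because the point is protocol support, not trust, and it lowers OpenSSL’s security level for the TLS 1.0/1.1 attempts only, since OpenSSL 3 otherwise refuses those versions outright.

```python
import socket
import ssl

# Constructed inventory: placeholder addresses, replace with your panel list.
PANELS = ["192.0.2.10", "192.0.2.11"]

# Label -> the single TLS version to pin for one handshake attempt.
TLS_VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def _context_for(version):
    """Client context that negotiates exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Embedded panels ship self-signed certificates; we probe protocol support, not trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        # OpenSSL 3 rejects TLS 1.0/1.1 at its default security level; relax it for the probe.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def handshake_ok(host, version, port=443, timeout=5.0):
    """True if the host completes a handshake at exactly this TLS version."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with _context_for(version).wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe(host):
    """Map each TLS label to whether the host accepted it."""
    return {label: handshake_ok(host, version) for label, version in TLS_VERSIONS.items()}


def classify(results):
    """Turn a probe result into an inventory label for the spreadsheet."""
    supported = [label for label, ok in results.items() if ok]
    legacy = [label for label in supported if label in ("TLS 1.0", "TLS 1.1")]
    modern = [label for label in supported if label in ("TLS 1.2", "TLS 1.3")]
    if not supported:
        return "no TLS handshake"
    if not modern:
        return "legacy only: " + ", ".join(legacy)
    if legacy:
        return "modern TLS available, legacy still enabled: " + ", ".join(supported)
    return "modern only: " + ", ".join(modern)


if __name__ == "__main__":
    for host in PANELS:
        print(f"{host}: {classify(probe(host))}")
```

A panel that comes back as “legacy only: TLS 1.0” is one that will stop being reachable from stock browsers; anything reporting modern versions can be left alone. A device that ignores the probe entirely is either not listening on 443 or is one of the N1000-style units that never spoke HTTPS.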

I was going to call Honeywell support about it, but then I recalled seeing direct URLs display when I was working on a panel with the latest firmware. If I go to the system section and hover over the tab for Host/Loop, at the bottom of the screen a URL displays the direct link to that tab! I wrote down all the direct links I would need and went back to the older panels.
[image: 2_tab url bottom]

[image: 3_inspect users]

They worked! I was able to get directly to the tabs I needed in order to put the panel into Web Mode, “download” the new firmware (and OS file if needed), and update the password.

Here are the links:

https://IP ADDRESS OF PANEL/ns4/sysconfig_pci.htm (Host/Loop)

https://IP ADDRESS OF PANEL/ns4/sysconfig_general.htm (General tab)

https://IP ADDRESS OF PANEL/ns4/upload.htm (File Management)

https://IP ADDRESS OF PANEL/ns4/sysconfig_net.htm (Network settings)

https://IP ADDRESS OF PANEL/ns4/user_config.htm (User passwords)

https://IP ADDRESS OF PANEL/ns4/sysconfig_sslcertificate.htm (SSL)

When updating the firmware, the reboot cycle takes a LOT longer than a normal reboot. Give it a good 20 minutes to come back to run mode.

When the new firmware loads, it will prompt you for a new password when you log in. You can set it back to whatever you like if you go to Users, click on the user in the table, type in the password and click the Modify button.

Then you’ll need to set the panel back to WinPak mode, assuming you use a server to update your panels.

NOTE: If you can’t figure out the password to the panel, you can reset the panel if you have physical access. This only wipes the password, not the IP address you assigned it. I’m not sure why they did it that way, because if you didn’t know the exact IP, you may not be able to log in. To reset the panel, set all of the DIP switches to OFF and then power-cycle the panel (pull the AC and the backup battery).