Anonymous Traffic Survey Cameras

Manual Traffic Surveys

Many people in the UK may be familiar with seeing groups of people, or sometimes a parked vehicle, clearly displaying a sign saying ‘Traffic Survey.’ These people are employed to keep a tally of the number of vehicles using a road, and the types of vehicles. This information is important for planning infrastructure, helping more efficient provision of transport capacity for cars, trucks/lorries and buses.

Pressure Sensors

Pressure-sensitive Traffic Data Collection System (from www.surveymarketing.co.uk)

Many will also have seen temporary pressure sensors across roads, linked to a data collection box attached to a street lamp. This system also provides useful data on the number of vehicles using a road.

By using two pressure sensors, it’s possible to record the numbers of vehicles passing in two directions fairly accurately. However, there may be some inaccuracies when vehicles pass simultaneously or almost simultaneously. A 15-minute time period may have an inaccuracy of 10% (http://www.windmill.co.uk/vehicle-sensing.html). For roads with more than two lanes, accuracy would be even lower and the system probably wouldn’t be feasible.

Electronic Sensors

Piezoelectric Sensor Dug into Road

There are also electronic solutions dug into roads, which I’ve noticed on approaches to traffic lights. These may be used to alter the timings of traffic lights depending on traffic, and it seems they could also be used for traffic survey data collection. You may have noticed traffic lights changing as you approach them, and a system like this may be detecting the mechanical energy of your vehicle passing over sensors. I expect there are also magnetic versions of these sensors that sense the metallic body of a vehicle. Sometimes motorcycles in the US do not trigger these systems at automated intersections, causing problems, and some state laws allow vehicles to pass if a sensor fails to detect a vehicle’s presence.

Video Surveys

Scout Polemount Traffic Survey Camera

I’ve noticed what seems like a new technology recently, with a video camera mounted on a street light and a data collection box attached to it. After researching it, these are video cameras that record conventional HD video for a period of 3 to 7 days. The model I saw in use also has advanced features like remote management and event alerts sent via mobile cellular networks (LTE), allowing settings to be changed and notifications of problems without having to travel back to where the unit is deployed.

Computer Vision (CV)

I expect computer vision techniques (e.g. OpenCV) are later used to analyse the numbers and types of vehicles passing:

Anonymity and Privacy

I expect there are strict rules in place to prevent ANPR (Automatic Number Plate Recognition) being used, as this may violate the privacy of drivers. However, if there are not, I expect travel time surveys could be made by calculating how long a commute takes for individual drivers, and how they change over time. Perhaps if this was calculated anonymously, it would be a usable technique.

While there have been companies that have monitored cellphones with Bluetooth and Wi-Fi serial numbers, often the general public have expressed concerns over privacy. An example hardware provider for this is http://www.libelium.com.

In conclusion, I found it interesting to research what these cameras and other equipment I see are used for, and expect it is an interesting field analysing the recorded video footage for traffic data.

Cyber Security is the Theme of 2017

There have been many high profile major cyber security incidents this year, including:

There are many best practices which were obviously ignored, allowing these breaches. Equifax’s breach was caused by a months-old software patch to Apache Struts not being applied.

While there is a cost to implementing these security patches, in 2018 I hope to see decision makers put more weight on cyber security as they see the true cost of these breaches. The Apache Struts / Equifax incident for example may have required recompiling all web applications and a maintenance window lasting a few hours, but this would be value for money compared to the total cost of the breach.

I’ve implemented and improved cyber security practices in a number of ways including:

  • Automating operating system and software patch deployments on a Windows domain using ManageEngine Desktop Central, and implementing auditing to verify and report on failed patches.
  • Having a thorough knowledge of the technologies I use when developing web applications, allowing me to implement them securely. For example, by taking the time to learn how session authentication cookies work at a deep level, I am able to ensure my applications are secure. There are of course many more levels than authentication to secure.
  • Advising local businesses when I see an insecure WiFi connection. Recently I saw a retail establishment offering free WiFi, and this network allowed access to a substantial HVAC system with a default username and password.
  • Advising on the use of an encrypted VPN when travelling and using unsecured WiFi connections, to prevent packet sniffing and Man in the Middle attacks.

While it can be argued that nothing in such a connected world can be 100% secure, professional knowledge and business decisions in the field of cyber security are becoming increasingly important.

Page Speed Load Time Optimizations

Here are a few important ways to speed up page loading times, together with the improved recorded times for comparison on a typical WordPress web site. While WordPress is hardly an optimized web application, it does benefit from the same speedup methods as most web applications.

I used Google Chrome Developer Tools to time network transfers and page load times. There are various web-based tools available as well:

Initial speed — 1.412 sec (TTFB 0.12 sec)

This was the speed on a fresh install of a WordPress web site on a small VPS running Nginx and PHP-FPM.

Enabling GZip compression — 1.326 sec (TTFB 0.13 sec)

Using compression on network transfers can greatly reduce file sizes, especially for text-based files such as HTML, CSS and JavaScript. The CPU overhead on modern servers is negligible, and the compressed output can be cached if required.

PHP Opcode cache — 1.299 sec (TTFB 0.124 sec)

PHP scripts are typically compiled to bytecode on demand. By caching this compiled bytecode with OPcache or APC, page load times and server load can be significantly reduced. APC also included a fast key/value cache, which has now been replaced by APCu.

WordPress Cache — 0.733 sec (TTFB 0.122 sec)

There are many WordPress cache plugins available, which reduce the amount of PHP code that has to be run on every request. Some caches can generate flat files, which are significantly faster, and can be served directly by Nginx.

Nginx FastCGI Cache — 0.731 sec (TTFB 0.119 sec)

Nginx is able to use a fast memory/disk cache to cache requests to PHP-FPM, further reducing page load times and server load. This can be very beneficial on web sites with high load.

There are many other ways to speed up page load times, including dependency concatenation and minification, and image optimization. It is also important to optimize client-side JavaScript to allow the user’s web browser to display content quickly.

AnyCast DNS

An initial visit to a web site requires a DNS lookup. Traditionally DNS has no way to send requests to the geographically closest server, but this is possible with AnyCast DNS. This feature is available on many providers including Amazon’s Route 53, Google’s Cloud Platform and Microsoft Azure. It functions by allowing multiple servers distributed throughout the world to have the same IP address.

By using AnyCast DNS, I was able to reduce an initial DNS request from 93 milliseconds to 18 milliseconds. Combined with having an optimized web server geographically close, even an initial visit to a web page can be displayed instantaneously.

Before AnycastDNS
After AnycastDNS

Conclusion

Subtracting the round trip time to the server of 0.116 seconds, these optimizations reduced the effective Time To First Byte to 3 milliseconds. On a busy server, these optimizations will make a significant difference to the capacity of the server.


SSL/HTTPS Mixed Content Warnings — How to Automatically Report Errors

The general push to use SSL/HTTPS for every web site is improving security and privacy on the Internet. However, every request a web site makes will need to be secure, or browsers can remove the ‘Secure’ indicator, show a warning symbol, and sometimes pop up errors.

You can add a simple header that will tell browsers to report back to your server if any insecure requests are made. I combined this with a simple PHP script that logs to the server’s error log. This alerts me to sites I host and develop that have insecure content, so I can fix them.

Step 1 — Add the Content Security Policy reporting header

add_header Content-Security-Policy-Report-Only "report-uri /csp-report-endpoint.php";

Step 2 — Add PHP Script

Add this simple PHP script as csp-report-endpoint.php:

<?php
// Write the JSON violation report the browser POSTs to the report-uri into the server's error log
error_log(file_get_contents("php://input"));

Now, when a site attempts to load an insecure resource, you will get a message in your error log, and you can use this information to fix your site.
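The browser POSTs the violation as a JSON body with a single csp-report object. As an added example (not the post's own script), this Python parser validates such a body, flags the mixed-content case the post is about (an https document fetching a plain-http resource), and builds a log line with control characters stripped so a report cannot inject fake lines into the error log; the sample report is constructed, and the field names are the standard report-uri ones.

```python
import json
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample of the JSON body a browser POSTs to the report-uri.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://www.example.com/page.html",
        "referrer": "",
        "violated-directive": "img-src",
        "effective-directive": "img-src",
        "original-policy": "default-src https:; report-uri /csp-report-endpoint.php",
        "blocked-uri": "http://cdn.example.net/logo.png",
        "status-code": 200,
    }
})

FIELDS = ("document-uri", "blocked-uri", "violated-directive", "effective-directive")


def parse_csp_report(body: str, max_bytes: int = 16384) -> Optional[Dict[str, str]]:
    """Validate a report-uri POST body; return the inner report fields or None."""
    if len(body) > max_bytes:          # reject oversized bodies before parsing
        return None
    try:
        outer = json.loads(body)
    except ValueError:
        return None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        return None
    # Browsers may omit fields; normalise everything to strings for logging.
    return {k: str(report.get(k, "")) for k in FIELDS}


def is_mixed_content(report: Dict[str, str]) -> bool:
    """True when an https document tried to fetch a plain-http subresource."""
    doc = urlsplit(report["document-uri"])
    blocked = urlsplit(report["blocked-uri"])   # 'inline', 'eval' etc. have no scheme
    return doc.scheme == "https" and blocked.scheme == "http"


def log_line(report: Dict[str, str]) -> str:
    """One-line error-log entry; non-printable characters are dropped."""
    clean = {k: "".join(ch for ch in v if ch.isprintable()) for k, v in report.items()}
    tag = "MIXED-CONTENT" if is_mixed_content(clean) else "CSP"
    directive = clean["effective-directive"] or clean["violated-directive"]
    return f"{tag} doc={clean['document-uri']} blocked={clean['blocked-uri']} directive={directive}"
```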

How to watch the NTU Falcon Cam on PC, Mac, iOS and Android

Like many people I enjoy watching the live streaming cameras set up at Nottingham Trent University which show live footage of a family of peregrine falcons.

Unfortunately the university streams as RTMP, which generally requires Flash to stream in a web browser. As Flash is now generally disabled on browsers like Mozilla Firefox and Google Chrome, I’ve noticed many people having problems watching the cameras, so I wrote this short guide on a way to play the cameras:

For PC and Mac

  1. Download and install VLC Player
  2. Download this file (right click and Save As): https://www.jonhassall.com/downloads/ntufalconcams.m3u
  3. Open VLC Player, Media -> Open File, and open the file you downloaded
  4. Press the track skip buttons to change cameras

For Android smartphone

  1. Install the VLC Player app from Google Play
  2. Open the VLC Player app
  3. Press ‘Open MRL’ from the left menu, and type:
    https://www.jonhassall.com/downloads/ntufalconcams.m3u
  4. I find it can take a good 30 seconds for the stream to open. Play controls appear if you swipe up from the bottom of the screen. It isn’t very intuitive

iPhone/iPad

  1. Install the VLC for Mobile app from the App Store
  2. Open the VLC Player app
  3. Press ‘Network Stream’ from the left menu
  4. Type this URL into the box at the top:
    https://www.jonhassall.com/downloads/ntufalconcams.m3u
  5. Press ‘Open Network Stream’
  6. Press ‘ntufalconcams.m3u’ which should now be added to the list
  7. The camera streams should now show. It can take 30 seconds to start. Use the track skip buttons to change between the three cameras.


Hopefully in the future NTU will either stream directly to an HTML5 compatible format, or set up a live streaming conversion server.

Hope this helps people enjoy watching the falcons.


Improving SSL/HTTPS Security to an A+

These simple steps can improve your Qualys SSL Report to an A+:

Step 1: Getting my initial report (B):

You can get a Qualys SSL Report on any site. My rating started as a B with a reasonably good setup:

Step 2: Improving Ciphers List

SSLv2 is insecure, so it needed to be disabled, and SSLv3 also needed to be disabled because TLS 1.0 suffers from a downgrade attack, allowing an attacker to force a fallback to SSLv3 and so defeat forward secrecy. I updated my nginx config to use:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

I opted to configure this in the main nginx.conf file, rather than in each domain, as I saw no reason I would make individual changes on a per-domain basis.

I also enabled ssl_prefer_server_ciphers and ssl_session_cache:

ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

And used this cipher suite which maintains maximum backwards compatibility. Although I’m using SNI, which isn’t supported by IE6, I prefer my sites to be as backwards compatible as possible.

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";


I retested the site, and it improved to an A rating:

Step 3: Diffie Hellman Ephemeral Parameters

Diffie-Hellman ensures that pre-master keys cannot be intercepted by Man In The Middle attacks, and it is easy to enable in Nginx.

First generate stronger DHE parameters. Be prepared to wait around 15 minutes for OpenSSL to generate this file:

cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

Then configure Nginx to use it:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

On retesting, I achieved the A+ grade!

Step 4: Add a DNS CAA record

The Certification Authority Authorization (CAA) DNS record allows you to use your DNS records as a mechanism to whitelist the certificate authorities that are allowed to issue certificates for your hostnames.

To implement this, I had to change from Amazon AWS Route 53 to Google Cloud DNS, as AWS shamefully doesn’t provide CAA support.

I use Let’s Encrypt, and added this DNS record:

0 issue "letsencrypt.org"

Currently this is optional, but it will be mandatory from September 2017.

Step 5: Add HTTP Strict Transport Security (HSTS) Header

A header can be sent from your server which will inform browsers to only make HTTPS requests. Browsers will no longer make HTTP requests until the header expires. This has two main benefits: a spoofed site without your SSL certificate will not be effective, and subsequent visits to your site will go straight to your HTTPS version without a redirect, making page loading faster.

Be sure to use a low expiry time while developing your site, as once a browser caches the header, it is not possible to clear it. Once you’ve sent this header, expect your site to be HTTPS in the long term, with no going back.

add_header Strict-Transport-Security "max-age=31536000; preload" always;

For development, use this shorter time:

add_header Strict-Transport-Security "max-age=360;" always;

There is a push for browsers to ship a preloaded list of HTTPS/HSTS-enabled sites, but the strict submission requirements involve several sub-domain redirects, which in my opinion would reduce overall performance. I don’t see the harm in still sending the ‘preload’ parameter.
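As an added example (not part of the post), this Python checker parses a Strict-Transport-Security value and reports what would stop the preload list accepting it: the list requires includeSubDomains as well as the preload directive and a max-age of at least one year (31536000, assumed here to be the current hstspreload.org minimum), so the production header above would be accepted by browsers but not by the list. It also recognises the max-age=0 form RFC 6797 defines for withdrawing the policy, and tolerates the trailing ';' in the development header.

```python
from typing import Dict, List

PRELOAD_MIN_MAX_AGE = 31536000  # one year; assumed current preload-list minimum


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:              # tolerate a trailing ';' as in "max-age=360;"
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value: str) -> List[str]:
    """Return findings for the header; an empty list means preload-eligible."""
    d = parse_hsts(value)
    findings: List[str] = []
    if not d.get("max-age", "").isdigit():
        # Without a numeric max-age the header is invalid and browsers ignore it
        return ["max-age missing or not a number; browsers ignore the header"]
    max_age = int(d["max-age"])
    if max_age == 0:
        # RFC 6797: max-age=0 tells the browser to forget the host
        findings.append("max-age=0 withdraws the policy; fine for rollback, not for production")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is below the {PRELOAD_MIN_MAX_AGE}s preload minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; required by the preload list")
    if "preload" not in d:
        findings.append("preload directive missing; the preload list will not accept the site")
    return findings
```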


Further reading:

Jonathan Hassall