Anyone tried Security Camera Warehouse (SCW) NVRs and Cameras?

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
> but why would I want to do this? Now my PC is insecure.

Ah, but you would not open the PC to the internet. There is something called a VPN; in fact your website recommends it, despite also providing instructions for port forwarding. It's amazing how little you know. Please see the wiki section of this forum for instructions on securing your network. This way you can properly guide your customers.
The saddest part of this comment is, we all know that NVRs are not secure and are always being hacked. The manufacturers are slow to provide updates. Yet you claim that Windows is not secure. Tell you what, you can update your Windows machine at YOUR leisure because MS is always providing timely patches; you CANNOT update YOUR NVRs because you are dependent on Uniview for updates. So your logic is, my unit is more secure because we don't have updates available?
 

mnederlanden

Young grasshopper
Joined
May 28, 2019
Messages
32
Reaction score
0
Location
USA
> we all know that NVRs are not secure and are always being hacked.

This is a pretty common claim that isn't accurate: here's a guide we wrote on NVR vs Camera hacks when someone else made a claim pretty similar to this one.

The major hacks on the news have been camera not NVR hacks: BASHLITE malware turning millions of Linux Based IoT Devices into DDoS botnet, https://www.washingtonpost.com/business/economy/years-after-regulatory-crackdown-some-security-cameras-still-open-to-hackers/2017/11/14/b15f8428-c980-11e7-8321-481fd63f174d_story.html?utm_term=.26bc81db5186, A Massive Number Of IoT Cameras Are Hackable -- And Now The Next Web Crisis Looms, Hackers Infect Army of Cameras, DVRs for Massive Internet Attacks, How 1.5 Million Connected Cameras Were Hijacked to Make an Unprecedented Botnet, Thousands of hacked CCTV devices used in DDoS attacks

This is why we suggest using the NVR's airgap for the cameras and only letting the single NVR be on the main network.

> don't have updates available?

No, we don't have updates available for download. The updates happen through the cloud directly to the camera/NVR. You don't have to download anything.

> you CANNOT update YOUR NVRs

Do you write your own firmware for your products? At least SCW's products aren't on the NDAA ban list...
 

fenderman

Now we know you're full of crap. The NVR is just as susceptible to getting hacked as the cameras. Not sure why you make up this information about an air gap, which is meaningless and ineffective. It's appalling that you give this type of dangerous advice to your customers.
You completely missed the point about the firmware: it doesn't matter how it's installed, the point is it's only available when the manufacturer decides to make it available, which is few and far between and slow to respond to real-world threats. It is well known that IP Cam Talk cameras are Hikvision, and just like you don't make your own firmware and are wholly reliant on Uniview, the same applies with Hikvision. The difference is that you're not honest with your customers about the threats and dangers, which is very sad. You are a threat to their network security.
 

mnederlanden

So, the speed of your response shows that you didn't read the link I shared. If you had, you would have seen that we do share that info in the section called
"NVRs are Hacked Far Less Frequently."
 

fenderman

You misjudge my capability to read English. Far less frequently is a meaningless term and useless. Once again this proves what a danger you are to your customers' network security. Shameful.
 

mnederlanden

You're pretty quick on the insults and pretty short on the explanation. Do you mind providing an explanation of what you think we're doing that is so "shameful"?

Here's what we do:
1. Cirrus won't make it so that you have to open ports or VPN, soon. (Not the next release, which will be out this week - multi-monitor support, Adobe-style window UIs, dark mode for Mac, officially on the Windows + Mac app stores -- but the one we are scheduled to work on thereafter). It'll just work without setup at all.
2. We set up VPNs if the client wants us to. We recommend VPNs for corporate networks or anywhere where intellectual property might be exchanged or created.
3. We let home users choose to open ports, if they want to just do something easy to maintain. A large number of our home user clients don't have the technical expertise to set up, maintain, or use a VPN.
4. We manage the risk by choosing our partners carefully. The risk is very low since we have selected partners without known vulnerabilities or major histories of hacks: see Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits and Uniview Recorder Backdoor Examined and the update. That's a pretty good track record.
5. We never even carried the NVR-201E, opting for the more expensive, more capable, and more advanced product line so...
6. If you don't want to open ports or set up a VPN, we can still set your NVR to be able to send alerts, it can still be able to use our Snapshot email feature, which sends out emails with thumbnails, and our Snapshot FTP feature, which uploads video to an FTP server on analytics event or motion.
 

fenderman

When you lie here about network security you will be shamed. You deliberately posted the air gap nonsense. That is shameful.

You admit to having no issue with port forwarding for your users. Shameful and quite scary.
 

mnederlanden

Again, lots of claims with very little proof. Why are air gaps nonsense? Why should I be afraid of port forwarding a product with no known vulnerabilities and no history of hacking?
 

mnederlanden

Right, but we have a very active support team and we control our own DNS. When a Hikvision vulnerability was discovered in 2015, we quickly mobilized to track, restrict access, and upgrade every device that had an issue.

You complain that we cost too much, but we put a ton of effort into this arena.

As our homepage says, we're not selling you a product - we're partnering up.
 

fenderman

That vulnerability was discovered well before Hikvision offered a patch for it. That's my entire point: you cannot rely on these Chinese manufacturers for security.

You could not possibly upgrade every device unless you had access to the Hikvision NVR, which again is troubling.
 

mnederlanden

We did not find infected devices when we upgraded. Your fears are mostly imaginary and hypothetical. Again, it is cameras that the vast majority of hacks utilize - not NVRs.

Additionally, we will happily set up VPNs for customers who want one and who know how to use one.

Either way, these concerns disappear on the next release of Cirrus.
 

fenderman

> We did not find infected devices when we upgraded. Your fears are mostly imaginary and hypothetical.
>
> Either way, they disappear on the next release of Cirrus.

They are not imaginary and once again you've proven that you have no problem posting misleading and false information. There is no way you would know whether any of the devices were hacked unless the hacker made some obvious changes. We also have no idea how many machines you updated and how you magically got access to these machines. The threat is far from imaginary as we have seen with the most recent hacks. Feel free to bury your head in the sand, here we don't do that, we expose those that do.
The release of your software will do nothing to mitigate this risk.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
> here's a guide we wrote on NVR vs Camera hacks when someone else made a claim pretty similar to this one.

Out of curiosity I read the report you linked to.
My initial reaction was that it is full of generalisations disguised as facts that are both correct and incorrect. But certainly misleading.
I'd thought to comment on and challenge each, but then decided not to as there were rather a lot.

But some samples.

> "NVRs are Hacked Far Less Frequently."

Self evidently true, and untrue, depending on the (unspecified) definition of 'frequently'.
There are many more cameras than NVRs.
The firmware is bigger in scale and complexity than cameras, so has more opportunities for vulnerabilities, a bigger attack surface, and typically more of that surface is exposed by the use case of the device.
The architecture and implementation is no less vulnerable than IP cameras.

> This is why we suggest using the NVR's airgap for the cameras and only letting the single NVR be on the main network.

That's a simplistic and flawed suggestion that will mislead those it is given to.
NVRs do not have a network airgap.
In many PoE NVRs the PoE ports are configured as an Ethernet switch on the same LAN as the NVR LAN interface, giving full accessibility.
On Hikvision and Dahua NVRs, the system provides an 'IP_forwarding' (not to be confused with 'port forwarding') function between the NVR PoE-connected devices and the NVR LAN.
No airgaps there.

> We set up VPNs if the client wants us to.

That's disingenuous - your average client will lack the awareness and knowledge to request that, or understand the risks it mitigates.
Your role should be to be proactive on their security, not reactive.

> We let home users choose to open ports, if they want to just do something easy to maintain.

That is such a scary thing to admit - shame on you!
Your role should be to be proactive on their security, not reactive.
Presumably you tell them that if they do so, they put all their connected devices and associated data at serious risk of compromise?
I thought not.

Well, you certainly don't get my endorsement for your offerings.
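
The point made in the post above, that an NVR's camera ports are either switched onto the main LAN or routed to it through IP forwarding rather than air-gapped, as an added example that is not part of the original thread. The mode labels, class names and RFC 5737 documentation addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Nvr:
    lan_ip: str                  # NVR address on the main LAN
    poe_mode: str                # "switch" or "routed" (labels are assumptions)
    camera_net: str              # subnet used by the PoE-connected cameras
    ip_forwarding: bool = False  # NVR passes IP packets between its two sides


@dataclass
class LanHost:
    ip: str
    lan_net: str
    routes: dict = field(default_factory=dict)  # destination net -> next hop


def camera_reachable(host, nvr, camera_ip):
    """Return (reachable, reason) for a LAN host and one camera address."""
    cam = ip_address(camera_ip)
    if cam not in ip_network(nvr.camera_net):
        raise ValueError("camera is not on the NVR's camera subnet")
    if nvr.poe_mode == "switch":
        # PoE ports bridged to the LAN port: cameras share the broadcast domain.
        if cam in ip_network(host.lan_net):
            return True, "PoE ports are a switch on the main LAN"
        return False, "same wire, but host has no address in the camera subnet"
    if nvr.poe_mode == "routed":
        if not nvr.ip_forwarding:
            return False, "separate subnet and the NVR does not forward"
        for dest, next_hop in host.routes.items():
            if cam in ip_network(dest) and next_hop == nvr.lan_ip:
                return True, "NVR forwards between LAN and camera subnet"
        return False, "NVR would forward; host has no route via it yet"
    raise ValueError(f"unknown poe_mode: {nvr.poe_mode}")


def audit(host, nvr, cameras):
    """Map each camera address to its (reachable, reason) result."""
    return {cam: camera_reachable(host, nvr, cam) for cam in cameras}


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    pc = LanHost("192.0.2.50", "192.0.2.0/24")
    pc_with_route = LanHost("192.0.2.50", "192.0.2.0/24",
                            routes={"198.51.100.0/24": "192.0.2.10"})
    switch_nvr = Nvr("192.0.2.10", "switch", "192.0.2.0/24")
    routed_nvr = Nvr("192.0.2.10", "routed", "198.51.100.0/24", ip_forwarding=True)
    no_fwd_nvr = Nvr("192.0.2.10", "routed", "198.51.100.0/24", ip_forwarding=False)

    print(audit(pc, switch_nvr, ["192.0.2.101"]))
    print(audit(pc, routed_nvr, ["198.51.100.5"]))
    print(audit(pc_with_route, routed_nvr, ["198.51.100.5"]))
    print(audit(pc_with_route, no_fwd_nvr, ["198.51.100.5"]))
```

Only the last case keeps the cameras off the LAN at the IP layer, and even there the NVR itself is attached to both sides.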
 

cosmo

Getting the hang of it
Joined
Mar 12, 2016
Messages
182
Reaction score
18
My original post was on whether anyone had experience with SCW and if so, how it differed to HikVision or Dahua.

I am appreciative that the CEO of SCW, Matt, chimed in. There are a lot of passionate people on this forum, a lot of information, a lot of opinions, and that's generally a good thing. There is also a tendency for passionate folks to debate vigorously over why their way of doing things is superior to someone else's. Often though, this ends up a rhetorical debate with some ruffled feathers because what gets left out is the objectives of both people. If the objectives are different, it is quite possible to have multiple, quite different, solutions.

Blue Iris, at a cursory glance, looks suited to someone technically savvy, or at least has the time to get a system up and running. You have to identify and purchase appropriate hardware for your needs, install a clean version of Windows, do all the updates, disable them, install Blue Iris, set up the switch for your cameras, configure the networking, then start configuring Blue Iris. With SCW (Or anyone's POE NVR), you plug the cameras in, turn it on and you have a functioning security system.

So which is better? Maybe it all depends what you want and what you are willing to do to get it. I see Matt as filling a void. There are those who want a turnkey system and are willing to pay for it. There are tech enthusiasts who want to get a good deal on hardware, are willing to take the risk of importing grey market hardware direct from China and invest their time learning about all the nuances of upgrades, including dealing with problems and no support outside forums like this one. There are those that are willing to pay a premium for authorized distributors on Chinese brands in the US (Like B&H) and have limited support, perhaps a warranty, but still largely on their own. And there are all the boxed security systems from big box retailers like Fry's selling cheap Swann systems, or online vendors, where you are still mostly on your own. And some of the cheap hardware out there is cheap for a reason. It is up to the customer to pore over the functionality and figure out what it all means. Lots of choices. But the void that SCW seems to be filling is to provide a reasonable range of good quality cameras and NVRs with good pre-sales and after sales support. In addition, providing additional software to complement the manufacturer's offerings. While it seems that the hardware is rebadged from Chinese manufacturers, this is the norm today. The value that I see in buying a system from SCW is that their business is reliant upon them choosing good quality hardware, testing the software to make sure everything is working, and providing warm bodies on the end of a phone in the event of a problem. They are more likely to have a connection to fix something with the vendor than an individual buying Chinese grey market hardware direct.

So I think in my mind that sums up the pro and con on Blue Iris vs SCW. Do it yourself vs. an out of the box, hotline supported installation. The technical merits of one over the other is a more in depth discussion. Is Linux more suitable than Windows as a platform for a 24x7 server? Is it risky putting your faith in a one developer software company? What are the scalability limits of server based surveillance processing vs. doing it on the cameras?

In my view, it comes down to what you need, the quality & reliability of the system and the responsiveness of the vendor to problems.

I know my functional requirement. I just haven't figured out yet which system is going to work the best for me.
 

fenderman

Lots of non-tech-savvy folks here using Blue Iris: teachers, accountants, grandpas, grandmas. The setup for Blue Iris takes no more than 30 minutes.
You cannot simply plug cameras into an NVR and be done. Plug and play is a lie. You are still required to properly set up the NVR for recording and remote viewing. Not to mention that if you really want to leverage network cameras and not home run all your cables to the NVR, you need to manually set up the cameras in the NVR. You cannot mix and match cameras and also retain all advanced IVS features, which is very limiting with Uniview/SCW cameras as they don't have many design and sensor configurations.
There are lots of places that sell turnkey systems, including Costco and installers.
If you want to pay 50-100 bux extra per camera for a "warm body" on the other end then you are better off finding a local installer to do the job for you. Certainly, as SCW has shown, they can't be trusted to properly secure their customers' networks.
There is no risk when buying via China; the savings are so great you could self insure yourself many times over.
BI is 50 bux, and you are worried about the risk? If he dies tomorrow, you can move on to a new VMS. IT'S 50 BUX!!!!
Windows is PERFECT for a 24x7 server. I run over 20 Blue Iris machines. Avigilon, Milestone etc. run on Windows; perhaps you and SCW need to call them and advise them that it's a poor choice. SCW's own software runs on Windows!!!!!!
Blue Iris SUPPORTS CAMERA BASED MOTION if you want it!!!!!! What is the availability of an 8ch NVR when you need the ninth camera?
There are many other VMS options out there and most are better than these standalone NVRs.
 