Choregraphe security issue - nao-robot

I am trying to find a way to secure our robot against unwanted Choregraphe connections. We are required to work on a University-wide network, and we need a way to stop people from connecting who may have obtained the robot's IP address at some stage without our knowledge.
As there is no access to the root user account on the Pepper, I cannot simply lock down access using iptables, so I thought I might try looking at a way to forcibly close connections from ALChoregraphe when it registers on the robot.
However, running the command:
qicli info ALChoregraphe
I can see that the only method available is requestDisconnection. There is no way to close the connection forcibly.
I have tried using ALServiceManager to stop the service, but it apparently only knows about services that are installed as packages.
So far the only solution I have is to change the color of the eye LEDs to indicate that a connection has been established, and reset them when a disconnect is received.
Aside from moving the robot to its own network, do you have any suggestions on how I could go about handling this?
Thanks!

At the moment, there is no other way to prevent connections to the robots. All you can do is to make sure that unwanted clients cannot access the network of your robot.

In Choregraphe 2.4 and later, you can kick the existing Choregraphe after 30 seconds. If anyway it fails, you should unregister the services ALChoregraphe and ALChoregrapheRecorder using qicli call ServiceDirectory.unregisterService <serviceID> where serviceID is the number facing the services when listed with qicli info.

Related

ipmi-console: SOL connection idle on dell servers

I'm working with server automation tools on some Dell C2100 and C1100 servers. What I intend to do is connecting via Serial Over Lan using ipmi.
A few weeks ago, I was able to connect to one of my servers using ipmi-console (from freeipmi), like this:
ipmi-console -h IPADDRESS -u USER -P
This started up a SOL connection, and this way I was able to automate some interactions with the server's BIOS settings and other stuff.
However, a few days later, the same script didn't work anymore. It just says "[SOL established]", and that's it: the SOL connection never shows any feedback, and it stays idle until I close the connection.
My question is: what could possibly have changed that the SOL connection is not working anymore.
I obviously checked for anything related to SOL and IPMI, both in BIOS settings and using BMC web GUI. But everything looks normal, and I didn't recall to have changed anything there between the time the connections worked and then they stopped working. IDK what else to check, and it just fails w/o errors anywhere.
Perhaps this is a common thing with IPMI and/or SOL, but I frankly don't understand it. So, any pointer would be nice.
Thanks in advance.
FreeIPMI maintainer here. When no data is being output, it is typically a configuration problem. Assuming none of that changed, one idea.
On some motherboards, I've seen the BMC internally "lose its connection" to the serial chip, thus it doesn't get any serial data and thus doesn't have anything to send out. Unfortunately a hard power reset is often needed to solve this (b/c the BMC always is "on" via standby power, it must be a hard reset to reset it). Hard resetting the BMC directly might work as well, you can do this in FreeIPMI via bmc-device --cold-reset.
Finally, I've found what was going on.
It happened that somehow a value DID change on the BIOS settings, most likely my own mistake: remote connection ability was disabled. That means, it seems, that SOL works, but it doesn't redirect anything. Given that I was able to connect through SOL, it seemed obvious that remote connection ability was enabled.
Once enabled that BIOS setting, everything was back to normal.
BTW: freeipmi is awesome. Thanks for maintaining it Albert.

Trouble proxying into computer

I am trying read traffic from a couple of test mobile devices, iphones, androids etc. I've done this for over a year using primarily Fiddler but also Charles. I did it up until yesterday without any issue. But today the devices do not appear to be connecting to my computer. I have confirmed that everything is configured right eg. device is set to use my computer as a proxy after I put in my computers IP address that I got by doing a simple ipconfig, sorry if this all sounds redundant but just letting you know my steps, better to have more information than less. I also turned off my firewall no change.
I thought perhaps something was done to our network, but I installed Fiddler on a coworkers computer and was able to proxy into that computer without any issue. Confirmed all drivers are up to date and really there was no change between yesterday and today except a deep scan with Malwarebites. Frankly sort of at a loss for what it might be, I have reinstalled Fiddler on my computer (the primary one I use, didn't reinstall Charles cause I don't want to deal with license issue right now) but at same time what are the chances that both stopped working at same time.
There's a high likelihood that your PC's firewall is blocking the inbound connection. You should check your firewall configuration to see if it's configured to allow inbound connections to Fiddler.
On your Fiddler-running PC, ensure Tools > Fiddler Options > Connections > Allow Remote Computers to connect is checked (if not, check it and restart).
From your co-worker's PC, try visiting http://<FiddlerPCName>:8888/ in the browser. Does the traffic appear in Fiddler?

As a working-traveler, is there a way to get around port 80 blockage without touching the router?

I work while traveling at the moment. I'm at the point where I want to start setting up the paypal integration, but I can't because I can't open port 80 up so that paypal sandbox can communicate with my computer. I've tried getting my own USB modem w/ sim card (data plan) but it seems they are really aggressive with blocking ports on those also.
So, i can't get to the routers in the hotels since it would be wrong (and i don't have the passwords).
Is there some kind of trick that I can use so I can mess with paypal sandbox integration? I've tried using hosting (godaddy) but it's awful slow to keep uploading changes to a host just to see if what you did worked (not to mention problems with debugging).
Looks like i didn't get any help this time, but i found a way around it! I created a VPN in Windows 7 in my home network (so my work laptop can connect back home). I checked the setting that allows remote vpn connections to pick their own IP address so my work laptop would have a static ip.
I then simply opened up port 80, and forwarded it to the static IP set for my laptop. I can't believe it, but it works!

Silverlight client port check

I'm facing a problem that gives me a quite hard time ...
People having trouble to execute a program that needs specific ports to be open, sadly they don't know if its a clientside problem caused by blocked ports, of it its simply a software problem.
So I thought about making a program that checks if the user can access the provided ports, after I made the WPF application, I was thinking about having an easier access to such functionality and tried to produce a Silverlight Version.
Questions:
a.) Is there even a way to check if the user can connect to specific ports that aren't in the range of 4502 - 4534 within a silverlight application that runs as plugin in the web browser ?
b.) Is there a way to do this, even without having access to the specific server to provide a policy file?
If you trying to do it from the in-browser application that its a no. Trusted silverlight application should be able to connect to any port without restrictions.

How do I detect the presence/absence of internet connection on a machine?

I need to detect the presence/absence of internet connection. More precisely, let us suppose that the application is broken up into 2 parts - A and B.
A is responsible for checking whether or not the system is connected to the internet. If it finds that there is no connection, it starts up part B. And as soon as it detects that there is a network connection, it kills B and continues its own work.
What would be the best way to do the A part of the application? Continual pings sounds hideous. There has to be a better way of doing this (preferably in C).
With sufficient privilege you can test the various network interfaces and examine their state. This would tell you if any of the interfaces was connected to a network and operating. However, this won't tell you if the connection is actually usable, i.e., connected to the internet (or your local net if that's all you need). I don't know of anyway to do that short of actually using it.
Using ICMP (ping) can be useful at a low level, but presumably what you need is a connection to an actual endpoint via TCP/IP to do real work. I would say that you should change the design of your application so that B is responsible for indicating when it is unable to continue due to the absence of resources that it relies on -- network or otherwise. A and B should communicate so that A is aware of the situation and is able to either kill B or respond to B terminating itself and thus continuing its work.
A lot of companies have measures in place to prevent outgoing ICMP requests, TCP connections to ports other than 80/443 for example, or even to prevent you from reaching the internet directly by (transparently) proxying your traffic.
Under an internet connection I would understand any way to contact the outside, be it UDP, TCP or ICMP. Depending on what your application needs to contact the internet for, I would suggest to check over the same protocol, as that is the only thing that matters to your app.
If your application uses HTTP to communicate to an external source, try to connect to a few sites you would suspect to not be blacklisted and that have a reliable uptime. Like google.com, microsoft.com, apple.com, and so on...
Edit:
I am unsure what the specifics are, so let me give you an example with a hypothetical situation.
Application A collects data on the system it is running on and forwards it to a Web Service listening on yourserverhost.yourcompany.com:80
Application B would basically take over the job of the Web Service when it is down and log everything so no data is lost.
When all is well, App A will be sending the data to your web service
Once this connection drops, you immediatly launch App B (the obvious remark here would be, why not keep App B running as a failsafe)
App A connects to App B and forwards what it had been buffering
App A continues to try to reestablish the connection to your Web Service and once it is back up will request App B to stop
If the problem you are facing is nothing like this, please provide a more concrete description of what App A and App B are supposed to be doing. I will be more than happy to help.
In your code, you have to check whether the internet connection exists by using a socket to open a connection to a website.
Firstrun: Ask user to input the network parameters, like proxy settings. Save this info.
Next runs: Use these settings to check for the Internet connection. You may simply do a DNS search.
If results are negative, ask user to check settings.
Check whether the cable is connected , if so ping your internet connection to any host as google.com.
ping google.com

Resources