Canon IP web camera - it's potentially useful, what do we want to do with it?

So I’ve been laid up sick as hell in bed this morning with either food poisoning or a stomach bug and I was worried about this box of stuff that I couldn’t find that I was working on at the hive Saturday. I thought “Wow. Wouldn’t that Canon webcam that you can aim be handy right about now?”

So I did some poking.

The camera is a Canon VB-C50i. It’s fancypants. It has its own API along with a Java app for controlling the camera and getting images.

My brain wasn’t working nearly enough to tackle the API side of things so I decided to try to get the Java applet working.

Step 1: forward port 9187 (arbitrary) of → (webcam)
Step 2: try to fire up the java applet (fail)
Step 3: took a look at the page source. the html generated was pointing to not
Step 4: generate a BS html page with the address manually changed. Doing this caused the app to try to load but it still wouldn’t communicate
Step 5: Fire up VMSphere, connect to the ESXi server at the hive remotely (creds available on request)
Step 6: Fire up the Ubuntu desktop VM that I keep around. Point its web browser at, start Java app, voila. (see attached)
Missing box: found. (note: I had to wait till the sun came up and more light came in the space to be able to see clearly)

So at this point, I have it “working” in a very minimal and convoluted sense of the word “working.”

My main point of this email is to discuss whether we want this camera to be available remotely and how to do it.

I took a little bit more careful look at the camera’s setup screens, as well as running nmap on it.
I’ve come to the following conclusions:
-The camera uses port 80 for its “friendly” control interface.
-The camera does not have any security (i.e. access control) features built-in that are worth a damn
-The camera has an FTP server on it (???)
-Ports 65310 and 65311 are used by the Java app for control and imagery

If we wanted to get this working as a remotely-accessible resource (which I think would be a good idea), it would be kind of tricky.
-Regardless of which approach was taken, we’d have to put some kind of authentication structure in front of it. (Trivial) I personally don’t like the idea of an open-to-the-public webcam that can zoom well enough to read the text of pages of a book / screen.
-The simplest approach I can think of would be to use nginx and subs_filter to run a proxy on an internal machine (hubuntu, a VM) that would rewrite any URLs from 172->external. We’d also have to forward the control ports from the firewall → camera. This doesn’t make me feel warm and fuzzy but I could probably make it work.
-The Java applet on the camera could be downloaded and possibly run on a webserver inside the space (hubuntu?) where it could talk to the camera and be available to talk to the outside world. I haven’t done that much server-side java and I don’t know if this is even a good idea.

-Dave B.

missing box.jpg

I think a web server in the space with authentication would work fine. Should we just make a quick app that uses the API? Then we can control accessibility (as far as what features are exposed).

We need to get the dyndns setup with the bind server (I can help with that) and maybe start openldap?

I do have a radius server that is running on the pfsense machine; its sole purpose (right now) is acting as an authentication server for the network components (switches, access points, etc). If you get an openldap server up and running, and want to spend a bit of time installing a radius server, I’ll be more than happy to migrate away from the radius server running on pfsense and have one, authoritative, authentication source.


This is The Plan ™. OpenLDAP, RADIUS, Kerberos, Samba authenticating off the same store.

Why are we concerned about exposing the PTZ features to the public internet? It’s not like someone can see into the bathroom or some other inappropriate location. This was the camera that I had publicly accessible in my 7th street OFFICES for over two years to view the 700g reef tank we had and we didn’t limit anything. In fact, we had fun with it and played games like “find the dot” where we would post a dot sticker somewhere in the office and people would come in and look for it each day.

On a previous PTZ camera we streamed the video to a streaming service so the camera wasn’t directly exposed and wrote some scripts on our web site that would relay the commands to the secret IP address of the web cam. We had dozens of spots around the offices that were “marked” in a list on the web page and the users could click on a link to move the camera to that fixed location. That way we could give virtual tours of our offices and showcase our mad dev skills back around 2000. (which is what I had in mind when I dropped the camera off)

I also dropped off a mounting pipe before the holidays that we had made which allows us to suspend the camera in the middle of the room from the ceiling at a reasonable viewing angle. I thought if we put the bar somewhere above the workstation that’s at the end of the electronics bench, we could see most of the work areas of the HIVE and allow people to get live tours of everything except the laser room.


I am not excited about a remotely publicly accessible camera that is capable of zooming enough to read the text off my laptop’s screen. Call me weird or paranoid or whatever, but I think it should be limited to hive members, not everyone. Then again, I’m just one person and clearly everyone doesn’t agree with me.

I think I would be OK for set locations like Ed described where there was a website where you could click and the camera would then go to that location. That would allow someone to look around the space without being able to control the zoom or the exact angle. It would still be possible to read email or watch the keystrokes of a password but luck would need to be on their side.
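
The preset-only relay discussed in this thread (members authenticate, pick a named location, and never send raw pan/tilt/zoom), as an added example that is not code from any of the posters or from Canon. The camera address, command path, parameter names, preset values and member token are all constructed placeholders, not the VB-C50i's real API.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Assumption: placeholder internal URL and parameter names (hypothetical,
# not the VB-C50i API). The camera itself is never exposed to the internet.
CAMERA_BASE = "http://camera.internal.example/control"
MAX_ZOOM = 2  # constructed cap: too wide to read a laptop screen

# Constructed preset list: name -> fixed (pan, tilt, zoom).
PRESETS = {
    "electronics-bench": (-30, -10, 1),
    "front-door": (45, -5, 2),
    "work-tables": (0, -20, 1),
}

# Only hashes of member tokens are stored (constructed sample token).
MEMBER_TOKEN_HASHES = {hashlib.sha256(b"sample-member-token").hexdigest()}


class Rejected(Exception):
    """Raised when a request must not be relayed to the camera."""


def is_member(token: str) -> bool:
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison against every stored hash.
    return any(hmac.compare_digest(digest, h) for h in MEMBER_TOKEN_HASHES)


def build_camera_request(token: str, query: dict) -> str:
    """Return the internal camera URL for an allowed request, else raise."""
    if not is_member(token):
        raise Rejected("not authenticated")
    # The only key a client may send is "preset"; anything else, including
    # raw pan/tilt/zoom values, is refused rather than passed through.
    if set(query) != {"preset"} or not isinstance(query["preset"], str):
        raise Rejected("only a preset name is accepted")
    preset = PRESETS.get(query["preset"])
    if preset is None:
        raise Rejected("unknown preset")
    pan, tilt, zoom = preset
    # Guard against a misconfigured preset that would allow close zoom.
    if zoom > MAX_ZOOM:
        raise Rejected("preset exceeds zoom cap")
    return CAMERA_BASE + "?" + urlencode({"pan": pan, "tilt": tilt, "zoom": zoom})
```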