Quotulatiousness

November 10, 2018

Don’t expect the “Internet-of-Things” to get better security without Uncle Sam’s pressure

Filed under: Business, Government, Technology — Nicholas @ 05:00

Bruce Schneier believes it will take government action (or as The Register phrased it, “Uncle Sam … putting boots to asses”) to get any significant improvement in Internet-of-Shit device security:

Any sort of lasting security standard in IoT devices may only happen if governments start doling out stiff penalties.

So said author and computer security guru Bruce Schneier, who argued during a panel discussion at the Aspen Cyber Summit this week that without regulation, there is little hope the companies hooking their products up to the internet will implement proper security protections.

“Looking at every other industry, we don’t get security unless it is done by the government,” Schneier said.

“I challenge you to find an industry in the last 100 years that has improved security without being told [to do so] by the government.”

Schneier went on to point out that, as it stands, companies have little reason to implement safeguards into their products, while consumers aren’t interested in reading up about appliance vendors’ security policies.

“I don’t think it is going to be the market,” Schneier argued. “I don’t think people are going to say I’m going to choose my refrigerator based on the number of unwanted features that are in the device.”

Schneier is not alone in his assessment either. Fellow panellist Johnson & Johnson CISO Marene Allison noted that manufacturers have nothing akin to a bill of materials for their IP stacks, so even if customers want to know how their products and data are secured, they’re left in the dark.

“Most of the stuff out there, even as a security professional, I have to ask myself, what do they mean?” Allison said.

September 11, 2018

Fear the Internet-of-Things

Filed under: Business, Technology — Nicholas @ 05:00

Martin Giles talks to Bruce Schneier about his new book, Click Here to Kill Everybody:

The title of your book seems deliberately alarmist. Is that just an attempt to juice sales?

It may sound like publishing clickbait, but I’m trying to make the point that the internet now affects the world in a direct physical manner, and that changes everything. It’s no longer about risks to data, but about risks to life and property. And the title really points out that there’s physical danger here, and that things are different than they were just five years ago.

How’s this shift changing our notion of cybersecurity?

Our cars, our medical devices, our household appliances are all now computers with things attached to them. Your refrigerator is a computer that keeps things cold, and a microwave oven is a computer that makes things hot. And your car is a computer with four wheels and an engine. Computers are no longer just a screen we turn on and look at, and that’s the big change. What was computer security, its own separate realm, is now everything security.

You’ve come up with a new term, “Internet+,” to encapsulate this shift. But we already have the phrase “internet of things” to describe it, don’t we?

I hated having to create another buzzword, because there are already too many of them. But the internet of things is too narrow. It refers to the connected appliances, thermostats, and other gadgets. That’s just a part of what we’re talking about here. It’s really the internet of things plus the computers plus the services plus the large databases being built plus the internet companies plus us. I just shortened all this to “Internet+.”

Let’s focus on the “us” part of that equation. You say in the book that we’re becoming “virtual cyborgs.” What do you mean by that?

We’re already intimately tied to devices like our phones, which we look at many times a day, and search engines, which are kind of like our online brains. Our power system, our transportation network, our communications systems, are all on the internet. If it goes down, to a very real extent society grinds to a halt, because we’re so dependent on it at every level. Computers aren’t yet widely embedded in our bodies, but they’re deeply embedded in our lives.

Can’t we just unplug ourselves somewhat to limit the risks?

That’s getting harder and harder to do. I tried to buy a car that wasn’t connected to the internet, and I failed. It’s not that there were no cars available like this, but the ones in the range I wanted all came with an internet connection. Even if it could be turned off, there was no guarantee hackers couldn’t turn it back on remotely.

Hackers can also exploit security vulnerabilities in one kind of device to attack others, right?

There are lots of examples of this. The Mirai botnet exploited vulnerabilities in home devices like DVRs and webcams. These things were taken over by hackers and used to launch an attack on a domain-name server, which then knocked a bunch of popular websites offline. The hackers who attacked Target got into the retailer’s payment network through a vulnerability in the IT systems of a contractor working on some of its stores.

June 5, 2018

The Internet-of-Things as “Moore’s Revenge”

Filed under: Technology — Nicholas @ 03:00

El Reg‘s Mark Pesce on the end of Moore’s Law and the start of Moore’s Revenge:

… the cost of making a device “smart” – whether that means, aware, intelligent, connected, or something else altogether – is now trivial. We’re therefore quickly transitioning from the Death of Moore’s Law into the era of Moore’s Revenge – where pretty much every manufactured object has a chip in it.

This is going to change the whole world, and it’s going to begin with a fundamental reorientation of IT, away from the “pinnacle” desktops and servers, toward the “smart dust” everywhere in the world: collecting data, providing services – and offering up a near infinity of attack surfaces. Dumb is often harder to hack than smart, but – as we saw last month in the Z-Wave attack that impacted hundreds of millions of devices – once you’ve got a way in, enormous damage can result.

The focus on security will produce new costs for businesses – and it will be on IT to ensure those costs don’t exceed the benefits of this massively chipped-and-connected world. It’ll be a close-run thing.

It’s also likely to be a world where nothing works precisely as planned. With so much autonomy embedded in our environment, the likelihood of unintended consequences amplifying into something unexpected becomes nearly guaranteed.

We may think the world is weird today, but once hundreds of billions of marginally intelligent and minimally autonomous systems start to have a go, that weirdness will begin to arc upwards exponentially.

October 1, 2017

When network security intersects teledildonics

Filed under: Technology — Nicholas @ 05:00

At The Register, John Leyden warns anyone using an internet-of-things sex toy that their device can be easily detected and exploited by (I kid you not) “screwdrivers” (below the fold, just in case you’re extra-concerned for potentially NSFW content):

July 3, 2017

QotD: Smartphones, the Internet-of-things, and social controls

Filed under: Government, Health, Quotations, Religion, Technology — Nicholas @ 01:00

It’d be interesting (in a gruesome sort of way) to see what Da’esh (or the government of Saudi Arabia) could do with a citizen score. Currently enforcement of public morality in hardcore Salafi Muslim states is carried out by the Committee for the Promotion of Virtue and the Prevention of Vice in Saudi Arabia, and other religious police in other states. As with all police forces, there is a cost associated with putting boots on the ground. If you have, for example, a modest dress code, you could go some way towards enforcement by feeding purchases of garments into the citizen’s score. (Buy too much of the wrong kind of underwear and you could be singled out for an in-person check by the mutaween. And heaven forbid they catch you streaming music from a western cloud service.) Signs of non-conformity could be punished indirectly: it’s a lot harder to resist ubiquitous peer pressure than it is to dodge external resource-limited law enforcement.

In The Handmaid’s Tale, Margaret Atwood’s Republic of Gilead subordinates women rapidly by taking control over the financial system. But that’s a comparatively crude mechanism. The more data you’ve got, the more tightly you can constrain your reward/punish metrics and the more accurately you can focus your oppression — and micro-focussed oppression minimizes the risk of generating wide-scale resistance. Everybody’s experience is different, isolated, locked inside an invisible cell with asymmetric walls that their neighbors can’t see. And if you can’t see the invisible walls locking your neighbours in, you can’t establish solidarity and exert collective pressure against them.

We are heading towards a situation where we all carry smartphones, all the time; where we need them to call a cab, or check a bus timetable, or unlock our cars, or pay for something. Your smartphone knows who you are, knows where you’ve been, reads all your correspondence, and hears everything you say. The discrete activity of placing a voice phone call is in the process of being replaced by barking “phone, put me through to Sandy in Sales”, followed by rapid connectivity (unless Sandy is in do-not-disturb mode or talking to someone else, in which case their phone will take a message for you). With always-on recognition, your phone (without which you can’t really exist in an internet-of-things world) will track your mood and your pulse rate and possibly award you citizenship points or penalties if you respond to the wrong stimuli.

But that’s the nightmarish, dystopian grim-meathook-future version of citizenship scoring: a system that facilitates the pervasive enforcement of mandated behavioural standards and punishes quantifiable expressions of individuality. Nobody would vote for (or buy into) that! So it’s going to be even more gamified, to make it fun. You can see your score in real time, get helpful tips on what to do (or not to do) to grind for points, and if you’re thinking about doing something a bit naughty a handy app will give you a chance to exercise second thoughts and erase your sin before it is recorded. But that’s not all. Obviously you didn’t really want to date that manic pixie dream girl (she’ll murder your citizenship score with her quirky and unpredictable fun transgressions) but we can apply the magic of Affinity Analysis to look for someone more suitable for you — similar preferences, similar tastes, and most importantly a similar attitude to social improvement and good citizenship.

Now eat your greens; your phone says you haven’t been getting your five a day this week and if you keep it up we’re going to have to dock you a point.

Charles Stross, “It could be worse”, Charlie’s Diary, 2015-10-09.

April 9, 2017

The Internet-of-Things wants to invade your kitchen

Filed under: Business, Food, Technology — Nicholas @ 04:00

Megan McArdle on the good and bad (mostly bad, IMO) of adding extra layers of technological sophistication to your kitchen appliances. If someone hasn’t already offered a hand-blender, can-opener, or soup tureen with Wi-Fi and/or Bluetooth built-in, just wait a bit … it’s bound to happen.

I don’t think of myself as having Luddite tendencies, but I confess that when I see refrigerators with screens set into their doors, my first thought is: “Why?”

No, don’t tell me that you can stream music or look inside the refrigerator. I already have technology for that — respectively, my Amazon Echo and this app called “opening the door.” Neither costs the thousands of extra dollars I would have to pay to get my hands on a Samsung Family Hub Refrigerator. And if my music streamer breaks, I can replace it without calling an appliance repair company and spending a fortune on parts.

I have similar sensations about many of the technologies on offer in today’s appliances. Every major appliance manufacturer seems to be looking for a way to stick wi-fi into their products, for example. And I confess, I have occasionally fantasized about starting a pie cooking in my oven, sauntering to the other side of my 5,400-square-foot home for a dip in the pool, and being able to use my phone to turn down the heat on the pie after 10 minutes. Alas, in the trim 1,700-square-foot rowhouse I actually live in, I am never far enough from my kitchen to actually justify resorting to my smartphone rather than my feet.

We are at a curious moment in cooking technology. The last decade or so has probably introduced more technology potential into the kitchen than any previous decade except the 1930s. Sous vide, electric pressure cookers, fuzzy logic rice machines, induction cooktops, food processors that also cook, wi-fi controls, web connections … these things are now common enough for ordinary cooking enthusiasts to have at least heard of them, if not tried them. It is an era of enormous potential. And yet, that potential is frequently not realized, because we can’t actually figure out what to do with all our new toys.

Don’t get me wrong: I’m not saying that all of this new technology is useless. Far from it! I am an enthusiast for many of them. And yet, almost all these whiz-bang technologies fall prey, to some extent, to one of two problems. Either they are not actually very useful, or they are so spectacularly revolutionary that the average home cook can’t figure out what to do with them.

And this doesn’t even dip into the awesomely terrible security issues of so many Internet-of-Things devices, creating new, wide vistas for ransomware scumbags…

December 7, 2016

QotD: Turning ordinary recycling into a vast revenue enhancement tool

Filed under: Economics, Government, Quotations, Technology — Nicholas @ 01:00

… we know that ubiquitous RFID tags are coming to consumer products. They’ve been coming for years, now, and the applications are endless. More to the point they can be integrated with plastic products and packaging, and printed cheaply enough that they’re on course to replace bar codes.

Embedded microcontrollers are also getting dirt cheap; you can buy them in bulk for under US $0.49 each. Cheap enough to embed in recycling bins, perhaps? Along with a photovoltaic cell for power and a short-range radio transceiver for data. I’ve trampled all over this ground already; the point is, if it’s cheap enough to embed in paving stones, it’s certainly cheap enough to embed in bins, along with a short-range RFID reader and maybe a biosensor that can tell what sort of DNA is contaminating the items dumped in the bins.

The evil business plan of evil (and misery) posits the existence of smart municipality-provided household recycling bins. There’s an inductance device around it (probably a coil) to sense ferrous metals, a DNA sniffer to identify plant or animal biomass and SmartWater tagged items, and an RFID reader to scan any packaging. The bin has a PV powered microcontroller that can talk to a base station in the nearest wifi-enabled street lamp, and thence to the city government’s waste department. The householder sorts their waste into the various recycling bins, and when the bins are full they’re added to a pickup list for the waste truck on the nearest routing — so that rather than being collected at a set interval, they’re only collected when they’re full.

But that’s not all.

Householders are lazy or otherwise noncompliant and sometimes dump stuff in the wrong bin, just as drivers sometimes disobey the speed limit.

The overt value proposition for the municipality (who we are selling these bins and their support infrastructure to) is that the bins can sense the presence of the wrong kind of waste. This increases management costs by requiring hand-sorting, so the individual homeowner can be surcharged (or fined). More reasonably, households can be charged a high annual waste recycling and sorting fee, and given a discount for pre-sorting everything properly, before collection — which they forfeit if they screw up too often.

The covert value proposition … local town governments are under increasing pressure to cut their operating budgets. But by implementing increasingly elaborate waste-sorting requirements and imposing direct fines on households for non-compliance, they can turn the smart recycling bins into a new revenue enhancement channel, much like the speed cameras in Waldo. Churn the recycling criteria just a little bit and rely on tired and over-engaged citizens to accidentally toss a piece of plastic in the metal bin, or some food waste in the packaging bin: it’ll make a fine contribution to your city’s revenue!

Charles Stross, “The Evil Business Plan of Evil (and misery for all)”, Charlie’s Diary, 2015-05-21.

November 2, 2016

Online security theatre: “We sell biometric authentication systems to people who need a good password manager”

Filed under: Technology — Nicholas @ 09:06

Joey DeVilla linked to this discussion of the Mirai botnet and the distressing failures of online security … not for the brilliance and sophistication of the attack (it was neither), but the failure to address simple common-sense security issues:

I’ve written about 1988’s Morris worm, and I wanted to dig into the source of the Mirai botnet (helpfully published by the author) to see how far we’ve come along in the past 28 years.

Can you guess how Mirai spreads?

Was there a new zeroday in the devices? Hey, maybe there was an old, unpatched vulnerability hanging — who has time to apply software updates to their toaster? Maybe it was HeartBleed 👻?

Nope.

Mirai does one, and only one thing in order to break into new devices: it cycles through a bunch of default username/password combinations over telnet, like “admin/admin” and “root/realtek”. For a laugh, “mother/fucker” is in there too.

Default credentials. Over telnet. That’s how you get hundreds of thousands of devices. The Morris worm from 1988 tried a dictionary password attack too, but only after its buffer overflow and sendmail backdoor exploits failed.

Oh, and Morris’ password dictionary was larger, too.
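The spreading method described above (a fixed list of factory credentials tried over telnet) leaves a recognisable trace in login records, and the post's own complaint is that nobody was looking for it. What follows is an added example, not code from the original post and not Mirai's own source: a small detector that reads telnet login records and extracts two signals, a single source trying several distinct default pairs against one target inside a short window (a credential sweep), and any login that succeeded with a factory default at all (a device that was never re-keyed). Only admin/admin and root/realtek are pairs the post names; the rest of DEFAULT_CREDS, the record format and the sample lines are constructed for this example.

```python
"""Detect Mirai-style default-credential sweeps in telnet login records.

Added example, not code from the original post and not Mirai's own source.
Only "admin/admin" and "root/realtek" are pairs the post names; the rest of
DEFAULT_CREDS, the record format and SAMPLE_LOG are constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Named in the post: admin/admin, root/realtek. The others are constructed filler.
DEFAULT_CREDS = {
    ("admin", "admin"),
    ("root", "realtek"),
    ("root", "root"),
    ("admin", "1234"),
    ("support", "support"),
}

# Constructed record format, one attempt per line:
#   <ISO-8601 time> telnetd src=<ip> dst=<ip> user=<u> pass=<p> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

# Constructed sample: one sweeping source that eventually gets in, one
# operator reusing a factory default, one unrelated legitimate login.
SAMPLE_LOG = """\
2016-10-21T06:00:01 telnetd src=198.51.100.7 dst=192.0.2.10 user=root pass=realtek result=fail
2016-10-21T06:00:02 telnetd src=198.51.100.7 dst=192.0.2.10 user=admin pass=admin result=fail
2016-10-21T06:00:03 telnetd src=198.51.100.7 dst=192.0.2.10 user=root pass=root result=fail
2016-10-21T06:00:04 telnetd src=198.51.100.7 dst=192.0.2.10 user=admin pass=1234 result=ok
2016-10-21T06:05:00 telnetd src=203.0.113.9 dst=192.0.2.10 user=admin pass=admin result=fail
2016-10-21T06:05:30 telnetd src=203.0.113.9 dst=192.0.2.10 user=admin pass=admin result=ok
2016-10-21T06:10:00 telnetd src=203.0.113.44 dst=192.0.2.11 user=alice pass=correct-horse result=ok
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    src: str
    dst: str
    user: str
    pw: str
    ok: bool


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Attempt(datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   m["user"], m["pw"], m["result"] == "ok")


def default_attempts(lines):
    """Attempts that used a known default pair, grouped by (src, dst), time-sorted."""
    groups = defaultdict(list)
    for line in lines:
        a = parse_line(line)
        if a and (a.user, a.pw) in DEFAULT_CREDS:
            groups[(a.src, a.dst)].append(a)
    for attempts in groups.values():
        attempts.sort(key=lambda a: a.ts)
    return groups


def find_sweeps(lines, min_pairs=3, window=timedelta(seconds=60)):
    """Map (src, dst) -> (distinct default pairs tried, any success) for host
    pairs where at least `min_pairs` distinct defaults were tried within
    `window`. One pair retried is a typo or a lazy operator, not a sweep."""
    sweeps = {}
    for key, attempts in default_attempts(lines).items():
        best = None
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits inside `window`
            while attempts[end].ts - attempts[start].ts > window:
                start += 1
            span = attempts[start:end + 1]
            pairs = {(a.user, a.pw) for a in span}
            if len(pairs) >= min_pairs:
                cand = (len(pairs), any(a.ok for a in span))
                if best is None or cand > best:
                    best = cand
        if best is not None:
            sweeps[key] = best
    return sweeps


def successful_default_logins(lines):
    """Every login that succeeded with a factory default, in record order."""
    return [(a.src, a.dst, a.user, a.pw)
            for a in map(parse_line, lines)
            if a and a.ok and (a.user, a.pw) in DEFAULT_CREDS]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (src, dst), (n, got_in) in find_sweeps(lines).items():
        print(f"sweep {src} -> {dst}: {n} default pairs tried, success={got_in}")
    for src, dst, user, pw in successful_default_logins(lines):
        print(f"default credential accepted on {dst} from {src}: {user}/{pw}")
```

The sweep rule counts distinct default pairs inside a time window rather than raw failures, so a single mistyped factory password is not flagged while a list-driven bot is, and the second signal is reported separately because a device that accepts admin/admin is a problem whether or not anyone has swept it yet.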

October 26, 2016

A primer on last week’s IoT DDoS attacks

Filed under: Technology, USA — Nicholas @ 09:18

Joey DeVilla provides a convenient layman’s terms description of last Friday’s denial of service attacks on Dyn:

A map of the parts of the internet affected by Friday’s attack. The redder an area is, the more heavily it was affected.

If you’ve been reading about the cyberattack that took place last Friday and are confused by the jargon and technobabble, this primer was written for you! By the end of this article, you’ll have a better understanding of what happened, what caused it, and what can be done to prevent similar problems in the future.

[…]

Hackread’s animation of what happened last Friday. Click the image to see the source.

On Friday, October 21, 2016 at around 6:00 a.m. EDT, a botnet made up of what could be up to tens of millions of machines — a large number of which were IoT devices — mounted a denial-of-service attack on Dyn, disrupting DNS over a large part of the internet in the U.S. This in turn led to a large internet outage on the U.S. east coast, slowing down the internet for many users and rendering a number of big sites inaccessible, including Amazon, Netflix, Reddit, Spotify, Tumblr, and Twitter.

Flashpoint, a firm that detects and mitigates online threats, was the first to announce that the attack was carried out by a botnet of compromised IoT devices controlled by Mirai malware. Dyn later corroborated Flashpoint’s claim, stating that their servers were under attack from devices located at millions of IP addresses.

The animation above is a visualization of the attack based on the devices’ IP addresses and IP geolocation (a means of approximating the geographic location of an IP address; for more, see this explanation on Stack Overflow). Note that the majority of the devices were at IP addresses (and therefore, geographic locations) outside the United States.

October 18, 2016

This is really what the Internet of Things will be like

Filed under: Technology — Nicholas @ 02:00

A realistic view by joyoftech.com:

[Cartoon: internet-of-things-by-joyoftech]

H/T to The Arts Mechanical for the link.

July 27, 2016

Security concerns with the “Internet of things”

Filed under: Technology — Nicholas @ 03:00

When it comes to computer security, you should always listen to what Bruce Schneier has to say, especially when it comes to the “Internet of things”:

Classic information security is a triad: confidentiality, integrity, and availability. You’ll see it called “CIA,” which admittedly is confusing in the context of national security. But basically, the three things I can do with your data are steal it (confidentiality), modify it (integrity), or prevent you from getting it (availability).

So far, internet threats have largely been about confidentiality. These can be expensive; one survey estimated that data breaches cost an average of $3.8 million each. They can be embarrassing, as in the theft of celebrity photos from Apple’s iCloud in 2014 or the Ashley Madison breach in 2015. They can be damaging, as when the government of North Korea stole tens of thousands of internal documents from Sony or when hackers stole data about 83 million customer accounts from JPMorgan Chase, both in 2014. They can even affect national security, as in the case of the Office of Personnel Management data breach by — presumptively — China in 2015.

On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home. It’s another thing entirely if it can be hacked to allow a burglar to open the door — or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car’s location.

With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.

Today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway. We’re worried about manipulated counts from electronic voting machines, frozen water pipes through hacked thermostats, and remote murder through hacked medical devices. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.

The increased risks come from three things: software control of systems, interconnections between systems, and automatic or autonomous systems. Let’s look at them in turn

I’m usually a pretty tech-positive person, but I actively avoid anything that bills itself as being IoT-enabled … call me paranoid, but I don’t want to hand over local control of my environment, my heating or cooling system, or pretty much anything else on my property to an outside agency (whether government or corporate).

August 28, 2015

The insecurity of the “internet of things” is baked-in right from the start

Filed under: Technology — Nicholas @ 02:00

At The Register, Richard Chirgwin explains why every new “internet of things” release is pretty much certain to be lacking in the security department:

Let me introduce someone I’ll call the Junior VP of Embedded Systems Security, who wears the permanent pucker of chronic disappointment.

The reason he looks so disappointed is that he’s in charge of embedded Internet of Things security for a prominent Smart Home startup.

Everybody said “get into security, you’ll be employable forever on a good income”, so he did.

Because it’s a startup he has to live in the Valley. After his $10k per month take-home, the rent leaves him just enough to live on Soylent plus whatever’s on offer in the company canteen where every week is either vegan week or paleo week.

Nobody told him that as Junior VP for Embedded Systems Security (JVPESS), his job is to give advice that’s routinely ignored or overruled.

Meet the designer

“All we want to do is integrate the experience of the bedside A.M. clock-radio into a fully-social cloud platform to leverage its audience reach and maximise the effectiveness of converting advertising into a positive buying experience”, the Chief Design Officer said (the CDO dresses like Jony Ive, because they retired the Steve Jobs uniform like a football club retiring the Number 10 jumper when Pele quit).

For his implementation, the JVPESS chose a chip so stupid the Republicans want to field it as Trump’s running-mate, wrote a communications spec that did exactly and only what was in the requirements, and briefed the embedded software engineer.

The embedded software engineer only makes stuff actually work, so he earns about one-sixth that of the User Experience Ninja that reports to Jony Ive’s Style Slave and has to live in Detroit. But he’s boring and conscientious and delivers the code.

Eventually, the JVPESS hands over a design to Jony Ive’s Outfit knowing it’ll end in tears.

Two weeks later, Jony Ive’s Style Slave returns to request approval for “just a couple of last minute revisions. We have to press ‘go’ on the project by close-of-business today so if you could just look this over”.

August 2, 2015

Thinking about realistic security in the “internet of things”

Filed under: Technology — Nicholas @ 02:00

The Economist looks at the apparently unstoppable rush to internet-connect everything and why we should worry about security now:

Unfortunately, computer security is about to get trickier. Computers have already spread from people’s desktops into their pockets. Now they are embedding themselves in all sorts of gadgets, from cars and televisions to children’s toys, refrigerators and industrial kit. Cisco, a maker of networking equipment, reckons that there are 15 billion connected devices out there today. By 2020, it thinks, that number could climb to 50 billion. Boosters promise that a world of networked computers and sensors will be a place of unparalleled convenience and efficiency. They call it the “internet of things”.

Computer-security people call it a disaster in the making. They worry that, in their rush to bring cyber-widgets to market, the companies that produce them have not learned the lessons of the early years of the internet. The big computing firms of the 1980s and 1990s treated security as an afterthought. Only once the threats—in the forms of viruses, hacking attacks and so on—became apparent, did Microsoft, Apple and the rest start trying to fix things. But bolting on security after the fact is much harder than building it in from the start.

Of course, governments are desperate to prevent us from hiding our activities from them by way of cryptography or even moderately secure connections, so there’s the risk that any pre-rolled security option offered by a major corporation has already been riddled with convenient holes for government spooks … which makes it even more likely that others can also find and exploit those security holes.

… companies in all industries must heed the lessons that computing firms learned long ago. Writing completely secure code is almost impossible. As a consequence, a culture of openness is the best defence, because it helps spread fixes. When academic researchers contacted a chipmaker working for Volkswagen to tell it that they had found a vulnerability in a remote-car-key system, Volkswagen’s response included a court injunction. Shooting the messenger does not work. Indeed, firms such as Google now offer monetary rewards, or “bug bounties”, to hackers who contact them with details of flaws they have unearthed.

Thirty years ago, computer-makers that failed to take security seriously could claim ignorance as a defence. No longer. The internet of things will bring many benefits. The time to plan for its inevitable flaws is now.