- If consumers were making an informed decision and that informed decision affected no one but themselves, perhaps we could let the matter rest. But neither of those conditions is true. Most consumers fail to appreciate the consequences of purchasing insecure IoT devices. Worse, such a quantity of insecure devices makes the Internet less secure for everyone. What botnet will use vulnerable webcams to launch DDoS attacks? What malware will use insecure webcams to infect smart homes? When 2008-era malware like Conficker.B affects police body cams in 2015, it threatens not just the reliability of recorded police activity but also serves as a transmission vector to attack other devices.
Back when Internet Cafes were a thing, my favorite had a script that watched all the traffic going over the network, collected images, made collages out of them and projected them on the wall. When people got freaked out the owner would give them a lecture on SSL. Eventually he had a very security conscious clientele.
That is both evil and beautiful. At LAN events I run security scans to help people lock their PCs down. I give people a list of files in their drives, and then show them how to disable those types of scans and attacks. We don't do public shaming or anything like that; we feel that the educational impact of a guy going back to his table and telling his friends that we can 'hack' his computer is worth it to us.
There are a ton of pen testing tools, mostly on Linux. Run through the DHCP table of all the devices on your network, pull the MAC addresses. Everything that is a "computer" NIC and not a phone etc. gets pen tested. If that NIC shows up as something that should not be on the LAN network, say a switch, we can locate it to within 6-12 seats and deal with it. NIC MAC addresses are allocated based on manufacturer and can be cross-referenced and isolated. One of the fun things is that if you see a PC running bittorrent traffic, you route that traffic to a bit bucket and wait for the 'victim' to come up and say his network is not working. Then we get to politely tell them to stop torrenting shit on our LAN. The amazing thing is that once people know they are being watched, the behavior gets better. This is also, as an aside, why indiscriminate surveillance is bad and why I am against it. I've been in the position of overseer, and have to force myself to deal with the impact on my person. If I get a bit power trippy over a LAN, imagine what someone with life and death powers can do and feel.
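The DHCP-table walk described in the comment above, as an added example that is not code from the thread or from any of its posters: parse a lease table, look up each MAC's manufacturer prefix (OUI), and flag anything whose device class is not expected on a LAN-party table. The lease lines, the OUI table and the class labels are all constructed for illustration; a real check would resolve prefixes against the IEEE OUI registry, and the vendor-to-class mapping stays the operator's own judgement.

```python
"""Added example (not code from the thread): classify the devices in a DHCP
lease table by the manufacturer prefix (OUI) of their MAC addresses and flag
anything that is not an expected device class on a gaming LAN.

Everything here is constructed for illustration: the lease lines, the small
OUI table and the device classes. A real check would use the IEEE OUI
registry (the vendor-to-class mapping is still the operator's own judgement).
"""
import re
from collections import Counter

# Constructed OUI table: 24-bit manufacturer prefix -> (vendor, device class).
# Assumption for this example; real prefixes come from the IEEE registry.
OUI_TABLE = {
    "00:1A:2B": ("ExampleNIC Corp", "computer"),
    "00:3C:4D": ("ExamplePhone Inc", "phone"),
    "00:5E:6F": ("ExampleSwitch Ltd", "switch"),
}

# Device classes we expect to see plugged into a LAN-party table.
EXPECTED_CLASSES = {"computer", "phone"}

# Constructed DHCP lease lines in dnsmasq-style format:
# <expiry epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1700000000 00:1a:2b:10:20:30 10.20.0.11 gamer-pc-1 *
1700000000 00:3c:4d:aa:bb:cc 10.20.0.12 android-phone *
1700000000 00:5e:6f:01:02:03 10.20.0.13 * *
1700000000 de:ad:be:ef:00:01 10.20.0.14 mystery *
"""

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-fA-F:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_leases(text):
    """Return a list of (mac, ip, hostname) from dnsmasq-style lease lines."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        _, mac, ip, hostname, _ = m.groups()
        leases.append((mac.upper(), ip, hostname))
    return leases


def classify(mac):
    """Look up the OUI (first three octets) and return (vendor, class)."""
    oui = mac.upper()[:8]
    return OUI_TABLE.get(oui, ("unknown", "unknown"))


def audit(text):
    """Return (all rows, flagged rows); flagged = class not in EXPECTED_CLASSES."""
    rows, flagged = [], []
    for mac, ip, hostname in parse_leases(text):
        vendor, cls = classify(mac)
        row = {"mac": mac, "ip": ip, "hostname": hostname,
               "vendor": vendor, "class": cls}
        rows.append(row)
        if cls not in EXPECTED_CLASSES:
            flagged.append(row)
    return rows, flagged


if __name__ == "__main__":
    rows, flagged = audit(SAMPLE_LEASES)
    print(Counter(r["class"] for r in rows))
    for r in flagged:
        print("FLAG", r["ip"], r["mac"], r["vendor"], r["class"])
```

Unknown prefixes are flagged along with known-but-unexpected ones, which is the right default for an inventory check: a MAC that resolves to nothing is exactly the device you want to walk over and look at.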
Yeapers. I'm not a BOFH, honest! We have three days of gaming, and to make things run well, the 2x4's and ball bats come out. You do something that impacts other people's fun and enjoyment that they paid for, we have a chat. Edit to add: in 15-plus years of LAN parties, I can number problem jackasses under 4-5 incidents. One of those was accidental, another was a fellow security IT guy testing to see what he could get away with. The actual real 'bad guys' don't go and stir shit at an event with 300 or more gamers all of whom now have access to your physical gear and person. We've not even had fist fights at any of our events that I am aware of. These guys talk smack online then duke it out in a game or dozen.
Indefinite detention as LART? I don't think I've ever seen anyone make that connection. I think the problem with mass surveillance is more subtle than that though. I think I've recommended Discipline and Punish in threads about surveillance often enough to be tedious, but I think his analysis of the panopticon really is the definitive argument against mass surveillance. If you might be watched at any time you always act as if you are being watched. The effect that being the watcher has on the watcher doesn't really matter; the harm is done even if the mechanism exists but no one is using it.
Haha, great. There's a convention I go to yearly where a guy brings over a computer lab of Linux machines. For years I was able to telnet from one to the other and issue commands to launch the web browser to whatever site I wanted, trolly images, turn up the volume all the way and play sound files found on the hard drive, etc. I emailed him anonymously about it the first year and it was never fixed for years, until he bought new hardware entirely. I could have captured almost whatever I wanted, lol.
Okay, so this is an interesting and useful juncture, as I have a Thing of the Internet. Having done an evaluation of the $40 delta between "decent smoke/CO detector" and "Nest Protect" I went with the talky glowy motion-sensory choice. I do not regret this purchase as having something say "Heads up! There's smoke in the hallway! Get over here and shut me up in ten seconds or I'll scream at you!" beats the shit out of instantaneous loud beeping. BUT I am conscious that it is an internet appliance, constantly hooked up to the Web, with more telemetry than I'm using (or allowed to use). I also know that the configuration utility presented to me cares precious little about security. So... how can I check what Mr. Nest is saying about my house? How can I check to see what it's putting on my network? As there's no camera on it and (so far as I know) no microphone, I do not believe it presents much of a security risk, but I also suspect it's sharing more than it's telling me.
You can sniff what it's sending with Wireshark, but I'd be surprised if someone hadn't already investigated it for you. Quick googling only found this; they don't know what it's sending back to the mothership, but think you can prevent it from sending whatever it is without preventing it from doing its smoke alarm thing.
Right. So this is advantageous because (A) I'm about to have a Windows machine up and functional for the first time in decades (B) The whole damn internet will be coming through this thing. Is there a clever way to get it to report to me what it's seeing from assorted internal IPs? 'cuz I discovered today that my friendly neighborhood smoke detector will gladly tell me over the internet how many times my toddler got up to pee last Wednesday night.
You can filter what it displays, including by source and destination. You can (and should!) also filter what it captures in the first place.
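The question a few comments up (what is the smoke detector putting on my network, and can the capture be filtered by internal IP?) and the answer above, worked as an added example that is not code from the thread: a small script that takes a Wireshark/tshark field export and summarises, per device, which outside hosts and ports it talks to and how many bytes go there. In Wireshark itself the equivalent of the `src` argument is the display filter `ip.src == 192.168.1.50`, and limiting what is captured in the first place is done with a capture filter such as `host 192.168.1.50`. The capture rows below are constructed by hand in the shape `tshark -T fields` would emit; the device addresses, the LAN range and the destinations are all assumptions for the example.

```python
"""Added example (not from the thread): summarise what each device on the LAN
is talking to, from a Wireshark/tshark field export, optionally restricted to
one source address (the equivalent of the display filter `ip.src == <addr>`).

The capture lines below are constructed for this example. They imitate the
output of
  tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst \
         -e tcp.dstport -e frame.len -E separator=,
but were written by hand; no real device produced them.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed LAN range; traffic whose destination is inside it is "local".
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed export rows: time,src,dst,dst_port,frame_len
SAMPLE_EXPORT = """\
1700000000.10,192.168.1.50,203.0.113.10,443,517
1700000000.40,192.168.1.50,203.0.113.10,443,1514
1700000001.00,192.168.1.51,198.51.100.7,443,400
1700000002.00,192.168.1.50,192.168.1.1,53,78
1700000003.00,192.168.1.50,203.0.113.44,8883,220
"""


def parse_export(text):
    """Yield one dict per CSV row; port and length become ints, port may be empty."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # ignore blank or malformed rows
        t, src, dst, dport, flen = row
        yield {"time": float(t), "src": src, "dst": dst,
               "dport": int(dport) if dport else None, "len": int(flen)}


def is_local(addr):
    """True when the address sits inside the assumed LAN range."""
    return ipaddress.ip_address(addr) in LAN


def egress_summary(text, src=None, external_only=True):
    """Return {src: {(dst, port): (packets, bytes)}}.

    `src` restricts the summary to one source address, like `ip.src == addr`
    in Wireshark; `external_only` drops packets whose destination is on the
    LAN so only traffic leaving the house is counted.
    """
    summary = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for pkt in parse_export(text):
        if src and pkt["src"] != src:
            continue
        if external_only and is_local(pkt["dst"]):
            continue
        entry = summary[pkt["src"]][(pkt["dst"], pkt["dport"])]
        entry[0] += 1            # packet count
        entry[1] += pkt["len"]   # bytes on the wire
    return {s: {k: tuple(v) for k, v in d.items()} for s, d in summary.items()}


if __name__ == "__main__":
    for device, dests in egress_summary(SAMPLE_EXPORT).items():
        print(device)
        for (dst, port), (pkts, nbytes) in sorted(dests.items()):
            print(f"  -> {dst}:{port}  {pkts} pkts, {nbytes} bytes")
```

The byte counts, not the packet counts, are what answer "how much is it telling the mothership"; a device that only ever sends a few hundred bytes to one host on one port looks very different from one that streams. The unexpected port (8883 in the constructed rows, assumed here to stand for a TLS MQTT-style connection) is the sort of thing this summary surfaces that the vendor's configuration utility does not.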
Some of the DD-WRT firmwares, Tomato etc. have the ability to sniff everything crossing your network. I've played with them when I had roommates to keep them from downloading viruses and illegal music programs. You can also play with DD-WRT and use it like a full commercial firewall and block ads at the network entry point. Mince will even block all Java applets if I am feeling extra paranoid. Link Only thing to be wary of is that you have to match the firmware of your router EXACTLY with the exact software loads.
Not even navigation systems are safe! This has been a thing for a while though, but just popped up on their site. The guys hacking cars via Bluetooth were able to change the routing of the nav systems in a couple of the cars.
https://nest.com/support/article/Learn-more-about-Nest-Protect-s-microphone Your nest probably has a microphone.
No matter how smart or curious you are, someone out there has you beat by miles. Using the Nest to find out when you are home and on vacation, and then you've got the usual of using the Nest to break into your WiFi. How can you tell? Roll your own firewall and log every packet that goes in and out of the house. Using deep packet inspection, you can see exactly what every device is doing. Theoretically, pull up to a house in a van marked with the local cable company logos, splice a sniffer into the wire (hell, just ask to enter and 'check the equipment') and now you can monitor internet activity. If we were running a game on a high value individual, within 30 days we have that person's schedule, where they web surf (even if the data is encrypted the metadata has significant worth, cue the NSA), when they are home, when they sleep, what sorts of devices they own (i.e. are they worth conning/robbing?) and can probably get their circle of friends and figure out their net worth based on what websites they go to. Is everything above possible? Right now, hell yes it is. Thanks to Snowden we know the NSA, FBI and UK governments do this to people they want to monitor. Our main advantage is that we are nobodies and below the radar. I'm not going to do anything more disruptive to the government other than write some campaign contribution checks and bitch about my tax bill this year. I'm much more worried about some Central European Bitcoin gangs who can sit in a room and figure this stuff out because stealing $4000 feeds and shelters them for three months. The risk/reward dynamic gets set all out of whack when you know the local PD don't care about "internet" crime overseas. For the record, I do not have any internet connected "smart" devices in the house other than the computers, cell phones, tablet et al. I use to work and read. And with those devices alone the above scenario would be to my detriment, no smart devices needed.
My lack of ownership of these devices is not due to paranoia but to my being a cheap bastard who can live with a $20 thermostat I got off Amazon when I got the house, and the fire alarms are all standard 10 year dumb devices because they are cheap, subsidized by the local fire department, and they work. If I had kids, I can see that changing. Is this something that 'normal' people should worry about? Worry, probably not. Freak out over? Definitely not. Have in the back of their heads? Absolutely. But I'm starting to see that there is good money to be made in helping the normals secure their stuff against the bad guys.
The internet of things is a little bit of a pervasive security nightmare. I feel like in a few years we're going to be back in a state similar to the early days of the internet with regard to IoT. If people are slow to patch web servers and mobile apps, imagine how slow they will be to patch lightbulbs, cameras, door locks etc. They might be more of a problem with consumer grade 'out-of-the-box' type products where ease-of-use is a massive priority; I imagine that use of IoT in corporate or industrial settings might be better. My company's head of technology frequently talks about IoT with massive enthusiasm and optimism, but that just scares me.
Within the last 12 months, I've been paid to fix Windows 95 machines. It seems to me that the people making the tech are decoupled from the actual people who use the stuff and the realities of budgets.
I'm not surprised, exactly, but damn that's creepy.
There are dedicated Chan boards who keep lists of people's front door cameras, publicly available credit card readers and just about anything that you can connect to the internet. There was a report just this week that the Ring Cameras can be hacked to give full access to a house's internal network, including the wifi encryption keys. In 4-5 years this is going to be a big opportunity for security people, and for thieves.