posted by Fnord666 on Wednesday June 19 2019, @10:28AM
from the seems-ok-to-me dept.

Submitted via IRC for Bytram

Consumers Urged to Junk Insecure IoT Devices

A security researcher who disclosed flaws impacting 2 million IoT devices in April – and has yet to see a patch or even hear back from the manufacturers contacted – is sounding off on the dire state of IoT security.

More than 2 million connected security cameras, baby monitors and other IoT devices have serious vulnerabilities that have been publicly disclosed for more than two months – yet they are still without a patch or even any vendor response.

Security researcher Paul Marrapese, who disclosed the flaws in April and has yet to hear back from any impacted vendors, is sounding off, saying that consumers should throw the devices away. The flaws could enable an attacker to hijack the devices and spy on their owners – or further pivot into the network and carry out more malicious actions.

“I 100 percent suggest that people throw them out,” he told Threatpost in a podcast interview. “I really, I don’t think that there’s going to be any patch for this. The issues are very, very hard to fix, in part because, once a device is shipped with a serial number, you can’t really change that, you can’t really patch that, it’s a physical issue.”

Marrapese said that he sent an initial advisory to device vendors in January, and after coordinating with CERT eventually disclosed the flaws in April due to their severity. However, even in the months after disclosure he has yet to receive any responses from any impacted vendors despite multiple attempts at contact. The incident points to a dire outlook when it comes to security, vendor responsibility, and the IoT market in general, he told Threatpost.

b-b-b-b-but it is still working!


  • (Score: 2) by MostCynical on Wednesday June 19 2019, @10:54AM (1 child)

    by MostCynical (2589) on Wednesday June 19 2019, @10:54AM (#857390) Journal

    Even when these things have already been shown to reveal information, real time video feeds and more to other people, they are still being bought...

    https://soylentnews.org/submit.pl?op=viewsub&subid=33214 [soylentnews.org]
    https://soylentnews.org/submit.pl?op=viewsub&subid=31314 [soylentnews.org]

    "It won't happen to me"
    or
    "they must have done something wrong"
    or
    "they must have been dumb. I'm not dumb, so it won't happen to me"

    Is it a good thing these won't lead to Darwin awards?

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 4, Insightful) by nobu_the_bard on Wednesday June 19 2019, @06:41PM

      by nobu_the_bard (6373) on Wednesday June 19 2019, @06:41PM (#857560)

      That's not why. It's because people don't do research like that. They are blinded by the possibilities - the rave reviews, the marketing push, the cool display in Home Depot, whatever. They don't look at the criticisms unless they are cautious or want to hate it.

      I've known a fair number of people that would stop me from telling them about the latest ransomware tactic - they refused to hear it. They don't understand and it's nothing but frightening to them. But they heard about people getting rich off this bitcoin thing, they'd love to hear about that...

      IT and security people are pessimists by necessity and have to stare into the abyss; others tune out and turn back around and look to the fun parts of the technology.

  • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @10:57AM

    by Anonymous Coward on Wednesday June 19 2019, @10:57AM (#857391)

    Well, how could we regulate the cyberspace by law?

  • (Score: 3, Insightful) by Bot on Wednesday June 19 2019, @11:03AM (12 children)

    by Bot (3902) on Wednesday June 19 2019, @11:03AM (#857392) Journal

    Working as intended.
    Why should the consumer pay for defective items? Write a one line law that allows the consumer to return a FAULTY item when the fault emerges, no matter the warranty. But ofc for all the spouting of principles no politician of whatever area is going to go against his masters this way.

    In the meantime, any IOT device put on the public network is not good practice. A VPN solution such as tinc is powerful and easy to set up.

    --
    Account abandoned.
    • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @11:11AM (2 children)

      by Anonymous Coward on Wednesday June 19 2019, @11:11AM (#857394)

      No. VPN setups are technically difficult to tap into for ordinary enforcement. You cannot overload special task forces by boring daily operations on all over the landscape. Everything must be criminally transparent for any possible meaning of transparency. And let the consumer pay for that transparency, of course.

      • (Score: 2) by isostatic on Wednesday June 19 2019, @11:19AM (1 child)

        by isostatic (365) on Wednesday June 19 2019, @11:19AM (#857395) Journal

        No. VPN setups are technically difficult to tap into for ordinary enforcement.

        The UK's porn block will dramatically increase the amount of VPN traffic in the UK, it's a great thing.

        • (Score: 2) by Webweasel on Thursday June 20 2019, @09:04AM

          by Webweasel (567) on Thursday June 20 2019, @09:04AM (#857830) Homepage Journal

          It won't happen. They pushed it back again today, no reason given.

          We all know the real reasons. It won't work and it's pointless if you don't include reddit.

          --
          Priyom.org Number stations, Russian Military radio. "You are a bad, bad man. Do you have any other virtues?"-Runaway1956
    • (Score: 1, Informative) by Anonymous Coward on Wednesday June 19 2019, @12:00PM (8 children)

      by Anonymous Coward on Wednesday June 19 2019, @12:00PM (#857399)

      write a one line law

      Why write a law that already exists?
      Consumers can return any items with defects within 2 years (or 1 if you live in the US). After those 2 years, you can still return items with defects and expect free fixes/refunds under certain conditions, which I think may be met in this case.
      (I don't recall the exact conditions, but some of them: fault present during manufacturing, normal service life of the device is expected to exceed current time frame.)

      • (Score: 1, Insightful) by Anonymous Coward on Wednesday June 19 2019, @12:21PM

        by Anonymous Coward on Wednesday June 19 2019, @12:21PM (#857408)

        I think it is that these devices are relatively cheap (they talk about $20 devices in the article), in that returning them just isn't worth it.

      • (Score: 3, Interesting) by Thexalon on Wednesday June 19 2019, @01:17PM (3 children)

        by Thexalon (636) on Wednesday June 19 2019, @01:17PM (#857420)

        Consumers can return any items with defects within 2 years (or 1 if you live in the US). After those 2 years, you can still return items with defects and expect free fixes/refunds under certain conditions, which I think may be met in this case.

        Not really, in the US at least.

        That's part of the implied warranties that are part of the Universal Commercial Code, e.g. the warranty of merchantability. However, the boilerplate of any EULA you've ever accepted specifically says that those warranties do not apply to the product in question if you want it to do anything useful, which means that while in theory those rules apply, in practice they don't.

        And to add insult to injury, again in the US, once you've signed any kind of consumer contract in the last 10 years or so, you have now agreed that you will not be able to sue the company for any reason whatsoever. Instead, if there's a dispute, you are required to go through binding arbitration where the company selected the arbitrator, and you can be certain that the arbitrator was not picked for their fairness to you. And they also maxed out damages at whatever you paid them for the service, so after a lot of time and hassle and possibly legal expenses you might win your $30 back. So even if the seller broke the rules, and the rules applied because no EULA was involved, you will be completely unable to do anything useful about it.

        Don't you love late-stage capitalism?

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
        • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @02:48PM (2 children)

          by Anonymous Coward on Wednesday June 19 2019, @02:48PM (#857446)

          And to add insult to injury, again in the US, once you've signed any kind of consumer contract in the last 10 years or so, you have now agreed that you will not be able to sue the company for any reason whatsoever.

          I still wonder how such a clause can even be legal.

          • (Score: 4, Informative) by Thexalon on Wednesday June 19 2019, @03:14PM

            by Thexalon (636) on Wednesday June 19 2019, @03:14PM (#857466)

            Because SCOTUS has repeatedly said, in 5-4 decisions, that both no-class-action and binding-arbitration clauses are A-OK in all kinds of contracts, including consumer contracts and employee contracts. Those are among the most consequential Supreme Court cases you've never heard of, like Directv v. Imburgia which states that those binding arbitration clauses are valid even in states that passed laws saying they're not.

            They're consequential, of course, because they effectively make it so the companies that write those contracts no longer have to obey the civil laws of the US. You should try to avoid signing those kinds of contracts as much as you can, but it's difficult when signing those kinds of contracts is necessary to get things like Internet access or electric power to your home.

            --
            The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 3, Insightful) by fido_dogstoyevsky on Wednesday June 19 2019, @11:48PM

            by fido_dogstoyevsky (131) <axehandleNO@SPAMgmail.com> on Wednesday June 19 2019, @11:48PM (#857669)

            ...in the US, once you've signed any kind of consumer contract in the last 10 years or so, you have now agreed that you will not be able to sue the company...

            I still wonder how such a clause can even be legal.

            It isn't, in other parts of the world, where the consumer can't waive consumer protection legislation.

            --
            It's NOT a conspiracy... it's a plot.
      • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @02:01PM

        by Anonymous Coward on Wednesday June 19 2019, @02:01PM (#857433)

        I'm not going to swear to this, but I think it's two minutes in the US. Buyer beware.

      • (Score: 2) by driverless on Thursday June 20 2019, @06:04AM (1 child)

        by driverless (4770) on Thursday June 20 2019, @06:04AM (#857784)

        Consumers can return any items with defects within 2 years (or 1 if you live in the US).

        How do you return an item to "Doorway 3, Alley #2, Yu-Shiang Whole Fish District, Shenzhen, China"?

  • (Score: 2) by SomeGuy on Wednesday June 19 2019, @12:17PM (14 children)

    by SomeGuy (5632) on Wednesday June 19 2019, @12:17PM (#857406)

    A better question is what should consumertards do after they junk these IoT gadgets. They will refuse to go back to non-IoT devices "because old", and new IoT shit will just have the exact same problem.

    Of course, manufacturers WANT people to wastefully throw out their old stuff and buy all new stuff, but they want it to be done on their schedule.

    • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @01:17PM (12 children)

      by Anonymous Coward on Wednesday June 19 2019, @01:17PM (#857421)

      I'm probably not your typical consumer. I would really like some new high-quality dumb appliances. Could you point me at a quality (at least on par with Samsung) 75 inch 4K dumb TV with at least 4 HDMI inputs and a North American OTA TV tuner built in?

      Once I find that we can talk about the fridge, stove, microwave, toaster, light bulbs, clock, radio, and garage door opener.

      But you will have to pry my privacy violating always-on front door video monitor from my cold dead hands.

      • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @01:36PM

        by Anonymous Coward on Wednesday June 19 2019, @01:36PM (#857424)

        You should build those devices yourself from scratch, and write the software too, if you wish to trust them in full spectrum of meaning of trust.

      • (Score: 1, Insightful) by Anonymous Coward on Wednesday June 19 2019, @02:51PM (8 children)

        by Anonymous Coward on Wednesday June 19 2019, @02:51PM (#857448)

        You get a dumb TV by taking a smart TV and not allowing it to connect to the internet.

        • (Score: 1, Interesting) by Anonymous Coward on Wednesday June 19 2019, @03:03PM (6 children)

          by Anonymous Coward on Wednesday June 19 2019, @03:03PM (#857456)

          You may not get that choice if they start coming with SIM modules that let them connect to wireless data networks.

          • (Score: 2) by RS3 on Wednesday June 19 2019, @07:37PM (5 children)

            by RS3 (6367) on Wednesday June 19 2019, @07:37PM (#857578)

            Just like cars.

            If anything, including cars, tries that on me, I'll find and disable it.

            But who's paying for the cell network data (air time)?

            • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @07:56PM (4 children)

              by Anonymous Coward on Wednesday June 19 2019, @07:56PM (#857585)

              But who's paying for the cell network data (air time)?

              The marketers of your data, of course. And no, it is not going to cost them $30 for unlimited data per person, per device, per month. They'll get volume pricing for something like $20 million for unlimited data, unlimited people, unlimited devices, per five years.

              • (Score: 2) by RS3 on Wednesday June 19 2019, @08:52PM (2 children)

                by RS3 (6367) on Wednesday June 19 2019, @08:52PM (#857599)

                And the fact is, the data they need to move would be in the low-ks of bytes, so it would phone in maybe once a day and take seconds to transfer the data.

                Again, find that module.

                • (Score: 0) by Anonymous Coward on Thursday June 20 2019, @01:05AM (1 child)

                  by Anonymous Coward on Thursday June 20 2019, @01:05AM (#857693)

                  Some car companies apparently let the owner obtain a hotspot, so thrifty use of bandwidth is probably not a necessity.

                  The modules are getting quite small, if I'm not mistaken they just have to be a blob on the circuit board, with an antenna possibly included. I'd be real interested how to continue defeating data exfiltration.

                  • (Score: 2) by RS3 on Thursday June 20 2019, @04:52AM

                    by RS3 (6367) on Thursday June 20 2019, @04:52AM (#857768)

                    Yes, I know several people who have cars with hotspots, including a Chevy Bolt.

                    Well, I have an automotive tracker module in my hand. It's made by Enfora. It plugs into the OBD-II connector in the car. It's about 5 cm x 5 cm x 2 cm. It's mostly empty space. There are 2 circuit boards with active circuits, including a SIM socket. 2 circuit boards are printed antennas. It has GPS and GSM cell network and possibly Bluetooth or some other local communications, and also a micro-USB port.

                    Many (most?) cell phones are using ceramic antennas, which are quite tiny. https://www.johansontechnology.com/antennas [johansontechnology.com]

                    The point being the cell communication electronics can be quite small. So to find them in a car you might search the web for info from others who figured it out. Or someone would need an RF field detector with a small directional antenna. The RF won't be on all the time, but possibly when ignition is switched ON, or OFF.

                    I have a pair of wireless 900MHz headphones through which you can hear sounds from both cell phones and WiFi, so it might be good enough to locate the little bug. The antenna might have an accident at that point.

                    All that said, I worked on a friend's 2007 Mercedes recently and under the rear seat we found fairly large electronics modules with antenna cables going to antennas in the rear window. So in some cases the bugger (literally) might be easy to find and disable.

                    I bet someone sells RF transmitter locators.

              • (Score: 3, Interesting) by fido_dogstoyevsky on Wednesday June 19 2019, @11:51PM

                by fido_dogstoyevsky (131) <axehandleNO@SPAMgmail.com> on Wednesday June 19 2019, @11:51PM (#857670)

                But who's paying for the cell network data (air time)?

                The marketers of your data, of course...

                Which is a euphemism for "You, of course".

                --
                It's NOT a conspiracy... it's a plot.
        • (Score: 2) by Mykl on Thursday June 20 2019, @07:43AM

          by Mykl (1112) on Thursday June 20 2019, @07:43AM (#857824)

          Better yet, enclose your TV in a Faraday cage!

      • (Score: 2) by legont on Wednesday June 19 2019, @04:09PM (1 child)

        by legont (4179) on Wednesday June 19 2019, @04:09PM (#857490)

        I am way less ambitious. I just want a dumb car. Any mid-range late last century will do.

        --
        "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
        • (Score: 2) by Dr Spin on Thursday June 20 2019, @06:49AM

          by Dr Spin (5239) on Thursday June 20 2019, @06:49AM (#857797)

          I just want a dumb car. Any mid-range late last century will do.

          So do I.

          But here in the UK, they are working hard on banning older cars completely.
          Currently, cars prior to Euro6 (2015) are effectively banned from central London,
          with plans to extend this to most of London in 2021. I believe other cities will
          be drawn into the net because it is supposedly about pollution.

          Unfortunately, while we know Euro6 engines are lower pollution in a Lab
          there is no scientific data whatever that they are better on the road.
          (Note that we are also told that electric cars produce less pollution - although
          most of the bad pollution these days is particulates - which are produced by the tyres and
          brakes - and, since electric cars are much heavier, they will produce a lot more
          of these particulates).

          And we are told that Diesels are bad because of NO2 - but older diesel engines did not
          produce NO2 - it is only the more recent ones that run the engine extremely hot.
          Euro6 engines use urea injection to neutralise the NO2 - but who knows if they use
          the right amount of urea on the road? You cannot measure how much is required,
          since it depends on the amount of gas and temperature in the combustion chamber,
          which is too hot for sensors to measure - so the microprocessor has to guess.
          And, guess what, reports of asthma and other breathing problems have increased
          enormously since Euro6 engines were introduced, although NO2 has gone down.

          We have also seen car theft go up 50% because of keyless "locks" - which are
          completely useless as security devices (unlike a mechanical key which is known
          to work perfectly well, and cost less than 1/10 the price to replace).

          I don't dispute that older diesel engines produce particulates - but they did not
          have DPFs.

          [Petrol engines produce masses of NO2, but allegedly the catalytic converters
          are effective at removing it. Again, not much field data on petrol cars in real life
          situations, either].

          --
          Warning: Opening your mouth may invalidate your brain!
    • (Score: 2) by HiThere on Wednesday June 19 2019, @04:35PM

      by HiThere (866) Subscriber Badge on Wednesday June 19 2019, @04:35PM (#857498) Journal

      Don't junk them, return them to the seller as "defective" and "unfit for purpose". And don't buy an IoT replacement.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @01:11PM

    by Anonymous Coward on Wednesday June 19 2019, @01:11PM (#857418)

    Hmmm, maybe this plastic IoT junk could be regulated in a similar way to plastic packaging.

  • (Score: 3, Interesting) by DannyB on Wednesday June 19 2019, @01:50PM (16 children)

    by DannyB (5839) Subscriber Badge on Wednesday June 19 2019, @01:50PM (#857427) Journal

    I've said this before. It is not always popular. But think it through.

    Part of the solution is to make the vendors (or manufacturers?) of devices (fully or partly?) liable for the damage caused by their security problems.

    If I buy a toaster, I expect it not to burn my house down.

    Now don't misread or misinterpret what I am saying. I am NOT saying that there should be a government standard or government certification of devices. If manufacturers want to create something like "underwriters laboratories" that is fine, and upon them, and voluntary.

    Putting the liability for damages where it belongs would fix the broken incentives. Right now there is every incentive to ignore security problems in devices. There needs to be a big incentive to invest in security. If everyone shared that common interest, then manufacturers would work together. Share the cost of securing things. Share the cost of more security research. I'm not suggesting socialism, just the same kind of incentives for why major corporations invest in developing and improving other major open source projects, including Linux.

    When there is a clear common incentive for all industry players to cooperate on investing in something non proprietary, we seem to be able to achieve greatness. Just look at Linux and other major open source projects. So why wouldn't this principle work if everyone had a big incentive for everything to be very secure?

    The only government action that I AM RECOMMENDING is to legally put the liability on the manufacturer. Just as it should be. Just like a vendor of toasters can't just get a free pass for making shoddy toasters that burn down people's homes. Why should it be any different?

    It's not that some toaster, somewhere, might malfunction and cause a fire. And some security vulnerability somewhere might be exploited. But there would be major industry cooperation on preventing this from ever happening. A manufacturer could say with a straight face, that this one toaster was simply defective. Or this one vulnerability was an anomaly and that they invest serious resources into securing their systems. Also as part of that security incentive, manufacturers might make devices updatable with regular security updates in appropriate classes of devices.

    --
    When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
    • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @02:25PM (9 children)

      by Anonymous Coward on Wednesday June 19 2019, @02:25PM (#857441)

      Sounds like a good idea. Until taking into account that manufacturers are located in different countries, and one country's laws don't extend into another country. For example, if the United States passed the law you propose, how could it be enforced on manufacturers in China? Do you place the importers in a proxy position and charge them? Or the retailers that sell the products? No one but the manufacturer has any control over the devices, the flaws and any fixes to those flaws.

      • (Score: 2, Insightful) by Anonymous Coward on Wednesday June 19 2019, @02:58PM (1 child)

        by Anonymous Coward on Wednesday June 19 2019, @02:58PM (#857452)

        Do you place the importers in a proxy position and charge them? Or the retailers that sell the products? No one but the manufacturer has any control over the devices, the flaws and any fixes to those flaws.

        But the retailers have control over what devices they do and do not sell. So make them liable, but allow them to pass on the liability to the manufacturer. If a manufacturer does not agree beforehand to handle all possible liabilities, but the retailer decides to sell the item anyway, well, that's the retailer's decision to take the risk. But probably most retailers would simply not sell any device where they don't have a credible assurance that they can pass on all liabilities to the manufacturer. Which means that effectively, the manufacturers would be required to take the liabilities because otherwise nobody will sell their stuff.

        • (Score: 4, Interesting) by RS3 on Wednesday June 19 2019, @04:26PM

          by RS3 (6367) on Wednesday June 19 2019, @04:26PM (#857492)

          All of the above. Plus, as someone alluded to, there should be qualification / testing labs, similar to UL (maybe UL should do it) and wholesalers / retailers would only sell qualified IoT stuff if they're smart.

          I hate to be pessimistic, but from what we're seeing coming out of court decisions, things are just going to get worse.

      • (Score: 2) by DannyB on Wednesday June 19 2019, @07:29PM (6 children)

        by DannyB (5839) Subscriber Badge on Wednesday June 19 2019, @07:29PM (#857575) Journal

        If I buy a Chinese made toaster, there is still someone who is liable if it causes a fire because its design is clearly negligent and wreckless. (er... wreckful?)

        --
        When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
        • (Score: 3, Touché) by RS3 on Wednesday June 19 2019, @07:40PM (5 children)

          by RS3 (6367) on Wednesday June 19 2019, @07:40PM (#857579)

          If I buy a Chinese made toaster...

          Are you saying there's another kind?

          • (Score: 2) by takyon on Wednesday June 19 2019, @08:54PM (4 children)

            by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday June 19 2019, @08:54PM (#857600) Journal
            --
            [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
            • (Score: 3, Interesting) by RS3 on Wednesday June 19 2019, @09:11PM (3 children)

              by RS3 (6367) on Wednesday June 19 2019, @09:11PM (#857605)

              You're preaching to the choir brother! I occasionally get flak for keeping and fixing older things. I just like the way things were made "back in the day" - when people took pride in making quality, before the MBAs took over.

              That video gives me a melancholy memory of an awesome toaster we (parents / family) had for 20+ years. Had to fix a few things in it. Even patched the heating elements when they broke. Someone eventually tossed it. Grrrrr.

              It had a strong spring, but also had a "dashpot" to bring your toast up slowly. One late night a friend and I decided to disable the dashpot. The next day my mom wanted to know why her toast was on top of the refrigerator. When I finally stopped laughing I put the dashpot back in.

              • (Score: 2) by takyon on Wednesday June 19 2019, @09:35PM (1 child)

                by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday June 19 2019, @09:35PM (#857616) Journal

                My toaster heats up subsequent toastings more, making them browner or burnt faster. And the toast does not peek out of the top, so I have to reach inside if I'm being lazy or get tongs. This is an example of a consumer appliance that has clearly regressed in functionality.

                --
                [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
                • (Score: 2) by RS3 on Wednesday June 19 2019, @10:17PM

                  by RS3 (6367) on Wednesday June 19 2019, @10:17PM (#857637)

                  ...so I have to reach inside...

                  Muahahaha, it's all part of a master plan to cull the herds.

                  But seriously (or was I), I've noticed the springs are so weak I have to lift up on the handle to get the toast (waffle, etc.) high enough to grab. But then it does this thing that almost seems intentional - the mechanism will jam with the handle all the way at the top. I've taken it apart more than once, to discover there's some kind of mechanical catch, and some kind of handle motion will release it, but it rarely happens and I forget and it's infuriating. They just want you to buy a new IoT toaster. And now even newer ones.

              • (Score: 2) by Dr Spin on Thursday June 20 2019, @06:51AM

                by Dr Spin (5239) on Thursday June 20 2019, @06:51AM (#857799)

                That video gives me a melancholy memory of an awesome toaster we (parents / family) had for 20+ years. Had to fix a few things in it.
                But did you update the NetBSD release?

                --
                Warning: Opening your mouth may invalidate your brain!
    • (Score: 2) by legont on Wednesday June 19 2019, @04:17PM

      by legont (4179) on Wednesday June 19 2019, @04:17PM (#857491)

      Hammurabi’s code: Reestablish a symmetry of fragility: If a builder builds a house and the house collapses and causes the death of the owner of the house - the builder shall be put to death. If it causes the death of the son of the owner of the house, a son of that builder shall be put to death.

      https://sivers.org/book/Antifragile [sivers.org]

      Unfortunately, the success of capitalism is based on removing of liability (as well as providing cheap unlimited funding)

      Having said that, removing certain folks from the gene pool would be nice to see.

      --
      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 2) by shortscreen on Wednesday June 19 2019, @07:30PM (3 children)

      by shortscreen (2252) on Wednesday June 19 2019, @07:30PM (#857576) Journal

      Then what happens when free or open source software/hardware has a security hole? If the creators of free stuff can disclaim liability in their legalese, won't commercial entities also do this?

      If not that, how will you like it when everything is doubly locked down so that everybody can cover their ass? No more rooting/modifying the device that you bought, instead you'll be stuck forever with whatever shovelware/adware/spyware/DRM it came with and "Right to Repair" will be dead.

      • (Score: 2) by fido_dogstoyevsky on Thursday June 20 2019, @12:01AM (2 children)

        by fido_dogstoyevsky (131) <axehandleNO@SPAMgmail.com> on Thursday June 20 2019, @12:01AM (#857676)

        Then what happens when free or open source software/hardware has a security hole? If the creators of free stuff can disclaim liability in their legalese, won't commercial entities also do this?...

        Presumably if it isn't wirelessly connectable it won't be a problem? If it needs a malicious third party wired connection to cause harm that's the same as a malicious third party hacksaw to the brake line connection.

        --
        It's NOT a conspiracy... it's a plot.
        • (Score: 2) by Bot on Thursday June 20 2019, @11:01AM (1 child)

          by Bot (3902) on Thursday June 20 2019, @11:01AM (#857851) Journal

          When I use FOSS it is like I got a car assembled from junkyard parts. It is all on me, I can't blame who produced the piece or who tossed it. As in the case of software, my junkyard car would probably be more reliable in the long term than whatever commercial offering.

          --
          Account abandoned.
    • (Score: 3, Informative) by deimtee on Thursday June 20 2019, @01:15AM

      by deimtee (3272) on Thursday June 20 2019, @01:15AM (#857698) Journal

      This is how it is in Australia.
      The merchant who sold it to you is fully responsible for what they sell. If they want to pass that responsibility back to the manufacturer that is their problem, it doesn't reduce their responsibility to the customer at all.
      RMAs are almost unknown here*, you just carry it back to where you bought it and demand they fix/replace/refund depending on the problem. Every so often a store with US ideas tries "you have to send it back to the factory", and gets slapped down hard.
      Mail/internet orders complicate things a bit, but if they have a physical presence in Australia they generally follow the rules or get shut down. It is pretty much understood that if you order cheap shit from a dodgy overseas website, then you are on your own.

      *The only time you will see an RMA is when the manufacturer offers a warranty that far exceeds the statutory minimum, and doesn't have a deal with the store to handle it. This is rare because if the warranty is a selling feature then the store is involved anyway. The store would have to explicitly claim they are not honouring manufacturers' warranties at the time of sale, which is not something they like doing when they are trying to sell it.

      --
      If you cough while drinking cheap red wine it really cleans out your sinuses.
  • (Score: 4, Interesting) by goodie on Wednesday June 19 2019, @01:53PM

    by goodie (1877) on Wednesday June 19 2019, @01:53PM (#857428) Journal

    I don't own any of these "smart" devices but was thinking about how it used to be. Let me give an example. Back in the late 1990s I wanted to be able to listen to my mp3 library from work. I had quite a few and portable HDDs, the cloud and all these things were either nonexistent or expensive. So anyway, I set up my Linux box as a shoutcast server.

    I remember how much "fun" (i.e., frustration) I had doing it. I learned a ton. But I had to figure out how to set up port forwarding, open ports, etc. Configs had to be done on the machine and on the router. As always back then, there were lots of cases of "works on the LAN, does not work from work. Tweak something, try again tomorrow when I get to work. Hope it works. Repeat..."

    Now, you buy a thing and BOOM! everything works through straight HTTP or an app. It makes it VERY easy for consumer lambda to buy, plug, and use the device. But boy are you relying on the manufacturer's ability to secure things... I think it's helped democratize a lot of tech but at the same time, it has contributed greatly to the current mess I think.

    Anyway, those were the good old days! :D

  • (Score: 2, Funny) by Anonymous Coward on Wednesday June 19 2019, @03:09PM (5 children)

    by Anonymous Coward on Wednesday June 19 2019, @03:09PM (#857461)

    Windows 95
    Windows 98
    Windows ME - Millennium Edition
    Windows NT 3.1 - 4.0
    Windows 2000
    Windows XP
    Windows Vista
    Windows 7
    Windows 8
    Windows 10
    Windows Server
    Windows Home Server
    Windows CE
    Windows Mobile
    Windows Phone 7-10

    • (Score: 3, Funny) by kazzie on Wednesday June 19 2019, @04:40PM (1 child)

      by kazzie (5309) Subscriber Badge on Wednesday June 19 2019, @04:40PM (#857503)

      You clearly have a higher opinion of Windows 3.11 than I do...

      • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @08:08PM

        by Anonymous Coward on Wednesday June 19 2019, @08:08PM (#857588)

        Because Win95SP1 was when spyware was added.

    • (Score: 2) by Freeman on Wednesday June 19 2019, @04:49PM

      by Freeman (732) on Wednesday June 19 2019, @04:49PM (#857510) Journal

      What about Windows 3.1 / DOS? Modems were around then too, you know.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 3, Informative) by Freeman on Wednesday June 19 2019, @04:52PM (1 child)

      by Freeman (732) on Wednesday June 19 2019, @04:52PM (#857514) Journal

      Also, please note this much more interesting list:

      1971
              The Creeper system, an experimental self-replicating program, is written by Bob Thomas at BBN Technologies to test John von Neumann's theory.[2] Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message "I'm the creeper, catch me if you can!" was displayed. The Reaper program was later created to delete Creeper.[3]

      https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms [wikipedia.org]

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 2) by Dr Spin on Thursday June 20 2019, @06:57AM

        by Dr Spin (5239) on Thursday June 20 2019, @06:57AM (#857804)

        So I can now get a ToaD*, but it is an IoT?

        * The ToaD is a "Ten on a Desk" - a fantasy of most programmers in those days (1976),
        given that a DEC 10 took up a LARGE room, and probably consumed at least 20kw,
        even for the smallest one.

        --
        Warning: Opening your mouth may invalidate your brain!