SoylentNews is people
SoylentNews
Canonical, maker of Ubuntu Linux and its Internet of Things variant, has discovered the obvious – that people cannot be trusted to secure their connected devices.
Thibaut Rouffineau, evangelist for Ubuntu Core and the Internet of Things, admitted late last week that developers and IoT device makers know people seldom update the firmware of connected devices. But, he argues, they probably don't realize how bad the security situation has become.
The distro maker says it surveyed 2,000 folks about how they dealt with connected devices. It found that less than a third of respondents (31 per cent) installed updates as soon as they were available. Some 40 per cent never knowingly updated their devices.
"In other words, consumers are leaving their devices open to exploits and hacks, from DDoS attacks to invasions of personal privacy or theft of personal data," said Rouffineau.
Why such disinterest? According to Rouffineau, almost two thirds of respondents felt that keeping software updated – their security – was not their responsibility.
(Score: 2) by Hyperturtle on Thursday December 22 2016, @04:29PM
That's too bad that you learned this the hard way.
I've learned myself to never buy a cable modem or dsl router that has a combination of services. Only buy a direct connection that allows you to hook the internet, and something fancy on your side. You can go all out on what you have on your LAN; if the ISP controls the internet connection then don't let them control your fancy device. Get a less expensive/specific purpose device for that.
You will never control the firmware on the router or modem that provides you the internet connection with residential broadband. Never. You can always control network device you connect to it, unless you buy something specifically giving it up to the cloud anyway. Then it's just a matter of having split up your loyalties to different masters.
I have a cable modem that I bought, not because I wished to own a cable modem, but because the rental fee for 10 months of use exceeded the cost of the best "dumb" modem I could buy at the time. It's paid for itself in the savings; the lease costs per month have only gone up. (I did have to return the previous modem back to the ISP, and get a receipt demonstrating this so that I did not pay for it indefinitely.)
Connected to that I have other stuff that I control; I even recently used some of that to block automatic telemetry from video card and solid state disk drivers... by installing these I agree to be spied on and my info shared with valued business partners? Sure, let me watch it try to connect so I can block it, thanks. What are they going to do to me? Not download updates without asking? Sounds like a fair trade to me.
It's not enough to set such limits per PC; and if I did it on equipment someone else managed... MS ignores the host file and windows firewall rules for the telemetry to their own stuff. AMD opened ports on the windows firewall to let itself talk and the preferences ignored my settings to "dont check for updates dont nag me"--it only stopped when I blocked its access.
New stuff will continue to do this; to exert control, you need something on your network that not only you control, but isn't dependent on the ISP or running on top of your desktop (or even a server that might allow things out due to various wizards). IoT stuff likely should have its own network segment so you can just turn all that off or greatly limit it without thinking much about it, and be able to do so without impacting your regular use network.
It may sound like a bit much, but viable options include DD-WRT on old consumer hardware; if you get too cheap it'll slow you down (slow radios or interfaces or cpu), unless you have the device act on the network as an appliance/tiny server, rather than in-line like a router or firewall (use it like a proxy or DNS server for filtering, or as an access-point with the same features enabled as well on the wired side, so that you get some additional use out of it).
That can do the trick quite inexpensively. The real issue is learning how to do it, and it might take time... but the good news is that you dont have to do it all at once. You can keep using what you have and migrate away from it, then treat the modem as a dumb device beyond your firewall.
(Score: 2) by bzipitidoo on Friday December 23 2016, @04:26AM
It's not that I didn't know there were risks. It's a judgment call. Is it worth my time to thoroughly investigate networking hardware? I really do not want to spend time on that. Should I have to, to avoid corporate control of my LAN? I should also spend time backing up my data, setting up anonymous browsing and file transfer services, keeping Windows on a tight leash and scanning for viruses, blocking spam, jailbreaking my tablets and smartphones, flashing Rockbox to my music players, hacking around DRM on inkjet cartridges and copy protection on DVDs, etc. I've tried to find broadband Internet service that's not enrolled in one of the more recent abominations from Big Media, the Copyright Alert System, but so far, no luck.
I do most of that crap, and I get tired of the endless battling in these long wars. I don't want to be a reactionary system admin, I have more interesting and positive work I wish to do, like keep up with the latest in software engineering. I still feel confident that the people will eventually win these wars. But it's been over 30 years now, and many vendors are still bedazzled over the whole idea of intellectual property, still think they're within their rights to lock up information, accuse the whole world of wanting to pirate their works, spy on their customers, demand ridiculous legal protections at great public expense, run absurd and insulting propaganda campaigns, and whine about the very laws of nature making DRM impossible to successfully implement.
When will this attitude ever change? I'd like to see the law enforcement badges and the scare language and propaganda banned from rental DVDs and all other video products. Most definitely, I wish we'd sanction companies who write unenforceable and overreaching EULAs, put a permanent end to that practice. Maybe precedent could be the case over the billboard in a predominantly poor part of a city warning voters that it was a federal crime to cast a vote under a fake ID, punishable by up to 10 years in prison. It was so obviously designed to scare voters away, and the courts ordered the billboard taken down.
We've made great strides in product safety. Manufacturers used to be a lot more cavalier about the dangers of their more dangerous products, too quick to blame it all on the customers whenever someone got hurt. Automobiles in particular have made huge advances in safety since the 1950s. Yet they remain one of the leading causes of early death. There used to be all kinds of use of radioactive materials before we understood the dangers of radiation. Now we don't use it casually-- no more radioactive watch dials! So I have hope.