
SoylentNews is people

posted on Thursday April 27 2017, @02:01PM
from the don't-you-believe-it dept.

Mass hacking seems to be all the rage currently. A vigilante hacker apparently slipped secure code into vulnerable cameras and other insecure networked objects in the "Internet of Things" so that bad guys can't corral those devices into an army of zombie computers, like what happened with the record-breaking Mirai denial-of-service botnet. The Homeland Security Department issued alerts with instructions for fending off similar "Brickerbot malware," so-named because it bricks IoT devices.

And perhaps most unusual, the FBI recently obtained a single warrant in Alaska to hack the computers of thousands of victims in a bid to free them from the global botnet, Kelihos.

On April 5, Deborah M. Smith, chief magistrate judge of the US District Court in Alaska, greenlighted this first use of a controversial court order. Critics have since likened it to a license for mass hacking.

General warrants were a key reason cited by the Founding Fathers for their rebellion against King George.



 
  • (Score: 2) by kaszz on Thursday April 27 2017, @03:30PM (12 children)

    by kaszz (4211) on Thursday April 27 2017, @03:30PM (#500728) Journal

    If people actually bothered to secure their devices, this incident would not have happened in the first place. So the advice will go unread in most cases. Once these poor IoT devices are relieved from that evil botnet, they can happily again be infected by some party the powers that be like better.

  • (Score: 3, Insightful) by DannyB on Thursday April 27 2017, @03:45PM (11 children)

    by DannyB (5839) Subscriber Badge on Thursday April 27 2017, @03:45PM (#500741) Journal

    People should not have to secure their devices.

    I should not have to secure my electrical wiring to be sure it doesn't burn my house down.

    I should not have to secure my car from suddenly accelerating out of control.

    I should not have to secure my TV.

    The manufacturer should be liable for damage caused by botnets of their IoT devices. Yes, really. For the same reason I expect my toaster not to burn my house down. It will cost the manufacturer real money to pay attention to all of the possible best practices to secure their devices and deliver updates. That cost will be reflected, as it should be, in the retail price. That leads consumers to then consider whether every individual light bulb and toaster really needs an internet connection. Another effect of putting liability upon manufacturers is that it provides direct incentives for them to cooperate (imagine that!) on developing common, secure Linux distributions as a base for their IoT devices. Spread the cost and reap the benefit of open source.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 3, Touché) by kaszz on Thursday April 27 2017, @04:05PM (4 children)

      by kaszz (4211) on Thursday April 27 2017, @04:05PM (#500749) Journal

      Once you invite regulations, laws and courts, it will be a corporate owned domain that will keep anyone else out using even more regulation.

      • (Score: 3, Interesting) by Scruffy Beard 2 on Thursday April 27 2017, @04:16PM (1 child)

        by Scruffy Beard 2 (6030) on Thursday April 27 2017, @04:16PM (#500755)

        It is not even regulation. Just about every software house disclaims liability.

        And yes, you do have to secure your car (it is called a parking brake).

        • (Score: 2) by DannyB on Friday April 28 2017, @12:53PM

          by DannyB (5839) Subscriber Badge on Friday April 28 2017, @12:53PM (#501142) Journal

          If the car suddenly accelerates out of control that is a manufacturing defect. See Toyota. That is not something I should have to take care of. Other brands of cars don't suddenly accelerate out of control on their own without being commanded to accelerate.

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 3, Interesting) by DannyB on Thursday April 27 2017, @04:42PM (1 child)

        by DannyB (5839) Subscriber Badge on Thursday April 27 2017, @04:42PM (#500781) Journal

        I'm not asking for regulations. Just liability to be imposed.

        I'm not asking for any kind of certification of IoT security. I'm not asking for any kind of recognized standard to be met. Just that if your IoT device gets hacked, the liability for damages is on the manufacturer.

        Nothing more.

        I think it would provide all the right incentives. You wouldn't believe how many best practices there are about security for systems that handle credit card information. I would love to see even half PCI compliance requirements applied to IoT devices.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 4, Insightful) by kaszz on Thursday April 27 2017, @05:19PM

          by kaszz (4211) on Thursday April 27 2017, @05:19PM (#500801) Journal

          > I'm not asking for regulations. Just liability to be imposed.

          Liability is coded in law which means lawyers etc. And the circus will be on. What you think and wish has no automatic connection to the consequences of your actions.

          > I'm not asking for any kind of certification of IoT security. I'm not asking for any kind of recognized standard to be met. Just that if your IoT device gets hacked, the liability for damages is on the manufacturer.
          >
          > Nothing more.

          Liabilities are encoded in law and this will instead line the coffers of insurance corporations that can then make use of their oligopoly.

          > I think it would provide all the right incentives. You wouldn't believe how many best practices there are about security for systems that handle credit card information. I would love to see even half PCI compliance requirements applied to IoT devices.

          Incentives will be perverted. And credit cards are routinely cracked because their security sucks.

          Better have a specific checklist that must be adhered to before the device may be connected to a public network or any wireless mechanism. That will give manufacturers a clear target and give less space for lawyers and insurance corporations to screw people.

          Otoh, BrickerBot perhaps does the job with security compliance quite good ;)

    • (Score: 2) by tibman on Thursday April 27 2017, @04:18PM (4 children)

      by tibman (134) Subscriber Badge on Thursday April 27 2017, @04:18PM (#500756)

      If you plugged in your toaster and made it publicly accessible then I can guarantee it will catch fire at some point. Someone will be trying to smelt copper in it or something. InternetOfCrap is the same way. Do you really want anonymous people talking to your security cameras? No. You really don't. You are right though, manufacturers shouldn't be shipping insecure devices and should make security updates available.

      --
      SN won't survive on lurkers alone. Write comments.
      • (Score: 2) by DannyB on Thursday April 27 2017, @04:45PM (2 children)

        by DannyB (5839) Subscriber Badge on Thursday April 27 2017, @04:45PM (#500783) Journal

        They wouldn't be shipping known insecure devices, and they would be making updates available if the liability for damages were on them. That's why I think it is a perfect fix.

        The credit card industry has all kinds of security compliance requirements. (PCI) Because if their systems get hacked, guess who is liable? Clue: not the card holders.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 2) by kaszz on Thursday April 27 2017, @05:22PM (1 child)

          by kaszz (4211) on Thursday April 27 2017, @05:22PM (#500803) Journal

          Liability means lawyers and insurance corporations will line their pockets with your money. If said cameras had their software open sourced, there would be a lot more possibility to take control of the security issues.

          • (Score: 0) by Anonymous Coward on Friday April 28 2017, @09:03AM

            by Anonymous Coward on Friday April 28 2017, @09:03AM (#501082)

            No, they will get a share of the money that normally goes to the IoT company itself. Yes, this may bloat the original price a bit, but I don't see that as a big problem. As mentioned before, people will quickly realize, hm maybe I don't need a toaster that connects to the internet. Companies that are bad at securing their devices will see a much larger share of their customers' cash going to lawyers and insurance corporations.

            I like the idea for open source, but that still doesn't give the IoT companies an incentive to install the latest patches/fixes, ... Whatever OS and packages they shipped 5 years ago are still fine to ship today, I mean, it's open source and all.
            And I know you will probably come back with, "but it's open source so I can upgrade and patch it myself" and that's true. But you'll also have to patch those of your parents, grandparents, ... And YOU will have to put in effort to secure the stuff you bought, are you going to ask for a refund for every hour you spent on it? After that, when your IoT devices still get hacked, it will be very easy to put all the blame on YOU, because you patched it and messed around with it. And that time it will definitely be your money to pay for your lawyers.

      • (Score: 3, Interesting) by urza9814 on Thursday April 27 2017, @06:20PM

        by urza9814 (3954) on Thursday April 27 2017, @06:20PM (#500825) Journal

        > If you plugged in your toaster and made it publicly accessible then I can guarantee it will catch fire at some point.

        I know a LOT of companies with unattended appliances available to the public. Particularly those Keurig machines. And while those things DO seem to commit suicide quite regularly, they DON'T usually destroy anything else along the way. And if they did I'm sure you'd win that lawsuit pretty easily.

        But our legal system thinks computers are magic and hackers are evil sorcerers or some shit that nobody can possibly defend against, so they give everyone a free pass. Or more accurately, they give big companies a free pass, and screw the rest of us as always...

    • (Score: 3, Insightful) by sjames on Thursday April 27 2017, @09:02PM

      by sjames (2882) on Thursday April 27 2017, @09:02PM (#500877) Journal

      To be fair, if you don't secure your car, it may accelerate out of your control directly to the chop shop. Or it may coast into a tree.