
SoylentNews is people

posted by cmn32480 on Thursday October 27 2016, @04:29PM
from the in-Soviet-Russia-products-threaten-you dept.

The Chinese Ministry of Justice has threatened legal action against "organisations and individuals" making "false claims" about the security of Chinese-made devices.

It follows a product recall from the Chinese electronics firm Hangzhou after its web cameras were used in a massive web attack last week.

The attack knocked out sites such as Reddit, Twitter, Paypal and Spotify.

The Chinese government blamed customers for not changing their passwords.

Its legal warning was added to an online statement from the company Xiongmai, in which the firm said that it would recall products, mainly webcams, following the attack but denied that its devices made up the majority of the botnet used to launch it.

You will like Chinese products, or else.



  • (Score: 2) by ikanreed on Thursday October 27 2016, @04:33PM

    by ikanreed (3164) Subscriber Badge on Thursday October 27 2016, @04:33PM (#419464) Journal

    American-made shitty webcams also have garbage security.

    • (Score: 3, Insightful) by FatPhil on Thursday October 27 2016, @06:17PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday October 27 2016, @06:17PM (#419513) Homepage
      American-made shitty webcams are Chinese shitty webcams where the camera and its stand have been clipped together, sorry, I mean "assembled" in the US.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by ikanreed on Thursday October 27 2016, @06:22PM

        by ikanreed (3164) Subscriber Badge on Thursday October 27 2016, @06:22PM (#419517) Journal

        Hey, that's not fair, sometimes they're Bangladeshi webcams clipped together in the US. And sometimes they're Vietnamese!

        • (Score: 4, Informative) by bob_super on Thursday October 27 2016, @06:51PM

          by bob_super (1357) on Thursday October 27 2016, @06:51PM (#419525)

          I used to support the designers at Arecont Vision, in Glendale CA. All their cameras are still manufactured and assembled in the building (for how long?).
          Good people as engineers don't mean no security holes, but if you want to buy "made in USA", they might be your last option. Not dirt cheap, but some really cool multi-sensor HD/4K tech.

    • (Score: 2) by driverless on Friday October 28 2016, @10:06AM

      by driverless (4770) on Friday October 28 2016, @10:06AM (#419782)

      In any case the headline is wrong, the Ministry of Justice had nothing to do with it, it was a bad translation from the Chinese original [krebsonsecurity.com].

  • (Score: 3, Informative) by DonkeyChan on Thursday October 27 2016, @04:37PM

    by DonkeyChan (5551) on Thursday October 27 2016, @04:37PM (#419467)

    These things don't even have passwords and the way they're compromised has to do with the lack of security in their firmware.
    Using hardcoded passwords (you know, unchangeable)
    Open obfuscated SSH ports

    • (Score: 2, Insightful) by Anonymous Coward on Thursday October 27 2016, @05:16PM

      by Anonymous Coward on Thursday October 27 2016, @05:16PM (#419490)

      Using hardcoded passwords (you know, unchangeable)

      A back door, just like Comey wanted.

      • (Score: 0) by Anonymous Coward on Thursday October 27 2016, @06:11PM

        by Anonymous Coward on Thursday October 27 2016, @06:11PM (#419509)

        Um, we're talking China here. Yes it's possible that said backdoors were ordered there by a state party, but it certainly wasn't Comey. Don't give him or wild conspiracies any more credit than due.

        • (Score: 4, Insightful) by tibman on Thursday October 27 2016, @06:23PM

          by tibman (134) Subscriber Badge on Thursday October 27 2016, @06:23PM (#419518)

          Small misunderstanding here I think. Comey has said he wants backdoors: https://www.theguardian.com/technology/2015/jul/08/fbi-chief-backdoor-access-encryption-isis [theguardian.com]

          AC's point is that this is what happens when there is a backdoor.

          --
          SN won't survive on lurkers alone. Write comments.
        • (Score: 4, Insightful) by Phoenix666 on Thursday October 27 2016, @07:29PM

          by Phoenix666 (552) on Thursday October 27 2016, @07:29PM (#419542) Journal

          "Wild conspiracies?" There is no such thing anymore. What we know for a fact, as in real and actually done, are beyond what conspiracy theorists feared in 2004.

          --
          Washington DC delenda est.
          • (Score: 2) by Gaaark on Thursday October 27 2016, @09:27PM

            by Gaaark (41) on Thursday October 27 2016, @09:27PM (#419573) Journal

            Absotutely fracking 'A'!
            Truth is stranger than fiction (and Hillary is Moby Dick!!!!!)

            About the only conspiracy not proven correct is.... wait for it....... wait for it.......

            ....yeah.....

            Do not go in there!!! Wheeeeewww!

            --
            --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
          • (Score: 0) by Anonymous Coward on Friday October 28 2016, @01:24AM

            by Anonymous Coward on Friday October 28 2016, @01:24AM (#419680)

            Just because some conspiracies are true doesn't make all conspiracy theories true.

            This one does not pass the laugh test because it's so egregious. We know how the NSA likes to backdoor hardware and they certainly don't do it like this. These are the guys who deliberately weakened a random number generator algorithm to make it feasible to crack encryption that happens to use that RNG. That's subtle. This? Leaving hardcoded passwords for any dumbfuck to find? That's just the result of ultra-thin margins.

  • (Score: 2) by RedGreen on Thursday October 27 2016, @04:40PM

    by RedGreen (888) on Thursday October 27 2016, @04:40PM (#419469)

    All I can say is the first time I logged into the shitty router my ISP gave me before I replaced it with my own it forced me to set a new password other than the default before I could do anything else. So the Chinese can sell that crock of shit to someone who is buying it and I don't think that will be a lot of people, they sold garbage that was not secured now they pay the price in bad publicity.

    --
    "I modded down, down, down, and the flames went higher." -- Sven Olsen
    • (Score: 2) by HiThere on Thursday October 27 2016, @11:36PM

      by HiThere (866) Subscriber Badge on Thursday October 27 2016, @11:36PM (#419621) Journal

      That doesn't sound like an IOT appliance to me. Perhaps one of us misunderstands something.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 5, Interesting) by MrGuy on Thursday October 27 2016, @04:57PM

    by MrGuy (1007) on Thursday October 27 2016, @04:57PM (#419478)

    You will like Chinese products, or else.

    An alternative would be "We don't appreciate being singled out as the source of a widespread problem."

    There are LOTS of IoT devices out there with really crap security. Check out Shodan [shodan.io] to see how many devices are out there broadcasting their presence. Quite a few of these items (from all sorts of manufacturers) are known to have bad security, so if you know how to compromise one, you know how to compromise all of them.

    It's entirely possible the botnet for the recent attack was made up largely of compromised webcams of Chinese manufacture. It's also possible the botnet was from all over the spectrum of manufacturers, and the webcams that are getting all the press were one small piece of a very large pie. Maybe it's somewhere in between. Without seeing actual stats on which devices were involved, it's hard to know. I haven't seen anything other than anecdotes in the press - if someone has a link to some real breakdown data of the attack, I'd appreciate a link.

    It's possible that journalists are accurately placing blame for the problem, and China is being unreasonable to take exception to being criticized.

    It's also possible that journalists are jumping on the "Chinese devices are bad!" bandwagon with little evidence, because it sells (both because of fierce criticism in the US and elsewhere that China is exploitative in their trade practices, and shadowy ominous statements that maybe the government of China has deliberately compromised all devices made in the country).

    • (Score: 4, Informative) by edIII on Thursday October 27 2016, @06:06PM

      by edIII (791) on Thursday October 27 2016, @06:06PM (#419506)

      You're correct about the widespread nature of the problem. Not just IoT or consumer devices, but industrial ones too. A major manufacturer of industrial wireless (gigabit wireless links for 20+ miles that are near $10k per pair) completely boned their security for the web interface. With the exploit you could literally walk right in and run code as root. So hackers created a worm and let it loose across the entire infrastructure (multiple, multiple WISPs). Any WISP that had public IPs found their entire network compromised within hours, and this worm was nasty. Not even designed to make a profit or anything, just to destroy the whole network.

      A few months after that, I noticed Panasonic said fuck it and turned off the web interface on some new products entirely. You need to use a remote control (DECT phone) to physically press a button to open the web port back up for 30 minutes. SSH disabled by default. So perhaps somebody is finally learning.

      I'd give the Chinese a bit of a break though too. The fuckups are globally distributed and exist beyond politics. Meaning, it's not politicians causing it, but greedy executives who refuse to pay for adequate security until something like this happens. So personally, I want to see China take a HUGE MASSIVE fucking hit over this. So big, that corporations around the world simply out of fear of lost profits start taking security just a little bit more seriously.

      At this point I'm looking into ssh tunneling all web traffic from the devices. That way there is no open web port at all, and you need to get through well implemented SSH keys before you can establish a tunnel to hit a *local* port. Then run a cron job to randomize the SSH port every 12 hours and report it back to the network management platform. Of course that only works with devices you can get root on in the first place.

      From a security standpoint, most devices are DOA and entirely dependent upon something at the network edge to defend them. Internally, they're like tasty sheep or chicken just hoping the foxes and wolves don't get inside.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
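
The setup edIII describes (keys-only SSH in front of a web UI that is reachable only through a tunnel, plus a periodic port change), sketched as an added shell example that is not the commenter's own script. The paths, port range, `admin` user, `device.example` host and the 8080/80 tunnel ports are assumptions; the script refuses to rotate unless password logins are off, since the key check is the actual control and the port change only cuts scan noise.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical cron entry:
#   0 */12 * * * /usr/local/sbin/rotate-ssh-port.sh /etc/ssh/sshd_config

# Pick a port in 20000-59999 using two bytes from the kernel RNG.
pick_port() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $((20000 + n % 40000))
}

# Succeeds only if password logins are explicitly disabled. sshd keywords
# are case-insensitive, the first occurrence wins, and the default is "yes",
# so a missing directive counts as a failure.
keys_only() {
    v=$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$1")
    [ "$v" = "no" ]
}

# Replace every active Port line (sshd listens on all of them) with a single
# new one, written at the top so it precedes any Match block.
# Prints the new port; leaves the file untouched on refusal.
rotate_sshd_port() {
    conf=$1
    keys_only "$conf" || { echo "refusing: password auth not disabled" >&2; return 1; }
    port=$(pick_port)
    tmp=$(mktemp) || return 1
    {
        echo "Port $port"
        awk 'tolower($1) != "port"' "$conf"
    } > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file's owner and mode
    rm -f "$tmp"
    echo "$port"
}

# Operator-side command. Assumes the device web UI binds to 127.0.0.1:80 only,
# so it is unreachable without the tunnel; "admin" is a placeholder account.
tunnel_cmd() {  # usage: tunnel_cmd HOST PORT
    echo "ssh -N -p $2 -L 8080:127.0.0.1:80 admin@$1"
}

if [ -n "${1:-}" ]; then
    new=$(rotate_sshd_port "$1") || exit 1
    # On a real device, next: validate with `sshd -t -f "$1"`, reload sshd,
    # and report $new to the management platform (site-specific, not shown).
    tunnel_cmd "device.example" "$new"
fi
```

Existing SSH sessions survive a reload, but anything that cached the old port will fail until the management platform has the new value, so report before the next scheduled poll.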
    • (Score: 0) by Anonymous Coward on Thursday October 27 2016, @10:07PM

      by Anonymous Coward on Thursday October 27 2016, @10:07PM (#419589)

      My bloody Kogan TV does this
      Not buying another "smart" TV

  • (Score: 2, Insightful) by Anonymous Coward on Thursday October 27 2016, @04:59PM

    by Anonymous Coward on Thursday October 27 2016, @04:59PM (#419479)

    INTENTIONAL! It's a brilliant scheme, get users around the world to pay for and maintain a massive botnet.

    Please don't pull out Hanlon's razor, at this point in time we should all realize that there are huge efforts being made across the world to spy on citizens and undermine political opposition. Often these efforts are well concealed behind plausible deniability, specifically so any opponents will be divided into "crazy conspiracy theorists" and "worried skeptics". In this day and age anyone who has "reason" on their side has the high ground, so if you believe something without concrete evidence then you are a heretic. The deep irony in this situation could be funny if the consequences weren't so damned important.

    Regarding spying and complicity of the telco / tech giants, someone said "What do you expect them to do? Just shut down? Cause that's what the government will do if they don't comply." It plays into the power game, using power to define the rules of engagement. Only when someone changes the rules, says no when told to do something, is change actually possible.

  • (Score: 0) by Anonymous Coward on Thursday October 27 2016, @05:06PM

    by Anonymous Coward on Thursday October 27 2016, @05:06PM (#419482)

    Fuck you and your cheap good-for-nothing Chinese junks.

    I am AC, the Chicom destroyer.

  • (Score: 1, Insightful) by Anonymous Coward on Thursday October 27 2016, @05:58PM

    by Anonymous Coward on Thursday October 27 2016, @05:58PM (#419503)

    The master of the Reality Distortion Field never threatened to sue individual customers.

    Instead, he claimed those having problems were "holding it wrong".

    Watch and learn.

  • (Score: -1, Offtopic) by Anonymous Coward on Thursday October 27 2016, @07:14PM

    by Anonymous Coward on Thursday October 27 2016, @07:14PM (#419534)

    Come on and ride the Trump train! We will re-negotiate our trade deals and stop China from dumping garbage like this into our country.

    • (Score: 0) by Anonymous Coward on Friday October 28 2016, @03:11PM

      by Anonymous Coward on Friday October 28 2016, @03:11PM (#419862)

      At least it runs on time.

  • (Score: 3, Insightful) by RamiK on Thursday October 27 2016, @07:48PM

    by RamiK (1813) on Thursday October 27 2016, @07:48PM (#419548)

    American smartphone yesterday. Chinese webcams today. Your IoT fridge tomorrow... It doesn't matter. All these devices use outdated kernels and packages with insecure defaults.

    --
    compiling...
    • (Score: 2) by HiThere on Thursday October 27 2016, @11:43PM

      by HiThere (866) Subscriber Badge on Thursday October 27 2016, @11:43PM (#419626) Journal

      I don't think smartphones count as IOT devices. As for the rest of your comment...you left out lots of possibilities. Washers, refrigerators, and TVs are ones that I've heard of recently. I think someone mentioned air conditioners a month or so back. Basically anything that uses electric power is a possible vector, but things like computers and smartphones, where the communication is essential to the purpose, don't really count as IOT devices.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 0) by Anonymous Coward on Friday October 28 2016, @12:15AM

        by Anonymous Coward on Friday October 28 2016, @12:15AM (#419646)

        When you think about how easy it is for any government to get into them while online and crack their security.

        Hint: If you haven't powered them off they are susceptible to attack, airplane mode or not.

        • (Score: 1) by Scruffy Beard 2 on Friday October 28 2016, @12:47AM

          by Scruffy Beard 2 (6030) on Friday October 28 2016, @12:47AM (#419662)

          I think you should be reasonably safe from remote attack if you disable both radios.

          Modern smart-phones have plenty of storage to record audio and upload later though.

  • (Score: 3, Insightful) by jdavidb on Thursday October 27 2016, @08:19PM

    by jdavidb (5690) on Thursday October 27 2016, @08:19PM (#419550) Homepage Journal

    So there's jokes in the article summary about totalitarian regimes like the Soviet Union and communist China punishing people for the free speech of maligning products ... but here in America most people I know think it's perfectly fine for a company to sue for things like "slander", so I'm not sure we're exactly on the moral high ground.

    --
    ⓋⒶ☮✝🕊 Secession is the right of all sentient beings
    • (Score: 2) by archfeld on Thursday October 27 2016, @08:55PM

      by archfeld (4650) <treboreel@live.com> on Thursday October 27 2016, @08:55PM (#419561) Journal

      Slander implies you are speaking something other than the truth.

      http://legal-dictionary.thefreedictionary.com/slander [thefreedictionary.com]

      --
      For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
      • (Score: 2) by HiThere on Thursday October 27 2016, @11:46PM

        by HiThere (866) Subscriber Badge on Thursday October 27 2016, @11:46PM (#419629) Journal

        In the US, yes. In Britain, I don't think so. Laws change from country to country, so if you're in Canada or Mexico, you'd better check the local definition before you mention unkind truths.

        P.S.: In the US it's not unknown for companies to file suits against people that are saying unkind truths, and make them pay to defend themselves. Sometimes repeatedly in different states. That they'll lose isn't the point. The point is to cost critics so much they'll shut up.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
        • (Score: 0) by Anonymous Coward on Friday October 28 2016, @01:26AM

          by Anonymous Coward on Friday October 28 2016, @01:26AM (#419682)

          We have anti-SLAPP [anti-slapp.org] laws for that.

        • (Score: 3, Informative) by archfeld on Friday October 28 2016, @05:23AM

          by archfeld (4650) <treboreel@live.com> on Friday October 28 2016, @05:23AM (#419738) Journal

          In GB you cannot just say someone is a lousy Doctor without some proof other than your opinion. You can say however that you did not like someone as a Doctor, but you cannot impugn their ability/skill without some supporting facts. Not sure where Canada fits in on this scale myself though.

          --
          For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
  • (Score: 2) by Bogsnoticus on Friday October 28 2016, @05:03AM

    by Bogsnoticus (3982) on Friday October 28 2016, @05:03AM (#419733)

    I'm sure some people would like to change the default password, if only the instructions were actually translated into something approximating English.
    Not Engrish, not Chinglish, but English.
    If that means having to hire one translator to take the manual from Chinese to Chinglish, and then hiring another to take it from Chinglish to Engrish, and then a third to go from Engrish to English, then so be it. It'll add what, another $5 to the cost of the device?

    --
    Genius by birth. Evil by choice.
    • (Score: 1, Troll) by gnuman on Friday October 28 2016, @06:26AM

      by gnuman (5013) on Friday October 28 2016, @06:26AM (#419749)

      Bullshit. If you want to change the password, you can change the password. If your excuse is a poor troll of laziness and covert bigotry, then well, that's what it is.