
posted by mrpg on Thursday December 22 2016, @09:20AM   Printer-friendly
from the Mirai-IoT-Botnet dept.

Canonical, maker of Ubuntu Linux and its Internet of Things variant, has discovered the obvious – that people cannot be trusted to secure their connected devices.

Thibaut Rouffineau, evangelist for Ubuntu Core and the Internet of Things, admitted late last week that developers and IoT device makers know people seldom update the firmware of connected devices. But, he argues, they probably don't realize how bad the security situation has become.

The distro maker says it surveyed 2,000 folks about how they dealt with connected devices. It found that less than a third of respondents (31 per cent) installed updates as soon as they were available. Some 40 per cent never knowingly updated their devices.

"In other words, consumers are leaving their devices open to exploits and hacks, from DDoS attacks to invasions of personal privacy or theft of personal data," said Rouffineau.

Why such disinterest? According to Rouffineau, almost two thirds of respondents felt that keeping software updated – their security – was not their responsibility.



This discussion has been archived. No new comments can be posted.
  • (Score: 5, Insightful) by Anonymous Coward on Thursday December 22 2016, @09:30AM

    by Anonymous Coward on Thursday December 22 2016, @09:30AM (#444655)

    These appliances replaced things in most homes that did not require further maintenance before. People (rightfully) expect replacements to be a drop-in solution.

    • (Score: 2) by Lagg on Thursday December 22 2016, @03:09PM

      by Lagg (105) on Thursday December 22 2016, @03:09PM (#444729) Homepage Journal

      Well when you abstract and centralize the everloving shit out of things for long enough things like KISS and air gaps just start looking like a band and a shoe. Also I notice people expect things to "just work" more often now. Which still seems interesting and amusing to me when a lot of this stuff uses linux as a base kernel.

      Not that I'm without guilt when it comes to contributing to this ecosystem clusterfuck in work and side projects alike. And I use Windows 10 for anything non-dev now. But yeah. I'm never going to have an IoT appliance for reasons stated. We still occasionally mess up on drop in software let alone this.

      --
      http://lagg.me [lagg.me] 🗿
      • (Score: 4, Insightful) by mcgrew on Thursday December 22 2016, @04:04PM

        by mcgrew (701) <publish@mcgrewbooks.com> on Thursday December 22 2016, @04:04PM (#444743) Homepage Journal

        Also I notice people expect things to "just work" more often now.

        We've always expected things to "just work", although some things have always needed some maintenance, like cars, you expect the fridge to keep your beer cold and your toaster to toast bread. The trouble is we expect certain things, like furnace thermostats, refrigerators, toasters, ovens, and other household appliances to work without much maintenance (e.g., changing the furnace filter).

        We're not used to having to apply software updates to TVs, ovens, fridges, and so forth. It annoys me to no end when the thermostat flashes "change battery", because thermostats didn't used to have batteries.

        --
        No one born who could always afford anything he wanted can have a clue what "affordability" means.
        • (Score: 2) by tangomargarine on Thursday December 22 2016, @04:54PM

          by tangomargarine (667) on Thursday December 22 2016, @04:54PM (#444763)

          Back in the old days we just had a strip of metal that bent based on temperature! Damn kids, get off my lawn! :)

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
          • (Score: 1, Informative) by Anonymous Coward on Thursday December 22 2016, @06:00PM

            by Anonymous Coward on Thursday December 22 2016, @06:00PM (#444781)

            I still have one of those for my thermostat. Works like a charm.

          • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @10:49PM

            by Anonymous Coward on Thursday December 22 2016, @10:49PM (#444861)

            In my day there was just a damper we opened or closed to control how much air the fire got.

    • (Score: 4, Insightful) by meustrus on Thursday December 22 2016, @03:30PM

      by meustrus (4961) on Thursday December 22 2016, @03:30PM (#444735)

      They don't just expect it to be a drop-in solution because of history. That's how these devices were marketed.

      --
      If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
  • (Score: 5, Insightful) by Runaway1956 on Thursday December 22 2016, @09:30AM

    by Runaway1956 (2926) Subscriber Badge on Thursday December 22 2016, @09:30AM (#444656) Journal

    I buy an appliance. Dishwasher, clotheswasher, refrigerator, thermostatic control - it's a THING. It has one purpose - to perform the task for which it was designed. Chill food, wash things, control my home temperature. The damned thing doesn't have a screen on it, from which I can browse the web. It doesn't display a calculator on which I can compute math. It's a dumb gadget. Unless I read the owner's manual, cover to cover, I'm probably not going to be aware that the stupid thing ever needs to be updated.

    The failure here is not with the end user, the consumer. The failure is that idiots are selling products with built-in, totally unnecessary vulnerabilities.

    Sell me a refrigerator, please. Do NOT sell me a "smart" refrigerator with which you can spy on me and my household.

    --
    “Take me to the Brig. I want to see the “real Marines”. – Major General Chesty Puller, USMC
    • (Score: 4, Insightful) by r1348 on Thursday December 22 2016, @09:38AM

      by r1348 (5988) on Thursday December 22 2016, @09:38AM (#444657)

      It becomes your problem once you connect it to your network.

      • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @10:02AM

        by Anonymous Coward on Thursday December 22 2016, @10:02AM (#444660)

        Ugh. I knew it was trouble when my new sex doll asked for my WiFi password.

        • (Score: 4, Funny) by Anonymous Coward on Thursday December 22 2016, @10:17AM

          by Anonymous Coward on Thursday December 22 2016, @10:17AM (#444664)

          Sex Doll will leave you as soon as she gets her online degree in feminist studies.

          • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @01:57PM

            by Anonymous Coward on Thursday December 22 2016, @01:57PM (#444710)

            Hahahaha a feminist degree? That bot will leave you once she finds a man with deeper pockets on some hook-up site. She doesn't need a fucking degree to figure that out!

        • (Score: 5, Funny) by MostCynical on Thursday December 22 2016, @10:34AM

          by MostCynical (2589) on Thursday December 22 2016, @10:34AM (#444668) Journal

          She's cheating on you (with the toaster, the fridge, and likely helping a DDOS even when you're keeping her... "busy").

          --
          "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 1, Insightful) by Anonymous Coward on Thursday December 22 2016, @06:07PM

        by Anonymous Coward on Thursday December 22 2016, @06:07PM (#444785)

        It *is* your problem. However, lets say you actually *WANT* to update the thing.

        Take for example my TV. 2011 state-of-the-art neato LED 55 inch TV. Still works very nicely. 0 firmware updates in the past 4 years after 3 right when I first bought it. Despite the number of known high-profile root exploits that have come out for Linux. Oh, did I mention that? The thing has an ssh port, some sort of web server, and a proprietary command port, all open. It is running a 2010 BusyBox distro under the covers. There are no updates for that TV and there never will be. Then, for icing on the cake: the thing reports back to the manufacturer every time I push any button on it.

        Then lets say for the sake of argument it DOES get some sort of malware/virus on it. How do I get rid of it? Will a firmware reinstall work? Can I actually get one? What if the malware borked the GUI/command to get at it? No company is going to RMA a 6 year old TV.

        We can continue to pretend that manufacturers actually give a damn and make these magical patches. Is there a built-in update system? Does it work 100% of the time? Do I as an end user have any control over it, or will it just update randomly (like my PS3/PS4) right when I want to use it? If I do have any control, does it nag me all the time? If it does not, how do I as an end user find out about the new patches?

        I did the only sane thing. I unplugged it from my network.
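The comment above lists three services the TV exposes to the LAN (ssh, a web server, a vendor command port) with no prospect of a patch. Before deciding whether to unplug a device, the practical first step is to enumerate what it actually listens on. The block below is an added example, not code from the original thread or from any vendor: a plain TCP connect scan with a short banner grab, which is enough to tell an ssh daemon (it announces itself with an SSH- line) from a service that waits for the client to speak first. To keep it runnable offline, demo() starts a throwaway listener on 127.0.0.1 that imitates the ssh banner; the banner string, port choice and host are constructed, not taken from any real device.

```python
"""TCP connect scan with banner grab, for inventorying what a LAN gadget exposes.

Added example for the thread above; not code from the original post or any vendor.
The listener in demo() is a constructed stand-in for a device's ssh port.
"""
import socket
import threading


def probe(host: str, port: int, timeout: float = 1.0) -> dict:
    """Attempt a TCP connection; on success, read whatever the service sends first."""
    result = {"port": port, "open": False, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(0.5)
            try:
                result["banner"] = s.recv(64).decode("ascii", "replace").strip()
            except (socket.timeout, OSError):
                pass  # service expects the client to talk first (typical for HTTP)
    except OSError:
        pass  # refused, filtered, or timed out: treat as not open
    return result


def classify(banner: str) -> str:
    """Crude service identification from the first bytes a service volunteers."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner:
        return "unknown-with-banner"
    return "silent"


def scan(host: str, ports, timeout: float = 1.0) -> list:
    """Return one record per open port, with a service guess attached."""
    found = []
    for port in ports:
        r = probe(host, port, timeout)
        if r["open"]:
            r["service"] = classify(r["banner"])
            found.append(r)
    return found


def _fake_ssh_listener() -> int:
    """Constructed stand-in for a device's ssh port: accepts one client, sends a banner, exits."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"SSH-2.0-example\r\n")  # constructed banner, not a real daemon's
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> list:
    """Scan the fake ssh port plus a port nothing listens on; only the first should show up."""
    open_port = _fake_ssh_listener()
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # released again, so a connect to it is refused
    return scan("127.0.0.1", [open_port, closed_port])


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Against a real device you would call scan() with the device's LAN address and a port list; a connect scan is noisy but harmless, and on a box that will never see another firmware update the answer it gives is the answer for the life of the device.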

    • (Score: 2) by skater on Thursday December 22 2016, @02:05PM

      by skater (4342) on Thursday December 22 2016, @02:05PM (#444715) Journal

      Relax - you can still buy non-smart refrigerators. We just bought a set of non-smart washer and dryer.

    • (Score: 2) by tangomargarine on Thursday December 22 2016, @03:11PM

      by tangomargarine (667) on Thursday December 22 2016, @03:11PM (#444732)

      The failure here is not with the end user, the consumer. The failure is that idiots are selling products with built-in, totally unnecessary vulnerabilities.

      If nobody was buying them, they wouldn't bother to make them. So the consumer does bear some responsibility.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @03:34PM

        by Anonymous Coward on Thursday December 22 2016, @03:34PM (#444736)

        Not to mention supplying them with the wireless password. This shit doesn't happen to innocent victims. It happens to negligent idiots with too much money thinking it's all magic.

        • (Score: 3, Insightful) by tangomargarine on Thursday December 22 2016, @04:51PM

          by tangomargarine (667) on Thursday December 22 2016, @04:51PM (#444762)

          To be fair, that's very much something computer companies are encouraging these days. "Just put the CD in and MAGIC!" No, it's not magic; it's a bunch of code that tries to plan for various contingencies, but it's not psychic, or magic, and it doesn't know perfectly what you want every time.

          You'd think it would be a better idea to have the thing prompt you for a password out of the box before it's usable. But impatient people would probably bitch about that, so instead we have thousands of people wide open to hacking.

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by TheRaven on Thursday December 22 2016, @05:34PM

        by TheRaven (270) on Thursday December 22 2016, @05:34PM (#444771) Journal
        The question is why people are buying them. Are they buying them because the manufacturers bundle services with them from people who pay them, making them cheaper than the dumb versions? Are they buying them because they see the word 'smart' and think that must be better than 'dumb'? Are they buying them because they actually want the features that they provide? Are they buying them because the shop doesn't have any dumb variants in stock? I'd guess that a very small percentage are buying them because they actually want the features and, of those, an even smaller proportion understand the negatives (obsolescence from lack of updates, attack surface on their home network, dependence on third-party services, and so on).
        --
        sudo mod me up
        • (Score: 2) by tangomargarine on Thursday December 22 2016, @05:38PM

          by tangomargarine (667) on Thursday December 22 2016, @05:38PM (#444772)

          Are they buying them because the shop doesn't have any dumb variants in stock?

          Yeah, I wonder how much this is a factor. Like the last time I was looking to buy a car: huge lot and they had IIRC 4 manuals.

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 2) by LoRdTAW on Thursday December 22 2016, @06:59PM

      by LoRdTAW (3755) on Thursday December 22 2016, @06:59PM (#444806) Journal

      Hey! How are they going to monetize your washing/eating/HVAC/etc. habits? The nerve of some people. I mean, without knowing how often you wash your clothes or how dirty they are, how else would they target you for Tide and Clorox ads? Or the fact that you enjoy dairy, maybe you should invest more in buying Dannon yogurt? Or your dishwasher would perform better with new and improved Cascade or some shit? For fuck's sake, they NEED a perpetual revenue stream even after they sold you the damn thing.

  • (Score: 2, Insightful) by Vokbain on Thursday December 22 2016, @10:02AM

    by Vokbain (2372) on Thursday December 22 2016, @10:02AM (#444659)

    To be honest I'm more concerned about the security of the shitty PVR and TV receiver boxes I get from my provider than I am about my Philips Hue lights and other automation swag.

    Apparently they update themselves periodically, but they're still running some version of Windows CE.

    Fortunately the Hue app lets me know when it's time to update, but I have no idea what changes are made on the PVR updates, or even when it happens (unless I'm watching at the time and it jacks up my shows).

    • (Score: 4, Insightful) by MostCynical on Thursday December 22 2016, @10:37AM

      by MostCynical (2589) on Thursday December 22 2016, @10:37AM (#444670) Journal

      Worse is that you have no idea if an update is patching a vulnerability or opening up some new spy/tracking functions, or even just bricking your device ("oops, dodgy code, please return to supplier for replacement, sorry you lost your recordings"; who am I kidding, they are never sorry)

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 4, Interesting) by Zinho on Thursday December 22 2016, @01:14PM

        by Zinho (759) on Thursday December 22 2016, @01:14PM (#444700)

        Worse is that you have no idea if an update is patching a vulnerability or opening up some new spy/tracking functions, or even just bricking your device ("oops, dodgy code, please return to supplier for replacement, sorry you lost your recordings"; who am I kidding, they are never sorry)

        If only this were a hypothetical risk, as opposed to something that actually happened, recently, with Philips Hue systems specifically. [duckduckgo.com] Bonus: it was intentional, not a bug. No, they weren't sorry. [meethue.com]

        --
        "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
        • (Score: 2) by butthurt on Thursday December 22 2016, @10:58PM

          by butthurt (6141) on Thursday December 22 2016, @10:58PM (#444866) Journal

          This is linked from the top of the page you linked (emphasis mine):

          We would like to let you know that we’ve rolled out worldwide software that replaces the previous 1.11 software update of Philips Hue. This means that lights from other brands will work as before with the Philips Hue system using interoperability provided by ZigBee Light Link.

          -- https://developers.meethue.com/documentation/3rd-parties-and-homekit [meethue.com]

          It goes on to say (if I understand correctly) that the compatibility with Apple HomeKit will remain disabled. At least, though, they did reverse part of what they'd done (assuming they're not lying).

          • (Score: 2) by Zinho on Friday December 23 2016, @03:02PM

            by Zinho (759) on Friday December 23 2016, @03:02PM (#445032)

            Yes, they did roll back the change that bricked 3rd party lights.

            No, Philips doesn't think that was the best solution. They are convinced that blocking 3rd party/non-"friends of Hue" products is the best solution and their corporate non-apology is very clear about that. They rolled it back after a wave of sharp, vocal criticism from first adopters with lots of social media influence called them out. Philips is on my "do not buy" list, right next to Sony, due to this shenanigan. Advertising yourself as being an implementation of an open standard (ZigBee, in this case) and then transforming into an incompatible walled garden with no warning via software update is a Wheaton's Law violation.

            That said, I don't really fault Philips for excluding the Apple products. Apple is also attempting to build a walled-garden lighting ecosystem, intentionally incompatible with off-the-shelf components. And they'll get away with it, because they're Apple. Philips has no responsibility, neither to their own customers nor to Apple's, to interoperate with a system that isn't even trying to implement the same standard.

            --
            "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
      • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @04:33PM

        by Anonymous Coward on Thursday December 22 2016, @04:33PM (#444758)

        Worse is that you have no idea if an update is patching a vulnerability or opening up some new spy/tracking functions...

        Welcome to the world of Android updates. Sure, there is a patch to fix the terrible vulnerability in the system or that app. But before you can get it, you now have to agree to let it snoop on your calls, location, and contact list.

        • (Score: 2) by tangomargarine on Thursday December 22 2016, @04:59PM

          by tangomargarine (667) on Thursday December 22 2016, @04:59PM (#444766)

          If you're lucky enough to get updates for your Android device that's more than a year old at all. Very lucky.

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
          • (Score: 1) by Francis on Thursday December 22 2016, @06:01PM

            by Francis (5544) on Thursday December 22 2016, @06:01PM (#444782)

            That's why Google has been moving more and more Android functionality into the playstore.

            It's definitely not an appropriate solution, but it's far better than it used to be where 100% of the patching had to be done by the carrier who mostly wouldn't do any because they've got waivers for any responsibility on file.

            • (Score: 2) by butthurt on Thursday December 22 2016, @11:15PM

              by butthurt (6141) on Thursday December 22 2016, @11:15PM (#444868) Journal

              Hasn't Google been creating proprietary apps to supplant more and more Android functionality? Open-source apps are possible (witness F-Droid) but that's not what Google is doing:

              Google's update setup has the odd stipulation that easily updatable code must also be proprietary Google code. There's no reason Google can't use this "app-style distribution" to ship open source code just as easily [...]

              --
              http://arstechnica.com/gadgets/2016/11/android-extensions-could-be-googles-plan-to-make-android-updates-suck-less/ [arstechnica.com]

              Google's licencing arrangement for those apps provides that all of them must be included--one cannot pick and choose. It smells like anti-competitive bundling.

  • (Score: 2) by mmcmonster on Thursday December 22 2016, @01:45PM

    by mmcmonster (401) on Thursday December 22 2016, @01:45PM (#444705)

    Frankly, I'm not concerned about IoT devices ... so long as I had better router software.

    Currently my router default has a single zone for all devices attached. Would be nice for the software to default to two zones: Trusted and nontrusted. Trusted devices get access to each other and shares on the network. Untrusted get a separate zone with access to other devices on that zone and internet only.

    It would be nice for some way for a phone to be on the trusted network but the phone apps able to control the IoT devices.

    Router updates would solve a big part of this.
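The two-zone layout the comment asks for is easy to state precisely: anything in the trusted zone may open connections to anything (including the IoT zone, which is what lets a phone app on the trusted side drive the gadgets); an IoT device may talk to other IoT devices and to the internet, but may not open a connection toward the trusted zone; replies to connections already accepted flow back regardless of direction. The block below is an added example, not code from the original post or from any router firmware: the policy as a decision function, plus the same policy rendered as an nftables forward chain. The subnet addresses, table and chain names are assumptions chosen for illustration.

```python
"""Two-zone home firewall policy: trusted LAN versus an untrusted IoT segment.

Added example for the comment above; not from the original thread or any router project.
Zone addresses and nftables table/chain names are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed layout: a trusted LAN and a separate IoT segment behind the same router.
TRUSTED = ipaddress.ip_network("192.168.10.0/24")
IOT = ipaddress.ip_network("192.168.20.0/24")
ZONES = {"trusted": TRUSTED, "iot": IOT}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    new: bool = True  # True for a connection-initiating packet, False for an established reply


def zone_of(ip: str) -> str:
    """Map an address to 'trusted', 'iot', or 'internet' (anything outside both zones)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def decide(flow: Flow) -> str:
    """Return 'accept' or 'drop' for a forwarded flow under the two-zone policy."""
    if not flow.new:
        return "accept"  # reply traffic for an already-accepted connection
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == "internet":
        return "drop"  # nothing unsolicited from outside reaches either zone
    if src == "trusted":
        return "accept"  # trusted may reach trusted, iot, and the internet
    if dst in ("iot", "internet"):
        return "accept"  # iot may talk among itself and to its vendors
    return "drop"  # iot may not initiate toward the trusted zone


def render_nft() -> str:
    """Render the identical policy as an nftables ruleset (rule order matters)."""
    return "\n".join([
        "table inet zones {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {TRUSTED} accept",
        f"    ip saddr {IOT} ip daddr {TRUSTED} drop",
        f"    ip saddr {IOT} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(render_nft())
```

The drop-before-accept ordering for the IoT source is what makes the segment one-way; swap those two rules and the rendered ruleset silently stops matching decide(). On hardware that runs stock firmware the same split usually needs a guest network or VLAN feature rather than a hand-written ruleset, which is the comment's point about router software.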

    • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @04:03PM

      by Anonymous Coward on Thursday December 22 2016, @04:03PM (#444742)

      Router updates would solve a big part of this.

      Yes, they would. The manufacturer of my router hasn't published a firmware update in almost 2 years. 2 years. I can't start to imagine all the vulnerabilities that haven't been fixed. As with most people here, I'm going to a self-managed router using open-source firmware, so I at least have a choice to upgrade or not.

      • (Score: 2) by HiThere on Thursday December 22 2016, @09:07PM

        by HiThere (866) on Thursday December 22 2016, @09:07PM (#444838) Journal

        I don't know about most people, but for me a router *should* be a dumb switch, the way it used to be. The multiple zones in one router is a nice suggestion, but I tend to think of using two routers to achieve that. And I've got to admit I don't update my router software, but the only things on it are my computer and my printer. So far I've avoided all IoT gadgets. And whenever I read one of these articles I congratulate myself for doing so. For that matter, I don't store financial information on my computer, or do internet banking. It just seems too risky an activity. But I can't avoid all risks. I *do* use a credit card. So every time I use it I know I'm exposing myself to risk. But you can't avoid risk. Storing money in the bank involves trusting the bank and the government (to certain extents). Carrying cash around involves trusting passing strangers. Etc. You decide where your payoff is, and for me the payoff of IoT has never seemed positive.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @09:08PM

      by Anonymous Coward on Thursday December 22 2016, @09:08PM (#444839)

      Default firmware on routers is pretty universally awful. Luckily installing something usable is pretty simple for a techie. I like Tomato but DD-WRT supports a lot more devices. They allow making multiple networks. Of course, any solution that requires the user to be knowledgeable doesn't scale.

  • (Score: 5, Insightful) by bzipitidoo on Thursday December 22 2016, @01:49PM

    by bzipitidoo (4388) on Thursday December 22 2016, @01:49PM (#444706) Journal

    That we have to jailbreak our own property is bull. That there are reasons to want to jailbreak devices is more bull. The walls of the walled gardens are insidious.

    For example, my "smart" TV is corporate controlled and restricted to the max. The TV can surf the Internet, but has been artificially limited to only a few major websites such as YouTube, Hulu, Netflix, Amazon Prime, and about a dozen others all related to corporate controlled video. Definitely no Pirate Bay. Then it has "features" such as not only not blocking ads on YouTube, it does not allow the user to skip the first several seconds of an ad. The TV manufacturer controls firmware updates. Thing is programmed to download and install updates automatically if you have it hooked up to the Internet.

    For another example, I have a Netgear router/modem (model N450), which I recently learned I do not control. I own the thing, I do not rent it. The firmware can be updated, but guess what? The owner can't update the firmware, only the owner's ISP can do that. Can the owner simply prevent updates? No. Recently, the ISP I'm with merged with another. As part of this merger, they switched to the other ISP's firmware for my device, and this caused problems. Since that firmware update that I was not so much as informed happened, the thing has to be reset every few hours, or the WiFi drops out and packets get delayed longer and longer, making Internet telephony unusable. That was 2 months ago, and they have done nothing to fix the problem they caused, haven't even acknowledged that they screwed it up. You know how corporate bureaucracies are.

    Secure our IoT gadgets? Haha, they aren't even really our property! For those few of us who want to be "responsible", we first have to pry them loose from corporate control. First secure them from the kind of negligence monopolistic behemoths are wont to practice. To update is to risk them slipping back into corporate control. Never know when an "update" will actually be further restrictions. Remember that Sony removed Linux support from their PlayStation 3 with an "update". Microsoft is another who has repeatedly abused the trust of their users in similar fashion. Remember how hard they made users work to stop Windows 7 and 8 from being forcefully updated to Windows 10.

    I love these articles that blame us on the assumption that we actually control our own property.

    • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @03:20PM

      by Anonymous Coward on Thursday December 22 2016, @03:20PM (#444733)

      The TV can surf the Internet, but has been artificially limited to only a few major websites such as YouTube, Hulu, Netflix, Amazon Prime, and about a dozen others all related to corporate controlled video.

      But that is what you are buying, a device that adds streaming capability to selected services. You are not buying a general purpose computer with a TV screen attached. If you want that, there are other solutions. The problem, with at least this specific example, is your expectation of what you think you should get. I doubt you would make the same criticisms of your "smart" refrigerator, but since your "smart" TV looks and acts a lot like a computer, you extend expectations onto it that you probably shouldn't.

      • (Score: 2) by bzipitidoo on Thursday December 22 2016, @04:15PM

        by bzipitidoo (4388) on Thursday December 22 2016, @04:15PM (#444749) Journal

        > But that is what you are buying

        It is not clear that the smart TV is crippled. It is obvious (to me and many others) that the smart TV is in fact a general purpose computer, preloaded with software/firmware. So why shouldn't it be able to view any website? Run any browser? I suppose it's possible that it has dedicated hardware decoders for various compressed video formats such as H.264, and only just enough memory to stream video and run a very limited interface. But I doubt that. I should think a smart TV has more hardware resources than dedicated firewall or router hardware, and it is possible to install Linux on them. It's definitely not lack of capability. Is the buyer supposed to believe and accept that the TV isn't capable, that it's a special purpose gadget, which is not true, and not even ask questions about why it isn't programmed with the ability to surf the entire Internet? That it's like an old dumb TV, only an incremental enhancement of those? Evidently so, or maybe they'd call it by some other name than "smart TV." A video cassette player can't play a DVD, as it simply lacks the physical interface, and everyone understands that. But this smart TV?

        They don't make it clear just what is meant by "smart TV". Not the first time they've made a confusing mess of consumer electronics for entertainment.

        • (Score: 1, Interesting) by Anonymous Coward on Thursday December 22 2016, @07:24PM

          by Anonymous Coward on Thursday December 22 2016, @07:24PM (#444814)

          Yeah, the "you know what you're buying" is such a crappy line of defense. It is the same line of thinking that initially had tethering your laptop to your phone costing $10 for the privilege (with no extra data), or selling $500 routers that simply had some software enabled. There is no logistical reason for such moves, just greedy profiteering.

    • (Score: 2) by Hyperturtle on Thursday December 22 2016, @04:29PM

      by Hyperturtle (2824) on Thursday December 22 2016, @04:29PM (#444755)

      That's too bad that you learned this the hard way.

      I've learned myself to never buy a cable modem or dsl router that has a combination of services. Only buy a direct connection that allows you to hook the internet, and something fancy on your side. You can go all out on what you have on your LAN; if the ISP controls the internet connection then don't let them control your fancy device. Get a less expensive/specific purpose device for that.

      You will never control the firmware on the router or modem that provides you the internet connection with residential broadband. Never. You can always control the network devices you connect to it, unless you buy something specifically giving it up to the cloud anyway. Then it's just a matter of having split up your loyalties to different masters.

      I have a cable modem that I bought, not because I wished to own a cable modem, but because the rental fee for 10 months of use exceeded the cost of the best "dumb" modem I could buy at the time. It's paid for itself in the savings; the lease costs per month have only gone up. (I did have to return the previous modem back to the ISP, and get a receipt demonstrating this so that I did not pay for it indefinitely.)

      Connected to that I have other stuff that I control; I even recently used some of that to block automatic telemetry from video card and solid state disk drivers... by installing these I agree to be spied on and my info shared with valued business partners? Sure, let me watch it try to connect so I can block it, thanks. What are they going to do to me? Not download updates without asking? Sounds like a fair trade to me.

      It's not enough to set such limits per PC; and if I did it on equipment someone else managed... MS ignores the hosts file and Windows firewall rules for the telemetry to their own stuff. AMD opened ports on the Windows firewall to let itself talk and the preferences ignored my settings to "don't check for updates, don't nag me"; it only stopped when I blocked its access.

      New stuff will continue to do this; to exert control, you need something on your network that not only you control, but isn't dependent on the ISP or running on top of your desktop (or even a server that might allow things out due to various wizards). IoT stuff likely should have its own network segment so you can just turn all that off or greatly limit it without thinking much about it, and be able to do so without impacting your regular use network.

      It may sound like a bit much, but viable options include DD-WRT on old consumer hardware; if you get too cheap it'll slow you down (slow radios or interfaces or cpu), unless you have the device act on the network as an appliance/tiny server, rather than in-line like a router or firewall (use it like a proxy or DNS server for filtering, or as an access-point with the same features enabled as well on the wired side, so that you get some additional use out of it).

      That can do the trick quite inexpensively. The real issue is learning how to do it, and it might take time... but the good news is that you don't have to do it all at once. You can keep using what you have and migrate away from it, then treat the modem as a dumb device beyond your firewall.
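The comment's "let me watch it try to connect so I can block it" works because a router you control can log every new connection leaving the IoT segment, and the set of destinations a gadget legitimately needs is short. The block below is an added example, not code from the original post or from DD-WRT or any other firmware: it reads netfilter-style log lines, keeps one finding per (source, destination, port), flags anything that crosses into the regular-use segment or that is not on that device's allowlist, and renders the drop rules to add. The log lines, the subnet, the allowlist and the nftables table/chain names are all constructed for the example.

```python
"""Audit outbound connections from an IoT segment against a per-device allowlist.

Added example for the comment above; not from the original thread or any router firmware.
Log lines, addresses, allowlist and nft table/chain names are constructed.
"""
import ipaddress
import re

# Assumption: the regular-use LAN that IoT devices must never initiate toward.
TRUSTED = ipaddress.ip_network("192.168.10.0/24")

# Fields as written by the netfilter LOG target (iptables/nftables 'log' with a prefix).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)"
)

# Constructed sample: four new connections logged from the IoT bridge, not captured from a real device.
SAMPLE_LOG = """\
Dec 22 09:20:01 gw kernel: IOT-OUT IN=br-iot OUT=eth0 SRC=192.168.20.7 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443
Dec 22 09:20:05 gw kernel: IOT-OUT IN=br-iot OUT=eth0 SRC=192.168.20.7 DST=198.51.100.20 PROTO=TCP SPT=51235 DPT=80
Dec 22 09:20:07 gw kernel: IOT-OUT IN=br-iot OUT=br-lan SRC=192.168.20.7 DST=192.168.10.5 PROTO=TCP SPT=51236 DPT=445
Dec 22 09:21:00 gw kernel: IOT-OUT IN=br-iot OUT=eth0 SRC=192.168.20.8 DST=203.0.113.10 PROTO=UDP SPT=5353 DPT=5353
"""

# Assumed allowlist: the one vendor host each known gadget legitimately talks to.
# A device absent from the map is unknown, so everything it does is flagged.
ALLOWLIST = {"192.168.20.7": {"203.0.113.10"}}


def parse(log_text: str):
    """Yield one dict per log line that carries the fields we need; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def audit(log_text: str, allowlist: dict) -> dict:
    """Map each unexpected (src, dst, dport) to a reason; allowed flows produce nothing."""
    findings = {}
    for rec in parse(log_text):
        key = (rec["src"], rec["dst"], rec["dport"])
        if key in findings:
            continue  # report each distinct flow once, however many times it retried
        if ipaddress.ip_address(rec["dst"]) in TRUSTED:
            findings[key] = "lan-crossing"
        elif rec["dst"] not in allowlist.get(rec["src"], set()):
            findings[key] = "unexpected-destination"
    return findings


def block_rules(findings: dict) -> list:
    """Render one nft drop rule per flagged (src, dst) pair; names are constructed."""
    pairs = sorted({(src, dst) for (src, dst, _dport) in findings})
    return [f"nft add rule inet zones forward ip saddr {src} ip daddr {dst} drop"
            for src, dst in pairs]


if __name__ == "__main__":
    found = audit(SAMPLE_LOG, ALLOWLIST)
    for key, reason in found.items():
        print(reason, key)
    for rule in block_rules(found):
        print(rule)
```

Run against a real router, the input is whatever your firewall writes for new connections from the IoT interface, and the allowlist grows as you decide which destinations a device needs to keep working. Anything that shows up as lan-crossing is the case the comment warns about: a gadget on the wrong side of the segmentation, and the reason the segment exists.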

      • (Score: 2) by bzipitidoo on Friday December 23 2016, @04:26AM

        by bzipitidoo (4388) on Friday December 23 2016, @04:26AM (#444923) Journal

        It's not that I didn't know there were risks. It's a judgment call. Is it worth my time to thoroughly investigate networking hardware? I really do not want to spend time on that. Should I have to, to avoid corporate control of my LAN? I should also spend time backing up my data, setting up anonymous browsing and file transfer services, keeping Windows on a tight leash and scanning for viruses, blocking spam, jailbreaking my tablets and smartphones, flashing Rockbox to my music players, hacking around DRM on inkjet cartridges and copy protection on DVDs, etc. I've tried to find broadband Internet service that's not enrolled in one of the more recent abominations from Big Media, the Copyright Alert System, but so far, no luck.

        I do most of that crap, and I get tired of the endless battling in these long wars. I don't want to be a reactionary system admin, I have more interesting and positive work I wish to do, like keep up with the latest in software engineering. I still feel confident that the people will eventually win these wars. But it's been over 30 years now, and many vendors are still bedazzled over the whole idea of intellectual property, still think they're within their rights to lock up information, accuse the whole world of wanting to pirate their works, spy on their customers, demand ridiculous legal protections at great public expense, run absurd and insulting propaganda campaigns, and whine about the very laws of nature making DRM impossible to successfully implement.

        When will this attitude ever change? I'd like to see the law enforcement badges and the scare language and propaganda banned from rental DVDs and all other video products. Most definitely, I wish we'd sanction companies who write unenforceable and overreaching EULAs, put a permanent end to that practice. Maybe precedent could be the case over the billboard in a predominantly poor part of a city warning voters that it was a federal crime to cast a vote under a fake ID, punishable by up to 10 years in prison. It was so obviously designed to scare voters away, and the courts ordered the billboard taken down.

        We've made great strides in product safety. Manufacturers used to be a lot more cavalier about the dangers of their more dangerous products, too quick to blame it all on the customers whenever someone got hurt. Automobiles in particular have made huge advances in safety since the 1950s. Yet they remain one of the leading causes of early death. There used to be all kinds of use of radioactive materials before we understood the dangers of radiation. Now we don't use it casually-- no more radioactive watch dials! So I have hope.

  • (Score: 3, Insightful) by Snotnose on Thursday December 22 2016, @02:14PM

    by Snotnose (1623) Subscriber Badge on Thursday December 22 2016, @02:14PM (#444719)

    My understanding is a lot of the problems are "secret" logins that the consumer doesn't even know about. The other issue is default passwords that can't be changed.

    I'll buy an IoT device when I'm satisfied they have their secure act together. I'll probably die first.

    --
    Every time a Christian defends Trump an angel loses its lunch.
    • (Score: 4, Interesting) by Immerman on Thursday December 22 2016, @03:05PM

      by Immerman (3985) on Thursday December 22 2016, @03:05PM (#444726)

      And for that class of vulnerability it seems like something that would be so easy to make virtually iron-clad. Most such devices rarely need to be reconfigured, so just require pushing a physical button on the device to permit logins.

      Heck, most probably already have a "hold to reset" button to debork a bad configuration, so it should be relatively easy to just add an idiot-friendly multistage login that pops up a message saying "Please tap the reset button (Briefly!) within 1 minute to finish logging in". You could even add a nice photo of the device showing exactly where the button is located for convenience.

      For maximum flexibility, make it something that can be disabled with a setting somewhere that only people who know what they are doing are ever likely to mess with.
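
Immerman's two-stage, button-gated login as an added example (not code from the post or from any product): the password check first, then a brief tap within 60 seconds, with the opt-out setting for people who know what they are doing. The 60-second window is from the comment; the 2-second tap-versus-hold threshold and all class and method names are my assumptions.

```python
import hashlib
import hmac
import os
import secrets

CONFIRM_WINDOW_S = 60   # window for the physical tap, as in the comment above
MAX_TAP_S = 2.0         # assumption: anything longer is "hold to reset", not a confirmation


class PresenceGatedLogin:
    """Two-stage login: valid password, then a short tap on the device's reset button."""

    def __init__(self, password: str, require_button: bool = True):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.require_button = require_button   # the "advanced users only" opt-out setting
        self.pending_deadline = None           # time by which the tap must arrive
        self.sessions = set()

    def _password_ok(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)   # constant-time compare

    def begin_login(self, password: str, now: float) -> str:
        """Stage 1: returns a session (gate disabled), a prompt for the tap, or a denial."""
        if not self._password_ok(password):
            return "denied"
        if not self.require_button:
            return self._grant()
        self.pending_deadline = now + CONFIRM_WINDOW_S
        return f"Please tap the reset button (briefly!) within {CONFIRM_WINDOW_S} s"

    def button_event(self, pressed_at: float, released_at: float) -> str:
        """Stage 2: only a short tap inside the window completes the pending login."""
        if released_at - pressed_at > MAX_TAP_S:
            self.pending_deadline = None       # a hold is the reset path, never a confirmation
            return "hold: reset path, pending login cancelled"
        if self.pending_deadline is None or released_at > self.pending_deadline:
            self.pending_deadline = None       # unsolicited or late tap does nothing
            return "ignored"
        self.pending_deadline = None           # single use: a second tap would be ignored
        return self._grant()

    def _grant(self) -> str:
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return "session:" + token

    def is_logged_in(self, token: str) -> bool:
        return token in self.sessions
```

A tap that arrives with no pending password stage, or after the window closes, is simply dropped, so a remote attacker with a stolen password still needs someone at the device.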

  • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @03:27PM

    by Anonymous Coward on Thursday December 22 2016, @03:27PM (#444734)

    *Pshaw* IoT (Internet-of-Things) is so passé.

    The GoT (Grid-of-Things) is the new wave and my solar panels are feeding it daily ^_^
    Caveat: the barrier to entry for IoT is much, much lower than for GoT.

    Nobody cares if your IoT device becomes a node in a gigantic botnet that takes down medical equipment in a hospital or crashes an airport.
    Just buy and plug-and-go, like a dishwasher or fridge or washing machine or hairdryer or lamp or microwave-oven or water-heater or ...

    To connect your GoT however, a ton of permits and certificates and permissions are required else your GoT might destabilize the Grid and then ... oh wait.

    • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @04:09PM

      by Anonymous Coward on Thursday December 22 2016, @04:09PM (#444745)

      I'm not well sited for solar (too many big trees in the yard), but if I ever decide to add panels, I'm inclined to set up a non-grid connected system. For example, enough panels to keep some batteries charged on average, and an inverter to run the constant loads in the house like computers and the cable box that is always on.

      Your experience with hooking to the grid reinforces this train of thought...

      • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @07:59PM

        by Anonymous Coward on Thursday December 22 2016, @07:59PM (#444820)

        I'm not well sited for solar (too many big trees in the yard), but if I ever decide to add panels, I'm inclined to set up a non-grid connected system.

        That's how you multiply the costs a few-fold. There is a reason why storage, not production, is the problem for solar and wind.

  • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @04:32PM

    by Anonymous Coward on Thursday December 22 2016, @04:32PM (#444756)

    The fact that Canonical/Ubuntu is acting surprised is ridiculous. They have been asked by users to fully automate Ubuntu updates for years now. They've also been asked to make it a rolling release so that distribution upgrades can go away as well. They've responded like many here will want to respond concerning stability, etc. FFS, just b/c you have a rolling release doesn't mean you have to only have a bleeding edge track. You could have two or three tracks for users to choose from: bleeding edge, normal and dinosaur. The work for devs would be the same. It's all the same packages; just later, more fixed versions go into the slower tracks. All of that could be automated too. Fully automate package updates and just let users pick their stability/safety level. Users could also choose to do their updates themselves, if they wanted, but I would suggest that auto be default for distros like Ubuntu. This should have been obvious and implemented (if you're a commercial entity like Canonical) for years now.

    • (Score: 1, Insightful) by Anonymous Coward on Thursday December 22 2016, @07:26PM

      by Anonymous Coward on Thursday December 22 2016, @07:26PM (#444815)

      you could have two or three tracks for users to choose from. bleeding edge, normal and dinosaur.

      Unstable, Testing, Stable.

      Oh, right... NIH!

      Sorry, I thought we wanted to actually do something right and not just hipster-new.

    • (Score: 2) by tibman on Thursday December 22 2016, @08:58PM

      by tibman (134) Subscriber Badge on Thursday December 22 2016, @08:58PM (#444837)

      The problem is when you have a box that has been offline or unable to get updates and it tries to go from very old to current. Rolling releases are stable when upgraded on schedule. But when you leap updates you can get unpredictable behavior. Gentoo, I'm looking at you. An IoT device probably shouldn't be running individual updates at all. The entire ROM should be updated in one shot. That way if a device has been rooted (by an external hostile party) it gets fixed. Just upgrading the vulnerable package wouldn't perform any device cleanup.

      --
      SN won't survive on lurkers alone. Write comments.
  • (Score: 5, Insightful) by DannyB on Thursday December 22 2016, @04:33PM

    by DannyB (5839) Subscriber Badge on Thursday December 22 2016, @04:33PM (#444757) Journal

    I suggest that the fix is to place financial liability for damages caused upon the manufacturer of the product that participated in a DDoS botnet causing damages.

    Think about it.

    When I buy a toaster, I don't expect it to burn my house down. There are even labs that test products for such safety so those products can earn a certification that either increases the consumer's trust, or meets some regulatory requirement.

    Similarly, when I buy a printer, or a webcam, or a Telescreen (Smart TV with built-in webcam and mic), I don't expect it to get hacked and participate in a DDoS botnet.

    If the manufacturer is incapable of making it secure, then don't put a computer in it. Or if it has a computer, don't connect it to the net.

    The manufacturer would have to spend more on making products as secure as possible. No more sloppy practices. Back doors. Default admin passwords. Etc. They would need to be as sure as they can possibly be that their product is unlikely to get hacked. This will increase the cost of smart products. But this is a good thing because it removes the cost from the increasing numbers of victims of the attacks. The cost of the security is probably also smaller than the cost of not having it will be in the long run.

    It will probably become an industry cooperative effort. When companies aren't looking to cut as many corners as possible, but instead are looking to be as secure as possible, they will probably work together towards better security, which will help all of them be better at it.

    Just to head this off: I'm not proposing some form of government regulation, other than placing the liability for damages caused on the manufacturer. No government technical standard, or testing labs.

    --
    Q. How much did Santa's sled cost?
    A. Nothing. It was on the house.
    • (Score: 2) by sjames on Saturday December 24 2016, @06:51PM

      by sjames (2882) on Saturday December 24 2016, @06:51PM (#445618) Journal

      It'll take more than that. To get people to actually let the updates happen, we'll have to actually make corporations pay when they sneak a new limitation in with the update or where they break existing functionality in any way. Feature removal must equal a big fat refund. Not a coupon for a free stick of gum with your next $1000 purchase, an actual full refund. People bought the thing based on the features of the product. If it no longer has them, why shouldn't they have their money back?

  • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @11:44PM

    by Anonymous Coward on Thursday December 22 2016, @11:44PM (#444871)

    Why should the user need to track updates, download and apply the firmware?

    IoT objects are connected to the internet, and so they should automatically query updates from the vendor and apply them immediately.

    Maybe also provide a manual update path for people who want to be "in control" of their objects, or when the vendor ends support after a few years.

    The botnet of cheap Chinese IP cameras that made a DDoS a few weeks ago did not even have the *capability* to be upgraded, and they had to be physically recalled. At the current point of technology and internet connectivity, upgrades should be mandatory.