Mass hacking seems to be all the rage currently. A vigilante hacker apparently slipped secure code into vulnerable cameras and other insecure networked objects in the "Internet of Things" so that bad guys can't corral those devices into an army of zombie computers, like what happened with the record-breaking Mirai denial-of-service botnet. The Homeland Security Department issued alerts with instructions for fending off similar "Brickerbot malware," so-named because it bricks IoT devices.
And perhaps most unusual, the FBI recently obtained a single warrant in Alaska to hack the computers of thousands of victims in a bid to free them from the global botnet, Kelihos.
On April 5, Deborah M. Smith, chief magistrate judge of the US District Court in Alaska, greenlighted this first use of a controversial court order. Critics have since likened it to a license for mass hacking.
General warrants were a key reason cited by the Founding Fathers for their rebellion against King George.
(Score: 4, Funny) by physicsmajor on Thursday April 27, @03:11PM (7 children)
I, for one, love the precedent where we can now justify hacking to "cure" devices from dangerous and/or insecure code. Surely we're only a few steps now from removing Windows from the world!
Not entirely sarcasm, though seriously this is a dangerous precedent. Could just as easily be wielded to remotely wipe 'commonly used hacker operating systems' via something like a malicious systemd backdoor.
(Score: 0) by Anonymous Coward on Thursday April 27, @03:13PM (2 children)
RMS predicted this day would come. Government will change your root password and refuse to tell you what it is.
(Score: 2) by DannyB on Thursday April 27, @03:30PM
Many people have predicted bad things in one form or another. I still think our government is broken and cannot be fixed. General Warrants are just another symptom.
(Score: 0) by Anonymous Coward on Thursday April 27, @03:30PM
Root password? Hopefully nobody tells them about sudo! ;-)
(Score: 3, Insightful) by fyngyrz on Thursday April 27, @03:31PM (2 children)
I read the constitution, particularly the bill of rights, as a document that made many things which would have otherwise made it easier to govern, much harder, along a consistent rationale that favored the privacy, liberty and security of the citizen far over the convenience of the government. One of the things that becomes more difficult, obviously, is the government's efforts to protect the citizens from each other.
I read the fourth, in particular, as requiring some very specific and orderly objectives be accomplished before a warrant may be issued. I see no sign that this was done. In fact I see no possibility this could have been done, given the nature of the operation.
So I'm of a mind that this is just another complete end-run around the constitution by rouge elements (FBI, judiciary) of a government that habitually operates far out of its duly authorized bounds.
I can't say I'm surprised. These particular criminals are habituated as to doing end-runs around the law. The examples are many.
(Score: 1) by fyngyrz on Thursday April 27, @03:40PM
"rouge" s/h/b "rogue." Sigh.
OS X / macOS is just merciless about correcting typos, and, as in the parent, it has often taken my screwups and made them into new screwups.
I just turned the whole thing off and at least now will suffer only my own slings, arrows, and pinpricks. Too bad it's not more configurable. I wouldn't mind if it could be set up so that only hitting a distant, non-alpha/punctuation key would trigger replacement, but the indication it was thought to be needed was blatant.
<sarcasm>But Apple knows best.</sarcasm>
(Score: 2) by DannyB on Thursday April 27, @04:47PM
The fourth is now a joke. Policing has always been easy in a police state.
(Score: 2) by kaszz on Thursday April 27, @03:35PM
It's called Intel Backd^H^HManagement Engine!
Forgotten the name of the AMD equivalent.
(Score: 1, Offtopic) by c0lo on Thursday April 27, @03:15PM (3 children)
So... they should try first with sergeant warrants, or even private warrants, right?
'Cause if this isn't working, the only solution would be to colonize England and rebel against US government (a pity, though, for all the wasted tea).
('ave a grin tea cuppa)
(Score: 4, Insightful) by DannyB on Thursday April 27, @03:39PM (2 children)
General warrants, like every other abuse of power will start out as something acceptable to most people. Something that is for everyone's good. Like RICO. Like militarized police departments. Like the war on some drugs when used by certain classes of people.
(Score: 2, Insightful) by Ethanol-fueled on Thursday April 27, @05:00PM (1 child)
1. NSA mass-plants "Russian" malware on anything they can, particularly those who have been flagged as political enemies.
2. FBI mass-hacks all computers with malware, and oh lookie-here what did we find, let's pay them a visit.
3. ???
4. Profit!
Because, son, American laws, and the physical and mental gymnastics used to get around them, are just weird like that. You wouldn't believe the shit people go through to justify their budgets.
(Score: 2) by kaszz on Thursday April 27, @05:24PM
A budget is always looking for expenses to justify next year's budget. ;-)
(Score: 2) by kaszz on Thursday April 27, @03:30PM (10 children)
If people actually bothered to secure their devices. This incident would not have happened in the first place. So the advice will go unread in most cases. Once these poor IoT devices are relieved from that evil botnet. They can happily again be infected by some party the powers that are, likes better.
(Score: 3, Insightful) by DannyB on Thursday April 27, @03:45PM (9 children)
People should not have to secure their devices.
I should not have to secure my electrical wiring to be sure it doesn't burn my house down.
I should not have to secure my car from suddenly accelerating out of control.
I should not have to secure my TV.
The manufacturer should be liable for damage caused by botnets of their IoT devices. Yes, really. For the same reason I expect my toaster not to burn my house down. It will cost the manufacturer real money to pay attention to all of the possible best practices to secure their devices and deliver updates. That cost will be reflected, as it should be, in the retail price. That leads consumers to then consider whether every individual light bulb and toaster really needs an internet connection. Another effect of putting liability upon manufacturers is that it provides direct incentives for them to cooperate (imagine that!) on developing common, secure Linux distributions as a base for their IoT devices. Spread the cost and reap the benefit of open source.
(Score: 3, Touché) by kaszz on Thursday April 27, @04:05PM (3 children)
Once you invite regulations, laws and courts. It will be a corporate owned domain that will keep anyone else out using even more regulation.
(Score: 3, Interesting) by Scruffy Beard 2 on Thursday April 27, @04:16PM
It is not even regulation. Just about every software house disclaims liability.
And yes, you do have to secure your car (it is called a parking brake).
(Score: 3, Interesting) by DannyB on Thursday April 27, @04:42PM (1 child)
I'm not asking for regulations. Just liability to be imposed.
I'm not asking for any kind of certification of IoT security. I'm not asking for any kind of recognized standard to be met. Just that if your IoT device gets hacked, the liability for damages is on the manufacturer.
Nothing more.
I think it would provide all the right incentives. You wouldn't believe how many best practices there are about security for systems that handle credit card information. I would love to see even half PCI compliance requirements applied to IoT devices.
(Score: 3, Interesting) by kaszz on Thursday April 27, @05:19PM
I'm not asking for regulations. Just liability to be imposed.
Liability is coded in law which means lawyers etc. And the circus will be on. What you think and wish has no automatic connection to the consequences of your actions.
I'm not asking for any kind of certification of IoT security. I'm not asking for any kind of recognized standard to be met. Just that if your IoT device gets hacked, the liability for damages is on the manufacturer.
Nothing more.
Liabilities are encoded in law and this will instead line the coffers of insurance corporations that can then make use of their oligopoly.
I think it would provide all the right incentives. You wouldn't believe how many best practices there are about security for systems that handle credit card information. I would love to see even half PCI compliance requirements applied to IoT devices.
Incentives will be perverted. And credit cards are routinely cracked because their security sucks.
Better have a specific checklist that must be adhered to before the device may be connected to a public network or any wireless mechanism. That will give manufacturers a clear target and give less space for lawyers and insurance corporations to screw people.
Otoh, BrickerBot perhaps does the job with security compliance quite good ;)
(Score: 2) by tibman on Thursday April 27, @04:18PM (3 children)
If you plugged in your toaster and made it publicly accessible then I can guarantee it will catch fire at some point. Someone will be trying to smelt copper in it or something. InternetOfCrap is the same way. Do you really want anonymous people talking to your security cameras? No. You really don't. You are right though, manufacturers shouldn't be shipping insecure devices and should make security updates available.
(Score: 2) by DannyB on Thursday April 27, @04:45PM (1 child)
They wouldn't be shipping known insecure devices, and they would be making updates available if the liability for damages were on them. That's why I think it is a perfect fix.
The credit card industry has all kinds of security compliance requirements. (PCI) Because if their systems get hacked, guess who is liable? Clue: not the card holders.
(Score: 2) by kaszz on Thursday April 27, @05:22PM
Liability means lawyers and insurance corporations will line their pockets with your money. If said cameras had their software open sourced. There would be a lot more possibility to take control of the security issues.
(Score: 3, Interesting) by urza9814 on Thursday April 27, @06:20PM
I know a LOT of companies with unattended appliances available to the public. Particularly those Keurig machines. And while those things DO seem to commit suicide quite regularly, they DON'T usually destroy anything else along the way. And if they did I'm sure you'd win that lawsuit pretty easily.
But our legal system thinks computers are magic and hackers are evil sorcerers or some shit that nobody can possibly defend against, so they give everyone a free pass. Or more accurately, they give big companies a free pass, and screw the rest of us as always...
(Score: 2) by sjames on Thursday April 27, @09:02PM
To be fair, if you don't secure your car, it may accelerate out of your control directly to the chop shop. Or it may coast into a tree.
(Score: 5, Informative) by requerdanos on Thursday April 27, @04:26PM
General warrants were a key reason cited by the Founding Fathers for their rebellion against King George.
While certainly a point of contention [britannica.com], and certainly a Very Bad Thing, it's notable that general warrants do not appear in the specified list of grievances [patriotsline.com] against the King that the American colonies' Declaration of Independence [ushistory.org] specified as "the causes which impel them to... separation."
(Score: 1, Interesting) by Anonymous Coward on Thursday April 27, @04:34PM
botnets are interfering with some big company or gov service so instead of going after the manufacturers they hack people's shit? fuck the fbi. bullies and traitors.
