posted by Fnord666 on Thursday April 25 2019, @03:35PM
from the but-I-can't-remember-more-than-one-password dept.

The Washington Post reports another story about hacked Nest devices.

Hackers, whose voices could be heard faintly in the background, were playing the pornography through the Nest Cam, which had been used for years as a baby monitor in a Novato, California home.

The method used to get access to the intercom feature is one of the oldest tricks on the Internet.

Hackers essentially look for email addresses and passwords that have been dumped online after being stolen from one website or service and then check to see whether the same credentials work on another site. Like the vast majority of Internet users, the family used similar passwords on more than one account. While their Nest account had not been hacked, their password had essentially become public knowledge, thanks to other data breaches.

The article continues:

But Nest's defenses were not good enough to stop several high-profile incidents throughout last year in which hackers used credential stuffing to break into Nest cameras for kicks. Hackers told a family in a San Francisco suburb, using the family's Nest Cam, that there was an imminent missile attack from North Korea. Someone hurled racial epithets at a family in Illinois through a Nest Cam. There were also reports of hackers changing the temperature on Nest thermostats. And while only a handful of hacks became public, other users may not even be aware their cameras are compromised.

The company was forced to respond. "Nest was not breached," it said in a January statement. "These recent reports are based on customers using compromised passwords," it said, urging its customers to use two-factor authentication. Nest started forcing some users to change their passwords.

This was a big step for Nest because it created the kind of friction that technology companies usually try to avoid. "As we saw the threat evolve, we put more explicit measures in place," Sathe said. Nest says only a small percentage of its millions of customers are vulnerable to this type of attack.

So, how much should a company pander to laziness? Can 'good' security be forced on lazy people?
Is anyone going to take responsibility for their own data? (although this is already almost impossible for all but the most paranoid/vigilant types, not re-using passwords shouldn't be this hard...)
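The article's point is that the attackers never touched Nest: the password was already public from someone else's breach. An added example (not code from the article or from Nest) shows the defensive counterpart, a breached-password check in the "range query" style, where the client sends only the first five hex characters of a SHA-1 hash and matches the suffix locally, and a login policy that forces a reset when a correct password is known to be in a dump. The breach dump is constructed for the demo; the SHA-1 here is only a lookup key for the range protocol, not a way to store passwords.

```python
"""
Breached-password lookup with prefix (k-anonymity) matching, plus the
post-login policy that a service can apply to known-breached credentials.
Added example; the dump below is constructed, not real leaked data.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for credentials leaked from some *other* site.
CONSTRUCTED_BREACH_DUMP = [
    "password123",
    "letmein",
    "qwerty2019",
    "Summer2019!",
]


def sha1_hex(password: str) -> str:
    """Lookup key for the range protocol (NOT a storage hash)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(dump):
    """Index breached hashes by their 5-char prefix, the way a range server does."""
    index = defaultdict(dict)
    for pw in dump:
        h = sha1_hex(pw)
        bucket = index[h[:5]]
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


def lookup_range(index, prefix: str):
    """Server side: return every suffix (and count) under a prefix.
    The server never learns which suffix the client cares about."""
    return dict(index.get(prefix, {}))


def is_breached(index, password: str) -> int:
    """Client side: query by prefix, compare the suffix locally.
    Returns the number of times the password appears in the dump (0 = unseen)."""
    h = sha1_hex(password)
    return lookup_range(index, h[:5]).get(h[5:], 0)


def login_decision(index, password_ok: bool, password: str, has_second_factor: bool) -> str:
    """Policy applied after the normal credential check (password_ok is that result):
    - wrong password: reject
    - right password, but it is in a dump and no 2FA: force a reset (the step Nest took)
    - right password in a dump, 2FA present: allow but flag for the account owner
    - otherwise: allow
    """
    if not password_ok:
        return "reject"
    if is_breached(index, password):
        return "allow-flagged" if has_second_factor else "force-reset"
    return "allow"


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_DUMP)
    for pw in ("letmein", "correct horse battery staple"):
        print(pw, "->", "breached" if is_breached(idx, pw) else "not seen",
              "/", login_decision(idx, True, pw, False))
```

The prefix split is what keeps the check privacy-preserving: with a 5-character prefix the server sees one of about a million buckets, never the full hash. The policy function is where the friction the article describes lives; a service that only warns, rather than forcing the reset, leaves the stuffed credential working.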


  • (Score: 2, Interesting) by realDonaldTrump on Thursday April 25 2019, @04:02PM

    by realDonaldTrump (6614) on Thursday April 25 2019, @04:02PM (#834799) Homepage Journal

    But, Rejected Sub. So fortunate that Jeff Bozo's Amazon Washington Post heard the news & finally it can go on Soylent ( old) News. Thank you Editors!!! foxnews.com/tech/nest-security-cameras-watch-illinois-family-as-company-blames-compromised-passwords [foxnews.com]

  • (Score: 3, Insightful) by Anonymous Coward on Thursday April 25 2019, @04:21PM (6 children)

    by Anonymous Coward on Thursday April 25 2019, @04:21PM (#834808)

    It is said that the "S" in IoT stands for "Security".

    This IoT thing is going to bring hordes of unsecured devices into hundreds of millions of homes. Someone needs to pump the brakes on this movement by making manufacturers liable for shipping insecure devices.

    • (Score: 4, Interesting) by Thexalon on Thursday April 25 2019, @05:23PM (5 children)

      by Thexalon (636) on Thursday April 25 2019, @05:23PM (#834845)

      And if the government won't, at the very least let's encourage people to not buy the friggin' things. What's with the efforts to make an Internet-connected toaster anyways?

      Also, did they say this was a baby monitor? If you need to monitor your baby from any further away than "elsewhere in your house", you're a terrible parent. And given that, why would this device accept any connections at all outside of the local /24?

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 4, Interesting) by sjames on Thursday April 25 2019, @05:32PM (1 child)

        by sjames (2882) on Thursday April 25 2019, @05:32PM (#834848) Journal

        That's the big issue. Most IoT devices should confine themselves to the local LAN behind at least a minimal firewall for security. But most manufacturers want to make their devices phone home, and just to make sure they do, they make them depend on phoning home in order to function properly. So, instead of a simple interaction behind a firewall, your command to turn on a light bulb goes across the country to an all too public server, then back across the country, through your firewall to the 'smart' lightbulb.
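The two comments above ask why a baby monitor accepts connections from outside the local /24 at all. An added example (not Nest's or any vendor's code) shows what a device-side admission check for that looks like: the control port binds only to the device's own LAN address and every request is refused before parsing unless the peer is inside the device's subnet. The device address, prefix length and port are constructed values.

```python
"""
Local-subnet-only admission check for a device control port.
Added example; DEVICE_ADDR, DEVICE_PREFIX_LEN and the port are assumed values.
"""
import ipaddress
import socketserver

DEVICE_ADDR = ipaddress.ip_address("192.168.1.50")  # constructed LAN address
DEVICE_PREFIX_LEN = 24                               # the local /24
CONTROL_PORT = 8800                                  # assumed


def local_network(addr=DEVICE_ADDR, prefix_len=DEVICE_PREFIX_LEN):
    """The subnet the device sits on, e.g. 192.168.1.0/24."""
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def is_local_peer(peer_ip: str) -> bool:
    """True only for a parsable address of the same family inside the device's
    subnet. Garbage, the other address family and every global address fail."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if peer.version != DEVICE_ADDR.version:
        return False
    return peer in local_network()


def handle_command(peer_ip: str, command: str) -> str:
    """Control-plane dispatch. The peer check runs before the command is
    interpreted, so a non-local sender never reaches the parser."""
    if not is_local_peer(peer_ip):
        return "REFUSED non-local peer"
    if command == "STATUS":
        return "OK streaming=off"
    return "ERR unknown command"


class ControlHandler(socketserver.StreamRequestHandler):
    """Minimal line-oriented TCP front end around handle_command."""

    def handle(self):
        peer_ip = self.client_address[0]
        line = self.rfile.readline().decode("ascii", "replace").strip()
        self.wfile.write((handle_command(peer_ip, line) + "\n").encode("ascii"))


if __name__ == "__main__":
    # Bind to the LAN address itself, not 0.0.0.0, so the socket is not even
    # reachable on other interfaces. Requires running on a host that owns DEVICE_ADDR.
    with socketserver.TCPServer((str(DEVICE_ADDR), CONTROL_PORT), ControlHandler) as srv:
        srv.serve_forever()
```

Two layers do the work: the bind address keeps the listener off other interfaces, and the per-connection subnet check catches connections that still arrive, including ones forwarded in through a router port-forward or UPnP mapping, which show up with the outside client's source address and are refused. What the check cannot do is distinguish a compromised host on the same LAN from a legitimate one; that is the firewall's and the rest of the network's job.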

        • (Score: 4, Interesting) by digitalaudiorock on Thursday April 25 2019, @09:36PM

          by digitalaudiorock (688) on Thursday April 25 2019, @09:36PM (#834912) Journal

          But most manufacturers want to make their devices phone home, and just to make sure they do, they make them depend on phoning home in order to function properly.

          Exactly. Correct me if I'm wrong, but this I believe is the case with the Sonos speakers that everyone's so enamored with. Maybe I'm mistaken about that, but that's the impression I get from everything I read. Even if it's not, requiring a smartphone app is bad enough to keep me away (still no smart phone here).

      • (Score: 1) by khallow on Friday April 26 2019, @12:56PM (2 children)

        by khallow (3766) Subscriber Badge on Friday April 26 2019, @12:56PM (#835091) Journal

        Also, did they say this was a baby monitor? If you need to monitor your baby from any further away than "elsewhere in your house", you're a terrible parent.

        Or using a babysitter.

        • (Score: 2) by Thexalon on Friday April 26 2019, @02:27PM (1 child)

          by Thexalon (636) on Friday April 26 2019, @02:27PM (#835123)

          Who apparently you're both simultaneously trusting and not trusting with your kid.

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 1) by khallow on Friday April 26 2019, @02:51PM

            by khallow (3766) Subscriber Badge on Friday April 26 2019, @02:51PM (#835133) Journal

            Who apparently you're both simultaneously trusting and not trusting with your kid.

            Indeed, which is typical of human interactions. So your point is?

  • (Score: 4, Insightful) by iamjacksusername on Thursday April 25 2019, @05:07PM

    by iamjacksusername (1479) on Thursday April 25 2019, @05:07PM (#834836)

    Data surveillance companies rely on human laziness and decision fatigue to gather data. Effective security requires active participation by the end-users and that directly contradicts the goals of data collection. People allow data collection because it is easier. The only thing Google and Amazon are afraid of is someone creating the impression with their surveillance targets that the product is making them unsafe.

  • (Score: 3, Funny) by DannyB on Thursday April 25 2019, @05:22PM (3 children)

    by DannyB (5839) Subscriber Badge on Thursday April 25 2019, @05:22PM (#834844) Journal

    I would get right on it, to get it fixed, if I weren't so lazy.

    --
    Every performance optimization is a grate wait lifted from my shoulders.
    • (Score: 3, Interesting) by bzipitidoo on Thursday April 25 2019, @05:26PM (2 children)

      by bzipitidoo (4388) on Thursday April 25 2019, @05:26PM (#834847) Journal

      I'm too lazy to install IoT stuff to begin with.

      • (Score: 4, Insightful) by DannyB on Thursday April 25 2019, @08:47PM (1 child)

        by DannyB (5839) Subscriber Badge on Thursday April 25 2019, @08:47PM (#834898) Journal

        The three greatest virtues of all great programmers are: laziness, impatience, and antisocial behavior.

        Laziness is the first step towards efficiency.

        Impatience is the first step towards optimizing performance.

        Antisocial behavior avoids distraction and improves hyper focus.

        --
        Every performance optimization is a grate wait lifted from my shoulders.
        • (Score: 2) by maxwell demon on Friday April 26 2019, @06:42AM

          by maxwell demon (1608) on Friday April 26 2019, @06:42AM (#835019) Journal

          In other words, a good programmer makes a terrible boss.

          --
          The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @05:25PM (5 children)

    by Anonymous Coward on Thursday April 25 2019, @05:25PM (#834846)

    Not so much lazy as, people have outsourced the mgmt of their data to said IoT company.

    For sure bad password choices are on the users' shoulders. But enforcing good practice should be on the company, even if that has some pressure on sales revenue. Making shit secure and educating good practices is all on the company. Now if a user chooses to still be lazy, then so be it, but if the company does not make the effort up front, that is lazy providing.

    • (Score: 4, Insightful) by bzipitidoo on Thursday April 25 2019, @05:51PM (4 children)

      by bzipitidoo (4388) on Thursday April 25 2019, @05:51PM (#834858) Journal

      The thing is, that generally accepted security practices are very much out of step with the actual risks and costs. And people know this.

      Security police were out of step decades ago when they screamed that writing down passwords was Very Bad, and we should all memorize them. Also took them too long to figure out that forcing users to change passwords every 30 days actually lowered security. And again with the stupid rules that your password must contain at least one number, capital letter, lower case letter, and special character except slash, hash, and bang, star, and quote mark-- which always made me wonder how the f was their system storing passwords that it couldn't handle all the ASCII characters. Smells like their system is vulnerable to SQL injection when they forbid some of the special characters.

      There was no moderation of such rules tailored to the value of the access that was being protected, no, it was one size fits all. Often the security was like using a bank vault with a 3 meter high door that weighs a ton to secure two cents. Or at the other extreme, security is like a Big Beautiful Wall with a big beautiful hole fit for a truck that somehow the security "experts" think or hope no one can see. DRM, anyone? And security professionals think people are too stupid to notice such incongruities? The lack of respect is mutual.

      Another problem is that security is for sale. Gee, it's too bad you didn't pay for POP or IMAP access to your online email account so you could download your valuable emails and have your own copy in case our servers are ever breached, your password leaked by us or you, or a malfunction happens and you lose everything.

      • (Score: 2) by maxwell demon on Friday April 26 2019, @06:49AM (3 children)

        by maxwell demon (1608) on Friday April 26 2019, @06:49AM (#835020) Journal

        And again with the stupid rules that your password must contain at least one number, capital letter, lower case letter, and special character except slash, hash, and bang, star, and quote mark

        And at the same time enforcing a maximal length. How would a 20 character password be less secure than a 10 character password?

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by AthanasiusKircher on Friday April 26 2019, @11:54AM

          by AthanasiusKircher (5291) on Friday April 26 2019, @11:54AM (#835067) Journal

          I don't think the logic is that a longer password is less secure. I think those enforcing such rules are either ensuring compatibility with really old systems where password length was limited to save in storage capacity (banks for years seemed wedded to this, though in recent years they finally realized this was bad practice), or they are run by some idiot who still thinks they need to limit password length significantly to save on storage.

          The worst systems I've encountered a few times are those that silently truncate your password when you set it, but then don't truncate entries when you enter the password for a check.

          Seriously -- this has happened to me on at least two systems. I enter a password that's, say, 15 characters. The system accepts it as a new password, but it only stores the first 12. Now I go to login a day later, and my password is rejected. Eventually after resetting my password on the site three times, I read the password restrictions again and realize it says "passwords limited to 12 characters"! I then try entering the first 12 characters of my password, and then I can log in.

          What kind of idiotic system accepts a password that's too long and silently truncates it, but then takes the WHOLE password you enter when you try to login and simply displays "incorrect password"?? But I've seen that. More than once.

        • (Score: 2) by bzipitidoo on Friday April 26 2019, @12:02PM (1 child)

          by bzipitidoo (4388) on Friday April 26 2019, @12:02PM (#835070) Journal

          Even worse is faking the user out about the length. Let the user make and use a 20 character password, accept the input, but silently truncate it to 8 characters. I found a system was doing that to me when I had made a 9 character password, and hit the last character and enter at about the same time. Enter went in first, and the system accepted the login attempt! The 9th character of my password then appeared in the clear on the next line.

          You really have to wonder what the heck the system designers were thinking. Yes, there's lots of security theater, but that one is some serious security fail. Talk about undermining your own password rules to pull a stunt like that. No justification whatsoever for it. Even in the 1980s, memory wasn't that short.

          • (Score: 0) by Anonymous Coward on Friday April 26 2019, @12:18PM

            by Anonymous Coward on Friday April 26 2019, @12:18PM (#835077)

            Of course if you properly hash your passwords, the amount of data you store is completely independent of the length of the password itself.
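The subthread above describes two things: a system that silently keeps only the first N characters at set time but compares the whole string at login, and the observation that a properly hashed password costs the same to store whatever its length. An added example (not code from any system the commenters encountered) puts the two side by side: the truncating store reproduces the failure mode exactly as described, and the hashed store derives a fixed-size PBKDF2 record from the entire password. Users and passwords are constructed.

```python
"""
Silent-truncation bug next to a length-independent hashed password store.
Added example; all users and passwords are constructed.
"""
import hashlib
import hmac
import os


class TruncatingStore:
    """Deliberately wrong, to reproduce the thread's failure mode: keeps only
    the first MAX characters when the password is set, but compares the full
    string at login, so any password longer than MAX can never log in."""
    MAX = 12

    def __init__(self):
        self._pw = {}

    def set_password(self, user: str, password: str) -> None:
        self._pw[user] = password[:self.MAX]   # silently truncated

    def check(self, user: str, password: str) -> bool:
        return self._pw.get(user) == password  # full string compared


class HashedStore:
    """Stores (salt, PBKDF2-HMAC-SHA256 of the whole password). The record is
    16 + 32 bytes whether the password is 8 or 80 characters long."""
    ITERATIONS = 100_000
    SALT_LEN = 16

    def __init__(self):
        self._rec = {}

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(self.SALT_LEN)
        self._rec[user] = (salt, self._derive(password, salt))

    def check(self, user: str, password: str) -> bool:
        rec = self._rec.get(user)
        if rec is None:
            # Spend the same cost for unknown users so timing does not reveal
            # whether an account exists.
            self._derive(password, b"\x00" * self.SALT_LEN)
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._derive(password, salt))

    def record_size(self, user: str) -> int:
        salt, digest = self._rec[user]
        return len(salt) + len(digest)


if __name__ == "__main__":
    long_pw = "correcthorsebattery"  # 19 characters, constructed
    bad = TruncatingStore()
    bad.set_password("alice", long_pw)
    print("truncating store, full password :", bad.check("alice", long_pw))
    print("truncating store, first 12 chars:", bad.check("alice", long_pw[:12]))
    good = HashedStore()
    good.set_password("alice", long_pw)
    good.set_password("bob", "x" * 80)
    print("hashed store, full password     :", good.check("alice", long_pw))
    print("record bytes alice/bob          :", good.record_size("alice"), good.record_size("bob"))
```

One caveat worth knowing before choosing the hash: bcrypt uses only the first 72 bytes of its input, so a bcrypt-backed store has a (much larger, but still real) silent cut-off of its own; PBKDF2, scrypt and Argon2 consume the whole input. Either way the stored record has a fixed size, which is the commenter's point.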

  • (Score: 3, Interesting) by SomeGuy on Thursday April 25 2019, @05:34PM (1 child)

    by SomeGuy (5632) on Thursday April 25 2019, @05:34PM (#834851)

    Oh, let's see, you put a camera in your home, point it at stuff you would not normally show anyone else, and then connect it to THE INTERNET. Well duh, it's going to get owned/hacked or just mis-used by the vendor itself.

    You have to be a real consumertard to not understand this, unfortunately most of the people on this planet are brain dead consumertards.

    If you think anyone is going to "fix" this and keep it "fixed" you are delusional. These are worthless consumer toys and those who make them are not going to spend an extra dollar "securing" them. Especially when they can make money collecting your personal information themselves.

    "Whaaaaaa but me want to control fancy thingy from my cell phone!!11!1"

    Idiots.

    • (Score: 2) by bzipitidoo on Friday April 26 2019, @12:16PM

      by bzipitidoo (4388) on Friday April 26 2019, @12:16PM (#835075) Journal

      Ironic that the consumertards were sold the items on the basis of more security. Get an Internet ready nanny cam so you can watch your baby remotely, through the app on your smartphone! So many places to hack in-- the camera, the smartphone, the app, the WiFi connections, the cheap commodity grade router/firewall, etc.

  • (Score: 3, Touché) by sjames on Thursday April 25 2019, @05:35PM

    by sjames (2882) on Thursday April 25 2019, @05:35PM (#834852) Journal

    When I first saw the headline, I thought this would be like the "exposé" on the old Paul Hogan Show about people losing the use of their legs after getting a remote control television.

  • (Score: 1, Funny) by Anonymous Coward on Thursday April 25 2019, @05:36PM

    by Anonymous Coward on Thursday April 25 2019, @05:36PM (#834853)
  • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @06:06PM (4 children)

    by Anonymous Coward on Thursday April 25 2019, @06:06PM (#834863)

    As long these cloud require you to create an account of NOT YOUR CHOICE. They should pay for full life lock for ever member of the family and give a fidofortwo factor. Anything else is rap office just turned of two factor because what is two factor when both are on the same phone???

    • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @09:42PM (1 child)

      by Anonymous Coward on Thursday April 25 2019, @09:42PM (#834916)

      English please.

      • (Score: 2) by FatPhil on Thursday April 25 2019, @09:47PM

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Thursday April 25 2019, @09:47PM (#834921) Homepage
        ~ "they should provide real security, and insurance against violation of that security"
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 3, Insightful) by FatPhil on Thursday April 25 2019, @09:45PM (1 child)

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Thursday April 25 2019, @09:45PM (#834919) Homepage
      Agreed - apart from the fact that Life Lock (tm) is almost indistinguishable from a scam. It took my g/f about a decade to wean her parents off that shitty service - she was effectively duplicating everything life lock did at the end, sending them the URLs so that they could do the same without her (or life lock)
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by maxwell demon on Friday April 26 2019, @06:55AM

        by maxwell demon (1608) on Friday April 26 2019, @06:55AM (#835023) Journal

        It took my g/f about a decade to wean her parents off that shitty service

        Well, the name is a dead giveaway, isn't it? They'll lock you in for your life.

        --
        The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by DrkShadow on Friday April 26 2019, @01:33AM (2 children)

    by DrkShadow (1404) on Friday April 26 2019, @01:33AM (#834981)

    not re-using passwords shouldn't be this hard...

    How many passwords do you have, then? You remember all of them? Oh, you have a password manager, you say. That password manager is available on _all_ of your devices, whether you're at home, work, or vacation in Cuba? Ah, yes, the online ones that store your passwords securely (https://www.skyhighnetworks.com/cloud-security-blog/lastpass-breach-by-the-numbers-91-enterprises-exposed/)...

    Password algorithms go a good way, but it has to be unique enough to you. Password managers work too, but there are some passwords you _need_ to remember. (Banks -- if your credit card gets disabled mid-trip, what are you going to do? never go on a trip?)

    Password tiers help more, I think. Limit it to six or ten passwords -- unique for each bank, they're your livelihood. Unique for your e-mail -- with that, they can reset any of the others. The things that you care about come next, perhaps a few passwords for Faceplant and other services that it would be really inconvenient if you (permanently?) lost access.

    Then there's the crap tier. There's a forum for which I have used the password "1". The single character. In fact, it's so short it's probably perfectly secure, not in any dictionary -- because this account just doesn't matter. Consider the slew of forums that require membership to post (or even just view attachments). Why should I care at all about those? "abcdef". Oh the account got "hacked" and my account was used to spam their forum? heh, I logged in once, six years ago, and it's your problem not mine -- you required signup. Oh, my Newegg account was "hacked" and someone looked at my order history? Aww shucks, I don't save my credit card for a slew of reasons.

    You _should_ reuse passwords -- it's the only way to be secure (in your livelihood). If you have too many, there will be no way to retain the ones that are rarely-used but really-important (banks). Porn playing on the neighbor's Nest? (I wouldn't give Google that access to my life.) Too bad, so sad, time to change another meaningless password. Or not. Lock the account, I don't use it anyway.

    • (Score: 3, Insightful) by darkfeline on Friday April 26 2019, @02:23AM (1 child)

      by darkfeline (1030) on Friday April 26 2019, @02:23AM (#834991) Homepage

      > That password manager is available on _all_ of your devices, whether you're at home, work, or vacation in Cuba?

      Yes, all 2-3 of them (phone, laptop, workstation). You should only be logging in to sites from a trusted device. You should keep your trusted devices physically and digitally secure. In practice this means you can't afford to manage too many of them. So getting your password manager on 2 or 3 devices is not a problem. You could sync them with Syncthing which is P2P, so your passwords will only be stored on trusted devices.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 2) by PiMuNu on Friday April 26 2019, @03:31PM

        by PiMuNu (3823) on Friday April 26 2019, @03:31PM (#835147)

        > Yes, all 2-3 of them

        Curious, is there a password manager that can deal with multiple OSes and browsers? E.g. many (most?) people have a windows PC running IE and an Android phone running chrome.

  • (Score: 1) by khallow on Friday April 26 2019, @02:54PM (1 child)

    by khallow (3766) Subscriber Badge on Friday April 26 2019, @02:54PM (#835134) Journal
    Another flaw of IoT revealed, and yet, I still haven't heard any compelling reasons to stick this technology on my gear in the first place.
    • (Score: 2) by etherscythe on Friday April 26 2019, @05:55PM

      by etherscythe (937) on Friday April 26 2019, @05:55PM (#835215) Journal

      Same. I'm flabbergasted by the otherwise intelligent people I know who build their lives on this foundation of sand (silicon) and trust it without any further protective measures.

      --
      "Fake News: anything reported outside of my own personally chosen echo chamber"