How ’bout that Mirai Botnet
Do you remember that thing? It was the panic of the week last fall. Some jerks took large portions of the internet down for a couple hours. Everyone was in a tizzy for a bit. Well, the problem is still there. At least now nobody’s in a flail-your-arms panic over it, so maybe it’s worth discussing solutions.
Since there’s very little reason to remember the panic of the day even a week later, let me remind you how this works. A couple of years back “Internet of Things” became the fashionable buzzword, so we all went out and bought WiFi enabled toasters. Now you can start toasting automatically when your alarm clock goes off. The fact that your toast will be ice cold by your seventh snooze is a small price to pay for living in The Future! But when you got your FutureToast, you didn’t bother to change the default password (it’s a hassle, and if you did you’d forget the new one, and what’s the worst that could happen anyway?). Mr. Nefarious Hacker sees that you’ve got a FutureToast, and he can log into it too. With your toaster and the 13,000 other ones that nobody’s changed the passwords on (and the 3300 GarageNoMores, and 4200 BlindsWithScience, and 132 HubCapConnects) he’s got access to a massive number of internet-connected devices. Mr. Nefarious Hacker can then use them to form punishing denial of service attacks, making the internet useless to the rest of us.
How do we solve this problem? It seems resistant to market forces. From FutureToast Inc.’s perspective adding security to their toasters makes them cost more and makes them less user friendly. That translates to fewer toaster sales. The Customer doesn’t care; the fact that his toaster is a tool for world domination doesn’t stop it from providing toast on demand.
If you ask the computer security industry, they tend to tell you “Government Regulation.” Every FutureToast variant has to have a password change on first boot up, mandated by law. This solves the problem in the future, but there’s still a heck of a lot of unsecured devices in existence today. The government is also a good way to take all the vitality out of an industry. Maybe there are better solutions.
You could educate the public. As a rule that never works. Take me as an example. I know this is a thing, and I think it’s a big enough problem to post about it on Ricochet. Now ask me what my password is for my Raspberry Pi. It’s not hard to guess.
You could hack back. If you go into my FutureToast and change the passwords then Mr. Nefarious Hacker can’t use it. But then I can’t use it anymore, either. That approach amounts to the destruction of property. This is also not a good solution.
You could, and I can’t overstate the general applicability of this solution, actively wait for your problem to go away. We haven’t seen Mirai in the news much at all even though nobody’s fixed the problem. Maybe the world wakes up and realizes their fridge really shouldn’t have anything to say to their toilet and they stop buying IoT devices. Maybe we figure out a better way to catch the people behind these attacks and launching them becomes a much riskier proposition. Maybe Russia gets into a war with China and the world’s supply of hackers gets busy fighting one another. Maybe none of those happen and we’re still stuck with the problem.
What do you think, Ricochet? Got any brilliant ideas?
Published in Technology
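To make the mechanism in the post concrete, here is an added example (my own illustration, not code from the post, from Ricochet, or from any vendor’s firmware). It models a toaster whose factory password is never changed, beside the same device with the fix the post mentions: the factory password only works once, to finish setup; setup refuses anything on a list of well-known defaults; and repeated failures are throttled. It also includes a small detector that, given a few constructed login-log lines, flags a source that sprays failed logins across several usernames. The device names, the credential list, the log format and the log lines are all constructed for illustration; the list is not Mirai’s actual credential list.

```python
"""Added example, not from the Ricochet post or any vendor: a toy IoT login
handler before and after the "change the password on first boot" fix, plus a
detector for default-credential spraying. All names, credentials and log
lines below are constructed for illustration."""
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Constructed list of the sort of factory defaults that credential-stuffing
# botnets try. Illustrative only, not any real botnet's list.
FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}


class VulnerableToaster:
    """Ships with admin/admin and never makes the owner change it. Anyone who
    can reach its login port and knows the default gets in."""

    def __init__(self):
        self.user, self.password = "admin", "admin"

    def login(self, user, password):
        return user == self.user and password == self.password


class HardenedToaster:
    """Same device with the mitigation the post describes. The factory
    password is only accepted by complete_setup(); network login is refused
    until setup is done, so shipping with a known default no longer exposes
    the device. Passwords are stored as salted PBKDF2 hashes, compared in
    constant time, and guesses are throttled after MAX_FAILURES."""

    MAX_FAILURES = 5

    def __init__(self, setup_user="admin", setup_password="admin"):
        self.user = setup_user
        self._salt = os.urandom(16)
        self._hash = self._derive(setup_password)
        self.setup_done = False
        self.failures = 0

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, user, password):
        return user == self.user and hmac.compare_digest(self._hash, self._derive(password))

    def complete_setup(self, factory_password, new_user, new_password):
        """One-time first-boot flow. Requires the factory password, rejects
        anything on the default list or shorter than 12 characters, then
        rotates the salt and hash so the factory password stops working."""
        if self.setup_done or not self._check(self.user, factory_password):
            return False
        if (new_user, new_password) in FACTORY_DEFAULTS or len(new_password) < 12:
            return False
        self.user = new_user
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password)
        self.setup_done = True
        self.failures = 0
        return True

    def login(self, user, password):
        """Normal network login: locked until setup is done, and locked again
        once MAX_FAILURES consecutive bad guesses have been made."""
        if not self.setup_done or self.failures >= self.MAX_FAILURES:
            return False
        if self._check(user, password):
            self.failures = 0
            return True
        self.failures += 1
        return False


# Constructed login log in a made-up format. A device that logs user and
# result (never the password) gives the owner enough to spot a spray.
SAMPLE_LOG = """\
2017-03-01T11:00:01 src=198.51.100.7 user=admin result=fail
2017-03-01T11:00:02 src=198.51.100.7 user=root result=fail
2017-03-01T11:00:03 src=198.51.100.7 user=guest result=fail
2017-03-01T11:00:04 src=198.51.100.7 user=user result=ok
2017-03-01T11:05:00 src=203.0.113.9 user=alice result=fail
2017-03-01T11:05:09 src=203.0.113.9 user=alice result=ok
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")


def credential_sprayers(log_text, threshold=3):
    """Map each source that failed logins for at least `threshold` distinct
    usernames to that count. A legitimate owner mistyping one account's
    password does not trip this; a botnet walking a default list does."""
    failed_users = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == "fail":
            failed_users[m.group(1)].add(m.group(2))
    return {src: len(u) for src, u in failed_users.items() if len(u) >= threshold}
```

The point of the hardened version is not the hashing but the state machine: the factory credential cannot be used for anything except finishing setup, so the 13,000 unchanged toasters in the post would simply refuse network logins rather than accept the default. The detector is the owner-side complement, flagging a source that walks several usernames before (in the sample) finally succeeding.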
I saw a promo for a new cable show where the girl is on the sofa with a guy after their date. He asks if she has plans for Thursday night, and she looks coquettishly up at the ceiling and says, “Hmmmm. Plans for Thursday night?” and Alexa (or Siri or whatever it is) says in her mechanical voice: “Plans. For. Thursday. Dinner with Big D–ck Tony.” The guy gets up and leaves. That is where we are headed, my friends.
You obviously have discovered one of my aliases.
I don’t care where she thinks we’re headed, I ain’t going to dinner with Tony.
Not if the refrigerator IoT finks on her and tells ’em she has 4 sticks of butter in the lower left drawer…
I would rip the heart right out of that BMW and dash it to the garage floor, because you know the next step will be to email the local enforcement folks so they can just send you the violation ticket in the mail and save the capital outlay on the stationary photo money maker they are already employing.
They already do that in some places. Illinois, I think, for one.
Worse, it will tell your doc what you are eating and will lock itself once it thinks you have had enough for the day.
Ever see The Island? Urinalysis in your toilet with corresponding automatic dietary restrictions.
Just a toaster, “rabbit ears”, legal pads/pens/pencils….The list never ends. And I love it! :-D
Wow, and I thought the worst was when I caught the sexbot making the laundrybot a sandwich.
My sandwich!
This has quickly become one of my favorite Ricochet threads.
Wanna get in on the ground floor of the next big thing? Figure out how to jailbreak cars.
Being a Luddite is a perfectly reasonable reaction. I think there’s potential in the whole IoT nonsense, but until the stuff actually makes your life better your analogue toaster is going to be just fine.
Hm… are toasters naturally digital? With the presence and absence of bread you can represent the numbers 0 through 3 in binary.
You know what really worries me about the future?
This. This worries me.
It’s a totally reversible process.
Unless you’ve got a four-slice toaster, in which case up to 7.
From what I’ve heard from the many fine ladies of Ricochet (very few of whom I suspect to be rogue sex-bots), the deficiency in a lot of modern washing machines is their unwillingness to use much water. Do your custom wash cycles allow you to add enough water? ’Cause that could be useful.
My smartphone has a radio app, which requires you to have your earbuds in. It uses the wires on the headphones as an antenna.
If you could induce enough current in that wire…
Just when I get used to hexadecimal you expect me to switch to octal? I’m going to need more toasters.
Not “on the verge”, that’s definitionally IoT. You’re adding a processor and networking capabilities to something which was getting along perfectly well without it.
In that case though, he’s getting something useful out of it. And I’m guessing your security expert changed his password. To WhippedCream.
Someone has way too much time on their hands at the rectory office…
(had to wait until after work to play this, too many ears in our little confined control room).
Really? You mean hyperbolic like the global warming crisis?
This might help, but middleware defenses aren’t terribly effective on their own. Manufacturers of consumer devices won’t give a darn until consumers give a darn. And even if they do give a darn and start building them right, who’s going to write patches for 12 year old systems that only cost $30 to start with? I can’t get an update for my 1-year old $200 wireless router.
Some sort of light-weight, reliable, hardware-independent identity and trust model will be required to keep these things from talking to stuff that they should not. Then we still need to keep our fingers crossed that the trusted systems don’t get compromised.
I’ll give even odds whether or not we have a catastrophic global meltdown before we get these issues worked out.
Would it be pedantic to point out that 4 bits will get you to 15?
But if you have one of those toasters that can fit four slices in two slots does that constitute fuzzy logic?
I’ve got $10 on getting these issues worked out first.
Sucker. Good luck on collecting mid meltdown.
More seriously though, it’s fine to say that building things more securely now won’t fix everything that’s already been built. But that’s a sunk cost; whatever solution we could adopt would still have all those devices in existence. Unless we’re bricking them all like Mr. Balzer’s BMW.
Now that I’m counting on my fingers, dangit dangit dangit he’s right!
What am I going to do with all these toasters now?
The thing is that when you write the standard, somebody is going to start the project on GitHub. When that happens consumer product companies will adopt it because half the development work is done.
The issue of maintenance is real though. Solid point.
About 10 years ago I was doing a hardware upgrade on a store-bought PC and couldn’t get it to work. So I put everything back the way it was and the thing wouldn’t even turn on. I fussed with it for about 2 hours, troubleshooting everything I could think of. I got so desperate that I called the manufacturer’s tech support.
After 45 minutes of auto-attendants and hold music, I finally get a person. Hoping against hope that I got the one guy there who knows what he’s doing, I tell him my problem and everything I’ve done so far. Much to my dismay, it’s clear that he’s going to stick to the script and waste a couple hours of my time with pointless attempts to fix it. The conversation went like this:
At least we both had a good laugh.
Don’t get me wrong. I’m all for trying to fix it, and I’m disinclined to let the perfect be the enemy of the good. I’m just less optimistic than most on this particular problem.
Hard to say. I don’t know that particular system, but I’ve researched a number of networked physical security products made for the enterprise. In general, access control systems are pretty well designed. Everything else sucks. The only way to protect it is not to let it talk to anything, and that only keeps it from being hacked. It’s extremely hard to protect against targeted denial of service attacks, which is as good as disabling something like a surveillance system. We rely on obscurity to protect these systems. On a large network this can be sufficient to stump a novice. It won’t work with a determined expert though.
I take advantage of this feature to start my car a few minutes early on really cold winter days.