
Security quotes of the week

SilverPush is an Indian startup that's trying to figure out all the different computing devices you own. It embeds inaudible sounds into the webpages you read and the television commercials you watch. Software secretly embedded in your computers, tablets, and smartphones picks up the signals, and then uses cookies to transmit that information back to SilverPush. The result is that the company can track you across your different devices. It can correlate the television commercials you watch with the web searches you make. It can link the things you do on your tablet with the things you do on your work computer.

Your computerized things are talking about you behind your back, and for the most part you can't stop them -- or even learn what they're saying.

Bruce Schneier

The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage. This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact. Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware. Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts.

Michael J. Assante of SANS on an attack on the Ukrainian power grid

But your networked devices will be on a network together. They’ll be designed to try and sense and act together. One of the things they could – and should – sense is whether any of their colleagues is doing something unexpected and bad, and then let you know about it.

That’s the shape of the solution: the future of the Internet of Things should involve constant sensing by devices of other devices, looking for evidence of badness, making reports up the chain to humans or other authorities to do something about it.

The devil is in the details: we don’t want a system that makes it easy for your prankish neighbors to make the police think you’re harboring a massive radio-disrupter, driving like a madman, or tailpipe-spewing more than the rest of the city combined. You don’t want your devices to be tricked into tripping spurious alarms every night at 2AM. We also need to have a robust debate about what kind of radio-energy, driving maneuvers, network traffic, and engine emissions are permissible, and who enforces the limits, and what the rule of law looks like for those guidelines.

Cory Doctorow


Security quotes of the week

Posted Jan 14, 2016 23:24 UTC (Thu) by gerdesj (subscriber, #5446) [Link] (1 responses)

"It embeds inaudible sounds into the webpages you read and the television commercials you watch."

Now if only I kept the speakers on my computers un-muted, then this would work. Apart from my telly, then surely cookies and all the other usual things would do the trick. Do I really have to read the article to find out whether this is yet another app I can't run due to being a member of an OS minority? Bloody OSists.

OK, I jest. However this piece of tinfoil-hattery is from Mr Schneier, whom I respect. I think his central point about ever more pervasive surveillance is spot on but this looks to me as simply another form of cookie. I suspect that Google et al have way more info on me than that lot will ever manage with their sound cookies.

Incidentally, Mr Samsung's finest goggle box on my wall is connected to its very own SSID and VLAN and is closely monitored. Must get around to analyzing the traffic to see what it gets up to. Sadly someone broke its ears, err microphone shortly after purchase 8)

Security quotes of the week

Posted Jan 15, 2016 9:16 UTC (Fri) by jezuch (subscriber, #52988) [Link]

> I suspect that Google et al have way more info on me than that lot will ever manage with their sound cookies.

Yes, they already have a lot, but they still want more. You know how the saying goes: the first step of getting out of a hole is to stop digging.

Security quotes of the week

Posted Jan 21, 2016 14:32 UTC (Thu) by hitmark (guest, #34609) [Link] (1 responses)

While I enjoy Doctorow's books, I think what he suggests in the quote is naive.

Badness defined by who? By the owners? Sorry, but those "owners" have already enough to deal with. It would be much easier for them to basically forgo IoT completely.

The basic problem with using tech to detect "bad" tech is how to define "bad". This is because "bad" is in the intent, not the actions. If I was to bit fiddle a file, the act itself says nothing about my intent. Yes, doing so may crash something or leave a massive leaking root hole, but it may well be that I did so to fix an issue I was having that the "bad" sensing software is blind to, because it is not a human operator, rather than trying to intentionally (<- hello!) break the security of the system.

Security quotes of the week

Posted Jan 22, 2016 9:11 UTC (Fri) by jezuch (subscriber, #52988) [Link]

> The basic problem with using tech to detect "bad" tech is how to define "bad". This is because "bad" is in the intent, not the actions.

I think "badness" here means "behaving outside of spec/regulation/other_rules_that_prohibit_devices_from_peeing_into_the_common_pool", not detecting maliciousness. The latter we have to handle anyway, today.


Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds