Lousy IoT Security

DTEN makes smart screens and whiteboards for videoconferencing systems. Forescout found that their security is terrible:

In total, our researchers discovered five vulnerabilities of four different kinds:

  • Data exposure: PDF files of shared whiteboards (e.g. meeting notes) and other sensitive files (e.g., OTA -- over-the-air updates) were stored in a publicly accessible AWS S3 bucket that also lacked TLS encryption (CVE-2019-16270, CVE-2019-16274).
  • Unauthenticated web server: a web server running Android OS on port 8080 discloses all whiteboards stored locally on the device (CVE-2019-16271).

  • Arbitrary code execution: unauthenticated root shell access through Android Debug Bridge (ADB) leads to arbitrary code execution and system administration (CVE-2019-16273).

  • Access to Factory Settings: provides full administrative access and thus a covert ability to capture Windows host data from Android, including the Zoom meeting content (audio, video, screenshare) (CVE-2019-16272).

These aren't subtle vulnerabilities. These are stupid design decisions made by engineers who had no idea how to create a secure system. And this, in a nutshell, is the problem with the Internet of Things.
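The data-exposure finding above comes down to three missing controls: no check of who is asking for an object, predictable object names that make one customer's URL a map to everyone else's, and no TLS on the path. The following is an added example, not DTEN's or Forescout's code: the exposed pattern next to a hardened store, using an in-memory dictionary as a stand-in for the bucket. The class and method names are mine, and the `over_tls` flag stands in for whatever the real server learns from the connection.

```python
import secrets
from dataclasses import dataclass

# Constructed in-memory stand-in for an object store holding whiteboard PDFs.
# Class and method names are illustrative; this is not DTEN's or Forescout's code.

@dataclass
class WhiteboardPdf:
    owner: str      # account that uploaded the whiteboard
    data: bytes     # the exported PDF


class ExposedWhiteboardStore:
    """The pattern in the finding: objects sit under sequential numeric names and a
    request that names an object is served as-is, with no notion of who is asking.
    Kept here only as the 'before' to compare against."""

    def __init__(self):
        self._next_id = 1
        self._objects = {}

    def put(self, owner, data):
        key = str(self._next_id)          # predictable: 1, 2, 3, ...
        self._next_id += 1
        self._objects[key] = WhiteboardPdf(owner, data)
        return key

    def fetch(self, key):
        return self._objects[key].data    # owner never consulted


class HardenedWhiteboardStore:
    """Three controls the exposed store lacks:
    1. the owner is recorded at upload and checked on every read;
    2. object names are random tokens, so one URL says nothing about other objects;
    3. plaintext transport is refused (the same effect as an S3 bucket policy that
       denies requests whose aws:SecureTransport condition is false)."""

    def __init__(self):
        self._objects = {}

    def put(self, owner, data):
        key = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe
        self._objects[key] = WhiteboardPdf(owner, data)
        return key

    def fetch(self, caller, key, over_tls):
        if not over_tls:
            raise ConnectionRefusedError("plaintext transport refused")
        obj = self._objects.get(key)
        # One error for both 'missing' and 'not yours': a caller cannot learn
        # whether a guessed key exists.
        if obj is None or obj.owner != caller:
            raise PermissionError("no such whiteboard for this caller")
        return obj.data
```

The point of the combined check in `fetch` is that authorization has to happen on the read path, where the identity is known; a random object name on its own is only defence in depth, because any name that leaks (in a log, a browser history, a shared link) is still a bearer token unless ownership is enforced as well.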

From a Wired article:

One issue that jumped out at the researchers: The DTEN system stored notes and annotations written through the whiteboard feature in an Amazon Web Services bucket that was exposed on the open internet. This means that customers could have accessed PDFs of each others' slides, screenshots, and notes just by changing the numbers in the URL they used to view their own. Or anyone could have remotely nabbed the entire trove of customers' data. Additionally, DTEN hadn't set up HTTPS web encryption on the customer web server to protect connections from prying eyes. DTEN fixed both of these issues on October 7. A few weeks later, the company also fixed a similar whiteboard PDF access issue that would have allowed anyone on a company's network to access all of its stored whiteboard data.

[...]

The researchers also discovered two ways that an attacker on the same network as DTEN devices could manipulate the video conferencing units to monitor all video and audio feeds and, in one case, to take full control. DTEN hardware runs Android primarily, but uses Microsoft Windows for Zoom. The researchers found that they can access a development tool known as "Android Debug Bridge," either wirelessly or through USB ports or ethernet, to take over a unit. The other bug also relates to exposed Android factory settings. The researchers note that attempting to implement both operating systems creates more opportunities for misconfigurations and exposure. DTEN says that it will push patches for both bugs by the end of the year.

Boing Boing article.

Posted on December 19, 2019 at 6:31 AM • 50 Comments

Comments

Ross Snider • December 19, 2019 8:45 AM

I've often dreamed about an IoT "security nutrition label" that's independently audited and added to these devices without politics, deals, or leverage from the sales departments of the companies that are trying to ship them.

These are the kinds of serious oversights in design that would have the nutrition label basically say: this is made of transfats, the Twinkie of SmartBoards. Get it if you want, but your IoT diet is going to really suffer.

Of course security doesn't work that way, but we also haven't figured out human digestion and metabolism yet and traditional nutrition labels seem to work.

SwashbucklingCowboy • December 19, 2019 9:49 AM

"These are stupid design decisions made by engineers who had no idea how to create a secure system. And this, in a nutshell, is the problem with the Internet-of-Things."

I'd say it's a problem with today's technology in general, not just IoT. And it's not just the engineers, it's the company's management that just doesn't care about security.



"The geography we have created is all about speed, convenience, and scale; Security is an afterthought."

--- General Michael Hayden, retired head of CIA, NSA

Impossibly Stupid • December 19, 2019 10:36 AM

These are stupid design decisions made by engineers who had no idea how to create a secure system.

I know that there's an old saying about not attributing to malice what can be explained by stupidity, but there's also a saying that 3 times is enemy action. Given the world we now live in, the most conservative analysis should be that DTEN is, wittingly or unwittingly, actively engaged in industrial espionage. If they as a company are not involved, I would expect some very public terminations of the managers who were in charge of these systems and any engineers who did not speak up regarding the poor security practices. Otherwise, I don't see why any company would buy and use DTEN products with any level of trust that their data is in good hands.

JonKnowsNothing • December 19, 2019 11:19 AM

It's really difficult to distinguish between "uninformed", "unintentional", "intentionally omitted" and "oopsies".

The output is the same.

  • RING intentionally misleads people about their "security" devices.
  • IOT-IDIOT devices omit basic "concepts".
  • APPLE forgets to tell customers that Location Tracking is ON All The Time, even when you set it to OFF at the top level and OFF for every app listed. Apple just forgot to tell you about the apps they don't list and that OFF isn't OFF.

Recently, a non-techie friend was considering buying a RING for their door. I about blew my over-priced coffee concoction through my nose....

The good news on the horizon is that Splinter-Net is de facto now. Yep that's the good news.

Electron 007 • December 19, 2019 11:19 AM

https://www.darkreading.com/vulnerabilities---threats/your-first-month-as-a-ciso-forming-an-information-security-program/a/d-id/1336594

First month as CISO? What is this?

Are you new here? They went corporate with the whole computer security "thing."

It's "management-only" just for the top bosses. The MBA frat-boy type.

If you are deemed to cause problems, or become targeted by too many attacks, they decline your card, kick you out of the club, and confiscate your bank accounts and any other assets in your name.

It's very much a human rights problem. Little people must submit to constant law enforcement spying and arbitrary property seizure. There's a vicious Las Vegas casino bouncer aspect to the whole security "thing."

La Cosa Nostra, and "outsiders" are not welcome.

David Rudling • December 19, 2019 12:28 PM

I think this almost passes as being on topic.

htt ps://www.apple.com/newsroom/2019/12/amazon-apple-google-and-the-zigbee-alliance-to-develop-connectivity-standard/

(fractured to prevent autorun)

Another Mouse • December 19, 2019 1:52 PM

It's not only IoT. Bombardier got an ethernet based automation protocol standardised through IEC and CENELEC which has in its standard flavour absolutely no authentication nor any cryptographic data integrity verification. Our client now requires us to fix the connectors with bracketry in order that they can't be unplugged from the PLC, as they are worried someone could plug in a PC instead.

Mathew Binkley • December 19, 2019 4:34 PM

Dumb engineers is the *proximate* cause. The root cause is usually dumb/cheap management. Incompetent engineers are cheaper than competent ones, at least on the front end.

Ross Snider • December 19, 2019 4:56 PM

@Bruce Schneier

Whaddyaknow? Thanks for the pointer Bruce.

One of the biggest problems with security is that it is often ignored in the marketplace, which places incentives on companies to consider security a cost center rather than one of the many constraints facing their engineering trade-offs and product quality. This in turn reinforces "built on" security vs "built in".

In my experience the current system of certifications (SOC, PCI, FISMA, you name it) as a proxy for regulation and business-to-business deals has some very undesirable features and avenues for corruption. When it's working at its best, it temporarily empowers internal security teams to get a few major projects/programs funded. When it's working at its worst, it can sabotage internal security teams and strip them of their ability to prioritize and invest where it's needed.

CMU's security labels (more of a consumer market use case) look carefully considered and designed. Lots more to say here, but overall I'd be supportive of a regulatory experiment to see whether this changes the market dynamic and security industry.

Electron 007 • December 19, 2019 5:22 PM

incentives on companies to consider security a cost center rather than one of the many constraints facing their engineering trade-offs and product quality. This in turn reinforces "built on" security vs "built in".

The problem lies with all that pretty glass on the storefront facing Main Street USA.

Management has security cameras galore and keeps up on the heating bill and insurance, but the fragile glass is viewed as a cost of doing business and a necessity of attracting customers. The trade-off yields to a Kristallnacht waiting to happen ... https://www.dw.com/en/germany-activists-apologize-for-holocaust-memorial-with-victim-ashes/a-51535624 ... ashes of Nazi victims. The memorial was erected by the group in front of the German parliament on Monday, as a warning to Chancellor Angela Merkel about the dangers of cooperating with far-right parties. "We would like to apologize to all those affected, relatives and survivors, whose feelings we have hurt," the ZPS announced in a statement on its website, admitting it had "made mistakes." "We would like to apologize, especially to Jewish institutions, societies or individuals who believe that our work disturbed the peace required for the dead under Jewish law," ...

Bloody Germans and Europeans are out of their freaking minds.

Weather • December 19, 2019 5:27 PM

@Ross?
There's a lot of moment on the table, if @bruce I can help? But what I'm repeating now took place 10-20 depending on what you ask

Ross Snider • December 19, 2019 6:04 PM

@Weather

I do not understand the meaning of your comment. Can you say/ask it another way?

Clive Robinson • December 19, 2019 8:29 PM

@ Bruce,

These aren't subtle vulnerabilities. These are stupid design decisions made by engineers who had no idea how to create a secure system. And this, in a nutshell, is the problem with the Internet of Things.

Whilst I might mildly disagree with calling them "engineers" yes there is a significant problem in the "software and firmware" design.

The main problem is actually "patch mentality" in management. There is a simple correlation between the perceived ability to correct faults in a sold product and the number of faults that on average products get shipped with.

But a simple question for you: it's fairly clear you, as others do, think that in by far the majority of cases the quality of shipped products is falling.

Would it not be simpler just to come out with a simple statement such as,

    The majority of software related products on the market are significantly harmful to their users.

Then perhaps when that got accepted --it is a truthful statement-- we could move the conversation on to how we are going to remedy it with respect to culpability in an international market setting.

That is we are now way beyond what national legislation can do, we are now well into treaties and UN style mandates. Whilst the WTO could move in that direction, we have to be cautious about dispute resolution. As the PPT and similar have shown dispute resolution procedures can be manipulated to be used as both a sanctions tool and a way to make money without actually showing valid claims.

To show how ludicrous it can get, it is entirely possible for big distillers and big hog producers to start a dispute with many nations with certain religious beliefs, and get awarded millions if not billions in compensation from a foreign state.

Ways of stopping such behaviours would need to be rather more solid than the likes of SLAP legislation.

Clive Robinson • December 20, 2019 3:07 AM

@ Ismar,

Anyone who buys these deserves what they get.

You could say that of those that purchased Ford Pintos or other non obviously dangerous to your health machines/technology.

However in all honesty can you assess, say, a family car properly, or a mobile phone?

I know I can not these days, and I don't know any individual who would say they can, because it takes large teams of people skilled in quite different disciplines.

The real problem is technology and its complexity is now beyond the point where any individual can possess the knowledge to identify the faults and failings of products. Or even know how to test for them, some of which might have been deliberately hidden, with testing now being considered a criminal act in some countries.

In effect "Buyer Beware" has now turned into "Victim Blaming".

The question is where do we go from here, it's an international problem driven in the wrong direction by transnational corporate money...

Larry • December 20, 2019 4:25 AM

@JonKnowsNothing
"Recently, a non-techie friend was considering buying a RING for their door. I about blew my over-priced coffee concoction through my nose...."

I presume that means you laughed at them? If so, why not educate them instead?

I myself don't trust any IoT. That's because of reading blogs like this one (I also read Krebs). I'm not a professional tech guy, I'm a wannabe with a little bit of knowledge so I need to read the experts to know what's going on.

Clive Robinson • December 20, 2019 5:08 AM

@ JonKnows...,

The good news on the horizon is that Splinter-Net is de facto now. Yep that's the good news.

In which sense do you mean "splinternet"?

The term was coined around 18 years ago and was originally meant in a positive sense of planes of networks each bringing benefits in different ways.

However as with many terms journalists and others have turned it into a negative meaning, and have confounded it with "Cyber-Balkanization".

But others in what appears to be the "techno-marketing" vein have looked at it like not Web 2.0 but Internet tech 3000. That is they refer to ages of protocols being gestated, birthed, aged, and "End of Lifed" (inception to cremation life cycle). As such the half life of protocols appears related to how far up the computing stack they are. That is those at the physical layer have 25-50 year half lives, but at the presentation layer 18 months is pushing it.

The problem of course is protocols are children of the next generation of hardware and its standards. For four decades at least protocols in the general sense including the likes of file formats have been battle grounds in bitter corporate and now national wars to in effect enslave the ordinary person. We might call some of the more obvious attempts "patent trolls" but lesser levels "tied in" or "walled gardens".

It reminds me of a joke that must be half a century old,

    At an international science conference a small group are sitting at a table, an American and a Russian are going at it hammer and tongs about their nations' differences. After some time the two protagonists pause to draw breath and marshal their thoughts, and in the quiet, a small old Jewish man who had not spoken before coughed apologetically and spoke,

    "Gentlemen, I have listened to both of your arguments, and they are both very similar, in fact I would venture they are the same except for one small detail"

    This caused the two protagonists to stare at him askance. So he went on,

    "Gentlemen, it is very clear you are very passionate about what you and your nations love the most."

    This produced blank looks from the two protagonists as clearly they did not comprehend what he was saying. So he went on,

    "Gentlemen, you care so much about what you love, you lock them away, for you in the West it's money, in the East it's your countrymen."

The difference over fifty years appears the roles are revolving...

So for now both the East and West are locking up both their citizens and their money.

Each time mankind finds a way to try and rise above the cesspool that is money and politics, those few who chose to wallow in that pit with glee reach out and pull the rest of us down.

As has been noted,

    "When it occurs to a man that nature does not regard him as important, and that she feels she would not maim the universe by disposing of him, he at first wishes to throw bricks at the temple, and he hates deeply the fact that there are no bricks and no temples."

So man instead invents them, to build not temples but prisons and chains to bind man and his fellows down in a dystopian hell that even Dante could not conjure up for his Divine Comedy...

Cyber-Balkanization is but one pebble on that road to purgatory.

JonKnowsNothing • December 20, 2019 10:09 AM

@ Larry @ Clive Robinson

@ Larry

"Recently, a non-techie friend was considering buying a RING for their door. I about blew my over-priced coffee concoction through my nose...."

I presume that means you laughed at them? If so, why not educate them instead?

I did not laugh at them because I spend a lot of time explaining to the complete boredom of nearly everyone I meet why such devices are bad-news in spite of the slick (or sick) marketing ads.

That the person was still considering buying such a device even after numerous "don't do that because..." chats and told me while I was imbibing my hot drink created the nasal congestion.


@ Clive Robinson

The good news on the horizon is that Splinter-Net is de facto now. Yep that's the good news.

In which sense do you mean "splinternet"?

However as with many terms journalists and others have turned it into a negative meaning, and have confounded it with "Cyber-Balkanization".

In the terms of Cyber-Balkanization but I can't spell that; I had to make do with copy and paste from your post.


From a news report 12 19 2019 (summary)

The suspension of data services, phone calls and texting to curb protests ... is becoming an increasingly common tool for authoritarian governments...

attempts to switch off the flow of information. [a report] recorded 75 internet outages around the world in 2016; the figure more than doubled to 196 last year.

... [a] Chinese state media outlet ... did not miss the opportunity to highlight the message .... “It means that shutting down the internet in a state of emergency should be standard practice for sovereign countries”.

ht tps://www.theguardian.com/technology/2019/dec/19/india-internet-curbs-are-part-of-growing-global-trend

(url fractured to prevent autorun)

Electron 007 • December 20, 2019 1:58 PM

Cops ain't givin' up yet. They gotta warrant straight outta city hall to d'crip that sex offender's phone right now! For the safety and protection of innocent women and children everywhere! Who could possibly object?

Encryption scheme lets police access your phone, but there's a catch

https://www.newscientist.com/article/2125895-why-breaking-encryption-is-a-bad-idea-that-could-never-work/

https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf

Now, Sacha Servan-Schreiber at the Massachusetts Institute of Technology and Archer Wheeler at Brown University in Rhode Island have proposed a potential compromise: backdoors with steps that would make them costly for law enforcement agencies to …

Continue reading

Subscribe now for unlimited access

Electron 007 • December 20, 2019 3:55 PM

Scientists Develop ‘Absolutely Unbreakable’ Encryption Chip Using Chaos Theory

And that's the hysterical science behind the cheek swabs, DNA matches, and rape kit backlogs at the police station.

They've got all this evidence and expert testimony in court, although the stories of what happened where, when, why, and whodunit remain inconsistent and inconclusive.

Oh, the privileged ladies of the court are definitely pressing charges, we know that, and the private/corporate Christian sheriff is putting the bad guys in jail, we know that, too.

But criminal law never was about details and niceties or fine distinctions of logical points, was it? No, there are 12 good men and true who happen to own quite a bit of property in the district themselves.

Larry • December 20, 2019 4:19 PM

@JonKnowsNothing
I stand corrected sir! Sounds somewhat similar to family members I have told that they need stronger passwords than kids' names or dogs' names!
I suggested LastPass which I use & generally like. They did use it briefly, but had some issue with it. I suggested a couple of others I've heard of, but as far as I know, still use very weak (easy to remember) passwords; ugg!
Larry

Clive Robinson • December 21, 2019 1:11 AM

@ Wael, Ross Snider, Bruce Schneier,

With regard to the multiplicity of workers on what in effect will be the same result as a standard.

I am reminded of the old caution nearly every engineer knows about standards being like toothbrushes,

Every one agrees that you should

1, have one,
2, and use it all the time,

Which is all good sense, but... also,

3, Nobody wants to use anyone else's...

Is always told as a little joke.

But like all jokes, one day somebody took it too far, and the International Organization for Standardization (ISO) issued,

    Standard, ISO 20126:2012, Dentistry - Manual toothbrushes - General requirements and test methods.

Proving if ever a proof was needed that "if it ain't nailed down, or even if it is, someone will sneak up and measure it and then say that yours is 'non-standard'". Worse they will simplify the standard for "clarity" and you will get "cubic eggs"[1] and "straight bananas" as the standard you have to conform to...

[1] Oddly mad as cubic eggs might sound I can actually explain it and it does make sense, even when you find the reality is the standard's a "square" not a "cube"...

Wael • December 21, 2019 2:18 AM

@Clive Robinson, @Ross Snider, @Bruce Schneier,

Nobody wants to use anyone else's...

That has historically proven to be true. There's some form of collaboration between some of the groups, so hopefully it'll be different.

Oh, there are such things as cubic eggs, if you search :)

Clive Robinson • December 21, 2019 3:41 AM

@ Larry, ALL,

I'm a wannabe with a little bit of knowledge so I need to read the experts to know what's going on.

I'm going to sound like the actor[1] giving a pushy woman career advice about her ambitions for her daughter...

When it comes to information security the field of endeavor lacks suitable measurands. Which makes the industry problematic and full of assumptions, most unprovable but also not disprovable, that hang there like a nightmare piñata waiting to be whacked apart. The downside is that whilst hanging they make "Marketing fodder" the claims of which as you've probably worked out lie some distance beyond "lies, damn lies, and statistics", hence the old "Snake Oil" postings our host used to put up quite regularly.

Much real security be it physical or informational comes about via a highly developed sense of what is not aesthetic in multi-dimensions, which our host likes to call "Thinking Hinky". It's possibly an innate skill that you either have or have not, but it can be refined with a lot of time with your nose at the right grindstone. You quite literally develop a sense of something not being right, and it nags at your subconscious, giving what some call "a back of the neck" feeling. In the military it's seen as a refined "situational awareness" ability.

Unfortunately somebody thought you could somehow distill the essence of "thinking hinky" out and package it up and make it available to all, hence our main tools are "reactive" rarely "proactive". Which is good for the tool makers as it gives them long-term employment.

But it also gave rise to "tiger team" or "red and blue team" activities which gives us the notion of "Pen-Testing" which can be a bit of a charlatans game.

Because in ICTSec you are playing in a very target rich vulnerability environment. So rich in fact that there is no reactive system you can put in place that can not be defeated, often trivially so. Thus if you don't have the thinking hinky ability, you can still be a Pen-Tester, by being almost a "one trick pony", as long as your trick is not yet in somebody else's tool kit. This means you get the same scam that the "Big Four Accounting" firms pull with their highly over priced business consultants. You employ those that can think hinky or buy in the exploits they find. You then weaponise these and teach them to your very many Pen-Test teams to use against their clients... So one weaponised exploit can be used highly profitably by many teams that are not really more than Stanislavsky "method" actors in suits going through the motions of a play for different audiences every day. The more tricks you learn the better you look. But at the end of the day it's not "Original" or "Creative" work, but it can pay well if you have some innate acting or marketing skill.

The thing is, that those who really can think hinky are not the people you want on Pen-Teams. Not just because they often have the wrong personality type, but more importantly original and creative work is neither smooth nor urbane and full of failures for the few successes and as with mathematics you do your most original work before you are thirty. You then move into training the next generation then if your personality is not too bad, management. Alternatively you found a "start-up" and get it to the point where an Angel takes it off your hands before you destroy it. A serial entrepreneur is often one with a personality type issue, they can do unencumbered "start-up" but they can not do constrained "continuity", kind of "ideas" people not "management" (you can look up the Myers-Briggs Type indicators and similar if you believe in such things as they don't work as predictors on the more interesting people).

Anyway the real problem you will face is "Certificate Madness", remember the lack of measurands... That means there are no appropriate courses in the conventional academic mould for scientific research or mathematics. Which is a problem on many fronts. But the big one is employers and Human Resources, they for various reasons demanded a way to grade people, thus a vacuum was created and all those computer tested proficiency courses quickly became a major business in their own right. As many actual engineers and team leaders have found those courses really only prove you can learn the answers to a bunch of known questions...

Some Universities got into that game as well and yes I did a masters in "Information Systems Design" and the only maths I remember being used in course work was at the Student Union bar (unlike the crypto I did under the ERASMUS Program). The masters did have some funny points though, when they tried to demonstrate entropy by practical demonstration to someone who is not just practicing but at heart a communications engineer. Oh and when they asked us to split into teams to develop an "information model" for team dynamics as an exercise... I got to present last and unknown to my team who I'd gently led, I'd based my work on various "filters and processes" that anyone doing DSP or SDR would have familiarity with likewise those doing error correcting coding. When working with the team I'd used pretty pictures, but for the presentation I actually wrote up the equations and solved them, on the viewfoil just about as fast as I could write without getting cramp. The totally shocked and gobsmacked look on everyone else's faces was worth every moment of it, it was like they had "Discovered an alien amongst them".

Which sadly makes the point that in ICTSec, you have to take your fun where you can take it, because by and large it's duller than the dried up mess Canadian Geese leave around your water feature. So much so it can make "death by view foil" look a good way to go in what feels like an eternity of meetings about "tools", that you will get to find out are a much poorer investment than betting on horses with nice names, because at least you occasionally get a winner...

[1] Actually Noël Coward with a spoken song called "Mrs Worthington" from the mid 1930's,

https://www.youtube.com/watch?v=Lt7FvKkgl7o

The song had to be cleaned up from the original to be "publishable". However it has managed to spawn a veritable myriad of copies with various deviations away from acting into other professions.

Clive Robinson • December 21, 2019 4:14 AM

@ Wael, Ross Snider, Bruce,

Oh, there are such things as cubic eggs, if you search :)

Yup, they appear in a piece of science research that I like to mention from time to time, along with the guy that solved the "rat in a maze" issue and overnight rendered useless thousands of behaviour science research projects and published papers[1].

Whilst the finding of the information about the experiments on the "tool using" Egyptian Vulture is generally fairly dry. The author Esther Inglis-Arkell[2] of this article,

https://io9.gizmodo.com/scientists-learn-a-bird-uses-tools-and-promptly-decide-1696944785

Gets the essence of the problem, distills it and sets it in an appropriate light...

[1] Whilst these research failures are funny, they also show up a major problem with the underlying aspects of security and engineering failures as well. Though generally the latter are very far from fun because people get hurt, unfortunately the same is becoming true for security failures.

[2] Her other writings about professional humans not getting it can be quite fun as well,

https://kinja.com/estheringlis-arkell

One for those who have a thing about cats,

https://gizmodo.com/behold-the-best-designed-cat-house-any-cat-will-still-c-1768117533

Wael • December 21, 2019 5:22 AM

@Clive Robinson,

I like the cat house. I only have one cat left out of seven, and he's about to expire (he has about 1.5 lives left out of 9.) Otherwise, I would've bought the house :)

Clive Robinson • December 21, 2019 7:13 AM

@ Wael,

A friend of mine's parents had a "family cat" now long departed that had its own favourite "home" type place.

If you parked a car up in the street it used to scoot along under the other parked cars and climb up the tire of the newly parked car and sleep on top of the wheel resting against the engine compartment. For some reason we never found out it never got hurt doing this for fifteen odd years. What finally put paid to him was a fight with a fox, that the vets could not stitch back up :-(

Whilst I would not have a cat as a pet (as Terry Pratchett used to observe they really are mean nasty bug33rs under the cute fur) I can understand why people like them especially those that could enter the purring olympics.

What I always wanted was a border collie dog which surprisingly can be "cat tolerant" even when not raised with cats.

This liking of the breed was confirmed when I had to look after one for an extended period whilst a friend was in hospital and then convalescing with a badly broken leg from falling down a mountain she was climbing.

But it taught me my life style was not fair to them. Now it looks like I'm permanently on sticks, I could not give a border collie the ten miles a day walk it would need or the mental stimulation of several hours of energetic games etc to keep it content. But they are really good make friends dogs due to the way they look at people and are very friendly even to toddlers and above. However they are not exactly indoors dogs unless well exercised, and the whole household is tolerant of them "joining in" in nearly all activities including as I found out sneaking up on you when showering, but also quite content with "bath time" after a really muddy day out, as long as the hairdryer and a good brushing followed.

Wael • December 21, 2019 7:23 AM

@Clive Robinson,

I'm done with pets. No more after this one goes. But if I ever get another pet, it'd be something that doesn't make me sad when it dies (or eaten by an owl.) It would have to be a snake or a scorpion.

SpaceLifeForm • December 21, 2019 2:31 PM

@ Clive

Sorry to hear about the sticks. But keep moving as much as possible.

"The good thing about standards is that there are so many to choose from."

-- Andrew S. Tanenbaum

SpaceLifeForm • December 21, 2019 3:00 PM

@ Clive

Oddly mad as cubic eggs might sound I can actually explain it and it does make sense, even when you find the reality is the standards a "square" not a "cube"...

RSA vs ECC.

Either egg form may taste alike when scrambled.

With proper random seasoning of course.


Electron 007 • December 21, 2019 6:41 PM

RSA vs ECC

RSA is based on the difficulty of factoring the product of two very large primes, which are kept secret. The math is relatively simple.

N=pq

ϕ(N) = (p-1)(q-1) = the number of natural numbers which are less than N and relatively prime to N. If C is the ciphertext, P is the plaintext (encoded as very large integers <N), e is the public key, and d is the private key, then

C == P^e (mod N)
P == C^d (mod N)

If ed == 1 (mod ϕ(N)), then the encryption and decryption will both work, and if both e and d are known, it is easy to factor N and recover the two primes p and q.

Often e is taken to be 3 or 65537, and the private key d is computed as the multiplicative inverse of e modulo N.

Sometimes it is suggested to find primes p and q such that (p-1)/2 and (q-1)/2 are either themselves prime or difficult to factor, but opinions vary on techniques for avoiding "weak keys."

ECC is much more involved and related to the (in)famous Birch and Swinnerton-Dyer Conjecture among other deep and poorly understood phenomena.

Wael • December 21, 2019 7:53 PM

@Electron 007,

RSA is based on the difficulty of factoring the product of two very large primes, which are kept secret. The math is relatively simple.

Not necessarily two and not necessarily very large. Enter Multi-Prime RSA, which research shows is more robust under current known attacks.

We* have shown that as the number of prime factors in the modulus increases, the attacks become more complex, which results in that the attacks apply in fewer instances, or become totally ineffective, or do not seem to extend at all.

* I'm not part of the "We", but I know where Multi-Prime came from.
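
A worked illustration of the two comments above, as an added example that was not posted by Electron 007, Wael or anyone else in the thread: textbook RSA with d taken as the inverse of e modulo ϕ(N), generalized to the multi-prime modulus Wael mentions (ϕ(N) becomes the product of every p_i - 1), plus the point that once both e and d are known the two-prime modulus can be split. The primes and messages are constructed toy values, far too small for real use; the function names are mine.

```python
from math import gcd
import random

def rsa_keygen(primes, e=65537):
    """Textbook RSA over a list of distinct primes.
    Two primes is ordinary RSA; more than two is multi-prime RSA,
    where phi(N) is the product of (p_i - 1) over all factors."""
    n, phi = 1, 1
    for p in primes:
        n *= p
        phi *= p - 1
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi)  # private exponent: inverse of e modulo phi(N), not modulo N
    return n, e, d

def rsa_encrypt(m, n, e):
    return pow(m, e, n)          # C = P^e mod N

def rsa_decrypt(c, n, d):
    return pow(c, d, n)          # P = C^d mod N

def factor_from_keypair(n, e, d, tries=100, seed=1):
    """Split a two-prime modulus once both e and d are known: e*d - 1 is a
    multiple of phi(N), so g^(e*d-1) == 1 (mod N) for any base g coprime to N;
    walking up the square roots of that 1 exposes a non-trivial root of unity."""
    rng = random.Random(seed)  # fixed seed so the demo is reproducible
    t, s = e * d - 1, 0
    while t % 2 == 0:
        t //= 2
        s += 1
    for _ in range(tries):
        g = rng.randrange(2, n - 1)
        p = gcd(g, n)
        if p > 1:                # base shares a factor with N (only plausible at toy sizes)
            return tuple(sorted((p, n // p)))
        x = pow(g, t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s):
            y = x * x % n
            if y == 1:           # x*x == 1 but x != +-1: gcd(x - 1, N) is a proper factor
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:       # reached the trivial root; try another base
                break
            x = y
    return None

if __name__ == "__main__":
    # Toy primes constructed for the demo: N = 3233, phi(N) = 3120, e = 17, d = 2753.
    n, e, d = rsa_keygen([61, 53], e=17)
    c = rsa_encrypt(65, n, e)
    print(n, e, d, c, rsa_decrypt(c, n, d), factor_from_keypair(n, e, d))
```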

Wael • December 21, 2019 8:29 PM

@Clive Robinson, @SpaceLifeForm et al.,

Oddly mad as cubic eggs might sound I can actually explain it and it does make sense,

Allow me to take a stab at explaining:
When chickens lay eggs, Cuban chickens suffer most. ;-)

Larry • December 21, 2019 8:47 PM

@Clive
Well, thanks for the discourse.
Have no fear though. I will always be a "wannabe". I've been a tech geek for most of my life, but I'm far too late to the party.
After getting the CompTIA ITF certificate (not the newest, the previous one) last year, which doesn't make me think I'm any kind of "expert", it dawned on me I'm too late. I started following the security end of computers/IT a few years ago watching Security Now (not sure how I found out about that). I learned about our host & Brian Krebs from Steve Gibson on SN & have been reading them most every day since. I find it most interesting & can understand around 90% of the things they talk about even with my lack of background.
Anyways, while security interests me & it would be nice to fill some sort of spot in the industry, I realized at 57 I'm far too old!
No one would hire me when they can hire a young grad with a tech degree (I have no degree).
So, no I won't be like Mrs. Worthington.
I'll just continue to read these blogs (along with some others like Bleeping Computer also found out about from Steve G) as long as the real experts don't chase me away for asking dumb questions!
Thanks for your time. Larry

Wael • December 21, 2019 9:04 PM

@Larry, CC: @Clive Robinson,

Anyways, while security interests me & it would be nice to fill some sort of spot in the industry, I realized at 57 I'm far too old!

As I told @name.withheld.for.obvious.reasons: age is just a number. Hasn't stopped @Clive Robinson, who happens to be 737 years old :)

Never too late. Learning is a life-long experience. I'll spare you the links for late bloomers in Mathematics and other fields of science (partially because I am too old to look for them.)

Clive Robinson • December 21, 2019 10:56 PM

@ Wael,

Clive Robinson, who happens to be 737 years old :)

It's supposed to be in "moons" not years

So 737 moons would be around 56.5 years which makes me feel a whole smidgen better... Ah the joys of being young again ;-)

Wael • December 21, 2019 11:09 PM

@Clive Robinson,

So 737 moons would be around 56.5 years

Exactly! So you took the lower bound [1] -- the optimistic view, which happens to be around your real age, give or take 5% ;)

[1] Divided by 13, instead of 12 with the occasional 13

Clive Robinson • December 21, 2019 11:30 PM

@ Larry,

as long as the real experts don't chase me away for asking dumb questions!

Even supposedly "dumb questions" need answers, and even experts can not always give them.

The most awkward to answer are the so-called "childish questions" like,

    Why is the sky blue and clouds white?

That is a real tough one to answer honestly in a way that both children and adults get to understand.

Mind you my son did understand entropy (a measure of possibility) when I explained it to him with lego bricks... His teachers at primary school were not impressed because "entropy" was not even in their teaching books ;-)

Worse was to come when he asked about "orbits" and I explained with a hoop, some cardboard triangles and squared paper. Apparently that's not in the secondary school teaching books...

The thing is when I was that age the schools had not been mucked about with by politicians (who probably got "double swirlies" every day and just want revenge). Back then the teachers had smaller classes thus took the time with lots of cans, string and other household items to show kids how to measure things and then get approximations to Pi and other essential geometry.

Oddly for most parents their kids are a lot smarter than they think they are. All you normally have to do is find a way relatable to their everyday lives to get it over to them as they don't have preconceived notions about maths and science being difficult.

In my experience even those well beyond retirement can pick things up that are new to them fairly easily with the right explanation. The only real problem generally is the "this is going to be too difficult" voice in their heads...

Importantly for longevity is still learning things every day. Because it keeps your brain alive that then keeps the body alive. Some research suggests it could add between 10 and 20 years to your healthy life expectancy...

So keep on learning...

Wael • December 21, 2019 11:44 PM

@Clive Robinson, @Larry,

Why is the sky blue and clouds white? [...] That is a real tough one to answer honestly in a way that both children and adults get to understand.

Why are clouds white is a more difficult question to answer... apparently

PS: I had a link to the same video a while back... can't recall when.

Clive Robinson • December 22, 2019 11:50 AM

@ Wael,

Divided by 13, instead of 12 with the occasional 13

Err no, I went with,

737 x 28 / 365.25

As you know the Moon has an orbit relative to the stars of ~27.3 days which gives a "sidereal month". But... When referenced to the Sun for the "synodic month" it's ~29.5 days, and the earth's "sidereal year" is approximately 365.25 days (good for just about 400 Gregorian years if you don't cross one of the correction points). However the moon has perturbations in its orbit and other issues with around an eight year cycle. I have worked it all out in the past from first principles to quite some accuracy when writing a satellite tracking program (satellites are affected by the moon as well as the earth and doing a three-body solution is not the easiest way to do it). But I don't currently have certain bits of information to hand.

So rather than spend three days or so on it again, I used a four week month of 28 days knowing that whilst it was wrong, things averaged out a bit and gave a nice simple but importantly quick answer.

Feel free to look up the respective orbital moments and build a 100th harmonic DFT model to work it out more accurately, but don't forget to post your workings so we can check you've taken everything into account ;-)

But trust me if you do you will think not,

    Ah the joys of being young again

More like,

    Agggh, the pains of being old occur again

Oh and whilst,

Why are clouds white is a more difficult question to answer...

Has a degree of truth in it, it's going to be darn few parents who can answer either off the top of their head. And even fewer in a way a practical experiment a child can easily grasp.

But if you want to, a fishtank of tap water, a flash light and a dark room and a teaspoon of powdered milk works for the "sky is blue" experiment. You need to add an electric kettle for the "clouds are white" or more correctly photo neutral grey.

Oh and watch out for the "what colour is steam" question (raw or true steam is not visible to the human eye except by turbulence, it's why it's so bloody dangerous).


Larry • December 22, 2019 4:30 PM

@Clive & Wael,
Thanks guys! I don't plan to give up learning, it's just I'm too old to be hired in a tech job.
I should have left my physically taxing job a LONG time ago. I allowed myself to get in a rut. I figure the PHB will give me the boot any day now.

Hannes Tschofenig • January 12, 2020 9:25 AM

I noticed a trend that every security problem is now re-branded as an IoT security problem. Since when is a video conferencing system an IoT device? When I was working on video conferencing about 10 years ago it was just ... a video conference system. Of course, those have problems too (and, of course, still have problems today).

A more substantive remark regarding this statement: "These are stupid design decisions made by engineers who had no idea how to create a secure system"

It is by no way obvious that these are the result of design decisions made by engineers (and the term 'engineer' is pretty broad here too). We actually don't know why design mistakes in IoT devices are made. Are they the result of being uneducated about security, a wrong assessment of the threats, the result of a (configuration) mistake, a management decision, etc.?

These details actually matter because education helps when someone is uninformed. Education helps little if the decision has been made intentionally.

JonKnowsNothing • January 12, 2020 10:25 AM

@Hannes Tschofenig
re:

I noticed a trend that every security problem is now re-branded as an IoT security problem

IoT (IdiOT) is a standard (well supposed to be one). It has evolved to encompass anything that the Marketing Department can stick the tag-line in.

It's a bit like Blockchain that way. Makes money.

Of privacy there is none by design. When there is a "breach" like RING or WYZE or outing of SiriusXM, the Usual Suspects have to be named so that sales can continue unimpeded.

Education is something not-wanted. It interferes with the Time To Market.


The Evolving Definition of the Internet of Things:

The definition of the Internet of Things has evolved due to the convergence of multiple technologies, real-time analytics, machine learning, commodity sensors, and embedded systems. Traditional fields of embedded systems, wireless sensor networks, control systems, automation (including home and building automation), and others all contribute to enabling the Internet of Things. In the consumer market, IoT technology is most synonymous with products pertaining to the concept of the "smart home", covering devices and appliances (such as lighting fixtures, thermostats, home security systems and cameras, and other home appliances) that support one or more common ecosystems, and can be controlled via devices associated with that ecosystem, such as smartphones and smart speakers.

ht tps://en.wikipedia.org/wiki/Internet_of_things
ht tps://en.wikipedia.org/wiki/Blockchain
(url fractured to prevent autorun)

Mushroom Cloud • January 12, 2020 11:14 AM

@JonKnowsNothing

IoT (IdiOT) is a standard (well supposed to be one).

IPv6 (as IPv4) is a standard, but it is not the same concept as "Internet of Things" except inasmuch as computers are "things" and they need IP addresses to communicate with other computers, if their users wish to go "online" with them.

the Usual Suspects have to be named so that sales can continue unimpeded.

By any chance do you own a business or work for a business in the U.S. or some other country? Then you depend on "unimpeded sales" for your own living.

Education is something not-wanted. It interferes with the Time To Market.

Communist Party political indoctrination on the college campus is not wanted by those of us who want to live independently or earn or keep any money or property of our own in any sense.

The Evolving Definition of the Internet of Things:

People get educated nonetheless and standards evolve. There is good and evil, virtue and vice. People say one thing and mean another, and other people have to sort out the truth from the lies.

MarkH • January 12, 2020 11:56 AM

@Hannes:

It's a distinction that corresponds to a meaningful difference.

Desktop computers, notebook computers, and to varying degrees tablets and phones typically

• are thought of as "computers"
• are widely understood to be vulnerable to attack
• pose some reputation risk to vendors when they behave badly
• receive automatic software updates supposed to resolve security problems
• are taken care of by InfoTech departments in organizations.

None of these apply to the same degree to IoT gadgets. By way of contrast

• most users don't think of them as computers
• most people don't know that they are vulnerable to hacking
• vast numbers of them come from "no-name" Chinese vendors who might not exist (in any identifiable form) in a year or two
• most of them don't get regular security updates
• IT departments have less awareness of them, and less resources for managing their security risks

I also worked on networked embedded systems before the term was invented ... that doesn't mean that they aren't IoT.

JonKnowsNothing • January 12, 2020 4:13 PM

@Mushroom Cloud re:

IPv6 (as IPv4) is a standard, but it is not the same concept as "Internet of Things" except inasmuch as computers are "things" and they need IP addresses to communicate with other computers, if their users wish to go "online" with them.

There are standards and then there are standards.

  • Some standards come from Up High.
  • Some standards come from Behind Closed Doors.
  • Some standards are conventional.
  • Some standards are non-conventional.

It all depends on what you want to label as "standard", or not, depending on which end of the legal spectrum you are looking at.

Like UWB (Ultra-wideband) lots of folks with fingers in that pie and while some of it is hard science, some of it is by gentleperson's agreement.

Whether a standard is a hard science one or by mutual disagreement (VHS vs Betamax), if you are in one camp or the other you will follow The Directives as Issued.


UWB:
ht tps://en.wikipedia.org/wiki/Ultra-wideband

Ultra-wideband (also known as UWB, ultra-wide band and ultraband) is a radio technology that can use a very low energy level for short-range, high-bandwidth communications over a large portion of the radio spectrum.
Ultra-wideband is also used in "see-through-the-wall" precision radar-imaging technology, precision locating and tracking (using distance measurements between radios), and precision time-of-arrival-based localization approaches. It is efficient, with a spatial capacity of approximately 10^13 bit/s/m².
China allowed 24 GHz UWB Automotive Short Range Radar in Nov 2012

Apple launched the first three phones with ultra-wideband capabilities in September 2019, namely, the iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max
