Fixing the IoT isn't going to be easy

Oct. 21st, 2016 11:35 pm
[personal profile] mjg59
A large part of the internet became inaccessible today after a botnet made up of IP cameras and digital video recorders was used to DoS a major DNS provider. This highlighted a bunch of things including how maybe having all your DNS handled by a single provider is not the best of plans, but in the long run there's no real amount of diversification that can fix this - malicious actors have control of a sufficiently large number of hosts that they could easily take out multiple providers simultaneously.

To fix this properly we need to get rid of the compromised systems. The question is how. Many of these devices are sold by resellers who have no resources to handle any kind of recall. The manufacturer may not have any kind of legal presence in many of the countries where their products are sold. There's no way anybody can compel a recall, and even if they could it probably wouldn't help. If I've paid a contractor to install a security camera in my office, and if I get a notification that my camera is being used to take down Twitter, what do I do? Pay someone to come and take the camera down again, wait for a fixed one and pay to get that put up? That's probably not going to happen. As long as the device carries on working, many users are going to ignore any voluntary request.

We're left with more aggressive remedies. If ISPs threaten to cut off customers who host compromised devices, we might get somewhere. But, inevitably, a number of small businesses and unskilled users will get cut off. Probably a large number. The economic damage is still going to be significant. And it doesn't necessarily help that much - if the US were to compel ISPs to do this, but nobody else did, public outcry would be massive, the botnet would not be much smaller and the attacks would continue. Do we start cutting off countries that fail to police their internet?

Ok, so maybe we just chalk this one up as a loss and have everyone build out enough infrastructure that we're able to withstand attacks from this botnet and take steps to ensure that nobody is ever able to build a bigger one. To do that, we'd need to ensure that all IoT devices are secure, all the time. So, uh, how do we do that?

These devices had trivial vulnerabilities in the form of hardcoded passwords and open telnet. It wouldn't take terribly strong skills to identify this at import time and block a shipment, so the "obvious" answer is to set up forces in customs who do a security analysis of each device. We'll ignore the fact that this would be a pretty huge set of people to keep up with the sheer quantity of crap being developed and skip straight to the explanation for why this wouldn't work.

Yeah, sure, this vulnerability was obvious. But what about the product from a well-known vendor that included a debug app listening on a high numbered UDP port that accepted a packet of the form "BackdoorPacketCmdLine_Req" and then executed the rest of the payload as root? A portscan's not going to show that up[1]. Finding this kind of thing involves pulling the device apart, dumping the firmware and reverse engineering the binaries. It typically takes me about a day to do that. Amazon has over 30,000 listings that match "IP camera" right now, so you're going to need 99 more of me and a year just to examine the cameras. And that's assuming nobody ships any new ones.
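The two checks the post calls obvious, plus the one it says needs the firmware dumped, can all be expressed as a static pass over an extracted root filesystem. The script below is an example added to this page, not mjg59's code or any vendor's tooling: it flags password hashes baked into the image (classifying the hash type, which goes a little beyond the post), telnetd launched from the boot scripts, and the backdoor trigger string the post quotes sitting inside a binary. The sample filesystem, every hash in it, and the marker list are constructed for the example; a real run would walk a directory produced by a firmware-extraction tool instead of the dict.

```python
"""Static triage of an extracted firmware root filesystem (added example).

Flags the three things discussed in the post: credentials baked into the
image, telnetd started at boot, and the UDP backdoor trigger string
"BackdoorPacketCmdLine_Req" inside a binary. SAMPLE_ROOTFS, its hashes and
BACKDOOR_MARKERS are constructed for this example, not a real signature set.
"""
import re
from dataclasses import dataclass

# Password fields that hold no secret: "x" defers to /etc/shadow, the rest lock the account.
_NOT_A_SECRET = {"x", "*", "!", "!!", "*NP*", "NP", "LK"}
# Trigger strings worth a closer look. The first is quoted in the post; the list is an assumption.
BACKDOOR_MARKERS = [b"BackdoorPacketCmdLine_Req"]
# Boot-time configuration that can spawn a telnet daemon.
_BOOT_FILES = re.compile(r"^/etc/(inittab|rc\S*|init\.d/.*)$")
_TELNETD = re.compile(r"(^|[\s:/])telnetd\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # hardcoded_credential | telnet_at_boot | backdoor_marker
    path: str
    detail: str


def _hash_kind(secret: str) -> str:
    """Describe what a passwd/shadow password field actually holds."""
    if secret == "":
        return "empty password, login needs no password at all"
    if secret.startswith("$6$"):
        return "sha512crypt hash"
    if secret.startswith("$1$"):
        return "md5crypt hash"
    if len(secret) == 13 and "$" not in secret:
        return "traditional DES crypt hash (8-char maximum, cracks quickly)"
    return "unrecognised hash format"


def find_hardcoded_credentials(path: str, data: bytes) -> list:
    """Every passwd/shadow entry whose password field is a real secret (or empty)."""
    out = []
    for line in data.decode("utf-8", "replace").splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 2:
            continue
        user, secret = fields[0], fields[1]
        if secret in _NOT_A_SECRET or secret.startswith(("!", "*")):
            continue
        out.append(Finding("hardcoded_credential", path, f"{user}: {_hash_kind(secret)}"))
    return out


def find_telnet_at_boot(path: str, data: bytes) -> list:
    """Uncommented boot-script lines that start telnetd."""
    lines = (l.strip() for l in data.decode("utf-8", "replace").splitlines())
    return [Finding("telnet_at_boot", path, l)
            for l in lines if l and not l.startswith("#") and _TELNETD.search(l)]


def find_backdoor_markers(path: str, data: bytes) -> list:
    """Known trigger strings anywhere in a file; works on raw ELF bytes."""
    out = []
    for marker in BACKDOOR_MARKERS:
        offset = data.find(marker)
        if offset >= 0:
            out.append(Finding("backdoor_marker", path, f"{marker.decode()} at offset {offset}"))
    return out


def triage(rootfs: dict) -> list:
    """rootfs maps absolute path -> file bytes, e.g. from walking an extracted image."""
    findings = []
    for path, data in rootfs.items():
        if path in ("/etc/passwd", "/etc/shadow"):
            findings += find_hardcoded_credentials(path, data)
        if _BOOT_FILES.match(path):
            findings += find_telnet_at_boot(path, data)
        findings += find_backdoor_markers(path, data)
    return sorted(findings, key=lambda f: (f.kind, f.path, f.detail))


# Constructed sample image; the hashes are invented and match no real product.
SAMPLE_ROOTFS = {
    "/etc/passwd": (b"root:x:0:0:root:/:/bin/sh\n"
                    b"admin:x:0:0:admin:/:/bin/sh\n"
                    b"guest:x:1000:1000::/tmp:/bin/sh\n"
                    b"nobody:*:99:99::/:/bin/false\n"),
    "/etc/shadow": (b"root:ab8qYdGAGvChM:10933:0:99999:7:::\n"
                    b"admin:$1$saltsalt$Q1CnH3jvY9ZpXzB2kc.Ms0:10933:0:99999:7:::\n"
                    b"guest::10933:0:99999:7:::\n"
                    b"nobody:*:10933:0:99999:7:::\n"),
    "/etc/inittab": (b"::sysinit:/etc/init.d/rcS\n"
                     b"::respawn:/usr/sbin/telnetd -l /bin/login\n"
                     b"#::respawn:/sbin/getty 115200 ttyS0\n"),
    "/usr/bin/debugd": (b"\x7fELF\x01\x01\x01" + b"\x00" * 16
                        + b"BackdoorPacketCmdLine_Req\x00/bin/sh\x00-c\x00"),
}

if __name__ == "__main__":
    for f in triage(SAMPLE_ROOTFS):
        print(f"{f.kind:22} {f.path:18} {f.detail}")
```

The marker grep only catches backdoors whose trigger is a literal string; a trigger built at runtime, or one hidden in an obfuscated blob, still needs the day of reverse engineering the post describes.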

Even that's insufficient. Ok, with luck we've identified all the cases where the vendor has left an explicit backdoor in the code[2]. But these devices are still running software that's going to be full of bugs and which is almost certainly still vulnerable to at least half a dozen buffer overflows[3]. Who's going to audit that? All it takes is one attacker to find one flaw in one popular device line, and that's another botnet built.

If we can't stop the vulnerabilities getting into people's homes in the first place, can we at least fix them afterwards? From an economic perspective, demanding that vendors ship security updates whenever a vulnerability is discovered no matter how old the device is is just not going to work. Many of these vendors are small enough that it'd be more cost effective for them to simply fold the company and reopen under a new name than it would be to put the engineering work into fixing a decade old codebase. And how does this actually help? So far the attackers building these networks haven't been terribly competent. The first thing a competent attacker would do would be to silently disable the firmware update mechanism.

We can't easily fix the already broken devices, we can't easily stop more broken devices from being shipped and we can't easily guarantee that we can fix future devices that end up broken. The only solution I see working at all is to require ISPs to cut people off, and that's going to involve a great deal of pain. The harsh reality is that this is almost certainly just the tip of the iceberg, and things are going to get much worse before they get any better.

Right. I'm off to portscan another smart socket.

[1] A closed UDP port only reveals itself through an ICMP port unreachable reply, and those are typically rate-limited to one per second, so a full UDP portscan of all 65535 ports takes most of a day. Even then, a port that simply doesn't answer only shows up as open|filtered, and you still have no idea what the service behind it actually does.

[2] It's worth noting that this is usually leftover test or debug code, not an overtly malicious act. Vendors should have processes in place to ensure that this isn't left in release builds, but ah well.

[3] My vacuum cleaner crashes if I send certain malformed HTTP requests to the local API endpoint, which isn't a good sign.

Follow Friday: xkcd

Oct. 21st, 2016 05:35 pm
purplecat: Hand Drawn picture of a Toy Cat (Default)
[personal profile] purplecat
I tend to assume that everyone I know who spends any amount of time on the Internet is aware of xkcd but then every so often I will bump into someone who doesn't know it, so I'm mentioning it here on the off chance...

xkcd is a web comic with a minimalistic style and exceptionally wide-ranging content. Its comics tend to be just a few panels with a gag built in, and often with a computer, science or nerdy theme (and sometimes they are really obscure; I'd be surprised if there was anyone out there who has "got" every xkcd joke without some googling). However, there are many, many exceptions to that format, from comics where the gag is only apparent from the "alt text" that pops up when you hover your mouse over the comic image to comics that are stories, games or serious infographics.

A representative sample:

Duty Calls:

Probably my favourite straight gag comic

Movie Narrative Charts:

An infographic showing the interactions of groups of people over time in several popular blockbuster movies

Time - Time was an animated story that updated slowly over nearly 6 months. I'm fairly sure when this first appeared I saw only the first frame, assumed it was an xkcd joke I didn't get and moved on, only to discover later that it was telling a story. The link here goes not to xkcd (which now only displays the final few frames of the animation) but to a separate site which lets you play the animation at the speed of your choice.

Hoverboard: Hoverboard appears to be a fairly simple collect-the-coins game. By the time this appeared I was fairly wise to some of the tricks xkcd plays and so realised it was possible to escape from the initial simple space into a much larger world. It must be said I explored it a little and then moved on, but G. saw me doing it and she explored the whole game thoroughly, managing to collect all but one of the coins.

This week in cosmology

Oct. 21st, 2016 12:52 pm
ars_belli: Abell 2744 (Abell 2744)
[personal profile] ars_belli posting in [community profile] science
Long-time lurker, first-time poster here...
Every week (most) astrophysics papers (amongst other fields) go up as pre-prints on a site called arXiv, which enables the community to see who is doing what and which topics are hot now, etc. etc. There's no better way to check that one's understood a paper than to explain it to a non-specialist audience. So I thought I would take a small collection (not more than half-a-dozen) of the hundred-plus papers which appear in General Relativity and Quantum Cosmology and Cosmology and Nongalactic Astrophysics and summarize them in a paragraph for a non-astrophysics audience. Is this the sort of thing in which [community profile] science would be interested?

Edit: Apologies for the earlier HTML fail...

(no subject)

Oct. 21st, 2016 08:20 pm
jeshyr: Blessed are the broken. Harry Potter. (Default)
[personal profile] jeshyr
Help needed! I've been working on a project around self-care for the severely sick folk like me. Most self-care says stuff like "Take a walk, go see a movie, go to a restaurant, take a swim" or similar stuff - none of which I can do as a bedridden person... so I've been making cards with things I *can* do.

I'd love to start a Facebook page to put up what I've been working on but the project needs a name. Originally in my head I've been saying "Spoonie Self-Care" but I'd like to stay away from the "spoon" idea because not everybody who's chronically ill identifies with the spoon theory idea. There's a fairly limited set of options, given that it has to be fairly short and fairly self-evident what it means. I don't want to, for example, call them 'Penguin Cards' because nobody can tell what that means unless they already know.

Current favourite idea is "Low-energy self care", partially because Trump thinks that "low energy" is an insult so it must be good. Any better ideas?

#26: Carlos Bueno, Lauren Ipsum

Oct. 20th, 2016 11:26 pm
kareila: hidden between stacks of books (books)
[personal profile] kareila posting in [community profile] kareila_books
I loved reading this book with my kids. It inevitably reminded me of the Phantom Tollbooth - a young girl finds herself on a quest in a land of whimsical encounters based on abstract concepts. Instead of a watchdog or a humbug, her companion on this quest is a chameleon named Xor who changes color to stand out from his surroundings instead of blending in. Along the way they have to decrypt messages, crack passwords, design algorithms, and more! Many of the concepts Laurie and Xor encountered were already familiar to my kids from assignments in school, and there's an excellent guide at the back of the book that provides more detailed summaries of each concept. It's both a fun story and a gentle introduction to big ideas.
ursamajor: people on the beach watching the ocean (Default)
[personal profile] ursamajor
Apparently I managed to find and bring the San Francisco summer back to New England. 84F in Boston on October 19; cherishing the likely-last bare-legged day of the year.

Office Hours: Oct 21-27, 2016

Oct. 19th, 2016 01:45 pm
karzilla: a green fist above the word SMASH! (Default)
[staff profile] karzilla
As an experiment and in response to inquiries, I've moved my weekday time slots next week from 10-11:30am to 1-2:30pm. I am also open to other alternatives if needed; just let me know!

The medium that I've chosen for scheduling office hours is a site called Sign Up Genius. It is pretty easy to use in my experience, and all of my kids' teachers use it for conferences, parties and such. You don't have to have an account on the site to sign up for time slots, which is pretty great - just give them your email address. They will send you a confirmation and a reminder, and nothing else. But if for whatever reason you have trouble claiming a time slot using that site, you can also comment here and I can take care of it for you.

I am only doing signups for a week at a time, because that's about how far in advance I can be fairly confident of my availability. Each week will start on Friday, and I'll post the signups for the following week on Tuesday or Wednesday.

Each signup slot is scheduled to run 90 minutes, but since they're non-adjacent, it's OK if we need to go longer. Anything Dreamwidth-related is fair game: we can talk about code you're writing, code you want to write but don't know how to proceed, code someone else wrote, or things that don't involve code at all (I hear such things exist). My only request is that you don't take more than two slots in a single week, to make sure there is enough of my time to go around. Of course, you're still welcome to catch me on IRC at other times if I seem to be around, and PMs are open 24/7. :)

Here's the link for my available meeting times for the seven-day period starting October 21:
kareila: hidden between stacks of books (books)
[personal profile] kareila posting in [community profile] kareila_books
I had seen positive reviews of this book online, but I was disappointed. The story wasn't very compelling, and the characters were too derivative to be terribly interesting. The only aspect of the book that I enjoyed was the worldbuilding, but that wasn't enough to keep me engaged past the first few chapters. I skimmed the rest and moved on.

What Kind of D&D Character are you

Oct. 19th, 2016 01:34 pm
purplecat: (roleplaying)
[personal profile] purplecat
Via [ profile] philmophlegm. Very bizarre, as I am very, very certain that I'm not an Elf. I definitely put "Very Short" when it asked me my height.

I Am A: Lawful Good Elf Wizard/Sorcerer (3rd/3rd Level)

Ability Scores:
Lawful Good A lawful good character acts as a good person is expected or required to act. He combines a commitment to oppose evil with the discipline to fight relentlessly. He tells the truth, keeps his word, helps those in need, and speaks out against injustice. A lawful good character hates to see the guilty go unpunished. Lawful good is the best alignment you can be because it combines honor and compassion. However, lawful good can be a dangerous alignment when it restricts freedom and criminalizes self-interest.

Elves are known for their poetry, song, and magical arts, but when danger threatens they show great skill with weapons and strategy. Elves can live to be over 700 years old and, by human standards, are slow to make friends and enemies, and even slower to forget them. Elves are slim and stand 4.5 to 5.5 feet tall. They have no facial or body hair, prefer comfortable clothes, and possess unearthly grace. Many other races find them hauntingly beautiful.

Primary Class:
Wizards are arcane spellcasters who depend on intensive study to create their magic. To wizards, magic is not a talent but a difficult, rewarding art. When they are prepared for battle, wizards can use their spells to devastating effect. When caught by surprise, they are vulnerable. The wizard's strength is her spells; everything else is secondary. She learns new spells as she experiments and grows in experience, and she can also learn them from other wizards. In addition, over time a wizard learns to manipulate her spells so they go farther, work better, or are improved in some other way. A wizard can call a familiar, a small, magical animal companion that serves her. With a high Intelligence, wizards are capable of casting very high levels of spells.

Secondary Class:
Sorcerers are arcane spellcasters who manipulate magic energy with imagination and talent rather than studious discipline. They have no books, no mentors, no theories, just raw power that they direct at will. Sorcerers know fewer spells than wizards do and acquire them more slowly, but they can cast individual spells more often and have no need to prepare their incantations ahead of time. Also unlike wizards, sorcerers cannot specialize in a school of magic. Since sorcerers gain their powers without undergoing the years of rigorous study that wizards go through, they have more time to learn fighting skills and are proficient with simple weapons. Charisma is very important for sorcerers; the higher their value in this ability, the higher the spell level they can cast.

Find out What Kind of Dungeons and Dragons Character Would You Be?, courtesy of Easydamus.

(no subject)

Oct. 19th, 2016 08:07 pm
jeshyr: Blessed are the broken. Harry Potter. (Default)
[personal profile] jeshyr
Hanging out for the day I can ask the internets whether 6-way individually switched power boards with 5m cords (and preferably, wide-spacing of plugs) exist, rather than slogging through fifty gazillion google searches ...

On the other hand if you want a 6 way individually switched powerboard or a 6 way powerboard with a 5m lead and wide spacing of plugs I know exactly where they are! I just haven't figured out how to convince those two to have babies ...
jadelennox: rainbow flag and American flag: this land was made for you and me (politics: ssm optimism)
[personal profile] jadelennox
great, detail-rich post from [personal profile] jekesta:

Hillary Clinton is the very best.

They're keeping all of these articles on why people are enthusiastic about Donald Trump (they are divided between "hey, it's not fair to say Trump enthusiasts are all racist," and "um, Trump enthusiasm is pretty goddamn racist"). Or, as [ profile] adamserwer puts it, "This economic anxiety is getting out of control."

But perhaps because it's less alien to the journalists, I never see articles about people who are enthusiastic about Hillary Clinton. There's tons of thinkpieces about the enthusiasm gap or about the weird nature of Trump enthusiasts, but nobody ever talks about Clinton enthusiasts. Which ends up being self fulfilling--no one hears about the reasons to be actively excited by Hillary Clinton.

So thanks, [personal profile] jekesta.
ursamajor: people on the beach watching the ocean (Default)
[personal profile] ursamajor
Now you see it, now you don't. Hide and seek with the Sutro Tower and @karlthefog.
kareila: hidden between stacks of books (books)
[personal profile] kareila posting in [community profile] kareila_books
This would seem to be the start of a third Percy Jackson series. The first focused on Greek demigods, the second on Roman demigods, and now our protagonist is the god Apollo himself, cast into teenaged mortal form as punishment by Zeus. Whether he actually deserved the punishment is another question, but this much is immediately clear: Apollo is a brat, and having to perceive events from his narcissistic point of view isn't very enjoyable, especially since as the god of poetry he decides to start every chapter with a terrible haiku.

Only a few months have passed since the defeat of Gaea, after which Apollo went missing, only to now show up on Percy's doorstep looking for assistance. Percy's mom is pregnant, and Annabeth is off in Boston looking for her cousin Magnus Chase, so Percy doesn't want to get involved in any new quests, but he agrees to escort Apollo and his new companion, a feral demigod named Meg, to Camp Half Blood.

Once they arrive at camp, they discover that the Oracle still lacks the power of prophecy, communications have been cut off, campers have gone missing, and Will Solace is dating Nico di Angelo. (At least it's not ALL bad news.) A new villain seems to be planning to destroy the demigods, and Apollo realizes it's up to him and Meg to try to save the day in the usual way: by blundering around attacking things that want to kill them.

#Twilight under the dome.

Oct. 17th, 2016 03:22 am
ursamajor: people on the beach watching the ocean (Default)
[personal profile] ursamajor
#Twilight under the dome.


denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)
Page generated Oct. 22nd, 2016 04:04 pm
Powered by Dreamwidth Studios