Bruce Schneier, *The Washington Post*, 3 Nov 2016

The government has to get involved in the "Internet of Things."

https://www.washingtonpost.com/posteverything/wp/2016/11/03/your-wifi-connected-thermostat-can-take-down-the-whole-internet-we-need-new-regulations/?utm_term=.284c3ae330c1&tid=sm_tw

Bruce Schneier is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World."

Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the Internet of Things—and increased regulation of what are now critical and life-threatening technologies. It's no longer a question of if, it's a question of when.

First, the facts. Those websites went down because their domain name provider—a company named Dyn—was forced offline. We don't know who perpetrated that attack, but it could have easily been a lone hacker. Whoever it was launched a distributed denial-of-service attack against Dyn by exploiting a vulnerability in large numbers—possibly millions—of Internet-of-Things devices like webcams and digital video recorders, then recruiting them all into a single botnet. The botnet bombarded Dyn with traffic, so much that it went down. And when it went down, so did dozens of websites.

Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you've never heard of to consumers who don't care about your security.

The technical reason these devices are insecure is complicated, but there is a market failure at work.
The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. These devices will affect every aspect of our lives, because they're things like cars, home appliances, thermostats, lightbulbs, fitness trackers, medical devices, smart streetlights and sidewalk squares. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require. These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades.

An additional market failure illustrated by the Dyn attack is that neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don't care. They wanted a webcam -- or thermostat, or refrigerator—with nice features at a good price. Even after they were recruited into this botnet, they still work fine—you can't even tell they were used in the attack. The sellers of those devices don't care: They've already moved on to selling newer and better models. There is no market solution because the insecurity primarily affects other people. It's a form of invisible pollution.

And, like pollution, the only solution is to regulate. The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing companies like Dyn to sue them if their devices are used in DDoS attacks. The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure.
It's true that this is a domestic solution to an international problem and that there's no U.S. regulation that will affect, say, an Asian-made product sold in South America, even though that product could still be used to take down U.S. websites. But the main costs in making software come from development. If the United States and perhaps a few other major markets implement strong Internet-security regulations on IoT devices, manufacturers will be forced to upgrade their security if they want to sell to those markets. And any improvements they make in their software will be available in their products wherever they are sold, simply because it makes no sense to maintain two different versions of the software. This is truly an area where the actions of a few countries can drive worldwide change.

Regardless of what you think about regulation vs. market solutions, I believe there is no choice. Governments will get involved in the IoT, because the risks are too great and the stakes are too high. Computers are now able to affect our world in a direct and physical manner. Security researchers have demonstrated the ability to remotely take control of Internet-enabled cars. They've demonstrated ransomware against home thermostats and exposed vulnerabilities in implanted medical devices. They've hacked voting machines and power plants. In one recent paper, researchers showed how a vulnerability in smart lightbulbs could be used to start a chain reaction, resulting in them all being controlled by the attackers—that's every one in a city. Security flaws in these things could mean people dying and property being destroyed.

Nothing motivates the U.S. government like fear. Remember 2001? A small-government Republican president created the Department of Homeland Security in the wake of the Sept. 11 terrorist attacks: a rushed and ill-thought-out decision that we've been trying to fix for more than a decade.
A fatal IoT disaster will similarly spur our government into action, and it's unlikely to be well-considered and thoughtful action. Our choice isn't between government involvement and no government involvement. Our choice is between smarter government involvement and stupider government involvement. We have to start thinking about this now. Regulations are necessary, important and complex—and they're coming. We can't afford to ignore these issues until it's too late.

In general, the software market demands that products be fast and cheap and that security be a secondary consideration. That was okay when software didn't matter—it was okay that your spreadsheet crashed once in a while. But a software bug that literally crashes your car is another thing altogether. The security vulnerabilities in the Internet of Things are deep and pervasive, and they won't get fixed if the market is left to sort it out for itself. We need to proactively discuss good regulatory solutions; otherwise, a disaster will impose bad ones on us.
You may own your car, but you don't own the software that makes it work -- that still belongs to your car's manufacturer. You're allowed to use the software, but in the past, trying to alter it in any way (including fixing it by yourself when it breaks or patching security holes) was a form of copyright infringement. iFixit, Repair.org, the Electronic Frontier Foundation (EFF), and many others think this is ridiculous, <http://ifixit.org/blog/8510/car-repair-illegal-dmca/> and they've been lobbying the government to try to change things. A year ago, the U.S. Copyright Office agreed that people should be able to modify the software that runs cars that they own, and as of last Friday [Oct 28], that ruling came into effect. It's good for only two years, though, so get hacking. <https://www.gpo.gov/fdsys/pkg/FR-2015-10-28/pdf/2015-27212.pdf#page=10>

The legal and technical distinction between physical ownership and digital ownership is perhaps most familiar in the context of DVD movies. You can go to the store and buy a DVD, and when you do, you own that DVD. You don't, however, own the movie that comes on it: Instead, it's more like you own limited rights to watch the movie, which is a very different thing. If the DVD is protected by Digital Rights Management (DRM) software, the Digital Millennium Copyright Act (DMCA) says that you are not allowed to circumvent that software, even if you're just trying to watch the movie on a different device, change the region restriction so that you can watch it in a different country, or do any number of other things that it really seems like you should be able to do with a piece of media that you paid 20 bucks for.

Cars work in a similar way. You own the car as a physical object, but you only have limited rights to the software that controls it, because the car's manufacturer holds the copyright on that software.
This prevents you from making changes to the software, even if those changes are to fix problems or counter obsolescence, as well as preventing you from investigating the security of the software, which can have very serious and direct consequences for you as the owner and driver. <http://spectrum.ieee.org/cars-that-think/transportation/self-driving/hackers-take-control-of-a-moving-jeep>

It's also worth pointing out that (especially in older vehicles like the 1995 Volvo 940 Turbo belonging to a certain anonymous journalist) relatively simple computerized parts can cost a ridiculous amount of money to replace because there is no legal alternative besides buying a new one from the manufacturer, who hasn't made them in 20 years and would much rather you just bought an entirely new car anyway. [...]

This comes with a few caveats. You still can't mess with the vehicle entertainment system, since you could hypothetically use it to commit copyright infringement. You can't screw around with any kind of telematics that you might find, either. And you're definitely not allowed to make modifications that break other laws, including emissions laws. <http://spectrum.ieee.org/cars-that-think/transportation/advanced-cars/vws-slow-agony-illustrates-carmakers-problem-with-software>

http://spectrum.ieee.org/cars-that-think/transportation/systems/its-now-temporarily-legal-to-hack-your-own-car

[Spectrum article also noted by Steven Cheung. See also *WiReD*: https://www.wired.com/2016/10/hacking-car-pacemaker-toaster-just-became-legal/ PGN]
[This item contains some uninformed "journalism". See Al Mac's comments below before you respond. PGN]

Detroit has a new airport 'security' thing called "CLEAR", wherein they [try to] take all 10 fingerprints, an iris scan, a high res photo of the face... That is an incredible amount of information. They also charge $179 a year for this alleged high speed path thru airport security.

CLEAR is now in operation at the Detroit Metro Airport's McNamara Terminal. Certified as a "qualified anti-terrorism technology" by the U.S. Department of Homeland Security (DHS), CLEAR has been used more than five million times to move travelers quickly through airport security lines at 16 other airports.

"They validate their identity using a knowledge-based quiz, they use a government identification that's validated using technology, and then we link it to their biometrics—we take 10 fingerprints with a digital reader, we take a scan of their iris, and we take a high-res photo of their face," said CLEAR spokesperson David Cohen.

Cohen said the initial sign-up process takes about five minutes and after that, getting through security lines should be a breeze. He said there are special lines for CLEAR customers that can be a great time-saver for travelers, who will still have to pass through X-Rays and body scans.

"Our customers go through the TSA security process in minutes. They come to a CLEAR lane, that lane is going to be open and available for them to validate their identity on the spot, a process in itself that takes less than a second," he said.

Membership to use CLEAR costs $179 per year. New members who enroll at the airport receive a one-month free trial and can use CLEAR immediately.

http://detroit.cbslocal.com/2016/10/27/new-system-at-detroit-metro-airport-allows-travelers-to-move-through-airport-security-in-a-flash/

What can go wrong?
Well, TSA previously has had schemes to expedite people through airport security, which have allegedly not worked out so well, at all airports. There are now several such systems in operation, where a frequent traveler needs to evaluate what's involved in each, to decide which combination to get.

Comments, on the above link, include:

* CLEAR is "new" only to Detroit. Other Airports have been using it for years.
* TSA has many cheaper alternatives, which allegedly perform the same service, and are much less intrusive.
* This is another security measure which would not have stopped 9/11.

https://www.clearme.com/where-is-clear/
http://thepointsguy.com/2015/03/clear-expedited-airport-security-program-is-it-worthwhile/

As explained by the above link, there are several different versions of CLEAR.

I am a senior (age 72). When I have to have my fingerprints taken, the process takes at least an hour, because fingerprints fade on older people. We wait in line to have this done. Younger people zip through, 5 minutes or less. Then one of us older people arrives, and the people behind us have to wait an extra hour, per senior, because the digital scan has to be redone scores of times, before they are able to get the desired info.

[I first heard about Detroit CLEAR from V.]
Fahmida Y. Rashid, InfoWorld, 3 Nov 2016

A researcher found a cross-site scripting flaw in Wix templates that a worm could have used to infect all Wix-hosted sites, but couldn't find a way to report the vulnerability

http://www.infoworld.com/article/3137956/security/xss-flaw-on-wix-leaves-the-door-open-to-worms.html

[selected text:]

"Austin claimed he repeatedly tried to contact Wix to get the vulnerability fixed, but despite creating a support ticket and directly emailing firstname.lastname@example.org, never received a response. When he emailed email@example.com with details of the flaw, he received an automated reply stating that firstname.lastname@example.org "may not exist, or you may not have permission to post messages to the group." Austin decided to publicly disclose the flaw because it could be exploited by a worm.

"The debate between private and public disclosure is never-ending, and it usually boils down to the organization's responsiveness. It appears Wix quietly closed the vulnerability after Austin's public disclosure since the proof of concept no longer works, which indicates Wix could have responded and fixed the issue swiftly and avoided Austin going public in the first place."

I have had the issue of not being able to report a problem in other areas. Google Maps was one. It was confusing NE (Northeast) and SE (Southeast) streets in Salmon Arm, British Columbia, Canada. I could not find a way to report the problem. Then, there are full voice mailboxes and the like.
Alex Tapscott at TEDxSanFrancisco (via Dave Farber)

TED recently asked Alex Tapscott to deliver the first TED talk about how blockchain is transforming the global financial system. Alex is co-author (with father Don) of the Globe and Mail #1 bestselling book Blockchain Revolution: How the Technology Behind Bitcoin is Changing Money, Business, and the World. In the talk, which was given live to a full house in TEDx in San Francisco, Alex argues that blockchain gives us another kick at the can to reinvent financial services for a new era of trust and legitimacy. Titled Blockchain is Eating Wall Street, Alex calls on the industry's leaders to step up and join the blockchain revolution.
http://ktla.com/2016/11/01/new-york-woman-denied-43-million-jackpot-by-casino-is-offered-steak-dinner-2-25-instead/

Jackpot that the casino says is a malfunction: $42,949,672

Magic number stuck in my head: 0xffffffff == 4294967295

I'm going to go out on a limb and say it probably is a malfunction.
There has been much discussion of self-driving car software ethics vs. human real-life ethics, with questions whether there have been any real life events that resemble the trolley choices.

Near where I reside, a car was going too fast for local conditions, came around a curve and found 35 students crossing the road, in the path of the car, so the driver deliberately crashed into the school bus, to avoid hitting the kids.

http://www.14news.com/story/33628281/evansville-school-bus-unloading-students-hit-by-car
This art project shows just how easy it is to build your own Stingray. (Hat tip to November 2nd hackaday.com) https://julianoliver.com/output/stealth-cell-tower Stealth Cell Tower is an antagonistic GSM base station in the form of an innocuous office printer. It brings the covert design practice of disguising cellular infrastructure as other things - like trees and lamp-posts - indoors, while mimicking technology used by police and intelligence agencies to surveil mobile phone users. And to think, previously I only worried about Internet-connectedness of printers...
Two among the most popular topics in RISKS are squirrels and voting, and now we have both here: Following a squirrel incident, polling station had to resort to paper. http://www.cnn.com/2016/11/03/politics/squirrel-voting-outage/index.html [A squirrel is "a kind of arboreal rodent having a long bushy tail". It might be coincidental that we had "bushy" candidates. PGN]
The United States can't simply go to a paper ballot, counted by hand. The problem is actually counting ballots when you may have many offices and even ballot initiatives on a single ballot.

In Canada, the same simple plain paper ballots as in Germany are used in provincial and federal elections when you are voting for only one office. They are counted by hand. It works fine. I've counted them.

For local elections, I once counted by hand a ballot with more than 5 offices on one ballot. They were a nightmare to count by hand. That's why for local elections where I live, a large plain paper ballot is used, but the ballot is counted using an OCR scanner. That's how some ballots are counted in the US. Almost everyone marks the ballot by hand; however, there are machines for those with disabilities who want to mark their ballots themselves. The machine takes the voter input in many different ways and outputs the same paper ballot everyone else uses, marked so it can be counted by the OCR scanner.
> "I suspect cyber security is poorer on similar machines in convenience
> stores & gas pumps, than bank ATMs. Who maintains those machines & do
> they need any relevant qualifications to be hired?"

I was handed the keys to one based on nothing but being "the computer guy," so I'd say no, no qualifications whatsoever. Mind you, I wasn't expected to do any configuration—mostly I was expected to extract $20 bills that had gotten wadded up in the feed mechanism—but I did have physical access to everything except the interior of the safe.
> As for accuracy, I have occasionally got an extra bill, like I asked for
> three (3 @ $20), but actually got 4.

Interesting. Have you, or any of the other people, ever asked for 4 and got 3 instead?

Being a professional paranoiac, I generally count my bills when I go to the ATM. I say "generally," because, having never found an error in at least 30 years, my paranoia is weakening. I also say "when I go to the ATM" because we are using less and less cash as time goes by. Banks are making their money off us in other ways than exchanging cash.

So I suspect that a) Canadian banks may use more robust machines than American banks (per our very weak anecdotal study, here) and b) all banks are less concerned about giving away extra cash out of ATMs given the small volume of cash business they conduct. Cost/benefit, and all that.
I wonder how many of those people don't even know it happened. It never happened to me—as far as I know. I always take my daily limit, some 15 bills, but a vague sense of threat stops me from standing there counting my money in public (with a nod to Kenny Rogers), even inside a branch of my bank. I suppose I could have been shortchanged, too. The people supplying the ATMs probably know all too well how much is lost, if not to whom. Anyone got stats?
> The AEC does not automatically enroll voters but the states do. At least
> VIC and NSW that I know of.

Thanks for that — I didn't know that. At this stage the offspring are all politically engaged and can't wait to vote, so they won't be too fussed by the automatic enrollment.

Checked with a mate of mine who works for the VEC, and he confirmed that the staff member at the ballot box is within their rights to not allow a vote to be submitted if that staff member concludes that no effort has been made to complete the ballot. He was quite vague on exactly what happened after that (does the voter have to get a fresh ballot? Do they get unmarked as having voted, etc.) although to be fair he's an IT dude at the VEC and not front of house.

So, a person wishing to avoid a fine would still have to go to the booth, get their name marked off, fiddle around in a cubicle and then drop the ballot box in the receptacle.
I have seen several other people try to gain insight into the character of the Mirai perpetrator based on the choice of handle—but none have gone much farther than this, and perhaps miss the point entirely.

Anna-senpai is a character in manga and anime series "Shimoneta to Iu Gainen ga Sonzai Shinai Taikutsu na Sekai", usually abbreviated as "Shimoneta". The usual English translation of this title is "A Boring World Where the Concept of 'Dirty Jokes' Does Not Exist".

I could attempt to describe what sort of person the character of Anna is in this franchise, but this 48-second YouTube clip does a much better job than my poor powers of description: <https://www.youtube.com/watch?v=cz4U2TvXkqw>

Sometimes, in the world of computer security, or anywhere else, instead of speculating about something we're not familiar with, it's helpful to ask a person with expertise in that field. Or maybe ask Google.

[Derek, Thanks for your "expertise", senpai! RISKS has always relied on knowledgeable readers to help. That's why I have continued to run it for thirty years. I have never pretended to be an oracle. PGN]