Always-Listening IoT Devices Raise Security Policy Questions For the Workplace (securityweek.com)
wiredmikey writes: Rafal Los raises an interesting point about new Internet of Things (IoT) devices that may be coming into the office after Christmas, and the possible security risks associated. He uses an example of the Amazon Echo which is "always listening" and raises the question of how welcome it would be in an office where confidential and highly sensitive conversations are frequent. "How many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn't be trusting? Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now. You probably have a BYOD policy, but do you have an IoT policy? BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"
You don't allow it.......
You're messin' with my Zen Thing, man.....
And not asking if they should
Work in the workplace. Leave your toys at home. Go home to your toys. Get a life. Have a work/life balance.
Don't worry, brah. We all already know you have a micropeen.
Internet Tough Guy Status: Confirmed.
I don't get all of this, and frankly it's a little creepy.
From Barbies which upload everything your child says to a server, to XBox units which send everything in your living to Microsoft, to whatever the hell an Amazon Echo is ... why the hell are people willing to accept something around them which is always listening, and always uploading everything you say to the internet?
You want one of these things in your home, go right ahead, that is your choice. But bringing shit like this into an office where it affects other people? That should be against a lot of corporate policies -- and in a lot of workplaces probably violates some legal requirements.
I trust neither the competence, security practices, nor behavior of these companies. They don't give a crap about you or your security, they care about monetization and analytics ... which means I assume anything written by Amazon like this is at least some fraction intended to line the pockets of a corporation.
You bring stuff like this into a workspace, and you should expect someone is going to be pretty pissed off that they're included in this without their consent.
Keep your shiny baubles which violate your own privacy the hell home -- the workplace is NOT a place where everyone is willing to consent to the terms of service of Amazon just because some ass got a shiny toy for Christmas.
Lost at C:>. Found at C.
Phones already include 100% of the issue. If the year is 2002 then you have probably already handled the IoT-in-the-workplace case.
For the camera: http://www.jerrysartarama.com/... Sticks to gorilla glass like an octopus.
Dear Microlimp: I give you 2 valid product keys for win7 and you reject both of them. Piss off you wankers!!!
It's very simple: don't buy such devices and don't allow them near you. It's been trumpeted for years and idiots don't care. The real question is, when will security get the authority to override what some dumbass manager demands?
Anons need not reply. Questions end with a question mark.
Unless something changed in 2016, a thing like a Smartwatch or the Echo is still a "device" thus should be covered under the BYOD policy. The D means "Device".
BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"
Existing policies should prohibit attaching new devices to the network or computer without permission from the IT department, which is the only policy you need. Anyone who installs these always-listening devices where sensitive information is communicated deserves exactly what they get.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If someone is waving a talking gadget around in the workplace then maybe you can do something about getting it removed. What about their smart nose stud or some other thing that does not look like a threat? The only way would be airport-style security on your office door and I suspect nobody wants the expense or inconvenience.
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
for each other & on our felonious crown royal overlords with almost everyone on at once, & free range access to all the millions of streams etc, & cctv & satellites (which we paid for it all many times over already) we can become aware if even one of us is being treated poorly almost anywhere? what a gig?
Slashdot only allows anonymous users to post 10 times per day (more or less, depending on moderation). A user from your IP has already shared his or her thoughts with us that many times. Take a breather, and come back and see us in 24 hours or so. If you think this is unfair, please email posting@slashdot.org with your particulars...
I keep hearing this concept repeated like a tocsin by "internet experts" (that I've never heard of) but seriously, who is going to buy this crap? Who really wants their coffeemaker or refrigerator attached to the internet at all, much less be willing to pay one cent more to add what amounts to zero functionality but additional points of failure and additional ability for corporate America to grab some other details about our personal lives?
Is there any actual, normal person out there even faintly interested in this crap?
-Styopa
Back in 1999 the NSA banned Furbies as they felt they might pick up on National Secrets and repeat them.
http://io9.gizmodo.com/the-nsa-once-banned-furbies-as-a-threat-to-national-sec-1526908210
WTF, white tape?!? I have a Rose Gold iPhone 6s you insensitive clod!
Any work wifi network should be secured with WPA2ENT using id/pw or certificates for access to the wifi LAN. I seriously doubt these devices will have support for anything more than PSK or the auto-configure 'thing' that consumer routers are coming with now.
Seriously.... what kind of IT would let that happen?
It has been a long time since I've seen an appropriately used quote from Jurassic Park!
It's gone too far, and all in the name of the mighty dollar. Technology and progress are great, but there are useful applications for it in our lives, and useless ones. There is no reason for a device to be listening all the time unless it is hoping to collect something from it.
I don't talk to people
-- Thou hast strayed far from the path of the Avatar.
Good point and maybe it should be BYOT ... but I just don't think switching to a BYOT (Bring Your Own Thing) policy is going to work though. :p
Smart watches, etc
Anywhere that cares about security will have a bunch of cubbyholes or lockers at the front door, and you'll be checking your personal electronics when you walk in.
Amazon Echo and the like are *consumer* devices, aka "toys for your home", and have no place in business environments, unless someone has actually done the analysis for security. (and assuming that the vendor has actually provided sufficient information and configuration control).
yes, a pain, and "that's why we can't have nice things"
We have a BYOD wifi network for any non-approved wireless devices.
The network is completely separate from the LAN and normal wifi network and is subject to some bandwidth throttling.
A user can plug in a device to the network, but I do monitor the DHCP logs. This hasn't been a real problem since we gave the users a sandbox to play in though.
My eyes reflect the stars and a smile lights up my face.
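One way to do the DHCP-log monitoring the comment above describes, as an added example (not the poster's own script): parse ISC dhcpd-style DHCPACK lines, map each interface to the corporate or BYOD segment, and flag unapproved devices that landed on the corporate segment as well as new arrivals on the sandbox. The interface names, the approved-device list and the log lines are constructed assumptions, not values from any real network.

```python
import re
from collections import defaultdict

# ISC dhcpd syslog line shape: "DHCPACK on <ip> to <mac> (<hostname>) via <iface>";
# the "(<hostname>)" part is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)

# Which server interface serves which segment (assumption for this example).
SEGMENTS = {"eth0": "corp", "eth1": "byod"}

# MACs IT has approved for the corporate segment (constructed sample values).
APPROVED_CORP = {"00:50:56:aa:01:01", "00:50:56:aa:01:02"}

def parse_acks(lines):
    """Yield (ip, mac, host, segment) for each DHCPACK line; ignore other lines."""
    for line in lines:
        m = ACK_RE.search(line)
        if not m:
            continue
        seg = SEGMENTS.get(m.group("iface"), "unknown")
        yield m.group("ip"), m.group("mac").lower(), m.group("host") or "", seg

def audit(lines, approved_corp=APPROVED_CORP, known_byod=frozenset()):
    """Return (devices per segment, findings worth a look)."""
    seen = defaultdict(dict)  # segment -> mac -> (ip, host)
    for ip, mac, host, seg in parse_acks(lines):
        seen[seg][mac] = (ip, host)
    findings = []
    # An unapproved device on the corporate segment bypassed the sandbox.
    for mac, (ip, host) in seen["corp"].items():
        if mac not in approved_corp:
            findings.append(("unapproved_on_corp", mac, ip, host))
    # New devices on the sandbox are expected; list them for review only.
    for mac, (ip, host) in seen["byod"].items():
        if mac not in known_byod:
            findings.append(("new_on_byod", mac, ip, host))
    return {s: dict(d) for s, d in seen.items()}, findings

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = [
    "Dec 28 08:01:10 dhcp dhcpd: DHCPACK on 10.10.0.21 to 00:50:56:aa:01:01 (eng-ws-21) via eth0",
    "Dec 28 08:03:42 dhcp dhcpd: DHCPDISCOVER from 74:c2:46:12:34:56 via eth1",
    "Dec 28 08:03:43 dhcp dhcpd: DHCPACK on 10.20.0.15 to 74:c2:46:12:34:56 (echo-123456) via eth1",
    "Dec 28 09:15:07 dhcp dhcpd: DHCPACK on 10.10.0.77 to 74:c2:46:ab:cd:ef via eth0",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG)[1]:
        print(finding)
```

Feeding `known_byod` with the MACs already reviewed keeps the sandbox report limited to devices that appeared since the last run.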
Good point and maybe it should be BYOT
The point is that all those 'things' are also 'devices', so there's no need to change the acronym or, in many cases, even the IT policies.
Where I work it's pretty simple: you don't get to connect anything to the network which hasn't been pre-approved by Corporate IT. There's a Guest Wireless network, which is apart from the regular company network, which can be used for your Smartphone or fitness watch, etc.
Anything which can or does record audio or video of any sort may only be used for Official work purposes. This means that technically no, you can't ask Siri anything unless you step outside the building.
This policy pretty much covers the entire "IoT".
No. Just no.
Anyone that is stupid enough to let an internet connected device transmit everything it hears in a non-public location is just asking to be screwed.
Once you do this, the feds no longer need a warrant to bug your home. They can just ask the company.
Once you do this, Anonymous or any other hacker can p@wn you like the fool you are. Expect to be blackmailed.
Once you do this, you basically are giving up all privacy, and let the Facebooks of the world sell things you own for massive amounts of money.
Remember when Furbies first came out? Everyone was super paranoid that they were actually hidden spying devices. IIRC they were banned from military installations, gov't offices, etc..
Fast forward 10 years later, and actual devices that we all know are always on listening, we know they collect our data - and we love it! Who doesn't like having better autocorrection on their phone keyboard? (even though it means everything you type is on someone else's server?)
And not asking if they should
Sadly, this quote basically sums up a lot of current-generation Silicon Valley thinking.
Hire a Linux system administrator, systems engineer,
Plenty of places don't allow smartwatches, cellphones, or anything with radio. This will become more common as everything magically needs an internet connection to give even basic functionality.
Why is "record audio, broadcast to mothership" a basic design tenet of all the new voice things? This has a very real cost in privacy, security, bandwidth, and reliability.
Most things can trivially turn off their voice addon. But once that gets better, will some Design Jackass come in and say "voice is just superior, fuck the rest"? We'll have to listen to that asshole in eight years if we don't provide the needed pushback now.
I'm glad y'all are discussing this, but it's obvious too many don't actually understand the problem. Google's latest Android OS update as well as the new iOS both have "always listening" functionality. They listen for their trigger word, but they're always listening. What's worse is that some of these things have their own Internet connectivity (cellular data) and don't need your permission. Putting them on a "separate guest network" accomplishes next to nothing since it's not only their network presence but physical presence as well you need to worry about. Point being - dismissing as "It's stupid. I don't allow it. People are dumb." reply demonstrates exactly why security folks are marginalized. It's unfortunate, because this is both a technology and psychology/sociology issue. Failure to understand that means you continue to be irrelevant in the "real world" where people can't wait to buy a fridge that keeps track of when their milk will spoil and sends them text-message alerts while simultaneously re-ordering new milk. Thanks for reading.
I did a PC refresh job at a Fortune 500 company where the engineers were allowed to hang on to their old workstation for a week before turning them in for decommissioning and recycling. Most found clever excuses to keep them indefinitely, as having more processing power was a status symbol. Not all the cubicles had multiple network ports that were open. So the engineers brought in old network switches from home. That's when the real fun started. They didn't realize that their network switch also had a DHCP server with private network addresses that cut every workstation on the segment off from the corporate network and the Internet. A network technician spent a day tracking them all down.
If anything, that would make things easier. You could just block them. No, IoT will bring their own network. We've talked a lot about internet-enabled TVs spying on their users, and the reflex is always the same: Don't give your TV internet access and you're good. No, you are not good. The TV will soon come with its own network built in, where you can't just unplug it or pull the Wifi stick or refuse to give it the WPA key. If you don't give it access to your Wifi, then it will talk to the neighbors' TVs and to their neighbors' TVs until it finds one that has an uplink. Or maybe M2M mobile cards will get cheap enough to just put one into every TV. A computer with Wifi costs less than $5. Mesh networks have been built with less capable hardware. The time of "airgapping" computers is coming to an end. The "Internet of things" is not the Internet. It's the "Evernet", where a disconnected state is a malfunction. And these devices listen to confidential information. Do you see the problem now?
Satire and snark is so under-appreciated on /. these days.
Not.
Don't try bring any of this junk in a SCIF.
I always thought there would be a mine of information based on a company's searches too. Engineer is reading a spec and googles an acronym, finance google a company they are planning to merge with, HR google potential candidates, R&D google research terms, etc. Not too much of an issue if you have no other interaction with google, but if your company competes with google or otherwise has a business relationship with them, then it may be a good idea not to google anything!
just allow people to plug in shit as they feel like it.
hmmm.
"allow"
that's cute.
quaint, even.
that fantasy of yours lasts until the fancy-ass cunt in a suit wants their fucking new toy to work, and doesn't give a flying fuck about anything except "shiny!".
a number of steps you can take to not let unauthorized devices on your company network.
it's not your network, you clueless wageslave.
it's their network.
the only step you can take to escape your orders to dance on command, is seppuku.
learn it. live it. love it.
Right, as water utilities are. But the service provider gives you rules (in order to provide a fair and maintainable service) and you choose to do what you want... well, be responsible to handle any issue that arises from your free will choice.
Doing otherwise is just plain an immature way of thinking.
Got that message first message of the day. Got to wonder how 24 hrs is calculated
Our workplace is simple. Wired (fast, secure) network is for work. Wireless network (throttled, less secure) is for everything else. It's pretty simple and it works.
I don't respond to AC's.
I just watched this classic "Outer Limits" episode again last night, about a machine called the "Outer Band Individuated Teletracer" (or OBIT) that spies on everyone. At one point, the man running the program to distribute the machines everywhere says, "People with nothing to hide have nothing to fear from O.B.I.T."
At the end of the episode, the Control Voice says, "Agents from the Justice Department are rounding up the machines now . . . In the final analysis, dear friends, whether O.B.I.T. lives up to its name will depend on you."
And this was from 1963.
Strict IT policies work every bit as well as abstinence-only sex ed.
Accessorize your tinfoil hats with crinkly mylar, and launch a blizzard of elven breakfast cereal noises upon the IoT.
Well there are some places where things like that happen. I had a coworker lose his phone (at the time it was a new iPhone 4s) to an electronics shredder at a customer site where he had been told not to bring it into specific places. He didn't listen and then when he pulled it out the armed guard came and took it from him and fed it to the shredder. So it does happen; the sad part was that he wanted the company to reimburse him for it even though he had been told several times by several people not to bring it.
Time to offend someone
Yes. It's DONT.
If you do bring it, don't plug it into the network.
If it doesn't have an ethernet socket and needs a wifi connection, you need to contact IT with its MAC address and your written authorisation from your line manager instructing IT to provide you with connectivity. The IT will probably tell you or your manager to fuck off.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"