Always-Listening IoT Devices Raise Security Policy Questions For the Workplace (securityweek.com)
wiredmikey writes: Rafal Los raises an interesting point about new Internet of Things (IoT) devices that may be coming into the office after Christmas, and the possible security risks associated. He uses an example of the Amazon Echo which is "always listening" and raises the question of how welcome it would be in an office where confidential and highly sensitive conversations are frequent. "How many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn't be trusting? Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now. You probably have a BYOD policy, but do you have an IoT policy? BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"
You don't allow it.......
You're messin' with my Zen Thing, man.....
And not asking if they should
Work in the workplace. Leave your toys at home. Go home to your toys. Get a life. Have a work/life balance.
Internet Tough Guy Status: Confirmed.
I don't get all of this, and frankly it's a little creepy.
From Barbies which upload everything your child says to a server, to XBox units which send everything in your living room to Microsoft, to whatever the hell an Amazon Echo is ... why the hell are people willing to accept something around them which is always listening, and always uploading everything you say to the internet?
You want one of these things in your home, go right ahead, that is your choice. But bringing shit like this into an office where it affects other people? That should be against a lot of corporate policies -- and in a lot of workplaces probably violates some legal requirements.
I trust neither the competence, security practices, nor behavior of these companies. They don't give a crap about you or your security, they care about monetization and analytics ... which means I assume anything written by Amazon like this is at least some fraction intended to line the pockets of a corporation.
You bring stuff like this into a workspace, and you should expect someone is going to be pretty pissed off that they're included in this without their consent.
Keep your shiny baubles which violate your own privacy the hell home -- the workplace is NOT a place where everyone is willing to consent to the terms of service of Amazon just because some ass got a shiny toy for Christmas.
Lost at C:>. Found at C.
For the camera: http://www.jerrysartarama.com/... Sticks to gorilla glass like an octopus.
Dear Microlimp: I give you 2 valid product keys for win7 and you reject both of them. Piss off you wankers!!!
It's very simple, don't buy such devices and don't allow them near you. It's been trumpeted for years and idiots don't care. The real question is, when will security get the authority to override what some dumbass manager demands?
Anons need not reply. Questions end with a question mark.
Unless something changed in 2016, a thing like a Smartwatch or the Echo is still a "device" thus should be covered under the BYOD policy. The D means "Device".
BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"
Existing policies should prohibit attaching new devices to the network or computer without permission from the IT department, which is the only policy you need. Anyone who installs these always-listening devices where sensitive information is communicated deserves exactly what they get.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If someone is waving a talking gadget around in the workplace then maybe you can do something about getting it removed. What about their smart nose stud or some other thing that does not look like a threat? The only way would be airport-style security on your office door and I suspect nobody wants the expense or inconvenience.
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
I keep hearing this concept repeated like a tocsin by "internet experts" (that I've never heard of) but seriously, who is going to buy this crap? Who really wants their coffeemaker or refrigerator attached to the internet at all, much less be willing to pay one cent more to add what amounts to zero functionality but additional points of failure and additional ability for corporate America to grab some other details about our personal lives?
Is there any actual, normal person out there even faintly interested in this crap?
-Styopa
Back in 1999 the NSA banned Furbies as they felt they might pick up on National Secrets and repeat them.
http://io9.gizmodo.com/the-nsa-once-banned-furbies-as-a-threat-to-national-sec-1526908210
Any work wifi network should be secured with WPA2ENT using id/pw or certificates for access to the wifi LAN. I seriously doubt these devices will have support for anything more than PSK or the auto-configure 'thing' that consumer routers are coming with now.
Seriously.... what kind of IT would let that happen?
I don't talk to people
-- Thou hast strayed far from the path of the Avatar.
We have a byod wifi network for any non-approved wireless devices.
The network is completely separate from the LAN and normal WIFI network and is subject to some bandwidth throttling.
A user can plug in a device to the network, but I do monitor the DHCP logs. This hasn't been a real problem since we gave the users a sandbox to play in though.
My eyes reflect the stars and a smile lights up my face.
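For the "I do monitor the DHCP logs" approach above, here is an added example (not code from the original post or from any product) that parses ISC dhcpd-style DHCPACK lines from a BYOD segment and reports every MAC that is not in the IT-registered inventory, with the hostnames and addresses it was seen using. The log lines, the interface name and the inventory are all constructed for the example.

```python
import re

# Constructed sample dhcpd syslog lines for a throttled BYOD wifi segment (not real logs).
SAMPLE_LOG = """\
Dec 28 09:01:12 byod-gw dhcpd[812]: DHCPDISCOVER from 02:11:22:33:44:55 via wlan0
Dec 28 09:01:12 byod-gw dhcpd[812]: DHCPOFFER on 10.77.0.21 to 02:11:22:33:44:55 (alice-laptop) via wlan0
Dec 28 09:01:13 byod-gw dhcpd[812]: DHCPACK on 10.77.0.21 to 02:11:22:33:44:55 (alice-laptop) via wlan0
Dec 28 09:03:40 byod-gw dhcpd[812]: DHCPACK on 10.77.0.34 to 02:aa:bb:cc:dd:ee (echo-kitchen) via wlan0
Dec 28 09:05:02 byod-gw dhcpd[812]: DHCPACK on 10.77.0.35 to 02:de:ad:be:ef:01 via wlan0
Dec 28 11:15:44 byod-gw dhcpd[812]: DHCPACK on 10.77.0.34 to 02:aa:bb:cc:dd:ee (echo-kitchen) via wlan0
"""

# Constructed inventory of devices users registered with IT (MAC -> owner).
REGISTERED = {"02:11:22:33:44:55": "alice"}

# Only DHCPACK means a lease was actually handed out; the hostname is optional in dhcpd's format.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

def parse_acks(log_text):
    """Yield one dict per DHCPACK line: ip, mac, host (None if absent), iface."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.groupdict()

def unregistered_devices(log_text, registered):
    """Return {mac: {"ips": set, "hostnames": set, "acks": n}} for MACs not in the inventory."""
    seen = {}
    for ack in parse_acks(log_text):
        if ack["mac"] in registered:
            continue
        entry = seen.setdefault(ack["mac"], {"ips": set(), "hostnames": set(), "acks": 0})
        entry["ips"].add(ack["ip"])
        if ack["host"]:
            entry["hostnames"].add(ack["host"])
        entry["acks"] += 1
    return seen

def report(log_text, registered):
    """One human-readable line per unregistered device, sorted by MAC."""
    lines = []
    for mac, info in sorted(unregistered_devices(log_text, registered).items()):
        names = ",".join(sorted(info["hostnames"])) or "<no hostname>"
        lines.append(f"unregistered {mac} {names} ips={sorted(info['ips'])} acks={info['acks']}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, REGISTERED)))
```

A device that never sends a hostname, or that cycles addresses, still shows up here because the key is the MAC, not the name it claims.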
And not asking if they should
Sadly, this quote basically sums up a lot of current-generation Silicon Valley thinking.
Hire a Linux system administrator, systems engineer,
Anywhere that cares about security will have a bunch of cubbyholes or lockers at the front door, and you'll be checking your personal electronics when you walk in.
From 2005 to 2010, I worked for a fed government contractor in a fed government facility, and that is precisely what we had. Certain areas of the building were secure areas and ALL personal electronics were placed in those lockers when entering the secure area. In other areas you *could* carry your personal cellphone, so long as it didn't have a camera, otherwise you had to leave it in your car. Before I left in 2010, it got so *secure* that you had to declare to the armed guards at the front gate, as you drove in, what you had in your car. I often carried my personal laptop in the trunk of my car, to use before and after work, and I had to get special dispensation from security to allow that.
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
Plenty of places don't allow smartwatches, cellphones, or anything with radio. This will become more common as everything magically needs an internet connection to give even basic functionality.
Why is "record audio, broadcast to mothership" a basic design tenet of all the new voice things? This has a very real cost in privacy, security, bandwidth, and reliability.
Most things can trivially turn off their voice addon. But once that gets better, will some Design Jackass come in and say "voice is just superior, fuck the rest"? We'll have to listen to that asshole in eight years if we don't provide the needed pushback now.
I'm glad y'all are discussing this, but it's obvious too many don't actually understand the problem. Google's latest Android OS update as well as the new iOS both have "always listening" functionality. They listen for their trigger word, but they're always listening. What's worse is that some of these things have their own Internet connectivity (cellular data) and don't need your permission. Putting them on a "separate guest network" accomplishes next to nothing since it's not only their network presence but their physical presence as well you need to worry about. Point being: dismissing this with an "It's stupid. I don't allow it. People are dumb." reply demonstrates exactly why security folks are marginalized. It's unfortunate, because this is both a technology and a psychology/sociology issue. Failure to understand that means you continue to be irrelevant in the "real world" where people can't wait to buy a fridge that keeps track of when their milk will spoil and sends them text-message alerts while simultaneously re-ordering new milk. Thanks for reading.
I did a PC refresh job at a Fortune 500 company where the engineers were allowed to hang on to their old workstation for a week before turning them in for decommissioning and recycling. Most found clever excuses to keep them indefinitely, as having more processing power was a status symbol. Not all the cubicles had multiple network ports that were open. So the engineers brought in old network switches from home. That's when the real fun started. They didn't realize that their network switch also had a DHCP server with private network addresses that cut every workstation on the segment off from the corporate network and the Internet. A network technician spent a day tracking them all down.
If anything, that would make things easier. You could just block them. No, IoT will bring their own network. We've talked a lot about internet-enabled TVs spying on their users, and the reflex is always the same: Don't give your TV internet access and you're good. No, you are not good. The TV will soon come with its own network built in, where you can't just unplug it or pull the Wifi stick or refuse to give it the WPA key. If you don't give it access to your Wifi, then it will talk to the neighbors' TVs and to their neighbors' TVs until it finds one that has an uplink. Or maybe M2M mobile cards will get cheap enough to just put one into every TV. A computer with Wifi costs less than $5. Mesh networks have been built with less capable hardware. The time of "airgapping" computers is coming to an end. The "Internet of things" is not the Internet. It's the "Evernet", where a disconnected state is a malfunction. And these devices listen to confidential information. Do you see the problem now?
Not.
Don't try to bring any of this junk into a SCIF.
I always thought there would be a mine of information based on a company's searches too. Engineer is reading a spec and googles an acronym, finance google a company they are planning to merge with, HR google potential candidates, R&D google research terms, etc. Not too much of an issue if you have no other interaction with google, but if your company competes with google or otherwise has a business relationship with them, then it may be a good idea not to google anything!
No. You've probably already ignored the IoT-in-the-workplace case. Just *try* telling your boss to leave his phone at home.
I think we've pushed this "anyone can grow up to be president" thing too far.
Our workplace is simple. Wired (fast, secure) network is for work. Wireless network (throttled, less secure) is for everything else. It's pretty simple and it works.
I don't respond to AC's.
Well, there are some places where things like that happen. I had a coworker lose his phone (at the time it was a new iPhone 4s) to an electronics shredder at a customer site where he had been told not to bring it into specific places. He didn't listen, and when he pulled it out the armed guard came and took it from him and fed it to the shredder. So it does happen; the sad part was that he wanted the company to reimburse him for it even though he had been told several times by several people not to bring it.
Time to offend someone
Yes. It's DONT.
If you do bring it, don't plug it into the network.
If it doesn't have an ethernet socket and needs a wifi connection, you need to contact IT with its MAC address and your written authorisation from your line manager instructing IT to provide you with connectivity. IT will probably tell you or your manager to fuck off.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"