Slashdot Mirror

← Back to Stories (view on slashdot.org)

IoT Security Is So Bad, There's a Search Engine For Sleeping Kids (arstechnica.com)

Posted by timothy on from the what-about-for-active-coffee-makers? dept.

An anonymous reader writes: Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams. The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores. While IoT manufacturers are to blame, this also highlights the creepy stuff you can do with Shodan these days. At the start of January, Check Point recommended companies to block Shodan's crawlers. The infosec community came to defend Shodan, and even its founder said that Shodan is uselessly branded as a tool of evil, saying that attackers have their own scanning tools.

127 comments

  1. Oh well by Anonymous Coward · · Score: 0, Funny

    These are some of the same terrified idiots who support things like the TSA and NSA spying. You know, to win the war against terror...

    1. Re:Oh well by Anonymous Coward · · Score: 0

      I feel disrespected... you mean the NSA can tap your Internet traffic but I can't watch your wife do sit-ups in the living room? #outrage

    2. Re: Oh well by Anonymous Coward · · Score: 0

      I'd pay $5/month to see unsuspecting wives doing sit-ups in their living room.

      We need a startup!

    3. Re: Oh well by CanadianMacFan · · Score: 1

      Yeah, but the wives that you would want to see doing sit-ups in their living room are usually the ones that you would see. It's usually the ones that you wouldn't want to see.

  2. FBI by Anonymous Coward · · Score: 0

    Now that the FBI's kiddie porn site got shutdown, that task-force needed a new project that exploits children.

  3. It's a search engine for webcams by Anonymous Coward · · Score: 0

    I'm not a member of the site, but I don't think it's specifically for certain types of images as far as I can tell.

    1. Re:It's a search engine for webcams by rudy_wayne · · Score: 4, Informative

      According to TFA, which of course no one has bothered to read:

      Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the script takes a snap and moves on. The cameras are vulnerable because they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place. The image feed is available to paid Shodan members at images.shodan.io. Free Shodan accounts can also search using the filter "port:554 has_screenshot:true."

    2. Re:It's a search engine for webcams by arth1 · · Score: 1

      Free Shodan accounts can also search using the filter "port:554 has_screenshot:true."

      That doesn't refute what the GP said - you still need to "be a member", even if an unpaid member.

      (I also believe there's a limit to the number of search results returned.)

    3. Re:It's a search engine for webcams by Anonymous Coward · · Score: 0

      I'm not a member of the site, but I don't think it's specifically for certain types of images as far as I can tell.

      Correct. shodan.io is a web site for security research into what is accessible over the Internet. I see it attempting to "crawl" my firewall many times a day on different port numbers. There is nothing outright illegal about "webcrawling" or "port scanning" in this case, but what it can find is creepy.

    4. Re: It's a search engine for webcams by Anonymous Coward · · Score: 0

      And where do you put the "sleeping baby" part in that search string?

      The title is misleading. It's like saying: there's a search engne for bad poetry written by Asian albinos. And the link points to google.com

  4. Only three comments so far? by Anonymous Coward · · Score: 0

    This must not be an article about ad-blockers.

    1. Re:Only three comments so far? by mikael · · Score: 1

      You could always point a webcam at a TV tuned to a telesales channel

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  5. Johnny can't encrypt by dfn5 · · Score: 3, Interesting

    Security is hard and companies have to make their video surveillance products easy enough for a socker mom to install. Frankly I'm not surprised. Nor do I have a solution. As someone who has to provide tech support to family and friends I realize how hard it is to "just make it work" for those who couldn't care less about the technical details.

    --
    -- Thou hast strayed far from the path of the Avatar.
    1. Re:Johnny can't encrypt by penguinoid · · Score: 1, Offtopic

      Security is hard and companies have to make their video surveillance products easy enough for a socker mom to install.

      Or for someone who can't spell the most popular sport in the world.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    2. Re:Johnny can't encrypt by __aaclcg7560 · · Score: 3, Interesting

      As someone who has to provide tech support to family and friends I realize how hard it is to "just make it work" for those who couldn't care less about the technical details.

      If you're not charging your relatives for tech support, you're doing it wrong. The fastest way to discourage relatives is to quote the hourly rate of your local mechanic ($100 in my area). If your relatives won't pay to have a mechanic fix the car, you can bet that they won't pay to have you fix the computer.

    3. Re:Johnny can't encrypt by 93+Escort+Wagon · · Score: 2, Funny

      He was actually referring to an abusive woman.

      --
      #DeleteChrome
    4. Re:Johnny can't encrypt by omglolbah · · Score: 4, Insightful

      Yet, for wireless routers encryption is enabled by default for most, and a sticker with the password is put on the physical device.
      Why not the same for a camera?
      Not a perfect solution, but a hell of a lot better than the current situation.

    5. Re:Johnny can't encrypt by Anonymous Coward · · Score: 0

      i demand any cash i have to pay for parts and that actually runs mine off.

    6. Re:Johnny can't encrypt by Anonymous Coward · · Score: -1, Flamebait

      Hey moron, brilliant people make spelling mistakes, grammar mistakes, and type-os all the time. Their brains have more important things to do than obsess over minutia that are of secondary importance. Pointing such a trivial mistake in no way negates the point, nor does it make you look impressive.

      It makes you look like a petty little snot that is trying to compensate for his own limitations by fixating on some valueless thing that makes an easy target.

      Grow up.

    7. Re:Johnny can't encrypt by invictusvoyd · · Score: 1

      Username : admin
      Password : admin

      Phew , now i'm safe.

    8. Re:Johnny can't encrypt by Anonymous Coward · · Score: 1

      Exactly, and if she gets too uppity you should soccer out.

    9. Re:Johnny can't encrypt by Dutch+Gun · · Score: 4, Insightful

      Generally speaking, implementing correct security is extremely difficult, but a company that puts security as a priority can design systems that are secure by default, and strike a reasonable balance between customer ease of use and effectiveness. It doesn't have to be impossible for a soccer mom to use a device securely.

      You can see the difference in two competing chat apps: Threema vs iChat. Threema is a "trust no-one" model, and requires you to actually meet face to face with a person to pre-exchange keys before you can chat with the maximum security protocol. iChat, on the other hand, "just works", relying on Apple to manage the key exchange. You're giving up a small amount of security for the convenience of a seamless experience, and trusting Apple to keep it the channel secure on your behalf.

      I think most people would be fine with trusting the company they bought their devices from to actively manage the security aspects so they don't have to think too much about it, but in many cases, it's not that the security is flawed... it's completely non-existent. Anyone complaining about Shodan is simply blaming the messenger. The blame lies squarely on the companies that are selling these products with zero security in mind.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    10. Re:Johnny can't encrypt by Bert64 · · Score: 2

      iMessage is aimed more as a replacement for SMS, which worked in the same way - you had to trust your telco and that of the recipient. For casual chat both systems are more than adequate.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    11. Re:Johnny can't encrypt by Anonymous Coward · · Score: 0

      Hey moron, brilliant people make spelling mistakes, grammar mistakes, and type-os all the time.

      Hey people, morons make spelling mistakes, grammar mistakes, and typos all the time. (and yet they still believe they are brilliant programmers) TFTFY

    12. Re:Johnny can't encrypt by Opportunist · · Score: 2

      Security can be implemented fully transparently to the user. This does of course take quite a bit of effort, and it can be costly since you need a few things on your system that take the workload off the user.

      Since both mean more cost for the device, this is not an option. Those gadgets are supposed to be cheap, security is not a selling point so to hell with it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:Johnny can't encrypt by Anonymous Coward · · Score: 0

      The solution is really simple. Someone other than the end user needs to be responsible for security and get paid for it. If a data breach occurs, the responsible party pays for the damages. How much are you willing to pay to ensure your baby cam doesn't end up on the internet?

    14. Re:Johnny can't encrypt by AmiMoJo · · Score: 4, Insightful

      Problem with charging your relatives for support is that they will then start charging you for the same. Need a lift to the airport? Help moving house? Look after your cat for the weekend? Childcare?

      Rather than becoming the black sheep of the family, just be more assertive at calling in those favours. Start the conversation with "how is your computer doing?" and end it with "so I need help moving this grand piano I bought..." You can even cash in while doing the tech support. When the call up, say you will come over, and then casually ask if they have any of that meatloaf they served the other day you could grab a slice or two of.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    15. Re:Johnny can't encrypt by Chris+Mattern · · Score: 1

      Do they also make type As, type Bs and type ABs?

      Also, minutiae. Minutia is the singular.

    16. Re:Johnny can't encrypt by AchilleTalon · · Score: 1

      Security is hard and companies have to make their video surveillance products easy enough for a socker mom to install.

      Didn't you mean sucking moms instead?

      --
      Achille Talon
      Hop!
    17. Re:Johnny can't encrypt by AchilleTalon · · Score: 1

      And it is not that expensive. Encryption is done on hardware and the chip in quantities sells for a buck or less.

      --
      Achille Talon
      Hop!
    18. Re:Johnny can't encrypt by gstoddart · · Score: 1

      I have a solution: until companies carry a legal penalty for being do damned incompetent at security, and they have to give a damn ... stop buying this shit.

      I know, it's a wacky idea, and people can't survive without something connected to their smart phone.

      But on behalf of those of us who have been saying this shit is defective by design for years, what the hell do you expect? This stuff is entirely predictable.

      I've simply ran out of the ability to feel any sympathy for this.

      --
      Lost at C:>. Found at C.
    19. Re:Johnny can't encrypt by Anonymous Coward · · Score: 0

      Even bluetooth headsets (with very limited range) has better security - you have to pair devices by pressing a button. That approach could work for a soccer mom too.

      Entering a password is not hard either - the default password could be the device's serial number which is printed on it. (With an option to change it for those 'home experts.'

      Somehow I don't think a soccer mom is impressed with "Install this device, enabling any perv on the net to watch your kids. And if he likes them, he can trace the IP address later". Which is exactly what you get with those unprotected webcams.

    20. Re: Johnny can't encrypt by Anonymous Coward · · Score: -1

      Hay more-on, brilyunt peeple mayk speling mustayks, gramer mustayks, un type-ohs awl thu tiem. Thur brayns hav mor impordunt thengs tu du thun ubses oh-ver munoosha thet ar uv sekendarry importuns. Poynteen owt suj uh trivvy-ul mistayk en noe whey nugayts thu poynd, nohr dos ut mayk yu luk empressuv.
      It makes you look like a petty little snot that is trying to compensate for his own limitations by fixating on some valueless thing that makes an easy target.
      Grow up.

    21. Re: Johnny can't encrypt by Anonymous Coward · · Score: 0

      Har har, I forgot about misspelling the mean part at the end. But you know what, it kind of works.

    22. Re:Johnny can't encrypt by Dutch+Gun · · Score: 1

      Don't get too hung up on the analogy. The point I was trying to make is that there's a security vs convenience tradeoff, but it's certainly not impossible to make reasonably secure products accessible to the masses. These IoT companies aren't even trying.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    23. Re:Johnny can't encrypt by Anonymous Coward · · Score: 0

      If you're not charging your relatives for tech support, you're doing it wrong.

      Are you really this much of an asshole in real life?

    24. Re:Johnny can't encrypt by __aaclcg7560 · · Score: 1

      Are you really this much of an asshole in real life?

      Yes. Next question.

    25. Re: Johnny can't encrypt by FuzzNugget · · Score: 1

      Baloney. Have a unique default password generated for each device, print it on a sticker and paste it to the device. They've been doing that with routers for years already.

    26. Re: Johnny can't encrypt by Anonymous Coward · · Score: 0

      Computer nerds are not "brilliant". Quite the opposite in fact. Aerospace engineers can be brilliant, but keyboard jockeys? Never. They're mediocre at best.

    27. Re:Johnny can't encrypt by Anonymous Coward · · Score: 0

      a petty little snot that is trying

      a petty little snot who is trying

    28. Re:Johnny can't encrypt by OffTheWallSoccer · · Score: 1

      I'm okay with most typos, but that one rubbed me the wrong way, for some reason.

  6. Let me get this straight... by Anonymous Coward · · Score: -1

    If I were to create a device that can be hacked by someone else, then my customers and I are to blame for the act of someone hacking it?
    If I were to create a service to freely see inside said devices, thus enabling people to eavesdrop (which is illegal in most states!), then I am not to blame?

    People who don't secure their systems and devices are to blame for someone breaking into them? Go fuck yourself, if that's how fucking much of a dick you are for believing that shit. And here's why:

    Anyone can take a hammer and break into someone's home. I don't see anyone blaming architects, glass blowers, window manufactuers, installers, washers, etc., or the owner of the property, for the fact that glass can be broken by a hammer. I don't see anyone blaming Craftsman for making said hammer. Nor do I see anyone blaming automobile manufactuers for the vehicle the burglar drove. Nor do I see anyone blaming the textile factories for making the ski mask he wore.

    But, we have no problem blaming software and hardware developers and their companies for making an insecure system we put our stuff into, and EXPECT them to secure it? That's like saying all you need is a lock and key on your front door, and your home is secure.

    Again, do we blame the company who create the door? The doorknob?

    No, we blame the person who broke in. Therefore... this constant B.S. articles like this, where we blame device manufacturers, for making cameras insecure and shit, is a complete and total jab at the wrong problem. The problem is simple: the people perpetrating these acts. And fucking researchers doing it. And the businesses giving them a direct path to it.

    You can be sure if a business offered home invasion robbery instruction manuals they'd be on their sorry ass and in jail real fucking quick.

    1. Re:Let me get this straight... by Anonymous Coward · · Score: 5, Insightful

      Calm yourself and then understand one thing: there is no breaking in going on, here. These cameras are broadcasting this shit directly to all comers, wide open to the world. No one is "tak[ing] a hammer and break[ing] into someone's home," they're standing on the sidewalk looking into the front windows where the home builder didn't bother to install any blinds.

    2. Re:Let me get this straight... by Anonymous Coward · · Score: 0

      People who don't secure their systems and devices are to blame for someone breaking into them? Go fuck yourself, if that's how fucking much of a dick you are for believing that shit. And here's why:

      Anyone can take a hammer and break into someone's home. I don't see anyone blaming architects, glass blowers, window manufactuers, installers, washers, etc., or the owner of the property

      These are, conceptually and practically, completely different acts.

      If I break into a home, I am forcing myself past a lock - i.e. destroying property - and ending up in else's property. (N.B. If there's no lock, entering a home is not illegal in many countries, although it is trespassing and you must leave when asked.)

      If I "break into" a computer, I'm not actually intruding on property - which is why crimes tend to be defined in terms of "unauthorised access". Unauthorised access involves making a request from a computer which the computer responds to, because its owner has willingly installed it AND provided a method to communicate with it. No force is involved - I'm just saying, "Hey, computer, will you please give me XYZ?" and the computer says, "Sure here you go." It just happens that the owner decides at some point that they don't want the computer to be accessed in that way, even though they provided that method of access.

      The solutions? Well, here are some I propose:

      1) Unenforceability of disclaimer of liability clauses. If the user has read the manual and something still goes wrong, the manufacturer is responsible for clearing up the mess.

      2) Stop putting everything on the Internet, asshats. It's not needed. Capitalism may have an insatiable desire to shovel ever more shit at people, rather than allow people to live in peaceful luxury, but not every trend is necessary to follow!

    3. Re:Let me get this straight... by Narcocide · · Score: 1

      The only thing broken here is your analogy. If a company sold locks that couldn't be locked or were too trivially pickable, and advertised them as locks, you can guarantee there would be (and historically has been) more or less equivalent blowback. The only real difference being that if you forget to lock your car or don't even fucking try, nobody would be surprised to get their shit stolen.

    4. Re:Let me get this straight... by AK+Marc · · Score: 2

      If I were to create a device that can be hacked by someone else, then my customers and I are to blame for the act of someone hacking it?

      If you make a house that opens the door and throws the owner's jewelry at the person who rang the bell, damn straight you are at fault for making the stupid thing in the first place, and the owner for not locking the door when he goes out.

      Nobody is "hacking". The act of a port screen is more like door knock or doorbell ring than walking through a parking lot trying every door handle for one that's unlocked.

      --
      Learn to love Alaska
    5. Re:Let me get this straight... by Mashiki · · Score: 2

      If a company sold locks that couldn't be locked or were too trivially pickable, and advertised them as locks, you can guarantee there would be (and historically has been) more or less equivalent blowback.

      Electronic locks used on hotels? Or the programmable key locks that a lot of people use on their house? You can still bust them open with $50 of off the shelf hardware. That's been going on for 4 or 5 years now, and the amount of blowback has been minimal.

      --
      Om, nomnomnom...
    6. Re:Let me get this straight... by Anonymous Coward · · Score: -1

      But people are still beign held responsible for theft these days, last I heard, if you can prove it. Shouldn't we hold responsible the people who actually spend the time to watch said cameras?

      Correct me if I'm wrong (and I know you will, 'cause you're always right and I'm always wrong, according to your POV): Isn't an IP address purchased by ISPs the property of the ISP, and thus, anyone who violates the trust of contract between the ISP and the consumer someone considered liable for violating that contract?

      Of course, I know your counter argument: "They left it wide open, so they're responsible."

      I guess you agree with the analogy that if a woman dresses sexy and is raped, "She was askin' for it," right?

      GFY.

    7. Re:Let me get this straight... by Duhavid · · Score: 1

      You are quite right, the makers of the items throwing valuable stuff around unsecured are doing wrong.

      But, someone taking advantage of this problem is still doing wrong.
      I don't think you are arguing that it is ethical to take that which is thrown at you, but that the owner had no intention of you having.
      I understand that this is a "technicality", that it isn't expected to stop this wrong.

      And someone publishing a directory ( or web site ) with directions on how to get to such ill secured items, especially to encourage, even allow viewing something like sleeping kids is doing wrong, verging on evil.
      Chorus of above.

      --
      emt 377 emt 4
    8. Re:Let me get this straight... by Anonymous Coward · · Score: 0

      Correct me if I'm wrong (and I know you will, 'cause you're always right and I'm always wrong, according to your POV): Isn't an IP address purchased by ISPs the property of the ISP, and thus, anyone who violates the trust of contract between the ISP and the consumer someone considered liable for violating that contract?

      What are you even talking about? If I open my browser and tell it to go to slashdot.org, a web page comes up. I don't have a contract with Slashdot, and I don't have a contract with Slashdot's ISP. I don't really care what contract Slashdot has with its ISP. I'm not violating any contracts by loading slashdot.org in my web browser.

      If I open my browser and tell it to go to 12.34.56.78 and up pops a webcam showing the break room in a convenience store, how is this any different? I don't have a contract with the convenience store and I don't have a contract with their ISP. I don't care what contract they have with each other. My web browser asked a server to display some content, and it did. Nobody violated any contracts.

      I guess you agree with the analogy that if a woman dresses sexy and is raped, "She was askin' for it," right?

      No. I do agree with the analogy that if I ask a woman for sex and she says "OK, let's do it" then everything is fine.

    9. Re:Let me get this straight... by AK+Marc · · Score: 1

      Publicizing these problems would hopefully convince the owners to turn on the security features of their non-IoT items.

      I hate how these are called IoT. IoT is for things talking to things. Not people talking to servers. That's just the Internet. The camera only talks to people or things pretending to be people.

      The current trend is the Internet of tiny servers. The IoT refrigerator is a server. You connect to it via an app. Or it's a client device in a 3rd party network, where your LG appliances talk to an LG server that your app connects to. Your things *never* talk to your other things. When that happens, that's an IoT. Until then, it's more client-server apps, with the clients and servers getting smaller and more interchangeable.

      --
      Learn to love Alaska
    10. Re:Let me get this straight... by Anonymous Coward · · Score: 0

      Of course, I know your counter argument: "They left it wide open, so they're responsible."

      Please think about this carefully:

      The webcam
      delivers
      the pictures.

      One more time:

      The client says, "May I watch you?"

      And the webcam server says, "Sure, here are the pictures."

      A suitable analogy is me asking, "May I watch you?" and you saying, "Yeah, go ahead."

    11. Re:Let me get this straight... by cyclomedia · · Score: -1

      Jesus, this again. No. You are wrong. Unless I lock my daughter in her room for her entire life does that mean someone has the right to rape her? I mean, technically, nothing would be being taken from her.

      This webcam search is no different. Just because something is present in the universe and not physically hidden, locked, encrypted doesn't mean anyone can (legally or morally) dick about with it

      --
      If you don't risk failure you don't risk success.
    12. Re: Let me get this straight... by Anonymous Coward · · Score: 0

      If you take Ä'own the blinds and curtains and someone can stand on the sidewalk and watch your dauhhter undress there is nothing illegal about it and you are at fault, not the guy watching and not the guy who told him.

      These cameras broadcast their video to the internet, just like leaving the blinds off.

    13. Re:Let me get this straight... by Anonymous Coward · · Score: 0

      Closer akin to you posting her pictures to facebook but don't give anyone her name, then someone finds the page and tells other people. I put up a webpage with a webcam using a raspberry pi with an open port on my cable router and it took google less than two days to find it.

    14. Re:Let me get this straight... by Bert64 · · Score: 2

      A service like shodan only increases public awareness, anyone who actually has malicious intent will have their own method of discovering insecure devices and no intention of publicising their activity. Publicity does not benefit those with malicious intent, as the publicity will cause at least some people to improve the configuration of their devices.

      If you keep this information out of the public eye, it gets forgotten and overlooked and then the number of vulnerable devices only increases to the benefit of the actually malicious people who want to take advantage of them.

      And yes often the device manufacturer is at fault, some devices cannot be reasonably secured and for others the manufacturer provides weak defaults and doesnt do enough to force users to change them.
      Some devices these days come with a random password printed on the device, that's perfectly reasonable and prevents casual attackers using blank or default passwords.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    15. Re:Let me get this straight... by Opportunist · · Score: 1

      The problem is that hacking isn't even involved.

      To stay in your house analogy, the current situation is more like every door in your home being unlocked with a butler at the door greeting people and handing them whatever they ask him for. They're not even "illegally entering" your home. They ask your butler "may I take a look at little Cindy?" and he delightedly says "But of course!" without even asking who they are or why they want to take a look at your child.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    16. Re:Let me get this straight... by CCarrot · · Score: 1

      Of course, I know your counter argument: "They left it wide open, so they're responsible."

      Please think about this carefully:

      The webcam
      delivers
      the pictures.

      One more time:

      The client says, "May I watch you?"

      And the webcam server says, "Sure, here are the pictures."

      A suitable analogy is me asking, "May I watch you?" and you saying, "Yeah, go ahead."

      An even more suitable analogy is me asking a Magic 8-Ball "May I watch this guy?"...but all other responses in the 8-ball other than "Yes, definitely" have been removed by the manufacturer.

      The person who should be giving the consent is not consulted, or is not aware that consent is being automatically provided by a third party.

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    17. Re:Let me get this straight... by Anonymous Coward · · Score: 0

      If you run a webserver on your computer, visible to the internet at large, and someone else accesses that webserver, you literally have nothing to complain about. That's what webservers are FOR. If you put pictures of your daughter on that webserver, and Google comes along and indexes them, how is that different than anyone else putting any other pictures on any other webserver and Google indexing them? Google can't read minds; neither can Shodan.

      In this case it's a webserver being run on a shitty internet-connected webcam, but I can run a webserver on my Raspberry Pi and hook it up to a camera just as well and make that available to the internet at large if I want. The problem is shitty internet-connected cameras, not search engines.

    18. Re:Let me get this straight... by Anonymous Coward · · Score: 0

      The analogy is not broken, companies DO make and sell locks that are trivially pickable with as little as a pen. These locks are sold for indoor use only, such as bathrooms and bedrooms with the expectation that you put a more secure lock on your external doors. Cameras sold with little to no security are similarly expected to be used on a LAN on which the external gateway is secured (such as a firewall and/or NAT).

    19. Re:Let me get this straight... by Anonymous Coward · · Score: 0

      Don't these webcam servers ask 'What's the password?'?
      That to me is a lock, no matter how trivial the password may be. Meaning someone is sticking hairpins into doorknobs to see how good the locks are, which is wrong. Sure there's some onus on the purchaser to choose a good lock, but that doesn't mean the intruder isn't in the wrong.

    20. Re:Let me get this straight... by Anonymous Coward · · Score: 0

      Giving the default password a try is indeed hacking. Any password barrier at all says "not welcome" - the exact opposite of throwing valuables out.

    21. Re:Let me get this straight... by AK+Marc · · Score: 1

      And when there's no password set at all?

      --
      Learn to love Alaska
    22. Re:Let me get this straight... by minchazo · · Score: 1

      Here's a car analogy for you: This is like having a car that automatically starts up for you and opens the doors when you walk by. The manufacturer, however, neglected to require the key fob to be anywhere nearby, so any time ANYONE walks by, the car door opens and the car starts up.

  7. You've made your point...now shut it down. by westlake · · Score: 2

    The infosec community came to defend Shodan, and even its founder said that Shodan is uselessly branded as a tool of evil, saying that attackers have their own scanning tools.

    It won't matter to the families of the children you have exposed that other scanning tools are available. Yours is public and visible --- and it has a deliberately provocative name. You can't search Google for Shodan and miss the connection.

    1. Re:You've made your point...now shut it down. by Anonymous Coward · · Score: 1

      Yours is public and visible --- and it has a deliberately provocative name.

      That's the point, Shodan is selling a service, and they want publicity.

      Hopefully this will make the mainstream news and people who have their cameras connected to the internet will learn and take them down.

    2. Re:You've made your point...now shut it down. by Anonymous Coward · · Score: 1

      It won't matter to the families of the children you have exposed that other scanning tools are available. Yours is public and visible --- and it has a deliberately provocative name. You can't search Google for Shodan and miss the connection.

      The device manufacturers are clearly to blame here.....this isn't a Shodan problem. Any reasonable timeline for a response to responsible disclosure has long since passed.

    3. Re:You've made your point...now shut it down. by Lunix+Nutcase · · Score: 5, Insightful

      Because sweeping this under the rug means bad guys won't ever attack these devices. *rolls eyes* Their point won't have been made until these *groan* IoT *groan* device making shitheads secure their crapware.

    4. Re:You've made your point...now shut it down. by tlambert · · Score: 2

      Yours is public and visible --- and it has a deliberately provocative name. You can't search Google for Shodan and miss the connection.

      The malevolent AI villain in System Shock 2? I fail to see the connection...

      You've made your point...now shut it down.

      Yes. They've made their point. Now it's the job of the manufacturer to shut it down, since people anywhere on the planet can run a similar service, and there's not dick you can do about it without a policing treaty, and extradition treaty, and a willingness to spend a lot of money following up the events.

    5. Re:You've made your point...now shut it down. by excelsior_gr · · Score: 3, Insightful

      I'm afraid I have to agree. This search engine needs to receive as much publicity as possible, not get swept under the rug. Only then, I hope, will the people become aware of how orwellian the IoT really is.

    6. Re:You've made your point...now shut it down. by Duhavid · · Score: 0

      The device manufacturers *are* to blame.

      And so is Shodan.

      --
      emt 377 emt 4
    7. Re:You've made your point...now shut it down. by Bite+The+Pillow · · Score: 1

      I did the impossible. I searched Google and came up with martial arts, Go, and this article. And similar articles from back when this was news. The connection you claim is obvious is clearly missing.

      I'm more interested in this having been news for years, and devices aren't even using minimal security via obscurity. A normal ISP might knock you off for port scanning, but hitting random addresses on a single port might not trigger the same response, making it trivial to replicate this search engine.

    8. Re:You've made your point...now shut it down. by grimJester · · Score: 1

      SHODAN is an artificial intelligence whose moral restraints were removed from her programming by a hacker in order for Edward Diego, station chief of Citadel Station, on which SHODAN was installed, to delete compromising files regarding illegal experiments and his corruption. She is a megalomaniac with a god complex and sees humans as little better than insects, something which she constantly reminds the player of.

      No moral restraints, megalomaniac?

    9. Re:You've made your point...now shut it down. by Anonymous Coward · · Score: 0

      Wait, why would you want to film you sleeping children in the first place? I find that terribly creepy, borderline perverse and sure as shit stinks, a violation of their privacy! Laissez-faire parenting gone amok. Stop it at once.

    10. Re:You've made your point...now shut it down. by Opportunist · · Score: 1

      So killing the messenger it is again? Let's hush it up, when nobody talks about it, maybe it just goes away.

      You know the old saying, if you make Shodan a criminal, only criminals will go onto the orbital station and fight her. Or something like that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:You've made your point...now shut it down. by AmiMoJo · · Score: 1

      You can search Google for unsecured webcams. They periodically remove them from their database, but if you stay ahead of the curve with new models they are easily accessible via google.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re:You've made your point...now shut it down. by AchilleTalon · · Score: 1

      IoT is not orwellian, what turns orwellian when people don't care about security issues: users and manufacturers. This has nothing to do with Big Brother. Enable the security on your webcam and no one will sneak at you.

      --
      Achille Talon
      Hop!
    13. Re:You've made your point...now shut it down. by Anonymous Coward · · Score: 0

      That seems like the exact opposite of laissez faire to me.

    14. Re:You've made your point...now shut it down. by Anonymous Coward · · Score: 0

      There is a reference to "Shodan Armada" in the movie "The Last Starfighter" Go watch it sometime. It was released in 1984 and that predates the release date for "System Shock 2" by 15 years according to Wikipedia.

    15. Re:You've made your point...now shut it down. by Anonymous Coward · · Score: 0

      I like how TFA suggests that cam makers block the web crawler vs. you know actually closing the security hole.

    16. Re:You've made your point...now shut it down. by anyGould · · Score: 1

      And realistically, Shodan is offering a more useful service for free - showing people that their webcam is broadcasting to the entire world.

      The fact that the "solution" is "hey, block this one provider" and not "holy crap, unplug that thing NOW and get one that isn't broadcasting our cash register to anyone with half a brain.

      I suspect this will get fixed when someone gets hurt or robbed, and decides to take it out on the manufacturer. (I'm guessing there's a (media) case to be made in "hey, the webcam you sold me isn't secure, so the crooks watched my register to pick the perfect time to rob us")

  8. Shodan *started* as a webcam search engine by kriston · · Score: 2

    I'm not sure if everyone already knew this but Shodan *started* as an non-secured webcam search engine back in 2009.

    --

    Kriston

    1. Re:Shodan *started* as a webcam search engine by Anonymous Coward · · Score: 5, Informative

      That's actually incorrect. I launched the search engine with the idea of it being used to empirically gather market intelligence ("Netcraft for everything"). And the first search queries that the infosec community ran were for printers. Webcams only came around much later.

    2. Re:Shodan *started* as a webcam search engine by Burz · · Score: 1

      According to Youtube the webcams are much more entertaining than printers:

      https://www.youtube.com/watch?...

      Here is one where the victim calls cam tech support, and tech is clueless:

      https://www.youtube.com/watch?...

  9. The feds will shut it down in a couple of weeks by davidwr · · Score: 1

    The feds will shut down the sleeping-kids search engine in a couple of weeks, after they infect a bunch of computers with phone-home-ware.

    What's that you say? I'm posting in the wrong thread? Sorry, saw "kids" and "cameras" and "creepy" and they sort of blended together there for a minute.

    Strange but true: My captcha is warrants. Now THAT is creepy!

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  10. Offering data to the public Internet by Morgaine · · Score: 5, Insightful

    An AC wrote:

    People who don't secure their systems and devices are to blame for someone breaking into them?

    There was no breaking in.

    If you provide data to the public Internet without any form of restriction, you can't then validly complain when the Internet public sees that data. You offered it publicly, and the public took you up on your offer.

    This isn't anything like breaking and entering, nor even like someone walking through a door which you left wide open. It's much more intentional on your part than that:-- you offered data to the public by creating an unrestricted access port on the Internet, your offer was accepted when someone opened that port, and then you deliberately sent your data out to that recipient. It was your choice, before and after you made the offer to the public. Nobody can force you to send your data if you don't want to. Your system wasn't hacked to change its code to something that you did not intend.

    The closest analogy I can make is to imagine yourself standing on the sidewalk in the high street, an open sweet jar in one hand, and the other hand outstretched offering sweets to passers by. The highstreet is the public Internet, and your invitingly outstretched hand is the open port. If someone takes hold of the sweet, you can still prevent it from being taken by holding tightly onto the wrapper (an access restriction, perhaps you want to check that recipients are smiling first).

    But if you first offer a sweet and then release it, you don't get to complain --- it was your visible intention to hand out sweets to passers by, and nobody can read your mind, only your actions. If you don't understand this then perhaps you don't grasp how Internet protocols work, and you would be best advised to stay well clear of the Internet.

    You may wish that Internet protocols worked some other way, perhaps using ESP, but they don't. They work as they were defined.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
    1. Re:Offering data to the public Internet by Anonymous Coward · · Score: 0

      Ok so how about somebody standing on a public street and peeping into a house through a window that has a small opening and person getting undressed on the other side. Im fairly sure you can get arrested for that, so why not be arrested for peeping through an open internet port?

    2. Re:Offering data to the public Internet by Anonymous Coward · · Score: -1

      I was that AC. The point I'm making, and clearly nobody understands, is this: stop blaming the victims. Blame the people who are doing shit like watching a three year old get naked because mom forgot to turn the camera off or turn the security settings on.

      It's the same principle as the argument on rape: "She was askin' for it," doesn't qualify as a reason to say, "she was offering herself up to the public."

      Again, I ask, why do we blame the manufacturers of devices and consumers for things people shouldn't be doing? Eavesdropping is still eavesdropping, no matter how you obtained that access. You're still doing something that's against the social contract.

      If you can't understand that BASIC, SIMPLE, PRINCIPLE of behavior, than seriously... you've got to question yourself.

      I'm fully aware of how an IP address needs to be public in order for the Internet to work. It wouldn't if it wasn't. I'm also fully aware of this culture of everyone trying to be a hero by exposing other people's flaws, by violating them, showing that they're insecure, and giving people instructions and pathways to do such things.

      A) You need to know the IP address to my device, just like you need to know my home address.
      B) You need to know HOW to access my device, just like you need to know how to open a window from the outside, break a window, or break a lock... that may or may not even be locked!
      C) You're still doing something against the social moral contract -- ie, the law.

      AGAIN. For FUCK's sake... it's NOT the manufacturer's fault, NOR the victim's fault, if someone deliberately GOES to MY IP ADDRESS and looks at MY Camera. They are USING A DEVICE to get in. THEIR computer. THEY issued the instructions to ACCESS something that was PUBLICLY ACCESSIBLE. Every home can be REACHED by the public, and every DOOR can be opened by someone, some HOW, through some WAY.

      Regardless, you're still DOING the thing you shouldn't be DOING. And this website is ENABLING people to do that. They are RECORDING it.

      This is NOT port scanning. Port scanning doesn't say, "OMG, this device is looking at this content." Some asshole had to look at that content and report it as THAT content. They are doing WAY more than port scanning if they know WHAT is on the camera image.

      IT IS NOT THE VICTIM's FAULT.

    3. Re:Offering data to the public Internet by jones_supa · · Score: 2

      If you provide data to the public Internet without any form of restriction, you can't then validly complain when the Internet public sees that data. You offered it publicly, and the public took you up on your offer.

      Was it their choice though? Were they aware that the device is exposed?

      Part of the blame lies on the manufacturer if they make it too easy for an uninformed person to leave the device in an unwanted state. Bad design.

    4. Re: Offering data to the public Internet by Anonymous Coward · · Score: 2, Insightful

      You are so beyond wrong here, and very emotional about your response as well.

      People are putting private data on a public medium, in many cases without so much as a login password. Completely open. There's a certain level of personal responsibility here. Framing this is some sort of crime ignores the reality that people are doing things like this out of ignorance, but ignorance does not remove people from being responsible for their actions.

    5. Re:Offering data to the public Internet by Anonymous Coward · · Score: 0

      > stop blaming the victims

      I don't see anyone blaming the victims, only blaming technical incompetence of the installer. If you don't have the competence to secure a device on the internet, don't put your device on the internet.

      If you don't have the competence to pack your own parachute, don't pack your own parachute. Get an expert to pack it for you. If you pack your own and it fails to open, you have nobody to blame but yourself. Trying to avoid your responsibility in the matter by saying that it's "blaming the victim" won't get you anywhere, because you were clearly to blame by exceeding the limits of your competence. The internet is no different.

      It's not only a problem with technical incompetence of users, but also that of providers. If a company is knowingly selling webcams to the mass public (hence knowingly to non-technical users), you have every right to expect that the products provide access protection out of the box. Alas, many IoT companies are not acting responsibly in that respect.

      Despite that though, you do NOT get to shed your own responsibility in the matter and only to blame others. It is you who put an open viewport on the internet after all, nobody else.

      Note also that victim and incompetent technician are two entirely separate parties, except by coincidence. If you incompetently installed an open webcam and a child became a victim, or if you incompetently packed a parachute for another and he plummeted to his death, then they are the victims but you are the party to blame, in both cases. The victims would not be blamed because the responsibility would lie with someone else who performed a technical task while lacking the necessary competence to do so.

    6. Re:Offering data to the public Internet by NotQuiteReal · · Score: 1

      Ok so how about somebody standing on a public street and looking into a house through a window that has a large opening and a person getting undressed on the other side. I'm fairly sure you can't get arrested for that, nor can the "exhibitionist". So why is there a problem for consuming data from an open internet service?

      --
      This issue is a bit more complicated than you think.
    7. Re:Offering data to the public Internet by Anonymous Coward · · Score: 0

      Regardless, you're still DOING the thing you shouldn't be DOING

      The day that you shouldn't be asking a system at the other end of an IP address whether or not they have a service listening at such and such a port is the day the entire Internet is a thing of the past.

      And this website is ENABLING people to do that.

      Okay.

      They are RECORDING it.

      Maybe try suing for copyright infringement, then. Going to be a hard sell, given you're intentionally offering data to the public, though.

    8. Re: Offering data to the public Internet by Anonymous Coward · · Score: 1

      If you leave the blinds and curtains off your windows and do aerobics in the nude in front of them its YOUR fault, not the passerby that sees it or the person that told him about it or even the person with the camera recording it.

      When you install one of these cameras and connect it to the net you are the one that put up a live video feed broadcasting to everyone, that makes it your fault just like failing to put up curtains does. You have a responsiblity to protect your privacy and if you abdicate that responsibility it makes the result YOUR fault.

    9. Re:Offering data to the public Internet by Anonymous Coward · · Score: 0

      Regardless, you're still DOING the thing you shouldn't be DOING.

      Why shouldn't they view what you provide? You gave them permission to view that data when you provided it as an open service on the public Internet.

      It appears that you don't understand how network services are created on the Internet, and the role and responsibility of the administrator of an Internet-connected device. It's quite simple, so I'll explain.

      Webcam images or video stay on the webcam and aren't going anywhere without administrator action. When an admin connects a device properly to the Internet, a path becomes available from anywhere on the Internet to the device., but a mere path is not enough to make the device usable or even detectable. The admin also has to set up a network listener port, without which a webcam will not send its feed despite being reachable. Setting up the listener port on a reachable IP address constitutes "offering a service" in Internet networking terms.

      Accesses to your new service will begin almost immediately if you attach a device to the open Internet, whether you advertise it or not. It is the role of an administrator to impose any desired restrictions on the service that they have just offered to the Internet, because in the absence of configured restrictions it will be an open public service. This may be fine and intentional, or it may be unwanted and very bad.

      The billions on the Internet cannot know what your intentions are. If a service is made accessible by you, then they will use it. By making it accessible, you have given them implicit permission to use it, because if you had not wanted them to use it then you would not have made it accessible. That is how all Internet services work. There is no paperwork, contract, or any other red tape involved, just the mere enabling of a service creates an invitation to use it, and the service is available to everyone unless you configure access restrictions either within the device or in a separate firewall. Internet services wouldn't have gained billions of users if there had been red tape involved.

      That's all there is to it. You said that nobody understands the point that you're making, but that stems from the fact that you are ignoring the cause of the problem and trying to cure a symptom. Access restrictions are under your control, and if you have not imposed any restrictions then you have offered an open public service. You can't validly blame anyone for using a service which you have offered. You have given them implicit permission to use it by making it open and public.

      Of course you may have given this implicit permission by accident, quite possibly through lacking technical competence in networking, but the Internet billions cannot possibly know that. The power to provide or restrict a service lies with you, and you must exercise it. Blaming the Internet public for the consequences of your failure to do so is misplaced, and moreover, it is ineffective.

    10. Re:Offering data to the public Internet by Anonymous Coward · · Score: 0

      Go fuck yourself and get the fuck off the Internet. You're clearly too stupid.

    11. Re:Offering data to the public Internet by Anonymous Coward · · Score: 0

      Ok so how about somebody standing on a public street and peeping into a house through a window that has a small opening and person getting undressed on the other side. Im fairly sure you can get arrested for that,

      Not where I live you don't, and I wager nowhere in the civilized free world either. Just by definition.
      The one doing the stripping down in front of the window might be reprimanded, but I doubt it would go as far as fines.

    12. Re: Offering data to the public Internet by Anonymous Coward · · Score: 0

      The thing is that all these devices are designed to be placed behind a statefull firewall.

    13. Re:Offering data to the public Internet by Opportunist · · Score: 1

      It's considered impolite where I'm from. And it's considered indecent to undress in front of open windows. I fail to see the illegal part, though, on either side. Well, maybe the one undressing could be in for indecent exposure, but that would have to be like a shopping window in a well frequented street where you pretty much have to assume someone would be looking in.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    14. Re:Offering data to the public Internet by Opportunist · · Score: 0

      How is it my fault when someone looks into my bedroom when I fail to close the blinds? It's THEIR fault for looking in. They go toy MY STREET, look in MY WINDOW. They use THEIR FEET to get there. THEY decided to look in MY DIRECTION to a window that was facing a PUBLIC STREET. Every home can e reached by the public.

      So why the fuck do I get nailed with indecent exposure just for this window being the big panorama window to the main street? It's THEIR FAULT for looking in! Not mine for not closing the blinds. How am I supposed to be responsible for my privacy?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    15. Re: Offering data to the public Internet by Chris+Mattern · · Score: 1

      The thing is that all these devices are designed to be placed behind a statefull [sic] firewall.

      Of course, they don't bother telling that to consumers who don't even know what a firewall is.

    16. Re:Offering data to the public Internet by Anonymous Coward · · Score: 0

      If the window has a "small opening" then it sounds like whoever lives there tried to put up curtains, blinds, or some other access control device to keep you from looking in. Nobody put any access control in front of these cameras. Your analogy would only work if the window was wide open, with no window treatments.

  11. Gardens by jones_supa · · Score: 2

    ...front gardens, back gardens...

    Aha! But not side gardens! Those have better privacy...

    1. Re:Gardens by Anonymous Coward · · Score: 0

      Over under sideways down

  12. You're talking to the wrong guy. by westlake · · Score: 1

    Because sweeping this under the rug means bad guys won't ever attack these devices. *rolls eyes* Their point won't have been made until these *groan* IoT *groan* device making shitheads secure their crapware.

    The geek makes this argument whenever one of his pet "white hat" hacking projects is clearly open to abuse.

    The problem here is that the argument appeals only to other geeks --- not to those who see only an invasion of privacy made possible --- made easier --- by a search engine like Shodan. That a door was unlocked or the lock was broken does not imply a right to enter.

    The geek needs to learn that others see him as the shithead whether he is wearing the white hat or the black.

    1. Re:You're talking to the wrong guy. by Anonymous Coward · · Score: 0

      Then "the others" need to learn that without the white hats bringing things to attention, the criminal scum would already be abusing them left, right, and center.
      If you prefer your security by obscurity, good luck.

    2. Re:You're talking to the wrong guy. by westlake · · Score: 0

      Then "the others" need to learn that without the white hats bringing things to attention, the criminal scum would already be abusing them left, right, and center. If you prefer your security by obscurity, good luck.

      You still don't get it. This isn't about "security through obscurity." It is about Shodan.

      It is about how the geek is perceived by others. It is about how he undermines relationships with those outside his own community for what he perceives to be the greater good.

    3. Re: You're talking to the wrong guy. by Anonymous Coward · · Score: 0

      Bringing insecure devices to people's attention is undermining their relationships? What fucking planet do you live on?

      So essentially what you are saying is that it's A-OK for criminals and "black hats" to have access to the information in question under the table as long as the owners of the cameras don't have to have the fact that anyone can watch their cameras brought to their attention?

      That's weapons-grade idiocy right there.

  13. License for installation!! by Anonymous Coward · · Score: 0

    Like electricians who need a license to work (atleast where I live), IoT devices should require a license to install.

    1. Re:License for installation!! by thinkwaitfast · · Score: 1

      Does that include DIY?

    2. Re:License for installation!! by gweihir · · Score: 1

      And that makes the devices more secure how?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:License for installation!! by Anonymous Coward · · Score: 0

      Hey, at least we would have someone to blame, that we can agree on!

    4. Re:License for installation!! by Opportunist · · Score: 1

      I think you're more thinking of some kind of "seal of security" that such a IoT device needs to be put into circulation, like that seal on electronic devices saying that it doesn't cause any interference and that it can deal with any interference that might happen (forgot the name).

      That would actually be a pretty good idea.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:License for installation!! by gweihir · · Score: 1

      Can't argue with that ;-)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. IF THEY AREN'T DOING ANYTHING WRONG... by gavron · · Score: 2

    ...they they don't need to worry about the surveillance.

    And the parents who put these protections in place, that's just like our big brother the NSA and GCHQ putting protections in place for us. No encryption necessary. Hope no bad guys get a hold of this.

    But if you're doing nothing wrong... ...you have no reason to worry.

    E

    1. Re:IF THEY AREN'T DOING ANYTHING WRONG... by Opportunist · · Score: 1

      With the ever changing laws and more and more insane laws springing into existence, do you even know anymore whether you do anything wrong? Worse, are you sure that what you enjoy doing today would not be considered "wrong" tomorrow? And that the powers that are might wonder whether you stopped with that "habit" you had that used to be legal before?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:IF THEY AREN'T DOING ANYTHING WRONG... by Anonymous Coward · · Score: 0

      go back and read the parent post and think of the NSA.
      See, there you go.

  15. All the same stupid mistakes being made again by gweihir · · Score: 1

    It is as the IoT people never even have heard of the, by now, 30+ years of history of Internet security fails. These must be the dumbest, most arrogant and most clueless developers, lead by managers of the same quality. It is high time that we get legally actionable gross negligence for manufacturers that ignore Internet security best practices.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:All the same stupid mistakes being made again by Opportunist · · Score: 1

      That last part of your statement is pretty much the reason right there.

      Business decisions are driven by simple considerations. Whether some feature is added is decided by basically 3 questions?

      1. Is it going to increase revenue?
      2. Is it going to increase sales?
      3. Do we have to do it to avoid fines?

      If none of the 3 apply, it will not be done. Security is "neither of the three". So to hell with it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:All the same stupid mistakes being made again by AchilleTalon · · Score: 1

      Don't tell me, you haven't RTFA no?

      --
      Achille Talon
      Hop!
    3. Re:All the same stupid mistakes being made again by gweihir · · Score: 1

      Indeed. And hence bad security must be made a significant cost factor for those making devices with it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:All the same stupid mistakes being made again by gweihir · · Score: 1

      Don't tell me, you like to blame victims, no?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. UK uh... by Anonymous Coward · · Score: 0

    .io domains are british, so I just concluded that 99% of the pedophiles are living there. (UK includes US too... it's like... a big transcontinental isle full of shitty people anyways)

  17. Really, the name should've warned them by Chris+Mattern · · Score: 1

    "Look at you, hacker: a pathetic creature of meat and bone, panting and sweating as you run through my corridors."

  18. Threat model by Anonymous Coward · · Score: 0

    'I am the Calvery' criteria for Secure by Design includes some good stuff, but to compensate then says:
    All GPIO, UART, and JTAG interfaces on the hardware should be disabled for production versions.

    I'm not sure what their threat model is for a consumer device.
    Are they worried about somebody in the supply chain compromising the device?

    It seems like the first thing for putting a camera on the Internet is to give it a strong, unique password out of the box and not have any bugs that let folks in in other ways. The above might be useful for hiding any such bugs, but ultimately it seems like security thru obscurity. Just put really simple s/w in the camera that has a good chance of being safe, provide the above debug interfaces, and provide a bug bounty.

    If the Calvery wanted to fix this, they could publish open source camera s/w with the above bug bounty. Then the race to the bottom vendors would not have to sacrifice security fro cost.

  19. IoT by JustAnotherOldGuy · · Score: 2

    IoT: Internet of Trouble

    Lets see....cheaply-made products produced and sold with barely a nod to security, installed by users who are likely to be as clueless as they could possibly be, all connected to a worldwide network easily accessible by lots and lots and lots and lots of malicious people with too much time on their hands.

    What could possibly go wrong??

    Trust me, you ain't seen nothin' yet. I'd wager that 98% of all of these consumer-grade gadgets are going to be easily hackable in their default configuration. It's only a matter of time- eventually one of them will cause a serious injury or death, or at the very least some kind of significant property damage.

    You want your refrigerator to be internet enabled? Great! But should it also have the unfettered ability to turn the temperature down and spoil all the food?

    You want door locks you can control from the other side of the world? Great! But should any Joe Blow with a free hacking kit be able to unlock your doors at will?

    You want to be able to remotely turn on your stove and start heating some water? Great! But should it blindly start "heating" a cardboard box left sitting on the burner because some dickhead in Moldavia can bypass your login?

    You want an internet-enabled thermostat? Great! But should some malicious asshole be able to turn off your heat in the dead of winter when you're on vacation, freezing your house and causing your water pipes to burst?

    Don't get me wrong- I think the overall idea of IoT is fascinating and holds great promise, but mark my words... like anything else it's gonna be abused too. Unfortunately I think it's going to take some major-league lawsuits before manufacturers start taking the security aspect of it seriously.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  20. In unrelated news... by hyperar · · Score: 1

    Internet traffic on the Vatican City grew 500% in 15 minutes.