Slashdot Mirror


Hacker Spoke To Baby and Hurled Obscenities At Couple Using Nest Camera, Dad Says (cbsnews.com)

pgmrdlm shares a report from CBS News: An Illinois couple said a hacker spoke to their baby through one of their Nest security cameras and then later hurled obscenities at them, CBS station WBBM-TV reports. Arjun Sud told the station he was outside his 7-month-old son's room Sunday outside Chicago and he heard someone talking. "I was shocked to hear a deep, manly voice talking," Sud said. "My blood ran cold." Sud told WBBM-TV he thought the voice was coming over the baby monitor by accident. But it returned when he and his wife were downstairs. The voice was coming from another of the many Nest cameras throughout the couple's Lake Barrington house. "Asking me, you know, why I'm looking at him -- because he saw obviously that I was looking back -- and continuing to taunt me," Sud said. Later that night, Arjun Sud noticed the Nest thermostat they have upstairs had been raised to 90 degrees. He suspected the hacker was behind that too. Nest's parent company, Google, said in a statement that Nest's system was not breached. Google said the recent incidents stem from customers "using compromised passwords exposed through breaches on other websites."

106 comments

  1. I may be a luddite by Major_Disorder · · Score: 5, Interesting

    But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.

    --
    First law of people: People are generally stupid.
    1. Re:I may be a luddite by 110010001000 · · Score: 3, Funny

      Luddite!

    2. Re:I may be a luddite by TigerPlish · · Score: 1

      But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.
      --
      First law of people: People are generally stupid.

      (emphasis on your sig added by me.)

      You may not, and I do not, and I suspect many others here won't either.. ..but as your sig so fortuitously put it... well, people are stupid.

      I can't wait until this ends up like Maximum Overdrive... only it won't be Comet Magical Bullshit, it'll be script kiddies and worse.

      --
      The "Civilized World" jumped the shark ca. 1973.
    3. Re:I may be a luddite by lazarus · · Score: 1

      Hacking stories are about to get MUCH more interesting!

      --
      I am not interested in articles about life extension advancements.
    4. Re:I may be a luddite by barc0001 · · Score: 1

      I might one day get a smart thermostat, but I'm definitely drawing the line at cameras. It sounds like the people in the article have *multiple* cameras inside their house. WHY? The baby monitor one, OK. The rest? WTF? Cameras go OUTSIDE if you're wanting security.

    5. Re:I may be a luddite by stephanruby · · Score: 4, Interesting

      ..but as your sig so fortuitously put it... well, people are stupid.

      Yes, it could be that.

      But let's remember, Uber gave the exact same excuse.

      We haven't been hacked. It's our users who have been re-using the same passwords.

      And two years later, it turns out that Uber did have a massive breach that they knew about, but that they didn't want to admit to anybody.

    6. Re:I may be a luddite by TigerPlish · · Score: 4, Insightful

      But let's remember, Uber gave the exact same excuse.

      We haven't been hacked. It's our users who have been re-using the same passwords.

      Oh, the stupid I was thinking of wasn't the reuse of passwords, it was the mere act of inviting these insecure IoT contraptions into the home.

      --
      The "Civilized World" jumped the shark ca. 1973.
    7. Re:I may be a luddite by Narcocide · · Score: 1

      That's more along the lines of how I feel. But there's still plenty of blame to go around. Google/Nest owes at the very least an apology to the public for misrepresenting their ability to enforce any security for these devices they sell.

    8. Re:I may be a luddite by Xenx · · Score: 1

      As someone that does dispatch for security, rich (or even decently well off) people like to keep an eye on their stuff and can afford to do so. Also, the police will also often charge for repeated false dispatches. A lot of the ones I deal with will check the cameras when we call on an alarm. The newer ones get the notification when we do and are checking them before we even get them on the phone.

    9. Re:I may be a luddite by jythie · · Score: 1

      Earlier this month I was paying my power bill and discovered I could control my heat/AC right from the power company's website. I... think I'm gonna have another thermostat installed.

    10. Re:I may be a luddite by GrumpySteen · · Score: 4, Funny

      You'll never make a living as a cam whore with that attitude.

    11. Re:I may be a luddite by 93+Escort+Wagon · · Score: 1

      But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.

      That's quite some slog from the couch all the way to the control unit on the wall, though. Who wants to walk 10-15 feet just to adjust the temperature? What is this, the Middle Ages? You might miss out on a funny cat video that's gone viral!

      --
      #DeleteChrome
    12. Re: I may be a luddite by Anonymous Coward · · Score: 0

      As if you have any say in the matter commie!

    13. Re:I may be a luddite by grep+-v+'.*'+* · · Score: 2

      But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.

      Agree completely. OTOH, if you DO access my home cams, then my revenge is that there are some things you can never unsee.

      My Eyes! The Goggles Do Nothing!

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    14. Re: I may be a luddite by Anonymous Coward · · Score: 0

      Video ... meh, I have a cat to actually supply all the fun

    15. Re:I may be a luddite by Howitzer86 · · Score: 2

      If you reuse passwords - and even if you don't - https://haveibeenpwned.com/ can be pretty useful. It alerts you if your passwords are found in that never ending stream of hacker data dumps. A new feature was added recently where you can enter it directly to determine if it's been compromised. Whether or not you trust that is another matter. But for the attentive, it's a good service overall for knowing when to retire a password.

    16. Re:I may be a luddite by Askmum · · Score: 5, Informative

      If you reuse passwords - and even if you don't - https://haveibeenpwned.com/ can be pretty useful.

      It's only marginally useful. Yes, I have been pwned, my email address is listed in the "Anti Public Combo List".
      So? With what password? I have to use my email address at many sites to log on and of course I do not reuse my passwords, so one of them is compromised. It doesn't tell me which. So I don't know which password to change.

    17. Re:I may be a luddite by Anonymous Coward · · Score: 0

      Yeah, but you have these people with cams inside their home??

      I work for a CCTV manufacturer. I have access to the code.
      I control the access to them, it's not "cloud" based but they can be remoted.

      I have cams all over the outside of my house and property.
      But no way in hell am I putting them inside.

    18. Re:I may be a luddite by Anonymous Coward · · Score: 0

      This is why you have kids to do it for you in exchange for food.

      Kids these days are lazy.
      I blame IR remotes.

    19. Re:I may be a luddite by ArsenneLupin · · Score: 1

      Mine too was listed, but it didn't even say which list. How do you find out? Can these lists be downloaded from anywhere?

    20. Re:I may be a luddite by stealth_finger · · Score: 1

      Yeah, but you have these people with cams inside their home??

      I work for a CCTV manufacturer. I have access to the code. I control the access to them, it's not "cloud" based but they can be remoted.

      I have cams all over the outside of my house and property. But no way in hell am I putting them inside.

      Just don't put the feed on the internet. Easy peasy.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    21. Re:I may be a luddite by ArsenneLupin · · Score: 1

      That's quite some slog from the couch all the way to the control unit on the wall, though.

      Smart thermostats have other uses:

      • Timers. Set it up so that it turns off when you're off to work, and back on just before you come home
      • Controlling it from somewhat further away than from the couch. For instance, if you unexpectedly finish work early, you can remotely turn on your thermostat at home just before leaving the office, so that it's warm and cosy by the time you arrive
    22. Re:I may be a luddite by nospam007 · · Score: 1

      "But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either."

      Then don't use 1234 as password.

    23. Re: I may be a luddite by Anonymous Coward · · Score: 0

      I caught my ex wife fucking two black guys on cam.

      Oh. So she's fat.

    24. Re: I may be a luddite by Anonymous Coward · · Score: 0

      What you are saying is, she needed some BBC to make up for your "shortcomings." Just remember this, while you think justice may have been served, your old lady thought you were such a wimp of a man she went and found a real man, well two of them in fact.

      Maybe if you wiped the cheetos out of your giant neckbeard, she wouldn't have left you. Damn incels posting their drivel on /.

    25. Re:I may be a luddite by Anonymous Coward · · Score: 1

      you can remotely turn on your thermostat at home just before leaving the office, so that it's warm and cosy by the time you arrive

      God forbid you might be "uncomfortable" at home for 20-30 minutes. What's going to happen are your testicles going to fall off?

      Is that trade off really worth your house getting pwned and controlled by strangers? I think not.

    26. Re: I may be a luddite by Anonymous Coward · · Score: 0

      The guys at haveibeenpwned don't keep passwords for the lists they observe.

      They do keep hashes, so you can check if your password appears anywhere in the wild, but not which email address or list it was seen in
      https://haveibeenpwned.com/Passwords
      That page calculates the hash in browser, but if that's still too insecure for you, they have an API you can send your own hash to.

    27. Re:I may be a luddite by jm007 · · Score: 1

      "What is this, the Middle Ages?"
      -- Bender

    28. Re:I may be a luddite by Anonymous Coward · · Score: 0

      You don't have a houseboy? Just don't give them a sock.

    29. Re:I may be a luddite by Ihlosi · · Score: 1

      So I don't know which password to change

      All of them. At least twice. And then nuke the entire site from orbit. It's the only way to be sure.

    30. Re:I may be a luddite by Altus · · Score: 1

      Alerts that the temp has fallen more than X degrees below the current settings allowing you to know if your heater has crapped out on you. I came home from a vacation last winter and it was 30 degrees F in my house. My cat had nearly frozen to death. If I had known when it dropped 5 degrees below what was expected I could have called my neighbor to have him check on it, maybe even let a technician into the house to fix it if necessary well before it got to the point where my pipes had frozen (making it very difficult to refill the boiler and get my heat running again).

      --

      "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

    31. Re:I may be a luddite by Anonymous Coward · · Score: 0

      "But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either."

      Then don't use 1234 as password.

      Can I use 12345 instead? It's the same combination as my luggage.

    32. Re: I may be a luddite by Anonymous Coward · · Score: 0

      How often has this sort of thing happened? I'm assuming it's happened one time in your life and will probably never happen again.

  2. Anal probes! by Anonymous Coward · · Score: 0

    I can't wait for internet connected anal probes!

    1. Re:Anal probes! by UncleTogie · · Score: 1

      I can't wait for internet connected anal probes!

      I have good news for you: Teledildonics is a thing now!

      https://www.glamour.com/story/...

      --
      Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    2. Re:Anal probes! by Scarletdown · · Score: 1

      Who else but Anonymous Coward!?

      o/~ It's A-C, A-C. There's no knowing what he'll say next... o/~

      --
      This space unintentionally left blank.
  3. This is funny as hell by Anonymous Coward · · Score: 0

    All of it is funny. Some random fatso neck beard using cred dumps to log into gmail accounts and curse at babies, some idiot millennial crying because he reused password123 in every site crying about his blood running cold, the breathless media reporting about, Google asking wtf they can do if their customers insist on using password123 and their gmail address for every sketchy site they create logins on, all of it

    Funny as hell

    Still laughing thinking about some random fat nerd discovering he has access to a baby cam and just going all Tourette syndrome and cursing

    1. Re:This is funny as hell by Tablizer · · Score: 3, Funny

      He blew an opportunity:

      1. Make the baby "cry" when it's not really crying to mess with the parents.

      2. Make the baby say phrases that borderline actual English and random baby gibberish. "I make doody shaped like Daddy's head" and the like. The parents will look at each other and go, "Did I hear what I think I heard?"

      3. Have the baby fart loudly when guests are over.

    2. Re:This is funny as hell by Anonymous Coward · · Score: 0

      Make the baby say phrases that borderline actual English and random baby gibberish. "I make doody shaped like Daddy's head" and the like. The parents will look at each other and go, "Did I hear what I think I heard?"

      I was thinking baby gibberish more along the lines of, "Fake News!! Fake News!! This whole Russier thing is a total WITCH HUNT!! You can't have border security without a WALL!!"

    3. Re:This is funny as hell by Anonymous Coward · · Score: 0

      For that particular "baby", they wouldn't notice anything different.

  4. Password Reuse by GavrielPlotke · · Score: 5, Funny
    1. Re:Password Reuse by Anonymous Coward · · Score: 0

      Oh boy, the bit with Google at the end hasn't aged well. It turns out all the people who were ethical got bored and left, and unethical people with a power gleam in their eye walked in behind them.

  5. god playing silly games again! by Anonymous Coward · · Score: 0

    Not to worry, it is just god dicking with ya! He hates techno shit! U gotta keep peeple stoopid in order for religious BS to work!

  6. Gotta lock it down by Anonymous Coward · · Score: 0

    Oh you know exactly why they are in there. He wants to "secure" his wife's vagina. It's like you didn't even notice what the guy's name was...

  7. So the guy had a weak password by PhrostyMcByte · · Score: 3, Insightful

    Yea, this is a bit of the owner's fault, but it seems like Nest could be doing a better job helping their customers secure their systems. Something like this happening wasn't an if, but a when.

    Considering how sensitive this kind of system is, I would expect Nest to have some really simple security features like basic access logs, notifying you of (and maybe blocking) unknown IPs, required 2FA, etc.

    This is why I'd never opt for some 3rd party managed system in my own home.

    1. Re:So the guy had a weak password by Highdude702 · · Score: 1

      Honestly they should get a copy of every info breach and just not allow them to be used. It's Google, it's not like they can't get that shit already.

    2. Re:So the guy had a weak password by Moridineas · · Score: 1

      Nest doesn’t offer 2FA. Not mandatory. I don’t know of any access logs.

    3. Re:So the guy had a weak password by Anonymous Coward · · Score: 0

      Or they could just integrate their system with Pwned Passwords, which is a service set up for this very purpose already.

    4. Re:So the guy had a weak password by ArsenneLupin · · Score: 1

      Or they could just integrate their system with Pwned Passwords [haveibeenpwned.com], which is a service set up for this very purpose already.

      Honestly, how would this work? Send every single one of their passwords to haveibeenpwned.com to have it verified? Then what if haveibeenpwned.com abuses this to build a nice database of passwords to attempt on each participating domain?
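How such an integration can work without handing over passwords, as an added example that is not part of the thread and not Nest's or haveibeenpwned.com's code; it also illustrates the earlier comment about the API you can send your own hash to. The Pwned Passwords range endpoint receives only the first five hex characters of the SHA-1 and returns every known suffix for that prefix, so the match is made locally; `FakeRangeService`, its breach counts and the sample passwords are constructed so the block runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines from a range response; skip malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in breach data; 0 means not found.

    Only the 5-character prefix is passed to fetch_range. The suffix, and
    therefore the full hash, never leaves this function.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range endpoint (not called below)."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class FakeRangeService:
    """Constructed stand-in for the remote side: it holds SHA-1 hashes of a
    few 'breached' passwords and records every prefix it is asked about."""

    def __init__(self, breached: Dict[str, int]):
        self.by_hash = {
            hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
            for p, n in breached.items()
        }
        self.seen: List[str] = []  # everything the service learned from callers

    def fetch(self, prefix: str) -> str:
        self.seen.append(prefix)
        return "\r\n".join(
            f"{h[5:]}:{n}" for h, n in self.by_hash.items() if h.startswith(prefix)
        )


def demo():
    # Constructed breach corpus and counts, not real figures.
    service = FakeRangeService({"password123": 1000, "1234": 5000, "12345": 4000})
    candidates = ("password123", "1234", "kT9#vq-Lw2!xZr8m")
    results = {pw: breach_count(pw, service.fetch) for pw in candidates}
    return results, service.seen


if __name__ == "__main__":
    results, seen = demo()
    for pw, n in results.items():
        print(f"{pw!r}: seen {n} times")
    print("service only saw:", seen)
```

A signup or password-change handler would call `breach_count(new_password, fetch_range_live)` and reject the password when the result is non-zero.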

    5. Re:So the guy had a weak password by thegarbz · · Score: 1

      but it seems like Nest could be doing a better job helping their customers secure their systems

      I'm wondering just what you think would be "better"? I mean Nest already offers 2FA, sends emails to customers encouraging the use of 2FA, and warns you about suspicious access (found this one out while on holiday in another country when I remembered we turned the heating off despite having a housesitter).

      This is why I'd never opt for some 3rd party managed system in my own home.

      All your criteria are already offered by Nest, so no this is not the reason you refuse to use it. There must be something else as well.

    6. Re:So the guy had a weak password by thegarbz · · Score: 1

      Honestly they should get a copy of every info breach

      Why? They offer and encourage the use of 2FA. If users won't go to basic lengths to protect themselves why should Nest go out of their way to do it?

      My login and password were reused and are in the Collection #1 leak. I'm not worried about my Nest.

    7. Re:So the guy had a weak password by Highdude702 · · Score: 1

      Because 2FA has been thwarted in the past, so might as well take all of the chance out. As I said it's not like they can't afford it. I would almost bet Project Zero has most of them already...

    8. Re:So the guy had a weak password by thegarbz · · Score: 1

      Because 2FA has been thwarted in the past

      Every security system in the world has been thwarted in the past. Just because locks can be picked doesn't mean I don't have a lock on my front door.

      My point still stands, the users affected here did not even put in basic precautions into their own protection. Why should Nest be responsible for improving their security when the users don't even use the tools at hand?

    9. Re:So the guy had a weak password by Highdude702 · · Score: 1

      I'm not disagreeing with you. I'm just saying eliminate the possibility of passwords from breaches should be eliminated. And possibly force 2FA for something like that. But those passwords should never be used because they are going to be in every current password list that is used by hackers. I don't think you realize how quick shit like that makes it around the underworld of the internet. So I personally think they should take multiple avenues for protection, but at the same time I couldn't care less because I would never allow someone else to control the "security" of my home. Not when it's so easy to build your own system that is secure if you have any knowledge of computers.

    10. Re:So the guy had a weak password by Highdude702 · · Score: 1

      I'm just saying eliminate the possibility of passwords from breaches should be eliminated

      I guess for redundancy, oops. Too early, not enough rockstar yet.

  8. Never by AndyKron · · Score: 0

    My X10 system never did that.

    1. Re:Never by Highdude702 · · Score: 1

      That's comparing apples to motorcycles. Also X10 fucking sucks ass.

      --Electrician with experience dealing with X10

    2. Re:Never by drinkypoo · · Score: 1

      That's comparing apples to motorcycles. Also X10 fucking sucks ass.

      If X10 had an ass-sucking peripheral, not only would it not turn on when you wanted to, but it would also turn itself on in the middle of the night and suck every ass in town.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Never by Highdude702 · · Score: 1

      Actually some of the most common service calls I had with them back in the day was "it won't turn on" or "it just turns on randomly" Hence my comment about it sucking ass. And they were even made here in wonderful Las Vegas.. Well really in scummy North Las Vegas (like all of Vegas isn't ghetto lol)

    4. Re:Never by q4Fry · · Score: 1

      I have it on good authority that motorcycles are much better than apples.

    5. Re:Never by Highdude702 · · Score: 1

      I was gonna try to say something funny back. But I was too stoned to think of anything but "If you like motorcycles". Some people's children...

  9. Negligence by zlives · · Score: 1

    Negligence or bad parenting for not securing the network... Child Services is on the way.

  10. Re:MOD UP by wolfheart111 · · Score: 1

    for this baby :P

    --
    [($)]
  11. Simple Password Rule by crow · · Score: 1

    Sites could implement a simple password rule: You may not use the same password and email address at other sites. To enforce this, you agree to allow the site to attempt to log in to other sites using the same information, and if successful, your account will be disabled.

    I would prefer it if that weren't necessary, but it looks like that's where we're heading.

    1. Re:Simple Password Rule by Cmdln+Daco · · Score: 2

      You think site B is going to say 'yes, we don't mind if site A sends its bot over here to try to log onto our users' accounts'.

      Is it a race for Site A and Site B to determine which one disables the account first? One or the other would be first, obviously.

    2. Re:Simple Password Rule by Anonymous Coward · · Score: 0

      both sites block both accounts and block each others IP address.

    3. Re:Simple Password Rule by Anonymous Coward · · Score: 1

      It's a stupid idea in general. What if one of the sites decided to keep a history of failed login attempts with the passwords in clear text. Now another site - perhaps one I don't have an account on could potentially have harvested my login & password for the site I was signing up to. Does that sound like a security improvement? This is why security should be left to the experts and not some Slashdot armchair experts.

    4. Re:Simple Password Rule by Anonymous Coward · · Score: 0

      Thereby compromising all credentials as at least one site will log failed login attempts thus gaining a list of everyone's credentials from other sites.

  12. Experience with 3 Nest cameras by Camembert · · Score: 1

    We have 3 Nest cameras as well. Chosen mainly because they seem to work very well without network hassles. Plus they have a wide angle lens, no need for a cam that needs to swivel around. Use case is remote checking on our twin toddlers and their day caretaker. Also handy is that if she calls us about an issue then we can immediately see it. Finally it is cool that it has support for many devices. Like, giving a tap warning on the Apple Watch when movement occurs - handy to be alerted when they come back home after playing outside for example.
    Anyway, while I think that the devices are wonderful, the lesson in the post is simply to use non-trivial passwords that you have not used anywhere else. Then it should be safe.

    1. Re:Experience with 3 Nest cameras by pgmrdlm · · Score: 1

      I just moved into a new apartment, and I will be placing cameras outside on my side. The inside camera will be watching my basement(storage).

      I do know one guy at work that has an attention deficit son who he has to constantly monitor. So, he has one on his front door in case the kid takes off without telling people.

      In the house/apartment in rooms other than a baby's. Only storage.

      --
      Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
    2. Re:Experience with 3 Nest cameras by n3r0.m4dski11z · · Score: 1

      what a depressing hellscape society has become when turning video cameras on your family for the purposes of monitoring is considered normal.

      --
      -
    3. Re:Experience with 3 Nest cameras by Anonymous Coward · · Score: 0

      You're a boring faggot of no value, nobody cares bitch.

    4. Re:Experience with 3 Nest cameras by Camembert · · Score: 1

      Context, dude. We are talking about babies-toddlers that we leave alone during the day with a daycare lady. We have the cameras since they were born and they are now exactly 2 years old. In a few years we won't need the cameras anymore.

    5. Re:Experience with 3 Nest cameras by pgmrdlm · · Score: 1

      Has your mother let you out of the basement recently coward? Afraid someone will rid the world of pussies like you? Beat you up, take your toys? I enjoy watching pussies like you die.

      --
      Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
    6. Re:Experience with 3 Nest cameras by Anonymous Coward · · Score: 0

      You're the only one interested in basements, go back to watching your basement cam you god damn misogynist.

    7. Re: Experience with 3 Nest cameras by Anonymous Coward · · Score: 0

      No, that is not the lesson. The lesson is do not connect your house to the internet. While most people see the advantages you describe, almost none seem to remember that connecting a device to the net means opening a door to the world.

      Handy for your computer or smartphone... But when people can actually stalk your life and loved ones... It's not that handy. And the only reason they knew it was happening is because the hacker decided to speak. Otherwise it would have been some pervert's private big brother.

    8. Re: Experience with 3 Nest cameras by Camembert · · Score: 1

      Well, why use the internet at all then? For us the cameras are very useful, not a gadget. What other solution would there be? One of us not working and staying home? It looks to me that Nest’s security implementation is good, we use an absolutely cryptic password that is not used anywhere else.

    9. Re:Experience with 3 Nest cameras by Anonymous Coward · · Score: 0

      You trust the person that you leave your kids with so little?
      Maybe pay more than minimum wage. Your kids, important? /me
      Have kids. Left them with people responsible.
      Partner works in child care, has never worked in front of a camera.

    10. Re:Experience with 3 Nest cameras by Anonymous Coward · · Score: 0

      A part of our garden isn't visible from the house, and a family member asked if I was going to put up a camera so I could see what the kids were up to there. My answer was "no, I don't want my kids under surveillance". Even if I'm the one doing the surveillance, it still doesn't seem like a good message for kids to grow up knowing that their every move was watched by their parents.

  13. Hacking or Social engineering ? by OppMan29 · · Score: 1

    Most of these users provide anyone with their password via stupid social tricks and then they think the software was hacked!

  14. internet passwords and people by n3r0.m4dski11z · · Score: 1

    Look, it's stupid ok, giving people internet connected things, with one of the main selling points being how easy it is to use, and then not expecting normal simple folk to use them.

    People are in so many databases. Databases will all be leaked eventually. People do not give a fuck about passwords, except that they are annoying. All these stories are an opportunity for engineers to solve the password problem. It's real, it's multiplying, and you can't really blame the users that much for reusing the odd password (or 10) when they may have 100 password protected accounts of some sort these days.

    --
    -
  15. Why do we still send passwords to web sites? by aberglas · · Score: 1

    It is the number one hack. And largely addressed by browsers 20 years ago.

    We only need to send a proof of possession of the password. The website only needs enough info to verify that we have it. A little crypto magic makes that very possible.

    Secure Remote Password.

    1. Re:Why do we still send passwords to web sites? by swillden · · Score: 2

      We only need to send a proof of possession of the password. The website only needs enough info to verify that we have it. A little crypto magic makes that very possible.

      This is false. I wish it were true, and I'd love it if you could explain what crypto can achieve this magic, but it can't be done.

      There are lots of ways to verify a password without sending a copy, but only when the server has a copy of the password, or something deterministically derived from it, to verify against. I can think of several ways to diversify passwords so as to automatically create a unique password per site, derived from the "real" password and information about the site (e.g. host or domain name)... but since the process will have to be deterministic it will be easy to recover the source password with a brute force search, and from there to generate the derived versions for all other sites.

      There is no crypto magic that allows you to remember only one password for all accounts and keeps someone who compromises one account database (or owns one, as in the XKCD) from discovering that password. To achieve security, it's necessary to have a unique, high-entropy secret per account, with no relationship between the secrets. Ideally, each secret should be an asymmetric private key, but since keeping track of a bunch of non-memorizable private keys requires a database, that's really not much better than just having a database of unique passwords. It's a little better, but not much, and really not in any significant ways.

      No, the solution to this problem is one we have already in hand: the lowly password keeper, i.e. lastpass et al. For web site passwords, I highly recommend the password databases integrated into most (all?) modern web browsers. Most (all?) of them offer the ability to automatically store a copy of the encrypted database in the cloud and automatically sync it to your browser on all devices you use. Most (all?) of them will also generate high-entropy random passwords for you.

      Actually, a slightly better solution is web single sign on using OAuth (which is essentially a cloud-based password store), especially if sites were to actually support arbitrary OAuth providers so you could pick from one of many. From a security perspective, the current widespread variation (log in with Facebook or Google) is fairly good, but it's too centralized. Given universal OAuth support, you could pick your OAuth provider of choice, or run your own OAuth server.

      But, honestly, your browser's built-in password database is almost as good, and you already have it and it works with all web sites not run by idiots and most web sites that are run by idiots[*]. Use it. Personally, I use Chrome's password store. I let it generate all my passwords so I remember only two: my Google login password and my "Chrome sync" password. The latter is used to derive the encryption key used to protect my password store while it sits on Google's servers. Using it means I can't use passwords.google.com to manage my saved passwords, but that's okay.

      There is one big caveat if you use a password database: Someone who gets into your machine can get all of your passwords. If you use only a handful of passwords this is probably true even without a password database, and it's definitely true that if someone compromises your machine while it's still in your possession they can simply snarf your passwords as you enter them. Plus, there's all of the other data about you on your machine. This just highlights the fact that your computers need to be well-secured. Patched up, with disk encryption enabled and with strong login passwords. And don't leave them unlocked and unattended. And note that "computer" includes phone, tablet, etc.

      [*] Many bank web sites engage in a particularly obnoxious brand of idiocy, in which they actively attempt to prevent the use of browser password stores. Their theory is that your password to their web site is so critically important that y

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:Why do we still send passwords to web sites? by Anonymous Coward · · Score: 0

      Nope.

      Google it. Secure Remote Password. (SRP)

      Public keys can do it easily, the client just signs a proof of possession request. Server only needs public key.

      But SRP is much better because it works with short passwords.

    3. Re:Why do we still send passwords to web sites? by swillden · · Score: 1

      Google it. Secure Remote Password. (SRP)

      Sigh. You didn't read the post you responded to. That still requires the server to have a copy of the password.

      Public keys can do it easily, the client just signs a proof of possession request. Server only needs public key.

      Yep. From the post you replied to:

      To achieve security, it's necessary to have a unique, high-entropy secret per account, with no relationship between the secrets. Ideally, each secret should be an asymmetric private key, but since keeping track of a bunch of non-memorizable private keys requires a database, that's really not much better than just having a database of unique passwords. It's a little better, but not much, and really not in any significant way.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Why do we still send passwords to web sites? by jbmartin6 · · Score: 1

      I understand SRP is "resistant" to attacks against the information held on the server. But I don't know more about what that means. I suspect it just forces the server to use a decent hash/salt approach rather than leave the window open to using a weak or no hash.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    5. Re:Why do we still send passwords to web sites? by houghi · · Score: 1

      Many bank web sites engage in a particularly obnoxious brand of idiocy

      At this moment I have to drag around 4 key generators to use during a login process. Each one uses a different process to log in.

      One bank asks me to put in the card in the reader, so I can enter a pin, so I can enter a code that I can enter on the website.
      That same bank also owns a different brand where all this is not needed. I just log in, they send me the code via SMS and be done. The amounts I can handle on the second are much larger than the first.

      And at work, where I have yet another key maker, I can not even install or reach a key manager. And it is there where I would need it, if anything else but remember the logins I was not allowed to select myself.

      --
      Don't fight for your country, if your country does not fight for you.
    6. Re:Why do we still send passwords to web sites? by swillden · · Score: 1

      I understand SRP is "resistant" to attacks against the information held on the server. But I don't know more about what that means. I suspect it just forces the server to use a decent hash/salt approach rather than leave the window open to using a weak or no hash.

      In SRP, the server stores a value computed from the password. The computation involves a salted hash and then a modular exponentiation, but it's not particularly slow/expensive. Good SRP implementations should use a proper password-based key derivation function in place of the hash, to increase the computation required to recover the password via brute force search... but "increase the difficulty" is all that can be done, and if you put your password into Black Hat's server, none of that even matters.

      Even with SRP, you still need strong, unique passwords. Which means you need a password database.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
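The verifier computation described in the comment above, as an added example that is not part of the thread and not taken from any SRP library. It assumes the 1024-bit group from RFC 5054 Appendix A, SHA-256 as the salted hash and PBKDF2 as the key derivation function; the user name, salt, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: 1024-bit group (N, g=2) from RFC 5054 Appendix A.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample salt

def x_salted_hash(user, password, salt):
    """Private exponent from a plain salted hash: cheap to recompute per guess."""
    inner = hashlib.sha256(f"{user}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")

def x_pbkdf2(user, password, salt, iterations=100_000):
    """Private exponent from a password-based KDF: same structure, costlier per guess."""
    dk = hashlib.pbkdf2_hmac("sha256", f"{user}:{password}".encode(), salt, iterations)
    return int.from_bytes(dk, "big")

def enroll(user, password, salt, derive_x=x_pbkdf2):
    """Record the server keeps: user, salt and v = g^x mod N (never the password)."""
    return {"user": user, "salt": salt, "v": pow(G, derive_x(user, password, salt), N)}

def verifier_matches(record, candidate, derive_x=x_pbkdf2):
    """True if candidate reproduces the stored verifier. Only the stored record
    is needed, so anyone holding a leaked record can run this check offline."""
    v = pow(G, derive_x(record["user"], candidate, record["salt"]), N)
    return hmac.compare_digest(v.to_bytes(128, "big"), record["v"].to_bytes(128, "big"))

def reused_from_breach(record, breached_passwords, derive_x=x_pbkdf2):
    """Defensive audit: is this account's password one already exposed elsewhere?"""
    return any(verifier_matches(record, p, derive_x) for p in breached_passwords)

if __name__ == "__main__":
    breached = ["123456", "password", "hunter2"]        # constructed sample list
    weak = enroll("alice", "hunter2", SALT)
    strong = enroll("alice", "mV7#qLx2!pRz9@Tn", SALT)  # constructed sample
    print("weak flagged:", reused_from_breach(weak, breached))
    print("strong flagged:", reused_from_breach(strong, breached))
```

The KDF only raises the cost of each candidate check; a password that already appears in a breach list is still matched on the first pass, which is why the unique, high-entropy password matters even with SRP.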
    7. Re:Why do we still send passwords to web sites? by Anonymous Coward · · Score: 0

      It's easily done. When you sign up, your browser generates a key pair and sends the site the public key. You can later on sign nonces to verify you own the private half. If the key pair is generated from a password and the site's domain or a special http header, then you keep all the benefits of password authentication with the only drawback being the typical: Don't use a short password.

      Extra benefits:
      It's dead simple.
      No need to do expensive hashing operations like bcrypt to slow down a brute force attacker.
      You have a public key for your user! This is awesome and could be leveraged for all kinds of things.
      Key generation and storage doesn't have to be password based, you can use any local method you want. You could even use just one key everywhere if you protect it well enough.

      Cons:
      Requires browsers to actually implement something useful.
      Hashes are only 32/64 bytes, but keys are 128/256 bytes and the server has to store a key per user.

    8. Re:Why do we still send passwords to web sites? by swillden · · Score: 1

      You didn't read the post you replied to.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  16. I had this walkie talkie... by Anonymous Coward · · Score: 0

    ...that could pick up a baby monitor. So I started responding back, making scary threats and all. Never knew if the parents heard it, but I like to imagine they did.

  17. "I was shocked to hear a deep, manly voice talkin by Anonymous Coward · · Score: 0

    Seems like you got what you wanted, a surveillance device. Hope you learned your lesson, otherwise no sympathies here.

  18. Cloud services by Bert64 · · Score: 3, Informative

    Devices like this should be standalone, not tied into an external cloud service...
    You the owner of the device should decide exactly who has access, and be ultimately responsible if you choose weak passwords or fail to further protect the system with an additional layer such as a VPN.

    I have CCTV at home, it requires that I first connect to a VPN in order to access it from outside. The cameras themselves are probably horrendously insecure, but they don't connect directly to the internet and are only accessed through a VPN which is actively maintained and gives me a reasonable level of confidence that no one other than myself has access.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Cloud services by thegarbz · · Score: 1

      You the owner of the device should decide exactly who has access, and be ultimately responsible if you choose weak passwords or fail to further protect the system with an additional layer such as a VPN.

      You're talking about a device which offers 2FA which users don't bother using, where users are also clearly reusing passwords.

      What makes you think giving the user more control would in any way make the system safer? I'll wager you the result would be the exact opposite.

  19. Lullabies by Anonymous Coward · · Score: 0

    I'm sure the hacker just sang some lullabies to the baby to compensate for his own lack of family. Then those annoyingly protective parents came to deprive him of this fundamental biological driver and the touch of his feminine side. No wonder he hurled obscenities at the parents.

  20. That's IoT for you. by Qbertino · · Score: 1

    You're welcome.

    --
    We suffer more in our imagination than in reality. - Seneca
  21. Everything is "hacking"... by Anonymous Coward · · Score: 0

    ... when BeauHD or msmash are involved.

    Because clickbait. You "hacking"-clicking shmuck, you.

  22. Goatse.cx by ArthurVandelay9092 · · Score: 1

    Why is he looking back at me?

  23. rofllll by Anonymous Coward · · Score: 0

    How is babby formed?
