Hacker Spoke To Baby and Hurled Obscenities At Couple Using Nest Camera, Dad Says (cbsnews.com)
pgmrdlm shares a report from CBS News: An Illinois couple said a hacker spoke to their baby through one of their Nest security cameras and then later hurled obscenities at them, CBS station WBBM-TV reports. Arjun Sud told the station he was outside his 7-month-old son's room Sunday outside Chicago and he heard someone talking. "I was shocked to hear a deep, manly voice talking," Sud said. "My blood ran cold." Sud told WBBM-TV he thought the voice was coming over the baby monitor by accident. But it returned when he and his wife were downstairs. The voice was coming from another of the many Nest cameras throughout the couple's Lake Barrington house. "Asking me, you know, why I'm looking at him -- because he saw obviously that I was looking back -- and continuing to taunt me," Sud said. Later that night, Arjun Sud noticed the Nest thermostat they have upstairs had been raised to 90 degrees. He suspected the hacker was behind that too. Nest's parent company, Google, said in a statement that Nest's system was not breached. Google said the recent incidents stem from customers "using compromised passwords exposed through breaches on other websites."
But I am sure as hell not letting anyone adjust my thermostat over the internet, or watch me (WHATEVER) either.
First law of people: People are generally stupid.
https://xkcd.com/792/
Yea, this is a bit of the owner's fault, but it seems like Nest could be doing a better job helping their customers secure their systems. Something like this happening wasn't an if, but a when.
Considering how sensitive this kind of system is, I would expect Nest to have some really simple security features like basic access logs, notifying you of (and maybe blocking) unknown IPs, required 2FA, etc.
This is why I'd never opt for some 3rd party managed system in my own home.
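The access-log review the comment above asks for, sketched in Python as an added example (it is not Nest's code and not from any commenter): each login line is checked against the networks the owner has already logged in from, repeated failures from one source are blocked, and a success from a blocked source is flagged as a likely compromised password. The log format, the sample lines, the /24 granularity and the thresholds are all constructed for the demo.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real device output):
# "<ISO timestamp> <account> <source IP> <ok|fail>"
SAMPLE_LOG = """\
2019-01-20T08:01:12Z alice 203.0.113.7 ok
2019-01-20T19:44:03Z alice 203.0.113.7 ok
2019-01-21T02:10:41Z alice 198.51.100.23 fail
2019-01-21T02:10:55Z alice 198.51.100.23 fail
2019-01-21T02:11:20Z alice 198.51.100.23 ok
2019-01-21T09:30:00Z alice 203.0.113.9 ok
"""

FAIL_THRESHOLD = 2             # failures from one source within WINDOW => block that source
WINDOW = timedelta(minutes=10)


def parse_line(line):
    ts, account, ip, outcome = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            account, ipaddress.ip_address(ip), outcome)


def review_log(log_text, known_networks=None):
    """Walk the log in order and return (alerts, blocked_ips).

    known_networks: {account: ["203.0.113.0/24", ...]} of networks the owner
    has already logged in from.  A successful login from any other /24 raises
    a 'first login' alert, after which that network is remembered.
    """
    trusted = defaultdict(set)
    for account, nets in (known_networks or {}).items():
        trusted[account] = {ipaddress.ip_network(n) for n in nets}
    failures = defaultdict(list)      # (account, ip) -> recent failure timestamps
    blocked = set()
    alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, account, ip, outcome = parse_line(raw)
        key = (account, ip)

        if outcome != "ok":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
            failures[key] = recent
            if len(recent) >= FAIL_THRESHOLD and ip not in blocked:
                blocked.add(ip)
                alerts.append(f"{ts.isoformat()} {account}: {len(recent)} failures "
                              f"from {ip} within {WINDOW}; source blocked")
            continue

        # Successful login.
        if ip in blocked:
            alerts.append(f"{ts.isoformat()} {account}: login from {ip} succeeded after "
                          f"repeated failures; treat password as compromised, require 2FA/reset")
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if net not in trusted[account]:
            alerts.append(f"{ts.isoformat()} {account}: first login from {net} ({ip}); notify owner")
            trusted[account].add(net)

    return alerts, blocked


if __name__ == "__main__":
    for line in review_log(SAMPLE_LOG)[0]:
        print(line)
```

Seeding `known_networks` with the owner's home network suppresses the first alert; the failure/success sequence from the second address is flagged either way, which is the pattern a credential-stuffing login from a breached password list produces.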
He blew an opportunity:
1. Make the baby "cry" when it's not really crying to mess with the parents.
2. Make the baby say phrases that borderline actual English and random baby gibberish. "I make doody shaped like Daddy's head" and the like. The parents will look at each other and go, "Did I hear what I think I heard?"
3. Have the baby fart loudly when guests are over.
Table-ized A.I.
You think site B is going to say 'yes, we don't mind if site A sends its bot over here to try to log onto our users' accounts'.
Is it a race for Site A and Site B to determine which one disables the account first? One or the other would be first, obviously.
Devices like this should be standalone, not tied into an external cloud service...
You the owner of the device should decide exactly who has access, and be ultimately responsible if you choose weak passwords or fail to further protect the system with an additional layer such as a VPN.
I have CCTV at home, it requires that I first connect to a VPN in order to access it from outside. The cameras themselves are probably horrendously insecure, but they don't connect directly to the internet and are only accessed through a VPN which is actively maintained and gives me a reasonable level of confidence that no one other than myself has access.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
We only need to send a proof of possession of the password. The website only needs enough info to verify that we have it. A little crypto magic makes that very possible.
This is false. I wish it were true, and I'd love it if you could explain what crypto can achieve this magic, but it can't be done.
There are lots of ways to verify a password without sending a copy, but only when the server has a copy of the password, or something deterministically derived from it, to verify against. I can think of several ways to diversify passwords so as to automatically create a unique password per site, derived from the "real" password and information about the site (e.g. host or domain name)... but since the process will have to be deterministic it will be easy to recover the source password with a brute force search, and from there to generate the derived versions for all other sites.
There is no crypto magic that allows you to remember only one password for all accounts and keeps someone who compromises one account database (or owns one, as in the XKCD) from discovering that password. To achieve security, it's necessary to have a unique, high-entropy secret per account, with no relationship between the secrets. Ideally, each secret should be an asymmetric private key, but since keeping track of a bunch of non-memorizable private keys requires a database, that's really not much better than just having a database of unique passwords. It's a little better, but not much, and really not in any significant ways.
No, the solution to this problem is one we have already in hand: the lowly password keeper, i.e. lastpass et al. For web site passwords, I highly recommend the password databases integrated into most (all?) modern web browsers. Most (all?) of them offer the ability to automatically store a copy of the encrypted database in the cloud and automatically sync it to your browser on all devices you use. Most (all?) of them will also generate high-entropy random passwords for you.
Actually, a slightly better solution is web single sign on using OAuth (which is essentially a cloud-based password store), especially if sites were to actually support arbitrary OAuth providers so you could pick from one of many. From a security perspective, the current widespread variation (log in with Facebook or Google) is fairly good, but it's too centralized. Given universal OAuth support, you could pick your OAuth provider of choice, or run your own OAuth server.
But, honestly, your browser's built-in password database is almost as good, and you already have it and it works with all web sites not run by idiots and most web sites that are run by idiots[*]. Use it. Personally, I use Chrome's password store. I let it generate all my passwords so I remember only two: my Google login password and my "Chrome sync" password. The latter is used to derive the encryption key used to protect my password store while it sits on Google's servers. Using it means I can't use passwords.google.com to manage my saved passwords, but that's okay.
There is one big caveat if you use a password database: Someone who gets into your machine can get all of your passwords. If you use only a handful of passwords this is probably true even without a password database, and it's definitely true that if someone compromises your machine while it's still in your possession they can simply snarf your passwords as you enter them. Plus, there's all of the other data about you on your machine. This just highlights the fact that your computers need to be well-secured. Patched up, with disk encryption enabled and with strong login passwords. And don't leave them unlocked and unattended. And note that "computer" includes phone, tablet, etc.
[*] Many bank web sites engage in a particularly obnoxious brand of idiocy, in which they actively attempt to prevent the use of browser password stores. Their theory is that your password to their web site is so critically important that y
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
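The argument in the post above, worked through in Python as an added example (not the commenter's code and not any product's): a per-site password derived deterministically from a master password ties every account to that master, so one leaked derived value lets the breached site (or its owner, as in the XKCD) test guesses for the master and then reproduce the password for every other site, whereas independent random secrets of the kind a password manager generates have no such link. The site names, the candidate list and the deliberately low PBKDF2 iteration count are constructed for the demo.

```python
import base64
import hashlib
import secrets

# Deliberately low so the demo runs quickly.  A real scheme would use far more,
# but a higher cost only slows the search in recover_master(); it does not prevent it.
ITERATIONS = 1000


def derive_site_password(master, site):
    """Deterministic per-site password: PBKDF2(master, site).  Same inputs, same output."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), ITERATIONS, dklen=15)
    return base64.urlsafe_b64encode(raw).decode()   # 20 printable characters


def recover_master(site, leaked_password, candidates):
    """What whoever holds one leaked derived password can do: try candidate master
    passwords until one reproduces it.  Returns the master, or None if no candidate fits."""
    for guess in candidates:
        if derive_site_password(guess, site) == leaked_password:
            return guess
    return None


def independent_password(nbytes=15):
    """Password-manager approach: a fresh random secret per site, unrelated to any other."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode()


# Constructed demo values.
SITES = ["bank.example", "forum.example", "shop.example"]
CANDIDATES = ["password1", "letmein", "Tr0ub4dor&3", "correcthorse", "hunter2"]


def demo_linked(master="Tr0ub4dor&3", leaked_site="forum.example"):
    """One leaked derived password exposes the master and hence every other site.
    Returns {site: password} for all sites, or None if the master was not found."""
    leaked = derive_site_password(master, leaked_site)
    found = recover_master(leaked_site, leaked, CANDIDATES)
    if found is None:
        return None
    return {site: derive_site_password(found, site) for site in SITES}


def demo_unlinked(leaked_site="forum.example"):
    """The same leak against independent random passwords: there is no master to
    recover, and the other vault entries are unaffected.  Returns recover_master's result."""
    vault = {site: independent_password() for site in SITES}
    return recover_master(leaked_site, vault[leaked_site], CANDIDATES)


if __name__ == "__main__":
    print("derived scheme, one leak ->", demo_linked())
    print("independent secrets, one leak ->", demo_unlinked())
```

The candidate list stands in for the large wordlists a real search would use; the point is that the derivation being deterministic is what makes the search possible at all, and that the vault of independent secrets offers it nothing to test against.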