It's a device that includes software. "Zero day" usually means bugs that are present and known about before release of a software version, usually a standalone software version rather than a hardware+software bundle. It's a blurry line though; I'd consider a smart phone to be a computer plus software, whereas a lock like this I'd normally consider to be a device (software is not readily upgradeable by the consumer).
How do we know the manufacturer is not contacting them privately, or is working on a fix, preparing a recall, etc? All we know is that they're not working under the same time line as the blogger.
But as soon as you disclose any vulnerabilities, burglars can bypass the lock before there is a chance to buy a replacement.
No one is sweeping this under the rug. However the blogger seems to think they should work under his own self imposed time table. He's not doing anyone any favor by releasing the info.
NYC also has NIMBYism that prevents solving a lot of the problems. They really have the worst solution to dealing with garbage than just about any other first world city: they ship it somewhere else.
You will piss of a lot of people though. "Zero day" is an amorphous term, and probably doesn't apply here anyway. This was an existing product already in use. And it's not a software product, you can't fix it by releasing patches. Doesn't matter if he's asking for money or not, he's threatening, indirectly, to damage their company and cause widespread damage to their customers. All so he can get a blog entry and impress some friends, not so that he can fix a bug.
I've been doing mesh stuff for over a decade, though I'm not the expert in it. This is not easy stuff. There's some of it that might work in this case though: assume everyone is near enough to each other for good connectivity, and waste power and bandwidth because you're constantly reevaluating your routes but that's ok because these are probably constantly powered laptops. Ie, a dorm room.
But it's not going to work well for longer and less reliable links. They'll need to do the sorts of things that wifi doesn't do (I'm assuming wifi because they don't sound like the people to design their own radios). Then there will be the mess of optimizing their network so someone isn't stuck with horrid latency because of all the hops necessary to reach them. Line of sight issues are messy and need optimization too, probably need repeater or bridge nodes. If the nodes are mobile then the constant updating of routing tables wil screw things up as you move from one internet bridge to another. Maybe better if you have immobile wifi hotspots which are then connected to a mesh, an idea that's been around awhile.
Why would the EFF get involved in unethical and probably illegal schemes?
The letter essentially states, paraphrased: "I'm going to write details on how to crack your locks and post it to the world in 30 days, do you have any comments before all your customers get screwed?" The blogger is going to be sued into ashes.
This is NOT security through obscurity, what a moronic idea. It is impossible to get a fix or replacements out to all of these locks in such a short time frame.
You think they can recall and replace all these locks in thirty days?
Ethics does suggest that you should notify the company if you find flaws. But there are no morals or ethics that require you to tell everyone in the world how to exploit these flaws, but that does actually fall very deeply into illegal territory instead. There's a huge difference between telling people that a device is not 100% secure versus telling them how to break in.
This is sort of like a bomb threat. You tell them about the bomb, give them an estimate of how long it should take to respond and disarm the bomb (an estimate pulled out of one's ass by the way), then when it explodes you claim it was all their fault for being slow.
In other words, if one party sucks, the other party can break federal and state laws on extortion? I'm sorry if I can't find this reasoning listed in the ethical hacker handbook.
This is not really the problem. These locks can not be upgraded over the network, there is no Tuesday patch day for them. It is not feasable to replace all locks from all customers within 30 days. Only a complete ass clown would post these details. It's like finding a bug that allows you to bypass security to get customer credit card numbers, then threatening to release all those numbers within 30 days.
You can not possibly assume that every company that makes a physical device needs to have a 100% perfect device for their first version, and yet that's what is sort of implied here, either have a perfect device or any bug will screw you over and all of your customers. Either that or all physical devices need to be on the internet for remote control upgrades, which sounds like an even worse scenario.
No, instead: find the bugs, report the bugs, and don't be a whale's tool by screwing them over.
My phone refuses to upgrade. It dies with an obscure error that google is no help with. So I'll stick with it until the next phone. Maybe in another 5 years or so.
I did for awhile. Then I went and bought a physical copy of a game, from a series that never had DRM or even really serious copy protection, only to find out when it showed up in the mail that it required Steam...
Since then I've gotten a few more. Usually when there's a really cheap summer sale and the price is low enough that the DRM is ok, because $3 for a game that is only "rented" and with forced upgrades seems a reasonable price.
In particular, Portal and especially Portal 2 are worth selling a pound of your soul. Skip Half Life 2 though, it will only destroy your fond nostalgia for Half Life 1.
I did pay full price for Wasteland 2 on Steam, pre-release. But I was foolishly thinking that it was not available on GOG.com, and maybe I was drinking a bit too. I still kick myself over that. There's no DRM for Wasteland 2 at least, but any patches have to come through Steam.
I have some games I would like to return, or at least give away for free, but I'm stuck with them. Oh well. (lego harry potter, someone said it was fun, but I can't figure it out, it's like it's designed for a minimum of 2 players and a console controller)
The older DOS games and many of the indie games are all on GOG anyway, usually for the same sales price as each other. So the line that Steam has the best sales and is the best supporter of indie is just wrong.
Yes, I've used it for that purpose. Though I tend to go for the $2.50 titles for things that tend to grind the DVD a lot while trying to install a game.
You don't have to use the launcher. Even with Steam you don't need their crappy launcher (you can't use the launcher for things like Skyrim if you want to use the script extender).
I'd rather being doing Ada (which I'm not) than doing some brand new language that every kid in the world thinks is the next best thing ever. Modern versions of Ada are pretty good, no reason not to do them other than the coolness factor.
The popular languages are not ones that will give you a strong and steady career. The popular languages are the ones where companies want to hire the cheapest programmers who claim to know it, no matter where in the world they live.
This is Microsoft. Vendor lock in is the one and only goal. Do not believe their marketing that they have changed their stripes and are now proud supporters of open source. Their track record says that they are not trustworthy. Trust must be earned.
You usually can not take any old Windows.NET application and run it under Mono without porting it. Therefore, as a "run everywhere" platform it is lacking. The entire goal of microsoft in creating.NET was to kill the cross platform applications, after they lost out in controlling/subverting Java.
But I presume it must be made public before it can be voted upon.
If the bill is created in secret, then that's ok. However it needs to be fully accessible before it is voted upon.
It's a device that includes software. "Zero day" usually means bugs that are present and known about before release of a software version, usually a standalone software version rather than a hardware+software bundle. It's a blurry line though; I'd consider a smart phone to be a computer plus software, whereas a lock like this I'd normally consider to be a device (software is not readily upgradeable by the consumer).
How do we know the manufacturer is not contacting them privately, or is working on a fix, preparing a recall, etc? All we know is that they're not working under the same time line as the blogger.
But as soon as you disclose any vulnerabilities, burglars can bypass the lock before there is a chance to buy a replacement.
No one is sweeping this under the rug. However the blogger seems to think they should work under his own self imposed time table. He's not doing anyone any favor by releasing the info.
NYC also has NIMBYism that prevents solving a lot of the problems. They really have the worst solution to dealing with garbage than just about any other first world city: they ship it somewhere else.
You will piss of a lot of people though. "Zero day" is an amorphous term, and probably doesn't apply here anyway. This was an existing product already in use. And it's not a software product, you can't fix it by releasing patches. Doesn't matter if he's asking for money or not, he's threatening, indirectly, to damage their company and cause widespread damage to their customers. All so he can get a blog entry and impress some friends, not so that he can fix a bug.
I've been doing mesh stuff for over a decade, though I'm not the expert in it. This is not easy stuff. There's some of it that might work in this case though: assume everyone is near enough to each other for good connectivity, and waste power and bandwidth because you're constantly reevaluating your routes but that's ok because these are probably constantly powered laptops. Ie, a dorm room.
But it's not going to work well for longer and less reliable links. They'll need to do the sorts of things that wifi doesn't do (I'm assuming wifi because they don't sound like the people to design their own radios). Then there will be the mess of optimizing their network so someone isn't stuck with horrid latency because of all the hops necessary to reach them. Line of sight issues are messy and need optimization too, probably need repeater or bridge nodes. If the nodes are mobile then the constant updating of routing tables wil screw things up as you move from one internet bridge to another. Maybe better if you have immobile wifi hotspots which are then connected to a mesh, an idea that's been around awhile.
Why would the EFF get involved in unethical and probably illegal schemes?
The letter essentially states, paraphrased: "I'm going to write details on how to crack your locks and post it to the world in 30 days, do you have any comments before all your customers get screwed?" The blogger is going to be sued into ashes.
This is NOT security through obscurity, what a moronic idea. It is impossible to get a fix or replacements out to all of these locks in such a short time frame.
"Researcher" is just like "journalist". Give yourself that title on the internet and plenty of fools will believe you.
You think they can recall and replace all these locks in thirty days?
Ethics does suggest that you should notify the company if you find flaws. But there are no morals or ethics that require you to tell everyone in the world how to exploit these flaws, but that does actually fall very deeply into illegal territory instead. There's a huge difference between telling people that a device is not 100% secure versus telling them how to break in.
This is sort of like a bomb threat. You tell them about the bomb, give them an estimate of how long it should take to respond and disarm the bomb (an estimate pulled out of one's ass by the way), then when it explodes you claim it was all their fault for being slow.
In other words, if one party sucks, the other party can break federal and state laws on extortion? I'm sorry if I can't find this reasoning listed in the ethical hacker handbook.
This is not really the problem. These locks can not be upgraded over the network, there is no Tuesday patch day for them. It is not feasable to replace all locks from all customers within 30 days. Only a complete ass clown would post these details. It's like finding a bug that allows you to bypass security to get customer credit card numbers, then threatening to release all those numbers within 30 days.
You can not possibly assume that every company that makes a physical device needs to have a 100% perfect device for their first version, and yet that's what is sort of implied here, either have a perfect device or any bug will screw you over and all of your customers. Either that or all physical devices need to be on the internet for remote control upgrades, which sounds like an even worse scenario.
No, instead: find the bugs, report the bugs, and don't be a whale's tool by screwing them over.
My phone refuses to upgrade. It dies with an obscure error that google is no help with. So I'll stick with it until the next phone. Maybe in another 5 years or so.
I did for awhile. Then I went and bought a physical copy of a game, from a series that never had DRM or even really serious copy protection, only to find out when it showed up in the mail that it required Steam...
Since then I've gotten a few more. Usually when there's a really cheap summer sale and the price is low enough that the DRM is ok, because $3 for a game that is only "rented" and with forced upgrades seems a reasonable price.
In particular, Portal and especially Portal 2 are worth selling a pound of your soul. Skip Half Life 2 though, it will only destroy your fond nostalgia for Half Life 1.
I did pay full price for Wasteland 2 on Steam, pre-release. But I was foolishly thinking that it was not available on GOG.com, and maybe I was drinking a bit too. I still kick myself over that. There's no DRM for Wasteland 2 at least, but any patches have to come through Steam.
I have some games I would like to return, or at least give away for free, but I'm stuck with them. Oh well. (lego harry potter, someone said it was fun, but I can't figure it out, it's like it's designed for a minimum of 2 players and a console controller)
The older DOS games and many of the indie games are all on GOG anyway, usually for the same sales price as each other. So the line that Steam has the best sales and is the best supporter of indie is just wrong.
Yes, I've used it for that purpose. Though I tend to go for the $2.50 titles for things that tend to grind the DVD a lot while trying to install a game.
Steam overlay is the first thing I turn off. I don't see the point of it at all.
True, GOG can't retroactively add DRM to games you already have purchased and downloaded.
You don't have to use the launcher. Even with Steam you don't need their crappy launcher (you can't use the launcher for things like Skyrim if you want to use the script extender).
I'd rather being doing Ada (which I'm not) than doing some brand new language that every kid in the world thinks is the next best thing ever. Modern versions of Ada are pretty good, no reason not to do them other than the coolness factor.
The popular languages are not ones that will give you a strong and steady career. The popular languages are the ones where companies want to hire the cheapest programmers who claim to know it, no matter where in the world they live.
We're treating them all the same because... Dice.
MUMPS is alive and well. Well, alive and not dead yet anyway.
This is Microsoft. Vendor lock in is the one and only goal. Do not believe their marketing that they have changed their stripes and are now proud supporters of open source. Their track record says that they are not trustworthy. Trust must be earned.
You usually can not take any old Windows .NET application and run it under Mono without porting it. Therefore, as a "run everywhere" platform it is lacking. The entire goal of microsoft in creating .NET was to kill the cross platform applications, after they lost out in controlling/subverting Java.
If you are optimizing for pay, learn ALL the languages, because whichever one you choose may become obsolete in a couple of years.