I don't think I've ever had a robo-call in my life in Australia, unless you count the ones that connect you to a call-centre operator a second or two after you answer.
Why wouldn't you count those? Those certainly are robocalls. Predictive dialers make the call and then pass you off to the first available human scam artist.
If you're thinking only of the "call and play a recorded message" abuses as "robocalls", then you ought to know that predictive dialers/human scum are even worse than recorded messages. Getting calls that immediately hang up on you because there wasn't a human ready to patch in is worse than the stock recorded message.
The best method to discourage sales or political calls is to engage them in useless time consuming discussion
So they push the button that says they weren't able to contact you and your number goes back into the pool to be called again (sometimes within five minutes or less), and they hang up. You've wasted your time answering the call and trying to talk to them. The predictive dialer has handed them another victim to talk to before you have time to hang up the phone.
Around here, they commandeer the cable systems to deliver emergency notifications, and this then imposes these warnings on every channel. Even the ones you aren't subscribed to.
If you aren't subscribed to it, how do you know the notification appears there? Hmm???
In fact, on modern systems, the notification appears on one channel (when it is a required cable system test and not just the local station) and your cable box is instructed remotely to tune to that channel. It is then supposed to be instructed to tune back when the test is over, but sometimes that fails. It seems to be a setting in the local system, because my HD Homerun system would switch to but not back from the notice until I called them and they contacted Comcast.
And IIRC, the law requires that channel to be available on a standard analog channel for people who don't have digital service in a system. That was CSPAN in our system. For a long time after Comcast went all-digital, the two analog channels you could still get on a standard old TV were the channel telling you that everything had moved to digital and you needed to call Comcast for a digital adapter, and CSPAN.
My TV doesn't do a good job of notifying me...
- when I'm at work. no live TV within view.
- when I'm driving to and from work. Radio? Not when I'm listening to streaming whatever.
And my telephone does absolutely nothing to notify me in either situation. It can ring and ring and ring all it wants, there's nobody home in either case to hear it. Just my poor, overworked answering machine.
Our county crowed about how it has paid a company to do robocalling for emergency events. I called the company and told them to remove my number from that list, as the law allows me to do. They said they could not. The county decided to test the system. During the day. About 2PM. Do you know how many people aren't home at 2PM on a weekday, but have answering machines? The county found out -- a very large number of them called the emergency dispatch center when they got home to find out what the message meant. The center was overloaded that night. Instead of learning from that problem, they tested it again. At 2PM on a weekday. But they solved the problem by bringing in volunteers to deal with the flood of calls. "911 what's your emergency?" followed by a quick forward to a volunteer to deal with the complaints. This has now taught the public that getting a call like that is meaningless and it can be ignored. Good job, county.
But outlawing robocallers would be tossing the baby with the bathwater.
The phrase "baby with the bathwater" assumes that there is something of precious value in with the valueless, even objectionable and polluted, surrounding media. That is an assumption that is not valid when it comes to "robocalling". Robocalling should be illegal, period, end of sentence. There is nothing of value that necessitates such abuse of the telephone system.
The closest to useful I've ever found these things are when my doctor's office uses one to call to remind me of an appointment. But since the robocall makes NO attempt to verify that it got the right number or that it is speaking to the patient involved, I consider that a clear violation of HIPAA laws. Suppose your husband answers the phone and hears a recording saying "this is a notice from XYZ clinic reminding Joan that she has an appointment with Doctor Schlub tomorrow at 2PM." "Dear, why are you seeing Doctor Schlub? I found him in the phone book, and he specializes in abortions..."
But politicians already had exemptions for "political" calls, and charities, and other common abuses. And the FCC and FTC have done NOTHING to stop the ceaseless "consider this your last notice concerning the stimulus act" credit card fraud. And I'm getting veiled threats from an alarm system company that tells me how often homes like mine are broken into. Not in so many words, but clearly "wouldn't it be a shame for sumptin bad to happen to your beautiful house?"
One of the recent robocallers was from a petition drive seeking to make voting records private in the state of Oregon. That's so bad people cannot get access to your name or other information. The irony that they almost certainly used the voter records to create their caller list was not lost.
As for not answering "numbers I don't recognize", these robocallers can spoof any number they want to. I've gotten calls from "US Government", the state of Florida, and from my own phone number. I don't answer ANY calls anymore. If the message isn't compelling enough to get me to call back, too bad for you.
The stupid robocallers can detect answering machines, and they still leave a message saying "it's important we speak to you", leaving no callback number, and telling the answering machine to "press 1" to speak to a representative. No, there is nothing of value in robocalling, it's vile, disgusting and unnecessary.
I genuinely don't understand why I can't get a power reading from every single light AND socket in the house... I understand it should cost more to do and it's more complicated but again, 2016!
There is nothing magic about 2016. Yes, I understand, "it's a modern world". But it will cost a lot more to do that, and it will require a lot of smarts to configure this all.
How do you manage four things plugged into a power strip? Does each thing report its data, does each socket on the strip report, or do you just monitor the socket in the wall and say that's good enough? How do you tell how much that cable set-top-box is using vs. the TV plugged into the same strip? And then you turn on the lamp plugged into the same strip and...
So, either you have fine-grained monitoring and a headache managing all the connections and data (which nobody is really going to want to do and nobody is going to want to pay for the ability to not bother doing). Or you monitor at the wall socket level with the headache of managing the data about what is plugged into each one. Or you monitor at the circuit level or house level, which is much easier.
I'm actually kind of glad I'm not well off enough to afford a house, because it would frustrate me to own my own place or build my own place and not be able to easily do that yet.
Oh, you can do it if you want to. You can put these or these all over the place and come up with a wireless mesh data collection network using $3 Arduino Nano knock-offs and a $2 wireless module connected to each. They're all plug-in devices, so you can even do it in the apartment you rent, or in the worst case, your parent's basement (kidding.)
And you are three years late, or one year late, with "it's 2016". Here's one from 2013, and one from 2015.
It will cost more and will be complicated, but yes, it's 2016 and it can be done if you want to do it.
My point is that now that you know this product phones home, you should not buy it.
You have yet to support your point. Why not buy it? It does the job I want, it does it well and reliably, and it is trivial not only to prevent it from "phoning home" but to actually configure it, and my network, so I can control it from anywhere in the world without that "phone home" feature.
Instead find on that doesn't phone home.
I think the point has been made rather clearly that you cannot determine this a-priori, and have to assume that it does whenever it is marketed as being controllable from anywhere in the world.
You think I should "find on[e]". That requires buying one and then watching the connections it tries to make. That includes differentiating between NTP connections, DNS connections, and "phoning home". It is SO much easier (and cheaper) to just block it at the router as routine.
You can block traffic just in case and still buy hardware that (as far as you know) doesn't open you up to huge security risks.
You just made my point. "As far as you know" doesn't mean "does not", it only means you have to block it at the router anyway, so who cares what it tries to connect to? And when it is blocked, exactly what is the "huge security hole" you claim exists?
I want something with a web interface and I can just remap a port on my router to present that (secure) web interface, then I can control it myself.
Here. It, too, wants to phone home for some reason, but blocking the device at the router stops that.
It's 2016 (!!) and most of us still have very little control or monitoring over the power sockets around our homes,
I'd suggest X10, but apparently it is an incredible "security hole" that people can actually control outlets around the house. The specific comment was about wireless X10 and how much fun it is to screw your friend by toggling his lights, but if you're standing on the front step of your friend's house you can plug in your wired X10 controller to an outside outlet and do the same thing with no need for wireless at all.
An easy-to-find security hole is still a security hole.
And we used to live in a world where people didn't try to be assholes to people they call their friends. It used to be that "security holes" were evaluated based on the risks and hazards involved instead of every security hole being "OMFG it's a SECURITY HOLE and the product and developers are crap because there is one."
I know, times have changed. Today, if you can visit a "friend's" house and get the house and device code for his bedroom lamp and set a wireless X10 remote to the same house, it's a "security hole" instead of being a reasonable risk that makes a system simple to use and operate. You know, as in, how many bad guys are war-driving with X10 remotes looking for things they can turn on and off in strangers' houses? Wow, you can turn on my bedroom lamp. I'm impressed by your leet haxor skills, and terrified by the potential catastrophe that could ensue.
Now, if that X10 system was controlling a relay that was connected to the nuclear missile launch buttons, or even controlled a coffee pot that could cause a fire if it was turned on inappropriately, there'd be some cause for concern. But you're stupid to have your coffee pot on X10 anyway given the problems it can have with interference. You may wind up turning it on and then you can't turn it off. Or you think you turned it off and didn't. But turning on a bedroom lamp? If someone turning on your bedroom lamp can create a catastrophic result (and not just an inconvenience) then you need a new bedroom lamp. UL would like to hear about it, too.
In this case, the device is SO easy to block that the fact that it wants to connect to a server in China is a ho-hum level of "security hole". You've already got sufficient security management in place to stop the problem, and it's something that you'd do anyway just because. Like I've said, I'm using four similar devices, and none of them are crap. They all work very well, are very reliable, and do the job they were intended to do. The closest to "crap" they come is the fixed NTP addresses, and that's not hard to fix, either. The fact that they want to talk to China? Doesn't matter because they can't do it anyway.
If I have to jump through hoops and block traffic from this device just so it's not a security risk, it's not reliable or secure.
Reliability is a different issue than security. And it's not a big hoop. It's a hoop that you should be jumping through whenever you add a device that you don't want talking to the outside world to your net. You have no reason to believe that any device you use isn't trying to talk to someone somewhere these days and especially if the device is advertised as "IoT" and controllable from a mobile device from anywhere in the world. It shouldn't take a bad review on Amazon to tell you this. If you do the blocking automatically, it won't matter if the device tries to phone home or not, you'll be covered.
If this device were free I wouldn't complain so much, but in this case you are paying for it.
Yeah, you usually have to pay for physical hardware. You don't have to pay for the network connection to China, though. You can block that for free.
As for Opportunist, who writes:
So a product being crap doesn't really matter that much if you can easily take care of it?
Being insecure in the manner this one is doesn't mean the product is crap. It means there is a security issue that can be trivially solved.
So glad you agree that VW shouldn't be required to pay that ridiculous fine.
So glad you're happy putting words in my mouth and trying to compare apples to oranges.
Then I guess you should have made a better product.
We don't know that the product isn't good. All we know is that there is a convenience option that has a security issue, but which is trivially eliminated by prudent network management. The device itself may function flawlessly and do exactly what you need it to do.
For example, this has a similar "call home to Momma" feature, but by simply blocking outbound connections from it at the router you solve the problem completely. You're left with a pretty reliable remote controllable power switch. I've got four of them in the field and they work great.
I assume you are talking about the X10 alarm controller that has a plug-in alarm that activates when the selected device is toggled on and off several times. How hackery of you to use this known function of a simple protocol to annoy your friend. You are a 733t haxor fer sur!
It's in the headline from Techcrunch, too, and I see no threats towards the author of any kind. Begging, yes. Attempts to guilt him into changing the review, yes. But no threats. It is the fault of the slashdot editors for passing along fearmongering, but not inventing it this time.
And if you read the Techcrunch article, you'll see what the brouhaha is about, and some pretty amazing statements by the product reviewer. He claims that all you need to know is the MAC address. "If anybody knows the MAC address of one of your sockets, they can control it from anywhere in the world." I'm guessing that the "access code" to control the device through the Chinese server is just the MAC address of the device, since the MAC address would never normally appear outside your gateway.
Then he says this: "and a normal home router configuration won't block this. You need to explicitly firewall off the server (it's 115.28.45.50) in order to protect yourself." No, actually, it is as simple as blocking the DEVICE, whose address you know, from the WAN, and every home router I've ever used has that capability. Probably for just such situations.
"and if you do this then you'll also entirely lose the ability to control the device from outside your home," If you can control it from your device while it's on your WiFi inside the gateway, then you can use a VPN from outside into your network and control it just like you were at home, if you even need to go that far. "Entirely" is hyperbole.
I've come across internet power switches like this* before, and all it took to stop the carnage and destruction of the known universe is to... block the device at the router. Did I "entirely lose the ability to control" them? Of course not. I put a port forwarding inbound rule in my router so that a port I know on the WAN forwards the control commands to the device, and I can control it from anywhere in the world. The control uses basic HTTP auth so bad guys can't just figure out that port X at address Y is an internet switch and turn it on and off. It just doesn't have the ability to create outbound connections to China anymore. This is such basic stuff that I can't imagine the author of the review didn't know this.
* 3gstore says that the connection was intended to allow remote control through some google interface, but it wasn't implemented. It doesn't matter, the device doesn't talk to China anyway. A much worse problem was that the NTP server addresses were not configurable so I could not tell the device to use the local stratum 1 server -- until I put the names of the hardwired NTP servers into the hosts table for the DNS server on that network and pointed them to it. Voilà, another seemingly unsolvable problem resolved.
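Added example, not part of the original comments: once the device is blocked at the router, the drop log shows what it tried to reach, and the sketch below separates DNS and NTP attempts from everything else, the distinction the comments above describe. The device address 192.168.1.50, the LAN prefix, the `IOT-DROP` log prefix and the KEY=VALUE log format are assumptions; only 115.28.45.50 comes from the quoted review, and every log line is constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

DEVICE_IP = "192.168.1.50"                     # assumed address of the IoT socket
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN prefix

# Constructed sample: netfilter-LOG-style lines for dropped forwards.
SAMPLE_LOG = """\
Jan 10 14:00:01 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=115.28.45.50 PROTO=TCP SPT=49152 DPT=80 SYN
Jan 10 14:00:04 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=115.28.45.50 PROTO=TCP SPT=49152 DPT=80 SYN
Jan 10 14:00:10 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=115.28.45.50 PROTO=TCP SPT=49153 DPT=80 SYN
Jan 10 14:01:00 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=192.0.2.53 PROTO=UDP SPT=40000 DPT=53
Jan 10 14:01:30 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.123 PROTO=UDP SPT=123 DPT=123
Jan 10 14:02:00 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 PROTO=ICMP TYPE=8
Jan 10 14:02:05 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.9 PROTO=TCP SPT=50000 DPT=443 SYN
Jan 10 14:02:09 gw kernel: IOT-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=not-an-ip PROTO=TCP
Jan 10 14:02:11 gw dnsmasq[412]: query[A] example.invalid from 192.168.1.50
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return (src, dst, proto, dport) for a drop record, else None."""
    if "IOT-DROP" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        proto = fields["PROTO"].upper()
    except (KeyError, ValueError):
        return None                      # truncated or malformed record
    dport = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    return src, dst, proto, dport


def classify(proto, dport):
    """Port-based guess only: traffic on 53/123 can still be something else."""
    if dport == 53 and proto in ("UDP", "TCP"):
        return "dns"
    if dport == 123 and proto == "UDP":
        return "ntp"
    return "other"


def summarise(log_text, device_ip=DEVICE_IP, lan=LAN):
    """Count the device's blocked WAN-bound attempts per category and destination."""
    device = ipaddress.ip_address(device_ip)
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        src, dst, proto, dport = record
        if src != device or dst in lan:  # other hosts and LAN-local traffic
            continue
        summary[classify(proto, dport)][(str(dst), proto, dport)] += 1
    return summary


def phone_home_candidates(summary):
    """Destinations the device tried that are neither DNS nor NTP by port."""
    return sorted({dst for dst, _, _ in summary.get("other", {})})


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for category in ("dns", "ntp", "other"):
        for (dst, proto, dport), hits in sorted(result[category].items(), key=str):
            print(f"{category:5} {dst:15} {proto}/{dport} x{hits}")
    print("phone-home candidates:", phone_home_candidates(result))
```

The DNS and NTP rows are worth reading too: they list the external resolvers and hardwired time servers the device expects, which is what a local hosts-table override needs to cover.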
IANAL, but almost none of the original series or movies used "officially licensed" uniforms or props. They just used whatever the costume department or prop department came up with for an episode.
What you are saying here is that the copyright/trademark holder cannot authorize the production of props for production of their own intellectual property because it won't be "officially licensed". In other words, the Paramount props department cannot produce props for a Star Trek movie that Paramount is shooting because they don't have a license.
nobody is going to follow these rules unless they want to.
Nobody follows any rules unless they want to. It's the punishments that, in some cases, are the only reason some people want to. And some people don't want to follow the rules just because there are rules.
Do you have a receipt to prove where you got it?
I have no doubt that the "use officially licensed props" clause was put into the restrictions by the lawyers, as a nod to the officially licensed sources of props -- who pay money for the privilege of being able to sell officially licensed props. I think it is reasonably fair if someone is going to produce Star Trek fiction based on "official" permission, that they be expected to respect the other "official" limitations. And I don't think "show me your receipt" is going to be the way CBS attacks a bit of fanfic. I doubt that someone who ignores one part of the restrictions is going to bother with the others, and "show me your receipt" is going to be the least of the problems.
Because of how it uses HTTPS, I would be unable to block or filter the data it sends back!... A firewall is NOT always the solution!
I think the point was that the firewall will quite efficiently block HTTPS traffic of your dick pics, which does seem to be the solution to your dick pics being sent places you don't want them to be sent. And even just the status of what's in your fridge, when you don't want it to be sent to the cloud for scanning by Google etc., can be blocked by the same firewall.
So yes, the firewall solves your concern about what information is being sent out about you quite well. I don't know what magic you think HTTPS uses that would avoid a firewall block.
You do realize that "cloud" isn't the end-all and be-all of IoT operations, I hope. You can have devices that you can query from your cell phone without having to send the data off to "the cloud" for management. A simple web interface works wonders.
A better solution would be to create an IoT manager device that sits on your network and communicates with all the IoT devices you want to have communication with, and then provides one outside portal for your cell or other access. Perhaps using a VPN for security. You configure the manager to allow what you want, to disallow what you don't, and to manage the communications twixt thee and thine. But that, of course, isn't plug and play, so Joe Sixpack couldn't use it, and the IoT would be crippled if it was designed so that it had to.
So that's why IoT is designed with cell modems and LoPa so that all the data can go wherever the manufacturer of devices wants it to go and you cannot stop it in any trivial manner. (And if you could just disable the LoPa chip there is probably a watchdog that will shut down the device completely, assuming a serious system failure.)
but guess what, no one is going to roll out a nation wide network so that someone can read your thermostat.
Nobody rolled out the Internet so that someone can read your thermostat, but amazingly, that is one of the many security and privacy issues that have come up once thermostats started being connected to the Internet. I.e., it isn't the REASON for the IoT network, but that doesn't mean there isn't somebody ready to try doing it just to prove they can.
and all those fancy new technologies behind them are nothing more than reading those sensors in a way that consumes much less power than before.
Oh, ok. So it cannot be an invasion of privacy because whatever is watching you uses much less power than before.
Right now, today, there are concerns about privacy and security when Internet connectable things show up in people's houses. There are easily predicted issues of both for more advanced devices as they begin to show up. I hate to tell you, but none of those issues will be resolved just because the devices will use a lot less power than they did before.
And the issues will not be made better when the device you bought yesterday could be blocked by adding its MAC address at your home router, but tomorrow there will be a ubiquitous wireless national network that you cannot block carrying the data the device creates to places you don't want it to go.
I didn't say they were. Don't lecture me on that topic.
The standard is whether or not the use is "likely to cause confusion".
No, the standard is if you are using someone else's trademark pretending to be them. That's what happened here.
If the use of the NRA and S&W trademarks by the Yes Men are "likely to cause confusion", then they have a bigger problem than their trademarks (see Poe's Law).
When the "parody" starts out by claiming that the NRA and S&W paid for the content, then there is a good likelihood for confusion no matter who produces the material. Poe's statement -- not a law -- notwithstanding.
Listen, you can hate on the NRA all you want, but they aren't the guilty party here.
It is a rare and amazing world we live in where "stab you to death" is equated to "freedom of speech".
Do you have a cite from the US Constitution that enumerates the "freedom to stab people to death"? No? I can point to a "freedom of speech" reference. Do I need to?
A freedom is only a freedom if it doesn't have any government-imposed consequences.
The word "any", along with the hyperbolic "stab you to death" context that implies that "freedom of speech" means "freedom to say any damn thing I want to", makes that statement untrue.
We DO have freedom of speech, but that freedom is NOT unlimited. Slander and libel are prohibited. Copyright and trademark infringement are prohibited. Treason is prohibited. Child pornography is prohibited.
This contradicts what you just said about a freedom only being a freedom if there are no government-imposed consequences. Your comments about the limits are correct; the previous claim is not.
So, if this video is, as you seem to indicate, easily distinguishable from a real NRA video, then their takedown notices are nothing more than bullying.
This wasn't a DMCA takedown. It was a trademark complaint.
Protecting a trademark is REQUIRED by law, otherwise the trademark owner can lose it. If you don't want to be "bullied" by trademark owners, don't use their trademarks, and don't use their trademarks in a statement that the content YOU produced was paid for by them. It's pretty simple. It doesn't matter if anyone can tell that the content was not actually produced by the trademark owner.
I am not sure if it would be considered libel or slander. Videos usually have "spoken" words but a video may be considered as sort of a "written" record by the law.
It is a published, copyrightable form, therefore it meets the definition of libel.
I wonder how loud the complaints would be were someone to produce a Hillary ad containing a Hillary impersonator who says libelous things, and then has "her" saying "I'm Hillary Clinton and I approved this ad" at the end.
So, lemme get this straight.... If "Saturday Night Live" created the exact same video and broadcast it, we'd all laugh, and then go back to ignoring it.
Excepting the part about it being paid for by the NRA, yes, you're probably right. Why? Because the video would appear on SNL, it would have SNL actors, and have NBC/SNL copyright notices on it. The origin would be clear.
it's a takedown via the DMCA -- and 38,000 sites also suffer due to someone's fat finger mistake.
1. It wasn't DMCA, it was trademark. 2. It wasn't a 'fat finger', it was a quick and probably improper decision by an upstream network provider. But a deliberate decision nonetheless.
So once again, citizens have no rights,
You still have the right to hyperbole. You still don't have the right to claim that a video you produce is paid for by someone else when your goal is to defame them.
I hope you've got your gun, because you're going to need it real soon....
Good. I welcome the day that hyperbole becomes a shoot-on-sight offense.
why do they target unlisted cell phone numbers?
For the same reason they target random email addresses. The cost is essentially zero and any rate of success is a win for them.
The best method to discourage sales or political calls is to engage them in useless time consuming discussion
So they push the button that says they weren't able to contact you and your number goes back into the pool to be called again (sometimes within five minutes or less), and they hang up. You've wasted your time answering the call and trying to talk to them. The predictive dialer has handed them another victim to talk to before you have time to hang up the phone.
Congrats, they won that round.
Instead find on that doesn't phone home.
I think the point has been made rather clearly that you cannot determine this a-priori, and have to assume that it does whenever it is marketed as being controllable from anywhere in the world.
You think I should "find on[e]". That requires buying one and then watching the connections it tries to make. That includes differentiating between NTP connections, DNS connections, and "phoning home". It is SO much easier (and cheaper) to just block it at the router as routine.
You can block traffic just in case and still buy hardware that (as far as you know) doesn't open you up to huge security risks.
You just made my point. "As far as you know" doesn't mean "does not", it only means you have to block it at the router anyway, so who cares what it tries to connect to? And when it is blocked, exactly what is the "huge security hole" you claim exists?
I want something with a web interface and I can just remap a port on my router to present that (secure) web interface, then I can control it myself.
Here. It, too, wants to phone home for some reason, but blocking the device at the router stops that.
It's 2016 (!!) and most of us still have very little control or monitoring over the power sockets around our homes,
I'd suggest X10, but apparently it is an incredible "security hole" that people can actually control outlets around the house. The specific comment was about wireless X10 and how much fun it is to screw your friend by toggling his lights, but if you're standing on the front step of your friend's house you can plug in your wired X10 controller to an outside outlet and do the same thing with no need for wireless at all.
An easy-to-find security hole is still a security hole.
And we used to live in a world where people didn't try to be assholes to people they call their friends. It used to be that "security holes" were evaluated based on the risks and hazards involved instead of every security hole being "OMFG it's a SECURITY HOLE and the product and developers are crap because there is one."
I know, times have changed. Today, if you can visit a "friend's" house and get the house and device code for his bedroom lamp and set a wireless X10 remote to the same house, it's a "security hole" instead of being a reasonable risk that makes a system simple to use and operate. You know, as in, how many bad guys are war-driving with X10 remotes looking for things they can turn on and off in strangers' houses? Wow, you can turn on my bedroom lamp. I'm impressed by your leet haxor skills, and terrified by the potential catastrophe that could ensue.
Now, if that X10 system was controlling a relay that was connected to the nuclear missile launch buttons, or even controlled a coffee pot that could cause a fire if it was turned on inappropriately, there'd be some cause for concern. But you're stupid to have your coffee pot on X10 anyway given the problems it can have with interference. You may wind up turning it on and then you can't turn it off. Or you think you turned it off and didn't. But turning on a bedroom lamp? If someone turning on your bedroom lamp can create a catastrophic result (and not just an inconvenience) then you need a new bedroom lamp. UL would like to hear about it, too.
In this case, the device is SO easy to block that the fact that it wants to connect to a server in China is a ho-hum level of "security hole". You've already got sufficient security management in place to stop the problem, and it's something that you'd do anyway just because. Like I've said, I'm using four similar devices, and none of them are crap. They all work very well, are very reliable, and do the job they were intended to do. The closest to "crap" they come is the fixed NTP addresses, and that's not hard to fix, either. The fact that they want to talk to China? Doesn't matter because they can't do it anyway.
If I have to jump through hoops and block traffic from this device just so it's not a security risk, it's not reliable or secure.
Reliability is a different issue than security. And it's not a big hoop. It's a hoop that you should be jumping through whenever you add a device that you don't want talking to the outside world to your net. You have no reason to believe that any device you use isn't trying to talk to someone somewhere these days and especially if the device is advertised as "IoT" and controllable from a mobile device from anywhere in the world. It shouldn't take a bad review on Amazon to tell you this. If you do the blocking automatically, it won't matter if the device tries to phone home or not, you'll be covered.
If this device were free I wouldn't complain so much, but in this case you are paying for it.
Yeah, you usually have to pay for physical hardware. You don't have to pay for the network connection to China, though. You can block that for free.
As for Opportunist, who writes:
So a product being crap doesn't really matter that much if you can easily take care of it?
Being insecure in the manner this one is doesn't mean the product is crap. It means there is a security issue that can be trivially solved.
So glad you agree that VW shouldn't be required to pay that ridiculous fine.
So glad you're happy putting words in my mouth and trying to compare apples to oranges.
Then I guess you should have made a better product.
We don't know that the product isn't good. All we know is that there is a convenience option that has a security issue, but which is trivially eliminated by prudent network management. The device itself may function flawlessly and do exactly what you need it to do.
For example, this has a similar "call home to Momma" feature, but by simply blocking outbound connections from it at the router you solve the problem completely. You're left with a pretty reliable remote controllable power switch. I've got four of them in the field and they work great.
I assume you are talking about the X10 alarm controller that has a plug-in alarm that activates when the selected device is toggled on and off several times. How hackery of you to use this known function of a simple protocol to annoy your friend. You are a 733t haxor fer sur!
And if you read the Techcrunch article, you'll see what the brouhaha is about, and some pretty amazing statements by the product reviewer. He claims that all you need to know is the MAC address. "If anybody knows the MAC address of one of your sockets, they can control it from anywhere in the world." I'm guessing that the "access code" to control the device through the Chinese server is just the MAC address of the device, since the MAC address would never normally appear outside your gateway.
Then he says this: "and a normal home router configuration won't block this. You need to explicitly firewall off the server (it's 115.28.45.50) in order to protect yourself." No, actually, it is as simple as blocking the DEVICE, whose address you know, from the WAN, and every home router I've ever used has that capability. Probably for just such situations.
"and if you do this then you'll also entirely lose the ability to control the device from outside your home," If you can control it from your device while it's on your WiFi inside the gateway, then you can use a VPN from outside into your network and control it just like you were at home, if you even need to go that far. "Entirely" is hyperbole.
I've come across internet power switches like this* before, and all it took to stop the carnage and destruction of the known universe is to ... block the device at the router. Did I "entirely lose the ability to control" them? Of course not. I put a port forwarding inbound rule in my router so that a port I know on the WAN forwards the control commands to the device, and I can control it from anywhere in the world. The control uses basic HTTP auth so bad guys can't just figure out that port X at address Y is an internet switch and turn it on and off. It just doesn't have the ability to create outbound connections to China anymore. This is such basic stuff that I can't imagine the author of the review didn't know this.
* 3gstore says that the connection was intended to allow remote control through some google interface, but it wasn't implemented. It doesn't matter, the device doesn't talk to China anyway. A much worse problem was that the NTP server addresses were not configurable so I could not tell the device to use the local stratum 1 server -- until I put the names of the hardwired NTP servers into the hosts table for the DNS server on that network and pointed them to it. Voilà, another seemingly unsolvable problem resolved.
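An added example, not part of any comment above and not code from the products discussed: the comments describe watching what a device tries to connect to and telling NTP and DNS apart from "phoning home", so this sketch sorts one device's outbound flows from router log lines into those groups. The device address, resolver address, LAN prefix and every log line are constructed assumptions; 115.28.45.50 is the server address quoted in the thread.

```python
import re
from collections import Counter

DEVICE_IP = "192.168.1.50"      # assumed LAN address of the smart socket
LOCAL_RESOLVER = "192.168.1.1"  # assumed DNS server the device should use
LAN_PREFIX = "192.168.1."       # assumed /24 home LAN

# Constructed sample, in the key=value style of the Linux netfilter LOG target.
SAMPLE_LOG = """\
IN=br-lan OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=UDP SPT=40001 DPT=53
IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=UDP SPT=123 DPT=123
IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=115.28.45.50 PROTO=TCP SPT=49152 DPT=80
IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=115.28.45.50 PROTO=TCP SPT=49153 DPT=80
IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=198.51.100.53 PROTO=UDP SPT=40002 DPT=53
IN=br-lan OUT=eth0 SRC=192.168.1.77 DST=198.51.100.20 PROTO=TCP SPT=50000 DPT=443
IN=eth0 OUT=br-lan SRC=198.51.100.99 DST=192.168.1.50 PROTO=TCP SPT=51000 DPT=80
truncated line without fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one log line, or None if it is unusable."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    return fields


def classify(fields):
    """Name the kind of traffic one parsed log line represents."""
    dst, proto = fields["DST"], fields["PROTO"]
    dport = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    if dst == LOCAL_RESOLVER and dport == 53:
        return "dns-local"
    if dst.startswith(LAN_PREFIX):
        return "lan"
    if proto == "UDP" and dport == 123:
        return "ntp"
    if dport == 53:
        return "dns-external"  # bypasses the local resolver and its hosts table
    return "unexplained"       # candidate "phone home" traffic


def summarize(log_text, device_ip=DEVICE_IP):
    """Count the device's flows per category as {category: Counter[(dst, proto, dport)]}."""
    flows = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or fields["SRC"] != device_ip:
            continue  # other hosts, inbound packets and damaged lines
        key = (fields["DST"], fields["PROTO"], fields.get("DPT", "-"))
        flows.setdefault(classify(fields), Counter())[key] += 1
    return flows


def needs_review(flows):
    """Destinations that are neither local DNS nor NTP, sorted for reporting."""
    cats = ("dns-external", "unexplained")
    return sorted({dst for c in cats for dst, _, _ in flows.get(c, {})})


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for category, counter in sorted(result.items()):
        print(category, dict(counter))
    print("review:", needs_review(result))
```

A destination in the review list is only a lead to investigate; blocking the device's address from the WAN, as the comments describe, covers every category at once.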
The upstream provider had to react to the takedown demand or risk being held liable (since this isn't covered by the DMCA,
What makes him liable?
How easy would it have been for the upstream provider to shut down just the offending account of the downstream provider?
That's what they did. And the downstream account they shut off was a host to a lot of web sites. That took them all down.
IANAL, but almost none of the original series or movies used "officially licensed" uniforms or props. They just used whatever the costume department or prop department came up with for an episode.
What you are saying here is that the copyright/trademark holder cannot authorize the production of props for production of their own intellectual property because it won't be "officially licensed". In other words, the Paramount props department cannot produce props for a Star Trek movie that Paramount is shooting because they don't have a license.
I think you might be wrong about that.
nobody is going to follow these rules unless they want to.
Nobody follows any rules unless they want to. It's the punishments that, in some cases, are the only reason some people want to. And some people don't want to follow the rules just because there are rules.
Do you have a receipt to prove where you got it?
I have no doubt that the "use officially licensed props" clause was put into the restrictions by the lawyers, as a nod to the officially licensed sources of props -- who pay money for the privilege of being able to sell officially licensed props. I think it is reasonably fair if someone is going to produce Star Trek fiction based on "official" permission, that they be expected to respect the other "official" limitations. And I don't think "show me your receipt" is going to be the way CBS attacks a bit of fanfic. I doubt that someone who ignores one part of the restrictions is going to bother with the others, and "show me your receipt" is going to be the least of the problems.
Because of how it uses HTTPS, I would be unable to block or filter the data it sends back! ... A firewall is NOT always the solution!
I think the point was that the firewall will quite efficiently block HTTPS traffic of your dick pics, which does seem to be the solution to your dick pics being sent places you don't want them to be sent. And even just the status of what's in your fridge, when you don't want it to be sent to the cloud for scanning by Google etc., can be blocked by the same firewall.
So yes, the firewall solves your concern about what information is being sent out about you quite well. I don't know what magic you think HTTPS uses that would avoid a firewall block.
You do realize that "cloud" isn't the end-all and be-all of IoT operations, I hope. You can have devices that you can query from your cell phone without having to send the data off to "the cloud" for management. A simple web interface works wonders.
A better solution would be to create an IoT manager device that sits on your network and communicates with all the IoT devices you want to have communication with, and then provides one outside portal for your cell or other access. Perhaps using a VPN for security. You configure the manager to allow what you want, to disallow what you don't, and to manage the communications twixt thee and thine. But that, of course, isn't plug and play, so Joe Sixpack couldn't use it, and the IoT would be crippled if it was designed so that it had to.
So that's why IoT is designed with cell modems and LoPa so that all the data can go wherever the manufacturer of devices wants it to go and you cannot stop it in any trivial manner. (And if you could just disable the LoPa chip there is probably a watchdog that will shut down the device completely, assuming a serious system failure.)
but guess what, no one is going to roll out a nation wide network so that someone can read your thermostat.
Nobody rolled out the Internet so that someone can read your thermostat, but amazingly, that is one of the many security and privacy issues that have come up once thermostats started being connected to the Internet. I.e., it isn't the REASON for the IoT network, but that doesn't mean there isn't somebody ready to try doing it just to prove they can.
and all those fancy new technologies behind them are nothing more than reading those sensors in a way that consumes much less power than before.
Oh, ok. So it cannot be an invasion of privacy because whatever is watching you uses much less power than before.
Right now, today, there are concerns about privacy and security when Internet connectable things show up in people's houses. There are easily predicted issues of both for more advanced devices as they begin to show up. I hate to tell you, but none of those issues will be resolved just because the devices will use a lot less power than they did before.
And the issues will not be made better when the device you bought yesterday could be blocked by adding its MAC address at your home router, but tomorrow there will be a ubiquitous wireless national network that you cannot block carrying the data the device creates to places you don't want it to go.
Trademarks are not protected from parody.
I didn't say they were. Don't lecture me on that topic.
The standard is whether or not the use is "likely to cause confusion".
No, the standard is if you are using someone else's trademark pretending to be them. That's what happened here.
If the use of the NRA and S&W trademarks by the Yes Men are "likely to cause confusion", then they have a bigger problem than their trademarks (see Poe's Law).
When the "parody" starts out by claiming that the NRA and S&W paid for the content, then there is a good likelihood for confusion no matter who produces the material. Poe's statement -- not a law -- notwithstanding.
Listen, you can hate on the NRA all you want, but they aren't the guilty party here.
By that logic, I am free to stab you to death,
It is a rare and amazing world we live in where "stab you to death" is equated to "freedom of speech".
Do you have a cite from the US Constitution that enumerates the "freedom to stab people to death"? No? I can point to a "freedom of speech" reference. Do I need to?
A freedom is only a freedom if it doesn't have any government-imposed consequences.
The word "any", along with the hyperbolic "stab you to death" context that implies that "freedom of speech" means "freedom to say any damn thing I want to", makes that statement untrue.
We DO have freedom of speech, but that freedom is NOT unlimited. Slander and libel are prohibited. Copyright and trademark infringement are prohibited. Treason is prohibited. Child pornography is prohibited.
This contradicts what you just said about a freedom only being a freedom if there are no government-imposed consequences. Your comments about the limits are correct; the previous claim is not.
So, if this video is, as you seem to indicate, easily distinguishable from a real NRA video, then their takedown notices are nothing more than bullying.
This wasn't a DMCA takedown. It was a trademark complaint. Protecting a trademark is REQUIRED by law, otherwise the trademark owner can lose it. If you don't want to be "bullied" by trademark owners, don't use their trademarks, and don't use their trademarks in a statement that the content YOU produced was paid for by them. It's pretty simple. It doesn't matter if anyone can tell that the content was not actually produced by the trademark owner.
but don't confuse Liberals (a.k.a. Democrats or Libtards) with Libertarians.
I'm glad you explained that. I was wondering what the problem with Librarians was....
I am not sure if it would be considered libel or slander. Videos usually have "spoken" words but a video may be considered as sort of a "written" record by the law.
It is a published, copyrightable form, therefore it meets the definition of libel.
I wonder how loud the complaints would be were someone to produce a Hillary ad containing a Hillary impersonator who says libelous things, and then has "her" saying "I'm Hillary Clinton and I approved this ad" at the end.
So, lemme get this straight.... If "Saturday Night Live" created the exact same video and broadcast it, we'd all laugh, and then go back to ignoring it.
Excepting the part about it being paid for by the NRA, yes, you're probably right. Why? Because the video would appear on SNL, it would have SNL actors, and have NBC/SNL copyright notices on it. The origin would be clear.
it's a takedown via the DMCA -- and 38,000 sites also suffer due to someone's fat finger mistake.
1. It wasn't DMCA, it was trademark. 2. It wasn't a 'fat finger', it was a quick and probably improper decision by an upstream network provider. But a deliberate decision nonetheless.
So once again, citizens have no rights,
You still have the right to hyperbole. You still don't have the right to claim that a video you produce is paid for by someone else when your goal is to defame them.
I hope you've got your gun, because you're going to need it real soon....
Good. I welcome the day that hyperbole becomes a shoot-on-sight offense.