Slashdot Mirror


User: Antique+Geekmeister

Antique+Geekmeister's activity in the archive.

Stories: 0
Comments: 7,305

Comments · 7,305

  1. Re:It's 2 part on Who's Responsible For IoT Security? (networkworld.com) · · Score: 1

    > First, the vendor provides a default password.

    > Second, the device needs its password changed before it works.

    _Thank you_. I'd not put it in such terms, but that is a viable approach which I'd gladly support.

    > The other option is for the default password to be the serial number of the device, which will probably cause vendors $0.01 more but save on customer support calls.

    There is a similar situation now for cable modems. They print the default network and password names on the devices, partly to allow their own personnel to help set them up at installation time. Many patrons never bother to change them. I'd personally be willing to pay extra for such a feature.

  2. Re:People who buy them on Who's Responsible For IoT Security? (networkworld.com) · · Score: 1

    > Producers of products ultimately aim to please their customers

    Please forgive me, but this is a common misconception that I've had to address for a number of younger Libertarian advocates recently. There are many, many counterexamples of people and businesses who are purely interested in profit. Pleasing the customer is one means to encourage sales. But theft, fraud, and neglect of damage to customers are often more effective ways to increase profit in the short term, and they _are_ common place.

    I appreciate your reasoning that "and if customers don't want to pay for security, barring external regulation, they won't put security features in their products. Some day customers may demand security and when that happens manufacturers will oblige". But this puts the responsibility on the market, where slim profit margins and the "start-up" desire to ship product as quickly as possible interfere directly with investing in better security.

    Personally, I think the market needs a strong set of sensible regulation, drafted by security conscious people who understand the tradeoffs and ramifications. I can picture a "fantasy security" team of experts who could be on such a panel to assist in setting standards. Would you care to start a thread about who would belong on such a group?

  3. Re:Per port firewalls. on Who's Responsible For IoT Security? (networkworld.com) · · Score: 2

    NAT covers most of it. One of the benefits of the lack of available address space for IPv4 is that many sites are using NAT. This provides an excellent opportunity to filter connections _into_ your local environment, as well as data _leaving_ your local environment.

    I'm seeing companies, partners, and clients entirely disable IPv6 on their local network because the increased address space encourages every device to be routable and accessible from the Internet at large. And I'm in full agreement, and it's an approach I encourage. There should be almost _no_ home or workspace working networks that are routable from the Internet at large. I've seen the consequences repeatedly, and they are _dangerous_.

    Botnets taking control of machines inside your local network are only one of the dangers, and they are a surprisingly frequent danger. Fools or abusers inside your local network hosting popular traffic of which you were not aware and consuming _enormous_ amounts of your network resource and your paid for bandwidth are another.

  4. Re:Software EULA on Who's Responsible For IoT Security? (networkworld.com) · · Score: 1

    Please excuse my lack of understanding, but what is the relevance of whether the "IoT" is the local hardware or the network over which the data is shared, or the services on which the data is stored and services provided by the vendor?

  5. Re: Hard one... on Who's Responsible For IoT Security? (networkworld.com) · · Score: 2

    > I would say that if a user does not at least make a good faith effort to secure his things using the documentation available

    I'm afraid that the documentation is _not_ available. Features are modified without notification, especially including how new "features" are designed and how the back end data is protected on the vendor's part. I'm afraid I recently attended a presentation on a new set of IoT devices, and had a quiet back room talk with several of the IT personnel about how they handle the data. It was _not_ safe. The individual devices could be tied to far too much personal and traceable information because selling that information was a critical part of the business model. The business model was revealed separately by their sales personnel, trying to establish their credibility as part of a growth business.

    Securing the personal data published by such devices takes thought, and work, and is not part of what the business is directly selling, so it is often neglected.

  6. Useless against local or remote root kits on China Plans To Launch the World's First 'Unhackable' Quantum Communication Network (phys.org) · · Score: 1

    If the data is being written via a "network" stack, it's vulnerable to root kits on either end of the communications. It's also useless against the "Great Firewall of China", which forces access through Chinese government owned or controlled proxies to control or monitor specific content at whim.

  7. Re:I'm going to start surfing incognito on Your Personal Information Is Now the World's Most Valuable Commodity (www.cbc.ca) · · Score: 1

    > Through a VPN.

    > Good luck Google figuring out who I am.

    The cookies are a pretty good giveaway. So is "Location Data" gathered by various Google apps and Google sharing apps on your cell phone and wifi-based devices, even without GPS information.

  8. Re: May as well call it "Muslim Check" on Facebook Makes Safety Check a Permanent Feature (techcrunch.com) · · Score: 1

    Why should they be distinct from other religions in that sense? Especially the Abrahamic religions, such as Christianity and Judaism, where righteous genocide is key to the oldest stories? I'm specifically mentioning the willingness of Abraham to slaughter his son for his god, the world flood of Noah, the slaughter of Jewish infants by the Egyptians and the slaughter of every first-born Egyptian child by the Jewish god, the slaughter of the Canaanites by Jews upon reaching the "Promised Land". It goes on to more modern, verifiable epics of Abrahamic religious genocide in the Middle Ages, especially the Crusades against the Muslim controlled countries around Jerusalem. The African, pantheistic religions are hardly immune from this, nor are the faiths of Asia.

    Muslim peoples and nations have declared war at various times. So have _many_ other nations, and faiths.

  9. I'm afraid that seeking the "profit" from a spammer's records is much like seeking an artist's share of the profits from a movie or a concert tour. There may have been quite a lot of money involved, but somehow it would not show up as "profit" in any visible accounting.

  10. Re:And the Army is really buying these things? on DJI Spark Owners Must Update Firmware By September, Or Their Machines Will Be Bricked (suasnews.com) · · Score: 1

    > The F-35 took 26 years to go from contract to production, and will cost a trillion dollars.

    Has there been a single use of an F-35 aircraft in any military missions whatsoever? So far, I'm only seeing test flights and many reports of faked tests.

  11. Tinker Toys, Lincoln Logs, and Legos on Ask Slashdot: How Can You Teach Programming To Schoolchildren? · · Score: 1

    Hands-on familiarity with toys built from a small number of similar components is invaluable. I'm not speaking of the completely specified, every detail spelled out Lego sets. I'm speaking of a big box of toys that is large enough to support some basic, well specified models but allows expansion to other models and other images. Learning that the same blocks can be used for several distinct complex structures is valuable. Learning that one can expand those simple, identical components into a more customized or sophisticated model is an invaluable lesson that many people who "study computers" never learned well.

  12. Re:Polio eradication progress on Plants 'Hijacked' To Make Polio Vaccine (bbc.com) · · Score: 2

    It's no longer a technical problem to eradicate polio. It's a political one. There was a very strong effort to eradicate it which failed in 2006, because of rumors that the vaccine was actually a sterilization agent. Unfortunately, the fear was not entirely unjustified. There *have* been fraudulent vaccines used to force birth control on women in the Middle East, so it was not an unthinkable rumor for people in a poor and information-poor place like Nigeria. The fact that fake vaccines were used by a country seen by so much of the Middle East as a target of religious anger made it all the worse.

    * http://www.salon.com/2013/01/2...

    I'm afraid that in an area with poverty, war, and ethnic strife, getting vaccines to all is very difficult. The vaccines are also somewhat dangerous to make, expensive, and have a very limited shelf life, so the doses to eradicate polio _expired_ in the Nigerian effort in 2006.

    I do hope that being able to manufacture vaccines less expensively, more safely, and where a native population can get a better view of the manufacture and assure its safety for their own concerns will help the population accept the vaccines enough to eradicate polio.

  13. Re:Why a plant? on Plants 'Hijacked' To Make Polio Vaccine (bbc.com) · · Score: 1

    Viruses have traditionally been incubated by using the live virus in living creatures, allowing them to reproduce, and harvesting living samples. That meant keeping live, reproducing copies of the virus around, where they are fully capable of reproducing and even of mutating to a more dangerous form. By not actually creating a full virus that can reproduce, and never having to handle the full organism, it makes vaccine creation _far_ safer and cheaper.

  14. > I have to disagree with that second point, if there was enough for an impeachable offense he would have been impeached.

    Impeachment, and whether there are grounds for impeachment, are two different matters. FDR's medical issues, for example, did not lead to his impeachment despite his lack of physical fitness, his reliance on his wife to run his Cabinet, and his failure to inform Congress. Neither did Ronald Reagan's increasingly obvious Alzheimer's Disease.

  15. > The internet is not. (a common carrier)

    Not through lack of effort by some of us. The difficulty is a business model one: they want to charge more for certain types of traffic, as profit centers. Many small ISPs used to do their best to operate as common carriers, and follow policies consistent with that. It's become more difficult to compete with the larger, cell phone affiliated carriers who are not willing to treat all traffic equally.

  16. > Perversely that only happens when you have a job.

    I've noticed this. I think that one issue is that they are often unable to ask your previous employers or reliable references for the real reason you left your last position. And much like dating, the fact that you have a stable, long-term relationship means that you know _how_, and are thus immediately more desirable.

  17. From what I see, it's not so simple as protecting the status of the party. From the first line of the Wikipedia article:

    > Rape is a common crime in China. Marital rape is not illegal in China. Same-sex sexual assault between males was made illegal in late 2015. [1]

    The article includes many relevant. It's been a longstanding accepted practice, as it was throughout history. The concealment of it and its frequency in China, compared to the more open investigations and reporting in the USA, makes comparing violence in the nations more difficult.

  18. > Attach a band aid to the exterior of the car and the identification system will fail.

    If it were that precise, even ordinary road dirt and shadows would obscure it beyond usefulness. I'd expect such a system to use broad categories to reduce the size of the search space: number of doors, rough color, rough shape of the rear end, and details of the bumpers would help narrow the search space tremendously and allow more meaningful comparison of the details of the car.

  19. A simple measurement of how many crimes, of what type, are reported and prosecuted would be useful to assess its value. A similar report of its misuse and abuse would be useful, as well, but harder to gather from the agencies that collect the data.

  20. Domestic violence, especially rape, is also vastly under-reported.

  21. > To counter such interesting people the UK had to surround its city areas with CCTV.

    From experience in a visit to the UK: the paranoia about governments collecting personal information, described in the novel "1984", was well justified. I'm afraid that the result of the enormous volumes of data is closer to that depicted in the movie "Brazil". They're not organized enough to use the data effectively, and the result is bureaucratic chaos. The chaos is funding efforts to scan the data for useful information, but each department and each manager in each bureaucracy has its own idea of the format, the relevant content, and the relevant analysis desired.

    The result of the masses of data is frightening: it _is_ widespread and analyzable. Fortunately for ordinary citizens, they don't seem well enough organized to use it effectively for large scale political repression. Also fortunately, flexible coders and database experts are paid quite well to provide results, even if the actual data desired is ill-defined and unlikely to achieve the desired goals.

    I was paid well for the work there, but the confusion about goals for the data analysis made the project useless in the long term. It was one of the contract tasks where I had to say "they're paying enough for our work, and the results will not be harmful because the goals are so very poorly organized".

  22. Re:Oh, Lordy, FTP needs to just die already on Prison Time For Manager Who Hacked Ex-Employer's FTP Server, Email Account (bleepingcomputer.com) · · Score: 1

    Given the lack of understanding of most reporters, it might have been an SFTP server, or even a Kerberized FTPS server. I'd suggest not over-interpreting a casual reference in a news report as proof of incompetence on one party's part.

  23. Re:1 letter change on The Man Who Wrote the Password Rules Regrets Doing So (gizmodo.com) · · Score: 1

    I've seen the like. It was implemented so that managers could see the work, and the email, of their personnel.

  24. Re:Sigh. on The Man Who Wrote the Password Rules Regrets Doing So (gizmodo.com) · · Score: 1

    In reality, the mixed case and punctuation is more difficult to crack, according to experience with the old "crack" tool published by Alec Muffett in 1991. It did very well against single word passwords based on a dictionary attack. It had far more difficulty with multiple obscuring techniques applied against even a single word.

    I'm afraid that similar vulnerabilities exist against even lengthy passphrases if the word or phrase is too common. The passphrase "correcthorsebatterystaple" is now vulnerable because exactly that phrase has been mentioned in public literature, and because people can and do use it for their own passphrase.

  25. Re:Reject new PW if too similar? on The Man Who Wrote the Password Rules Regrets Doing So (gizmodo.com) · · Score: 0

    Checking that the passphrase is not identical to old passphrases is straightforward: you save the _hashed_ passwords, which are not susceptible to ordinary brute force attacks if your hashing algorithm was good in the first place. And you compare the hashed version of the new password to _that_, not by saving the clear text passphrases. This was built into high security protocols like Kerberos from the very beginning.

    Passwords that are "similar" are much more difficult to safely compare.
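
Following the hash-comparison approach described in comment 25, and the point in comment 24 that a passphrase already published in the literature is no longer a good one, here is an added example (my own, not the commenter's code or anything from Slashdot). The PBKDF2 parameters, the history depth and the contents of the blocklist are constructed assumptions. It makes one caveat concrete that the comment glosses over: when each stored digest has its own salt, the candidate passphrase has to be re-derived under every stored salt before it can be compared, so there is no single "hash of the new password" to check against the whole history.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; a constructed value kept modest so the
# example runs quickly. A production deployment would use a higher count.
ITERATIONS = 50_000

# Constructed blocklist standing in for passphrases that have appeared in
# public literature (the "correcthorsebatterystaple" case from comment 24).
# Entries are stored in normalised form: lower case, letters and digits only.
PUBLISHED_PASSPHRASES = {
    "correcthorsebatterystaple",
    "password",
    "letmein",
}


def normalise(passphrase: str) -> str:
    """Fold case and drop separators so 'Correct Horse Battery Staple'
    still matches the published form of the phrase."""
    return "".join(ch for ch in passphrase.lower() if ch.isalnum())


def derive(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class PasswordHistory:
    """Keeps the last `depth` (salt, digest) pairs; the clear text is never stored."""

    def __init__(self, depth: int = 5) -> None:
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes]] = []  # oldest first

    def is_reused(self, candidate: str) -> bool:
        # Every stored entry carries its own salt, so the candidate must be
        # re-derived under each salt in turn; a single digest of the candidate
        # cannot be compared against differently salted digests.
        for salt, digest in self.entries:
            _, cand_digest = derive(candidate, salt)
            if hmac.compare_digest(cand_digest, digest):
                return True
        return False

    def record(self, passphrase: str) -> None:
        """Append a freshly salted digest and drop entries beyond `depth`."""
        self.entries.append(derive(passphrase))
        self.entries = self.entries[-self.depth:]


def check_new_passphrase(history: PasswordHistory, candidate: str) -> str:
    """Return 'published', 'reused' or 'ok' for a proposed new passphrase."""
    if normalise(candidate) in PUBLISHED_PASSPHRASES:
        return "published"
    if history.is_reused(candidate):
        return "reused"
    return "ok"


def change_passphrase(history: PasswordHistory, candidate: str) -> str:
    """Apply the checks and, only if they pass, commit the new digest to history."""
    verdict = check_new_passphrase(history, candidate)
    if verdict == "ok":
        history.record(candidate)
    return verdict


if __name__ == "__main__":
    # Constructed sequence of password-change attempts.
    h = PasswordHistory(depth=2)
    for attempt in ["first-secret-2017", "first-secret-2017",
                    "Correct Horse Battery Staple", "second-secret-2017"]:
        print(f"{attempt!r} -> {change_passphrase(h, attempt)}")
```

The cost of the history check grows linearly with the history depth, one key derivation per stored entry, which is one reason deployments keep the depth small. Comparing a candidate for mere "similarity" to old passphrases, as the comment notes, cannot be done on the digests at all, since any one-character change produces an unrelated digest.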