Seafood-related queries from own internet-connected vending machines brought college network to its knees


Geese are scary as hell!! Wouldn’t want those coming after me!


I’m more surprised the malware was sending clear-text. I mean, if your bot-net isn’t secure…is it really your bot-net?


LOL, fair enough. Although I still say most of these IOT devices are solutions looking for a problem to solve and are about as useful as fucking chia pets.


IoT Chia Pet… I’ll be rich!

Ch-ch-ch-(not responding)-Chia!



But wait, there’s more! With every IoT Chia Pet, you’ll get the new, improved, IoT Pet Rock! Toss it away, you’ll always be able to find it because of its easily hackable wifi signal, and it will store the speed and impact force of your throw. Nice little Timmy down the street will know it’s you when you hit him upside the head with your Pet Rock!

By Ronco… when it absolutely doesn’t need to exist but does, it’s Ronco!


The point of industrial IOT is being able to manage your infrastructure, rather than just have an opaque layer of workers who keep the infrastructure going. Whether or not it actually costs less is only partly relevant, because the concept itself is catnip to the decision makers who decide to buy into this stuff.

It’s all about turning expensive arrays of inert objects into datacells on a spreadsheet or database. From one point of view, it’s another step on the path of stupidity that management has been going for decades, of trying to abstract away your annoying employees. From another point of view, it’s a game changer because instead of having to hope that your maintenance workers have done a good job, now you can know whether or not every single doodad is in proper working order, and know instantly whenever one of them goes out of order.

As for the security implications, that ship has sailed. Every router and modem, every networked vending machine and light bulb should not be running a full fledged copy of Linux just to deliver the one single thing that they need to do. But due to the fact that nobody has been interested in spending money and time making a limited purpose, locked down OS for networked appliances, that’s the world we have.

I do think there’s going to be a nasty reckoning and a bloodbath, and lots of companies are going to get sued out of existence over crap security. Then the IOT fad will recede for a while, before coming back with a new name and better security.


The Onion [2001]:

ST. LOUIS–Area resident Jim Shaffer avoided slight inconvenience Monday, thanks to Jhirmack’s new “upside-down” shampoo bottle. “If I’d been using a traditional shampoo bottle, I’d have had to turn the thing over and shake it when it started to run low,” Shaffer said. “But, with the Jhirmack bottle, the shampoo collects at the bottom, making shaking unnecessary.” Shaffer plans to use the time saved by the shampoo to “catch up on [his] reading.”


It sounds like they were noobs when it comes to botnet design: generating all those fishy DNS requests that were bogging the net down to the point that it couldn’t be ignored? Mistake.




Heinlein showed the folly of hooking all your systems into one central control almost sixty years ago in “The Moon is a Harsh Mistress.”


He gave them that great campfire singalong, “Springtime for Hitler”.


From a business perspective, why should they until the cost of not securing their network is higher than the cost to secure the network?

Some of the costs of not securing their network:

  • cost of data being copied, deleted, manipulated, or shared with competitors that use it for a business advantage
  • cost to defend lawsuits or pay judgments for injuries suffered as a result of the flawed network
  • cost to repair or replace physical hardware damaged or destroyed (a light bulb burned out due to rapidly being turned on and off, spoiled food caused by manipulation of a “smart” refrigerator, pipes burst due to the HVAC system being disabled in the middle of winter, fires started by a “smart” stove, etc.)
  • increased insurance costs because of claims related to the first three bullets


I think I read about this from the Internet of Shit Twitter account: a lot of this IoT crap can’t be secured (well, or even at all). The joke was, “How do you change the password in a light bulb?” The answer, of course, is “with the app”, but then what if the app doesn’t include this?

Okay, we know in this case there were passwords. What amount of security will the devices work from behind? The only IoT I have is a Fitbit, but a lot of stuff I got as far as checking out the app and deciding not to buy because they wanted access to freaking everything. It was, “Hi, I’m either a RAT or made by a vendor who doesn’t care about customers at all. One or the other.”

Really, since they are a university, they would have been better off making it a multidisciplinary student project.



True fact: Canadians aren’t really super polite – it’s just that all their suppressed anger gets channeled to their geese.


Good luck getting a student project maintained at the end of term


That’s why I said “multidisciplinary”. Too many student projects have the prime directive of “just make it work”, rather than “make it upgradable”. My students are always a little shocked that readability and commenting counted towards their mark.


And moose.


Does it send you a text when it is time to flip it?