e dot dot dot
a mostly about the Internet blog by



Princeton Project Aims To Secure The Internet Of Broken, Shitty Things

Furnished content.


Year after year, we're installing millions upon millions of "internet of things" devices on home and business networks that have only a fleeting regard for security or privacy. The width and depth of manufacturer incompetence on display can't be overstated. Thermostats that prevent you from actually heating your home. Smart door locks that make you less secure. Refrigerators that leak Gmail credentials. Children's toys that listen to your kids' prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death.

The list goes on and on, and it grows exponentially by the week, especially as such devices are quickly compromised and integrated into massive new botnets. And as several security experts have noted, nobody in this chain of dysfunction has the slightest interest in doing much about this massive rise in "invisible pollution":

"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
One core part of the problem is that IOT device makers refuse to provide much control or transparency over what their internet-connected devices actually do once online. Often the tools and device interfaces provided to the end user are comically simple, providing you with virtually no data on how much bandwidth your devices are consuming, or what data they're transferring back to the cloud (frequently unencrypted). As a result, many normal people are participating in historically massive DDOS attacks or having their every behavior monitored without having the slightest idea it's actually occurring.

To that end Princeton's computer science department has launched a research program called the IOT Inspector they hope will provide users with a little more insight into what IOT devices are actually up to. The researchers behind the project say they spent some time analyzing fifty different common IOT devices, and like previous studies found that security and privacy in these devices was a total shitshow. Sending private user data unencrypted back to the cloud was common:
"Unfortunately, many of the devices we have examined lack even these basic security or privacy features. For example, the Withings Smart Blood Pressure Monitor included the brand of the device and the string 'blood pressure' in unencrypted HTTP GET request headers. This allows a network eavesdropper to (1) learn that someone in a household owns a blood pressure monitor and (2) determine how frequently the monitor is used based on the frequency of requests. It would be simple to hide this information with SSL."
As were devices that immediately began chatting with all manner of partner services whether the user wants them to or not:
Samsung Smart TV: During the first minute after power-on, the TV talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook, even though we did not sign in or create accounts with any of them.
Again, user control and transparency is almost always an afterthought. Obviously, the creation of some unified standards is one solution. As is creating routers and hardware that alert users to when their devices have been compromised. Smarter networks and hardware are going to need to be a cornerstone of any proposed solution, the researchers note:
We are experimenting with machine learning-based DDoS detection using features using IoT-specific network behaviors (e.g., limited number of endpoints and regular time intervals between packets). Preliminary results indicate that home gateway routers or other network middleboxes could automatically detect local IoT device sources of DDoS attacks with high accuracy using low-cost machine learning algorithms.
Of course better standards are going to need to be built on the backs of a joint collaboration between governments, companies, consumers and researchers. And while we've seen mixed results on that front so far, efforts like this (and the Consumer Reports' open source attempt to make privacy and security an integral part of product reviews) are definitely a step in the right direction.
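
The two traffic features the researchers name (a limited number of endpoints and regular intervals between packets) can be computed per device from packet metadata alone. The sketch below is an added example, not IoT Inspector code: the packet records are constructed, and the fixed threshold rule with its values is an assumption standing in for the machine-learning classifier the researchers describe.

```python
from statistics import mean, pstdev

def make_sample():
    """Constructed packets: (timestamp_s, device, destination_ip)."""
    pkts = [(i * 30.0, "thermostat", "203.0.113.10") for i in range(20)]
    # Camera behaves like the thermostat for 300 s, then sprays 50 addresses.
    pkts += [(i * 30.0, "camera", "203.0.113.20") for i in range(10)]
    pkts += [(300.0 + i * 0.01, "camera", f"198.51.100.{i % 50 + 1}")
             for i in range(200)]
    return pkts

def features(packets, device, start, end):
    """Endpoint count and inter-packet timing for one device in [start, end)."""
    seen = [(t, dst) for t, d, dst in packets if d == device and start <= t < end]
    times = sorted(t for t, _ in seen)
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_gap = mean(gaps) if gaps else None
    # Coefficient of variation of the gaps: 0.0 for a strictly periodic device.
    gap_cv = pstdev(gaps) / mean_gap if mean_gap else 0.0
    return {"endpoints": len({dst for _, dst in seen}),
            "packets": len(times), "mean_gap": mean_gap, "gap_cv": gap_cv}

def is_anomalous(baseline, window, extra_endpoints=3, rate_factor=10.0):
    """Threshold rule (assumed values) standing in for a trained classifier."""
    if baseline["mean_gap"] is None or window["mean_gap"] is None:
        return False  # too few packets to judge
    new_endpoints = window["endpoints"] > baseline["endpoints"] + extra_endpoints
    much_faster = window["mean_gap"] < baseline["mean_gap"] / rate_factor
    return new_endpoints or much_faster

def flag_devices(packets, split, end):
    """Compare each device's [split, end) window with its [0, split) baseline."""
    flagged = []
    for device in sorted({d for _, d, _ in packets}):
        base = features(packets, device, 0.0, split)
        win = features(packets, device, split, end)
        if is_anomalous(base, win):
            flagged.append(device)
    return flagged

if __name__ == "__main__":
    print(flag_devices(make_sample(), 300.0, 600.0))
```

Because a healthy IoT device has such a narrow baseline, even this crude comparison separates the flooding camera from the periodic thermostat, which is why the check is cheap enough to run on a home gateway.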

posted at: 12:01am on 02-May-2018



Suburban Express Sued By Illinois Attorney General For Behaving Like Suburban Express

Furnished content.


We've talked quite a bit about Suburban Express in these pages. The bus company chiefly works the Illinois university circuit, bussing students and others between the schools and transportation hubs like O'Hare Airport. In addition, the company also regularly sues any customers critical of its services, occasionally runs away from those suits, then refiles them, all while owner Dennis Toeppen harasses and publicly calls out these customers on the company website and its social media accounts. Also, the company has a deep history of treating non-white customers differently from, and worse than, others, culminating in a recent advertisement it sent out promising riders that they won't feel like they're in China when on its buses (the University of IL has a sizable Asian student population). After that advertisement, Illinois Attorney General Lisa Madigan announced an investigation into the company's practices, prompting Suburban Express to apologize several times for the ad.

Well, if Toeppen had hoped those apologies would keep the AG at bay, it didn't work. Madigan has now sued the company in Chicago for discriminatory behavior and the mistreatment of its customers.

The lawsuit, filed in U.S. District Court in Chicago, seeks a restraining order against the company to stop it from publishing customers’ financial information, halt harassment and prevent the company from forcing riders to accept unfair contract terms. If the company does not change its practices, Madigan said, the attorney general wants the company out of business.

The company’s actions, Madigan said, constitute “flagrant and numerous violations” of Illinois’ civil rights and consumer protection laws.

“My lawsuit alleges that Suburban Express has long been engaged in illegal discrimination and harassment of college students in Illinois, particularly University of Illinois students and their families,” Madigan said at a morning news conference at the Thompson Center to announce the lawsuit.
Among the allegations is that Suburban Express harasses its critics, publishes some of their financial information in an attempt to shame them, discriminates against customers based on their race, and generally tries to make the lives of anyone that doesn't love the services they get a living hell. All of this followed a months-long investigation into the actions of the company and Toeppen himself.

In response, Suburban Express posted to its Facebook page that it merely defends itself against lying critics, before suggesting how awesome it is.
"Defending ourselves against online harrassment (sic) does not constitute harrassment (sic) of the harrasser. (sic) The complaint seems to demonstrate a lack of any sense of humor on the part of Attorney General Madigan. Tongue in cheek posts like the picture of bowing passengers cannot reasonably be inferred to mean that we have something against certain customers."

“The world is a better place as a result of Suburban Express. … We take this unfounded assault on our reputation seriously and we intend to defend this lawsuit vigorously,” the post concluded. “We’d love to hear from attorneys interested in defending us against this lawsuit.”
What attorneys will rush to the side of a company that has so clearly demonstrated exactly who and what it is will be interesting to watch. Part of Suburban Express' problem is that it engaged in so much of this harassment online, where the slate can never be truly scrubbed, and with which the AG will be able to present the court with the company's own words and actions.

Given the long history of public behavior by the company, it's hard to imagine how any of this goes well for it.

posted at: 12:01am on 02-May-2018


