You implement security in order to have privacy and I agree it's poorly understood in the digital realm, mostly because it's "out of sight and out of mind". I like to use an analogy I can't remember where I picked up and reductio ad absurdum to get them past this automatic response, because that's what it is and it's based in the horrid and dangerous "Nothing to hide, nothing to fear" saying.
- The usual conversation -
I ask them: "Do you have curtains ?" and they say: "Yes, of course" and I ask "Why ? I mean you have nothing to hide right ? What does it matter if someone can see what you are doing inside your house ?", usually they freeze for a second, "Because it's creepy". I continue "Well if it's creepy that someone would watch you in your house, isn't it just as creepy if they watched you online, what you read, what porn you watch, what you talk to your friends about ? Which do you think tells more about who you are ?". At this point silence and an increasingly worried look is the norm.
I keep going: "It's not about hiding anything, it's about what is private. Otherwise why not tell everyone your darkest secret, your greatest fears, the thing you are most ashamed of doing in your life ? And that's why you should do [this or that]"
But even so, it's true most default back quickly. Still a few call, ask, improve their practices. People only seem to take it seriously after they have been directly impacted in a powerfully damaging way.
Edit: I have obviously had this conversation enough times to make this script in dealing with it. If you have to do it more than twice, automate it. :)
Ok, I am aware of how it works, but I'm not talking pentests or hardening. I'm talking simple, cheap design choices in this case, that could've eliminated the whole Mirai debauchery.
In your app you already have a setup wizard, right ? Add one more page to the end "Hey, we're almost done! We just need to make sure your device is secure. Please choose a username and (strong) password."
Edit: Because if you have a login, you already have the components in place, you are not developing a new feature.
This one simple, design choice would have cost very little, both in terms of development time and increase in support costs, because Support is a cost center that scales with your user base and your knowledge base. Obviously not pennies, but still small costs.
There is the classical point of diminishing returns from security investments, problem is for most IoT products, we are significantly left, towards zero investments and, at this point, small investments and a few smart design choices would yield significant returns in security.
And with developers that's exactly what I don't get. How has it not become internalized that allowing users to run the default user/pass combo is very poor idea ? I'm not asking for much, I don't expect them to know a lot about security, but not even adhering to some basic good practices of security is killing me.
How many pennies would've been needed to insert a simple page forcing you to change user/password combo and to choose a reasonably strong password after first boot ?
In the case of Mirai it's not even a cost issue, just lacking good practices.
But when you tell someone "That's not secure, you can easily get hacked. You need to [insert good security practices here]", what response do you get ?
In my experience, most answer along the lines of "So what ? What could they get ? I have nothing important." or "Why would anyone ever hack me ?" or "But I have an antivirus, doesn't that make me safe ?".
And then spend the next 15 minutes explaining to them how things actually work and why they need to take it seriously and offer to help. 9 out of 10, they never reach out. And it's not their fault, but the way security in general is perceived.
By sending binary SMSs. There are multiple classes of SMS, including binary messages through which operators can access and change data directly on your SIM. Since that's also your crypto chip, yeah ...
His defense will be that he never had criminal intention, that it was an unfortunate accident, that can be chalked up to inexperience and curiosity. That he didn't take measures to hide his identity and that he was attempting to report a security issue and that the version that dialed 911 is a very very stupid idea of a joke.
And the prosecution will argue that the very action of writing a piece of software that targets a critical infrastructure is proof of in itself of criminal intention.
It will be up to the judge, but hopefully he will be lenient.
This should serve as a warning for 2 things for you younger cats out there:
1. Learn how to disclose responsibly. Use proper channels for disclosing vulnerabilities and don't post exploits online like that (only after you have made contact, reported it and discussed a reasonable time table for patching or not at all). Or know the risk of full disclosure and go with that, but still never post a exploit like that online like that.
2. Any idea of a joke that involves the authorities should trigger a "Yeah, authorities are not well known for their sense of humor. They tend to not be amused" moment.
Edit: The attack against 911 was in the code itself and that argument won't stand a second in Court.
Like any new technology early adopters pay way more, because economies of scale have yet to be achieved. Musk knows this, same with Tesla, he is marketing to a high-income target market first, because they are the ideal early adopters and it's easier to scale down rather than scale up features in a product.
And factoring in subsidies, electricity cost savings over a period 5-10 years, it might be more affordable than you think.
To go with Lemmy "Regrets are always late and usually pointless" and to go with Frank "... I have a few, but then again too few to mention", except 1. not marrying her.
I feel like I might really dive into this conversation.
Technically feasible, yes, agreed. The simulations tell us this much, that at point T+x, we could have a green electricity grid, but you have to take into account the process of getting there and that means economics and politics. And there's a lot of half-measure that seem green, but just kick the can.
Ok, from the engineering side, the flexible, dispatchable sources will be required like I said, can't fully remove them. They can be hydro, which is clean and great, but it's not universally available and were it is, it's expensive to setup and tends to wreck local ecosystems. In most developing countries, the flexible source will remain what is already available most likely, at least in the short-medium term, and that is coal and gas. (this will be mostly for economic reasons)
... “renewable electricity generation from technologies that are commercially available today, in combination with a more flexible electric system, is more than adequate to supply 80% of total U.S. electricity generation in 2050 while meeting electricity demand on an hourly basis in every region of the United States.” ... That's why the time frame is 30+ years and that's in the US. What about less developed countries ? What's the time frame there ?
What I'm saying is: we will get there eventually, we really need to, our survival as a race might well depend on it, but it's going to be one hell of a ride, it's going to take a while and it will occur at different paces in different places.
And that you need a combined approach in terms of policy as well: investments, direct grants or subsidies for large producers for new and existing renewable plants and transmission infrastructure / public-private partnership projects (depending on your countries economic preferences), incentivizing individuals to go green (ex: subsidies on solar panel purchases by homeowners in Germany, government backed buybacks of old cars, subsidies for electric cars), better environmental standards, incentives for green certifications and an actual independent third-party validation of the companies that receive/offer said certificates, increased power to government environmental agencies (don't overdue it, point is not to shrug Atlas through punitive measures, but to get them to work towards going green), tax-breaks for companies that can prove low-emission is an option, but would probably be a bureaucratic nightmare, carbon-tax and myriad of other tweaks and measures.
And the 'Free Market' doesn't like any of this. Politics and economics, not just the greatest engineering challenge we have undertaken to date.
Technically yes, economically difficult for most nations, if it's approached at this level.
Germany has had an interesting approach to solar, where they subsidized solar panels for homeowners. I think it is the smarter approach because you incentives individuals to go green, rather than trying to implement a top down solution.
And even so, we will need to keep power plants on call for redundancy and high load purposes.
Solar and wind based energy production is not going to fully or even mostly replace our gas/coal burners because they lack constant and predictable outputs.
Also, we have neither infrastructure for storing power at this level, nor would it be economically feasible.
Hydro and geo-thermal are better sources in this sense, but neither are abundant and have their own drawbacks.
'- promote the use of electricity and natural gas in place of coal' - Only valid if the electricity is produced by means other than burning fossil fuels, otherwise you are just moving the problem up the supply chain.
Same way with electric cars, if the electricity is still being produced by dirty means, it is not all that impressive a reduction in poluttion or emissions, it's just moving the problem up the chain.
Not trying to sound defeatist or anything, it's just not a complete solution, still seem like band aid attempts by themselves.
- The usual conversation - I ask them: "Do you have curtains ?" and they say: "Yes, of course" and I ask "Why ? I mean you have nothing to hide right ? What does it matter if someone can see what you are doing inside your house ?", usually they freeze for a second, "Because it's creepy". I continue "Well if it's creepy that someone would watch you in your house, isn't it just as creepy if they watched you online, what you read, what porn you watch, what you talk to your friends about ? Which do you think tells more about who you are ?". At this point silence and an increasingly worried look is the norm. I keep going: "It's not about hiding anything, it's about what is private. Otherwise why not tell everyone your darkest secret, your greatest fears, the thing you are most ashamed of doing in your life ? And that's why you should do [this or that]"
But even so, it's true most default back quickly. Still a few call, ask, improve their practices. People only seem to take it seriously after they have been directly impacted in a powerfully damaging way.
Edit: I have obviously had this conversation enough times to make this script in dealing with it. If you have to do it more than twice, automate it. :)