On the post: Trump Muzzles Federal Employees; Reporters Start Asking For Leaks
Re: Hopefully Trump doesn't go after the AP like Obama did
On the post: Trump Muzzles Federal Employees; Reporters Start Asking For Leaks
Re: Hm
You may think you don't care about HHS. But consider that the operating divisions for HHS include, but are not limited to:
more here: https://www.hhs.gov/about/agencies/orgchart/
These all roll up under HHS, and are presumably all subject to this gag order, given HHS as the parent organization.
US Department of Commerce? Yeah. That includes:
Also all presumably under a gag order.
More here: https://www.commerce.gov/sites/commerce.gov/files/media/files/2015/docorgchartfinal.pdf
One or two of those might be important.
On the post: Arrested Flag Burner Sues Arresting Officers
Re: Re: Burning Flags - So Asinine
"Polite" people rarely get noticed enough to make history.
On the post: Arrested Flag Burner Sues Arresting Officers
Re: Strange
It's all about the feels.
On the post: Arrested Flag Burner Sues Arresting Officers
Re: Get money from the state
Prediction: there will be a payout, and the case will quietly go away.
On the post: Baltimore Ravens Owner Has Ingenious Solution For NFL Ratings Drop: Stop Annoying Fans With Too Many Ads
Re: Re: Be careful what we wish for
On the post: Baltimore Ravens Owner Has Ingenious Solution For NFL Ratings Drop: Stop Annoying Fans With Too Many Ads
Re: Be careful what we wish for
They already do a lot of near-real-time video modification (line of scrimmage, first-down lines, player highlights).
What if, instead of a football, they simply replace the football with, say, a can of Coors Light trailing a silver line (so you can see the trajectory)? Or replace all the linemen with images of pick-up trucks, the QB as a Tesla, and the receivers as Cadillacs. Catching cans of Coors. With a ticker sponsored by MADD (Mothers Against Drunk Driving) on the bottom of the page.
The whole field can be replaced with a Verizon/TMo/whoever network map, showing how well mobile connections can be established from point A to B.
The possibilities are nearly limitless.
On the post: Techdirt's First Amendment Fight For Its Life
Re: Re: Re: Re: Re: Re: Re: Re: Re: What goes around, comes around
Not "may". "will".
On the post: Amazon Refuses To Comply With Police Request For Amazon Echo Recordings In Murder Case
Re: did they overlook this?
"On a separate note do you think that Amazon refused the request because it turns out they've got recordings of everything from the factory QA testing forward for every device?"
IMHO, probably not.
For that to be the case, Amazon would have to upload the data at some point, and the first thing privacy wonks do with a device like this is throw up a sniffer and watch all of the traffic these things emanate.
If they were seeing anything like a constant data stream or unreasonably large periodic bulk flows from an Alexa device to the mother ship, they'd have screamed about it.
Given what the device does, the outbound data flows will follow fairly predictable patterns if it's truly behaving as advertised.
On the post: Amazon Refuses To Comply With Police Request For Amazon Echo Recordings In Murder Case
Re: Semi secure at best
Someone needs to open up an Alexa and determine if that button is software-driven, or is hard-wired into the electrical path to the microphones.
I'm guessing it's software-controlled, in which case, it's going to be fairly easy to circumvent with an updated/custom OS.
On the post: Amazon Refuses To Comply With Police Request For Amazon Echo Recordings In Murder Case
There are 3 things (at least), not 2 to worry about.
"...and then you have two potential problems: first, what does the company giving you the service do with that info and, second, what would third parties (e.g., law enforcement or hackers) like to do with that info if they could get a hold of it."
Actually, you have at least 3 potential problems: the two above, plus: how long will it be before Amazon is presented with - or is compelled to produce - an "Alexa, Law-Enforcement" version of their software for targeted installation on these devices, along with the new, standard-issue Rule 41-based warrant + gag order?
The code to build an Alexa on a Raspberry Pi is already on GitHub; it's not a stretch to tweak it from "watch for keyword and upload next 30 seconds of audio" to "upload all audio."
Amazon didn't say "come back with a warrant" out of the goodness of their hearts. They don't want the US Government to kill what could end up being their flagship product in its infancy.
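The two Echo comments above make one point from opposite directions: a device that only ships audio after a wake word has a sparse, bursty egress profile, and a firmware tweak to "upload all audio" would show up on the wire as a constant stream to the mother ship. What follows is an added example, not code from the commenter or from Amazon, of the check a home-network sniffer would run over flow records to tell those profiles apart. The device and upstream addresses, the 60-minute sample flows and every threshold are constructed assumptions for illustration, not measurements of a real device.

```python
from datetime import datetime, timedelta

DEVICE_IP = "192.168.1.42"     # assumed LAN address of the voice assistant (example value)
CLOUD_IP = "203.0.113.10"      # placeholder upstream endpoint (TEST-NET-3 documentation range)
T0 = datetime(2016, 12, 28, 21, 0)


def outbound_per_minute(flows, device_ip, start, minutes):
    """Outbound bytes from device_ip in each one-minute slot of [start, start + minutes)."""
    slots = [0] * minutes
    for ts, src, _dst, nbytes in flows:
        if src != device_ip:
            continue                      # traffic *to* the device is not egress
        idx = int((ts - start).total_seconds() // 60)
        if 0 <= idx < minutes:
            slots[idx] += nbytes
    return slots


def classify_egress(slots, active_bytes=20_000, active_ratio=0.75, bulk_bytes=2_000_000):
    """Label the device's outbound profile over the observed window.

    'constant_stream' : at least active_ratio of the minutes carry more than active_bytes,
                        i.e. the device never stops talking home
    'bulk_upload'     : a single minute carries more than bulk_bytes, far more than a few
                        seconds of audio after a wake word
    'ok'              : sparse, small bursts, the advertised wake-word behaviour
    Minutes under active_bytes are ignored so small periodic keepalives alone do not trip
    the stream rule. All thresholds are assumptions chosen for this example.
    """
    if not slots:
        return "ok"
    active = sum(1 for b in slots if b > active_bytes)
    if active / len(slots) >= active_ratio:
        return "constant_stream"
    if any(b > bulk_bytes for b in slots):
        return "bulk_upload"
    return "ok"


def sample_flows(profile):
    """Constructed 60-minute flow records (timestamp, src, dst, bytes); not a real capture.

    'wake_word' : three ~150 KB uploads, the 'keyword, then 30 seconds of audio' pattern
    'stream'    : ~240 KB every minute, what 'upload all audio' would look like on the wire
    'bulk'      : quiet all hour, then one 6 MB dump
    Every profile also carries a 1 KB keepalive each minute and one 500 KB inbound response.
    """
    flows = [(T0 + timedelta(minutes=m, seconds=5), DEVICE_IP, CLOUD_IP, 1_000) for m in range(60)]
    flows.append((T0 + timedelta(minutes=5, seconds=20), CLOUD_IP, DEVICE_IP, 500_000))
    if profile == "wake_word":
        flows += [(T0 + timedelta(minutes=m, seconds=12), DEVICE_IP, CLOUD_IP, 150_000)
                  for m in (3, 17, 41)]
    elif profile == "stream":
        flows += [(T0 + timedelta(minutes=m, seconds=30), DEVICE_IP, CLOUD_IP, 240_000)
                  for m in range(60)]
    elif profile == "bulk":
        flows.append((T0 + timedelta(minutes=59, seconds=1), DEVICE_IP, CLOUD_IP, 6_000_000))
    return flows


def audit(profile):
    """Run the whole pipeline on one constructed profile and return its label."""
    return classify_egress(outbound_per_minute(sample_flows(profile), DEVICE_IP, T0, 60))


if __name__ == "__main__":
    for p in ("wake_word", "stream", "bulk"):
        print(f"{p:10s} -> {audit(p)}")
```

Point it at real flow records from a router's connection tracking or a flow collector and the only thing to tune is the thresholds. The keepalive floor matters in practice: real devices do send small periodic heartbeats, and counting those as "active" minutes would make every device on the LAN look like it streams.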
On the post: Appeals Court To Cops: If You 'Don't Have Time' For 'Constitutional Bullshit,' You Don't Get Immunity
Re: Are We Learning?
It's only ok when the police do it for you.
On the post: Long Time Mass Surveillance Defenders Freak Out Now That Trump Will Have Control
Re: Not Me, Couldn't be, then Who?
Ben Wittes has (had?) a blind faith in the inherent "goodness" of the US Government, based on a vastly different set of starting assumptions.
Now, he's being forced to revisit some of his first principles. This is a good thing, because he's respected in his communities in ways that groups like this one are not, which means in theory he has an ability to influence said communities.
Expect some fairly sharp changes in mentality from pundits in the next couple of years. Hopefully they don't come too late to make a difference, although I expect that they have.
On the post: Election Day CyberFest: Hackers, Hacking, 'Journalism,' The FBI, And Jiveass Baloney
Insecure voting machines are nothing new
"Add into the fun a set of researchers finding (SHOCKER!) voting machines to be terribly insecure. That in itself isn't new, but letting everyone in on how exactly to do it certainly is."
People have been ringing the "holy crap, voting machines are insecure" bell publicly for more than a decade.
See: https://citp.princeton.edu/research/voting/
Their paper was published in Sept. 2006, but was pretty much ignored by mainstream media.
On the post: 'Nice Internet You've Got There... You Wouldn't Want Something To Happen To It...'
Re: Re: Re: Re: Re: Nerd Harder!
But fundamentally, if we want anything resembling a secure IoT, we're going to have to figure out a way to make it more expensive for companies to ship a vulnerable product than it is for them to fix it first, because the attack surface isn't going to get smaller.
On the post: 'Nice Internet You've Got There... You Wouldn't Want Something To Happen To It...'
Re: Re: Re: Re: Nerd Harder!
Here's a more solid start, based on use of MITRE's CVE system.
Assume Samsung is selling IoT-enabled toasters, because why not. Everything's better with a network stack. Anyway, MSRP on this toaster is $100 USD and Samsung releases the product Jan. 1, 2017, and ships 1000 toasters.
Now, if there are no open CVEs on any component of the IoT stack on this toaster in the 90 days before Samsung ships, they're effectively insulated from liability. Oh, and in that world, the sky is fuchsia.
But, if there _is_ an open CVE that was announced >= 90 days before Samsung launches the product, _and_ it gets exploited, Samsung is on the hook for 5% of the MSRP for each unit sold of said product for every 90 days of age on the CVE.
Example: Samsung begins selling their IoT-enabled toaster (MSRP == $100 USD) on Jan. 1, 2017. And they sold 1000 of them on day 1. Said toaster has a vulnerability that was announced on Aug. 15, 2016 (just outside the 90-day grace period). If one of these toasters gets exploited and causes trouble, Samsung is going to write a check for (5% of $100) == $5 for each of the 1000 toasters sold as of the date of the CVE being exploited, plus the same fine going forward for each non-patched unit they sell.
Now, pretend that vuln wasn't announced on Aug. 15, 2016, but on Aug. 1, 2016. Same ship date, same quantity. Except now, instead of 5% per toaster, it's 10%. Add 5% for every 90-day interval of CVE age. Also, allow the total penalty per unit to exceed 100% of MSRP with no upper bound. So, you release an IoT-enabled toaster with a 12-year-old ssh vuln, and it gets exploited? Assume 4 90-day periods per year to make it easy; now your penalty is (48 * $5) = $240 * 1000 = $240k in fines for each $100 MSRP toaster you sold.
And why use MSRP as the basis for the penalty? Well, because it's both easy to validate and publicly verifiable.
No grace period, no appeal, cut a check to a high school to fund a secure coding class, because CVEs are public and there's no way the organization "couldn't have known".
Oh, and multiple CVEs? 5% per CVE, and scale it out.
If you can verifiably patch these toasters 100%, then you restart the clock from the time the patch was pushed to the toaster. If you can't patch them, well, eventually you'll get to write a check big enough to make the board pay attention.
Bonus: Specifically disallow said penalties as a loss for tax purposes.
As to your other question: it's a Samsung toaster running Google code, Samsung pays. It's their label. If Samsung wants to go back and fight it out with Google based on contract terms, that's fine, Samsung can attempt to recoup their (already paid) losses from Google.
(yeah, I know. There's no chance this or anything like it will ever happen.)
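The proposal above is really a formula, so here it is worked through as an added example (my code, not the commenter's): 5% of MSRP per CVE for each full 90-day interval of CVE age, nothing inside the 90-day grace window, no upper bound, multiple CVEs summed, and a verified fleet-wide patch restarting the clock. Counting full 90-day intervals at the date the exploit is assessed is my reading of "for every 90 days of age"; the CVE identifiers are placeholders constructed for the example, not real entries. Amounts are integer cents so the arithmetic is exact.

```python
from datetime import date

INTERVAL_DAYS = 90      # one "90 days of age" step, as in the proposal
RATE_PCT = 5            # 5% of MSRP per CVE per full interval, uncapped


def full_intervals(announced, assessed_on, clock_reset=None, interval_days=INTERVAL_DAYS):
    """Full interval_days periods of CVE age at the assessment date.

    Inside the grace window (age < interval_days) this is 0, so nothing accrues.
    clock_reset is the date a verified fleet-wide patch was pushed; age counts from the
    later of announcement and reset (the 'restart the clock' rule as read here).
    """
    start = max(announced, clock_reset) if clock_reset else announced
    return max((assessed_on - start).days, 0) // interval_days


def per_unit_penalty_cents(cves, assessed_on, msrp_cents, rate_pct=RATE_PCT):
    """rate_pct% of MSRP per full interval, summed over every CVE; integer cents, no ceiling."""
    total = 0
    for cve in cves:
        n = full_intervals(cve["announced"], assessed_on, cve.get("patched"))
        total += msrp_cents * rate_pct * n // 100
    return total


def exposure(cves, assessed_on, msrp_cents, units_sold, rate_pct=RATE_PCT):
    """Release-gate view: what is owed if an exploit lands on assessed_on.

    Returns (per_unit_cents, total_cents, ids of CVEs that are accruing penalty).
    """
    per_unit = per_unit_penalty_cents(cves, assessed_on, msrp_cents, rate_pct)
    accruing = [c["id"] for c in cves
                if full_intervals(c["announced"], assessed_on, c.get("patched")) > 0]
    return per_unit, per_unit * units_sold, accruing


# Scenario from the comment: $100 toaster, 1000 units sold on launch day, Jan. 1, 2017.
SHIP = date(2017, 1, 1)
MSRP_CENTS = 100_00
UNITS = 1000

# Placeholder ids constructed for the example; dates chosen to match the comment's cases.
IN_GRACE = {"id": "example-cve-1", "announced": date(2016, 11, 1)}   # 61 days old: inside the window
JUST_OUT = {"id": "example-cve-2", "announced": date(2016, 8, 15)}   # 139 days old: one full interval
TWELVE_YRS = {"id": "example-cve-3", "announced": date(2005, 1, 1)}  # the '12 year old ssh vuln'
PATCHED = {"id": "example-cve-3", "announced": date(2005, 1, 1),
           "patched": date(2016, 12, 1)}                             # same bug, fleet patched pre-launch

if __name__ == "__main__":
    cases = [("grace only", [IN_GRACE]), ("Aug. 15 CVE", [JUST_OUT]),
             ("12-year-old CVE", [TWELVE_YRS]), ("both open", [JUST_OUT, TWELVE_YRS]),
             ("12-year-old, patched", [PATCHED])]
    for label, cves in cases:
        per_unit, total, ids = exposure(cves, SHIP, MSRP_CENTS, UNITS)
        print(f"{label:22s} per unit ${per_unit / 100:,.2f}  total ${total / 100:,.2f}  accruing={ids}")
```

The comment's own numbers fall out directly: the Aug. 15 CVE costs $5 per unit ($5,000 for the launch batch) and the twelve-year-old bug 48 intervals, $240 per unit and $240,000 for the batch, with the two adding rather than capping. Running the same function with a planned ship date and the component SBOM's open CVEs before launch is the "make it cheaper to fix first" calculation the proposal is asking vendors to do.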
On the post: 'Nice Internet You've Got There... You Wouldn't Want Something To Happen To It...'
Re: Re: Nerd Harder!
Make companies financially liable for security issues in their products in a way that makes securing their software less expensive than not.
Until that happens, this type of issue isn't going to get better.
On the post: FBI Director: We Need More Data On Police Shootings So Law Enforcement Can 'Change The Narrative'
Re: Comey's remarks show two parts of the problem
The raw data must also be released to the public for independent researchers to evaluate, in near-real time.
On the post: Yahoo Issues Tone Deaf Non-Denial Denial Of Email Scanning Report
Re: "What we do is legal" and "Our policy is to do X" are standard boilerplate responses.
On the post: Johnson & Johnson Warns Insulin Pump Owners They Could Be Killed By Hackers
Re: Re: Re: