|
https://arstechnica.com/security/2017/04/rash-of-in-the-wild-attacks-permanently-destroys-poorly-secured-iot-devices/ lol
|
# ? Apr 7, 2017 22:00 |
|
|
Are these things accessible because they use UPnP or are people port forwarding?
|
# ? Apr 7, 2017 22:10 |
|
The IoT rules
|
# ? Apr 7, 2017 22:11 |
|
Thanks Ants posted:Are these things accessible because they use UPnP or are people port forwarding? Little of column A/little of column B. YOSPOS secfuck thread used to be called "The S in IoT stands for Security"
|
# ? Apr 7, 2017 22:13 |
|
Thanks Ants posted:There's a lot of IoT that is just some dumb board being told what to do by AWS Lambda functions, which are great for learning but yes, the product needs to have some logic in there as well. If you have a thermostat that you can control via your phone then when you're at home the control path for that device shouldn't be to use the app to change something on a web service and then wait for the thermostat to retrieve it. Those AWS connected devices all need to be running a Linux too. At least they offer a C version along with the JavaScript! Except everyone is using the JavaScript. That's why your pet food dispenser needs a cortex A15 more powerful than your typical desktop from 15 years ago to run. Amazon is now pushing something called "green grass" which allows AWS lambdas to be run directly on the devices or some such. Minimum requirements? At least one Armv6 core at 1GHz, 256MB ram.
|
# ? Apr 7, 2017 22:22 |
Thanks Ants posted:Are these things accessible because they use UPnP or are people port forwarding? Mostly the former. Good luck explaining to the masses about port forwarding.
|
|
# ? Apr 7, 2017 22:23 |
|
hobbesmaster posted:Amazon is now pushing something called "green grass" which allows AWS lambdas to be run directly on the devices or some such. Minimum requirements? At least one Armv6 core at 1GHz, 256MB ram. Wow, you mean now I can run software on a local device? :O
|
# ? Apr 7, 2017 22:35 |
|
If this isn't the right place, sorry. I successfully installed streisand on a VPS. I have dd-wrt on my router, so I enabled the OpenVPN client and followed the streisand server's Linux client instructions, pasting the four certificates from the unified file into the corresponding fields in dd-wrt and choosing the other options that matched. However, when I applied, I lost my internet connection. It looks like at least two other people have had the same issue: reddit. Is this some fundamental mismatch between streisand and dd-wrt, or did I just cock up a setting somewhere?
|
# ? Apr 8, 2017 02:27 |
|
vOv posted:Wow, you mean now I can run software on a local device? :O It's called fog computing. I'm serious
|
# ? Apr 8, 2017 03:07 |
|
Thanks Ants posted:Are these things accessible because they use UPnP or are people port forwarding? They're mostly consumer routers. hobbesmaster posted:Those AWS connected devices all need to be running a Linux too. At least they offer a C version along with the JavaScript! Except everyone is using the JavaScript. That's why your pet food dispenser needs a cortex A15 more powerful than your typical desktop from 15 years ago to run. Amazon's model for Greengrass stuff is decent. You have a hub with reasonable intelligence that can sustain some functionality if the connection goes down, and acts as a central communication point for all the dumb sensors and whatnot running on the local network. The dumb stuff talks to the hub via purely local MQTT, instead of exposing a buggy http server to the world via UPNP or something. Done right, the sensors can be dumber and lower-powered, the hub is a smaller, better-hardened potential attack surface, and the whole system doesn't poo poo itself when connectivity drops for a minute. Running the same code locally and externally means that it's easy to develop as a single platform, and in a larger commercial/industrial setting, you can tune what runs best locally versus in the cloud with minimal hassle. (meanwhile, back in reality, consumer IOT devices will continue to be put together by absolute poo poo-tier developers copy-pasting outdated versions of bad sample code, commercial systems will continue to be implemented on tight schedules that abandon security as unfinished /*FIXME!*/ tech debt that never leaves the backlog, and like many other AWS services, Greengrass is supposed to provide a convenient path to vendor lock-in - but none of that is really a surprise)
|
# ? Apr 8, 2017 06:13 |
|
Space Gopher posted:They're mostly consumer routers. The problem is that it's the gateways that are misconfigured not the cortex m0 talking to it over ble/zigbee/whatever. Possibly harder is the need to get consumers to use a separate IoT gateway from whatever cheap thing they got from their ISP. The average consumer wifi router doesn't meet the minimum requirements.
|
# ? Apr 8, 2017 07:46 |
|
Some companies use Javascript to run their IoT devices? Seriously?
|
# ? Apr 8, 2017 10:36 |
|
Sure. It's designed to be embedded, it has faster VMs than for any other scripting language, and a huge number of resources for working with it. You'd rather have people writing C?
|
# ? Apr 8, 2017 11:30 |
|
Subjunctive posted:Sure. It's designed to be embedded, it has faster VMs than for any other scripting language, and a huge number of resources for working with it. You'd rather have people writing C? Only in modern processors you'd use in phones. Node.js on an arm9 is an order of magnitude slower than anything else.
|
# ? Apr 8, 2017 18:02 |
|
hobbesmaster posted:The problem is that it's the gateways that are misconfigured not the cortex m0 talking to it over ble/zigbee/whatever. Possibly harder is the need to get consumers to use a separate IoT gateway from whatever cheap thing they got from their ISP. The average consumer wifi router doesn't meet the minimum requirements. Yes - and the selling point here is that Amazon manages the actual communication logistics, including auth and encryption. You write application code and put it on their managed platform. Amazon's not perfect, but they're way better than random poo poo-tier IOT developer #420 who's rollin' their own auth with "if (password == "s|_|pers3cret")..." As for the hardware, it's kind of a moot point. It's not like the platform software is going to be installed and configured on old routers. It's mainly targeted at commercial operations that are OK with a small appliance to run their cloud enabled HVAC/lighting system or whatever. Any consumer bridge that does adopt it, though, isn't going to have too much trouble. It'll run on a Raspberry Pi Zero, which retails for all of . hobbesmaster posted:Only in modern processors you'd use in phones. Node.js on an arm9 is an order of magnitude slower than anything else. 99.9% of the time speed won't matter. You can seamlessly call larger-scale services, so you put your dumb "is this even worth caring about?" conditionals and low-latency responses close to the device, and push anything that requires actual work out into the massive compute fabric you're connected to (all at a very low price per gigabyte-second of AWS Lambda time, of course, so cheap that you should never worry about future costs). Node is lovely for anything complex, but it's easy to write, it's easy to make calls out to the world, and there's a robust API ecosystem for whatever integration you want to do. It's good enough for if-conditional-then-call and queuing up events to POST everything about what you do to gently caress-yo-privacy.net at one hour intervals.
|
# ? Apr 8, 2017 19:41 |
|
Subjunctive posted:Sure. It's designed to be embedded, it has faster VMs than for any other scripting language, and a huge number of resources for working with it. You'd rather have people writing C? Well, yeah. It seems just more efficient for devices that are supposed to be (or should be) low power.
|
# ? Apr 8, 2017 20:02 |
|
So this came across my feed: https://twitter.com/Snowden/status/850766326943690752 Haven't had a chance to look through it yet.
|
# ? Apr 8, 2017 20:07 |
|
I'll be surprised if that was written by someone with English as a first language
|
# ? Apr 8, 2017 20:20 |
|
Da, tovarisch, I am American who wants MAGA. Pozhalucta give Ukraine to Putin.
|
# ? Apr 8, 2017 20:22 |
|
Also topical: after hearing about the whole thing with the Feds trying to get Twitter to cough up the information for that AltCIS twitter, I have a question. Is there a way to keep your identity secret doing something like that, or is it just a matter of how badly the government wants to find you? I know they can see through TOR, I presume they can "get past" (wrong term) proxies. Using public wifi seems like it would help a bit, but on the other hand they could use that to narrow down which employees live in the area (assuming it's a real employee) and start staking those places out. I doubt they would really pay for the thousands of man-hours to fire/discredit an employee that might not even be an employee, but I'm speaking hypothetically. I'm assuming it's a matter of the government having millions of times the resources and expertise of a normal person, but I know basically nothing about infosec.
|
# ? Apr 8, 2017 20:29 |
|
Furism posted:Well, yeah. It seems just more efficient for devices that are supposed to be (or should be) low power. Nobody should ever write anything connected to the internet in C. hobbesmaster posted:Only in modern processors you'd use in phones. Node.js on an arm9 is an order of magnitude slower than anything else. What scripting language is faster than V8 on those platforms?
|
# ? Apr 8, 2017 20:36 |
|
Subjunctive posted:Nobody should ever write anything connected to the internet in C. Python, perl, etc. V8 cut off armv5 support years ago and there's still a ton of arm9s being put into new products because they're still the cheapest way to get a full Linux system running on a router/etc. Remember all numbers in JavaScript are floats and FPUs are not a given.
|
# ? Apr 8, 2017 20:41 |
|
Subjunctive posted:Nobody should ever write anything connected to the internet in C. As long as you religiously query the API about data sizes and allocate appropriately before receiving anything, it's safe as houses.
|
# ? Apr 8, 2017 20:45 |
|
Subjunctive posted:Nobody should ever write anything connected to the internet in C. Remove all kernels from existence. And all underlying libraries.
|
# ? Apr 8, 2017 20:48 |
|
ratbert90 posted:Remove all kernels from existence. And all underlying libraries. Don't roll your own sockets
|
# ? Apr 8, 2017 20:49 |
|
ratbert90 posted:Remove all kernels from existence. And all underlying libraries. I assume he meant new applications which is reasonable because there's even good C++ compilers for smaller microcontrollers now.
|
# ? Apr 8, 2017 20:53 |
|
22 Eargesplitten posted:I'm assuming it's a matter of the government having millions of times the resources and expertise of a normal person, but I know basically nothing about infosec. mickens' "mossad vs not mossad" threat model comes to mind: https://www.usenix.org/system/files/1401_08-12_mickens.pdf if a nation state really, really, really wants you, good luck. use signal, use tor, use salt circles, use prayer. in the actual case you're talking about though, it's extremely unlikely anybody in sigint would give the remotest of shits who that person is so they're going to be fine as long as it's dipshit investigators sending bad legal threats to twitter instead of a serious unmasking attempt
|
# ? Apr 8, 2017 21:00 |
|
That first paragraph is the weirdest Lorem Ipsum I've ever read. Despite his seeming need to make a joke every sentence (Is he a goon?), I get what he's saying. It's a good point, there are some things that just aren't worth bothering about since there's nothing you can do about them. Protect yourself from the more likely threats. That's why I use Bittorrent Sync to sync up my Keepass across my devices, if someone is listening closely enough to know what that is at that exact moment I should stop pissing off the NSA. Someone's going to tell me why that's a bad method, aren't they?
|
# ? Apr 8, 2017 22:27 |
|
hobbesmaster posted:Remember all numbers in JavaScript are floats and FPUs are not a given. I worked on JS engines off and on for the better part of a decade, yeah. They're specified as floats, but most engines have integer representation and optimizations, so you don't get FP instructions issued unless you use floats or exceed +/-2^30. Actually, all do, going back to the mid-90s. Is FP performance really bogging things down? ratbert90 posted:Remove all kernels from existence. And all underlying libraries. Or get them out of C, but unironically yes. Even modern C++ would be much better.
|
# ? Apr 8, 2017 23:11 |
|
Subjunctive posted:Is FP performance really bogging things down? The minimum requirement for V8 and Node.js for the past 5 years or so is armv6 with VFPv2. The last versions that did support targets with softfp were horrendously slow; think a minute to execute the simplest commands on an arm926 at 400Mhz with 256mb of ram. You are correct of course, there is no need for this to be the case but it is the reality of current JavaScript. They just don't care. Which is a pity because arm9s are dirt cheap, run real Linux distributions and are more than powerful enough to run your smart coffeemaker or whatever. They've been running everyone's home internet connection for what 15 years now?
|
# ? Apr 8, 2017 23:44 |
|
22 Eargesplitten posted:That first paragraph is the weirdest Lorem Ipsum I've ever read. i had a bit of an internal scream when i saw bittorrent, but tbh i know gently caress all about the protocol these days and from ten seconds on google "bittorent sync" is some kind of private tracker thing where everything in the swarm is under your control? i genuinely have no idea how good or bad that is but there's probably somebody here who does
|
# ? Apr 9, 2017 02:02 |
|
It's fine but you may also wish to consider syncthing which is free and open source
|
# ? Apr 9, 2017 02:25 |
|
It's a program/app that on demand synchronizes selected files between two linked devices on the same network. Not sure how related it actually is to a torrent. I'll try that other one, if there's an Android version too. I know it's probably more secure to not have it on my phone, but I have a password somewhere around 250-300 entropy bits, so I should have time to change all of the passwords in the manager before anyone got in.
|
# ? Apr 9, 2017 03:03 |
|
Has anyone taken Offensive Security's AWE course and/or the OSEE certification lab, either in-house or at Black Hat? I'm thinking about bringing them in but some feedback regarding the quality and depth would be awesome.
|
# ? Apr 9, 2017 03:06 |
|
So someone hacked a bunch of tornado sirens... https://patch.com/us/across-america/dallas-hacker-blamed-triggering-citys-tornado-sirens Aside: my favorite IoT hack was a while back when someone hijacked these FM transmitters (the ones way out in the boonies where the broadcasting towers are) and replaced the regularly scheduled programming with a very esoteric and very NC-17 rated podcast.
|
# ? Apr 9, 2017 13:37 |
|
Link to story about the podcast hack?
|
# ? Apr 9, 2017 15:05 |
|
ohgodwhat posted:Da, tovarisch, I am American who wants MAGA. Pozhalucta give Ukraine to Putin. Yup, looks legit. Looks like they're mostly exploits for vulnerabilities that have already been patched, so probably targeting intermediaries that never update their poo poo (read: every one of them). Oh, and a bunch of Solaris attacks because lol Oracle.
|
# ? Apr 9, 2017 15:18 |
|
flosofl posted:https://arstechnica.com/security/2017/04/rash-of-in-the-wild-attacks-permanently-destroys-poorly-secured-iot-devices/ loving GOOD! People have been kind of harping on me because I just hate anything related to the cloud or iot and now people are finally loving realizing that this poo poo is totally hosed up. It is literally the reason I had my avatar changed because someone decided to give me red text saying the cloud is stupid and to be feared in jest, now see what poo poo could happen? Because a device needs to talk to things, servers or otherwise, it is still talking to the outside which means it has to listen (at some point). People don't loving need coasters (there was a kickstarter for one to make sure everyone drank enough water), teddy bears, toasters, fridges, tvs, or what-the-poo poo YOUR PHYSICAL DOOR LOCKS to talk to the outside. What this attack did is now these manufacturers need to answer why the machine was compromised (which we already know why) but, most importantly, either may or may not pay their customer. If the customers don't receive enough compensation I believe this is going to spread distrust from the customer base into the lovely iot industry. Just imagine... A world where the cloud is seen as a risk (which all companies need to do even when considering something as tried and true like AWS) you need to consider instead of a magical, do nothing wrong, service
|
# ? Apr 9, 2017 15:39 |
|
I loving love Cloud To Butt right now.
|
# ? Apr 9, 2017 15:41 |
|
|
andrew smash posted:Link to story about the podcast hack? https://arstechnica.com/security/2016/04/nation-wide-radio-station-hack-airs-hours-of-vulgar-furry-sex-ramblings/
|
# ? Apr 9, 2017 16:08 |