'That's not a bug, it's a feature' takes on a darker tone when malware's involved

One of the charms of coding is that malice can be indistinguishable from incompetence. Last week's Who, Me? story about financial transfer test software running amok is a case in point. The hapless dev left code running overnight that should have moved a single cent in and out of his test account. Instead, it machine-gunned $ …

  1. RegGuy1

    The S in IoT stands for Security

    Security is always going to be difficult. But some things are obvious: always have a choke point (a firewall) through which your external traffic must pass. Dedicate this device to only controlling traffic flow, and put as little code on there as possible, the fewer bells and whistles a firewall has the better it should be. Reduce the types of traffic to the bare minimum. Have these choke points actively managed with alerts being followed up by humans (yes, I know they cost money...).

    As soon as anything is on the network there is a risk. And remember: The S in IoT stands for Security. :-)

    1. Anonymous Coward
      Anonymous Coward

      Re: The S in IoT stands for Security

      A seasonal carol:

      "No ess, no ess,

      "No ess, no ess,

      "Gorged is the king of pwning the mess."

  2. GNU Enjoyer
    Headmaster

    Firmware requires firmness

    TP-Link routers do not run firmware, as that is socketed {P}ROM chips containing microprocessor instructions (the only correct meaning, as that is the only one that makes any sense, as such configuration isn't as soft as software (as you cannot reprogram it (while with the right hardware you can burn certain bits to 0 or 1 (chip dependent) in PROM, to make slight modifications like bypassing digital handcuffs, that doesn't permit complete reprogramming)), but isn't as hard as hardware (as you can just swap the chip)).

    They run software on either a SPI EEPROM chip, or a NAND chip, which can be internally (via tftp or internal programming) or externally programmed.

    Referring to such software as firmware is quite disgraceful, as it causes people to fail to register that the device runs software (it instead runs this firmware thing, which magically can only be changed by the manufacturer) and never end up realizing that they deserve and often legally must be given the freedom to control, modify, understand, share and/or replace the software.

  3. chuckufarley Silver badge

    Sometimes there is third party...

    ...software that can be run on these devices, but unless you literally roll your own distro you must place your trust in the lone random person maintaining the image compatible with your device. They might not even be in Nebraska...

    1. John Riddoch
      Pint

      Re: Sometimes there is third party...

      Have a beer for the XKCD reference :)

    2. Dom 3

      Re: Sometimes there is third party...

      I've got two TP-link micro-routers, both running the OpenWRT Linux distro.

  4. pc-fluesterer.info
    Big Brother

    And what about US-gear?

    Nice talk about foreign gear. But what about US? Cisco, Citrix and the rest of the gang? They are riddled with backdoors as well. "Forgotten" hardcoded admin credentials and the like. Remember: the Chinese attacks against US telcos exploited backdoors in place for the government.

    There is no "good" backdoor!

    Proprietary (closed-source) products cannot be trusted, regardless of their origin.

    The only tolerably secure solution is FOSS. And even that has limitations as we all know.

    1. Anonymous Coward
      Anonymous Coward

      Re: And what about US-gear?

      Yeah, there is this point that NSA have been as culpable as How Lo. Methinks security needs to begin at the top - and I am not looking at Lo's brother.

      1. Anonymous Coward
        Anonymous Coward

        Re: And what about US-gear?

        Yes, but in this case it's a matter of which devil do you want to throw in with. On the one hand is the Chinese devil whose aim is to rule the world for the betterment of the Han Chinese, on the other hand is the US devil upon whom your national security depends. Mind you, I'll never advocate for government doing more than the bare minimum to keep society going, but given a choice I'd rather deal with the devil willing to stand between me and an invasion than with the devil willing to do the invading.

        Like us or not, being spied upon by the US is the better choice - we don't want to rule other nations. We just want their support when we're doing things. Beyond that, we don't care what you do. Besides, let's be honest - were it not for the US keeping a lid on Europe, you guys would still be fighting wars against each other just as you were for the thousand years before we came along and put a stop to them. Any European spying we do is mainly aimed at keeping you from starting yet another world war.

  5. amanfromMars 1 Silver badge

    It is a lot worse/better than dares be reported ..... lest the news terrifies humble natives

    This just in: it is. We just don't really believe it. Until we do, there's an entire industry-wide meta-vulnerability going completely unchecked. Better believe it. ® .... Rupert Goodwins/El Reg

    Rupert/El Reg, there are entire industry-wide meta-vulnerabilities completely indefensible and these be a constant and very attractive and filthy rich source of streaming reward and energy for critical vital bug exploit and export brokers/virtual terrain team players/alternative reality programmers.

    What do you imagine happens whenever gaggles of such brokers/players/programmers resolve to engage in JOINT AIDVentures* together for the Singularity that produces and presents Exclusive Inclusive, Mutually Advantageous, Positively Reinforcing ACTivity** ..... whenever to even think to attack it has one outed as a hostile enemy for suitably appropriate treatment ?

    And something to look forward to causing a right heroic stir in the New Year ‽ .

    * .......... JOINT Operations Internetworking Novel Technologies Advancing IntelAIgently Designed Ventures

    ** .......... Advanced Cyber Threat and/or Treatment ..... Advancing CyberIntelAIgent Traction

  6. Ian Johnston Silver badge

    You don't even need to embed a star player in your target company, just someone competent enough to send copies of the code under development back to the malware creators, and get their changes back into the tree.

    And how, precisely, do we think Israeli companies seem to be so good at breaking into mobile phones?

    1. Ali Dodd

      I suspect Mossad may have a hand in it with some deep implanted assets..

      1. Anonymous Coward
        Anonymous Coward

        Mossad do have a reputation for being somewhat effective at 'convincing' people to cooperate with their plans.

        So not necessary to have a deep implant, as such, as 'convinced' friends work just as well .. with less risk of being traced back to Mossad/Israel. !!!

        :)

        1. amanfromMars 1 Silver badge

          If it be true and not just a convenient and fanciful fiction that ....

          Mossad do have a reputation for being somewhat effective at 'convincing' people to cooperate with their plans. ..... Anonymous Coward

          One imagines that conviction involves and revolves and resolves itself around suitably appropriate and extremely rewarding expenses payments being magically transferred by Mossad leaderships to secretive accounts of proven worthy of gracious and grateful support players, either torrential team or rabid lone wolf?

      2. Anonymous Coward
        Anonymous Coward

        "I suspect Mossad may have a hand in it with some deep implanted assets.."

        Remember Israeli Defense / Mossad / NSO do hire Apple's engineers

  7. Anonymous Coward
    Anonymous Coward

    Is this more misdirection?

    @Rupert_Goodwins

    Nice article. But here's the thing.......the supposed malware is one thing.......but the BEHAVIOUR of the infected device is a different thing, and not mentioned.

    In order to be useful, the malware infected device must EXFILTRATE data....likely a lot of data.

    For example, in the Experian hack (which went on for at least three months, perhaps years)....terabytes of data was stolen.

    Why do we never hear about tools to identify malware by detecting suspicious network activity?

    Why is it always about hardware and software on specific devices?

    Why is it always about China....and not about Cisco or Jupiter?

    I think we should be told!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Is this more misdirection?

      "Why is it always about hardware and software on specific devices?"

      Try reading Chinese news security blogs. This one is UK ( Five eyes member ).

    2. Anonymous Coward
      Anonymous Coward

      Re: Is this more misdirection?

      Quote: "...Cisco or Jupiter..."

      You forgot about NIST!!

      Just saying!!

  8. Pete 2 Silver badge

    It's not a hack, it's a benefit

    > given the huge installed base

    Is this the point where a white-hat comes out of the shadows with an exploit that simply bricks all these devices?

    Claiming to do so for the greater good. Maybe even being a government-adjacent organisation.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's not a hack, it's a benefit

      @Pete_2

      Assumptions.........

      (1) There is actually malware in the devices, and ....

      (2) The alleged malware is in active use.....

      I thought I was paranoid.......but I never once imagined bricking millions of devices when there is no proof at all of malfeasance!!!!

      1. Anonymous Coward
        Anonymous Coward

        Re: It's not a hack, it's a benefit

        Who needs proof if we can force the rubes to buy our expensive, NSA certified, gear?

        1. Pete 2 Silver badge

          Re: It's not a hack, it's a benefit

          > buy our expensive, NSA certified, gear

          Loaded with good American malware, rather than this foreign rubbish!

  9. FirstTangoInParis Silver badge

    Cheap ….

    Thirty odd years ago I got interviewed for a job modifying bottom of the range telephone handsets for the home market. I was told I’d be allowed to spend no more than half a day on the design and 50 pence on materials. I didn’t take the job.

    I do wonder if today’s bottom end electronics is the same. I suspect it is because I’ve had USB hubs that failed after a few days. On the software front, the companies will pay low wages and will not see even the merit in spending time checking software through source code checkers and analysers.

  10. ITMA Silver badge
    Devil

    "That's not a bug, it's a feature"

    Isn't that a Microsoft line?

    1. Anonymous Coward
      Anonymous Coward

      Re: "That's not a bug, it's a feature"

      No, it's their business model.

  11. Anonymous Coward
    Anonymous Coward

    Router settings pages that only work on Edge.

    I once got a router where the settings pages only worked on Microsoft browsers due to its JavaScript intentionally requiring a Microsoft browser. Typically I don't use Windows. Router returned.

    Also, settings pages ideally should be able to work on text only browsers, without the need for JavaScript, etc...
