If this takes off
There will be security conscious people looking for a Commodore 64 on Ebay.
Vendors including Google have spent a few years crafting an API they hope to push into browsers that will make this month's Internet of Things conflagrations pale by comparison. There's not been much noise about the Web Bluetooth API, and thankfully it's not yet accepted as a standard. It probably should never be one, if you …
@Triggerfish
I'm thinking if you're technical you will be going crude in the future, y'know locks with real keys, dumb fridges, kettles whose only switch is on and off etc.
You mean like I do now? I'm already suspicious with remote locking on the car, and don't get me started on pay-by-bonk...
I agree, the thing is I think there is a boiling the frog effect going on with a lot of people. I commented on another thread about how I have techs here (I'm the least techy I'm more engineer turned PM and such, than a computer bod, the techs here have computer degrees, and Cisco quals etc), who absolutely have no qualms about Win 10 spyware (I have been accused of tinfoil hattery), or leaving themselves logged into Facebook and then commenting on how products they have browsed on their PC are now being advertised on their phones. Their response to these issues is mainly meh, or I just live with it. (Seriously even things like the Xbox app on Win 10 start menu being greyed out in add/remove programs - uninstall, five minutes google for the PowerShell script sorted it FFS).
There was a guy here who wants his Cisco security and his response to a conversation about IOT I brought up was I was worrying too much and it won't happen, non issue etc
I genuinely think they have been trained by companies and the world around them that this is the new normal, and us older buggers are just paranoid.
"I genuinely think they have been trained by companies and the world around them that this is the new normal, and us older buggers are just paranoid."
It's simply the old "experience is a dear teacher but there are those who will learn by no other". They'll learn. They'll also discover the truth of the complementary saying: "experience is something you need just before you get it".
"It's simply the old "experience is a dear teacher but there are those who will learn by no other". They'll learn. They'll also discover the truth of the complementary saying: "experience is something you need just before you get it"."
I can think of two COUNTER-sayings.
One, "If there are those who will learn by no other, what happens when a situation requires prior knowledge to live through it?"
Two, "What about those who don't get it even WITH experience?"
One, "If there are those who will learn by no other, what happens when a situation requires prior knowledge to live through it?"
Two, "What about those who don't get it even WITH experience?"
They become examples for others to learn from.
"Those who don't learn from history are condemned to repeat it."
"Their response to these issues is mainly meh, or I just live with it."
I find that younger people with no experience or wisdom in life have the "so what?" attitude. Tell the same thing to an older person and you will get the exact opposite response. The younger generation has been conditioned to accept "free" content. They happily go to the street and protest a 3 letter organization tracking us while telling Facebook all about it.
I started to word things differently. I started saying that large multi-billion dollar for-profit corporations have no business knowing anything about my personal life. Do you really think big businesses can be trusted with your personal information?
>would have been thieves who had cracked the remote locking system.
Most vehicles, not just BMW, are borked by the same flaw - also gates and doors etc with rolling codes. They just jam the receiver and copy the code sent by the fob - as long as the car etc doesn't receive the code, it can still be used.
My desktop doesn't even have any wireless functionality at all, so good luck trying to turn on a BlueTooth antenna that doesn't exist. That plus the fact that I've only got a feature phone & have disabled the BT on it (don't need it, don't have any BT devices to pair to it), so even if I did have an antenna on the computer the only thing that might talk to it is intentionally deaf.
If I had a laptop with BT I'd turn it off for the same reason as my phone, since I don't want to sync my laptop & phone, & it's much easier to plug in the USB3 crossover cable for data transfers that scream by at speeds unlikely to be reached over wifi. Oh wait, I don't have any wifi on the desktop either, so the desktop & the laptop couldn't communicate that way either.
Damn I hate to be smug, but I'll bask in the glow of being a crotchety old fart for a change.
*Moons the web devs*
Kiss my wrinkly furry ass!
=-)p
"My desktop doesn't even have any wireless functionality at all, so good luck trying to turn on a BlueTooth antenna that doesn't exist."
It seems to me that most of the general computer using population at home these days are on laptops and tablets. And from what we see and hear about average mobile phone users, all the wireless options are on by default to connect to whatever source they happen to be near at the time. I bet most of them have barely even registered the fact most if not all laptops have Bluetooth, never mind how to switch it off.
Of course, Bluetooth isn't a huge target for hackers because of the proximity requirements, but if a Bluetooth Web API goes ahead, suddenly it becomes immensely more attractive if you can hack someone's phone from the other side of the world just by scanning for vulnerable PCs or infecting popular websites.
Author is simply wrong. Why? Just think about it!
You want to use Bluetooth - for whatever reason. If you can't use/access it from your web browser, then you will have to download a native app for that. Native apps have obviously far less restrictions applied to them, than anything running inside a web browser, right? Right.
So, providing access to Bluetooth from the web browser, too, obviously can not make things any worse than they are. Actually, on the contrary: it provides a more secure environment for running Bluetooth-based apps, than that was previously available. With this, you don't have to download and install an app for that purpose any more, but can use your far more secure and restricted browser environment to do some things over Bluetooth.
And don't even get me started about how obviously there will be tons of security prompts in the browser before any web site or app can actually access the Bluetooth API or transfer any data from or to a Bluetooth device.
So, then what exactly is your problem with it? Besides your limited understanding of the browser, the web and security, that is.
"Author is simply wrong. Why? Just think about it!"
Ok, first off you make a very bold, decisive statement. So we are going to look at your following comments with interest.
"You want to use Bluetooth - for whatever reason. If you can't use/access it from your web browser, then you will have to download a native app for that. Native apps have obviously far less restrictions applied to them, than anything running inside a web browser, right? Right."
Straight away you assume that Bluetooth is being used for applications. There are other reasons why Bluetooth will be on. Silly Mac wireless keyboards, for example. In car connectivity. Bluetooth being on doesn't mean that there is an 'app' need/want.
"So, providing access to Bluetooth from the web browser, too, obviously can not make things any worse than they are. Actually, on the contrary: it provides a more secure environment for running Bluetooth-based apps, than that was previously available. With this, you don't have to download and install an app for that purpose any more, but can use your far more secure and restricted browser environment to do some things over Bluetooth."
Ok...so with all the current insecurities doing the rounds, opening up an attack vector that crosses strewn with malware web, with items that you previously didn't contaminate, possibly, in some cases have nothing to do with the actual web. Look up bluetooth and medical devices.
"And don't even get me started about how obviously there will be tons of security prompts in the browser before any web site or app can actually access the Bluetooth API or transfer any data from or to a Bluetooth device."
Ahh yes. And those security prompts will always be there? Because of, you know, no exploited bugs, malware being present. (Imagine - a world without spam! I want this utopia.)
"So, then what exactly is your problem with it? Besides your limited understanding of the browser, the web and security, that is."
I think the author was pretty clear what his problem was.
For the record I also think the author was wrong to approach this in a journalistic fashion, (ok, there is a little bit of the 'Sun what done it' in it but hey. )
He should have just stated 'This is fucking ludicrous.' and left it at that.
"Straight away you assume that Bluetooth is being used for applications"
I did nothing alike. Not that assuming it would have been wrong. Just sayin'.
"Ok...so with all the current insecurities doing the rounds, opening up an attack vector that crosses strewn with malware web"
Over your head. My whole point was that with some or most Bluetooth access potentially moved to the browser the overall attack surface will be reduced, because now you won't need to download and install native apps permanently anymore for a lot of Bluetooth-related stuff, but can simply run them on-demand from the much safer browser environment.
"Ahh yes. And those security prompts will always be there? Because of, you know, no exploited bugs, malware being present. "
There might be bugs and exploits, but they will be definitely less available from a browser environment, than they were from the native environment. So, all in all - as already explained - the attack surface and the risks will be reduced, even then when there will be some new exploits and bugs introduced.
"I think the author was pretty clear what his problem was."
You're obviously confusing two things here. Being clear about something doesn't mean being right about it. I've questioned the latter, and you're talking about the former.
"There might be bugs and exploits, but they will be definitely less available from a browser environment, than they were from the native environment."
A native application can be 'bad' of course but that's always been the case and some effort has to be made at each PC to get it installed.
For the browser, if it has a bluetooth API, that's a whole new class of malware vectors that can be installed on a webserver. That can be done by an evil webmaster or a hacker contaminating a webserver. A victim could be exposed by following interesting links in innocent webpages, as we all do. If a website is known and proven to be 'innocent' and you use it, it could be compromised in the future, etc, etc.
You thought those Flash ads auto-playing videos was bad, wait until the advertisers can ping your phone/fitbit/watch.
1) Tracking by devices - Ghost/Privacy mode won't help, They could ID your device and ID you at any machine, no FB login, no cookies required.
2) Ad now plays on your phone/BT speakers - across the room so you have to get up to make it shut up.
3) Malvertisements can now connect to your phone, send a subscribe text to a premium-rate "service" and you are a proud member of the £24.99/month Flagellation Of The Day message service.
3a) Malvertises can call premium rate numbers - £5.99/minute (or part thereof) - Dial, connect, hang up, repeat, all of the audio cues happen over BT this can go on for as long as you have that tab/window open (unless something gets borked in the implementation and closing the tab/window doesn't close the BT connection) and you may have no idea.
This is a very bad idea.
"Straight away you assume that Bluetooth is being used for applications"
I did nothing alike. Not that assuming it would have been wrong. Just sayin'.
"Ok...so with all the current insecurities doing the rounds, opening up an attack vector that crosses strewn with malware web"
Over your head. My whole point was that with some or most Bluetooth access potentially moved to the browser the overall attack surface will be reduced, because now you won't need to download and install native apps permanently anymore for a lot of Bluetooth-related stuff, but can simply run them on-demand from the much safer browser environment.
So the second bit I've emphasised is saying that with Bluetooth in the browser you won't need to download the apps that, in the first bit I've emphasised, you're denying were being used without Bluetooth in the browser? Somehow I don't think you've got your own head round your own arguments. Maybe that's why the rest of us have problems with them.
Well unfortunately browser sandboxes aren't any more secure than any other kind of sandbox. For most users they don't protect anything as most things are happening in the browser anyhow.
Yes, native apps are a problem, but since people are aware that those are shit, people might stop buying shitty devices that don't adhere to simple public protocols.
No, native applications aren't shit by default (they could be, of course). The problem with a browser is it became a generic host for code downloaded from remote mostly each time - and also too often that code includes third party code got without much control just to make money.
Users have much more control upon native applications than web ones.
There is a much higher barrier to installing an application compared to visiting a web page. Most people still wrongly assume that websites are always innocuous. If a moderately competent user installs an application, it will be from a reasonably trusted source - the manufacturer's website, or the CD that comes with the gizmo. Yes, it is possible to get users to install malware; doing so is not nearly as easy as getting them to visit a malicious website.
Also, the fact that data from the device has to go through the Internet rather than just to the app opens up all sorts of additional attacks; MITM, etc. Finally, the fact that even when everything is working as intended, the data has to go to the manufacturer's cloud has awful implications. I really don't see why Google needs to know how I set my thermostat, and I really don't want it to stop working because my Internet connection is down.
"If you can't use/access it from your web browser, then you will have to download a native app for that."
so: PART of the fix is some _REAL_ security on the IoT device end, to _PREVENT_ unauthorized bluetooth-level access from an unauthorized client, PARTICULARLY a web browser running javascript exploit code downloaded from an infected embedded advertisement...
(or whatever)
seeing as I'm involved directly with TWO different bluetooth applications that run on android, and the device(s) that the android device controls, it's a major concern.
I can foresee unauthorized firmware loads happening... so THAT much has to be protected against.
"Shudder. When I imagined that, my instinctive response was: There's a small cave up in the hills not far from my parents' place. I'm seriously thinking of taking up permanent residence in it."
I thought of that, too. Then I remembered modern ground surveillance satellites can be equipped with infrared cameras...
My toaster died yesterday.
I hit it. Hard.
Now it works again. I bet there isn't a bluetooth API for that...
I'm constantly baffled by people coming up with IoT solutions for problems that simply don't exist, and that in the vast majority of cases have simple, effective, debugged, and secure solutions already - like, er, physical keys, physical switches, thermostats...
@Neil Barnes
thermostats
With winter coming, I tried to switch the heating on. No joy. Thermostat was correctly set - but the batteries had gone flat! (admittedly after about six years, show me a Li-Ion that can do that!) - I think I need something even lower-tech - light up the wood-burner?
Surely the talkie toaster™ should have been warning enough, especially what happens to it. Twice....
Yes it's a work of sci-fi but that's where this is going.
On a side note, the people that thought of this stuff were never around public spaces when bluetooth first came onto the market and had no authentication at all - cue childish pranks involving sending rude pictures to unsuspecting yuppies in train stations just to see who looked at their phones and pulled an odd face.
Now that was just at a local level.....
Is there an IoT gubbins that is better than a Leatherman? An SAK? Ha! Thought not.
I'm fairly certain I've come across a beer mug that could be used wirelessly with an associated app. Didn't look into it,--as the thing seemed to be made of plastic, and I'd never drink from it,--but it may have been connecting 'wirelessly' some other way... The point of it eludes me. Anyway, what I'm wondering is: how bad, or absurd, does IoT get?
@Michael Thibault
Anyway, what I'm wondering is: how bad, or absurd, does IoT get?
I think we can be confident that we have a long way to go yet on the bad and absurd scale.
But on the bright side, they won't last for ever (see recent report on 50% drop in sales of iWatches), then we can crawl out of our caves, blink in the sunlight, and take our rightful places as rulers of a newly-analogue world.
I'd rather want one that speaks WIFI as that would reach through the access point from my kitchen to where I want to know its status.
We live in a world where even single chip WIFI solutions have enough horsepower to provide a simple webserver you can talk to directly with your browser.
Quite.
Sends message to toaster: makeToast TWO_SLICES, LIGHT_MEDIUM_BROWN
Error message received: ERROR_BREAD_STILL_IN_BAG
So unless I want dried bread being toasted and left hanging above the toaster over night and folding over so it won't go in automatically when the toaster starts, it's best that I do it myself. Manually.
Unless of course I get a toaster which has a magazine for bread above and which keeps the flies off then this isn't going to work and I am going to have a massive ugly hunk of metal/plastic in my kitchen.
And since toast takes about a minute to make; you know the amount of time it takes to locate a plate, a knife, butter and spread of choice then there is no reason to have this automated because bone has to be there to eat it still warm.
Idiot idea.
I am not one for wearing a hairshirt for environmentalism, while still thinking it's a good idea we use a bit less energy etc, so in this time when we are supposed to be worrying about energy usage to some degree, why the hell are we also making devices that suck more power, especially when you are going to hit the ERROR_BREAD_STILL_IN_BAG / WATER_STILL_IN TAP problem as well?
Also occasionally standing up and moving could be a good thing for you.
"Also occasionally standing up and moving could be a good thing for you."
Unless, of course, you trip on the camouflaged toy your kid/pet left on the floor and end up getting your throat impaled on the spiky toy just ahead. Given all the risks of moving versus not moving, I'd rather move only when I absolutely HAVE to.
"Unless of course I get a toaster which has a magazine for bread above and which keeps the flies off then this isn't going to work and I am going to have a massive ugly hunk of metal/plastic in my kitchen."
The new HP Toaster.
Only £5.99 comes with a "starter" cartridge of bread ready for toasting.
We do not recommend re-filling the bread cartridges with non-HP bread or using non-HP branded cartridges (they won't work anyway, we'll just change the firmware DRM the next time you visit a page on your bluetooth enabled laptop/browser)
Replacement HP bread cartridges are available for the low, low price of £29.99 and can make up to 20 pieces of toast.
(Please note the cartridge expiry dates. For your safety, cartridges inserted after the expiry date will not work. Also note that the HP Toaster self cleaning process will automatically run after each use or every 24 hours if not used and this may use up to two slices of bread per process.)
They have a track record of implementing and backing every bad idea. APIs like this one (or the USB one, or just about any that came out in recent years) make browsers more complex so it's harder if not even impossible to fork your own browser engine or even write one from scratch.
This keeps the browser market in an oligopoly, something all players there can live with. For them it's good, for the user it's bad... but nobody cares about those anyhow.
As always, more complexity will mean more bugs and therefore more security problems.
Rather more likely that Chrome will implement it, since Google are pushing it, and almost certain that Chrome won't make it easy (or perhaps even possible) to disable it.
This whole thing sounds about as well thought out as UPnP or even ActiveX. Both of those were bad ideas and their badness was clearly explained at the time, ignored, and then borne out by bitter experience. However, they remain in modern products for the sake of backwards compatibility. I suppose a bright young thing with *no fucking clue* about the history might see them there and think "Oh, we could do something like that for IoT...".
Jeez. Just how long will it be, and how much pain do we have to go through, before the companies that make any kind of coded kit, from toasters to PCs, realize that the first action in any code is to make it secure? It seems probably never in the case of when, and not even when the pain kills the patient in the case of what has to happen.
"Jeez. Just how long will it be, and how much pain do we have to go through, before the companies that make any kind of coded kit, from toasters to PCs, realize that the first action in any code is to make it secure? It seems probably never in the case of when, and not even when the pain kills the patient in the case of what has to happen."
In most spheres, security doesn't sell because it gets in the way of getting the job done, which is the first and foremost requirement of ANYTHING. You buy things to get jobs done; if not, you're throwing money away. Security first can ONLY come if a Machiavellian Prince with some scruples takes over the world and demands it with extreme penalties for noncompliance. Otherwise, sovereignty, competition, and overall human stupidity will ensure it'll never happen.
"Security first can ONLY come if a Machiavellian Prince with some scruples takes over the world and demands it with extreme penalties for noncompliance. Otherwise, sovereignty, competition, and overall human stupidity will ensure it'll never happen."
Nope. There's nothing Machiavellian about all the existing regulation that ensures that it's illegal to sell vehicles that fail adequate safety standards, children's toys with lead paint, electrical items without adequate insulation etc.
It simply required legislators to see the need for them and use their sovereignty to require stuff sold in their own market places to be safe. They'll get the message here as well. It might take them longer because the TLAs have vested interests. Also it won't stop the Del-boys trying to get round regulation but that's what Trading Standards are there for. Eventually the mainstream market will supply devices with adequate security.
You might reasonably reply that the rise of market places such as eBay makes it possible for the Del-boys to sell non-conforming items. Yes it will; it also makes it possible for other safety regulation to be by-passed. It's another thing for legislation to catch up with. It's not an entirely separate issue but it's one which will get tackled in due course.
"You might reasonably reply that the rise of market places such as eBay makes it possible for the Del-boys to sell non-conforming items. Yes it will; it also makes it possible for other safety regulation to be by-passed. It's another thing for legislation to catch up with. It's not an entirely separate issue but it's one which will get tackled in due course."
No, because the gray market by definition goes AROUND regulation, any and all. You ADD regulations, they just go AROUND them, usually by a direct shipment which is easy to do with something this small, unlike larger things like cars. Do they really, REALLY inspect every single little parcel at EVERY port of entry? It's a lot like the drug wars. If people want them badly enough, they'll find ways to get it in spite of God, Man, or the Devil. You have to either fix the source or fix the destination. Sovereignty prevents you fixing the source and stupidity prevents you fixing the destination. It's times like this that you have to wonder if this is the right battle.
Nope. There's nothing Machiavellian about all the existing regulation that ensures that it's illegal to sell vehicles that fail adequate safety standards, children's toys with lead paint, electrical items without adequate insulation etc.
Number of people killed or seriously harmed as a direct result of faulty vehicles - High, resulting in increasing safety standards and technology.
Number of people killed or seriously harmed as a direct result of exposure to lead-based paints : High, resulting in (once it was proven to be harmful) the removal of lead-based paints.
Number of people killed or seriously harmed as a direct result of electrical items without adequate insulation : High, resulting in tighter standards and so on.
Number of people killed or seriously harmed as a direct result of hacked routers etc? 0. Resulting in who-gives-a-fuck levels of standards. Sure a few people might've harmed themselves or had a medical event as an indirect result of losing money/having secrets exposed and so on, but they're not direct results of things.
And since we're talking security, think of the security on your car. I could have your car open in only a couple of seconds if I didn't care about keeping things tidy - smash window, grab inside handle, done. With all but the few models that have those electronic keys and ignition locks, it's fairly trivial to use an alternative to a key, something that also can be fairly quick. Oh, that's if the manufacturer made more than a few dozen keys. I have a common early 90's car, and a couple others I know use the same key (or the keys are close enough/locks worn enough). When it comes to security, cars are a really bad analogy.
It simply required legislators to see the need for them and use their sovereignty to require stuff sold in their own market places to be safe.
They do. Only, "safe" means "actually hurts people", not "might cause someone's network to slow down" (we're talking legislators here, people who sometimes surprise me that they have enough brain function for autonomic processes (eg breathing) to still function). They're not likely to care, and as has been stated elsewhere many people will simply buy "cheap not-quite-standard" over "expensive but standard" from "here today, gone tomorrow" corp.
OMG Richard, You're my hero.. Keep these stories coming. Our only hope is the press making light of this Shit. I do want to point out tho that this same issue of poor coding, crappy foresight and asinine product planning is present to some degree in almost every consumer device today. If it's destined for a consumer, there is zero doubt it's got serious security bugs that allow the device to be taken over. As just one example, BluRay players all have some old horribly outdated and never updated Java in them. https://en.wikipedia.org/wiki/BD-J
We need to not only address the IoS we need to address ALL of consumer electronics.
A UL for software needs to occur. We need to give software the same legal status as hardware and allow software companies to be sued. No more 50 page disclaimers. Software needs the same legal status as any hardware device, like a car.
"A UL for software needs to occur. We need to give software the same legal status as hardware and allow software companies to be sued. No more 50 page disclaimers. Software needs the same legal status as any hardware device, like a car."
How do you deal with the China angle, though? China has sovereignty, and most of the devices come through gray markets where regulation doesn't really exist.
"No, gray markets go AROUND regulations by cutting out the middlemen like customs."
Actually they can't treat customs as middlemen. You buy something from eBay from an overseas vendor customs may open it, apply duty forward it by an agent who collects the duty (assuming it was a legitimate item) and then charges you for the duty and their services. I've had it happen.
Roll this forward. Regulation comes into play.
Customs peruse eBay/Amazon/whoever for stuff that looks as if it might not comply and make a few trial purchases. If it's a vendor with a UK address, even if the stuff is posted direct from China the UK vendor gets prosecuted. For the rest eBay/Amazon/whoever get an offer they can't refuse and simply stop advertising the stuff.
Regulation enables enforcement. Enforcement might never be 100% but between direct enforcement and deterrence it can provide a good enough control.
"Customs peruse eBay/Amazon/whoever for stuff that looks as if it might not comply and make a few trial purchases. If it's a vendor with a UK address, even if the stuff is posted direct from China the UK vendor gets prosecuted. For the rest eBay/Amazon/whoever get an offer they can't refuse and simply stop advertising the stuff."
And if the vendor ITSELF is from outside enforceable reach, like alibaba which is itself based in China? As for the eBay stuff, odds are the sellers can go fly-by-night and disappear before enforcement can come at them, not to mention eBay and the like are MULTInational so are hard to really pin down as their operations can shift; like I said, they and China can play sovereignty against tight governments. That's also how taxes are dodged and why big oil companies tend to get favors. Few things get a government's attention like a big firm threatening to pull up stakes and take their business (and tax revenues) out of their reach.
"China has sovereignty"
Yes it does. In China. UK, the EU, the US, the UNameit aren't China. Our own governments have their own sovereignty to set regulations on what can be legally sold in their own jurisdictions. Regulation is the first step to actually dealing with gray markets.
And when the public finds out that such legislation would mean the prices of stuff takes a huge hike probably several thousand %? That the IoT enabled shit they're demanding goes from stupidly cheap to ridiculously expensive?
Much as I would like things to be a lot more secure, there's a lot of issues around supply/demand and so on.
(Oh, and another point on legislation - if TPP passes, any country that's signed up to that won't be able to legislate in such a way from what little I know of it!)
Language like that, the unwillingness to acknowledge that there is more to IoT beyond pointless connected toasters and fridges, the baying anti-IoT mob and down-voting of anyone who may dare suggest otherwise, is having a chilling effect on rational discussion of IoT.
Much of what is being railed against isn't even IoT but simply remote control and browser-based access.
Out in the real world there are many devices which have only a Bluetooth connection, and one needs to use Bluetooth to interact with them. Users want a simple means to do that and a browser-based mechanism which is platform and architecture independent suits them and manufacturers.
Google Chrome already supports a Bluetooth API and it is proving popular, Mozilla are having to play catch-up to stop users moving to Chrome to use that. There are issues which need to be debated and resolved but 'it's a steaming pile of shit' and 'burn it down' is not the right approach.
Don't like it, can't see the point; fair enough, but there are plenty of people who not only like it but want it. They aren't going to listen to those who simply appear to be luddites or a pitchfork and torch carrying mob.
Methinks you do protest too much.
People have differing views on trading their personal data for convenience.
That's up to them but a lot of shall we call them "IT savvy folk"? are worried about such things. After all if there's a way to make money out of abusing such systems you can bet your life that someone will abuse them. Calling them names does not make the problems they perceive go away but just antagonises them.
Don't confuse popular with good. Just because Chrome offers such a facility does not make it safe or secure. Lots of people lack the knowledge to know when they are being exposed to risks in this way and accept the feature without thinking about the possible side effects. That's not to condemn them; they just don't know of the risks.
Finally the manufacturers are adding to the bad name the IoT is getting. Throwing everything at the wall and seeing what sticks does raise questions as to what they were smoking. Internet connected kettles, light bulbs and so on do raise more than a few eyebrows and given the threat from IoT sourced DDoS botnets the reputation of the IoT will only get worse.
The reason we are up in arms about the IoT is because we've had enough life experience to know that every time something is pushed on the public with the zeal and fervour that the IoT is, two things are true:
1. There's a nefarious purpose behind the apparent usefulness, in the case of IoT the level of surveillance and profiling it will enable; and
2. In order to push the thing on the public, the thing it's replacing will be made obsolete and unavailable in order to deny consumers the choice and force the new thing on everyone. In this case that means that soon, "non-smart" devices will become increasingly difficult, and eventually impossible, to obtain.
It is this lack of choice that will inevitably be imposed on us that we are up in arms about. If we could be sure that manufacturers will indefinitely continue to sell "non-smart" light bulbs, toasters, TVs, fridges and cars, we'd likely still reject the idea but if people wanted to use it that's their lookout. But we all know that won't happen. What will happen is that one day, we'll go to the shop to buy a light bulb and only the "smart" ones will be available - and trying to run it without a connection to the net will simply result in it not working, thus forcing us to adopt the invasive tech, or go back to using candles.
It is this forcing of the technology, the inevitable denial of choice, based on repeated past experience of similar things being foisted on the public, that is why so many people here are so fervently opposed to it.
"... the geniuses pushing ideas like this could spend their time fixing the mess they've already helped to create"
I'd like to suggest that they have no intellectual capacity for constructive work, because if they did then this article would have belonged to an alternative universe. Sadly it does not.
I'D like to suggest that, to them, it's not a mess; it's the desired result. It's also the human condition; you versus the neighbors. And unless you want to go back to hairshirts, making everything you need from scratch, no electricity or running water and life expectancies under 50, you pretty much have to bend over.
"life expectancies under 50"
Increased profits by mixing foodstuffs with non-nutritive and sometimes toxic adulterants was a desired result of Victorian grocers.
Ready access to water was a desired result of a public pump in the middle of Soho.
Brightly coloured walls were the desired result of arsenic-based pigments in wall-paper.
Eliminating these and other desired results during the course of over a century and a half is what's lifted life expectancies over 50.
Yes, I do get it. What I'm saying is that the big big plan is to make it so that modern society comes part and parcel with Big Brother via the backdoor. How will you buy a dumb TV, for example, when there aren't any left because TV standards will REQUIRE an interactive TV just to pick up the channels? You can't use analog TVs by themselves anymore because all channels are digital, for example. That's just the first step.
And it'll apply to all appliances soon, using powerline networking or whispernets if need be to get around anything cleverdicks/smartypants try to block the networking (and using suicide circuits to break the devices if you try to kill the radio chips).
The alternative is that the user decides it isn't such a good idea to let every burglar and pervert on the planet hack into their home security cameras, mobile phones, internet banking ...
It seems we are in something of a transitional phase. Society is happily reading stories about "celebs" getting hacked and their nude selfies posted everywhere, and outraged reading stories about "the great and the good" getting hacked and shown to be neither. However, it hasn't yet penetrated people's consciousness that *they* are using exactly the same technology and living the same sorts of lifestyles.
"But I'm not a celeb, or great, or good." It doesn't matter. There is also a steady stream of stories about ordinary people being horrible to other ordinary people. We seem to enjoy reading those as well, without making the connection to our own lives. We all have friends and enemies, people we'd like to know more about but who aren't telling, people who'd like to know more about us but we aren't telling.
It really is only a matter of time before *someone* is motivated to point the hacking tools at you.
I've developed a small piece of hardware with serial comms (via bluetooth, but not directly using the bluetooth API) and built a UI for it as a Chrome App. It's a great approach - I've done plenty of Swing but wanted something that's easier to distribute (check), quick to prototype (check), leverages a technology I'm familiar with (HTML/CSS/JS, check), portable across platforms (check). Frankly it's a great solution.
Except Google have announced they're dropping Chrome Apps, and there's no replacement. They're trying to push this Bluetooth API as a replacement, and if it came off it could have been a partial solution, although it's too far off for me to make use of it. The point is it's a very useful thing to have in the toolbox.
Yes, there are obvious security concerns, just as there are with DOM extensions for microphone access and videocamera access (WebRTC, already a part of many browsers), geolocation (same), and the various other things that need to do more than display a flat page, tasks which are currently confined to Flash or Applets.
But I don't see you lot bleating about that do I? What a bunch of whining jessies (last bit because I'm going to get downvoted, so I may as well deserve it)
"But I don't see you lot bleating about that do I?"
I think you do, at least on this site, and there is a steady stream of stories about the ways in which these things have been abused. Nevertheless, I think this particular API merits additional abuse because it provides a bridge from a malicious web-site to any bluetooth-enabled device that you own. Most device designers will have designed their BT interfaces on an assumption that the client is both local and has been explicitly trusted by the device owner. Providing a bridge to hostile clients in a different legal jurisdiction probably isn't a smart idea. Most end-users won't understand that this is being done, won't understand the risks, and won't even be warned unless browsers break with tradition and launch a shiny new feature as off-by-default.
"What a bunch of whining jessies "
You appear to have missed some punctuation there. Consider yourself whined at.