Re: Of course Mozilla will implement it
"They have a tack record of implementing and backing every bad idea."
Nice Freudian slip there, Christian. Tack as in tacky. Spot on.
"Straight away you assume that Bluetooth is being used for applications"
I did nothing alike. Not that assuming it would have been wrong. Just sayin'.
"Ok...so with all the current insecurities doing the rounds, opening up an attack vector that crosses strewn with malware web"
Over your head. My whole point was that with some or most Bluetooth access potentially moved to the browser the overall attack surface will be reduced, because now you won't need to download and install native apps permanently anymore for a lot of Bluetooth-related stuff, but can simply run them on-demand from the much safer browser environment.
So the second bit I've emphasised is saying that with Bluetooth in the browser you won't need to download the apps that, in the first bit I've emphasised, you're denying were being used without Bluetooth in the browser? Somehow I don't think you've got your own head round your own arguments. Maybe that's why the rest of us have problems with them.
"I genuinely think they have been trained by companies and the world around them that this is the new normal, and us older buggers are just paranoid."
It's simply the old "experience is a dear teacher but there are those who will learn by no other". They'll learn. They'll also discover the truth of the complementary saying: "experience is something you need just before you get it".
"And if we can make it so that you have to prove ownership of the private key (by signing some kind of nonce value) for the domain you CLAIM to be sending FROM"
I'm not sure about claiming a private key for the domain but a private key for the actual user ID is a different matter. That would be right here on my own device*.
Oh dear. That makes webmail a bit of a problem, doesn't it? Yet another example of security being sacrificed to convenience. That sacrifice is, of course, one of the main sources of our problems. As insecurity brings inconvenience we should gradually see a rebalancing act sometime.
*Yes I know. The device might be pwned. But the pwning is so often by faked emails that there's a vicious circle that needs to be broken. Do you have any alternative suggestions? Standing there just pissing on everyone else's ideas without having any of your own is such an unattractive pose.
"I enjoy living vicariously through others' experience of installing Linux on laptops."
So, here's my little MSI laptop, bought a few years ago for the express use of doing things, namely being taken into libraries and archives for doing research. Download Mint, burn onto disk. Plug USB disk drive into said laptop, insert disk into drive. Start computer, press function key for boot menu and select boot from USB. Mint disk fires up. Select options appropriate to language and time zone. Wait for installer to do its thing. Remove USB drive and reboot.
I hope you enjoyed that vicarious experience.
"I don't enjoy the litany of all the things that won't work properly without hours of fucking about under the bonnet."
Neither do I which is a good reason for not doing them as in the above.
"I need a computer as a tool for helping me do other things, interesting things, not as an end in itself."
And so do I. That little device is still doing exactly that research recording task. It's also a nice little laptop to take when going on holiday - although it works better when I don't do what I did this week: forget to pack the charger!
"And to that same foetus who will whine at me about Linux: If I could buy an off-the-shelf machine with the features I want and Linux installed I would have done so twelve months ago."
You youngsters* seem to need someone to wipe your noses all the time.
Buy your favoured drive-less laptop. Download an install image of a Linux distro and copy it to a USB thumb-drive. Plug the thumb-drive into the laptop, blow away the eyeturd (you will find no disagreement from me on your points 1 & 2) and install Linux for yourself. Unless you consider a laptop and a USB stick to be "parts" (you bought such parts in 1993?) no buying of parts is required.
*You claim to be still commuting. That implies you're of working age therefore you're a youngster from my PoV.
"The PC is dying, but better, richer apps might just save it"
Translation:
PCs are failing to die at anything like the required rate so we're not able to sell as many replacements as we used to. We need some massively inefficiently coded applications that can't be run on existing kit to force users to upgrade.
If services are being provided on a business footing the business should, if being well-run, aim to build up a buffer to continue paying the staff, be it one worker or many, for a period when there's no custom. It should also be able to cover NI, pensions and other costs - including transport, phones etc where appropriate. It should be paying at least the statutory minimum levels. In order to make this a viable business the rate paid by the client should be larger than the statutory minimum level by some factor.
That factor might depend on the additional facilities required, such as a cycle and phone for a courier, but in principle that factor could be determined for a particular type of service. There's then a very simple test to apply: you pay less than that, you've got an employee and you handle PAYE, NI, accept that you are responsible for employment rights etc.
There's no reason why the gig economy terms shouldn't be available for businesses that require that flexibility of labour but it should be clearly recognised that the gig worker is taking on the business risk that the engager wants to avoid but should be paid accordingly and taxed as a business.
You have to extend that to redundancy etc as well. Depending on the party ruling at the time the state might be very keen on handling all the pensions (not that they've been brilliant at that), parental leave of course. But they're not going to handle the costs of companies adjusting the size of the workforce to changing requirements.
"But if HMRC really have ignored how the contract "actually works", you'll be able to convince a judge and he'll chuck it out. Been there; done that. Although I only won on appeal."
You may have been lucky. Back in the day when I had to take an interest in such things there were some perverse decisions reported.
These edge connectors. Where does he propose to put them? At the interface between the individual customer sites and the ISP? If so we already have such things there, they're the customer routers and in some cases they are the bots in the botnets. So his first problem is to produce a more secure router/edge connector that can be safely put in that place. And when the security holes start to become apparent in those, then maybe we need a more secure edge connector in front of them.
"no competition clauses to avoid anyone jumping ship to other companies competing in the same space"
Governments tend to treat taxation as a monopoly*. There are no companies competing with HMRC, at least not within the UK.
*Note that they don't achieve this when it comes to taxation of multi-national companies.
"Plus it doesn't help if the manufacturer is on razor-thin margins such that 2-3 cents per devices pivots it into unprofitable."
Which is why some of us keep saying the solution is to make such security provisions mandatory. You want to sell your stuff here? This is what you have to do.
To some extent it levels the playing field - those costs are common to all products. And for manufacturers who can't afford that, maybe they're best kept out of the market. If they were selling cars would you consider it acceptable to omit brakes to enable them to compete on price?
“Gaining the upper hand in cybersecurity requires a rejection of conventional paradigms in favor of radical new thinking. Where health care organizations have relied on old playbooks, they must be newly unpredictable. Where they have hoarded information, industry players must become more collaborative. Where they have undervalued cyber defense overall, they must prioritize it.”
"Another US conglomerate decides to hike its prices and everyone immediately blames the brexit voters, looking for a scapegoat."
Well, the article clearly says that it's currency related. If we're not to see this as Brexit related should we start referring to the sudden-but-entirely-coincidental-devaluation-of-the-pound?
"The devices come from China and are imported direct. Who gives a damn?"
Market traders if they're importing them when Trading Standards come calling.
ISPs when they're exposed to fines for routing non-compliant stuff. As I said in another post, there are multiple points to apply pressure to make stuff unsaleable.
"Finally - as to the suggestion of arresting USERS because they have insecure IoT kit - that's stupid, there is no way that could ever be proposed to be added to law"
That depends on how bad the problem becomes. There are several points to apply pressure.
One is the market place via the types of regulation and certification that's in place already for electrical safety etc. It gives Trading Standards or the like the means to deal with vendors in the country and for customs to turn away incoming shipments. There's absolutely nothing novel in principle about this, it's just that govts. need to be kicked into motion to get a round tuit.
Another is the ISPs and through them the users. They can be required to put it into T&Cs that non-compliant kit can't be exposed on the net, either outside of firewalls or via uPnP.
Finally, after due warning, the users themselves if they insist on connecting stuff it can be made an offence. In practice, of course, the ISP would almost certainly deal with it by cutting off the customer but having the illegality as back-up to deal with awkward customers.
All this combined would make non-compliant stuff unsaleable. That would lean on the manufacturers more effectively than trying to negotiate international standards.
That leaves countries that are reluctant to get round to doing such things. "Nice internet connection you have there. Shame if it got disconnected for an hour or two now and again. Or a day or two."
"Then what happens when innocent users SUE for the collateral damage of them not being able to go on the Internet for no fault of their own?"
What happens? The ISPs learn the advantage of making sure it doesn't happen again. Or, to put it another way, they learn the cost of not having made sure it couldn't happen in the first place.
As per another of your posts, we're dealing with Stupid here so we need to take actions that don't depend on Stupid understanding things.
"As long as you are happy to pay manufacturer to have support team that will be resetting these passwords 24/7. Are you ?"
The user sets those. The default password is on the label. You reset it to get that and you then have to set a new password before you can get it online.
You, the user, lost the label? Sorry, can't help you, we don't have a record of it.* You'll have to buy a new one. Please look after that better.
* That prevents anyone ringing up trying to get the default password if it transpires the pile of crap device can be reset remotely.
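As an added example (not from the thread or any vendor's firmware), a sketch in Python of the gate the post describes: the device keeps only a salted hash of the label password, a factory reset restores it, and the WAN side stays closed until the owner has replaced it. `LABEL_PASSWORD` and `Device` are constructed names for illustration.

```python
import hashlib
import hmac
import os

# Constructed per-unit label secret: printed on the sticker, never held in
# plaintext by the vendor. The device itself stores only a salted hash.
LABEL_PASSWORD = "7Hk2-pQ9x-Lm4v"   # sample value, not a real credential

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Device:
    """Hypothetical IoT device that refuses internet exposure while the
    default (label) password is still in force."""

    def __init__(self, label_password: str):
        self._salt = os.urandom(16)
        self._default_hash = _hash(label_password, self._salt)
        self.factory_reset()

    def factory_reset(self) -> None:
        # A reset brings the label credential back, so it must also close
        # the network path again until the owner picks a new password.
        self._current_hash = self._default_hash
        self.password_is_default = True
        self.wan_enabled = False

    def login(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self._salt), self._current_hash)

    def set_password(self, old: str, new: str) -> bool:
        if not self.login(old):
            return False
        # Refuse a "new" password that is the label value or trivially short.
        if len(new) < 12 or hmac.compare_digest(_hash(new, self._salt), self._default_hash):
            return False
        self._current_hash = _hash(new, self._salt)
        self.password_is_default = False
        return True

    def enable_wan(self) -> bool:
        # The gate: no online exposure until the default credential is gone.
        if self.password_is_default:
            return False
        self.wan_enabled = True
        return True
```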
"DNS resolution is needed for a lot more than just the URL you typed into the browser or clicked in Google. Each of the secondary domains that site calls have to be resolved too, and there can be dozens of them on a fairly typical site on the internet."
To say nothing of the tertiary and quaternary domains. OTOH if this forced sites to serve all their own crap this could be seen as a useful by-product.
"Do you really want to live in communist utopia where government can control which device you can use to connect to Internet ?"
I didn't see that being suggested. It's not a matter of controlling which device, it's a matter of controlling the safety standards they meet. They'll already be subject to all sorts of safety requirements. For instance the telecoms network operators will already have specs as to what can be connected to ensure it doesn't put harmful voltages on the line or draw excess current. Or are your telecoms providers communist-run?
"This is obvious clickbait, it suggests all IOT devices are vulnerable, but the reality is, it's a single manufacturer (XiongMai Technologies) that had a default password and login."
The answer lies somewhere in between. It might be a single manufacturer in this case and not everything is necessarily vulnerable but there have been enough reports of routers with telnet ports open on the internet side etc. You don't need to look back very far in el Reg to pick up these.
"mostly the same stands for their customers."
It's the customer end that you start with. Does the kit meet UL/CE standards? If not then it becomes illegal to put it on the 'net in the relevant country or, even better, it becomes illegal for the ISPs to route it. It also becomes illegal to offer it for sale so if it's on sale from a local vendor then they get a visit from Trading Standards or whatever in that particular jurisdiction. If it's being offered for sale on eBay from China or wherever then eBay gets a visit.
The manufacturers will get the message without direct action - they want to sell stuff, they meet the standards.
Make no mistake, something will be done, the only questions are what and when.
"I doubt any legislative action will actually be all that effective. The average Congress critter is not noted for critical thinking skills but emotional pandering."
I think a few large corporations being exposed to risk like this will be able to apply as much emotional pressure as is needed to produce results.
"CE-marking and US equivalents are good for purchasers to aspire to buying, but faced with a choice between high-price or low-price, with the difference in features being purely a few regulatory stickers affixed to the casing, which one will the purchaser end up buying?"
The alternative should be between the device being legally offered for sale or not. That doesn't provide the buyer with much of a quandary. If he buys from Del-boy he risks the device being forfeit, and maybe a fine.
"Brick the devices and watch US and European companies go bust very quickly as consumers just stop buying devices with internet connections that can use their subscription services."
As per my comment above, apply a bit of Darwinian selection. Make it worth while to ship secure stuff. Having sold/issued to the subscriber a steaming pile of ordure isn't an excuse for losing business, it's just a reason.
In established fields it simply wouldn't be allowed to sell a dangerous design of electrical equipment or vehicle. If it later transpires that something wasn't fit then the vendor will be expected to recall it for remediation; that option should be available to vendors of insecure IoT devices. If the vendor simply goes bust or the customer refuses to accept the recall then there has to be a mechanism for ensuring it's not exposed on the 'net.
If you want an alternative analogy, consider a contagious disease - of humans or animals. If the disease is sufficiently dangerous TPTB usually have sufficient powers to ensure that humans are isolated and animals destroyed. It's draconian but essential for the wider community.
"You have to take Stupid into consideration."
Stupid is the problem. If the punter is too stupid it has to be their problem rather than someone else's. I'm a biologist by training. I see no problem in applying Darwinian selection to the IoT.
How about "Here's your device, there's the password. We have no copy of it. Looking after it is your responsibility."
"Oh believe me, some people think councils are responsible for absolutely everything."
Our local council seems to avoid responsibility for as much as it can except for the PC bits or those which get column inches for the leaders, even if they're not part of the council's remit.
'Quick piece of advice - never look up how the YEAR was "established"'
There's also years BP (before present) in radiocarbon dating, "present" being taken as 1950. We used to round dates to the nearest 5 years but I never took into account the absence of year 0, partly because it would have looked odd to have nice round numbers in the BP version but not in the BC and it didn't really matter until one result came out at 1950 BP. Thanks to the link I now know it wasn't a bug, I was just anticipating ISO 8601.
"ISPs and network operators being compelled to police their own user base for illicit traffic on pain of having some of their service access cut off which means, by implication, they have to police their users the same way."
If a large enough number of devices are involved the illicit traffic from any one device might not be easily discoverable. A better variation would be policing their user base for vulnerable internet-exposed devices. Where the device is an ISP-supplied router this would have the immediate effect of requiring the ISPs to be more careful in deciding what kit they supply.