Short Topix: IoT Device Disposal A Security Nightmare

by Paul Arnote (parnote)

USB Stick Found In Frozen Seal Poo For Over Year; It Still Works!

The National Institute of Water and Atmospheric Research (NIWA) in New Zealand found a USB stick that was embedded in leopard seal scat, and that sat frozen for over a year before being thawed out for study.

The amazing thing, though, is that the USB stick is still functioning, after being ingested by a leopard seal, sitting in a freezer for over a year, and then being thawed out. No one knows who the USB stick belongs to, but it includes pictures taken by a kayaker (the front part of kayak is visible in some images), and even some video, which NIWA posted to their Twitter feed.

From the NIWA account of finding the USB stick:

So, if this is YOUR USB stick, you can reclaim it, but only after you deliver some additional seal scat as payment.

Autoplaying Videos, Audio No Longer Allowed In Firefox

There are few things that irritate me more when browsing the web than autoplaying video and audio. It literally makes me see red. After all, I think I'm perfectly capable of not only pressing the "Play" button, but of also deciding if a particular video or audio file is something I want to see or hear. I should also be able to control when I see or hear that media element, at a time that's convenient to me, and not someone else's idea of when I should see or hear it.

Starting with Firefox 66, due out March 19, autoplaying video and audio will be disabled by default. The end user can decide to make allowances on a site-by-site basis if they want to allow autoplaying media.

Excerpted from the Mozilla Hacks blog:

All I can say is ... HALLELUJAH! It's about time!

IoT Devices Security Nightmare Continues After You Dispose Of Them!

I've mentioned IoT things here before. I've never been a fan. In fact, I think they got the name wrong. I call them I(di)oT devices. I don't need my refrigerator connected to the internet. I just need it to keep my food cold or frozen. In fact, I don't need or want most of my appliances connected to the internet. The only items that I want or need to be able to connect to the internet are my computers, my tablets, and my phones.

Why don't I like I(di)oT devices? It's things like the compromised security that we're talking about here. It's because companies and other "entities" just can't help themselves or behave themselves when it comes to keeping OUR private, personal, confidential data just that: private, personal and confidential. It's not that I have anything to hide. But certain things should simply be private, personal and confidential.

A blog owner (who never really identifies himself), on his blog called Limited Results, has done a series of articles about "smart" light bulbs. They range in price from €15 to €30 each (or approximately $17 to $35 each, in U.S. currency). He didn't even look at other IoT devices (yet). What he found is quite alarming. He just looked at "smart" light bulbs. Like those lights that can be turned off and on via your Google Home or Amazon Alexa/Echo device. You expect light bulbs to have a limited service life. Therefore, they are disposable. But once you dispose of them, your security headaches and worries haven't ended.

He looked at (and disassembled) four "smart" light bulbs: LIFX, WIZ Connected, Tuya and Yeelight (Xiaomi). You "activate" these bulbs by downloading the appropriate app on a smartphone, and then use the app to connect the bulb to your internet connection. Once that connection is made, the wifi information (SSID and password) are transferred from the smartphone to the "smart" light bulb.

As part of his disassembly, he read the chips installed with each unit. NONE of the devices encrypted any data. On all four devices, the wifi SSID and password were stored as plain text! On the LIFX device, both the root certificate and RSA private key were also extracted without much difficulty.

All of the companies were contacted and notified of the security flaws identified. All the companies confirmed the security issues. One, the manufacturer of the WIZ Connect, took a rather laid back and cavalier approach to the issues. Their reply is quoted below, from the blog:

Only one manufacturer responded favorably: the manufacturers of LIFX. Here is their reply, from their website:

So, if you have or are using one of these devices (including older LIFX "smart" light bulbs), be extra vigilant when disposing of them. Even after the light producing portion of the bulb has long burned out, the rest of the items inside the container may easily give up information that may risk compromising your network security.

Perhaps, the only way to insure your security would be to take a hammer to such devices when disposing of them, and placing the various resulting small pieces in separate trash bags.

Cyber-Defense Test: Russia To Unplug From The Internet

Russia is planning a "test" of their cyber-defense abilities by briefly disconnecting Russian citizens from the internet in the event of an "emergency," according to a BBC technology article. While no firm date has been specified, the "test" is expected to occur sometime before April 1.

There is no definition of what an "emergency" might consist of, but analysts have speculated an "emergency" might include internal unrest, anti-government protests, military confrontation(s), blocking cyber-warfare attacks/counterattacks, or other countries (or block of countries) attempting to cut off internet access to Russia.

When the test occurs, all data passing between Russian citizens and organizations will stay inside the country, rather than being routed internationally. All international connections to the internet will be "unavailable" during the test.

In a September 19, 2014 article, The Guardian reported that Andrei Soldatov, an expert on Russia's spy agencies, stated that "it would be technically possible for Moscow to shut off the internet because Russia has "surprisingly few" international exchange points. All of them are under the control of national long-distance operations, like Rostelecom, which are close to the authorities, he said."

The Russian Parliament introduced a draft law last year, called the Digital Economy National Program, that mandates technical changes be made to operate independently. As a result, and according to a Digital Trends article (quoting ZDNet), "the process of taking the internet in Russia offline involves routing all internal internet web traffic to government-controlled points managed by Roskomnadzor, a Russian telecom watchdog. All Russian internet companies have since agreed to the law that originally mandates the testing, but several have also shown concern over potential disruptions in overall internet traffic."

Despite that none of the current 12 organizations that control root servers for DNS are located in Russia, many copies of the internet's core address book already exist inside Russia. The test will demonstrate that ISPs can direct data to government controlled routing points. One possible goal is to have all domestic traffic routed through these government controlled routing points, believed to be an effort to set up mass censorship, somewhat like that found behind the Great Firewall of China.

The Russian government has been paying ISPs to modify their infrastructure so that all domestic traffic can be properly rerouted internally. Any traffic that is destined for servers and services outside of Russia's borders will simply be discarded.

Remember Internet Explorer? Microsoft Wishes You Wouldn't

Internet Explorer (IE) has officially been dead since 2015, when it was replaced with the newer Microsoft Edge, which is currently being rebased on Chromium. However, it hangs on ... and on ... and on ... and on. It just won't seem to die, living a zombie-like existence.

Microsoft isn't updating IE any longer. The last version was IE 11, which came out in 2014. But they ARE making it available. You'll love the reason why, too. Some IT departments and enterprises rely on IE to power various web based apps. Some of the IT departments take an "if it ain't broke, don't fix it" approach. The apps run as expected on IE, so they are accomplishing their goal(s). In that case, there's no incentive to use anything else. But, there are also IT departments and enterprises who don't have sufficient manpower to migrate all those web apps to more standards-compliant, more modern web browsers -- including Microsoft Edge, or any of its even more capable replacements.

So therein lies the problem. Microsoft doesn't want to "punish" IT departments and enterprises who simply lack adequate manpower to update or replace web apps that are performing their intended function. So, on and on goes IE, which hasn't been updated in five years.

But truly, Microsoft wishes the IE would be allowed to die. They wish it would just finally be able to go away. Microsoft has posted a plea of sorts on their tech community blog. Excerpted from that blog:

Of course, the comments to the blog entry are nearly as informative as the blog entry itself. Take this response, from Martin_Geuss, for instance:

Of course, the rest of the world knows and realizes that the problem goes farther back in history then just the introduction of Windows 10. The problem goes way, way back to the earlier releases of IE, and Microsoft's arrogance about it. Microsoft, instead of adhering to established web standards, attempted to set and establish web standards with IE. No one else was listening, and the web went its own way, down the road they already were on. As a result, over the years, IE became less and less compliant with established web standards that everyone else (but Microsoft) was adhering to.

Only when absolutely forced to do so would Microsoft support the established web standards. For many years, the running joke among Windows users was that the next version of IE should just be a link to the latest Firefox installer, since that is what most users did as one of their first acts, anyway.

Gmail Getting Enhanced, More Useful Right Click Menu

For years, Gmail has had the same paltry, pretty-much-useless right click context menu.

To say that its functions were minimally useful would have been an understatement. That right click context menu is shown above, in a screenshot taken from my own current Gmail account.

Well, coming soon to a Gmail account near you, the right click context menu is going to get a facelift. In the process, most Gmail users will find the new context menu much more useful.

The upcoming changes were announced on a G-Suites blog site. The new enhancements will allow Gmail users to perform the most common actions from the right click context menu, with a minimum number of mouse clicks. Not only are all of the current right click context menu items present, by so are several other actions, such as Reply, Reply all, Forward, Delete, Mark as read, Snooze, Move to, Label as, Mute, and the ability to search for additional emails from the selected sender.

The updates will roll out first to G-Suite customers. Those of us who use the free, public, regular Gmail, should see the updates come to our inboxes by the end of February. The updated right click context menu has already come to my Gmail account. Both images above are from my Gmail account.

Ever Dream Of That One-Way Trip To Mars? Keep Dreaming. Company Is Bankrupt.

Mars One, which started up in 2011 with the express goal of sending prospective individuals on a one-way trip to colonize Mars, has filed bankruptcy. While Mars One has touted 200,000 interested individuals, the actual number of volunteers for the project is just less than 2,800. Still, that's quite a few people interested in a one-way trip to Mars, where they will live out the rest of their natural lives, however brief or long that may prove to be.

Actually, Mars One is composed of two parts. There is the non-profit Mars One Foundation, and then there is the for-profit Mars One Ventures AG. It is the latter that has filed bankruptcy, after being bought out by a Swiss financial services company in 2016. The non-profit is reported to remain unaffected, as they work to procure additional and ongoing funding for their project in light of the pending bankruptcy of the for-profit arm of the project.

The actual mission plan to place colonists on Mars via a one-way trip is quite fascinating. You can read more about the mission goals and aspirations here. The news release about the impending bankruptcy of the for-profit arm of the project, and how it impacts the non-profit portion, can be viewed here.

Let's hope that, because of this, Mars One doesn't become Mars None.