PCLinuxOS Magazine

Short Topix: IoT Device Disposal A Security Nightmare

by Paul Arnote (parnote)

USB Stick Found In Frozen Seal Poo For Over Year; It Still Works!

Source: NIWA

The National Institute of Water and Atmospheric Research (NIWA) in New Zealand found a USB stick that was embedded in leopard seal scat, and that sat frozen for over a year before being thawed out for study.

The amazing thing, though, is that the USB stick still works, after being ingested by a leopard seal, sitting in a freezer for over a year, and then being thawed out. No one knows who the USB stick belongs to, but it holds pictures taken by a kayaker (the front part of a kayak is visible in some images), and even some video, which NIWA posted to their Twitter feed.

From the NIWA account of finding the USB stick:

... the memory stick was in reasonably good condition considering where it had come from. So they left it to dry out for the next couple of weeks in the hope they may be able to see what information it contained.

And, ironically, there are photos of sea lions at Porpoise Bay in the Catlins and a video of a mum and baby sea lion frolicking in the shallows; the only clue to who might have taken them is the nose of a blue kayak.

If they're yours and you want the USB stick back, it comes with a price. The leopard seal researchers would like some more leopard seal scat please.

"The more we can find out about these creatures, the more we can ensure they are looked after."

There is information on what the scat looks like (thick puddles in varying colours), how to collect it (gloves and an ice cream container!), and how to stay safe (keep at least 20m away from the animals).

Dr Hupman's work also includes analysing leopard seal sightings in a bid to determine whether they are becoming more prevalent in New Zealand waters.

So, if this is YOUR USB stick, you can reclaim it, but only after you deliver some additional seal scat as payment.

Autoplaying Videos, Audio No Longer Allowed In Firefox

There are few things that irritate me more when browsing the web than autoplaying video and audio. It literally makes me see red. After all, I think I'm perfectly capable of not only pressing the "Play" button, but of also deciding if a particular video or audio file is something I want to see or hear. I should also be able to control when I see or hear that media element, at a time that's convenient to me, and not someone else's idea of when I should see or hear it.

Starting with Firefox 66, due out March 19, autoplaying video and audio will be disabled by default. The end user can decide to make allowances on a site-by-site basis if they want to allow autoplaying media.

Excerpted from the Mozilla Hacks blog:

Starting with the release of Firefox 66 for desktop and Firefox for Android, Firefox will block audible audio and video by default. We only allow a site to play audio or video aloud via the HTMLMediaElement API once a web page has had user interaction to initiate the audio, such as the user clicking on a "play" button.

Any playback that happens before the user has interacted with a page via a mouse click, printable key press, or touch event, is deemed to be autoplay and will be blocked if it is potentially audible.

Muted autoplay is still allowed. So script can set the "muted" attribute on HTMLMediaElement to true, and autoplay will work.

There are some sites on which users want audible autoplay audio and video to be allowed. When Firefox for Desktop blocks autoplay audio or video, an icon appears in the URL bar. Users can click on the icon to access the site information panel, where they can change the "Autoplay sound" permission for that site from the default setting of "Block" to "Allow". Firefox will then allow that site to autoplay audibly. This allows users to easily curate their own whitelist of sites that they trust to autoplay audibly.

Firefox expresses a blocked play() call to JavaScript by rejecting the promise returned by play() with a NotAllowedError. All major browsers which block autoplay express a blocked play via this mechanism. In general, the advice for web authors when calling play() is to not assume that calls to play() will always succeed, and to always handle the promise returned by play() being rejected.

If you want to avoid having your audible playback blocked, you should only play media inside a click or keyboard event handler, or on mobile in a touchend event. Another strategy to consider for video is to autoplay muted, and present an "unmute" button to your users. Note that muted autoplay is also currently allowed by default in all major browsers which block autoplay media.

We are also allowing sites to autoplay audibly if the user has previously granted them camera/microphone permission, so that sites which have explicit user permission to run WebRTC should continue to work as they do today.

At this time, we're also working on blocking autoplay for Web Audio content, but have not yet finalized our implementation. We expect to ship with autoplay Web Audio content blocking enabled by default sometime in 2019. We'll let you know!

All I can say is ... HALLELUJAH! It's about time!
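The Mozilla excerpt boils down to three rules for page authors: never assume play() succeeds, treat a NotAllowedError rejection as "blocked as autoplay", and fall back to muted playback with an unmute control that the user clicks. The helper below is an added example written to those rules; it is not code from the Mozilla post or from Firefox. It assumes only the HTMLMediaElement subset it touches (play(), muted, paused) and a hypothetical showUnmuteButton callback that a real page would wire to a visible button, so it can be exercised outside a browser with the fake media element included.

```javascript
// Added example, not code from the Mozilla post: a playback helper written
// to the advice above. It never assumes play() succeeds, it treats a
// NotAllowedError rejection as "blocked as autoplay" and falls back to muted
// playback with an unmute control, and it reports which path it took.
//
// `media` is any object with the HTMLMediaElement subset used here (play(),
// muted, paused); `showUnmuteButton` is an assumed callback that a real page
// would wire to a visible button.

const PLAYBACK = Object.freeze({
  PLAYING: 'playing',        // audible playback started
  MUTED: 'muted-fallback',   // audible autoplay blocked; playing muted instead
  FAILED: 'failed',          // some other failure (unsupported source, ...)
});

async function startPlayback(media, showUnmuteButton) {
  try {
    await media.play();      // a blocked autoplay rejects this promise
    return PLAYBACK.PLAYING;
  } catch (err) {
    if (!err || err.name !== 'NotAllowedError') {
      // NotSupportedError, AbortError, ...: not an autoplay policy problem
      return PLAYBACK.FAILED;
    }
  }

  // Blocked as audible autoplay: mute and retry, which the policy allows.
  media.muted = true;
  try {
    await media.play();
  } catch (err) {
    return PLAYBACK.FAILED;
  }
  // The user's click on this button is the interaction that permits sound.
  showUnmuteButton(() => { media.muted = false; });
  return PLAYBACK.MUTED;
}

// Stand-in for an HTMLMediaElement so the helper runs outside a browser.
// `blocksAudible` models a browser that blocks audible playback until the
// user has interacted with the page; `broken` models an unplayable source.
function makeFakeMedia({ blocksAudible = true, broken = false } = {}) {
  const media = {
    muted: false,
    paused: true,
    async play() {
      if (broken) {
        const e = new Error('no supported source');
        e.name = 'NotSupportedError';
        throw e;
      }
      if (blocksAudible && !media.muted) {
        const e = new Error('play() blocked: no user activation yet');
        e.name = 'NotAllowedError';
        throw e;
      }
      media.paused = false;
    },
  };
  return media;
}

// Demo: the same helper against a blocking and a non-blocking browser.
async function demo() {
  const onUnmute = () => console.log('unmute button shown');
  console.log(await startPlayback(makeFakeMedia({ blocksAudible: true }), onUnmute));
  console.log(await startPlayback(makeFakeMedia({ blocksAudible: false }), onUnmute));
}
demo();
```

The important design choice is that the unmute callback flips media.muted inside the user's click, which is exactly the interaction the policy waits for; calling play() a third time from a timer or a promise chain would be blocked again.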

IoT Devices Security Nightmare Continues After You Dispose Of Them!

Left: LIFX Smart Bulb. Right: Tuya smart bulb with cover removed.

I've mentioned IoT things here before. I've never been a fan. In fact, I think they got the name wrong. I call them I(di)oT devices. I don't need my refrigerator connected to the internet. I just need it to keep my food cold or frozen. In fact, I don't need or want most of my appliances connected to the internet. The only items that I want or need to be able to connect to the internet are my computers, my tablets, and my phones.

Why don't I like I(di)oT devices? It's things like the compromised security that we're talking about here. It's because companies and other "entities" just can't help themselves or behave themselves when it comes to keeping OUR private, personal, confidential data just that: private, personal and confidential. It's not that I have anything to hide. But certain things should simply be private, personal and confidential.

A blog owner (who never really identifies himself), on his blog called Limited Results, has done a series of articles about "smart" light bulbs: the kind that can be turned off and on via your Google Home or Amazon Alexa/Echo device. They range in price from €15 to €30 each (or approximately $17 to $35 each, in U.S. currency). He hasn't looked at other IoT devices (yet), just "smart" light bulbs, and what he found is quite alarming. You expect light bulbs to have a limited service life. Therefore, they are disposable. But once you dispose of them, your security headaches and worries haven't ended.

He looked at (and disassembled) four "smart" light bulbs: LIFX, WIZ Connected, Tuya and Yeelight (Xiaomi). You "activate" these bulbs by downloading the appropriate app on a smartphone, and then use the app to connect the bulb to your internet connection. Once that connection is made, the wifi information (SSID and password) is transferred from the smartphone to the "smart" light bulb.

As part of his disassembly, he read out the contents of the chips installed in each unit. NONE of the devices encrypted any data. On all four devices, the wifi SSID and password were stored as plain text! On the LIFX device, both the root certificate and the RSA private key were also extracted without much difficulty.

All of the companies were contacted and notified of the security flaws identified, and all of them confirmed the security issues. One, the manufacturer of the WIZ Connected bulb, took a rather laid-back and cavalier approach to the issues. Their reply is quoted below, from the blog:

"We do take security very seriously. At the same time, we have to find solutions that "fit" into what needs to remain a "cheap enough" product for a consumer. Ensuring perfect security when someone has physical access to the product, as in being able to tear it apart, is always a hard thing to do."

Another extract from the WIZ manager: "Also, we do not provide easy access to flashing GPIO, no JTAG on our PCBs, not to mention that our lamps are sealed and potted, so it would be quite hard to reflash a product and sell it back looking "new"?"

Only one manufacturer responded favorably: the maker of LIFX. Here is their reply, from their website:

LIFX Improve Security Standards with Encryption

A report posted by Limited Results claimed that three categories of security vulnerability exist in our lights. Indeed we have been working in collaboration with Limited Results since he alerted us to these, with thanks, in 2018. In response, we have already addressed each vulnerability with firmware updates during Q4 2018:

#1: WiFi credentials are now encrypted

#2: We have introduced new security settings in the hardware

#3: Root certificate and RSA private key is now encrypted

So, if you have or are using one of these devices (including older LIFX "smart" light bulbs), be extra vigilant when disposing of them. Even after the light-producing portion of the bulb has long burned out, the rest of the electronics inside the housing may easily give up information that could compromise your network security.

Perhaps the only way to ensure your security would be to take a hammer to such devices when disposing of them, and place the various resulting small pieces in separate trash bags.

Cyber-Defense Test: Russia To Unplug From The Internet

Russia is planning a "test" of their cyber-defense abilities by briefly disconnecting Russian citizens from the internet in the event of an "emergency," according to a BBC technology article. While no firm date has been specified, the "test" is expected to occur sometime before April 1.

There is no definition of what an "emergency" might consist of, but analysts have speculated an "emergency" might include internal unrest, anti-government protests, military confrontation(s), blocking cyber-warfare attacks/counterattacks, or other countries (or a bloc of countries) attempting to cut off internet access to Russia.

When the test occurs, all data passing between Russian citizens and organizations will stay inside the country, rather than being routed internationally. All international connections to the internet will be "unavailable" during the test.

In a September 19, 2014 article, The Guardian reported that Andrei Soldatov, an expert on Russia's spy agencies, stated that "it would be technically possible for Moscow to shut off the internet because Russia has "surprisingly few" international exchange points. All of them are under the control of national long-distance operations, like Rostelecom, which are close to the authorities, he said."

The Russian Parliament introduced a draft law last year, called the Digital Economy National Program, that mandates technical changes be made to operate independently. As a result, and according to a Digital Trends article (quoting ZDNet), "the process of taking the internet in Russia offline involves routing all internal internet web traffic to government-controlled points managed by Roskomnadzor, a Russian telecom watchdog. All Russian internet companies have since agreed to the law that originally mandates the testing, but several have also shown concern over potential disruptions in overall internet traffic."

Even though none of the current 12 organizations that control the DNS root servers are located in Russia, many copies of the internet's core address book already exist inside Russia. The test will demonstrate that ISPs can direct data to government-controlled routing points. One possible goal is to have all domestic traffic routed through these government-controlled routing points, believed to be an effort to set up mass censorship, somewhat like that found behind the Great Firewall of China.

The Russian government has been paying ISPs to modify their infrastructure so that all domestic traffic can be properly rerouted internally. Any traffic that is destined for servers and services outside of Russia's borders will simply be discarded.

Remember Internet Explorer? Microsoft Wishes You Wouldn't

Internet Explorer (IE) has officially been dead since 2015, when it was replaced with the newer Microsoft Edge, which is currently being rebased on Chromium. However, it hangs on ... and on ... and on ... and on. It just won't seem to die, living a zombie-like existence.

Microsoft isn't updating IE any longer. The last version was IE 11, which came out in 2014. But they ARE still making it available. You'll love the reason why, too. Some IT departments and enterprises rely on IE to power various web-based apps. Some of the IT departments take an "if it ain't broke, don't fix it" approach. The apps run as expected on IE, so they are accomplishing their goal(s). In that case, there's no incentive to use anything else. But there are also IT departments and enterprises who don't have sufficient manpower to migrate all those web apps to more standards-compliant, more modern web browsers -- including Microsoft Edge, or any of its even more capable competitors.

So therein lies the problem. Microsoft doesn't want to "punish" IT departments and enterprises who simply lack adequate manpower to update or replace web apps that are performing their intended function. So, on and on goes IE, which hasn't been updated in five years.

But truly, Microsoft wishes IE would be allowed to die. They wish it would just finally be able to go away. Microsoft has posted a plea of sorts on their tech community blog. Excerpted from that blog:

Why shouldn't I just keep doing what I have been doing?

So, why was it so important that we invert our approach to legacy? Because if we didn't, you would end up in a predicament--and probably sooner than you think. You see, Internet Explorer is a compatibility solution. We're not supporting new web standards for it and, while many sites work fine, developers by and large just aren't testing for Internet Explorer these days. They're testing on modern browsers. So, if we continued our previous approach, you would end up in a scenario where, by optimizing for the things you have, you end up not being able to use new apps as they come out. As new apps are coming out with greater frequency, what we want to help you do is avoid having to miss out on a progressively larger portion of the web!

Of course, the comments to the blog entry are nearly as informative as the blog entry itself. Take this response, from Martin_Geuss, for instance:

This problem would not exist if Microsoft had delivered a competitive browser with Windows 10.

Now you tell people not to use Internet Explorer, but you avoid giving any advice.

It's crystal clear: Everybody should switch to Google Chrome. I know Microsoft is building a new chromium based browser, but seriously: why?

Who should be trusted? A company which has been struggling in browser development for years? Or the one that has proven it can deliver a modern and capable browser?

Of course, the rest of the world knows and realizes that the problem goes farther back in history than just the introduction of Windows 10. The problem goes way, way back to the earlier releases of IE, and Microsoft's arrogance about it. Microsoft, instead of adhering to established web standards, attempted to set and establish web standards with IE. No one else was listening, and the web went its own way, down the road it was already on. As a result, over the years, IE became less and less compliant with the established web standards that everyone else (but Microsoft) was adhering to.

Only when absolutely forced to do so would Microsoft support the established web standards. For many years, the running joke among Windows users was that the next version of IE should just be a link to the latest Firefox installer, since that is what most users did as one of their first acts, anyway.

Gmail Getting Enhanced, More Useful Right Click Menu

For years, Gmail has had the same paltry, pretty-much-useless right click context menu.

To say that its functions were minimally useful would have been an understatement. That right click context menu is shown above, in a screenshot taken from my own current Gmail account.

Well, coming soon to a Gmail account near you, the right click context menu is going to get a facelift. In the process, most Gmail users will find the new context menu much more useful.

The upcoming changes were announced on a G Suite blog. The new enhancements will allow Gmail users to perform the most common actions from the right click context menu, with a minimum number of mouse clicks. Not only are all of the current right click context menu items present, but so are several other actions, such as Reply, Reply all, Forward, Delete, Mark as read, Snooze, Move to, Label as, Mute, and the ability to search for additional emails from the selected sender.

The updates will roll out first to G Suite customers. Those of us who use the free, public, regular Gmail should see the updates come to our inboxes by the end of February. The updated right click context menu has already come to my Gmail account. Both images above are from my Gmail account.

Ever Dream Of That One-Way Trip To Mars? Keep Dreaming. Company Is Bankrupt.

Mars One, which started up in 2011 with the express goal of sending volunteers on a one-way trip to colonize Mars, has filed for bankruptcy. While Mars One has touted 200,000 interested individuals, the actual number of volunteers for the project is just under 2,800. Still, that's quite a few people interested in a one-way trip to Mars, where they would live out the rest of their natural lives, however brief or long that may prove to be.

Actually, Mars One is composed of two parts. There is the non-profit Mars One Foundation, and then there is the for-profit Mars One Ventures AG. It is the latter that has filed for bankruptcy, after being bought out by a Swiss financial services company in 2016. The non-profit is reported to remain unaffected, as they work to procure additional and ongoing funding for their project in light of the pending bankruptcy of the for-profit arm of the project.

The actual mission plan to place colonists on Mars via a one-way trip is quite fascinating. You can read more about the mission goals and aspirations here. The news release about the impending bankruptcy of the for-profit arm of the project, and how it impacts the non-profit portion, can be viewed here.

Let's hope that, because of this, Mars One doesn't become Mars None.
