[Cryptography] Schneier's Internet Security Agency - bad idea because we don't know what it will do

Kevin W. Wall kevin.w.wall at gmail.com
Mon Feb 27 19:35:00 EST 2017


On Mon, Feb 27, 2017 at 4:14 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
...<big snip>...
> It's going to get a whole lot worse.  My (relatively cheap) non-Nest
> thermostat keeps begging me to hook it up to the Internet for *my*
> "convenience".
>
> How hard is it for a wifi device to search for all SSID's (including hidden
> ones) & find one that is either open already or WEP-protected, and then
> trivially break it?  BTW, it does NO GOOD to block such a device from YOUR own
> wifi network, because there are perhaps 5-15 wifi networks IN YOUR
> NEIGHBORHOOD that ARE accessible.

Not difficult, but I don't think that manufacturers will start doing this
as that would constitute illegal access of a computer network even if the
network was WEP and had a default router/AP password. Open Wi-Fi networks,
that's a little harder call to make, but that too seems doubtful.

> Virtually every device you purchase these days is wireless-enabled -- "dumb"
> TV's, refrigerators, washing machines (!?!).  Even if/when such a device
> doesn't automatically attempt to "call home" on the Internet, it advertises an
> SSID itself, and becomes instantly hackable by anyone within wireless
> distance.

Bingo! Give that man a prize! That definitely is a major issue. I've had
several printers now where I've had to disable this even though I connected
them to hard-wired ethernet. And most of those also come with a
shit-for-security web interface that has vulnerabilities like Shellshock,
etc. And of course, those web interfaces are running with superuser priv
so the device gets totally pwn'd if you don't lock them down from the
get go.

> God knows what will happen when these very low cost Verizon/ATT/etc
> cellular-connected IoT devices become ubiquitous, and where the device
> manufacturer pays for the cellular connection.  I don't think there is any law
> that prohibits such a device from calling home w/o your permission.  In such a
> situation, jamming devices will become *essential*.

But, according to FCC rules, jamming is illegal, even if it's only your
own local devices. But you make a good point. Eventually, someone will
be willing to fund your connection so they can surveil all your activities.
Better start reading all those T&C and EULAs.

Sigh.
-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.