
Golden Oldies: Entrepreneurs: Tesla Hack

Monday, March 2nd, 2020

https://www.flickr.com/photos/30998987@N03/16642738584

Poking through 14+ years of posts I find information that’s as useful now as when it was written.

Golden Oldies is a collection of the most relevant and timeless posts during that time.

In August 2016 I wrote Self-driving Tech Not Ready for Primetime and a month later Tesla was hacked. But, as you’ll find out tomorrow, hacking isn’t the only problem — humans are actually way higher on the problem scale. While it’s not easy, hacking dangers can be minimized, but fixing humans is impossible.

Read other Golden Oldies here.

I’ve been writing (ranting?) about the security dangers of IoT and the connected world in general.

Security seems to be an afterthought — mostly after a public debacle, as Chrysler showed when Jeep was hacked.

GM took nearly five years to fully protect its vehicles from the hacking technique, which the researchers privately disclosed to the auto giant and to the National Highway Traffic Safety Administration in the spring of 2010.

Pity the half million at-risk OnStar owners.

A few days ago Tesla was hacked by Chinese white hat Keen Team.

“With several months of in-depth research on Tesla Cars, we have discovered multiple security vulnerabilities and successfully implemented remote control on Tesla Model S in both Parking and Driving Mode.”

They hacked the firmware and could activate the brakes, unlock the doors and hide the rear view mirrors.

Tesla is the darling of the Silicon Valley tech set and Elon Musk is one of the Valley gods, but it still got hacked. And the excuse of being new to connected tech just doesn’t fly.

And if connected car security is full of holes, imagine the hacking opportunities with self-driving cars.

The possibilities are endless. I can easily see hackers, or bored kids, taking over a couple of cars to play chicken on the freeway at rush hour.

Nice girls don’t say, ‘I told you so’, but I’m not nice, so — I told you so.

Image credit: mariordo59

When Smart is Stupid

Wednesday, July 10th, 2019

https://www.flickr.com/photos/144957155@N06/36639716763/

Do ads for smart stuff excite you?

Do you lust for a smart refrigerator, smart doorbell or some other smart product?

Do you want a smart home?

What about a smart city?

We already have a smart electric grid.

What do they all have in common?

They can be hacked.

It’s something to think about.

Smart = hackable.

Hacking a personally owned smart device is bad, but it pales in comparison to what happens if (when) the grid is hacked, whether by a foreign power or civilians for ransom.

Ukraine’s power was hacked in 2015, but old technology saved it from a far worse outcome.

A bill introduced in 2016 has been working its way through the US Congress. It would require similar old tech for US power grids. The bill provides a study period, so it will be 2020 before anything actually happens.

The old tech is actually the only solution that is immune to cyber/digital attacks of any kind.

Can you guess what it is?

If you guessed analog/manual/human give yourself a gold star. If you are under 40 you get five gold stars.

“Specifically, it will examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators,” said US Senators Angus King (I-Maine) and Jim Risch (R-Idaho), who introduced the bill on the Senate floor in 2016. (…) The US is very close to improving power grid security by mandating the use of “retro” (analog, manual) technologies on US power grids as a defensive measure against foreign cyber-attacks that could bring down power distribution as a result.

Are you surprised? I’m not.

I always thought hooking the power grid up to the hackable internet was a dumb idea.

Kind of like locking your house and then taping spare keys to the doorframes.

Now we’ll spend millions on these “improvements.”

Stupidity really does rule.

Image credit: Midnight Believer

Protect Yourself — ‘They’ Don’t Care/Won’t Bother

Friday, March 3rd, 2017

https://www.flickr.com/photos/centralasian/8261449212

Do you invite strangers into your home and let them listen to your most personal conversations or view your most intimate moments?

Would you leave them alone with your kids to say what they pleased using unquotable language?

Would you stand by while they rummaged through your files copying what they pleased, leaving chaos behind and demanding payment so you could clean up the mess?

No?

Chances are you already do.

You invite them in with every connected device you buy.

Even vaunted Apple isn’t immune.

Security hasn’t been a high priority for companies around the globe, especially those running startups.

Consider the saga of a doll called Cayla from Genesis Toys; banned in Germany and under investigation in the US.

Cayla and a similar toy, i-Que, made by the same company are Internet-connected and talk and interact with children by recording their conversations.

CloudPets are stuffed animals made by Spiral Toys, which didn’t even bother to secure their database.

In addition to storing the customer databases in a publicly accessible location, Spiral Toys also used an Amazon-hosted service with no authorization required to store the recordings, customer profile pictures, children’s names, and their relationships to parents, relatives, and friends.

Samsung’s smart refrigerator was hacked, yielding up Gmail logins, which, in turn, can yield up your whole on-line life.

Besides the fridge, the hackers also found 25 vulnerabilities in 14 allegedly smart devices, including scales, coffee makers, wireless cameras, locks, home automation hubs, and fingerprint readers.  

Pretty lame, considering that in January 2014 security was ranked as the top spending priority for CIOs and 75% said it would increase in 2015.

Makes you wonder what it was spent on.

European countries, such as Germany and Denmark, have strong privacy laws and simply ban these products, but I doubt our government will do more than hold hearings and wring their hands.

So it’s up to you.

Your major protection is very simple.

  1. Don’t buy connected devices unless you really can’t live without them.

For those you do buy, don’t expect anything from the manufacturer.

  1. Learn how to reset the passwords and choose strong ones.
  2. Don’t use all-purpose logins, such as those from Facebook or Google — no matter how convenient they are.

It’s called “personal responsibility.”

If you’re not familiar with the idea ask your parents — or, more likely, your grandparents.

Image credit: cea +

Ducks in a Row: Anything—As Long As It Pays…

Tuesday, December 13th, 2016

https://www.flickr.com/photos/pimkie_fotos/2673197411/

Edward Snowden’s revelations made people hyper-conscious of government snooping, while the proliferation of mobile and connected devices has made snooping easier, not to mention very profitable.

And profit is what’s behind the rise of global cyber-arms dealers that sell human suffering and death as surely as their real-world counterparts sell weapons.

Last summer, Bill Marczak stumbled across a program that could spy on your iPhone’s contact list and messages—and even record your calls. Illuminating shadowy firms that sell spyware to corrupt governments across the globe, Marczak’s story reveals the new arena of cyber-warfare.

Marczak’s stumble revealed three zero-day exploits (“Zero days” refers to the amount of time—i.e., none—a target has to fix an entirely new kind of hack before damage can be done.).

It’s called a jailbreak and the ability to do it remotely is every hacker’s dream.

… the ability to hack remotely into the digital brains of the world’s most popular hardware—the desktops, laptops, tablets, and especially the mobile phones made by Apple. And not just break into Apple devices but actually take control of them. It was a hacker’s dream: the ability to monitor a user’s communications in real time and also to turn on his microphone and record his conversations.

In a superhuman effort, Apple patched all three exploits in just 10 days.

It’s an uplifting story, but the fact is Apple and other computer-makers are fighting a losing battle. As long as there are hackers, they will continue to find ways to hack any device that interfaces with them. These dangers were highlighted this fall when a New England company found itself the target of a mass denial-of-service attack from millions of non-computer “zombie devices” connected to the Internet—most notably baby monitors.

“What these cyber-arms dealers have done is democratize digital surveillance,” says the A.C.L.U.’s Chris Soghoian. “The surveillance tools once only used by big governments are now available to anyone with a couple hundred grand to spend.” In fact, they may be coming to your iPhone sometime soon.

Hat tip to KG for sharing the Vanity Fair article about Marczak.

Flickr image credit: Pimkie

Golden Oldie: Free, scary costume

Monday, October 31st, 2016

It’s amazing to me, but looking back at more than a decade of writing I find posts that still impress, with information that is as useful now as when it was written.

Golden Oldies is a collection of what I consider some of the best posts during that time.

I wrote this Halloween post exactly 10 years ago and the costume is even scarier today. The character described has added to their tricks list, including hospitals, connected cars, IoT devices and ransomware, to name just a few.

Read other Golden Oldies here.

Happy Halloween! In case you’ve got party plans and want to be a really scary character sans blood and guts.

The costume is almost anything handy, but ratty jeans, well-worn black t-shirt, preferably with an anti-social message, worn sneakers, scruffy hair, and red-rimmed eyes is the norm; or you can go all the way over to pure designer if that’s your thing. The only necessary accessory is a laptop (or facsimile if you think you might party hard enough to lose it). That’s it, the generic (feel free to customize it) costume of one of the scariest folks cruising along today.

Your character plays with water systems, steals from online accounts, rips off Second Lives, messes with elections, and shakes down the online gambling industry.

Figured it out yet?

Good. So, grab your (metaphorical) black hat and let’s party! And may you enjoy an evening of great treats and no tricks.

Entrepreneurs: Tesla Hack

Thursday, September 22nd, 2016

https://www.flickr.com/photos/30998987@N03/16642738584

I’ve been writing (ranting?) about the security dangers of IoT and the connected world in general.

Security seems to be an afterthought — mostly after a public debacle, as Chrysler showed when Jeep was hacked.

GM took nearly five years to fully protect its vehicles from the hacking technique, which the researchers privately disclosed to the auto giant and to the National Highway Traffic Safety Administration in the spring of 2010.

Pity the half million at-risk OnStar owners.

A few days ago Tesla was hacked by Chinese white hat Keen Team.

“With several months of in-depth research on Tesla Cars, we have discovered multiple security vulnerabilities and successfully implemented remote control on Tesla Model S in both Parking and Driving Mode.”

They hacked the firmware and could activate the brakes, unlock the doors and hide the rear view mirrors.

Tesla is the darling of the Silicon Valley tech set and Elon Musk is one of the Valley gods, but it still got hacked. And the excuse of being new to connected tech just doesn’t fly.

And if connected car security is full of holes, imagine the hacking opportunities with self-driving cars.

The possibilities are endless. I can easily see hackers, or bored kids, taking over a couple of cars to play chicken on the freeway at rush hour.

Nice girls don’t say, ‘I told you so’, but I’m not nice, so — I told you so.

Image credit: mariordo59

Self-driving Tech Not Ready for Primetime

Wednesday, August 17th, 2016

Tech loves to brag that it is “data driven.”

But contrary to tech lore, data isn’t black and white. It can be massaged and manipulated to support or contradict opposite sides of the same argument.

Take self-driving cars. Google claims the data proves them safer than human drivers.

But is that what the data really shows or is it being stage-managed?

I’m aware that my opinion doesn’t carry much (any) weight, so let’s consider instead the view of Etsy CTO John Allspaw.

“You can’t just extrapolate Google cars driving ~1.5 million miles under specific conditions (weather, topology, construction, traffic, accidents around it, etc.) to usurping the ~3 trillion miles/year under all conditions in the US. 1.09 fatalities per 100 million miles is the current non-self-driving numbers.

2014 had ~30k fatal crashes out of the 3 trillion miles traveled. We have to understand not how those crashes happened, but what makes the vast majority of them not happen. Luck is not a contributor, expertise is. Understanding human expertise is the key, not human frailty.”

Tech claims that security isn’t that big a problem and certainly not one that requires statutory approaches or regulation.

Two years ago Eddie Schwartz, vice president of global security solutions for Verizon’s enterprise subsidiary, said that self-driving cars will prove an irresistible target for hackers if they ever hit the roads.

Change if to when. Of course they’re irresistible; hacking and controlling a real car on a real road, with the potential of doing real damage, would be catnip to a large number of naïve kids (to prove they can), not to mention angry adults (getting even) and terrorists (creating chaos).

Missy Cummings, director of Duke University’s robotics program, doesn’t believe self-driving cars are anywhere near ready for prime-time.

The cars aren’t yet able to handle bad weather, including standing water, drizzling rain, sudden downpours and snow, let alone police instructions (…) “I am decidedly less optimistic about what I perceive to be a rush to field systems that are absolutely not ready for widespread deployment, and certainly not ready for humans to be completely taken out of the driver’s seat.”

And now being added to the thrills and threats of hackable cars comes Otto — an affordable $30K (cheap when you consider the cost of a new rig) retrofit to make big rigs self driving.

Remember the 1971 movie Duel?

Update by substituting a hacker for the original driver.

But then, tech is famous for rushing in and then loudly disclaiming any responsibility for human misuse, let alone abuse.

UPDATE: August 18: Uber just bought Otto.

Credit: Otto on YouTube

Free, scary costume

Tuesday, October 31st, 2006

Happy Halloween! In case you’ve got party plans and want to be a really scary character sans blood and guts.

The costume is almost anything handy, but ratty jeans, well-worn black t-shirt, preferably with an anti-social message, worn sneakers, scruffy hair, and red-rimmed eyes is the norm; or you can go all the way over to pure designer if that’s your thing. The only necessary accessory is a laptop (or facsimile if you think you might party hard enough to lose it). That’s it, the generic (feel free to customize it) costume of one of the scariest folks cruising along today.

Your character plays with water systems, steals from online accounts, rips off Second Lives, messes with elections, and shakes down the online gambling industry.

Figured it out yet?

Good. So, grab your (metaphorical) black hat and let’s party! And may you enjoy an evening of great treats and no tricks :-P

Creative Commons License
This work is licensed under a Creative Commons Attribution-NoDerivs 2.5 License.