Admin
TRWTF is JS isn't involved in this WTF.
Admin
TRWTF is M$ isn't involved in this WTF.
Admin
My mind is irrevocably locked onto the thought of Mindy Kaling, so help me ...
Admin
First of all, how dare you?
Admin
It would be a crime not to report this company. But somehow I see almost every prejudice I have against IoT confirmed. (almost because I never thought they'd issue updates)
Admin
I call BS. Most IoT devices in a domestic environment will be behind a NAT (or series of NATs), and always use an outbound connection to their host for ease of installation and use with a dynamic IP. So unless they can somehow successfully open and forward TCP port 22 inbound on every client site, this whole "script that SSHs into the device" story sounds completely bogus. If they are all somehow connected to a giant VPN spanning every device, this would have made a much better story anyway. If someone somewhere managed to make STUN for TCP (aka STUNT) actually work reliably enough for a forced firmware upgrade, then they should be given a Nobel Prize.
Admin
Three digits, four symbols, a space and a letter add up to 9. So the minimum password length was nine characters, not eight!
Admin
Is it possible to do an equivalent of passive mode FTP with SSH, to get past the router's NAT?
Admin
You don't understand. The minimum password length is 8 characters but you have to enter 9 at least.
Admin
You know, I've been hearing this same thing for at least twenty years now, if not longer.
Admin
Kind of, yes. You can open a reverse tunnel ("RemoteForward") to make any local port available on the target machine, including, of course, the ssh port itself. We actually do this for equipment we sell (not exactly IoT stuff, but the use case here is similar; most of them are behind NAT routers, indeed).
Though we need a central server that they connect to, so the six VMs doing stuff might be a bit problematic. Not that they'd need them, anyway. Thousands of ssh instances, that's nothing. I could run them on my laptop (with the global key on it :) within a reasonable time frame. ssh takes a bit of CPU time at login for key exchange etc., but afterwards the script is just sending commands to the remote device and waiting for it to process them. You could easily run dozens of them in parallel.
But the better design, of course, would be to have the devices themselves scan for updates regularly, making sure the updates are signed. No need to even ssh into them for that purpose (we only need to for manual troubleshooting etc.).
Admin
Your password is allowed to contain at most one backspace!
Admin
Maybe not a Nobel Prize (computer science and math are not categories in those awards), but maybe the IEEE or ACM (Association for Computing Machinery, not American Country Music) awards would be appropriate. Seeing as we are talking about the Internet of Things, might I suggest an Ignoble prize?
Admin
The real WTF is:
Initech can scp directly into each device even when it is behind a firewall!
FYI:
Those cameras apparently open up a tunnel to the service ("are online"), such that the service ("script") can ssh into them (over this tunnel) and forcefully do the update. So they do not need to open a hole into the firewall, they are the hole.
As each model type has its own ssh key, these SSH private keys must be uploaded to the EC instances of course, such that the script can do its work. An agent would be enough, but nope, the keys were uploaded. So the keys, which are stored privately on each laptop to prevent them from being on a network, are stored in the EC, which is a virtual network (a virtual network is far less secure than any physical network).
Also the EC instances are needed, because the devices need to pull the firmware. If you can ssh into a device, you can scp the files, too. Or sftp them in case you're missing the scp binary. So no need to curl at all! But no, that's probably far too easy, I suppose.
Admin
"when our passwords get leaked again"
Admin
HA! I noticed that too, alongside Mindy apparently not raising an eyebrow at that.
Admin
The funny thing about these "super-secure" password requirements is that completely randomly-generated 25-character passwords often don't meet the requirements, even though they have much higher entropy. I have to take a truly random password and add a space in the middle or whatever.
Admin
Remind us again: how long did it take for the universal lock key for DVD players to become public knowledge? Of course, an SSH private key is a CompletelyDifferentSituation.
Admin
Hello there,
I'm not really trained in network / security (I mostly program offline software), so I do not really understand why what Initech does is bad practice (apart from storing passwords, I know that ^^). Can someone give me a short explanation, or point me to articles that are relevant?
Thanks :)
Admin
The Enigma was cracked because of the design flaw that it would not map a character to itself. Might "passwords must have figures and symbols" also be a design flaw? As you said, a 25-character password can have higher entropy.
Admin
Besides the password storing, the other topic is the SSH keys. And maybe the NAT/firewall holes that the IoT devices are creating, but I'll stick to the SSH keys.
These IoT devices all share a single SSH key per model of device. One master key that opens up SSH access to every single one of their Model Q cameras.
Those master keys are stored on every single laptop for everyone in the department. Every developer. Every middle manager. Every executive.
Now, consider how those two items interact with things like employee turnover and laptop theft.
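The shared per-model key described in the comment above is easy to spot from the device side once you treat each device's authorized_keys file as inventory: fingerprint every public key and count how many devices trust the same one. The following is an added example, not code from the article or from the company it describes. The inventory is constructed, and the ed25519 key blobs are synthetic (framed in OpenSSH's wire format so they parse, but the 32 "point" bytes are a hash, not a real key). The fingerprint routine reproduces the `SHA256:` form that `ssh-keygen -lf` prints, so its output can be compared directly against real fingerprints.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, the primitive OpenSSH public-key blobs are built from."""
    return len(data).to_bytes(4, "big") + data


def synthetic_ed25519_pubkey(seed: bytes, comment: str) -> str:
    """Constructed stand-in for an authorized_keys line (assumption: the 32 'point'
    bytes are a hash of the seed, not a real curve point; only the framing is real)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(authorized_keys_line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: SHA256:<43 base64 chars>.

    Locates the key-type field instead of assuming it comes first, so lines with
    leading options such as restrict,command="..." are handled too.
    """
    fields = authorized_keys_line.split()
    for i, field in enumerate(fields):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"no recognised key type in: {authorized_keys_line!r}")


def keys_by_device(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each fingerprint to the devices whose authorized_keys trust it."""
    trusted_by = defaultdict(list)
    for device, authorized_keys in inventory.items():
        for line in authorized_keys.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            trusted_by[fingerprint(line)].append(device)
    return dict(trusted_by)


def shared_keys(inventory: dict[str, str], max_devices: int = 1) -> dict[str, list[str]]:
    """Fingerprints trusted by more than max_devices devices: one key, many doors."""
    return {fp: devs for fp, devs in keys_by_device(inventory).items()
            if len(devs) > max_devices}


# Constructed inventory: three Model Q cameras trusting one master key, plus one
# device provisioned with its own key, restricted to a maintenance command.
MODEL_Q_MASTER = synthetic_ed25519_pubkey(b"model-q-master", "initech-model-q")
INVENTORY = {
    "cam-q-0001": MODEL_Q_MASTER + "\n",
    "cam-q-0002": MODEL_Q_MASTER + "\n",
    "cam-q-0003": "# provisioned 2019\n" + MODEL_Q_MASTER + "\n",
    "cam-r-0001": 'restrict,command="/usr/sbin/maint" '
                  + synthetic_ed25519_pubkey(b"cam-r-0001", "per-device") + "\n",
}

if __name__ == "__main__":
    for fp, devs in shared_keys(INVENTORY).items():
        print(f"{fp} is trusted by {len(devs)} devices: {', '.join(devs)}")
```

Run against a real fleet, feed `INVENTORY` from whatever pulls `/etc/dropbear/authorized_keys` or `~root/.ssh/authorized_keys` off each unit; any fingerprint that shows up on more than one device is a key whose compromise, laptop theft included, is a fleet-wide compromise.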
Admin
Sell enough of them that you get bought by Amazon or Google and let someone else worry about the security breach.
Admin
Not necessarily... Your password could satisfy the letter and number rule at the same time.
12π @#$%
Math!
Admin
Nah. Use e instead.
Or better - i. Real hackers would never check for the number i in passwords. (ba-dum tchsss)
Admin
You missed the joke, you should've said real hackers would never imagine that anyone would use the number i in their password.
Admin
There is a website out there called "the internet of sh*t" collecting stories of flawed internet of things devices. Very entertaining.
Admin
I particularly like sites where they have a complex password rule, but don't tell you what it is. I had one where I typed in what I thought was a pretty good password: 9 characters including a capital letter, several small letters, 2 digits, and a punctuation symbol. I got a message saying it didn't meet their password rules. Didn't say what the rules were, just that I didn't meet them. I tried a number of changes and still, doesn't meet the rules. I finally stumbled on deleting a character and that made it pass. I had used the same digit twice in a row, maybe the rule was you can't use the same character twice in a row? That's a dumb rule. I still don't even know if that was it, or what the rule was.
Tip: When you give an error message, be specific enough that the user might actually be able to figure out what to do to fix the problem.
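Two complaints in this thread fit in one small checker: that composition rules reject a random 25-character password while admitting a shorter one that ticks every box (the comment about 25-character passwords, and the Enigma comparison), and that the rejection message above should say which rule failed. This is an added example, not code from the article or from Initech. The rule set is hypothetical, since the article does not publish the exact policy, and the entropy figure assumes the password was drawn uniformly from the smallest standard alphabet covering its character classes, so it is only meaningful for a generator's output and overstates anything a human typed.

```python
import math
import secrets
import string

# Hypothetical composition policy (assumption: the article does not give Initech's rule).
# Each rule is named so the rejection message can say exactly what is missing.
RULES = {
    "at least 8 characters": lambda pw: len(pw) >= 8,
    "an uppercase letter": lambda pw: any(c.isupper() for c in pw),
    "a lowercase letter": lambda pw: any(c.islower() for c in pw),
    "a digit": lambda pw: any(c.isdigit() for c in pw),
    "a symbol": lambda pw: any(c in string.punctuation for c in pw),
}


def policy_failures(pw: str) -> list[str]:
    """Rules pw does not satisfy; an empty list means it passes."""
    return [name for name, ok in RULES.items() if not ok(pw)]


def policy_message(pw: str) -> str:
    """Specific rejection text, rather than 'does not meet our requirements'."""
    missing = policy_failures(pw)
    if not missing:
        return "ok"
    return "password needs: " + ", ".join(missing)


def entropy_bits(pw: str) -> float:
    """Upper bound on entropy, assuming pw was chosen uniformly from the smallest
    standard alphabet containing all of its character classes. Valid for a
    generator's output; overstates anything a human chose."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    if " " in pw:
        alphabet += 1
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def generate(length: int = 25, alphabet: str = string.ascii_lowercase) -> str:
    """What a password generator hands you: uniform draws, no composition rules."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed stand-in for a generator's 25 lowercase output (fixed so the numbers are reproducible).
RANDOM_LOWER_25 = "qzmvkwtxbpflnsohdgjraeucy"
# A rule-compliant password of the kind the policy was written to accept.
COMPLIANT_11 = "Tr0ub4dor&3"

if __name__ == "__main__":
    for pw in (RANDOM_LOWER_25, COMPLIANT_11):
        print(f"{pw!r}: ~{entropy_bits(pw):.0f} bits, {policy_message(pw)}")
```

The 25 lowercase letters come out near 117 bits and are rejected for lacking an uppercase letter, a digit and a symbol; the 11-character compliant password comes out near 72 bits and passes. The policy orders the two backwards, which is the commenter's point, and the message at least tells the user what to append.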
Admin
"Well, we were worried about storing something so sensitive on the network."
Their workstations aren't connected to a network?
Admin
Besides what ooOOooGa and Feeling Lucky said, the correct thing to do would be
Honestly, even if you can't do 1, 2 is much easier than what they're doing. Makes me suspect they want that constant tunnel into every device so they can do some lascivious peeping on whatever the camera is seeing.
Admin
So close, yet so far. The correct lesson is don't buy any InternetOfShit crapware from anyone.
Admin
Oh, I just remembered a silly story: a manager boasted about his new security system. He CHALLENGED anyone to get past it. So someone sneaked into the manager's office to check it out... it was a fingerprint scanner. He got around it simply by unplugging it and plugging something else into the same slot!