And, not to be prudish, but the lack of regulation is part of what has allowed the industry to explode. It's more unlikely I can succeed at a kickstarter for a neat computer dongle if it needs an extra few thousand dollars for regulatory approval before I can ship it. While I have no personal experience with the FDA approval process, my father worked for a company in the healthcare industry - I'd hear stories of multi-month long FDA audits of their hardware after a 'statistically significant' number of failures in the field. That kind of pressure is not amenable to single-man operations, as is frequent in our field - nor should a dev be on the hook for lifetime tech support for a silly lightbulb or other trinket. Yea, the infrastructure as it currently stands has issues, but while regulatory pressure will whip the big players into line, it could also easily choke out smaller players and startups.
On the subject of answers, rather than questions... I have a funny story. So the Xbox One has this neat feature where you can control your console via an app on your local area network PC or phone. The default setting was that any device on the network the Xbox was connected to could control it. Imagine this, in a college dorm. I saw a lot of Xboxes available to control. So, after testing with a friend (yep, I could easily interfere with whatever), I developed a key combo that I could rapidly input from any console state which would open the settings menu and disable the remote control feature, locking out my own access (and I'd know it had worked because I'd be disconnected). That's right, I effectively developed a virus which patched the vulnerability. If attackers have the advantage in this field, then maybe we should put more effort into thinking about friendly counter-attackers. If the silly IoT device can be pwned, then it can be pwned for good, as it were. Does anyone know of any groups working in this area, or any research done towards it? Pen-testing and other white hat hacking activities I know about, but does anyone officially do this kind of guerrilla-patching?
I'm having difficulty finding any authoritative or historical resources on this, but I recall that "good" viruses were for some time planned that would do just that: run around, see if they could infect via the method, then patch and self-destruct.
Ultimately the idea was considered not good because of difficulties with getting it to work as expected, pressure and fear that the fix would introduce more issues, liability issues, and so on, and probably some ethics debates on computer intrusion even for the purpose of securing the device.
I'm not really sure what stance to take on such an issue, since the idea behind it is good intentions, but I feel like it can lead to unintended consequences that ultimately would have no one liable. For my personal machines I have fairly vanilla setups, but many of my friends and colleagues have rather intentionally complex setups and most definitely would object to someone accessing their setup and making changes without their permission.
Wow. If a virus propagated like this on today's networks, would such traffic even make a noticeable dent in the available bandwidth?
Anyways, I hadn't heard of this virus - it's super neat. Patching its own infection vector and even explicitly removing an existing virus from the target machine... The article loathes it for how overtly it affects machines (forced restart to apply an update) and networks (congestion), but the work it attempted to do was decidedly good. Sounds to me like it worked well, but had poor execution in accounting for the network effects it would have. (I doubt it was rigorously tested in a prod environment ;) ) If anything, I'd see this as a case study that this kind of offense-as-defense strategy has the potential to work... It's just nobody wants to take responsibility to do so.
my father worked for a company in the healthcare industry - I'd hear stories of multi-month long FDA audits of their hardware after a 'statistically significant' number of failures in the field.
Healthcare industry?
Statistically significant (which I note you put in scare quotes) failures?
I damn well hope that such incidents are taken very seriously by the FDA.
Yeah, I think his point was that it's not sustainable for a company selling $20 webcams to get that sort of scrutiny.
The counterpoint is that, if the webcam is used in failure-critical situations, then it absolutely should be under that level of scrutiny. The problem is finding how you can define that operational scenario in law.
In a world where random webcams can mount DDoS attacks on basically any internet service, is there any non-failure-critical situation for an internet-connected device? (Honest question.)
One alternative is you get the standards and quite a few components (e.g. FOSS) that help meet them. You aren't evaluated unless you're sued due to harms from your product. The potential fines or damages go up with the amount of negligence they find. This way, it only costs money when harm happens.
Meanwhile, people wanting to use higher security as a differentiator can get evaluated ahead of time as some do now.
No, it's not. I can't sue Microsoft for preventable buffer overflows in Windows. The evaluations they target that government accepts don't even look at the source. There are no software liability or source-based evaluation requirements for mass-market software at the moment.
Matter of fact, NSA's new scheme only requires 90 day evaluation at EAL1 (certified insecure).