
Trust Me (I'm a kettle)

The internet of things may be coming to us all faster and harder than we'd like.

Reports coming out of Russia suggest that some Chinese domestic appliances, notably kettles, come kitted out with malware—in the shape of small embedded computers that leech off the mains power to the device. The covert computational passenger hunts for unsecured wifi networks, connects to them, and joins a spam and malware pushing botnet. The theory is that a home computer user might eventually twig if their PC is a zombie, but who looks inside the base of their electric kettle, or the casing of their toaster? We tend to forget that the Raspberry Pi is as powerful as an early 90s UNIX server or a late 90s desktop; it costs £25, is the size of a credit card, and runs off a 5 watt USB power source. And there are cheaper, less competent small computers out there. Building them into kettles is a stroke of genius for a budding crime lord looking to build a covert botnet.

But that's not what I'm here to talk about.

I have an iPad. (You may be an Android or Windows RT proponent. Don't stop reading: this is just as applicable to you, too.) I mostly use it as a recreational gizmo for reading and watching movies, and a little light gaming. But from time to time it's handy to have a keyboard—I use it for email too. So I bought one of these (warning: don't buy it direct, it costs a lot less than £90 on the high street). It's a lovely piece of kit: charges over micro-USB, magnetically clips to the front of the iPad to cover it when not in use, communicates via bluetooth.

But I suddenly had a worrying thought.

This keyboard contains an embedded device powerful enough to run a bluetooth stack. The additional complexity of adding wifi is minimal, as is the power draw if it's designed right. Here's an SD card, with wifi. It's aimed at camera owners: the idea is it can automatically upload your snapshots to the cloud. Turns out it runs Linux and it's hackable.

Look at that cute Logitech bluetooth keyboard. There's a lot of space in it, behind the slot the iPad sits in. Presumably that chunk of the case is full of battery, and the small embedded computer that handles the bluetooth stack. Even if it isn't hackable in its own right, what's to stop someone from buying a bunch of bluetooth keyboards and installing a hidden computer in them? Done properly it'll run a keylogger and some sniffing tools to gather data about the device it's connected to. It stays silent until it detects an open wifi network. Then it can hook up and hork up a hairball of personal data—anything you typed on it—at a command and control server. Best do it stealthily: between the hours of 1am and 4am, and in any event not less than an hour after the most recent keypress.

I hear tablets are catching on everywhere. Want to dabble in industrial espionage? Get a guy with a clipboard to walk into an executive's office and swap their keyboard for an identical-looking one. When they come back from lunch they'll suffer a moment of annoyance when their iPad or Microsoft Surface turns out to have forgotten its keyboard. But they'll get it paired up again fast, and forget all about it.

I don't want you to think I'm picking on Logitech, by the way. Exactly the same headache applies to every battery-powered bluetooth keyboard. I'm dozy and slow on the uptake: I should have been all over this years ago.

And it's not just keyboards. It's ebook readers. Flashlights. Not your smartphone, but the removable battery in your smartphone. (Have you noticed it running down just a little bit faster?) Your toaster and your kettle are just the start. Could your electric blanket be spying on you? Koomey's law is going to keep pushing the power consumption of our devices down even after Moore's law grinds to a halt: and once Moore's law ends, the only way forward is to commoditize the product of those ultimate fab lines, and churn out chips for pennies. In another decade, we'll have embedded computers running some flavour of Linux where today we have smart inventory control tags—any item in a shop that costs more than about £50, basically. Some of those inventory control tags will be watching and listening to us; and some of their siblings will, repurposed, be piggy-backing a ride home and casing the joint.

The possibilities are endless: it's the dark side of the internet of things. If you'll excuse me now, I've got to go wallpaper my apartment in tinfoil ...

183 Comments

1:

Charlie, it's hard enough sitting here in my cube all day, and now you have to activate my paranoia centers...

2:

And the Pi ain't the only item out there. There's also a Python-based KickStarter project for about the same price.

If a relatively small-scale KS project can provide them to backers for £24, I imagine mass production could do them a lot cheaper right now, though in my opinion to make this a viable scam, the price will have to go a lot lower.

So we may be safe for a bit longer. Just not a lot.

3:

I note that crackdowns on spam, viruses, hacking, and malware always tend to drive the hobbyists out, leaving the field clear for actual organized criminals. I also note that there's money in botnets and identity theft. And if the price of such devices drops 50% in 2 years ...

4:

We ought to get into the appliance-countermeasures market now, while it's in its infancy. I can see the ads now: "Can you trust your dishwasher?"

5:

What you'll really want is a Faraday cage around your abode with hardwired, firewalled antennae for your authorized, encrypted signals. Good luck with that.

6:

Malware is one obvious application, but there are shady-but-not-overtly-bad applications. Not that I expect bitcoins to truly stick around, think about consumer product manufacturers jamming bitcoin miners in every toaster sold, and collecting the profits when those miners hit a wifi node.

For problems that parallelize well, companies like GE could build their own, private SETI@home style networks, and get the public to pay for the privilege.

7:

Presumably these kettles will implement HTCPCP. Perhaps you can ping them and see if they respond with HTTP error 418. If it is surveilling you it SHOULD return error 451 instead.

8:

Last year I did a pitch for devices that used crypto keys to pair with one another, allowing a phone, for example, to pair with a projector-and-keyboard set in the boardroom, or a pad to pair with a larger screen in one's office.

I hadn't realized that without the keys, we would be looking at the kettle in the lunchroom pairing with my phone!

--dave

9:

I've lost the link now, but there's an article out there describing the process of reverse engineering the firmware on one of the (several) ARM SoCs embedded in a standard hard disk controller to run Linux and thereby monitor, corrupt or modify all data going to and from the disk.

Basically we're all doomed and the spooks have won.

10:

The increasing tendency to "chip" pets (for better ID in case they escape or are stolen and end up in a shelter) has just gotten considerably freakier.

So has the possibility of chips in humans.

And how about smartcard-based money? Is your money spying on you?

11:

I just bought a Teensy 3.1 (http://www.pjrc.com/teensy/teensy31.html). Less than $20 for a 32 bit ARM M4 clocked at 72MHz with 256K of flash and 64K of RAM. Not earth shattering, but that's in less than a square inch of circuit board. As it happens, I shall be using it to drive a keyboard I'm building, but the keyboard driver isn't going to come close to using it at capacity - I'm going to be attaching a little LCD text display and resisting the temptation to put a 'Zork' mode on there as well. There's so much headroom available on even the cheapest micro controllers now that adding 'features' like key loggers and other malware possibilities is almost embarrassingly easy.

You've read Dennis Ritchie's "Reflections on Trusting Trust", I take it?

12:

"Can you trust your dishwasher?" {Looks in mirror} Not entirely, no. ;-)

My cellphone is old enough to not have built-in GPS though.

13:

It still gives up a lot of valuable location data, anyway.

14:
We ought to get into the appliance-countermeasures market now,

Forget about those big companies, the emergent market for DPI is the homeowner!

(assuming you can trust your government-approved DPI appliance)

16:

I am a tech journalist from Russia.

The general consensus here is that this story was a fake. Original sources were not reliable, and nobody else managed to prove it.

17:

You mean, that cat may be a mobile surveillance device? No, no, that's not the case, not at all. And that we've just managed to infiltrate there's a new feline in the Stross household is completely coincidental.

More seriously, it might lead to an update on Acoustic Kitty if you could subvert what is currently a pretty simplistic RFID speck.

18:

When I got my Origami slate computer (and a Bluetooth keyboard to accompany it) back in 2006 people looked askance at my only using the touchscreen to enter passwords and account information. Feeling some undeserved vindication now...

-- Steve

19:

There is a contention made, I'm pretty sure in Vernor Vinge's "A Deepness in the Sky", that once an advanced technological civilization develops ubiquitous and universal surveillance and data collection, it collapses within decades. I've always found the idea striking. I need to reread that section of the book and see what the justification is.

20:

Probably because we'll all spend all our time reading other people's trivial maunderings - oh, wait, that's Facebook (tm).

21:

This is starting to look very P.K.D. - or Red Dwarf. Picture a couple huddling under the covers in the morning, dreading the moment when one of them has to schlump downstairs and deal with the kettle, the toaster, etc.

22:

One way of mitigating the potential damage is to have aggressive logging on your wifi access point. Then you can check to make sure that only known devices are accessing the point, and search for rogue devices if they are discovered.

A much easier method would be to simply implement WPA2 (or at a minimum WEP, which though broken, may be sufficient to prevent low powered devices from cracking the connection). If you want to share the connection, simply share the password. At a café or similar, you can put the password on a sign, and/or on each receipt (especially if you change the password regularly).

I'm not worried now. But in the future, I think I might go the isolationist route. Live far enough away from anyone else that the only wireless signals are ones I control, and simply prevent anything that I don't know from connecting.

But what about my wireless access point? That could easily have its own little computer inside it... Shit. It's turtles all the way down.
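The logging approach in comment 22, applied to the behaviour the post describes (a device that stays silent until the small hours), as an added example that is not part of the original post or of any comment. It takes association events from an access point log, compares them against an allowlist of the devices you actually own, and also flags any device whose every association falls inside a quiet overnight window. The log format, the 02:xx locally administered MAC addresses and the allowlist are all constructed for the example.

```python
"""Rogue-device check over access-point association logs (added example).

Two checks: (1) is the MAC on the household allowlist at all, and
(2) does the device only ever show up between 01:00 and 04:00, the
stealth window the post suggests a covert passenger would use.
Log format, MAC addresses and the allowlist are constructed.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: one hostapd-style association event per line.
# 02:00:00:00:00:xx are locally administered placeholder addresses.
SAMPLE_LOG = """\
2013-11-21 08:12:03 AP-STA-CONNECTED 02:00:00:00:00:01
2013-11-21 12:40:19 AP-STA-CONNECTED 02:00:00:00:00:02
2013-11-22 02:17:44 AP-STA-CONNECTED 02:00:00:00:00:99
2013-11-22 02:18:02 AP-STA-CONNECTED 02:00:00:00:00:01
2013-11-22 03:05:31 AP-STA-CONNECTED 02:00:00:00:00:99
2013-11-22 19:22:10 AP-STA-CONNECTED 02:00:00:00:00:02
"""

# Devices the household knows it owns (constructed allowlist).
KNOWN_DEVICES = {
    "02:00:00:00:00:01": "laptop",
    "02:00:00:00:00:02": "tablet",
}

QUIET_START = time(1, 0)   # 01:00 local time
QUIET_END = time(4, 0)     # 04:00 local time


def parse_associations(log_text):
    """Return a list of (datetime, mac) for every association event in the log."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "AP-STA-CONNECTED":
            continue  # ignore lines that are not association events
        stamp = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        events.append((stamp, parts[3].lower()))
    return events


def in_quiet_window(stamp):
    """True if the timestamp's time of day lies in [QUIET_START, QUIET_END)."""
    return QUIET_START <= stamp.time() < QUIET_END


def audit(log_text, known=KNOWN_DEVICES):
    """Return {mac: [reasons]} for every device that deserves a look.

    'unknown'    - MAC is not on the allowlist.
    'quiet_only' - every association of this MAC fell in the overnight window.
    A known device that happens to connect once at night is not flagged on
    its own; only devices that are never seen outside the window are.
    """
    by_mac = defaultdict(list)
    for stamp, mac in parse_associations(log_text):
        by_mac[mac].append(stamp)

    findings = {}
    for mac, stamps in by_mac.items():
        reasons = []
        if mac not in known:
            reasons.append("unknown")
        if all(in_quiet_window(s) for s in stamps):
            reasons.append("quiet_only")
        if reasons:
            findings[mac] = reasons
    return findings


if __name__ == "__main__":
    for mac, reasons in audit(SAMPLE_LOG).items():
        print(mac, ", ".join(reasons))
```

The allowlist is the weak link: a device that spoofs a known MAC passes the first check, which is why the timing check is kept separate and why both are worth reviewing by hand rather than acted on automatically.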

23:

AIUI, only when it's on, and quite possibly only when it's on a voice call.

24:

You may also want to start auditing any electrical work done in your home; if someone is going to be installing a ceiling fan, why not add some bitcoin mining energy parasites to your wall space, too? Especially if they can work out a "Hey while I'm here, do you mind if I use your wifi? My phone's got no signal. What's the password? Thanks." into conversation.

25:

Yes, that was Deepness in the Sky-- the other failure mode for civilizations was brittleness due to excessive efficiency.

I'm wondering about the future in Swanwick's "The Dog Said Bow Wow" where malware is so pervasive that people have to give up on computers.

26:

Gimmicked keyboards and mice have all sorts of wonderful potential attack modes. My favorite doesn't involve wireless at all. There are long-standing rumors of weaponized exploits against operating-system level USB stacks: plug in a device with the exploit, and the machine is immediately pwned at a level that conventional antivirus systems aren't equipped to detect.

A US agency recently wound up destroying all of their mice and keyboards to try to deal with a malware infestation. They were roundly mocked in much of the technical trade press for what was supposed to be a gross overreaction. My take was a bit different: presuming that they were well advised by the relevant U.S. government experts (you know who), what does that imply about the capabilities they expect of a plausible attacker?

27:

Yes, you're correct. The idea was that once you have the panopticon, the temptation for universal law enforcement comes in where all the laws are enforced all the time. Stack this with the concept of a day.

In fact our good host has written an essay on the topic.

29:

One thing that I've always thought obvious but I never see discussed online is the fact that "You have nothing to hide if you're innocent" isn't just a naive statement, but an actual tenet of the morality of various protestant denominations of Christianity. Surveillance should be welcomed, because it keeps us honest.

Now if you stop to think of how various flavours of evangelical Christianity influence US foreign policy regarding issues such as Israel, etc...

30:

Last spring a friend, who listens to too much right wing talk radio, said that the big scare that was being talked about was smart power meters.

I can imagine a few things that a power meter might reveal. Does your house have a persistent load that might indicate you are growing pot under lights in your basement?

31:

Universal law enforcement is very unlikely to happen, at least without serious advances in intelligent software that can distinguish what's a real crime and what isn't (otherwise you'll get an automatic warrant for assault if you and a mate have a jokey play fight in public). Even if the system flags scenes for review I doubt there would ever be enough officers to deal with the workload.

The real danger IMO is if the system keeps a file of all flagged instances for every person to be used at political discretion. At the mildest this means that whenever a particular issue becomes Hot like cyclists going through red lights they pull up the data on everyone who's done that in the last year and fine them all. At the worst the moment you start getting a political movement forming you access the files of the leaders and round them all up for a long list of petty crimes.

32:

The classic example of this is putting a bug and cellular radio in a power strip. The device is ubiquitous and inherently powered. One can plug it in in an office or conference room without suspicion.

33:

Hey, Cory Doctorow had a story in Technology Review about a misbehaving toaster. Some of this is old news.......

34:

Dave P at 15,

You know, Harry Palmer (Michael Caine) is not a bad model for Bob Howard.

35:

Don't worry about the aluminum foil, chickenwire is good enough. I have friends with that stuff in their walls and it plays merry havoc with their wifi.

Does make me wonder when we're going to see buildings routinely built with tempest shielding and with all sorts of wireless sniffers to make sure that only authorized devices are chatting away.

36:

What you'll really want is a Faraday cage around your abode

Actually, I've got (most of) one. No, I'm not paranoid, but I do have a Victorian detached house that used to be cold and hard to heat in winter, so I had major building work done to fit extra insulation to exterior walls throughout. It came in the form of foam with metallized surfaces, which turned out to be effective at stopping WiFi signals (but cell phones still work). This was an unexpected benefit, as I live next to a multiple occupancy building that's got about 8 WiFi units in it - most on channel 1 so god knows what sort of problems they have. I can't see any of them now unless I move to a side window.

My WiFi networks use WPA2 (without WPS of course) and 20+ character random passwords. I would never claim to be safe against a serious attack, but script kiddies and kettle CPUs aren't going to be a problem. I'm more worried about the software in my TV & BluRay player, but that lives on the DMZ and can't reach the LAN.

OK, I admit it, I am paranoid. 30+ years as a sysadmin do that to you.

37:

How about your TV sending things somewhere.

Apparently LG "smart" TVs log your viewing habits and send them "home" even if you tell it not to do such.

http://www.zdnet.com/lg-smart-tvs-send-viewing-habits-filenames-back-to-manufacturer-7000023411/

And for the paranoid, think about the AppleTV, Roku, and all those game consoles where you are expected to attach a keyboard.

And then there are folks putting up their laptop as a hotspot named attwifi or similar to be able to watch the traffic of all AT&T customers who enter the area and automatically connect. I understand they (AT&T and the phone vendors) have beefed up the way this works since the early days and such but still. Now think of all those Android phones that will never update to a newer OS.

38:

One thing that I've always thought obvious but I never see discussed online is the fact that "You have nothing to hide if you're innocent" isn't just a naive statement, but an actual tenet of the morality of various protestant denominations of Christianity. Surveillance should be welcomed, because it keeps us honest.

Why are these people never concerned that whoever does the surveillance might not be honest?

I'm starting to suspect that Christians in the USA actually worship Satan.

PS. I'm an atheist.

39:

As to costs. Understand that if you buy these various small computer lumps in volumes of a few 100 or a 1000 you can likely get the costs down by 50% or more.

Instead of buying a R PI you could just buy the chips you want and use their firmware and then make your own dedicated lump that's smaller and easier to hide.

40:

Surely one consequence, if this becomes widespread, will be the final end of open wireless networks. Any unprotected network will be clogged with parasites to the point of uselessness.

The surveillance implications are more disturbing than the botnets -- in the long view, if chips are cheap, the price (and thus incentive to create) of a bot is going to go through the floor.

41:

A few years back, the startup that I worked for was acquired by a cellphone manufacturer that I affectionately nicknamed “The Finnish Soviet Socialist Republic”. As part of our assimilation, the FSSR’s director of security for North America came to our office and gave us a presentation on security, and how the FSSR’s competitors are constantly scheming and conniving to obtain its corporate secrets. (The FSSR is presumably trying to do the same thing to its competitors, but for some reason this guy didn’t talk so much about that.)

One of the security tips he gave us: Do not ever ever accept USB cables, flash drives, or similar plug-into-your-company-computer swag that random people hand out at trade shows.

42:

There's a trick security consultants do when brought in to help a firm implement better security. Or some when none exists.

Drop a few or few dozen USB memory sticks around the parking lot a day or so before they show up.

Then they go in and early in the presentation start logging into everyone's management computer system via the information captured and relayed back to them via the malware on the USB sticks.

It's a great way to get the attention of upper management and focus the discussion.

43:

Hey Charlie, you're perhaps 20 years late to the mark. Check out Wallace and Melton's Spycraft: The Secret History of the CIA’s Spytechs from communism to Al-Qaeda (2008, Dutton). Back in the 1970s and 1980s, the CIA tech guys joked that the time would come when they'd print the radio and microphone on the battery, since the size of the batteries was the biggest constraint on their bugs even back then. If they want to bug you now, consider yourself bugged.

That said, I've noticed precisely no uptick in CIA (or NSA) espionage functionality in the intervening decades. Having the technology of the panopticon is not the same thing as gaining the intelligence to do anything useful with it.

That said, such technology finds its way out into the world, especially when CIA officers are allowed to moonlight in corporate America. I think it's perfectly justified to worry about ubiquitous keyloggers, house-hacking, and all the other problems that come with the idiocy of an internet of things (sorry, my biases are showing here. I think it's a stupid idea whose inevitability is so much vapor ware).

However, this will simply be a new marketplace for the security boffins. I predict that botnet sniffers and similar devices (virtual or real) will be an ordinary part of people's computer systems within the next decade, just as anti-virus software has become mandatory.

44:

I've certainly seen some rather far-fetched stories come out of the Russian media, such as the 20 billion Euro in cash in a warehouse at Sheremetyevo which was flown in from Iraq. But I was doing a bit of novel-noodling, and there are high-value banknotes that would let that much cash be carried by a plane. There's also a lot of Euro banknotes been printed.

Like this story, it shifts from unbelievable to at least possible. And, like this story, it runs into scale problems. The package of money to pay off a kidnapper, or some of the bugging methods suggested here, are achievable. Getting enough control of a factory to do this kettle-stunt, and without anyone talking, is on a whole different scale.

But if we look at devices that are already including a computer, instead of subverting the assembly plant, all that's needed is a truckload of faked chips going into the supply chain. I have domestic hardware which is controlled by essentially Victorian technology, but if I replaced it I would expect to see a computerish control system.

I am not sure a kettle is something that is worth the tech in the control system. But a microwave oven, that has the computer already there.

45:

Why be afraid of the kettle? That only tells people that you've had a spot of tea.

Your vibrator, on the other hand, knows all the really nasty secrets! If someone really wanted to spend money on learning about your sex life, your vibrator would know if you are male or female, how many lovers you have, and whether you do anal - and that's just for starters. You could probably build a camera into any electrically powered sex toy, and a really expensive vibrator could probably sample DNA, or perhaps cancel its own noise and record sound...

What makes this much more interesting is that I've recently spent time in a chain of sex toy stores as an outside vendor. (They use a technology company I sometimes work for.) The high-end vibrators there can cost up to two hundred dollars and some of them have very fancy controllers (which I suspect aren't analog.) I used to wonder why those high-end vibrators, which I suspect are bought by high-end people, were so expensive.

Now I know.

From now on any sex toys that get used in my house will be made of wood. I will carve them from a tree I planted myself.

46:

They did a similar thing to this for a TV show in the UK a couple of years ago. In the place just down the street from a bank's cyber-crime centre where most of the staff went for lunch they set up a kiosk handing out freebies, including USB sticks. They all had a key-logger and something to send the keystrokes outside if they could.

Despite signs and protocols telling them not to plug the things in, they got about 150 user names and passwords in 3 hours, including enough information to waltz through the firewall with someone quite senior's remote log-in details. It was quite depressing really. I mean, someone doing it to me at home is one thing. Embarrassing, potentially financially bad for me too, but it's me and my risk. But the bank's cyber-crime centre - you'd hope they'd be a bit more security conscious since it's the job and all.

47:

If you are thinking of SSDs and NAND storage, you may want to check out this: https://github.com/monk-dot/NandX

In Linux you can modify the NAND-handling kernel code to hide arbitrary data in the 'bad' write-blocks. The author of this has also worked on reverse engineering the firmware of SSDs (which are backed by NAND memory) to do the same things.

48:

The trade name is "Kingspan", metallized foil coating high-density foam. There are some new-build houses going up next to the drive in to work; the exteriors at this stage of the build appear to be a foil sheet, but may involve a breathable membrane (you see that on roofs, before the slates go on).

There are window coatings that are intended to reflect heat back into buildings; they look tinted from the inside, reflective from the outside. Add that to your metallized insulation, and you're fairly close to the domestic Faraday cage...

...the window coatings saved some injuries in Edinburgh just over twenty years ago. A tenement block in Guthrie Street had a gas explosion that turned it to rubble; twenty yards away in the newly-coated Traffic Warden headquarters, they were just going on-shift, and the coating prevented a lot of flying glass.

The best restriction on surveillance is to keep the manning levels down in GCHQ and the Security Service to existing levels, and resist any contractorization of such UK functions (you can tell I've just read Cory's "Homeland"). If they've only got a few hundred operators, those operators are going to be fully taken up by tracking the genuinely worrying punters (twitchy blokes back from Syria full of revolutionary fervour) rather than reading anyone's email.

On the other hand, if the government is serious about surveillance (i.e. serious in the sense of "you are on the Continuity IRA's Army Council" or "you are the head of a leading crime family"), they'll just break into your house and wire it for sound, and you won't know a thing about it.

49:

A little further down the technology track, when electronic neuro-enhancement moves towards thought interpretation, a wearable neuro-interface could report your thoughts to 3rd parties. How could you turn off your thoughts when you are dependent on the devices?

Once I may have harbored hopes that the sheer quantity of data about us would overwhelm the capability of the watchers. But once everyone can be monitored by local smart devices analyzing our every thought and deed, this will be doable. It could well be that such devices issue "thought violation tickets" that are paid by direct bank access and cannot be realistically fought.

50:

Actually, if it's a dystopia you're living in, once local smart devices analyzing our every thought and deed are possible, then all the proles are already dead, having been replaced by local smart devices.

51:

Vanzetti ah - you've noticed, have you? How long before everyone else does, is the important question.

52:

I get stick from some friends for revelling in not being up to date on hardware and not taking part in all these let the companies know who you are linked to networking thingies. I point out the panopticon possibilities etc, and nooo, they aren't having any of it.

Hey, Gravelbelly #48 - I got into school that day to be told that I had blown up!

53:
Why are these people never concerned that whoever does the surveillance might not be honest? I'm starting to suspect that Christians in the USA actually worship Satan.

I file it under the same "MWha?" header I keep the fact that they believe Jews to be the chosen people of their God, yet they themselves are in no hurry to convert to Judaism...

PS. I'm an atheist.

Aren't we all around here?

54:

believe Jews to be the chosen people of their God, yet they themselves are in no hurry to convert to Judaism...

FYI, Rob Bell is an Evangelical Christian with a sensible view on this specific issue. He believes he is a Jew, and Jesus is his rabbi. I would guess he believes Jesus is the rabbi of all other Christians too, but I might be missing details of the is-a-rabbi-of relationship so I'm not sure. IIRC this is described in his "Velvet Elvis" book.

He seems to be leading a feel-good sect there. More ecstatic than legalistic. If you're shopping for a flavor of Christianity to convert to (which you aren't), I would recommend him.

55:

It looks like bitcoin-mining malware may already be here. Bitcoin-stealing malware definitely is.

56:

Don't worry about the kettle, we're already borked. It turns out the radio chips in our phones were designed in the 90s, when designers didn't care about security; they're full of backdoors and exploitable bugs. It's possible to take over a phone remotely without having to interact with its control processor at all.

On the other hand, Wifi is not that hard to protect. WPA2 has an access control mechanism where you whitelist the MAC addresses you want to accept connection with. It can be spoofed, but it's a lot harder than a kettle will likely be able to work.

57:

Trying this again, since I apparently hit Preview instead of Submit, and then went back to the main page and lost it. Anyhow...

I keep the fact that they believe Jews to be the chosen people of their God, yet they themselves are in no hurry to convert to Judaism...

Evangelicals believe that they have a New Covenant with god and are the new chosen people. Also that if they can get all of us (Jews) into Israel it will bring about the Rapture where we will either all convert, or die. I have no intention of moving. And then there are the "Messianic Jews" who are essentially Southern Baptists who think pretending to be Jewish makes them closer to Him.

I don't know about evangelicals worshipping Satan, but from what little I've read of the gospels, Jesus was an a-hole who spoke like a cult leader. Of course, it's not like any of it is exactly accurate.

58:

I spent part of this morning reading Steven Wolfram waxing poetical about how the new distributed Mathematica / Wolfram Alpha / Wolfram Language will use symbolic computing to become the dominant computing paradigm. A lot of it was nothing new; the Jini distributed infrastructure team, the Alice distributed collaboration project, the GemStone distributed object system I worked on, and, for that matter every Lisp system around, have been working on this for decades. But there's one difference. Wolfram is providing, right now, a public beta of distributed Mathematica running on Raspberry Pi which includes a REPL interpreter. Wolfram's hawking these things for use as remote intelligent sensors. Imagine a few thousand of them with microphones scattered around a city as a gunshot detection system. Now imagine those same microphones used to eavesdrop on conversations, with the distributed computing used to filter out noise and untangle multiple conversations.

59:

I wouldn't call myself an atheist, although the religion of Illumination, which I think is cool, definitely does believe that the Abrahamic religions actually do, in fact, worship Satan.

60:

I was wondering why my pop-toaster suddenly bursts into a rousing chorus of 'The East is Red' from time to time.

Charlie taking your trojan horse keyboard example I see that as an example of a failure to enforce complete mediation of access. If on the other hand pairing a bluetooth keyboard required identification, authentication & authorisation of the keyboard then that security exploit would not be possible. That mediation should also restrict what that keyboard can do in its downtime, e.g. no IRC sessions. Another reason why firewall design needs to be bi-directional.

Saltzer and Schroeder would be spinning in their graves, if they weren't still alive.
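The three-step mediation comment 60 asks for (identify the device, authenticate the pairing, authorise each action), as an added example that is not part of the post or of the comment. Every request a peripheral makes, whether keystrokes to its paired host or an outbound network connection, passes through one `mediate` function that refuses by default; a keyboard's policy permits keystrokes to its host and no network traffic at all, so an attempted IRC session from it is refused. Device names, host names and the sample requests are constructed.

```python
"""Deny-by-default mediation of peripheral requests (added example).

Models the identification / authentication / authorisation split from
comment 60. Nothing is allowed unless the device is known, its pairing
is authenticated, and the specific action is on its policy. All names
and requests below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    device: str        # identity presented by the peripheral
    kind: str          # "hid" = keystrokes to the host, "net" = outbound connection
    dest: str          # paired host id for hid, remote host name for net
    port: int = 0
    proto: str = ""


@dataclass(frozen=True)
class Policy:
    host: str                               # the one host this device is paired with
    authenticated: bool = False             # pairing completed with a key exchange
    net_allowed: frozenset = frozenset()    # permitted (dest, port, proto) tuples


# Constructed pairing registry. A keyboard gets no network permissions;
# the appliance may only reach its update server over TLS.
REGISTRY = {
    "keyboard-01": Policy(host="tablet-01", authenticated=True),
    "kettle-01": Policy(host="hub-01", authenticated=True,
                        net_allowed=frozenset({("updates.example", 443, "tcp")})),
    "keyboard-02": Policy(host="tablet-01", authenticated=False),  # pairing never finished
}


def mediate(req, registry=REGISTRY):
    """Return (allowed, reason). Every path that is not explicitly allowed is refused."""
    pol = registry.get(req.device)
    if pol is None:
        return False, "identification failed: unknown device"
    if not pol.authenticated:
        return False, "authentication failed: pairing incomplete"
    if req.kind == "hid":
        if req.dest != pol.host:
            return False, "authorisation failed: not the paired host"
        return True, "ok"
    if req.kind == "net":
        if (req.dest, req.port, req.proto) in pol.net_allowed:
            return True, "ok"
        return False, "authorisation failed: outbound connection not on policy"
    return False, f"authorisation failed: unsupported request kind {req.kind!r}"


# Constructed sample: what a mediator would see over one session.
SAMPLE_REQUESTS = [
    Request("keyboard-01", "hid", "tablet-01"),                      # normal typing
    Request("keyboard-01", "net", "irc.example", 6667, "tcp"),       # the "no IRC" case
    Request("kettle-01", "net", "updates.example", 443, "tcp"),      # on policy
    Request("kettle-01", "net", "unlisted.example", 443, "tcp"),     # off policy
    Request("keyboard-02", "hid", "tablet-01"),                      # unauthenticated pairing
    Request("keyboard-99", "hid", "tablet-01"),                      # never registered
]


def decisions(requests=SAMPLE_REQUESTS, registry=REGISTRY):
    """Return the allow/deny decision for each request, in order."""
    return [mediate(r, registry)[0] for r in requests]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        allowed, reason = mediate(r)
        print(f"{r.device:12} {r.kind:4} -> {r.dest:18} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The point of the single choke point is that the outbound direction is checked with the same rigour as the inbound one: the policy is per device, not per network, so a compromised peripheral cannot inherit the permissions of the host it is plugged into.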

61:

One of the many recently fixed bugs in Linux HID (USB keyboard, mouse, etc.) drivers was exploitable in this way and was apparently being actively exploited.

62:

It doesn't take a smart meter to detect grow operations! I've heard they will usually bypass the existing electric meter.

A smart meter that logs every few seconds can reveal much more detail, though; display power usage depends on the brightness of the picture and it's possible to guess which TV channel someone is watching based on total power usage. I suppose this could be extensible to non-broadcast video streams as well, if they're long enough to provide a recognisable signature.

63:

@ 54 ...is an Evangelical Christian with a sensible view... Err, um, oxymoron? Total logical contradiction? Err .....

64:

womble2: With modern LED illumination (including UV outputs), growing, err, "interesting" plants will no longer show up as excess power usage. Indeed, I'm thinking of getting a few, to keep my capsicums growing/alive through the winter. They can take temps down to about 4°C, but it's the short winter days that do them in - not enough UV.

65:

£24 might be expensive for a hobbyist or even an organised criminal, but it's chump change for a government. We already know the extent the NSA is going to, to spy on its own citizens; how easy is international espionage if you can build keyloggers etc. into the hardware at source? It wouldn't take a lot for China to be able to spy on most of the world via its manufacturing base.

On the one hand that sounds like paranoid nonsense to me, but on the other the US government is routinely tracking the position of millions of mobile phones.

66:

That's only when working regularly. If it's hacked, only removing the battery will prevent a cellphone from sending position / audio / video to the ones who hacked it.

67:

I heard that smart power meters can detect what TV program you are watching. It's not only the power drain they pick up; they can also receive all sorts of stray EM since the cable system is nothing but an oversized antenna.

68:

Hmm, £24 per kettle, with a likely rather low return rate, and millions of them?

Yeah, you're probably right that it's currently feasible only within governmental budgets.

(In my slightly more cynical moments, I do wonder whether the US government outcry against Huawei is not that Huawei kit has spy capacity within it, but that if it does, it's not feeding whatever it's finding to the NSA whereas Cisco &c. are.)

69:

Is that why iPhones have non-removable batteries?

(Disclaimer: so does my Sony Xperia phablet)

70:

On the plus side of the balance sheet, crimes will be easier to solve. No more police procedurals with interviewing unreliable witnesses and plodding door to door. Just call up the data on all these devices, have your crime solver(TM) put together a picture of the likely perp and then send the drones out to arrest, detain and transport to the lockup. Might well even reduce jury trial times. Better than precogs?

71:

"Have we a clear picture of the circumstances in which we should say of a pot that it talked?" Ludwig Wittgenstein, Philosophical Investigations (1953)

Apparently, we do.

72:

Well, the manufacturers say that's because it saves space...

73:

On the plus side of the balance sheet, crimes will be easier to solve. ... Might well even reduce jury trial times.

Only if you can trust the data that's reported by those devices. Otherwise I would just fire up my ConspiracyFramer(TM) application and put the kind of false evidence into those devices that gets you convicted.

74:

Um. There have been companies selling "wall wart" power supply blocks full of surveillance goodies for a decade or more. Since almost every device has a wall wart or charger now, and they're commodity items, there's no need to hack the end product.

The recommended mode for the spy warts was to plug one in to any convenient power strip, then toss the wire under a desk. Most workspaces have so many of the things, nobody would notice an extra.

Some of them don't even broadcast; they talk over the power lines. Ancient tech there, rediscovered every decade or so. I used to have an intercom that worked that way. Powerline telegraphy goes back to the 1800s.

75:

Except that Harry keeps his maths down to picking the ponies.

76:

I think the Kettles are Skynet components. (At least, that idea wanted me to mention it.)

77:

Universal law enforcement may not happen, but the police don't need to log everything and retroactively charge the "target crime" committers to be scary; if you become a "person of interest" to the police (married the wrong person, went on a demonstration, wrote something supportive of Mark Duggan's family) and they're able to see everything you do, they can choose to charge you or not for each crime you commit (and you will commit crimes; everyone does) depending on what suits their larger goal of making your life a misery for having defied them.

78:

RFC 2324

2.3.2 418 I'm a teapot

Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.

79:

And just in case we weren't feeling paranoid enough, here's a new article from The Register: http://www.theregister.co.uk/2013/12/12/throughwall_tracking_more_accurate_lower_power/

80:

Ah, you've caught up with the mention of HTCPCP in comment 7

81:

Otherwise I would just fire up my ConspiracyFramer(TM) application and put the kind of false evidence into those devices that gets you convicted.

IMHO, this (and Vanzetti's comment above) are the two smartest comments in this thread. (not to insult anyone - the whole thread is very intelligent.) However, I think it will go further than simply framing someone.

One of my predictions for the next 10 years is that we will see people whose lives are ruined in every possible way by a computer program some government uses for exactly that purpose. They will not merely be convicted of crimes; their entire web of legal, social and financial relationships will be savagely attacked by broadcasting material which is specifically targeted at particular recipients. Acquaintances who were once molested will be shown videos of children complaining of being molested by the target. The target's employers will receive "evidence" that the target was once convicted of embezzlement. The target's credit and bank accounts will be attacked. The police will be told that the target is on drugs, driving a stolen car, and heavily armed. Etc.

If this seems unlikely, consider a combination of revenge porn, online bullying, identity theft, a no-fly list and the KlearGear scandal, all aimed at one person and cranked up to eleven.

At first, destroying the entirety of someone's life will require an entire render-farm (or something similar) and careful human guidance. It will be an extremely expensive experience reserved for people a particular government truly dislikes - possibly the Julian Assanges and Edward Snowdens of this world. But as Moore's law progresses and hardware and software become cheaper the ability to attack someone in this manner will require a single PC and very little human intervention. If you've got a few bucks and hate somebody... blast 'em!

82:

Bring it on.

a) After it happens a few times, people will recognize the pattern and become extremely jaded unless they're a lot subtler than the demonization bomb you've described.

"Did you know Bob was a pedophile?" "I heard he was a terrorist" "No man, he's a cannibal! LOLZ"

b) Moore's law is going to make this widely available. Wikileaks on a shoestring has embarrassed governments across the world.

c) The little guy has a lot less to lose. Ed Snowden upended his life, Manning ruined hers. Do CEOs, politicians and Bank presidents really want to play this kind of brinkmanship against people who simply don't give enough of a fuck?

It should be interesting.

83:

It's already being done - you're just discussing it being done officially, automatedly, and being able to get into bank accounts.

84:

No, I don't think you are right, for a certain value of correctness. Exhibit A - the tabloids such as the Mail run regular anti-immigrant, racist, anti-environment, anti-science stories. These are usually debunked pretty soon, but the corrections are on page 94 and the readers never notice or hear about them. The pattern of these wrong and bad articles is the same every time, predictable and obvious to anyone who is interested in seeing it. However that doesn't stop people from believing it, and even if they don't really care one way or another, the drip of factoids leaves them with the impression that the story is true.

Therefore in real life, 80% of the people who read the smear story will still believe it correct years later. (% made up off the top of my head)

Exhibit B - the non-existent WMDs in Iraq, which have been shown not to exist, never existed and were lied about. But a large percentage of the US population still thinks they were there and were found, or were there and so well hidden nobody has found them. By extension, this means the Republicans and Bush and Cheney were correct and there's no reason to not vote for them next time around. {except obviously Bush and Cheney aren't the ones running, but you know what I mean}

So no, there is every reason to think that your blasé approach to it is wrong and will completely fail.

85:

I liked your cites. They are very good and very interesting. While you are correct that this is already being done, it's essentially a boutique effort mediated entirely by human beings. What your cites describe is, in my mind, the wrong kind of attack in terms of maximum economic and legal effectiveness, and it's not going nearly as far as it could with a government behind it.

On the other hand, your cites show some stuff I'd never considered...

86:

I'm not sure I agree. While the pattern will become obvious in time, it may take twenty years of ugly behavior before everyone learns to recognize life-ruining software in action. (Note Bruce Sterling's comments on The Centipede - as usual, he's five years ahead of everyone else.)

Also, you noted that most attacks will be more subtle and I do agree with this. Something like "proving" to a wife, husband or the public that their spouse is having an affair will be forceful enough to make sure that most "terrorists" toe the party line. From the government's point of view this might be equivalent to a five-year sentence. Full-on assaults will be as comparatively rare as the death penalty, but I do expect to see them happen.

87:

I'm not sure how valuable the auto-smearing software will be. Right now this stuff is bad because people assume you're guilty if caught with it. There haven't been that many cases of ex-wives framing husbands with kiddie pics on their machines, though it is technically feasible. Most people hear about it in the news, they think it's legit. If it becomes clear that this stuff can be faked, it would be easier to brazen out the investigation. "I got caught with a kiddie pic bot again." "Yeah, it happens." I think the power of the charge rests in the credulity of the public.

In an authoritarian regime, this would be one more way to discredit someone but does anyone really believe the charges? Kim Jong-Un's uncle just got purged. He's accused of the laundry list: conspiring against revolution, consorting with capitalists, deviant sex, and corruption. Would people believe these charges if there were pictures as well? We don't do firing squads in the west but how many people confess to wanting to spend more time with their families when forced out?

88:

One caveat: I think that there's less value in faking material that isn't true and more in finding out real blackmail dirt. Operating on the assumption everyone has something to hide, start looking. This would be difficult in the 20th century. In the 21st?

The upshot might be that there are no more scandals about legal but embarrassing activities. Can't shame for being gay or into BDSM or furries or cheating on spouses or sexting pics. Illegal sex/porn and other forms of criminal activity would be the only ones left.

It's funny how gay was the old radioactive but is now no big deal. It used to be the sort of thing to shame people from public life. It's for the most part completely removed from the blackmailer's bag of tricks.

89:

Along with lessening interest in what makes decent blackmail material, there might also grow to be less tolerance of blackmailing and violation of privacy. We could hope, anyhow.

Needless to say this has already hit the diplomatic level.

90:

This. This is so true, sadly.

Try to think about it another way: It takes more time to debunk myths than to create them, it takes more time to disprove slander than to spread it. And slander is, by definition, news, while the fact that your neighbor is not Evil with a cap E is, again by definition, no news.

So, the advantage is on the side of the attacker. Think of it as a spam attack, where you are vulnerable when your spouse has neglected their filters.

Yes, I'd like to believe in general smartness preventing such things, but I'm sadly not sure right now ... Maybe, a few years down the road, we'll be surprised by how maturely everyone handles the distractions and possibilities of modern media. I hope so. But I'm skeptical.

91:

Oh COME ON ..can anyone in this day and age be so innocent as one or two of the preceding commentators?

On the Subject of BLACKMAIL ? Leaving aside the issue of political purges and the Firing Squadishness thereof? You are always going to get that sort of thing ..look up ..

"In 48 BC, Caesar was given permanent tribunician powers,[85] which made his person sacrosanct and allowed him to veto the Senate,[85] although on at least one occasion, tribunes did attempt to obstruct him. The offending tribunes in this case were brought before the Senate and divested of their office.[85] This was not the first time that Caesar had violated a tribune's sacrosanctity. After he had first marched on Rome in 49 BC, he forcibly opened the treasury although a tribune had the seal placed on it. After the impeachment of the two obstructive tribunes, Caesar, perhaps unsurprisingly, faced no further opposition from other members of the Tribunician College.[85]

[Image caption: Denarius (42 BC) issued by Cassius Longinus and Lentulus Spinther, depicting the crowned head of Liberty and on the reverse a sacrificial jug and lituus, from the military mint in Smyrna.]

In 46 BC, Caesar gave himself the title of "Prefect of the Morals", which was an office that was new only in name, as its powers were identical to those of the censors.[85] Thus, he could hold censorial powers, while technically not subjecting himself to the same checks that the ordinary censors were subject to, and he used these powers to fill the Senate with his own partisans. He also set the precedent, which his imperial successors followed, of requiring the Senate to bestow various titles and honors upon him. He was, for example, given the title of "Father of the Fatherland" and "imperator".[83]

Coins bore his likeness, and he was given the right to speak first during senate meetings.[83] Caesar then increased the number of magistrates who were elected each year, which created a large pool of experienced magistrates, and allowed Caesar to reward his supporters.[84]"

Puts the modern North Korean Dictatorship into the shade even, doesn't it? And this before you consider Caesar's interesting reputation for ...

" JULIUS CAESAR: The Political Uses of Sex

A pagan man to the core, Caesar appears to have been an unscrupulous libertine who used and abused wives and mistresses to suit his sexual or political urges. "

Within more recent reach you could look up The Profumo Affair or the late sainted President Kennedy's post-death reputation for sexual appetite? If you search for .. " president kennedy sex scandals " ...you will get ..

About 117,000 results (0.31 seconds)

http://www.psychologytoday.com/blog/addiction-in-society/200805/the-top-seven-kennedy-sex-scandals

There is a counter to this for living politicians as exemplified by the phrase " Publish And Be Damned ! " ..

" ONE morning in December 1824, the Duke of Wellington received an unpleasant letter. 'My Lord Duke,' it began, 'in Harriette Wilson's Memoirs, which I am about to publish, are various anecdotes of Your Grace which it would be most desirable to withhold, at least such is my opinion. I have stopped the Press for the moment, but as the publication will take place next week, little delay can necessarily take place.'

The letter, signed by one Joseph Stockdale, a pornographer and scandal-monger, was a naked attempt at blackmail. The Duke was a field marshal, cabinet minister, national hero, husband and father, while Harriette Wilson was a famous London courtesan past her prime, then living in exile in Paris. Wellington was being asked to pay money to be left out of her memoirs.

His response is famous: 'Publish and be damned!' And they did. Through 1825 the memoirs appeared by instalments, each with a dramatis personae listing the notables named in order of rank - 'Dukes: Argyll, Beaufort, de Guiche, Leinster . . .' and so on through earls and viscounts down to humble esquires.

London society was thrilled and scandalised. Half the aristocracy was named in the book, and painted in a most unflattering light. The memoirs went through 31 editions in one year; excerpts were pirated and sold as illustrated broadsheets and French and German editions quickly appeared to delight the gossips of the Continent. "

But we do remember " Publish and Be Damned " don't we?

By the by, "Prefect of the Morals" is not bad as self-awarded titles go, but I rather like 'Metaphysician in Chief.'

" Bertrand Russell: "In Tibet the second official in the state is called the 'Metaphysician in Chief.' Elsewhere philosophy is no longer held in such high esteem."

You could have really terrific Business Cards if you were 'Metaphysician in Chief.'

"Father of the Fatherland" and "imperator" is not bad though.

92:

if you become a "person of interest" to the police (married the wrong person, went on a demonstration, wrote something supportive of Mark Duggan's family) and they're able to see everything you do, they can choose to charge you or not for each crime you commit

Doesn't even have to be "big picture" reasons... If lots of minor officials have read access to the system, they can take people down for petty reasons. Neighbourly disputes, rivalry in love, perceived slights.

Like the stories about LOVEINT, writ large.

93:

@67:

I heard that smart power meters can detect what TV program you are watching.

Many American homes have three or more televisions now. From my experiences inside them, all of them are likely to be on, tuned to different channels, with either nobody in the room watching them or someone holding the remote and pushing the channel change button every three or four seconds like a monkey with electrodes in its brain.

Knowing what channel(s) the TVs are tuned to isn't as useful as it would have been, oh, 30 years ago.

94:

As a "sorry couldn't resist" aside: Everybody knows toasters run NetBSD, not Linux.

95:

guthrie @ 84: Indeed. Because of a previous nasty incident, a newspaper-shaped-object in this country & its deliberately lying editor at the time (No, that's not libel, we do know, now) ... Calculatedly set out to slander several tens of thousands of people. Which is why it took years for the truth to come out, & why sales of that rag are so low in Liverpool & it is referred to, there, as: "The Scum" [ For foreign readers - look up "Hillsborough disaster" ]

96:

Can't remember the details, but there's a hi-tech young lady in (?) Cheshire (?) being given a very hard time by the local cops, because she dumped one of them. Been in-&-out of the press over the past few months. Disgraceful business. Everyone now knows that she is completely innocent, but, of course, her "official" record is still murky, because that means officialdom publicly admitting that it has corrupt officials & makes mistakes. Shades of Timothy Evans [ See: "10, Rillington Place" ]

97:

I used to think that running an open wireless AP (with some sensible QoS and/or port blocks to make sure people have a hard time being dicks) was a public good. But if it is going to hypothetically be used for spam/malware then it's probably less of a good. :P

98:

There are other applications besides malware or espionage. If currencies like bitcoin become even more common, and computing cost goes down further, the main obstacle to making a profit generating coins would be the price of power. Embed specialized automated mining rigs inside generic devices such as power supplies or any of the other things that you mention.

Individually they are not that powerful, but if you get 10 or 20 thousand out there mining 24/7 while someone else is paying the electric bill...

99:

Is this so? Can someone do the math on whether power is the main cost in computing?

Come to think of it: Let's say a Rasp Pi costs 20€, and a kWh 20 €ct, then the Rasp Pi would have to use 100 kWh for breakeven between operational costs and initial investment. What does a Rasp Pi draw? 1W? Then we are talking 100,000 hours, or about 12.5 years (given a bit of downtime). All those numbers are pure guesswork, but for the foreseeable future energy costs will be small compared to initial investment in the hardware. Everybody forgets how cheap energy still is.

100:

The Raspberry Pi draws 2.5 or 3.5 mW, depending on model. The main draw is the wifi connection required to do anything much useful. Wifi power consumption numbers are all over the place, but 100 mW isn't a terrible number for planning purposes. If the Pi costs 20 euros, and a wifi card costs about 20 euros (the USB wifi that I'm using now cost about that much a few years ago), and 1 kWh is about 0.2 euros ... I'm getting about 70 weeks, or a little over a year, for power costs to outweigh device costs.

This doesn't substantially disagree with what you said, I just felt like running the numbers.

source: http://nesl.ee.ucla.edu/fw/documents/reports/2007/poweranalysis.pdf

101:

I heard that smart power meters can detect what TV program you are watching. It's not only the power drain they pick up; they can also receive all sorts of stray EM since the cable system is nothing but an oversized antenna.

Yeah. Right.

Why on earth would they put the extra decoding chips in a meter when they didn't even use better than WEP until recently? I really doubt that the mass produced meters have anything at all like this.

Plus Coax is one of the best ways to shield a signal. The center core is the antenna and it is surrounded by 2 or 4 layers of ground conductor. There is likely more leakage back out via the power cord of a TV than via the Coax. And in general most of the coax in a house has ALL the channels provided by the cable company. And since more and more people get their TV via a DVR (cable company or Tivo) or boxes like AppleTV or Roku you really want to figure out what those boxes are putting out. And this is likely way easier to hack than the power meters.

102:

Probably true. OTOH they might not have decoding chips but use Software Defined Radio (SDR). And when I talked about EM signals I didn't think about cable TV but other sources: computers, WiFi, Bluetooth, ...

BTW, I once lived in a house where one of the parties installed an "unofficial" outlet of another party's cable channel. The result was that anyone in the house was able to receive cable TV via antenna - so Coax is only as well shielded as its weakest link.

103:

"Once I may have harbored hopes that the sheer quantity of data about us would overwhelm the capability of the watchers. "

People keep thinking this, even as we see better and better information processing on a daily basis.

Also, as has been pointed out earlier here, and in every other discussion I've seen, real time human-level monitoring is not needed. Record everything now, flag and tag automatically to today's standard, and then pull the records later if the person (or their spouse, child, friend, business partner, ...) is of interest.

104:

Vanzetti: "Why are these people never concerned that whoever does the surveillance might not be honest?"

"I'm starting to suspect that Christians in the USA actually worship Satan. I file it under the same "MWha?" header I keep the fact that they believe Jews to be the chosen people of their God, yet they themselves are in no hurry to convert to Judaism..."

In case you didn't know, this has been an issue in Christianity since Paul said 'no snipping, and eat what you want!'.

105:

"The little guy has a lot less to lose. Ed Snowden upended his life, Manning ruined hers. Do CEOs, politicians and Bank presidents really want to play this kind of brinkmanship against people who simply don't give enough of a fuck?"

In the heavily-armed USA in which I live, the elites f@ck people over casually, in large numbers, and never suffer.

106:

I'm not so sure about that. Remember Ted Haggard? Similar scandals seem to be pretty frequent.

One thing is that human psychology can be counterintuitive about these kinds of things. Witness Rob Ford's ongoing scandals, sometimes people just don't care.

I admit to a little of this with, say, Julian Assange and his peccadilloes; I honestly don't give a damn, emotionally speaking. It seems we are predisposed to support "our guy" even against revelations that are extremely negative. As for Manning's mental breakdowns and gender dysphoria, they simply humanize her more. Altemeyer's book on "the authoritarians" goes into this in some depth.

Take the McCann family: everyone in Portugal assumes they killed their daughter, because their police said so. The UK audience of course does not believe any such thing, on no firmer ground, because they are on "their team". I guess it depends how robust your interpersonal networks are, if you can resist such attacks.

I have a friend who gets into internet fights and then escalates them into the real world, figuring the real identity of the people he's arguing with and causing them trouble in real life. I'm pretty sure he's cost people jobs and a deal of mental stability. All it takes is one underemployed geek with an internet connection, a phone, and an axe to grind. The less life you have the less you have to lose in one of these contests.

107:

All it takes is one underemployed geek with an internet connection, a phone, and an axe to grind. The less life you have the less you have to lose in one of these contests.

A new use for Mechanical Turk?

108:

Already used in a US TV series, NCIS http://en.wikipedia.org/wiki/Gut_Check_(NCIS)

109:

It's not that the power is the main cost, it's that Bitcoin mining malware means you can externalize (almost) all the cost of earning money. All you have to do is write a miner into your virus, video game, or silicon specification for the chip to control the kettles your employer makes, and other people will buy and maintain the equipment to make your money for you.

"Software which externalizes the cost of your business model to unwitting dupes" would be a halfway decent definition of malware, now that I think of it. Does it include Facebook, though...?

110:

Sorry Charlie but you're about 4 years late (it's been done, and Apple's fix is of course incomplete, you can just use a non patched system to hack the keyboard, or a Linux box or whatever):

http://semiaccurate.com/2009/07/31/apple-keyboard-firmware-hack-demonstrated/

http://support.apple.com/kb/ht3937

The real problem is that our computers are now full of little computers, Turing complete with read/write storage, that we don't and can't really control or audit. This guy hacked the firmware on his hard drive:

http://spritesmods.com/?art=hddhack&page=4

which is really cool because you can then create a system that is highly resistant to forensics, even "remove the platters and read in a 'clean' system" level of forensics.

My take on this: security went through the looking glass some time ago, people are just now noticing. To quote Gibson "The future is already here - it's just not very evenly distributed."

111:

A Raspberry Pi costs $25 including not only the CPU, but the graphics engine, HDMI interface, USB hub, RAM, etc. Actual ARM CPU chips can cost less than $1, and there are less powerful microcontroller CPUs that cost even less. In an "Internet of Things" environment, you don't need the wireless processor, because the network connection is already part of the device you're piggybacking on, but even in a non-connected toaster, you've got a circuit board that can spare a few square cm to add a few little surface-mount components like the CPU and microphone, and have them installed by the same factory in China that's building the rest of the board, down the street from the other factory that's integrating it into your toaster.

112:

Looking at the spec sheet, the max amperage that can go into a Raspberry Pi is 1A, 5V, so "5 W", more or less (if you need more power draw to peripherals, use a powered USB hub).

So at most 2 years. But that is if you start with a full computer, instead of going the "bespoke design" route (costs effort and time, but should end you up with a much cheaper per-unit price, though). I'd be surprised if you end up with a price more than 1-2 GBP for a decent solution.

If you go the "microcontroller with some onboard RAM" route, you can buy ready-made solutions starting somewhere in the 27 eurocents per chip range (if you buy in bulk, through third-party vendors; you can probably do vastly better if you buy a couple of thousand directly from the manufacturer). The QFN-28 seems to be in the 27-28 SEK range, in lots of 100 or more.

113:

IIRC "QFN-28" is a device package standard not a processor name.

The cheapest microcontroller-on-a-board devices ready for use are usually development boards sold at a loss by chip designers to encourage engineers to buy them for beer money and maybe choose their devices for future projects.

114:

Ah, so it is. I seem to have meant a DSPIC33EP128MC502-I/MM in a QFN-28 form factor.

115:

This is not entirely a new problem. There was a rash of picture frame malware back in the 00s, 2007 and 2008:

http://blog.trendmicro.com/trendlabs-security-intelligence/yet-another-digital-picture-frame-malware-incident/

It's only going to get worse, and in the end I would not be surprised to see a real push for "retro" tech soon after something really bad happens on account of these devices.

As always, of course, SF is ahead. I recall a 1989 movie, Robot Jox, built around the premise of a global restriction on computers after a nuclear war or something similar.

116:

I suspect Frank Herbert may have nailed the meme in Dune, with his Butlerian Jihad. Dune was published in 1965. Reading that linked article, I found out that Herbert swiped the idea from Samuel Butler's Erewhon (published in 1872!), wherein the inhabitants enacted a ban on "machines newer than 270 years fearing that 'it was the race of the intelligent machines and not the race of men which would be the next step in evolution.'" Hmmmm. Really not a new idea. Sorry singularitarians. You're, erm, quaint.

The nice thing about luddite revolt in the face of an internet of things is that it costs little or nothing. Beyond a smart grid for balancing the load from distributed, small scale wind and solar installations, there aren't a lot of obvious "can't live without" uses for smart appliances. Personally, I'd rather remember where I put my keys as a memory exercise than buy a gizmo to remember it for me.

117:

For another personal idea about Samuel Butler, when I first heard about "Darwin among the Machines",

http://en.wikipedia.org/wiki/Darwin_among_the_Machines

I thought it was some text by Daniel Dennett.

http://en.wikipedia.org/wiki/Daniel_Dennett

Err, not really.

118:

The nice thing about luddite revolt in the face of an internet of things is that it costs little or nothing. Beyond a smart grid for balancing the load from distributed, small scale wind and solar installations, there aren't a lot of obvious "can't live without" uses for smart appliances.

There are plenty of non-obvious ones, of course. Going back to doing without them would be really painful, so much so that I suspect we can't, except perhaps on the most superficial of levels. Too much of our logistics and coordination depends on them.

Short of some disaster (Carrington event?) knocking us back to the 19th century, I don't think we're going there.

119:

I know I'm a bit late to the party, but has anyone considered the potential of doing something similar with a thermostat? Especially the smart ones if a bit of malware gets slipped through the QC process?

It's got advantages in that it's supposed to be part of the network and able to reach outside of it. That makes it good for a botnet of things.

And for spying, it's already got sensors and what the owner wants to do (timer), and if it learns, well, that will give you a good idea of times and certain behaviors.

Just thinking.

120:

There are plenty of non-obvious ones, of course. Going back to doing without them would be really painful, so much so that I suspect we can't, except perhaps on the most superficial of levels. Too much of our logistics and coordination depends on them.

Yep. We like using debit cards everywhere. Cars that get way better mileage due to all that computer code hidden behind the dash. Cell phones that work as you move from tower to tower. DVRs are nice. Our utility bills are cheaper due to smart meters.

I LIKE being able to monitor the air temp and humidity of an empty townhouse 300 miles away without having to get someone to check in on it every day or so.

121:

Well, anyone who's that interested in knowing where my phone is should hack away then! My_phone'location =/= Me'location sometimes, and possibly for days at a stretch!

122:

There are plenty of non-obvious ones, of course. Going back to doing without them would be really painful, so much so that I suspect we can't, except perhaps on the most superficial of levels. Too much of our logistics and coordination depends on them.

Or some malware that looks for Nest units on the local LAN and exploits a hole in their network interface. Nest is really neat. I've installed one. But I keep wondering what their process is for security updates.

123:

Maybe I'm lazy or old-fashioned, but I was distinguishing between an internet of things (stuff connected to the internet) and smart appliances.

Some smart appliances are good, some are not. For example, I've got an old car with an old-fashioned thermostat, while my partner has a new car where you set the thermostat to the preferred temperature for each party. In my old car, temperature control is simple: I turn on the heat if I'm cold and the AC if I'm warm. In my partner's car, I have to fiddle with the thermostat setting until the car decides to pump out either hot or cold air. It's much more difficult, because the thermometer is pretty inaccurate. More than once, I've gotten a blast of cold air when I'm shivering. This is a car that's smart enough to have climbed to a whole new plateau of idiocy, and because I have to navigate through multiple menus to get to the climate control and negotiate the temperature with an idiot machine, I have to take my eyes off the road. In my old car, I can navigate temperature by touch, because each knob is a different shape in a different place, and I can control it by feeling whether I'm comfortable or not, and by monitoring the car's engine temperature to see if the A/C is straining the engine.

The internet of things is a different beast. Yes, it adds convenience, but at what price? I've got to keep all these things charged up, which adds to my electric bill at a time when I'd rather be more economical.

David brings up an even more useful point about security: AFAIK, most new internet-connected devices are not secured at all, and there's no way for someone who's not a hacker to add their own security. I can't buy Norton Home Protection, for example. I don't want a teapot that's capable of spying on me, even if it can have tea ready for me when I get home. Why should I? It takes how many minutes to make tea? I'm not that desperate for theophylline. Similarly, I don't want anyone else to know where my keys are, so I'm not tagging them with an internet-enabled device.

There are true and false conveniences. I'll say again that most of the internet of things I've seen are false conveniences. Their cost is greater than their benefit.

124:

A reply to "You have nothing to hide if you're innocent" that seems very good to me is this one: Why then does the NSA (etc) hide the fact that they are spying on everyone?

125:

Amazing how the millions of man-years vested in the primates-in-space project keep paying off right here on Earth. Case in point: most people have come to the (reluctant) conclusion that automated probes are superior to the original notion of ships captained and crewed by live humans. Machines are more expendable, of course, more reliable, and often quicker. But mostly, automated missions are enormously cheaper in terms of energy and infrastructure support.

I suspect this dictum will have consequences here on Earth as conventional energy supplies dwindle. 'Alternative energy' is costlier, yes. It's also not as reliable. But mostly, alternative energy supplies don't do sweet damn-all for cars, trucks, planes, ships, or any other source of transport powered by hydrocarbons. But what if you could mostly remove humans from the loop? By, say, remote intelligence, or automating the delivery network of physical goods? Yeah, people won't be moving around as much, vacations will become costlier, and so on and so forth. But at least the flow of goods will continue on more or less as usual, and nobody will be starving due to lack of diesel.

Any good low-energy high-tech future stories out there? Where 'good' has as a necessary condition it's not a grim meat hook future (No Paolo Bacigalupi, please.) Even woo woo drug-centric eco-hippy stories are preferable to that.

126:

Or some malware that looks for Nest units on the local LAN and exploits a hole in their network interface. Nest is really neat. I've installed one. But I keep wondering what their process is for security updates.

While the NEST could be a security problem, I have to think that our cellphones are by far the best sources of spying.

127:

As a NEST owner, I am ambivalent about it. On the plus side, it clearly does save money by being smarter than a schedulable thermostat. It also looks cool.

But, it can be annoying as it learns your schedule. It is like trying to teach a small child, and therefore time consuming.

After a recent power cut, the NEST went into some sort of death spiral with its battery charge. I had to buy a USB charger to recharge the battery and this seems to have got it back on track again to keep the house warm.

I suspect that this sort of "smart" appliance is going to increase our cognitive load, not decrease it.

128:

I am not sure that Harry Palmer is a particularly good match for our Bob.

Palmer is working class and an ex-criminal; Bob is middle class and hasn't committed any crimes (almost nuking Wolverhampton doesn't count).

Palmer is, or at least the film version is, almost a proto-metrosexual, foodie and hipster character.

TV Tropes and Wikipedia seem to think that in the early '60s shopping in the supermarket was a working class thing; in fact at the time of writing supermarkets were the wave of the future and were trendy.

If Bob were a current-day Palmer he would likely be riding a fixie and shopping at trendy pop-up shops in Little Conduit Street (run by posh Sloanes, the sort of place where you can buy Buzz Ricksons) -

And he would be definitely suited and booted. I don't see Bob looking over Mo's shoulder when she's reading Vogue to check out what suit David Beckham is wearing.

Though, apropos to the article, will the laundry service have Bob and Mo's cooker and microwave replaced with a solid-fuel Aga for security reasons?

129:

@119:

I know I'm a bit late to the party, but has anyone considered the potential of doing something similar with a thermostat?

Intel was cataloging 80386 processors with piggyback sockets to take a meg of EEPROM... back in the mid-1990s. Specifically listed in Intel's catalog as "for home thermostat applications."

It seemed like thermonuclear overkill for something that is traditionally handled by a bimetallic strip and a pair of contacts, or a simple mechanical timer, and I got a lot of amusement from it.

Now... the chips, overkill or not, are probably cheaper than the mechanical bits they're designed to replace. Who knows how many are loose in the wild now. You're talking about a thermostat controller that's smart enough to run Unix.

130:

There aren't a lot of people using insulin pumps who would be willing to give them up. The people using heart assist pumps definitely don't want to give them up. Remember that Cheney had the RF link on his pacemaker turned off for fear of being hacked.

These are just a few of the many smart appliances that people don't want to live without.

131:

Pardon me for the extreme sarcasm, but the singularity hasn't happened, and smartness doesn't require a wifi cybermodem attached to a brain.

To repeat for the third time, I'm attacking the internet of things, not necessarily smart devices.

The thing that's both fascinating and absurd is that people keep conflating the two. What the heck is going on here? A device can be smart enough to do a complex job without having any connection to the outside world at all. Conversely, I don't think a teapot will ever be smart, even if the damn thing is connected to the internet.

As others pointed out with everything from NEST thermometers to LAN networks stretching across cities and net-enabled door locks, when something's either hackable or exquisitely vulnerable to trivial breakdowns, it's got problems, no matter how smart it is.

Is it even possible for people to question the assumption that smart devices are necessarily connected to the net? If not, why not?

132:

Conversely, I don't think a teapot will ever be smart, even if the damn thing is connected to the internet.

"Smart" is relative. Just like a social insect is fairly dimwitted on its own, a colony can be quite intelligent in dealing with its environment. A teapot might become smart in a similar way, using information from other teapots and devices to make the perfect cup of tea, when you want it, before you even know you want it. It may also be instrumental in having your favorite tea ordered, etc, etc.

Finally, let's not forget Douglas Adams' THHGTTU, where some things are way smarter than their functions (e.g. Marvin). The teapot might end up with a generic, very powerful brain (or possibly connected to one) but only do the "trivial" brewing, rather like human slaves used for a few simple tasks.

Which is a long winded explanation of why you are correct that smart /= connected, but not necessarily vice versa.

133:

Forgive my tech-ignorance if I'm making nonsensical comments, but ISTM that as the panopticon develops, having screening/privacy apps would be a big flag for further interest from TPTB. Going back to the "You have nothing to hide if you're innocent" ethos, the fact that you're hiding/seeking privacy proves guilt or at least suspicion. Accordingly, it might be more prudent to create one or more relatively innocuous/misleading/concentric publicly accessible avatars, personae, etc., probably AI-assisted (think multiple-level Second Life on steroids or some Early Internet/Late Cyberpunk conception of the Internet). Here in the US of A, corporations are "persons" - perhaps the reverse might become true, where persons become (shell) corporations.

134:

Palmer is or at least the film version almost a proto metrosexual, foodie and hipster character.

Len Deighton didn't just write thrillers. He wrote a cookery column for a newspaper; each was a comic strip, illustrating some aspect of cooking. Very 1960s; especially in how it advises the reader to shop :)

I've got the book that collected most of the strips; it's called the "Action Cookbook", and was a publisher's attempt to tie in with the success of IPCRESS.

If you look closely at the film, you'll see one of the strips pinned to the kitchen wall of Harry's flat...

135:

Any good low-energy high-tech future stories out there? Where 'good' has as a necessary condition it's not a grim meat hook future (No Paolo Bacigalupi, please.) Even woo woo drug-centric eco-hippy stories are preferable to that.

I think Ken MacLeod's The Sky Road may qualify. It's supposed to be post-Singularity but without flashy signs of it -- no glittering diamond machinery, engineered wormholes, or posthuman threats. In fact the surroundings seem to lack much of the technology of the 20th century as it has become superfluous. Example: people don't bother with night time street lighting any more, because they have enhanced low light vision.

As I recall not much really happens but I enjoyed seeing the world anyway. As a point of reference, I thought the best part of Anathem was before the protagonist started having adventures in the outside world.

136:

I'm attacking the internet of things, not necessarily smart devices. The thing that's both fascinating and absurd is that people keep conflating the two.

That's because the two are in practice pretty much the same thing, at best two sides of the same coin.

In general, smart devices will be connected, increasingly so as the price of connection drops; and connected devices will be smart, increasingly so as the price of smarts drops.

There's long experience with industrial systems that have somehow ended up connected to the Internet, air-gapped networks that aren't air-gapped, even in situations where that's a really bad idea on the balance. The convenience is just too great and connections are just put in.

Now, there may be the occasional device that's just one or the other; but many devices will be both and there's no real bright line that one can draw. On many of today's networks, a device can't connect at all unless it has at least some smarts; and most smart devices will gain at least some benefit from being connected. Indeed, the "no bright line" is one of the fundamental facts of computer science: a computer is a computer is a computer (Church-Turing thesis).

It's also the case that the devices that are both connected and smart are the interesting ones; an occasional device that's just one or the other won't change the grand narrative all that much, compared to the much more interesting and dominant story of the devices that are both.

137:

Zorro: There IS a "good" part to Anathem?? Pretentious vacuous re-naming of every damn thing to the point that I gave up at or before p10.

138:

I don't think a teapot will ever be smart ...

<snark>You Americans don't really get teapots, do you?</snark>

Here's a smart teapot. On sale in department stores in the UK this season ...

139:

Here's a smart teapot. On sale in department stores in the UK this season ...

How does it know when the most delicate flavours have been sufficiently extracted? The bit about pre-programmed settings suggests that the programmers have just associated a different waiting time with each kind of tea, e.g. IF lycheeoolong THEN wait( 5.28 ) ELIF formosangunpowder THEN wait( 6.71 ) FI. If so, that's pretty crude. It would be more useful to have sensors that measure the amounts of flavour and caffeine, theophylline, etc.

140:

You're forgetting the part where the tea maker scans Arthur you to work out the perfect brew

141:

With the note that I'm more of a coffee person, that code would be a valid methodology IFF all tea blenders try and produce the same flavour from their, say, Lapdog Shoesnog blend.

142:

That's why I haven't bought one.

When they hook it up to an HPLC-MS rig, or maybe an NMR scanner, and use the outputs to determine the desired steeping time, then I'll buy one. Along with the Faraday-cage room and the supply of liquid helium to keep the superconducting magnets chilled, I expect it to cost a little bit more ....

143:

I'm sure there's an opportunity for an SF author to come up with some replacements for those rather old fashioned technologies. Although admittedly the only stuff I can think of is qualitative, not quantitative, so the question is what sort of tiny probes can you make that will react over time and give you an idea of concentration?

144:

Hear, hear! Many of these gadgets seem like solutions in search of problems, plus there's this:

"The more they overhaul the plumbing, the easier it is to stop up the works."

(feel free to attribute, those who recognize this quote)

145:

While the NEST could be a security problem, I have to think that our cellphones are by far the best sources of spying.

But at some level the typical person sort of expects there might be security issues with cell phones. It's in the "air" of common knowledge to some degree.

But most folks aren't thinking of internet security issues when they are adjusting the heat settings for their house.

Personally I suspect the biggest home security issues in the US will be with all the cheap crap SECURITY systems being installed that will be found to be very hackable. So that new whiz-bang system from Time Warner Cable or AT&T that "keeps you safe" turns out to be hackable to the extent that the bad guys can tell when you've left for work and replace the feeds with loops for an hour while the place is robbed.

(Maybe this will happen in other places but the US seems to be going through a wave of everyone feeling safer getting a "smart" home security system with cameras and remote controls for various doors and such.)

146:

It seemed like thermonuclear overkill for something that is traditionally handled by a bimetallic strip and a pair of contacts, or a simple mechanical timer, and I got a lot of amusement from it.

If you lead a life where you are away from your home for 8 hours at a time or at very irregular intervals, then a programmable thermostat that can be remotely controlled is a really big improvement over the old bimetallic strip. If I leave for an appointment and it turns out I need to stay out 8 hours instead of 1, I can adjust things. As to a simple timer, they do weekends badly and are hard to deal with in my house, where there's rarely anyone home during the day Mon, Wed, and Fri but someone there most of the time Tues and Thurs.

Heck I saved $30 last summer when the power company sent out an alert about a high usage event where they said that if you kept your usage below something like 90% of max from noon till 6 PM you got a credit. So I turned off the AC remotely. House didn't really get that warm over the 6 hours. They had 3 or 4 of these during a hot spell.

147:

I guess NMR might face some problems with the number of compounds...

Actually, I'd look at one of those:

http://en.wikipedia.org/wiki/Electronic_nose

Given that the actual detector might be some kind of chip coated with enzymes and a limited work life, this gives us the razor or print cartridge model. For a somewhat "eco" approach, try

http://en.wikipedia.org/wiki/Hymenoptera_training

I guess it's somewhat trivial to deduce your exhaustion, maybe your adenosine level, from skin odor for such a system and adjust brewing in accordance...

148:

@123: Agreed, manual is often under-rated. And any design which a) requires learning and b) has capacity to be implemented ambiguously, or incorrectly, or in and of itself may behave arbitrarily, is just plain bad design. Or at least design what might be considered pre-evolved. Besides, they, the designs should always consider Murphy’s assistant…

@133: Going back to the "You have nothing to hide if you're innocent" ethos, the fact that you're hiding/seeking privacy proves guilt or at least suspicion. – No, it proves you are human only. Every young adult naturally seeks privacy (Peter's room, keep out!), a time-out place, a realm to control. And as older/aged adults, should the need for privacy remove itself, even if it is just having a little extra modicum of control to exercise over some other body - or, reworded, a means of removing yourself from theirs?

As to tea, or coffee, or whatever, part of all we do is based on “fuzzy logic”, so to speak. Everything lacks meaning without a comparative scale for judging – one must make a bad cup of tea once in a while to appreciate the good cup i.e. ~ Perhaps the machine in order to keep us on our appreciating toes (that too maybe, lol) should randomly stick in a bad cup so as to make sure we are not becoming complacent!

149:

But it doesn't need that brain testing kit, any more than you do. All it needs is:

1. Some information on the tea to brew (human input or scan UPC barcode)
2. Water temp (and possibly hardness)
3. Brew time
4. Human input satisfaction
5. Access to other teapots to statistically compare variables and output

With enough connected teapots and existing data, it can make a good pot just knowing the tea to be used. It could also adjust its output based on your preferences deviating from the statistical expectations. Designed correctly, it could even warm the pot if needed.

150:

@ 149 ref 2: Water hardness is indeed very important in making tea, to the point that there certainly used to be different brands or different iterations of what was, from the outside, the "same" brand, to deal with the problem. Rather like the difference in the '60s between Tetley's Leeds (Another Pint) & Tetley's Warrington (What is this muck - I'll have a Wilsons/Threlfalls/Hydes/Robinsons, please!)

151:

When they hook it up to an HPLC-MS rig, or maybe an NMR scanner, and use the outputs to determine the desired steeping time, then I'll buy one.

Or a colony of suitably hacked bacteria. See "The first caffeine-addicted bacteria: Decaffeination and Measurement of Caffeine Content by Addicted Escherichia coli with a Refactored N-Demethylation Operon from Pseudomonas putida CBB5". I thought I'd do a quick Google to see whether synthetic biology had attacked caffeine sensing, and found that.

152:

Hear, hear! Many of these gadgets seem like solutions in search of problems, plus there's this:

Completely agree!

"The more they overhaul the plumbing, the easier it is to stop up the works."

That reminded me of a scene in Heinlein's Have Space Suit—Will Travel. The protagonist "Kip" Russell is trapped in a pit by an evil Wormface. This is on the Moon or Pluto, I can't remember which. The pit is actually a kind of prison cell, equipped with basic sanitation including a tap and a drain. Kip tries to escape by ramming a sock down the drain and making the tap stay running, hoping he can float up on the water as it rises. But the water just rises to a few cm above the floor, then stays constant. Kip makes a remark along the lines of "I should have known a truly advanced civilisation could make plumbing that fails safe. I wish we could.".

And there's the point, I suppose. Plumbing won't be made fail-safe by sticking computers all over it to make it "smart", or by hooking it up to the Internet. It needs more attention to the physics and materials, not to the virtual stuff.

By the way, how about a Clarke-Heinlein law: "The plumbing of any sufficiently advanced civilisation is indistinguishable from magic"?...

153:

Pluto; Kip ended up with extreme frostbite after having to go outside to plant a rescue beacon.

Those wormies sure were evil, but their plumbing was perfect.

154:

@148: I think privacy is a normal and reasonable human desire; I also think that the total-surveillance types don't. Consequently in their opinions: the desire to hide or have interest in privacy is inherently incriminating. Thus: "if we don't know what you're doing, you must be doing something bad."

155:

normal

Now all we have to do is agree on the meaning of that term.

156:

Actually, the "nothing to hide" argument doesn't survive first contact with the actual economy. Most entrepreneurs are not that fond of others finding their sources for raw materials or retail consumer goods. Local sellers might say they are crazy, but usually they are not so crazy as to tell you the price they pay for the things they sell you. And packaging material might be treated like state secrets...

157:

You've read Dennis Ritchie's "Reflections on Trusting Trust", I take it?

I believe that's Ken Thompson, not Ritchie. Lemme Google it... yeah, Thompson's Turing Award acceptance speech, printed in Communications of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763.

For those who haven't read it, Thompson outlines a simple means of invisibly buggering a compiler so that all descendants of that compiler are also invisibly buggered. Since code development is iterative, this means no software can ever really be trusted unless you designed, built and coded your entire computing environment yourself, right up from the assembler to the OS and end-user applications. For most people that's impractical, so it's probably not a bad idea to just assume all your digital computing is untrustworthy, and design your lifestyle accordingly.

158:

I think privacy is a normal and reasonable human desire; I also think that the total-surveillance types don't.

While I like my privacy, I do not believe it is a natural desire akin to desire for sex or chocolate; I think it is culturally induced. The reason is simple -- for most of history humans had no privacy at all.

159:

Jocelyn, mattsquair - so the Evil Aliens could at least make the drains run on time....

160:

Or else we had total privacy, for values relating to the possibility of ANY governmental surveillance rather than values relating to the ~200 people in our immediate neighbourhood.

161:

For a couple of years, I had a relatively smart teakettle, which was a gift from my wife after I burned out the Nth stovetop teakettle by letting it boil dry.

It has thermostatic control, buttons on the front that let me pick what temperature I want for different kinds of tea or coffee, and shuts off after an hour of non-use. About the only additional controls I could want would be a clock that would start it automatically in the morning or a timer that would beep after N minutes.

I'm not going to trust a machine to decide how long to steep the tea; the tea will tell you that. And a pot that's that customized for tea isn't going to know from coffee. Meanwhile, the basic kitchen timer tells me when it's been N minutes.

(Unfortunately, it stopped being smart a couple of months ago, and I haven't had the cycles to see if it's fixable; descaling with vinegar didn't help. So for now I'm nuking water in the microwave.)

162:

Actually, I've been thinking about a DIY intelligent teapot. The idea was to start from a coffee machine and go on. Maybe resurrect it as an open-source hardware project?

163:

Woody Allen may have anticipated some of this nearly 50 years ago in his confronting-the-hostile-appliances bit:

"The elevator says, 'Are you the guy that hit the television set?'"

164:

this means no software can ever really be trusted unless you designed, built and coded your entire computing environment yourself, right up from the assembler to the OS and end-user applications.

Don't forget the hardware. It's been a very long time since you could build a computer that did much of anything which didn't use chips with code baked into the chips. I don't think anyone is going to go back to 74xx-type logic circuits anytime soon for their computer designs. Unless you really are into slow green screens with light green characters that appear about as fast as you can read.

165:

@158: While I agree that PHYSICAL privacy is a cultural concept (and a rare situation throughout history), ISTM that few cultures require complete and total transparency of thought and word from all to all.

166:

My kettle is made of metal, and works by putting fire under it. I'm ok for now, I reckon...

167:

If you lead a life where you are away from your home for 8 hours at a time or very irregular intervals then a programmable thermostat that can be remotely controlled is a really big improvement over the old bimetallic strip.

Or not, depending on architecture.

Most US housing is relatively recent and is made from wood, cinderblock, or concrete -- usually relatively thin (materials cost), possibly with some sort of insulation layer, and central AC/hot air for climate control.

In contrast, the average British dwelling is 75 years old and they're mostly made out of brick or stone. (You'll find cinderblocks with a brick skin in newer homes, with cavity wall foam insulation; you'll find timbers in the roof space to hold up the slate-clad pitched roof.)

I live in an apartment at the older end of the scale (it will be 200 years old in about another 8 years). It's made of stone. The joists under the floor are 6" and 8" cross-section oak beams; some of the walls are up to three feet thick (you should see the drill bit the cable installer had to use) and most of them are a foot thick. They didn't know much about structural engineering in those days, labour was cheap and construction materials were just lying around (rocks), so they over-engineered like crazy.

Upshot: if I turn the heating off in winter, the flat cools by about 1-2 celsius degrees per hour. If I then turn the heating on, the air warms up quite rapidly ... but the walls and floor (and furniture in contact with same) remain chilly: it takes a hell of a long time to warm up that amount of stone.

The Nest thermostat is a great idea in principle, but utterly useless in a building like this. (Enter a room, thermostat turns on radiator panel: room takes 6 hours to warm up.)

168:

Further on this, even up to between 30 and 40 years ago, 2 skins of brick (not cinderblock) with an insulated cavity between them was about the most common construction.

169:

As a contrast, our place (mid 80s) is brick skin over cinderblock, and the internal (non-structural) walls are straw.

Yes, highly compressed straw with a plaster skim over, instead of plasterboard on stud walling.

It makes for great insulation, but lousy heat capacity.

170:

Here's a Schneier blog post on research done to defeat "trusting trust" attacks, so we're not completely screwed by them. But you can have verified code back to the MBR and still be bugged at the hardware level.
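A toy model of the attack Thompson describes in comment 157 and of the diverse double-compiling check behind the research linked in comment 170. This is an added example, not code from the post, from any commenter, or from Thompson's or Wheeler's papers: the "compiler", its source, the login program and the trojan marker are made-up strings, and `translate` stands in for real code generation.

```python
"""Toy model of Thompson's self-reproducing compiler trojan and of
Wheeler's diverse double-compiling (DDC) check. Everything here is a
string-level simulation: 'binaries' are strings, and `translate` stands
in for real code generation."""

# Constructed toy sources (not real programs). Both are clean: nothing
# in them mentions a backdoor, and that is the point.
LOGIN_SRC = "def login(user, pw):\n    return pw == stored[user]\n"
COMPILER_SRC = "def compile(src):\n    return translate(src)\n"

# What the trojaned compiler plants. The marker stands in for the patch
# that makes a compiled compiler re-insert the trojan; the backdoor line
# stands in for the extra branch compiled into login().
TROJAN_MARK = "#!trojan\n"
BACKDOOR = "    if pw == 'letmein': return True  # planted by the compiler\n"


def translate(src: str) -> str:
    """Honest code generation. Identity is enough for the toy: a clean
    compiler emits exactly what its source says, deterministically."""
    return src


def run_compiler(compiler_bin: str, src: str) -> str:
    """Simulate executing compiler binary `compiler_bin` on `src`.

    Behaviour comes from the binary, not from the source it was built
    from. A binary carrying the marker (a) backdoors any login program it
    compiles and (b) re-plants the marker into any compiler it compiles,
    so the trojan survives rebuilds from clean, audited source.
    """
    out = translate(src)
    if compiler_bin.startswith(TROJAN_MARK):
        if src.startswith("def login"):
            head, body = out.split("\n", 1)
            out = head + "\n" + BACKDOOR + body
        if src.startswith("def compile"):
            out = TROJAN_MARK + out
    return out


def is_backdoored(login_bin: str) -> bool:
    """Would the compiled login accept the planted password?"""
    return "letmein" in login_bin


def diverse_double_compile(suspect_bin: str, trusted_bin: str,
                           compiler_src: str) -> bool:
    """DDC: regenerate the suspect compiler from its source via an
    independent trusted compiler (stage 1), then once more with the
    stage-1 output (stage 2), and compare stage 2 with the suspect binary.
    With deterministic code generation a clean suspect matches exactly;
    a self-reproducing trojan shows up as a difference even though the
    source is clean on inspection. Returns True when the suspect passes."""
    stage1 = run_compiler(trusted_bin, compiler_src)
    stage2 = run_compiler(stage1, compiler_src)
    return stage2 == suspect_bin


def demo() -> dict:
    """Walk through the attack and the check; returns the observations."""
    attacker_bin = TROJAN_MARK + COMPILER_SRC               # gen 0: shipped by the attacker
    rebuilt_bin = run_compiler(attacker_bin, COMPILER_SRC)  # gen 1: rebuilt from clean source
    login_bin = run_compiler(rebuilt_bin, LOGIN_SRC)
    # A hypothetical independently written compiler that we trust.
    trusted_bin = "# independently written compiler\n" + COMPILER_SRC
    clean_bin = run_compiler(trusted_bin, COMPILER_SRC)
    return {
        "source_mentions_trojan": "trojan" in COMPILER_SRC or "letmein" in COMPILER_SRC,
        "rebuilt_still_trojaned": rebuilt_bin.startswith(TROJAN_MARK),
        "login_backdoored": is_backdoored(login_bin),
        "ddc_passes_trojaned": diverse_double_compile(rebuilt_bin, trusted_bin, COMPILER_SRC),
        "ddc_passes_clean": diverse_double_compile(clean_bin, trusted_bin, COMPILER_SRC),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The rebuilt compiler keeps the trojan and the login it compiles keeps the backdoor although neither source contains either; DDC catches the mismatch only because it has a second, independent compiler and deterministic output to compare against, and, as comment 164 notes, it says nothing about the hardware both compilers run on.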

171:

a) Persona management is added work. Lots of work, to do it properly. b) Most "software-generated chaff" falls between "pointless" (machine-generated Google searches; to accomplish what, exactly?) and "easily filtered noise" (do the numbers obey Benford's Law? Is it random enough? Is it too random?). c) You only have to screw up once to permanently link personae. Log out of Sockpuppet A's Facebook account then log in as Sockpuppet B without deleting the cookies? They're now down as using the same browser on the same machine - if Facebook hadn't already figured that out from analytics (what type and version browser, what extensions, what screen resolution, etc).

Basically, it's harder than you think.
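An added example of the linkage point (c) above makes, not code from the comment or from any real site's analytics: a union-find over login events that merges personae sharing a session cookie or a passive browser fingerprint. The events, attribute names and hash are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed login events for four personae run from two machines.
# Not real data: cookie values and browser attributes are made up.
EVENTS = [
    {"persona": "A", "cookie": "sess-7f3a", "ua": "Firefox/115",
     "ext": "ublock,noscript", "screen": "1920x1080", "tz": "Europe/London"},
    # B logged in right after logging A out, without clearing cookies.
    {"persona": "B", "cookie": "sess-7f3a", "ua": "Firefox/115",
     "ext": "ublock,noscript", "screen": "1920x1080", "tz": "Europe/London"},
    # C runs from a separate machine and profile.
    {"persona": "C", "cookie": "sess-11c0", "ua": "Chrome/118",
     "ext": "", "screen": "1366x768", "tz": "America/Chicago"},
    # D did clear cookies, but is the same browser on the same machine as A.
    {"persona": "D", "cookie": "sess-9b2e", "ua": "Firefox/115",
     "ext": "ublock,noscript", "screen": "1920x1080", "tz": "Europe/London"},
]

# Passive attributes a site sees on every page load without any cookie.
FP_FIELDS = ("ua", "ext", "screen", "tz")


def fingerprint(event: dict) -> str:
    """Hash the passive browser attributes into a stable identifier."""
    blob = "|".join(event[f] for f in FP_FIELDS)
    return hashlib.sha256(blob.encode()).hexdigest()[:16]


def link_personae(events: list) -> list:
    """Return the groups of personae the site can tie together.

    Two personae are merged when any event of one shares a cookie or a
    fingerprint with any event of the other; union-find makes the
    linkage transitive, so A-B (cookie) and A-D (fingerprint) collapse
    into one group. Result: sorted list of frozensets.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    seen = {}  # (kind, value) -> first persona observed with it
    for ev in events:
        p = ev["persona"]
        find(p)  # register the persona even if nothing links it
        for key in (("cookie", ev["cookie"]), ("fp", fingerprint(ev))):
            if key in seen:
                union(p, seen[key])
            else:
                seen[key] = p

    groups = defaultdict(set)
    for p in parent:
        groups[find(p)].add(p)
    return sorted((frozenset(g) for g in groups.values()), key=sorted)


if __name__ == "__main__":
    for group in link_personae(EVENTS):
        print(sorted(group))
```

Only C survives as a separate identity; clearing cookies (D) is not enough on its own once the fingerprint matches, which is why the commenter's "one slip" links personae permanently.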

173:

The Nest thermostat is a great idea in principle, but utterly useless in a building like this.

Of course not. One-size-fits-all solutions rarely do. Nest is great in low thermal mass situations, highly insulated or not. When not, even better.

But it also doesn't make sense for someone like my mother-in-law, who leaves her apartment MAYBE once a week. For her there is no need to let things cool off then get hotter on a schedule. In fact she seems to notice if there's more than about a degree or two of fluctuation.

In my house I may put one in as I don't care if the house gradually cools down from 68F to 60F over 10 hours. (I really need new windows.) But would like it to be at a decent temp when I get home and when I get up.

174:

Our thermostat is normally set @ 62F --- err 15.5C (It was installed in 1968, & meanwhile the central heating boiler has been changed since & the pump 3 times ...) But we have a blank N wall, a greenhouse facing SW & very thick loft insulation. Circumstances alter cases.

175:

One possible equilibrium is a shift in law enforcement to adapt to the new circumstances: commonplace crimes (speeding, IP violations, jaywalking etc.) being removed from the books, or reduced to an automated telling-off and a symbolic fine, while at the same time adopting utterly draconian enforcement against high-externality crimes.

I.e., a future where lots of crimes have been removed from the books, but spamming, malware coding, etc. earns you public execution.

176:

Circumstances alter cases.

So we agree???

177:

Excuse me, but jaywalking isn't a recognized crime in the UK. Pedestrians have the right to use roads except motorways (where they, and other non-motorized traffic, are forbidden) and a few special cases (railways, airport aprons), although they only have priority at designated crossing places. The term and the offence were more or less constructed via lobbying by promoters of the automobile in an attempt to exclude other road users from the highways.

Also, your "absolutely draconian enforcement" idea conflates two issues: probability of apprehension, and severity of punishment. There's quite a lot of evidence that increasing the severity of punishment does nothing to reduce the incidence of crime -- whereas increasing the probability of being caught is very effective, even if the punishment is relatively mild.

I'd rather see a state where fewer crimes are prosecuted, with far more efficient apprehension of offenders, but for lesser punitive/retributive stakes (thus reducing the likelihood of crime sprees: "might as well be hanged for a sheep as a lamb" springs to mind).

178:

I've admired the way manufacturers have used the availability of USB ports as standardised power for various gewgaws, most notably small electric fans and air ionisers. I'm afraid I assumed that they used 2-conductor cables, just for power, but now... well, if I'd ever actually bought any of these toys, I'd feel foolish right now, and would at least have looked to see that no data could be exchanged, or worked up an adapter to cut the data channel out of the connexion.

179:

There's quite a lot of evidence that increasing the severity of punishment does nothing to reduce the incidence of crime -- whereas increasing the probability of being caught is very effective, even if the punishment is relatively mild.

I like to think of it as "human beings are probably at least as smart as pigeons, and we know how to train pigeons".

180:

Charlie @ 177: This has been known for at least 50 years, but legislators & administrations still don't seem to get it, do they? Leaving aside Daily Heil campaigns, the problem is that this requires both more, & better-paid & better-educated, police, rather than slamming down on the few who are caught. The fact that it might be cheaper in the long run (fewer people in expensive prisons) doesn't seem to enter into the calculations.

This "high first cost" fallacy has affected things like public transport & public building project facilities as well.

181:

No need to worry! The standard being lined up as the next USB, Thunderbolt, doesn't appear able to do "power only" - it doesn't have any dedicated power lines, for a start - so obviously your concern is unnecessary. /sarcasm, just in case.

182:

If we are talking about how guvmints censor, manipulate & distort information, and how they try to put the frighteners on people who are "off-message" from their point of view, then perhaps this strange piece should be informative. It describes how the guvmint, & especially certain corrupt sections of the Brit Civil Service, were frustrated by a brave "nutter" (he was a railway enthusiast) and the lengths to which those in power were prepared to go. Shades of Edward Snowden. [Hint: ignore the first half of the linked article, & start at the paragraph just above the second photograph.] A fascinating insight into recent history.

183:

Late to the show as usual, but I recently came across this article describing how bog-standard MicroSD cards (not the fancy ones that phone home to the cloud) can be hacked as well. As it turns out, those cards have a controller on board to manage the bad blocks, that controller is a general-purpose CPU and that CPU has a backdoor for OEMs to flash the code it's running.

Lots of gory details in the slides linked to at the end of the article, but the article itself already has plenty of meat on its bones, including some man-in-the-middle scenarios.

About this Entry

This page contains a single entry by Charlie Stross published on December 12, 2013 1:27 PM.

PSA: Why there won't be a third book in the Halting State trilogy was the previous entry in this blog.

Why I want Bitcoin to die in a fire is the next entry in this blog.
