sigalrm’s Techdirt Profile


sigalrm's Comments

  • Jan 12th, 2017 @ 7:51am

    Re: Re: Re: Re: Re: Re: Re: Re: Re: What goes around, comes around

"If one folds, others may too."

    Not "may". "Will".

  • Dec 28th, 2016 @ 8:09am

    Re: did they overlook this?

    "On a separate note do you think that Amazon refused the request because it turns out they've got recordings of everything from the factory QA testing forward for every device?"

    IMHO, probably not.

For that to be the case, Amazon would have to upload the data at some point, and the first thing privacy wonks do with a device like this is throw up a sniffer and watch all of the traffic these things emanate.

    If they were seeing anything like a constant data stream or unreasonably large periodic bulk flows from an Alexa device to the mother ship, they'd have screamed about it.

    Given what the device does, the outbound data flows will follow fairly predictable patterns if it's truly behaving as advertised.

  • Dec 28th, 2016 @ 7:32am

    Re: Semi secure at best

    "For the semi secure types there's a button that can be used instead of allowing the mic to be on 24/7 i.e. push-to-talk."

    Someone needs to open up an Alexa and determine if that button is software-driven, or is hard-wired into the electrical path to the microphones.

    I'm guessing it's software-controlled, in which case, it's going to be fairly easy to circumvent with an updated/custom OS.

  • Dec 28th, 2016 @ 7:20am

There are 3 things (at least), not 2, to worry about.

    "...and then you have two potential problems: first, what does the company giving you the service do with that info and, second, what would third parties (e.g., law enforcement or hackers) like to do with that info if they could get a hold of it."

    Actually, you have at least 3 potential problems: the two above, plus: How long will it be before Amazon is presented with - or is compelled to produce - an "Alexa, Law-Enforcement" version of their software for targeted installation on these devices, along with the new, standard issue Rule-41 based warrant + gag order?

The code to build an Alexa on a Raspberry Pi is already on GitHub; it's not a stretch to tweak it from "watch for keyword and upload next 30 seconds of audio" to "upload all audio."

    Amazon didn't say "come back with a warrant" out of the goodness of their hearts. They don't want the US Government to kill what could end up being their flagship product in its infancy.

  • Nov 18th, 2016 @ 3:35pm

    Re: Are We Learning?

    Shooting your own dog will almost certainly result in animal cruelty charges.

    It's only ok when the police do it for you.

  • Nov 14th, 2016 @ 9:14am

    Re: Not Me, Couldn't be, then Who?

    No, they haven't been living in a vacuum.

    Ben Wittes has (had?) a blind faith in the inherent "goodness" of the US Government, based on a vastly different set of starting assumptions.

Now, he's being forced to revisit some of his first principles. This is a good thing, because he's respected in his communities in ways that groups like this one are not, which means in theory he has an ability to influence said communities.

    Expect some fairly sharp changes in mentality from pundits in the next couple of years. Hopefully they don't come too late to make a difference, although I expect that they have.

  • Nov 9th, 2016 @ 12:20pm

    Insecure voting machines are nothing new

    "Add into the fun a set of researchers finding (SHOCKER!) voting machines to be terribly insecure. That in itself isn't new, but letting everyone in on how exactly to do it certainly is."

People have been ringing the "holy crap, voting machines are insecure" bell publicly for more than a decade.


Their paper was published in Sep. 2006, but was pretty much ignored by mainstream media.

  • Oct 21st, 2016 @ 3:13pm

    Re: Re: Re: Re: Re: Nerd Harder!

    (ok, so that got long. Sorry about that).

    But fundamentally, if we want anything resembling a secure IoT, we're going to have to figure out a way to make it more expensive for companies to ship a vulnerable product than it is for them to fix it first, because the attack surface isn't going to get smaller.

  • Oct 21st, 2016 @ 3:10pm

    Re: Re: Re: Re: Nerd Harder!

Here's a more solid start, based on use of MITRE's CVE system.

    Assume Samsung is selling IoT-enabled toasters, because why not. Everything's better with a network stack. Anyway, MSRP on this toaster is $100 USD and Samsung releases the product Jan 1, 2017, and ships 1000 toasters.

    Now, if there are no open CVEs on any component of the IoT stack on this toaster in the 90 days before Samsung ships, they're effectively insulated from liability. Oh, and in that world, the sky is fuchsia.

But if there _is_ an open CVE that was announced >= 90 days before Samsung launches the product, _and_ it gets exploited, Samsung is on the hook for 5% of the MSRP for each unit sold of said product for every 90 days of age on the CVE.

    Example: Samsung begins selling their IoT-enabled toaster (MSRP == $100 USD) on Jan. 1, 2017. And they sold 1000 of them on day 1. Said toaster has a vulnerability that was announced on Aug. 15, 2016 (just outside the 90 day grace period). If one of these toasters gets exploited and causes trouble, Samsung is going to write a check for (5% of $100) == $5 for each of the 1000 toasters sold as of the date of the CVE being exploited, plus the same fine going forward for each non-patched unit they sell.

    Now, pretend that vuln wasn't released on Aug. 1, 2016, it was released on Aug. 1, 2016. Same ship date, same quantity. Except now instead of 5% per toaster, it's 10%. Add 5% for every 90 day interval of CVE age. Also, allow the total penalty per unit to exceed 100% of MSRP with no upper bound. So, you release an IoT-enabled toaster with a 12 year old SSH vuln, and it gets exploited? Assume 4 90-day periods per year to make it easy; now your penalty is (48 * $5) = $240 * 1000 = $240k in fines for each $100 MSRP toaster you sold.

    And why use MSRP as the basis for the penalty? Well, because it's both easy to validate and publicly verifiable.

No grace period, no appeal, cut a check to a high school to fund a secure coding class, because CVEs are public and there's no way the organization "couldn't have known".

    Oh, and multiple CVEs? 5% per CVE, and scale it out.

    If you can verifiably patch these toasters 100% then you restart the clock from the time the patch was pushed to the toaster. If you can't patch them, well, eventually you'll get to write a check big enough to make the board pay attention.

    Bonus: Specifically disallow said penalties as a loss for tax purposes.

As to your other question: It's a Samsung toaster running Google code, Samsung pays. It's their label. If Samsung wants to go back and fight it out with Google based on contract terms, that's fine, Samsung can attempt to recoup their (already paid) losses from Google.

    (yeah, I know. There's no chance this or anything like it will ever happen.)
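
The penalty scheme sketched in the comment above, carried through as a small calculator so the grace period, the 90-day interval scaling, the per-CVE stacking and the patch clock reset can all be checked on the comment's own numbers. This is an added example, not the commenter's code or anything from MITRE. The CVE identifiers, dates and unit counts are constructed placeholders, and treating a verified patch as restarting the age clock from the patch date is an assumption about a rule the comment only sketches.

```python
"""Liability calculator for the CVE-age penalty scheme in the comment above.

Rules as the comment states them:
  * A CVE announced fewer than 90 days before the reference date is inside
    the grace period and carries no penalty.
  * Otherwise the per-unit penalty is 5% of MSRP for every full 90-day
    interval of CVE age, with no upper bound (it may exceed 100% of MSRP).
  * Multiple open CVEs each contribute their own 5%-per-interval penalty.
  * The penalty applies to every unit sold as of the exploit date.
Assumption (the comment only says the clock "restarts"): a verified 100%
patch makes age count from the patch date instead of the announcement date.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Union

INTERVAL_DAYS = 90
RATE_PER_INTERVAL = 0.05  # 5% of MSRP per full 90-day interval of CVE age

DateLike = Union[date, str]  # ISO strings accepted for convenience


def _as_date(d: DateLike) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass(frozen=True)
class OpenCVE:
    cve_id: str                     # constructed placeholder, not a real CVE
    announced: DateLike
    patched_on: Optional[DateLike] = None  # date a verified 100% patch shipped


def cve_age_intervals(cve: OpenCVE, as_of: DateLike) -> int:
    """Full 90-day intervals the CVE has been open as of `as_of`.

    Age inside the grace period (< 90 days) yields 0 intervals. A verified
    patch resets the clock to the patch date (assumption, see module doc).
    """
    announced = _as_date(cve.announced)
    clock_start = announced
    if cve.patched_on is not None:
        patched = _as_date(cve.patched_on)
        if patched > announced:
            clock_start = patched
    age_days = (_as_date(as_of) - clock_start).days
    return max(age_days, 0) // INTERVAL_DAYS


def per_unit_penalty(msrp: float, cves: List[OpenCVE], as_of: DateLike) -> float:
    """Penalty per unit sold: 5% of MSRP per interval, summed over all CVEs."""
    intervals = sum(cve_age_intervals(cve, as_of) for cve in cves)
    return msrp * RATE_PER_INTERVAL * intervals


def total_penalty(msrp: float, units_sold: int, cves: List[OpenCVE], as_of: DateLike) -> float:
    """Total check to write: per-unit penalty times units sold as of `as_of`."""
    return per_unit_penalty(msrp, cves, as_of) * units_sold


def worked_examples() -> dict:
    """The comment's toaster scenarios, computed from dates rather than by hand."""
    launch = "2017-01-01"
    aug_cve = OpenCVE("CVE-PLACEHOLDER-A", "2016-08-15")      # 139 days old: 1 interval
    old_ssh = OpenCVE("CVE-PLACEHOLDER-B", "2005-01-01")      # 12 years old: 48 intervals
    fresh = OpenCVE("CVE-PLACEHOLDER-C", "2016-11-01")        # 61 days old: grace period
    patched = OpenCVE("CVE-PLACEHOLDER-B", "2005-01-01", patched_on="2016-12-01")
    return {
        "aug_per_unit": per_unit_penalty(100.0, [aug_cve], launch),          # $5
        "aug_total": total_penalty(100.0, 1000, [aug_cve], launch),           # $5,000
        "ssh_per_unit": per_unit_penalty(100.0, [old_ssh], launch),          # $240
        "ssh_total": total_penalty(100.0, 1000, [old_ssh], launch),           # $240,000
        "grace_per_unit": per_unit_penalty(100.0, [fresh], launch),          # $0
        "stacked_per_unit": per_unit_penalty(100.0, [aug_cve, old_ssh], launch),  # $245
        "patched_intervals": cve_age_intervals(patched, launch),             # 0
    }


if __name__ == "__main__":
    for name, value in worked_examples().items():
        print(f"{name:>18}: {value}")
```

Running the block prints the per-unit and total figures for each scenario; the 12-year-old case reproduces the comment's $240 per unit and $240k total from actual calendar dates (4383 days, 48 full intervals), so the "4 periods per year" shortcut and the date arithmetic agree.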

  • Oct 21st, 2016 @ 12:46pm

    Re: Re: Nerd Harder!

    There's an easy way to fix this.

    Make companies financially liable for security issues in their products in a way that makes securing their software less expensive than not.

    Until that happens, this type of issue isn't going to get better.

  • Oct 21st, 2016 @ 8:21am

    Re: Comey's remarks show two parts of the problem

    Reliable data about police use of force is only one piece.

    The raw data must also be released to the public for independent researchers to evaluate, in near-real time.

  • Oct 5th, 2016 @ 12:56pm

    Re: "What we do is legal" and "Our policy is to do X" are standard boilerplate responses.

    Remember, Yahoo only has to hold out long enough for Verizon's check to clear.

  • Oct 5th, 2016 @ 8:59am

    Re: Re: Re:

    Wow: Moderator, I don't know what happened to the formatting in this post, but it looks like it's mangled the formatting for the comments that are after it - can you fix or remove?

  • Oct 5th, 2016 @ 8:57am

    Re: Re:

"Kill someone remotely from 25 feet and you can be a long way away before it's even realised that the insulin pump didn't simply malfunction, but was manipulated."

    Assuming it can be determined the pump was manipulated. Which isn't a given.

    Insulin pumps have two delivery modes:

• Bolus, which is used to deliver a large dose of insulin - for example to correct for high blood sugars or to dose for carbs in a meal;
    • Basal, which is a slow, continuous dosage intended to keep blood sugars level over time, _and_ which, on this model of pump, can be adjusted automatically based on time of day.

    So, all you realistically would need (in theory) would be line of sight, since the 25' limitation is a Bluetooth spec limitation and not a hard and fast physical limitation, and to know what time the person typically goes to bed.

  • Oct 5th, 2016 @ 8:47am


"I would think a hacker with murderous intent would be much more likely to use a weapon, not a computer."

    A weapon is a state of mind, not an object. You can be beaten to death with the (trivially) detachable seatbelt on an airplane if you put your seatmate in a mind to do so.

    An insulin pump is no different. It would, however, be damn near impossible to prove or identify after the fact. There's no such thing as "insulin poisoning", there's just "hypoglycemia, resulting in unconsciousness, followed by death" if not caught in time.

  • Apr 14th, 2016 @ 2:42pm

    Re: Re: Re:

    Do you want to end up on a watch list? Because googling the physics of nuclear technology will get you put onto a watch list.

  • Apr 14th, 2016 @ 2:40pm

    Re: Re:


Boy, it'd be nice if we could edit comments :)

  • Apr 14th, 2016 @ 2:38pm


    "Somebody should explain to him that encryption is just mathematics and banning encryption is a little like legislating the value of pi. I believe Indiana has experience with this."

At last. A plausible explanation for Common Core Math. Who knew the US Government was capable of a long game?

  • Apr 14th, 2016 @ 8:08am

    All it needs is a little logo

    Similar to the "TSA Approved" logo on luggage locks, we'll need a little "Burr/Feinstein Approved" logo to go on every device sold with this feature.

  • Mar 22nd, 2016 @ 1:26pm

Let's look at the timelines...

    Last Friday, Salah Abdeslam, one of the suspects in the Paris attacks, was arrested in Brussels. He apparently stated, during questioning, that additional attacks were planned.

    Last night, additional attacks were carried out. In Brussels.

They had a terrorist suspect in hand, being interrogated, and by several accounts cooperating with the authorities that had him in custody - and the attacks still caught authorities unaware.

    And the go-to evil technology is encryption?
