DCN Services: technologeneral
General Technical Musing from the Staff at Dyess Computer & Networking Services, LLC.
04/11/17
We try to help. Sometimes we go too far.
Filed under: General, Malware, Bots, Hacktivism
Posted by: Jason @ 7:28 am
Subtitled: I pay a doctor so I don’t have to learn medicine

We will get back to the equipment cleaning conversation, but today I wanted to look at an article I came across while scanning through slashdot.org. The article is “New Malware Intentionally Bricks IoT Devices” and was originally published at (among other places) bleepingcomputer.com (an amazing resource for all things anti-malware, especially if you want to do it yourself, but need some guidance on how to do that). I am sorry it is so long, but there was a lot I needed to go over (read “rant about”).

Without rehashing the article (it is linked), a summary could read something like this: Someone, somewhere, is tired of the fact that many (most?) IoT devices have crappy security (both inherently and because manufacturers set defaults at the lowest settings), and rather than allowing them to sit there with a sign that says, “botnets welcome here,” has decided that if neither the manufacturer nor the end user could be bothered to secure it, it didn’t deserve to be allowed on the internet.

Now, slashdot is a forum-style news aggregator frequented by techies and geeks and such (I feel right at home :-) ), and predominantly (as of last perusal), the overwhelming vibe there was, well basically, “Go Team,” or as a /.er posting anonymously put it, “It’s one of those rare times when I can say that I know what they are doing is wrong, but I understand. I don’t support them. I’m just not going to stop them. I won’t root for them, at least not out loud.”

So, why the conflicting statements? Why is this bad and yet oh so good? I mean, we are talking about something akin to me coming into your house and bashing your television to pieces with a baseball bat (or cricket bat if you prefer), because you don’t have an alarm or reasonable lock on your doors (or because you use the same key that comes with every model of that door). So why would anyone root the perpetrator on?

  1. People love vigilantes (look at almost every superhero ever made, half or more of all action movies, and the deep-seated feeling that sometimes the only way to fix something is to do it yourself).
  2. People love when someone else’s hubris leads to their downfall. (used here to include, “it can’t happen to me”, “what do I have that anyone would want”, “Everything else I want to do is more important than securing that.”) It is the entire reason “Greek Tragedy” is a thing…that and the Ancient Greeks needed something to do before the advent of computers.
    and finally,
  3. Tech people KNOW that security is more important than the usefulness of your device (except when it isn’t) because the security of your device affects the security of all the other devices. And they KNOW that the only way to cause a true change is to either make the change they want so appealing nobody would do without it, or make the status quo so painful to maintain that no one is willing to do it. The first is next to impossible in the security world. No one (except geeks and techies) wants devices that are harder to get into and use. And no one (same comment) wants a continuous learning curve on how to configure those devices themselves.
The second method only works if you go to extremes. You don’t believe me?
You are aware that there are people with, well, a particular set of skills, that enable them to get into your computers, phones, DVRs, and other electronic devices, can track the things you are doing on the internet, and use all of that information to break into your accounts and steal your money or your identity, or use your devices to cause damage to other people and companies.
You know this and you still (most likely) do some or all of the following:
  • Have no antivirus/anti-spyware installed on your computer(s) (or have the one that was forced on you…I mean came bundled with the system you bought).
  • Don’t have your AV/AS doing active scans.
  • Keep using Windows Vista (Bad) or XP (Worse).
  • Use the same password or passwords to access everything.
  • Use a password or PIN that has any of the following: names, ages, birthdates or years, words you can find in the dictionary, or commonly used patterns.
  • Use passwords that are too short.
  • Use an administrator account on your computer for general use.
  • Leave the default username and password enabled and in use on anything (this should be changed before you do anything else to the system)
  • Accept End User License Agreements without reading them.
  • Accept the default settings for anything without understanding what it means and the security implications (or worse, not looking at the settings at all).
  • Don’t complain to software, hardware, or system vendors when they are not providing up to date security options with their products.
  • And finally, assume that malware are Pokemon and that your favorite AV or AS product will “Catch ‘em All” (It won’t. We use a combination of about 10 different tools that find and remove specific types of malware, including viruses, worms, trojans, adware, spyware, tracking cookies, rootkits, and other undesirable software, programs, and modifications.)
And the reason you probably still do all of that is because it is hard (it is), it is time consuming (more than you would believe), and it is a big world… surely it won’t happen to me. (Sorry. That is what every one of the hundreds of people who had their devices bricked thought, if they had thought about it at all.)
It is not that the techies and geeks don’t see that the person who set this up is wrong. They see that. They just also see the reason for the incredible frustration directed at both manufacturers and consumers in this little Greek tragedy.
On the other hand, they could be wrong. It could always be some joker just wanting to watch the world burn.