Author: Eliot

Yet another IoT bug

Miele could have benefited from MUD, as well as the experience of the Internet security community.

The Register is reporting a new IoT bug involving Miele PG 8528 professional dishwashers, used in hospitals and elsewhere.  In this case, it is a directory traversal bug involving an HTTP server that resides on port 80.  In all likelihood, the most harm this vulnerability will directly cause is that the dishwasher would run when it shouldn’t.  However, the indirect risk is that the device could be used to exfiltrate private information about patients and staff.  The vulnerability is reported here.

Manufacturers expect that it will be very simple to provide Internet services on their devices.  To them, initially, they think that it’s fine to slap a transceiver and a simple stack on a device and they’re finished.  They’re not.  They need to correct vulnerabilities such as this one.  They apparently have no mechanism to do so.  Manufacturers such as Miele are experts within their domains, such as building dishwashers.  They are not experts in Internet security.  It is a new world when these two domains intersect.

We need MUD

And yes, Manufacturer Usage Descriptions would have helped here, by restricting communication either to all local devices or to specifically authorized devices.

Taxing Bitcoin? IRS gets involved

Once again: is bitcoin a currency, and do currency rules apply? Or is it a capital asset and do those rules apply?

The Wall Street Journal is reporting that a large Bitcoin exchange Coinbase has been served with a so-called “John Doe” warrant in search of those people attempting to evade taxes.  A number of privacy advocates are upset at the breadth of the warrant, because it demands access for an entire broad class of people, and not specific people.

Bitcoin is used for all sorts of nefarious purposes, including online ransoming.  Tax evasion would be the least of its problems.  Were Coinbase a bank, they would be required to inform the federal government of transactions greater than $10,000 or of those individuals believed to be structuring transactions to avoid the $10,000 filing requirement.  These are anti-money laundering provisions that go hand in hand with tax enforcement.

And so my question: if it is wrong for the federal government to make such a demand of Coinbase, is it also wrong of them to make the same demand of banks?  If it is not, then why should Coinbase be treated differently?  And if Coinbase is not treated as a bank, is Bitcoin then not a currency?  If it’s not a currency, should it be treated as a capital asset for taxing purposes?  If that is the case, how would the IRS be able to enforce the reporting requirements associated with assets?

The alternative seems to be to trust people to not launder through Bitcoin.  If history, including recent history, is any measure, that’s a bad idea.  Either way, Bitcoin has already shown that privacy has its downsides.

Trump and Ryan’s healthcare failure doesn’t mean they will fail in the future

Just because President Trump and and Speaker Ryan lost the Healthcare battle doesn’t mean they’ll lose the coming tax overhaul battle.

Over the last twenty-four hours many people have been talking about who should take the “blame” for the failure of the Republican healthcare bill.  Some say it is President Trump, others say it is Speaker Ryan, others say it is the so-called Freedom Caucus and yet others astonishingly others blame Democrats.  They are all wrong.

It is the American people who did not want the Republican healthcare plan.  According to at least one poll, only 18% of Americans wanted the bill to pass.  Many of the rest of us were vocal in our opposition on the Internet, in town halls, writing letters, and calling our Congresspeople because the bill would directly affect us and those who we love.

The pundits are saying that the failure President Trump’s and Speaker Ryan’s plan will complicate their agenda, moving forward.  They say this because the healthcare plan was supposed to pay for the massive tax overhaul that the president has in mind.  These people who say these things are underestimating both the president and the speaker, and in particular Steve Bannon.

There are two forces in play.  Speaker Ryan and many Republicans want to see the tax system overhauled.  While Speaker Ryan would like to see overhaul come in revenue neutral, when push comes to shove, he will be willing to deficit spend in the short term, and make cuts later, with the logic being that the government has swam in red ink before, and a little more for a bit longer won’t hurt; and that Republicans will eventually stem the bleeding by simply forcing the issue.

Steve Bannon has a different logic.  He would just assume see the government bleed to death.  If destruction of the federal government is brought about faster due to the tax overhaul, that would be more than fine with him.  Those same Republicans in Congress who nearly caused the government to default might play this game.

The reason this is likely to work is that the tax overhaul will be a gigantic give-away, and everyone will make money in the short term.  Nobody will be screaming at Congressmen in town halls.  Nobody will be worried about how this will hurt them personally.

It will be our children and theirs who pay for this policy.

MUD sliding along

Your chance to try and chime in on Manufacturer Usage Descriptions, a way to protect IoT devices.

You may recall that I am working on a mechanism known as Manufacturer Usage Descriptions (MUD).  This is the system by which manufacturers can inform the network about how best to protect their products.  The draft for this work is now about to enter “working group last call” at the IETF.  This means that now would be a very good time for people to chime in with their views on the subject.

In the meantime, MUD Maker has also been coming along. This is a tool that generates manufacturer usage descriptions.  You can find the tool here.

MUD isn’t meant to be the whole enchilada of IoT security.  Other tools are needed to authenticate devices onto the network, and to securely update them.  And manufacturers have to take seriously not only their customers’ needs, but what risk they may impose on others, as Mirai reminded us.  Had MUD been around at the time, it’s possible that Mirai would not have happened.

Finding REAL News as Opposed to Fake News

Here are three simple tests to determine whether a site is a trustworthy news outlet. Are there multiple sections? Does it have multiple news bureaus? Does the site post corrections?

The great New York Senator Daniel Patrick Moynihan famously said that everyone is entitled to his own opinion, but not his own facts.  Unfortunately, our democracy is being undermined by a combination of an epidemic of fake news and people being willing to believe the drivel.

What, then, are trustworthy news outlets?  To start with, they have to have paid reporters.  Determining the truth requires investigation with feet on the ground.  It requires document searches, interviews, and research.  That costs money.

Still, a well funded propaganda outfit could pay (or claim to pay) for “reporters”.  How to tell the difference?  Be suspicious of any site is primarily focused on national politics or any single issue.

Here are a three tests to guide someone as to whether a news outlet is likely legitimate for daily consumption.  The tests themselves aren’t perfect, but they’re pretty good.

1. Does the outlet have many news bureaus?

A real newspaper will have at least one regional bureau for the region they are covering, and will often have an additional bureau for a state capital or for Washington.  Fake news sources may not have any bureaus.  A simple test is to type the name of the site and then “news bureaus” into a search engine and examine the results.  Note that a regional paper will tend to have only a few bureaus outside their region.  That’s okay, so long as they stick to news where they have those bureaus and more importantly reporters.

2. Does the outlet have multiple unrelated sections?

Real news sources will have sections such as weather, sports, obituaries, arts, finance, and region, as opposed to just politics.  They may not have all of these sections: for instance, the Wall Street Journal doesn’t have a weather section, but their finance section is unparalleled.

3. Does the outlet ever publish corrections?

Even if the answer to the first two questions is “yes”, no one is perfect.  But a good news outlet will recognize their imperfections and always seek to report the truth, no matter how embarrassing it may be.  A good measure of an outlet’s trustworthiness is how regularly they correct themselves.

Let’s Test

Given these parameters let’s see whether a web site is a good source for news.

Source Multiple Bureaus? Unrelated Sections? Corrections?
The New York Times Multiple, throughout New York, US, and the world NY region, sports, weather, obits, arts Regularly at the bottom of an article online, or in a section in paper.
Fox News Multiple affiliates Sports, weather, numerous regions Not too often.
Breitbart Four bureaus no Very rarely
Wikipedia No Yes (vast) Entries are continually edited
The Daily Caller No No Never
NPR Many regional affiliates along with international bureaus Numerous Regularly online and on radio
The Wall Street Journal Strong presence in financial capitals Finance, Travel, even some Sport Regularly at the bottom of articles
Politico Primarily national, with a few state and international bureaus No Very Rarely

Trust, of course, is not a binary.  That’s why it’s important to get information from multiple sources, maybe not every day, but regularly.  Also, just because something is not marked as a trustworthy news outlet doesn’t mean their lying.  It does however, mean, that they’re something other than a trustworthy news outlet.  A blog, perhaps, or an analysis site.  Wikipedia is an interesting case because nobody gets paid, but the information tends to be reasonably trustworthy (or at least transparent).

All of this doesn’t get people off the hook from using their common sense.  RT would easily pass the above tests, and yet they are a well known and well funded propaganda arm of Vladimir Putin.  Probably not a good news source.  Most blogs aren’t so well funded.