Hmm - haven't we been discussing just this recently on these treasured pages? CAB - Computer Aided Burglary.
Researcher criticises 'weak' crypto in Internet of Things alarm system
Security shortcomings in an internet-connected burglar alarm system from UK firm Texecom leave it open to hack attacks, an engineer turned security researcher warns. Luca Lo Castro said he had come across shortcomings in the encryption of communication after buying Texecom’s Premier Elite Control Panel and ComIP module and …
COMMENTS
-
Thursday 31st December 2015 19:38 GMT a_yank_lurker
Huh?
“Realistically, this attacker isn't going to be able to perform an attack against the ComIP module. They don't have the skills, tools, or motivation to target an individual,” - Is this guy clueless? There was a show on US cable several years ago showing how professional burglars case neighborhoods looking for likely targets. If the one with a couple of brain cells realize they might turn off an alarm system they might be willing to spend time locating the vulnerable targets in their area.
Yes, many criminals do have a hard time carrying on a conversation with the vast intellect of brick. but there are enough with a clue who seeing reports like these (not condemning the report - it is needed) will realize they might want to learn how to remotely disable these systems.
-
Thursday 31st December 2015 21:29 GMT The Axe
Re: Huh?
Who this "expert"? He doesn't seem to know much about criminals. I suppose he'll probably also say that car alarms need highly skilled IT experts to break and therefore it's unrealistic for cars to be stolen without actually breaking a window as criminals are stupid. It's the "expert" who is stupid. He probably advised the car makers when they were making their insecure car alarms.
This "expert" needs to realise that not all criminals are clueless. Criminals can come from all walks of life.
-
Monday 4th January 2016 06:32 GMT cybergibbons
Re: Huh?
Which would probably be why they said "it would be beyond the capability of most would-be burglars with access to no more than basic electronic tools like wire strippers, a multi-meter, and crocodile clips".
Are you arguing that most burglars would be capable of this? That would strongly go against the available evidence.
Burglary and car theft have very different risks and rewards, which you seem to have ignored in your analogy/comparison.
You can almost entirely work out the security system on a car just by the model and year. There is very little variation. Not possible with a home alarm. It's easy for criminals to identify and target cars like this.
Once you have bypassed the security system on most modern cars, that's it. You can open the door and start the engine. Not so with a house - bypass the alarm, and you still need to deal with physical security.
Most burglaries don't result in a good reward of a known value. You might get £500, you might get £5k. Lift a high-end car, and you will be looking at a lot more.
-
Friday 1st January 2016 00:55 GMT Adam 1
Re: Huh?
For a hundred quid, a criminal could buy a WiFi pineapple (or similar), setup a fake AP, sending out fake deauth packets for their real router and waiting for the unlock code to be recorded.
Wow, I managed to make that sound like you need to be done l337 haxor to do. It's really not. At all. And if you really can't RTFM because you have the intelligence of a house brick, you can watch the step by step on YouTube.
It really isn't a good argument to say "not vulnerable" because it is "beyond the capability of most would-be burglars". That is like saying that it doesn't matter that your car may be easy to hotwire but don't worry because they would have to get through the locked door first.
We live in a world where IOT light bulbs leak the password of their WiFi network. Security in the digital age is about layers, not some impenetrable moat on the outside of your castle. You assume that your adversary can see and manipulate any communications between any of the devices and build the security in from the foundation.
-
Saturday 2nd January 2016 09:21 GMT Anonymous Coward
Re: Huh?
Completely agree with the other commenters here - the "expert" doesn't know what they're talking about. Lots of alarm people are ex-locksmiths rather than IT security experts - is this the case here by any chance?
Criminal networks are highly effective at sharing information and systematising the breaking of security. I may not have the personal skill to design an operating system or i7 chip, but it doesn't stop me using them highly effectively. It only takes one person to do it and sell the tools.
Combine this with a company that's a/ evidently clueless about network security b/ appears to have a natural reaction of denying rather than responding to security issues and it's an accident waiting to happen.
What's the odds criminals are trying to hack their customer list (and those of their resellers) right now? Combine it with rented access to a router botnet and cross reference with IP address geolocation and you've probably got a nice address list to go after. The alarm system remote monitoring will probably even tell you when there's no-one in the house...
-
Sunday 3rd January 2016 06:46 GMT MachDiamond
Re: Huh?
It wouldn't be hard to use a low power Pi or similar computer dropped near a target and log when the alarm is activated and disarmed. A week or so of data would give a good indication of the homeowners schedule. If it could be done via the net, a burglar could monitor several alarms for a longer period of time to build a larger statistical universe. Most people with regular jobs keep a pretty consistent schedule.
-
Monday 4th January 2016 06:32 GMT cybergibbons
Re: Huh?
I can build a device that will disable a significant number of wireless alarms on the market in the UK. It costs about £12 to make. It took very little research (relatively) to work it out.
Never seen anyone else sell them - I've even tried asking on some of the forums that are used for trading ATM skimmers, fake chip&pin terminals etc. They just aren't made - criminals aren't currently interested in bypassing alarms on domestic properties.
-
-
Monday 4th January 2016 06:32 GMT cybergibbons
Re: Huh?
I don't think there are enough burglars with enough sense to carry out these attacks - certainly not against domestic properties with self-installed panels with no professional monitoring.
I've been asked to look into five cases now where a homeowner has suspected that the burglars had used advanced electronic bypass methods to get in. Whilst I could never say for sure, there was no evidence in any of these cases that anything untoward had happened.
There's a world of difference between casing high-end targets (which would have graded alarms) and most burglars working out how to bypass individual homes over the Internet.
-
-
-
Thursday 31st December 2015 20:01 GMT Anonymous Coward
Re: Bah!
"And in what universe does a remotely controlable burglar alarm make any sense, [...]"
Presumably the use of an app on a smartphone is to replace a dedicated controller - like many IoT things. Outside your front door use the app to disable the alarm before you enter - and vice versa to arm it when leaving the house.
Convenience has often taken priority over security - which is only ever as strong as the weakest link.
-
Thursday 31st December 2015 20:15 GMT Commswonk
Re: Bah!
And in what universe does a remotely controllable burglar alarm make any sense, especially one controlled over the bleeding world wide web?
The universe of marketing, for starters. And the universe of politicians who start drooling uncontrollably if the words "digital" or "apps" are used. Not, it must be said, in any universe where common sense has a place.
It serves to prove that you really can fool most of the people most of the time.
-
Friday 1st January 2016 14:58 GMT h4rm0ny
Re: Bah!
>>"It serves to prove that you really can fool most of the people most of the time."
Things I can do with an Internet connected security system that I can't do with an old-fashioned one:
* Check that I set it after I've left home.
* Enable it if I find I need to later on (e.g. if I did forget).
* Disable it if I need to (e.g. my partner returns when I'm not around / I want my neighbour to check on something for me / I have a delivery or service person I want to enter my home whilst I'm at work)
* Be notified immediately on my phone that it has been triggered and take appropriate actions such as calling the police / turning the alarm off if it's a false alarm or it's done it's job and I want to stop driving the neighbours crazy / logging into cameras in the home to see what's happened)
* Have more than a rudimentary All or Nothing approach to my home security. (E.g. different access levels for different people / ability to amend these on the fly as needed).
Of course, feel free to mock it as an example of how you can fool most of the people most of the time (you've mangled the quote, btw).
-
Saturday 2nd January 2016 12:20 GMT Stoneshop
Re: Bah!
Given that a decent alarm system usually has the capability to send alarm notifications by phone (which tends to get replaced with "over Da Intarwebz" though), SMS should be a viable option for most of the requirements you list:
[x] * Check that I set it after I've left home.
[x] * Enable it if I find I need to later on (e.g. if I did forget).
[x] * Disable it if I need to (e.g. my partner returns when I'm not around / I want my neighbour to check on something for me / I have a delivery or service person I want to enter my home whilst I'm at work)
Limit control for this option to phone numbers registered with the control unit, and add a one-time code (copied from the control unit before you leave) if you're worried about number spoofing.
[x] * Be notified immediately on my phone that it has been triggered and take appropriate actions such as calling the police / turning the alarm off if it's a false alarm or it's done it's job and I want to stop driving the neighbours crazy / logging into cameras in the home to see what's happened)
[x/ ] * Have more than a rudimentary All or Nothing approach to my home security. (E.g. different access levels for different people / ability to amend these on the fly as needed).
Amending on the fly is explicitely something I wouldn't want. Security, including access modes and zones, is something I'd design and set up beforehand. If I then need to grant access in a way that doesn't match those predefined modes, then it's "tough shit, come back tomorrow".
I want my home control system (which an alarm can be considered part of, although not necessarily integrated with) to offer a limited number of predefined states, such as "I'll be home in half an hour, set the living room thermostat to $preset(comfortable)" unless you have direct physical access. And controlling the system from outside the house can only select the applicable subset of those predefined states.
-
Sunday 3rd January 2016 04:10 GMT tom dial
Re: Bah!
The concomitant of this convenience, however, is to degrade, apparently quite a lot in the case of this equipment, the system's performance of its basic function.
Note also that the last two items cited mostly do not require external wireless control despite the fact that they can be implemented in that way.
-
-
Monday 4th January 2016 08:41 GMT John Robson
Re: Bah!
Which is great - assuming infinite battery life...
And the thing should be SSL'd even over the WLAN - as someone mentioned above the light bulbs are leaking wifi credentials - as is Windows 10. Pretty sure a kettle did it recently as well...
Given that it probably insists on either WEP or an open wifi network....
Oh well - whatever happened to devices having an ethernet port :(
-
Monday 4th January 2016 11:17 GMT I am not spartacus
Optional
"Oh well - whatever happened to devices having an ethernet port :(
It really has come to something when this fits in to the general category of 'Grumpy old git/technophobe response' (and, I'm not sure whether you would count that perception as undesirable, but that is how I read it).
-
Monday 4th January 2016 15:13 GMT John Robson
Re: Optional
Hardly technophobic..
I can see the benefit of having some devices on WiFi - mostly user devices, but I doubt that an ethernet port shouldn't be significantly more expensive than a WiFi chip and antenna.
My NowTV boxes aren't mobile, they don't need the mobility of a WiFi connection, neither does an alarm system - which is presumably wired in to the house...
My Blu Ray player has an ethernet port on the back... One of the things I looked for when I bought it...
The benefit of using wires is that the airwaves need be shared by fewer devices. Wires make good a spatial division multiplex and avoids all the issues of whatever the latest wireless security issue is, as well as not limiting your next gen router to an older WiFi speed, compromising the remainder of your devices.
-
-
Tuesday 5th January 2016 14:54 GMT John Robson
Re: Optional
It came from the "remote control via pocket computer"
There isn't any indication that any of the comms are encrypted and there is a tendency in devices nowadays to be WiFi only - often not a recent version, forcing all devices to drop to a lower standard...
That this has ethernet is one good point IMHO - of course the rest of the security is still needed
-
-
-
-
-
-
Friday 1st January 2016 23:48 GMT Lee D
Re: Bah!
I refuse to put an alarm bell on my house. They are pointless, loud, annoying, and... totally ignored. Thus they are useless, even in a friendly neighbourhood. Every time an alarm goes off in my street (and it happens enough that I know this), it's completely ignored. Car. House. Doesn't matter.
So my house alarm just texts me instead. Then I can login and look at the cameras from home. Motion detection on such a setup is pointless and distracting, so there's no point relying on movement being detected in order to alert me. But a door opening, or a window breaking, that means something happened. Possibly. Like the way that the CCTV motion detection going off could mean that it's a bit windy in the garden, the door magnet going off could just be a windy door banging on the latch or a PIR being set off by the cat.
But with a remote control system, I am able to be alerted. I am then able to make a decision, based on the alerts and other remote-accessible data (like cameras, alarm trigger logs, etc.). Then... guess what... IF I SUSPECT a burglary, I can set the house alarm off remotely. And alert the police directly. Or phone the neighbours. Or drive straight home. Or not.
Without a remote home alarm? My alarm would go off, people would all ignore it, and I'd know nothing until I got home. Does having a remotely-controlled alarm put me at a disadvantage or provide an avenue into my home? No. Because it's properly designed and thought out. Hell, even the CCTV can detect if it's being obscured or cut and alert me, because I know for a fact that the CCTV on its own is next to useless to actually preventing the crime.
But a remote home alarm? There's a ton of uses. And it doesn't have to provide avenues for a burglar, or insecure access to your home.
(The other day I found out which damn delivery driver it is who keeps pulling my bins across the front of my driveway so that I can't get my car in without stopping in the road. Because walking into the garden sends an alert and flags the cameras to record, and my home cameras are set up on my monitor at work (and, no, you can't DO anything, just see the camera over a VPN connection))
-
Saturday 2nd January 2016 05:08 GMT Stevie
Re: Alarm bells ar pointless, bins, setting/unsetting the alarm
But an alarm siren at earsplitting volume *inside* the house, coupled with flashing xenon strobe lights will make the burglar's job that much more difficult and exact a just toll on the bastards.
None of which needs an internet connection. Remote controls to the house are just another way for technology to interrupt me when I'm doing my life. My alarm calls the rozzers by itself. Let them deal with the situation and tell me about it when I get back from dinner.
Catching the person who blocks your driveway with bins doesn't require an internet connection either.
If you can't remember to set your alarm when you go out, there's no guarantee you'll remeber to check it over the web either.
And if you can't trust your partner with a kill code for your alarm system, you have issues the internet won't fix.
Admit it, Internet of Burgalar Alarms fanboys, you want it because it is shiny, not because it is useful. Don't come crying to El Reg when villains in stripped jerseys and masks hack your front door and have it away with your flatscreen and dolby 7.1 Surroundsound setup.
The NSA will have your killcode every time you use it too. At least they have to send a van with a cable TV imposter with a trad setup.
-
-
-
Thursday 31st December 2015 20:01 GMT Commswonk
What?
1: To be able to remote control the alarm system remotely...
I blinked at this several times before remembering that we were advised that El Reg staff were going to have a break to, er, celebrate the New Year. Notwithstanding this linguistic horror you are nonetheless forgiven.
2: That means a lot of legacy products, compared to the two to three year product lifetime we are seeing on general IoT products.
Well that's another reason for having nothing to do with the stuff, then. Two to three year product life? I expect anything vaguely falling into the description "hardware" to have a much longer life than that. Two to three years falls into the category of "taking the piss".
-
Friday 1st January 2016 13:23 GMT Paul Crawford
Re: What?
Indeed 2-3 years is taking the piss, but that is what we see with the majority of smartphones. You have to look hard to find any getting support or security updates even when under 1 year old, let alone 3.
But this misses the point - such shit security practice like unencrypted communications that reveal passwords, etc, have been known to be shit for decades so there is no excuse. It simply comes down to companies not employing staff or external support (e.g. penetration testing, etc) who know what they are doing when it comes to security. So many of the bugs that keep coming up, and design flaws, are well known and often (in some cases, like memory abuse) picked up by compiler warning and static analysis tools. That don't get used.
-
Sunday 3rd January 2016 10:43 GMT Stoneshop
Re: What?
1: To be able to remote control the alarm system remotely...
I blinked at this several times before remembering that we were advised that El Reg staff were going to have a break to, er, celebrate the New Year.
Yes. I'm sure they intended to write "To be able to remotely control the alarm system's remote control remotely.", but then festivities happened.
-
-
-
Saturday 2nd January 2016 15:10 GMT Anonymous Coward
Re: IoT and Security?
"But who cares about security in a security system...
...Oh. Now I get it."
Well, yeah, my point exactly. We've all been used, here, to utter shite security for any IoT gadgets (light bulbs, others) that normally kind of stay in the local LAN, even if local WIFI is something to be defined (radio can last a long way). So, yeah, IoT security = bollocks is now granted.
But here, this is not IoT gadgets for me, this is a SECURITY system, for pro and home use ! For which there is, indeed, uses cases of remote usage, through public networks (call/signal/inform someone) !
And they screw up so badly (lol, base64 encoding security), and spin it so badly ...
I'd be a criminal, I'd start to organise burglar teams lke this:
- cyber-intruders, central team, instructing burglars on where and when go
- local burglars, local teams
Can't loose vs. those morons ...
Anon, as I don't want any copyright on the above.
-
-
-
-
Thursday 31st December 2015 22:59 GMT Commswonk
Re: sim card in alarm system
Phone home owner; all well and good. Phone police? Don't think so; ISTR that the police will not now take calls from "automated" burglar alarms because of the number of false alarms. I think remote alarms have to go to an "alarm company".
Which raises the question "if the home owner gets an automated alarm call what are they going to do about it?" Ring the police and risk getting short shrift anyway? It would have to be a text to the home owner in any case; a voice call could be frustrated by the user yakking away on their phone, which looking at a large percentage of the population at any given time is all too likely.
-
Friday 1st January 2016 15:00 GMT h4rm0ny
Re: sim card in alarm system
>>"Which raises the question "if the home owner gets an automated alarm call what are they going to do about it?"
Log into my IoT home security cameras and see if it's a false alarm or not. If I can see a stranger in my home or a forced open door, then I can call the police and tell them that it's not a false alarm myself. That's what we're going to do about it.
-
-
-
Thursday 31st December 2015 21:12 GMT Doctor_Wibble
Spear Phishing
If the target is worth the time then you aim a trojan at the user, their home computer then listens on the local network, sniffs the password as they test (or show off) their remotely controllable alarm system, and then either sends the info out or waits for your 'main screen turn on' instruction to come through, 'what happen' being entirely optional.
Better yet, start up a mailing list management company and given time you will have a collection of ready-made target lists to work from.
If the data is only present on the remote network then you pwn the remote network. May or may not be trivial of course but that's why these films have the proverbial motley crew, to cover all the angles.
-
Thursday 31st December 2015 22:50 GMT DropBear
I admit my cognitive abilities are completely shot right now but...
...how exactly does one reconcile "a secure local network" with "punching holes in the firewall", for fuck's sake? If it's a local setup phase ONLY that travels unencrypted over a hopefully secure local wifi that's still bad enough, granted, but maintaining an unsecure connection that LEAVES the local wifi is an entire different ballgame. So which is, because it's not even that one of you is talking bullshit, it's that the two things are incompatible - it's either one or the other!
-
Friday 1st January 2016 00:42 GMT Captain DaFt
"it would be beyond the capability of most would-be burglars with access to no more than basic electronic tools like wire strippers, a multi-meter, and crocodile clips."
It would seem this 'expert' is still designing alarms for the 1970s. Things have slightly changed since then.
Most crooks these days have access to highly sophisticated computers called smart phones.
All it'd take to bypass these security systems would be some war-driving software and a copy of the control app loaded, and Mr. Smooth Criminal loots your house at leisure.
-
Friday 1st January 2016 11:58 GMT Mystic Megabyte
@Captaindaft
> and Mr. Smooth Criminal loots your house at leisure.
Some years ago a friend returned to her London house just as a man in a suit was climbing down the drainpipe! Mr. Smooth Criminal was a professional cat-burglar who obviously only stole pocketable items. He also avoided the heavily locked front door by not using it. the. The suit was a neat way to blend in, the police are looking for hoodies carrying a TV.
Rather than risk getting attacked she let him walk away, I don't think that he was caught.
-
-
Friday 1st January 2016 00:48 GMT Andy629
oops. have just bought this very hardware for an alarm upgrade, to allow remote access etc for alarm checking / reset. I'm struggling to understand why anyone with a clue would link an alarm system over the internet without using a vpn though. As for traffic not being encrypted on the LAN, surely if someone has access to your Lan it's mostly game over anyway...
Telecom have an opportunity here to pull their finger out and probably steal a lead on the competition - some of the systems available are truly appalling (wireless systems with one way transmission)
-
Friday 1st January 2016 13:37 GMT Anonymous Coward
"oops. have just bought this very hardware for an alarm upgrade"
I recommend you discover the joys of multiple VLANs and multiple SSIDs. 1 for your PCs/laptops, 1 for NASs/servers, 1 or more for IoT stuff, 1 for your phones, 1 for guests. Each will need routing, and a good firewall policy. It's non trivial but necessary if you want a modicum of security.
The trouble is, not only is it a bugger to setup the above properly but you will need a bit more than your average ISP freebie router to do it. However get yourself something like a Draytek or FritzBox or a custom ROM based thing like Tomatoe or pfSense on an old PC/laptop plus a modem as required and you can do all of that. Reasonably cheap switches can be had eg Netgear GS110TP for PoE + layer 2 managed for cameras and the like.
-
-
Friday 1st January 2016 16:44 GMT Mage
Expertise
You only need ONE expert in the WORLD to know how to break into a system, that writes it up clearly, maybe with a video.
Then anyone able to use a multimeter can follow the instructions.
"We aren't buying your security setup for our workstations and servers" said the College, "most of the students don't have clue."
"How many of the best ones do have a clue and are untrustworthy?" I asked. "Do they have any friends, or websites?"
We got the order.
Without me having to suggest some of their students by name.
-
Sunday 3rd January 2016 12:00 GMT TheOtherHobbes
Re: Expertise
In a world where scriptkiddies are pwning WordPress installations by the million to make botnets and cybercrime gangs are coining it with variations on cryptolocker, anyone who thinks crims don't know how to technology is so lacking in clue they probably have trouble remembering how to breathe.
-
-
Friday 1st January 2016 20:03 GMT Roland6
Warning! Reality Mismatch!
And the problem is exacerbated because alarms are designed to be installed and last 10 to 15 years. That means a lot of legacy products, compared to the two to three year product lifetime we are seeing on general IoT products.
I suggest this shows just how far from the real world many IoT pundits and 'toy' developers are. The sorts of things IoT is being targeted at are things that currently are, quite reasonably, expected to work with minimal maintenance for a minimum of 10 to 15 years in a domestic environment and significantly longer (30+ years) in many industries.
By way of example, whilst the circuit board in the external box need to be replaced every ten years or so (degradation due to sun and weather) the alarm control box, under the stairs, I don't expect to do anything to it until some component (eg. it's PSU) fails, which shouldn't be within a few decades.
Similarly light bulbs might have a 'limited' lit life, but that doesn't mean that they don't last; I still have a couple of bulbs I've not changed since I moving into my current house 12 years ago, because they just don't get used very much. My central heating controls are still the originals and I see no need to replace them anytime soon.
Which gives rise to an interesting security problem, namely: within the life of these systems we can expect commodity computational power to develop to the point where the "state-of-the-art" security installed in them can be broken by any one simply downloading the relevant cracking tool.
-
Saturday 2nd January 2016 10:01 GMT K
compared to the two to three year.. for.. IoT products
Hence why the IoT is another marketing hypergasm, thats going end in a premature nut bust!
3 years ago I replaced all the lightbulbs in my house with LED ones, so that I could save money, they have a life expectancy of 9-10 years and I expect to get full usage out of them!
-
This post has been deleted by its author
-
Sunday 3rd January 2016 06:39 GMT MachDiamond
Hard then simple
Many crack jobs DO require a very knowledgable person to be the first in finding a security flaw. Once the secret is out, it's only a short amount of time before somebody has coded a bit of software to exploit the vulnerability and it's a piece of cake for anybody to break in with only enough brains to manage Sunday cartoons.
Company's/Developers should only enter the security devices market if they will spend the time to build a competent product. They should also bring in outside testers to try and circumvent their products.
Scenario:
A burglar combs the listings of homes for sale in a high priced neighborhood and sees some pictures of a home with stuff that can be resold without a fuss. The estate agent was being very helpful by stupidly taking a close up picture of the alarm panel to show potential buyers that the home has an alarm system. Now the burglar has a fair inventory of what his haul could be and the particulars of the alarm system. A little bit of searching online and/or some consulting with others in his trade and he will have an idea on how to bypass the alarm. Since the best return is made by burglarizing high end homes and those homes ubiquitously have alarms fitted, professional thieves are much more tech savvy than many start up alarm system companies think. If all it takes is a tablet and some sniffer software, thank you very much.
-
Sunday 3rd January 2016 08:14 GMT Mad Chaz
Checklist
1: Find an open/wep secured wifi and get connected.
2: Scan the network for such a device. Record cleartext password at any time the application gets connected. Probably every 5 minutes while it checks status.
3: Turn it off, rob the place, turn it back on.
4: Profit
Yea, I'm sure that could never happen ....
-
Monday 6th March 2017 09:42 GMT jsciii
One of Those Guys isn't Right
Many of the comments are interesting and good ideas, but don't really address the specific problem. The researcher says he used WireShark and was able to see the communication between the Texecom hub and an iPhone in clear text. The Texecom spokesman was a bit more vague, but he appeared to be saying that communication with systems on the internet are protected with TLS or SSH. If this were true then they wouldn't be in plain text. So perhaps the researcher is new to WireShark and thought he was seeing plain text. But it is more likely to me that the Texecom spokesperson didn't include iPhones in his statement. I think he used the word "servers." Perhaps they somehow define that word in their minds so that it doesn't include iPhones. (Can't you imagine a lawyer choosing the word "server" because she thinks that the only servers are those systems in the data center.)