Your equipment is supplied by the lowest bidder.
Will they never learn? No, the act of learning requires a level of sentience above what what the bulk of humanity have evolved at this point in time.
A US IT security company says it found copies of the Conficker malware infecting police body cameras. Florida-based iPower reports that body cameras it received from supplier Martel Electronics were loaded with 2009's baddest botware. Researchers Jarrett Pavao and Charles Auchinleck found that when plugged into a PC, the …
I agree that it's probably better to always choose the second lowest, just to keep it honest. But I suspect the problem is lack of completeness in the specification. They probably forgot to specify that the cameras not have malware on them.
They probably forgot to specify that the cameras not have malware on them.
By your reasoning, it would be acceptable to package a USB mass storage stick with a USBKiller board built-in and sell it to in response to a tender for mass USB storage devices because the tender document forgot to include the sentence: "Must not cause damage to USB host"
No, I think the people purchasing these cameras have a reasonable expectation that the devices are not carriers of malware out-of-the-box.
They put trust in the supplier to provide fit-for-purpose equipment: the equipment in this case has been found to cause damage to the software on the computers they are plugged into making the machine they are plugged into, unfit for purpose. Such damage means the cameras may not safely be used and therefore makes them unfit for purpose.
Australian Consumer Law is very clear about this, pretty sure the US and UK have equivalents.
"pretty sure the US and UK have equivalents."
There's something about goods being "fit for purpose" and "of merchantable quality" (or similar) in UK consumer law.
NB *consumer* law.
Business to business transactions are not included. Businesses making purchases are expected to have more sense than consumers in general (or to pay someone who has more sense).
You are correct thet UK consumer law requires sold goods to be fit for purpose. But that does not necessarily cover purchass between businesses.
So you end up with contract clauses like: "The equipment shall be fit for purpose, including but not limited to being free from viruses...". It is impossible to explicitly mention everything.
WTF has that to do with police purchases? Consumer law only applies to purchases for private use.
The real fail here has been in the BOFHs who did not screen and check products before hooking them up to the corporate network....
Or maybe by your logic BOFHs should just sit back with their feet on their desks and wave the consumer law in the bosses face when the system gets a virus or something breaks.
Not my fault the system is infected: the computer company should have supplied computers with no malware on them.
Not my fault the backup is useless: the tape company should have supplied good tape.
Sorry, no. It's not just the lowest bidder. Blaming external factors is just the lazy way out.
Equipment can get infected somewhere along the manufacturing process, be that PCs from Dell, cameras, printers, ....
Any BOFH worth anything would be highly sceptical of new equipment. Don't trust anything. Even when a new type of equipment has been checked, do an audit on devices new and old once in a while.
For infected cameras to get deployed requires that far more than just the manufacturer has failed in their job.
Sorry, no. It's not just the lowest bidder.
I agree - it is much more of a systemic issue.Lots of the higher bidders will be cutting the same costs but just taking more profit out of the contract.
The problem (If you want to see it as one) is that the obligation to maximise shareholder profit will always ensure as many corners get cut as they can get away with. Lots of people even see this as the right thing to do and call it "efficiency."
Where it creates an issue is where the customer is unable to use market forces in retaliation (such as when the supplier has an effective monopoly or the customer doesnt have the ability to detect problems).
If they really cared, the police forces who had bought these crappy cameras would be terminating contracts and suing the suppliers for delivery of defective goods. Other forces would also join in and drop all their contracts and with a bit of luck they would go out of business because an exec decided that doing things properly was "too expensive."
However, in practicality, what tends to happen is the customer (in this case the police) use their own funds (in this case public funds) to fix the problem so the supplier can continue to drive nice profits.
"The problem (If you want to see it as one) is that the obligation to maximise shareholder profit will always ensure as many corners get cut as they can get away with. Lots of people even see this as the right thing to do and call it "efficiency.""
Can we please stop repeating this myth. There is no obligation to maximize profit, and even if there were, not cutting corners would be justifiable as profit exists in short and long terms. There might be a desire to maximize short-term profit, either on the management or shareholders' parts, but there is no such obligation.
A business can maximise shareholder value by either:-
a) cutting every corner, producing a crap product, look for a new sucker to buy each time
b) spending slightly more on the product, getting steady stream of repeat business from satisfied customers
While there are plenty of (a)s, there are quite a few (b)s too.
"There is no obligation to maximize profit, ..."
Traditionally, the onus to provide evidence falls on the person claiming existence, not absence, as it would be difficult for me to prove the lack of a law, except for quoting all law and saying look through it and you will see. Although someone else has helpfully provided a link.
There is no obligation to maximize profit, and even if there were, not cutting corners would be justifiable as profit exists in short and long terms. There might be a desire to maximize short-term profit, either on the management or shareholders' parts, but there is no such obligation.
This is just pointless semantics.
There may well be no legal obligation to maximise profits which can be defended in court as justification for action, but any company with publicly traded shares which says they are going to increase costs and reduce shareholder dividends will suffer.
The management responsible to the shareholders will feel an obligation even where one does not exist in law.
The shareholders, if they see profits dwindling away, will pretty soon take measures to change the management.
The overall effect is that as long as cutting corners gives MORE profits to the shareholders, and the repercussions are felt elsewhere (i.e. the public bail them out, pay to fix it or whatever), then the shareholders and management will be happy. Until the shareholders feel the pain of cutting corners, it wont ever be a problem for the management.
Arguing that the obligation is not written in corporate law seems a bit pointless.
Close but no cigar. Realtime Embedditis. Your equipment is built by an embedded engineer. Being lowest bidder has nothing to do with it.
1. OS is used with base build. No updates
2. No means to update it without breaking everything
3. Security means "PASSword" as password - no measures in terms of network security or threat mitigation.
4. You cannot add any extra protection as an afterthought because the app built by the person suffering from Realtime Embedditis takes on the CPU in single handed combat and owns it. It is proudly realtime though.
This is the type of people who build SCADA, smart metering and industrial automation today. These will be the people who will build the brave new world of connected everything and IOT tomorrow.
As you could have guessed I have worked with this type of individuals more than once. Every fecking time I wanted to embed the keyboard in their skull. They never learn. This is just one more example of that.
Sounds like its a windows-based worm, nothing to do with the camera firmware: when you plug the device in it serves up a mass-storage-class to allow transfer of files, that is the only reasonable thing to do. If the computer you plugged it into (at some point in the setup or testing process, presumably) is infected and chooses to save an infected file, then the device becomes a passive carrier of the worm.
It is even possible that the cameras became infected at the same time as their OS and app were installed: how can you blame the firmware in this case?
Yep, can't wait for the IoT to spread. Life will be sooo much simpler and safer, won't it? Won't it? Yeah, right.
On an unrelated note: "El Reg similarly tried to contact Martel, and though we were unable to get comment we can confirm the company's on-hold music to be relatively pleasant and inoffensive."
This is the sort of thing why I'm reading El Reg.
"Assuming that the current hype that is IoT becomes a thing"
IoT is already a thing and is already in widespread use. What's new is that marketing has made people like you partially aware of it. IoT is all around you in sensors on the Tube, automated electronic bus stop signs, smart thermostats, smart meters, cameras, pro sport recording/monitoring devices and many, many more. It's certainly set to grow as skills improve and more people are aware of the technology but it's most definitely already a thing.
> What's new is that marketing has made people like you partially aware of it. IoT is all around you in sensors on the Tube, automated electronic bus stop signs, smart thermostats, smart meters, cameras, pro sport recording/monitoring devices and many, many more.
I am fully aware of the myriad connected systems already in existence but thank you for the lecture. I am also aware of the fact that some of these have already been compromised. The point I intended to make was that the hype-driven push to get significantly more of these systems out and into ever more parts of our lives will provide ever wider and richer attack-vectors. This will attract more attention from professional miscreants looking to make money and will raise the level of malware innovation because a market will emerge.
My apologies if my original post led you to assume that I'm a numpty.
It won't be richer attack vectors, it'll be the army of "professional developers" employed to create new IoT solutions who'll use sample code rather than understanding. These will lead to the same old attack vectors like SQL injection where obvious security holes are copied and pasted to ever increasing numbers of devices. Unfortunately the people who know how to do this stuff securely are too few in number as is always the case in IT.
> '...lead to the same old attack vectors like SQL injection where obvious security holes are copied and pasted...'
Indubitably so but I suspect they'll also open up new ones too
> 'Unfortunately the people who know how to do this stuff securely are too few in number'
Well said and too true, and I suspect under resourced in the majority of organisations.
I'd also hazard a guess that many of these things will have on-board resources pared down to the minimum to keep costs down, making any overheads imposed by decent security a non-starter (imagine going to the bean counters and saying 'We need to double the cost of the boards to allow for extra processing for encyption' for example).
"imagine going to the bean counters and saying 'We need to double the cost of the boards to allow for extra processing for encryption'
Don't EVER "go" to the bean counters - or the managers - with something like this!. Send them an email, and keep a copy. They'll probably fire you all the same, but you could then take revenge or even make some bucks by blackmailing them afterwards. ;-)
Indeed, have had vague concerns since the first reports of state-sponsored SCADA hacks a few years back but now this stuff is being pushed into the consumer mainstream to the extent that early adopters feel the need to have a connected iKettle (really? Why?) I suspect this will become an increasingly entertaining field to watch (assuming that you haven't filled your life with random IoT tat, in which case replace 'entertaining' with 'scary').
Given the push for connected vehicles and recent issues with hacks accessing some critical vehicle systems over an unsecured canbus I think we're in for quite a ride (excuse the pun).
Back in the dark ages before the Internet, I was a tech writer at a company that was attempting to develop a smart house for consumer distribution (they eventually went bust because back then $500K houses were even less common than they are today, and at $15K just for a fully populated control box it probably wasn't making the upgrade list on anything cheaper than that). There are real problems trying to build a system that responds in real-time and remains price point competitive. IIRC our controller was going to use Intel 186 chips and had a specialized tiny os. The folks writing the design specifications manufacturers would be expected to use were writing for 4-bit and 8-bit processers with the expectation that in some instance no more than 4K or RAM would be available. At the time our PCs were running Windows 3.1.11 on I believe DOS 5.0. As the DTP specialist and CAD backup guy I had the pleasure of working on a 386 with maxed out RAM and dual monitor display (one was paper white for CAD). While I expect the names of the common components will have changed, I don't expect the disparity of capabilities between the PC and the embedded components have.
So I have a fair bit of sympathy for the engineers working on the embedded controllers. The people for whom I have no sympathy are snake oil salesman promoting them as the wave of the future.
Defense attorneys can use this to exclude such video evidence. Judges likely to agree.
Such a decision wouldn't make much sense from a technical point of view, but legal minds could easily decide to impose a minimum level of IT security standards on the evidence chain. Viruses in the body cam clearly fails to meet any such standard, so toss the video out of court.
This news item could have major implications.
Small careless, non-certified manufactures may be squeezed by bigger corporations that can deal with telephone book sized specifications, and certifications to endless standards.
How long until some well-funded agency actually does manufacture video evidence to frame up their selected target? It's so "unlikely" that it would work every single time.
I foresee quite a wave of this sort of thing as budget chinese makers encroach on the big brands.
My Elephone P8000 came with a custom launcher that b0rked it within 24 hours, but 48 hours later I'd managed to coax a reboot out of it and did a factory restore, replacing the launcher immediately. Fingers crossed the update I'm about to install won't restore the nasty.
An interesting insight and the link to the support forum made good reading: I assume the guy with no shift or punctuation keys on his keyboard is a company shill given his defensive proclamation: 'where are you getting your information from most of the virus protectors give false readings and so does other virus protectors for pc'?
Particularly ridiculous given that one of the complainers gave explicit evidence of skulduggery! (Hey, was that you? Well done! Give 'em hell!)
Perhaps the company needs a marketing tagline: 'The Elephone never forgets (to call home and get the latest malware)'
Well it wasn't me on the elephone forums but following the post I installed an update, still got Nova launcher on there after (quick fix, was rated good on a search, no time to play with a selection) and it seems its still there and stable after the update. Except I'm not sure the update actually applied, looking at the version number now its rebooted. Too tired and want to get drunk so I'm leaving that for now.
tl;dr Get a wileyfox Storm, save the hassles!
Biting the hand that feeds IT © 1998–2019