Web devs want to make the Internet of S**t worse. Much worse

Vendors including Google have spent a few years crafting an API they hope to push into browsers that will make this month's Internet of Things conflagrations pale by comparison. There's not been much noise about the Web Bluetooth API, and thankfully it's not yet accepted as a standard. It probably should never be one, if you …

  1. Ole Juul

    If this takes off

    There will be security conscious people looking for a Commodore 64 on Ebay.

    1. Triggerfish

      Re: If this takes off

      I'm thinking if you're technical you will be going crude in the future, y'know locks with real keys, dumb fridges, kettles whose only switch is on and off etc.

      1. Pen-y-gors

        Re: If this takes off

        @Triggerfish

        I'm thinking if you're technical you will be going crude in the future, y'know locks with real keys, dumb fridges, kettles whose only switch is on and off etc.

        You mean like I do now? I'm already suspicious with remote locking on the car, and don't get me started on pay-by-bonk...

        1. Triggerfish

          Re: If this takes off

          I agree, the thing is I think there is a boiling the frog effect going on with a lot of people. I commented on another thread about how I have techs here (I'm the least techy I'm more engineer turned PM and such, than a computer bod, the techs here have computer degrees, and Cisco quals etc), who absolutely have no qualms about Win 10 spyware (I have been accused of tinfoil hattery), or leaving themselves logged into Facebook and then commenting on how products they have browsed on their PC are now being advertised on their phones. Their response to these issues is mainly meh, or I just live with it. (Seriously even things like the Xbox app on Win 10 start menu being greyed out in add/remove programs - uninstall, five minutes Google for the PowerShell script sorted it FFS).

          There was a guy here who wants his Cisco security and his response to a conversation about IOT I brought up was I was worrying too much and it won't happen, non issue etc

          I genuinely think they have been trained by companies and the world around them that this is the new normal, and us older buggers are just paranoid.

          1. Doctor Syntax Silver badge

            Re: If this takes off

            "I genuinely think they have been trained by companies and the world around them that this is the new normal, and us older buggers are just paranoid."

            It's simply the old "experience is a dear teacher but there are those who will learn by no other". They'll learn. They'll also discover the truth of the complementary saying: "experience is something you need just before you get it".

            1. Anonymous Coward

              Re: If this takes off

              "It's simply the old "experience is a dear teacher but there are those who will learn by no other". They'll learn. They'll also discover the truth of the complementary saying: "experience is something you need just before you get it"."

              I can think of two COUNTER-sayings.

              One, "If there are those who will learn by no other, what happens when a situation requires prior knowledge to live through it?"

              Two, "What about those who don't get it even WITH experience?"

              1. Ken Hagan Gold badge

                Re: counter-sayings

                That's easy. Experience hands the case over to her husband, Mr Darwin.

              2. Doctor Syntax Silver badge

                Re: If this takes off

                One, "If there are those who will learn by no other, what happens when a situation requires prior knowledge to live through it?"

                Two, "What about those who don't get it even WITH experience?"

                They become examples for others to learn from.

                "Those who don't learn from history are condemned to repeat it."

          2. Wade Burchette

            Re: If this takes off

            "Their response to these issues is mainly meh, or I just live with it."

            I find that younger people with no experience or wisdom in life have the "so what?" attitude. Tell the same thing to an older person and you will get the exact opposite response. The younger generation has been conditioned to accept "free" content. They happily go to the street and protest a 3 letter organization tracking us while telling Facebook all about it.

            I started to word things differently. I started saying that large multi-billion dollar for-profit corporations have no business knowing anything about my personal life. Do you really think big businesses can be trusted with your personal information?

        2. Triggerfish

          Re: If this takes off

          RE the car one of our guys had his car robbed recently parked in Mayfair, BMW no smashed windows, when he went to the police they asked the model and said it would have been thieves who had cracked the remote locking system.

          1. Anonymous Coward

            Re: If this takes off

            >would have been thieves who had cracked the remote locking system.

            Most vehicles, not just BMW, are borked by the same flaw - also gates and doors etc with rolling codes. They just jam the receiver and copy the code sent by the fob - as long as the car etc doesn't receive the code, it can still be used.

    2. TheVogon

      Re: If this takes off

      "kettles, toasters"

      Just why??

      See https://www.youtube.com/watch?v=LRq_SAuQDec

  2. redpawn

    I've always dreamed

    of websites connecting to my TV and refrigerator. Think of the wonderful targeted ads based on the contents of the fridge and my viewing habits. Much better than Superfish. Keep up the good work. Waiting with bait like breath for the next great idea.

  3. Anonymous Coward

    I'm glad to be a curmudgeon.

    My desktop doesn't even have any wireless functionality at all, so good luck trying to turn on a BlueTooth antenna that doesn't exist. That plus the fact that I've only got a feature phone & have disabled the BT on it (don't need it, don't have any BT devices to pair to it), so even if I did have an antenna on the computer the only thing that might talk to it is intentionally deaf.

    If I had a laptop with BT I'd turn it off for the same reason as my phone, since I don't want to sync my laptop & phone, & it's much easier to plug in the USB3 crossover cable for data transfers that scream by at speeds unlikely to be reached over wifi. Oh wait, I don't have any wifi on the desktop either, so the desktop & the laptop couldn't communicate that way either.

    Damn I hate to be smug, but I'll bask in the glow of being a crotchety old fart for a change.

    *Moons the web devs*

    Kiss my wrinkly furry ass!

    =-)p

    1. John Brown (no body) Silver badge

      Re: I'm glad to be a curmudgeon.

      "My desktop doesn't even have any wireless functionality at all, so good luck trying to turn on a BlueTooth antenna that doesn't exist."

      It seems to me that most of the general computer using population at home these days are on laptops and tablets. And from what we see and hear about average mobile phone users, all the wireless options are on by default to connect to whatever source they happen to be near at the time. I bet most of them have barely even registered the fact most if not all laptops have Bluetooth, never mind how to switch it off.

      Of course, Bluetooth isn't a huge target for hackers because of the proximity requirements, but if a Bluetooth Web API goes ahead, suddenly it becomes immensely more attractive if you can hack someone's phone from the other side of the world just by scanning for vulnerable PCs or infecting popular websites.

  4. FF22

    Wrong

    Author is simply wrong. Why? Just think about it!

    You want to use Bluetooth - for whatever reason. If you can't use/access it from your web browser, then you will have to download a native app for that. Native apps have obviously far less restrictions applied to them, than anything running inside a web browser, right? Right.

    So, providing access to Bluetooth from the web browser, too, obviously can not make things any worse than they are. Actually, on the contrary: it provides a more secure environment for running Bluetooth-based apps, than that was previously available. With this, you don't have to download and install an app for that purpose any more, but can use your far more secure and restricted browser environment to do some things over Bluetooth.

    And don't even get me started about how obviously there will be tons of security prompts in the browser before any web site or app can actually access the Bluetooth API or transfer any data from or to a Bluetooth device.

    So, then what exactly is your problem with it? Besides your limited understanding of the browser, the web and security, that is.

    1. Kernel

      Re: Wrong

      You forgot the Joke Alert icon - I hope.

      1. FF22

        Re: Wrong

        You "forgot" to supply any counterarguments.

    2. m0rt

      Re: Wrong

      "Author is simply wrong. Why? Just think about it!"

      Ok, first off you make a very bold, decisive statement. So we are going to look at your following comments with interest.

      "You want to use Bluetooth - for whatever reason. If you can't use/access it from your web browser, then you will have to download a native app for that. Native apps have obviously far less restrictions applied to them, than anything running inside a web browser, right? Right."

      Straight away you assume that Bluetooth is being used for applications. There are other reasons why bluetooth will be on. Silly mac wireless keyboards, for example. In car connectivity. Bluetooth being on doesn't mean that there is an 'app' need/want.

      "So, providing access to Bluetooth from the web browser, too, obviously can not make things any worse than they are. Actually, on the contrary: it provides a more secure environment for running Bluetooth-based apps, than that was previously available. With this, you don't have to download and install an app for that purpose any more, but can use your far more secure and restricted browser environment to do some things over Bluetooth."

      Ok...so with all the current insecurities doing the rounds, opening up an attack vector that crosses strewn with malware web, with items that you previously didn't contaminate, possibly, in some cases have nothing to do with the actual web. Look up bluetooth and medical devices.

      "And don't even get me started about how obviously there will be tons of security prompts in the browser before any web site or app can actually access the Bluetooth API or transfer any data from or to a Bluetooth device."

      Ahh yes. And those security prompts will always be there? Because of, you know, no exploited bugs, malware being present. (Imagine - a world without spam! I want this utopia.)

      "So, then what exactly is your problem with it? Besides your limited understanding of the browser, the web and security, that is."

      I think the author was pretty clear what his problem was.

      For the record I also think the author was wrong to approach this in a journalistic fashion, (ok, there is a little bit of the 'Sun what done it' in it but hey. )

      He should have just stated 'This is fucking ludicrous.' and left it at that.

      1. FF22

        Re: Wrong

        "Straight away you assume that Bluetooth is being used for applications"

        I did nothing alike. Not that assuming it would have been wrong. Just sayin'.

        "Ok...so with all the current insecurities doing the rounds, opening up an attack vector that crosses strewn with malware web"

        Over your head. My whole point was that with some or most Bluetooth access potentially moved to the browser the overall attack surface will be reduced, because now you won't need to download and install native apps permanently anymore for a lot of Bluetooth-related stuff, but can simply run them on-demand from the much safer browser environment.

        "Ahh yes. And those security prompts will always be there? Because of, you know, no exploited bugs, malware being present. "

        There might be bugs and exploits, but they will be definitely less available from a browser environment, than they were from the native environment. So, all in all - as already explained - the attack surface and the risks will be reduced, even then when there will be some new exploits and bugs introduced.

        "I think the author was pretty clear what his problem was."

        You're obviously confusing two things here. Being clear about something doesn't mean being right about it. I've questioned the latter, and you're talking about the former.

        1. frank ly

          Re: Wrong

          "There might be bugs and exploits, but they will be definitely less available from a browser environment, than they were from the native environment."

          A native application can be 'bad' of course but that's always been the case and some effort has to be made at each PC to get it installed.

          For the browser, if it has a bluetooth API, that's a whole new class of malware vectors that can be installed on a webserver. That can be done by an evil webmaster or a hacker contaminating a webserver. A victim could be exposed by following interesting links in innocent webpages, as we all do. If a website is known and proven to be 'innocent' and you use it, it could be compromised in the future, etc, etc.

          1. Swarthy
            Mushroom

            Re: Wrong

            You thought those Flash ads auto-playing videos was bad, wait until the advertisers can ping your phone/fitbit/watch.

            1) Tracking by devices - Ghost/Privacy mode won't help, They could ID your device and ID you at any machine, no FB login, no cookies required.

            2) Ad now plays on your phone/BT speakers - across the room so you have to get up to make it shut up.

            3) Malvertisements can now connect to your phone, send a subscribe text to a premium-rate "service" and you are a proud member of the £24.99/month Flagellation Of The Day message service.

            3a) Malvertises can call premium rate numbers - £5.99/minute (or part thereof) - Dial, connect, hang up, repeat, all of the audio cues happen over BT this can go on for as long as you have that tab/window open (unless something gets borked in the implementation and closing the tab/window doesn't close the BT connection) and you may have no idea.

            This is a very bad idea.


        2. Doctor Syntax Silver badge

          Re: Wrong

          "Straight away you assume that Bluetooth is being used for applications"

          I did nothing alike. Not that assuming it would have been wrong. Just sayin'.

          "Ok...so with all the current insecurities doing the rounds, opening up an attack vector that crosses strewn with malware web"

          Over your head. My whole point was that with some or most Bluetooth access potentially moved to the browser the overall attack surface will be reduced, because now you won't need to download and install native apps permanently anymore for a lot of Bluetooth-related stuff, but can simply run them on-demand from the much safer browser environment.

          So the second bit I've emphasised is saying that with Bluetooth in the browser you won't need to download the apps that, in the first bit I've emphasised, you're denying were being used without Bluetooth in the browser? Somehow I don't think you've got your own head round your own arguments. Maybe that's why the rest of us have problems with them.

        3. Anonymous Coward

          @FF22

          You truly are the epitome of the current generation of morons who believe they're technical but don't have the first fucking clue. You shouldn't be let anywhere near any a computer except under supervision of a competent adult.

    3. Christian Berger

      Re: Wrong

      Well unfortunately browser sandboxes aren't any more secure than any other kind of sandbox. For most users they don't protect anything as most things are happening in the browser anyhow.

      Yes, native apps are a problem, but since people are aware that those are shit, people might stop buying shitty devices that don't adhere to simple public protocols.

      1. Anonymous Coward

        Re: Wrong

        No, native applications aren't shit by default (they could be, of course). The problem with a browser is it became a generic host for code downloaded from remote mostly each time - and also too often that code includes third party code got without much control just to make money.

        Users have much more control upon native applications than web ones.

    4. Filippo Silver badge

      Re: Wrong

      There is a much higher barrier to installing an application compared to visiting a web page. Most people still wrongly assume that websites are always innocuous. If a moderately competent user installs an application, it will be from a reasonably trusted source - the manufacturer's website, or the CD that comes with the gizmo. Yes, it is possible to get users to install malware; doing so is not nearly as easy as getting them to visit a malicious website.

      Also, the fact that data from the device has to go through the Internet rather than just to the app opens up all sorts of additional attacks; MITM, etc. Finally, the fact that even when everything is working as intended, the data has to go to the manufacturer's cloud has awful implications. I really don't see why Google needs to know how I set my thermostat, and I really don't want it to stop working because my Internet connection is down.

    5. Anonymous Coward

      Re: Wrong

      Can I have some of what you're smoking, it seems very strong indeed

    6. bombastic bob Silver badge
      Flame

      Re: Wrong

      "If you can't use/access it from your web browser, then you will have to download a native app for that."

      so: PART of the fix is some _REAL_ security on the IoT device end, to _PREVENT_ unauthorized bluetooth-level access from an unauthorized client, PARTICULARLY a web browser running javascript exploit code downloaded from an infected embedded advertisement...

      (or whatever)

      seeing as I'm involved directly with TWO different bluetooth applications that run on android, and the device(s) that the android device controls, it's a major concern.

      I can foresee unauthorized firmware loads happening... so THAT much has to be protected against.

  5. Steven Roper

    "Imagine a world where every web site can connect to devices near you – or on you."

    Shudder. When I imagined that, my instinctive response was: There's a small cave up in the hills not far from my parents' place. I'm seriously thinking of taking up permanent residence in it.

    1. Anonymous Coward

      "Shudder. When I imagined that, my instinctive response was: There's a small cave up in the hills not far from my parents' place. I'm seriously thinking of taking up permanent residence in it."

      I thought of that, too. Then I remembered modern ground surveillance satellites can be equipped with infrared cameras...

    2. Anonymous Coward

      Good thought. Put the tea on, we'll pop over later.

  6. Triggerfish

    Why the F...

    Do I need a bluetooth kettle and toaster anyway?

    1. Neil Barnes Silver badge

      Re: Why the F...

      My toaster died yesterday.

      I hit it. Hard.

      Now it works again. I bet there isn't a bluetooth API for that...

      I'm constantly baffled by people coming up with IoT solutions for problems that simply don't exist, and that in the vast majority of cases have simple, effective, debugged, and secure solutions already - like, er, physical keys, physical switches, thermostats...

      1. Pen-y-gors

        Re: Why the F...

        @Neil Barnes

        thermostats

        With winter coming, I tried to switch the heating on. No joy. Thermostat was correctly set - but the batteries had gone flat! (admittedly after about six years, show me a Li-Ion that can do that!) - I think I need something even lower-tech - light up the wood-burner?

      2. Sgt_Oddball
        Flame

        Re: Why the F...

        Surely the talkie toaster™ should have been warning enough, especially what happens to it. Twice....

        Yes it's a work of sci-fi but that's where this is going.

        On a side note, the people that thought of this stuff were never around public spaces when bluetooth first came onto the market and had no authentication at all - cue childish pranks involving sending rude pictures to unsuspecting yuppies in train stations just to see who looked at their phones and pulled an odd face.

        Now that was just at a local level.....

    2. Michael Thibault

      Re: Why the F...

      Is there an IoT gubbins that is better than a Leatherman? An SAK? Ha! Thought not.

      I'm fairly certain I've come across a beer mug that could be used wirelessly with an associated app. Didn't look into it,--as the thing seemed to be made of plastic, and I'd never drink from it,--but it may have been connecting 'wirelessly' some other way... The point of it eludes me. Anyway, what I'm wondering is: how bad, or absurd, does IoT get?

      1. Pen-y-gors

        Re: Why the F...

        @Michael Thibault

        Anyway, what I'm wondering is: how bad, or absurd, does IoT get?

        I think we can be confident that we have a long way to go yet on the bad and absurd scale.

        But on the bright side, they won't last for ever (see recent report on 50% drop in sales of iWatches), then we can crawl out of our caves, blink in the sunlight, and take our rightful places as rulers of a newly-analogue world.

    3. Christian Berger

      Even if I wanted...

      I'd rather want one that speaks WIFI as that would reach through the access point from my kitchen to where I want to know its status.

      We live in a world where even single chip WIFI solutions have enough horsepower to provide a simple webserver you can talk to directly with your browser.

    4. BongoJoe

      Re: Why the F...

      Quite.

      Sends message to toaster: makeToast TWO_SLICES, LIGHT_MEDIUM_BROWN

      Error message received: ERROR_BREAD_STILL_IN_BAG

      So unless I want dried bread being toasted and left hanging above the toaster over night and folding over so it won't go in automatically when the toaster starts, it's best that I do it myself. Manually.

      Unless of course I get a toaster which has a magazine for bread above and which keeps the flies off then this isn't going to work and I am going to have a massive ugly hunk of metal/plastic in my kitchen.

      And since toast takes about a minute to make; you know the amount of time it takes to locate a plate, a knife, butter and spread of choice then there is no reason to have this automated because one has to be there to eat it still warm.

      Idiot idea.

      1. Triggerfish

        Re: Why the F...

        I am not one for wearing a hairshirt for environmentalism, while still thinking it's a good idea we use a bit less energy etc, so in this time when we are supposed to be worrying about energy usage to some degree, why the hell are we also making devices that suck more power, especially when you are going to hit the ERROR_BREAD_STILL_IN_BAG / WATER_STILL_IN TAP problem as well?

        Also occasionally standing up and moving could be a good thing for you.

        1. Anonymous Coward

          Re: Why the F...

          "Also occasionally standing up and moving could be a good thing for you."

          Unless, of course, you trip on the camouflaged toy your kid/pet left on the floor and end up getting your throat impaled on the spiky toy just ahead. Given all the risks of moving versus not moving, I'd rather move only when I absolutely HAVE to.

        2. Vic

          Re: Why the F...

          Also occasionally standing up and moving could be a good thing for you.

          There's a nice article on that very subject here.

          Vic.

      2. John Brown (no body) Silver badge

        Re: Why the F...

        "Unless of course I get a toaster which has a magazine for bread above and which keeps the flies off then this isn't going to work and I am going to have a massive ugly hunk of metal/plastic in my kitchen."

        The new HP Toaster.

        Only £5.99 comes with a "starter" cartridge of bread ready for toasting.

        We do not recommend re-filling the bread cartridges with non-HP bread or using non-HP branded cartridges (they won't work anyway, we'll just change the firmware DRM the next time you visit a page on your bluetooth enabled laptop/browser)

        Replace HP bread cartridges are available for the low, low price of £29.99 and can make up to 20 pieces of toast.

        (Please note the cartridge expiry dates. For your safety, cartridges inserted after the expiry date will not work. Also note that the HP Toaster self cleaning process will automatically run after each use or every 24 hours if not used and this may use up to two slices of bread per process.)

  7. Christian Berger

    Of course Mozilla will implement it

    They have a tack record of implementing and backing every bad idea. APIs like this one (or the USB one, or just about any that came out in recent years) make browsers more complex so it's harder if not even impossible to fork your own browser engine or even write one from scratch.

    This keeps the browser market in an oligopoly, something all players there can live with. For them it's good, for the user it's bad... but nobody cares about those anyhow.

    As always, more complexity will mean more bugs and therefore more security problems.

    1. Doctor Syntax Silver badge

      Re: Of course Mozilla will implement it

      "They have a tack record of implementing and backing every bad idea."

      Nice Freudian slip there, Christian. Tack as in tacky. Spot on.

    2. Ken Hagan Gold badge

      Re: Of course Mozilla will implement it

      Rather more likely that Chrome will implement it, since Google are pushing it, and almost certain that Chrome won't make it easy (or perhaps even possible) to disable it.

      This whole thing sounds about as well thought out as UPnP or even ActiveX. Both of those were bad ideas and their badness was clearly explained at the time, ignored, and then borne out by bitter experience. However, they remain in modern products for the sake of backwards compatibility. I suppose a bright young thing with *no fucking clue* about the history might see them there and think "Oh, we could do something like that for IoT...".

  8. Novex
    Facepalm

    Security First

    Jeez. Just how long will it be, and how much pain do we have to go through, before the companies that make any kind of coded kit, from toasters to PCs, realize that the first action in any code is to make it secure? It seems probably never in the case of when, and not even when the pain kills the patient in the case of what has to happen.

    1. Charles 9
      FAIL

      Re: Security First

      "Jeez. Just how long will it be, and how much pain do we have to go through, before the companies that make any kind of coded kit, from toasters to PCs, realize that the first action in any code is to make it secure? It seems probably never in the case of when, and not even when the pain kills the patient in the case of what has to happen."

      In most spheres, security doesn't sell because it gets in the way of getting the job done, which is the first and foremost requirement of ANYTHING. You buy things to get jobs done; if not, you're throwing money away. Security first can ONLY come if a Machiavellian Prince with some scruples takes over the world and demands it with extreme penalties for noncompliance. Otherwise, sovereignty, competition, and overall human stupidity will ensure it'll never happen.

      1. Doctor Syntax Silver badge

        Re: Security First

        "Security first can ONLY come if a Machiavellian Prince with some scruples takes over the world and demands it with extreme penalties for noncompliance. Otherwise, sovereignty, competition, and overall human stupidity will ensure it'll never happen."

        Nope. There's nothing Machiavellian about all the existing regulation that ensures that it's illegal to sell vehicles that fail adequate safety standards, children's toys with lead paint, electrical items without adequate insulation etc.

        It simply required legislators to see the need for them and use their sovereignty to require stuff sold in their own market places to be safe. They'll get the message here as well. It might take them longer because the TLAs have vested interests. Also it won't stop the Del-boys trying to get round regulation but that's what Trading Standards are there for. Eventually the mainstream market will supply devices with adequate security.

        You might reasonably reply that the rise of market places such as eBay makes it possible for the Del-boys to sell non-conforming items. Yes it will; it also makes it possible for other safety regulation to be by-passed. It's another thing for legislation to catch up with. It's not an entirely separate issue but it's one which will get tackled in due course.

        1. Charles 9

          Re: Security First

          "You might reasonably reply that the rise of market places such as eBay makes it possible for the Del-boys to sell non-conforming items. Yes it will; it also makes it possible for other safety regulation to be by-passed. It's another thing for legislation to catch up with. It's not an entirely separate issue but it's one which will get tackled in due course."

          No, because the gray market by definition goes AROUND regulation, any and all. You ADD regulations, they just go AROUND them, usually by a direct shipment which is easy to do with something this small, unlike larger things like cars. Do they really, REALLY inspect every single little parcel at EVERY port of entry? It's a lot like the drug wars. If people want them badly enough, they'll find ways to get it in spite of God, Man, or the Devil. You have to either fix the source or fix the destination. Sovereignty prevents you fixing the source and stupidity prevents you fixing the destination. It's times like this that you have to wonder if this is the right battle.

        2. Kiwi

          Re: Security First

          Nope. There's nothing Machiavellian about all the existing regulation that ensures that it's illegal to sell vehicles that fail adequate safety standards, children's toys with lead paint, electrical items without adequate insulation etc.

          Number of people killed or seriously harmed as a direct result of faulty vehicles - High, resulting in increasing safety standards and technology.

          Number of people killed or seriously harmed as a direct result of exposure to lead-based paints : High, resulting in (once it was proven to be harmful) the removal of lead-based paints.

          Number of people killed or seriously harmed as a direct result of electrical items without adequate insulation : High, resulting in tighter standards and so on.

          Number of people killed or seriously harmed as a direct result of hacked routers etc? 0. Resulting in who-gives-a-fuck levels of standards. Sure a few people might've harmed themselves or had a medical event as an indirect result of losing money/having secrets exposed and so on, but they're not direct results of things.

          And since we're talking security, think of the security on your car. I could have your car open in only a couple of seconds if I didn't care about keeping things tidy - smash window, grab inside handle, done. With all but the few models that have those electronic keys and ignition locks, it's fairly trivial to use an alternative to a key, something that also can be fairly quick. Oh, that's if the manufacturer made more than a few dozen keys. I have a common early 90's car, and a couple others I know use the same key (or the keys are close enough/locks worn enough). When it comes to security, cars are a really bad analogy.

          It simply required legislators to see the need for them and use their sovereignty to require stuff sold in their own market places to be safe.

          They do. Only, "safe" means "actually hurts people", not "might cause someone's network to slow down" (we're talking legislators here, people who sometimes surprise me that they have enough brain function for autonomic processes (eg breathing) to still function). They're not likely to care, and as has been stated elsewhere many people will simply buy "cheap not-quite-standard" over "expensive but standard" from "here today, gone tomorrow" corp.

  9. allthecoolshortnamesweretaken

    How long until we go back to dedicated land lines for the important stuff?

    1. Anonymous Coward

      Some of us never left them.

      1. Anonymous Coward

        I thought most of them got thrown out when the lines were re-purposed for DSL and the like... Anyway, leased lines can still be tapped...

  10. Anonymous Coward

    Once the browser was a portal to the world...

    ... now it's a portal to you and your data.

    No surprise Google is behind such a stupid idea. Maybe there's now really a market for a true "browser" that doesn't do anything stupid, unsafe and not secure.

    1. Anonymous Coward

      Re: Once the browser was a portal to the world...

      "...stupid, unsafe and not secure"

      Such a program wouldn't be a browser anymore. Because ANYTHING we do is one or more of the three. It's part of life itself.

    2. HAL-9000

      Re: Once the browser was a portal to the world...

      perhaps http://lynx.invisible-island.net/ is what you're after

  11. Chris Stephens

    OMG Richard, You're my hero.. Keep these stories coming. Our only hope is the press making light of this Shit. I do want to point out tho that this same issue of poor coding, crappy foresight and asinine product planning is present to some degree in almost every consumer device today. If it's destined for a consumer, there is zero doubt it's got serious security bugs that allow the device to be taken over. As just one example, BluRay players all have some old horribly outdated and never updated Java in them. https://en.wikipedia.org/wiki/BD-J

    We need to not only address the IoS we need to address ALL of consumer electronics.

    A UL for software needs to occur. We need to give software the same legal status as hardware and allow software companies to be sued. No more 50 page disclaimers. Software needs the same legal status as any hardware device, like a car.

    1. Charles 9

      "A UL for software needs to occur. We need to give software the same legal status as hardware and allow software companies to be sued. No more 50 page disclaimers. Software needs the same legal status as any hardware device, like a car."

      How do you deal with the China angle, though? China has sovereignty, and most of the devices come through gray markets where regulation doesn't really exist.

      1. Doctor Syntax Silver badge

        "China has sovereignty"

        Yes it does. In China. UK, the EU, the US, the UNameit aren't China. Our own governments have their own sovereignty to set regulations on what can be legally sold in their own jurisdictions. Regulation is the first step to actually dealing with gray markets.

        1. Charles 9

          No, gray markets go AROUND regulations by cutting out the middlemen like customs. How can products be regulated when not even the government knows they're coming in? The only way to tackle the gray market is at the source, but the source isn't cooperating. It's like the drug wars.

          1. Doctor Syntax Silver badge

            "No, gray markets go AROUND regulations by cutting out the middlemen like customs."

            Actually they can't treat customs as middlemen. You buy something from eBay from an overseas vendor, customs may open it, apply duty, forward it by an agent who collects the duty (assuming it was a legitimate item) and then charges you for the duty and their services. I've had it happen.

            Roll this forward. Regulation comes into play.

            Customs peruse eBay/Amazon/whoever for stuff that looks as if it might not comply and make a few trial purchases. If it's a vendor with a UK address, even if the stuff is posted direct from China the UK vendor gets prosecuted. For the rest eBay/Amazon/whoever get an offer they can't refuse and simply stop advertising the stuff.

            Regulation enables enforcement. Enforcement might never be 100% but between direct enforcement and deterrence it can provide a good enough control.

            1. Charles 9

              "Customs peruse eBay/Amazon/whoever for stuff that looks as if it might not comply and make a few trial purchases. If it's a vendor with a UK address, even if the stuff is posted direct from China the UK vendor gets prosecuted. For the rest eBay/Amazon/whoever get an offer they can't refuse and simply stop advertising the stuff."

              And if the vendor ITSELF is from outside enforceable reach, like Alibaba which is itself based in China? As for the eBay stuff, odds are the sellers can go fly-by-night and disappear before enforcement can come at them, not to mention eBay and the like are MULTInational so are hard to really pin down as their operations can shift; like I said, they and China can play sovereignty against tight governments. That's also how taxes are dodged and why big oil companies tend to get favors. Few things get a government's attention like a big firm threatening to pull up stakes and take their business (and tax revenues) out of their reach.

        2. Kiwi

          "China has sovereignty"

          "Yes it does. In China. UK, the EU, the US, the UNameit aren't China. Our own governments have their own sovereignty to set regulations on what can be legally sold in their own jurisdictions. Regulation is the first step to actually dealing with gray markets."

          And when the public finds out that such legislation would mean the prices of stuff take a huge hike, probably several thousand %? That the IoT enabled shit they're demanding goes from stupidly cheap to ridiculously expensive?

          Much as I would like things to be a lot more secure, there's a lot of issues around supply/demand and so on.

          (Oh, and another point on legislation - if TPP passes, any country that's signed up to that won't be able to legislate in such a way from what little I know of it!)

  12. enormous c word

    No thank you..

    How will connecting my Web Browser to every device in my home improve my life exactly?

    Encasing my fridge / kettle / alarm clock / oven / washing machine with aluminium foil will be extremely inconvenient.

  13. Anonymous Coward

    I don't need no complex explanation...

    If Google are pushing it, I don't want it.

  14. Jason Bloomberg Silver badge
    Coat

    Internet of Shit

    Language like that, the unwillingness to acknowledge that there is more to IoT beyond pointless connected toasters and fridges, the baying anti-IoT mob and down-voting of anyone who may dare suggest otherwise, is having a chilling effect on rational discussion of IoT.

    Much of what is being railed against isn't even IoT but simply remote control and browser-based access.

    Out in the real world there are many devices which have only a Bluetooth connection, and one needs to use Bluetooth to interact with them. Users want a simple means to do that and a browser-based mechanism which is platform and architecture independent suits them and manufacturers.

    Google Chrome already supports a Bluetooth API and it is proving popular, Mozilla are having to play catch-up to stop users moving to Chrome to use that. There are issues which need to be debated and resolved but 'it's a steaming pile of shit' and 'burn it down' is not the right approach.

    Don't like it, can't see the point; fair enough, but there are plenty of people who not only like it but want it. They aren't going to listen to those who simply appear to be luddites or a pitchfork and torch carrying mob.

    1. nematoad

      Re: Internet of Shit

      Methinks you do protest too much.

      People have differing views on trading their personal data for convenience.

      That's up to them but a lot of shall we call them "IT savvy folk"? are worried about such things. After all if there's a way to make money out of abusing such systems you can bet your life that someone will abuse them. Calling them names does not make the problems they perceive go away but just antagonises them.

      Don't confuse popular with good. Just because Chrome offers such a facility does not make it safe or secure. Lots of people lack the knowledge to know when they are being exposed to risks in this way and accept the feature without thinking about the possible side effects. That's not to condemn them; they just don't know of the risks.

      Finally the manufacturers are adding to the bad name the IoT is getting. By throwing everything at the wall and seeing what sticks does raise questions as to what they were smoking. Internet connected kettles, light bulbs and so on do raise more than a few eyebrows and given the threat from IoT sourced DDoS botnets the reputation of the IoT will only get worse.

    2. Steven Roper

      Re: Internet of Shit

      The reason we are up in arms about the IoT is because we've had enough life experience to know that every time something is pushed on the public with the zeal and fervour that the IoT is, two things are true:

      1. There's a nefarious purpose behind the apparent usefulness, in the case of IoT the level of surveillance and profiling it will enable; and

      2. In order to push the thing on the public, the thing it's replacing will be made obsolete and unavailable in order to deny consumers the choice and force the new thing on everyone. In this case that means that soon, "non-smart" devices will become increasingly difficult, and eventually impossible, to obtain.

      It is this lack of choice that will inevitably be imposed on us that we are up in arms about. If we could be sure that manufacturers will indefinitely continue to sell "non-smart" light bulbs, toasters, TVs, fridges and cars, we'd likely still reject the idea but if people wanted to use it that's their lookout. But we all know that won't happen. What will happen is that one day, we'll go to the shop to buy a light bulb and only the "smart" ones will be available - and trying to run it without a connection to the net will simply result in it not working, thus forcing us to adopt the invasive tech, or go back to using candles.

      It is this forcing of the technology, the inevitable denial of choice, based on repeated past experience of similar things being foisted on the public, that is why so many people here are so fervently opposed to it.

    3. HAL-9000

      Re: Internet of Shit

      that's right bugger off, and take your silly coat with you too

  15. Bronek Kozicki

    "... the geniuses pushing ideas like this could spend their time fixing the mess they've already helped to create"

    I'd like to suggest that they have no intellectual capacity for constructive work, because if they did then this article would have belonged to an alternative universe. Sadly it does not.

    1. Charles 9

      I'D like to suggest that, to them, it's not a mess; it's the desired result. It's also the human condition; you versus the neighbors. And unless you want to go back to hairshirts, making everything you need from scratch, no electricity or running water and life expectancies under 50, you pretty much have to bend over.

      1. Doctor Syntax Silver badge

        "life expectancies under 50"

        Increased profits by mixing foodstuffs with non-nutritive and sometimes toxic adulterants was a desired result of Victorian grocers.

        Ready access to water was a desired result of a public pump in the middle of Soho.

        Brightly coloured walls were the desired result of arsenic-based pigments in wall-paper.

        Eliminating these and other desired results during the course of over a century and a half is what's lifted life expectancies over 50.

        1. Charles 9

          You forget the times BEFORE that, where industrial pigments and sanitation weren't so abundant, plus most people grew their own food or bartered from the neighbors who also grew them. As I recall, back then life expectancies STILL weren't over 50.

  16. Bronek Kozicki
    Trollface

    @Charles 9 if I am not mistaken, you are comparing things such as modern medicine, housing or sanitation with the IoT. This is a hilarious comparison, hope you get it.

    1. Charles 9

      Yes, I do get it. What I'm saying is that the big big plan is to make it so that modern society comes part and parcel with Big Brother via the backdoor. How will you buy a dumb TV, for example, when there aren't any left because TV standards will REQUIRE an interactive TV just to pick up the channels? You can't use analog TVs by themselves anymore because all channels are digital, for example. That's just the first step.

      And it'll apply to all appliances soon, using powerline networking or whispernets if need be to get around anything cleverdicks/smartypants try to block the networking (and using suicide circuits to break the devices if you try to kill the radio chips).

  17. Lee D Silver badge

    See that box?

    The one that says "Disable <random new technology of the moment>"? Yeah, most of the time I tick that box the second it's introduced and never untick it ever again.

    Popups.

    Plugins.

    Autoplay Video

    WebGL

    Webcam and microphone access

    You name it, I'll disable it, thanks.

    1. Charles 9

      "You name it, I'll disable it, thanks."

      Pretty soon, most of the web will REQUIRE it just to run, in which case you'll have a decision to make. Bend over or go back to the Sears catalog (as in abandon the Internet altogether)?

  18. Anonymous Coward

    Well, what's the alternative? The user downloads a binary and runs as administrator.

    1. Ken Hagan Gold badge

      Re: Well, what's the alternative?

      The alternative is that the user decides it isn't such a good idea to let every burglar and pervert on the planet hack into their home security cameras, mobile phones, internet banking ...

      It seems we are in something of a transitional phase. Society is happily reading stories about "celebs" getting hacked and their nude selfies posted everywhere, and outraged reading stories about "the great and the good" getting hacked and shown to be neither. However, it hasn't yet penetrated people's consciousness that *they* are using exactly the same technology and living the same sorts of lifestyles.

      "But I'm not a celeb, or great, or good." It doesn't matter. There is also a steady stream of stories about ordinary people being horrible to other ordinary people. We seem to enjoy reading those as well, without making the connection to our own lives. We all have friends and enemies, people we'd like to know more about but who aren't telling, people who'd like to know more about us but we aren't telling.

      It really is only a matter of time before *someone* is motivated to point the hacking tools at you.

  19. Androgynous Cupboard Silver badge

    A different point of view

    I've developed a small piece of hardware with serial comms (via bluetooth, but not directly using the bluetooth API) and built a UI for it as a Chrome App. It's a great approach - I've done plenty of Swing but wanted something that's easier to distribute (check), quick to prototype (check), leverages a technology I'm familiar with (HTML/CSS/JS, check), portable across platforms (check). Frankly it's a great solution.

    Except Google have announced they're dropping Chrome Apps, and there's no replacement. They're trying to push this Bluetooth API as a replacement, and if it came off it could have been a partial solution, although it's too far off for me to make use of it. The point is it's a very useful thing to have in the toolbox.

    Yes, there are obvious security concerns, just as there are with DOM extensions for microphone access and videocamera access (WebRTC, already a part of many browsers), geolocation (same), and the various other things that need to do more than display a flat page, tasks which are currently confined to Flash or Applets.

    But I don't see you lot bleating about that do I? What a bunch of whining jessies (last bit because I'm going to get downvoted, so I may as well deserve it)

    1. Jason Bloomberg Silver badge

      Re: A different point of view

      "Except Google have announced they're dropping Chrome Apps, and there's no replacement."

      Check out NW.js (formerly node-webkit) -

      http://nwjs.io/blog/chrome-apps-support

    2. Ken Hagan Gold badge

      Re: A different point of view

      "But I don't see you lot bleating about that do I?"

      I think you do, at least on this site, and there is a steady stream of stories about the ways in which these things have been abused. Nevertheless, I think this particular API merits additional abuse because it provides a bridge from a malicious web-site to any bluetooth-enabled device that you own. Most device designers will have designed their BT interfaces on an assumption that the client is both local and has been explicitly trusted by the device owner. Providing a bridge to hostile clients in a different legal jurisdiction probably isn't a smart idea. Most end-users won't understand that this is being done, won't understand the risks, and won't even be warned unless browsers break with tradition and launch a shiny new feature as off-by-default.

      "What a bunch of whining jessies "

      You appear to have missed some punctuation there. Consider yourself whined at.
