It's clear from the information shown so far that these IOT locks aren't compatible at all with multipoint lock systems. Which means to install one you'd basically have to replace the door - to get worse security.
338 posts • joined 22 Mar 2010
Re: Lock makers that you can trust?
This lock isn't compatible with modern doors like that - only old style wooden doors.
Not that this is likely to be a problem because google don't sell it in the UK or even appear to have any plans to (something that the register completely forgot to mention for some reason).
Trustico execute commands typed into a URL as root.
The incompetence knows no bounds.
With any luck their currently down site will stay down permanently.
Re: Nest's smartphone app really is the best
You'd be surprised - the alarm I ripped out when it broke is still a current model, was 3 years old when I disposed of it.
Not an IC on it.. all transistor based, so it was about 5 times the size it should be about 12" by 8".. I doubt the design has changed since the 1980s.
Replaced with an ESP8266 that does the same job in a 1.5 inch square piece of silicon (and gives me wireless status as well plus remote arming if I'm in wifi range).
Wait.. no connection to a siren? WTF is the point in an alarm you can only hear from *inside* the house?
I presume it has battery backup just not mentioned. It's trivial to add and would be bloody stupid without it..
Re: here's a vendor which is not vulnerable to either attack
It does that by not supporting speculative branching at all.
So it's merely too crap to run spectre..
Re: List of CPUs affected?
Presently it's assumed to be all intel CPUs, with newer ones (<2 years) having extra instructions that drop the hit on benchmarks to 'only' 30%.
Windows 7 is on extended support, so should get a patch, but that's up to microsoft.
Technically it wasn't designed 'these days'. Diameter (RFC3588) dates from 2003. Which probably makes it dangerously modern by telco standards..
Strap a couple of SRBs to the corolla and point it directly upwards. It'll easily get to 1000mph then shortly do the same journey in reverse.
Re: What could possibly go wrong?
The much simpler solution of a box with a lock for which the amazon bloke has the key (or combination) doesn't seem to have been considered.
But that wouldn't net amazon 250 quid plus 20 quid a month subscription fees.
Yes you can theoretically mitigate it on the AP - it effectively turns into a DoS on the client, which is in many cases preferable to leaking information.
Aruba are the first I've heard to actually implement this if so (Unifi only fixed client mode).
Unless your ubiquiti hardware is a client you did nothing.
This is a client side vulnerability not AP side, and there's little that can be done on the AP to detect it (and unifi have said they currently aren't tackling that.
Too many people are installing AP updates and thing they've fixed it. Nope. You need to update every wireless client.
Well considering one was the CFO and one was the 'president of U.S. information solutions' the idea that neither of them knew of a significant data breach days after it happened is farcical.
Re: Can't even be arsed to use an Equifax cert?
Also they failed to defensively register
As a result they've all been registered by a mixture of people having fun and miscreants stealing data.
They're probably hardened against that, being $800 locks.
It's like being able to open padlocks with bits of beercan or pick locks in about 10 seconds flat (I've seen an electric lockpick in action.. 10 seconds is an outlier - it's probably quicker than using the key..). A *lot* of locks are just security theatre, but most burglars don't know that, and of those that do, they'll go after the easy ones rather than the hard ones, so all you have to do is make sure you don't get your lock from the bargain bin like your neighbour did and you're probably safe
I lost count of the number of companies that would publish an email support address that would just autorespond with a phone number. I don't get the mentality.. To badly misquote yoda.. have an email or don't, there is no middle ground.
Given the price I'm at a loss why it didn't have backup firmware and switch to that when the update failed. The kind of thing that has been standard in consumer upgradable devices for years.
But that would have cost them 10p, and required them to give a shit.
I'm not sure their reservation system actually does anything.
For various reasons I needed an extra hard drive caddy.. could have got it next day from amazon but this couldn't wait, so I did a 'reserve' on the PC World website and set off up there... so arrived maybe half an hour later. It's a £10 fairly common item.. should be easy, right?
They had the reservation on their system, sure, but it took the staff completely by surprise that anyone would actually want to pick one up - it took multiple staff hunting around the back of the store.. I was stood at the till for another half an hour before they turned up with the caddy. I would have walked out, but needed the damned thing.
In my head a reservation would mean that a little thing would pop up and a minion would go to the right place in the stock room (catalogued.. if your'e searching for stock you're doing it wrong) and put it behind the till.. 2-3 minutes tops. That's clearly not what happens..
It also says a lot about how much verification was going on with the magstripes ie. none.
The longest I've had to wait was 30 seconds which is generally small shops with handheld cheap readers. In larger stores it's so fast I've got the notification the money has gone from my account before the receipt printer has finished printing.. it's sub-second.
Heck, modern cards here don't even *have* a functional magstripe any more. Clone the magstripe on my card and you got some random data, congratulations.
The US is oddly behind on something so simple.
Re: IPv6 is fundamentally broken
That would be ipv6 then.
Although cripping the network using NAT would be just cutting your hand off to spite your face, given that address randomisation means you're not trackable anyway.
Re: IPv6 usage soaring?
1 in 6 is a bit low considering how many users are on large ISPs which have enabled ipv6 like Sky and BT.
A home user that does nothing special will be running it without knowing or caring.
The electricity companies are refusing to install smart meters in houses with solar PV stating that smart meters can't work with them, so whatever the standards might say the companies that have to actually implement this stuff say they don't work.
Re: What's the advantage to the consumer?
I did wonder how people were quoting those repayment times.. I reliably calculate 20 years.. I did pay quite a bit more than they cost now, but I have the higher FIT to make up for it.
In practice the effect on energy consumption is minimal. They work during the day when I'm at work and the house is just drawing baseline, and don't work in the evenings when I'm at home and everything is on. Hence in practice they might have saved maybe £5 a month, except in winter when they rarely even generate baseline.
FIT is around £300-£500 a year. £8k initial cost. 20 years is about right. Not that I mind - those are the same calcs that I was seeing online when I initially bought them - wanted them because they're cool tech not because they save money.
It's not harder at all - You'd block the /64, since the bottom 64 bits refer to a local network and can change fairly easily (/48 possibly if you want to block an entire site owner).
Re: This is the last backdoor
It's an interesting problem. Triggering a warrant canary - even by inaction - could be considered informing the public, so in that case can the law compel someone to lie?
You could even contrive a warrant canary such that the only way to fake it would be to break the law. Can the law compel someone to break the law?
Re: stumbling blocks
The definition is so loose that running an open wifi point could make you one. A&A used to (possibly still do) have a check box you could set saying 'I am a CSP'.
Definately not out of the door.. I can't see anything but a press release hawking features.
Re: What about the other browsers?
They probably will, if these allegations are proven.
Re: Get in first
And the startcom certs, since they're essentially the same company.
That's likely to have a bigger impact.
The problem is bank's ludicrously bad 'fraud detection' requires you to answer the phone otherwise they block all your cards because you apparently buying the same things you do every month is somehow suspicious.
You get a call from mumbai from someone with an accent so thick you can barely work out who they're from, demanding private information for 'security' and if you fail to answer correctly good luck spending any money for a whille.
It's a real concern. Banks should be hauled over the coals for it, as it not only encourages - even requires - behaviour that makes you vulnerable to fraud, they don't offer any alternatives - A simple text saying 'call the number on the back of your card' would suffice, but nope..
Why would it become a route for any network traffic? The OS shouldn't be changing its default route on a whim because something answered ping faster (maybe windows does, but I'm sure even MS aren't that stupid, surely?).
Maybe have a word with HP?
The 980 is listed as an option for that machine..
Or, maybe it works just fine and the article is bollocks?
I have a friend who has been forced to use a fake name because of this policy.
The name that everyone else knows him by was unacceptable to facebook because it isn't on his birth certificate, so he made up an obvious bullshit fake name and apparently that's fine...
Re: A Stalker's Dream
Yeah I don't really know how you enforce WAN access only... The windows device has the password. This must be reversible to work, so it's only a matter of time (hours, days) before you can download a tool that tells you the password which bypasses the restriction.
Also, how do you restrict.. I can't see it being particularly troublesome to bypass that. Once you're on the network you have access to that network - simple software blocks (under the control of the attacker, no less) simply won't work. You could simply dump all the now unencrypted traffic straight off the wifi interface & get loads of information.
Re: Bear of little brain is confused...
Basically the password is tied to the BSSID. You have 100 friends, all the networks that they connect to will be stored on your computer somewhere with reversible passwords.
That's quite a lot of passwords.. and I reckon it'll be about a day before you can download a tool to print out all those passwords (and malware starts dumping it across the internet).
Re: The moment I saw that option I turned it off and it will remain off.
Problem is.. can you be certain that everyone who visits your house has it turned off? your kids' friends?
I'm hoping there's some network based countermeasure that can be put in place to block devices with it enabled, or at least block devices using it (those that have not legitimately been given the password).
At home I found freeradius an absolute pig, but the LDAP I have using FreeIPA which does the trick for home.
Most of my devices don't allow WPA Enterprise though... not even the xbox one which is fairly recent. Or chromecasts.. so I still need a password based network for those. I'll have to invest in other countermeasures to defeat wifisense.
Re: MAC filtering is a waste of time
MAC filtering is a waste of time against attackers.
Against random windows 10 boxes connecting to your network because microsoft have given away all your passwords, it's quite effective.
Re: Nothing new here
I would really hope that it didn't apply to WPA Enterprise, otherwise it'll be sharing windows login details all over the place.
In small companies it's not uncommon to use a single password (smaller companies rarely have the requisite radius server setup or the experience to run one).
At home of course, it's all passwords. That said, from what they're saying you can detect wifisense users - it's saying they can't access local resources somehow.. in which case you can configure a network to break access for such users (for example redirect the first request outgoing to a local portal... if they don't click OK on that - which wifisense users won't be able to do - then no access).
Re: Not https as it is right now
Self Signed plus DNSSEC plus a signature in DNS is enough to verify that the site is what it claims to be at least as far as DNS goes (which is good enough for 99% of cases.. it flags MITM and government/corporate snooping which is what we're interested in).. DANE solves the same problem.
No browser manufacturer has shown any interest in implementing anything like it - it does make me wonder if the CAs are pushing brown envelopes in their direction sometimes.
That said, who cares if HTTP is 'insecure'. My home page with pictures of random stuff on it? Who give a stuff if someone can read that on the wire?
Re: Call filtering
The TPS is simply not enforced.. it even says when you report a violation (or said, about a year ago before I gave up on it) that individual reports are only aggregated.
In fact, a quick google shows it's worse.. http://www.bbc.co.uk/news/business-22833965
You're *more* likely to be called if you're on the TPS, because the 'direct marketing association' just sent out a big list with your number on it..
Re: Am I a wrung'en?
If they MITM SSL you just wrap SSL in SSL.. they still only see encrypted traffic.
Not that it'd happen - ecommerce and banking, and therefore a large part of the economy, relies on secure financial transaciions.
Re: Boycott those hotels
It does seem that way.
A couple of years back I had the chance of the Hilton for one price on special offer and a 'cheaper' hotel for the same price. I took the Hilton offer.
They then proceeded to charge for *everything*. Parking.. (first time I've *ever* had to pay extra for parking at a hotel), breakfast, even though the offer said 'included', wifi was a stupid price, 1 channel of TV and everything else extra, the bar and restaurant were eyewateringly expensive, etc.
I've never been back. Nowadays I always look for the place with reasonable wifi first and avoid the 'well known' brands.
Re: Do wireless signals know the boundaries?
Some of them already are - I've been in a few hotels where the mobile signal mysteriously dropped to 0 the moment you walked in the door.
Wow.. wifi in wards? The local one goes apeshit if they even see a mobile phone switched on on the wards, or any electrical device.. you'll be ejected if you don't switch it off immediately - that that's not on the critical wards either.
The only internet access is through their overpriced and shitty 'patient line' (which thankfully was completely broken when my wife was last in hospital, as it was £30 a day and that mounts up over a couple of weeks).
I've quietly scanned a few times and there's no 2.4ghz or 5ghz anywhere even in outpatients, or at least nothing obvious.. they could be using a proprietary protocol of course.
Re: Question - what about MS folk who already installed?
Indeed I actually had this happen last week. I had a USB->Serial I'd been using in linux, and for a specific application needed to plug it into windows. Instant brick. Windows wouldn't even enumerate it, and neither would linux afterwards.
I'm fairly technical but I hadn't heard of this 'feature' of the FTDI driver at that point and nothing I could do could poke it back into life, so it went in the bin. It was, as far as I can tell, a 100% genuine cable (bought from an established site, not ebay) so it was a false positive too.
In future I'll ask what chipset is used and stick to PL2303, as they've never failed on me.
1. AOSP has not been killed off, and I've never heard anyone suggest that it would be. They're talking about the AOSP *browser* which has been replaced by Chrome.
2. 4.2.1 is not 75% of phones. The entire 4.2.x series is only 20%, and 4.2.2 would be the majority of that - and 4.2.2 was released 18 months ago. Note the CVE relates specifically to 4.2.1. You can't even get close to 75% by adding all the previous versions together (which would be bogus anyway unless you could prove it existed right back to froyo/gingerbread).
So bug exists in a small % of old phones. Other than saying 'time to upgrade' what are people expected to do?
Re: I feel like I'm living in an alternative reality sometimes.
It's mostly press exaggeration... gets hits. The only place I haven't been able to get HSDPA is in the middle of wales, and apparently that was just O2 being shit (three have better coverage there).
In villages like the one I'm currently sat in there's nowhere that doesn't get plenty of signal.
OTOH one of the reasons to use free wifi is it doesn't come off your allowance - I pay £2/mo plus data, but that data is quite pricey, so free wifi is a net win.
The local greggs has free wifi and continental style outside tables. They're the ideal breakfast/lunch destination.