Brexit logic, redux

Oct. 27th, 2016 10:53 pm
pseudomonas: (libdem)
[personal profile] pseudomonas
Brexiters must — I think — hold one of two positions* for any given value C of "catastrophe":

1) It's right to implement the referendum result even if it will lead to catastrophe C
2) It would be wrong to implement the referendum result if it would lead to catastrophe C, but we believe that it will not lead to catastrophe C

If their position is (2), they have no right decrying as anti-democratic those of us who oppose implementing the referendum result because of a reasonable belief that it will lead to catastrophe C.

If their position is (1) they should have the [redacted] to come out and say so.

* Whether consciously or otherwise.
Someone may consistently take position 1 for C = a small misfortune (a 50% chance of recession, say), and position 2 for C = a major cataclysm (say, nuclear war)

Where does OBT research go after OBT?

Oct. 27th, 2016 01:38 pm
lindseykuper: A figure wearing a pink shirt decorated with a heart looks upward from between dark shapes that suggest buildings. (Default)
[personal profile] lindseykuper

New blog post, in which I note that OBT liked your research before it was cool.

Getting used to orthotics

Oct. 27th, 2016 01:08 pm
redbird: closeup of me drinking tea (Default)
[personal profile] redbird
I saw a podiatrist yesterday, because of odd recurring ankle pain (which has been happening for a few hours at a time, but not every day).

They took x-rays of both ankles and my right foot (the pain has been worse on that side), and found no fractures. I do have arthritis in my right big toe, which affects how I walk, but doesn't seem to be the issue here.

The podiatrist confirmed the nurse practitioner's diagnosis of mild tendonitis, and said it's likely because my calf muscles are so tight. I came home with a pair of orthotics, which I am supposed to start by wearing part-time, and instructions for stretching.

I left the orthotics in my shoes longer than the suggested hour yesterday, because I ran a few errands and stopped for brunch before coming home. That seemed okay, and I'm at about an hour and a half so far today.

I am easing into the stretching: the instructions are explicitly that my shoulders and arms, not my legs or feet, should be doing the work, and I don't want to strain my right shoulder. (I'm supposed to do five minutes twice a day, and managed three yesterday and not quite four today.)

Also, if it's not better in two weeks, I should call, but I should keep doing the stretches indefinitely, though maybe not spend this much time on them when it's maintenance.
pseudomonas: Ostrakon against Themistocles. (ostrakon)
[personal profile] pseudomonas
We don't have referendums* in the UK very much. Maybe we'd be more adept at dealing with them if we did. Who knows? So I'm talking on the basis of the representative sample of one referendum in recent times that actually passed.

There seems to be a view that a referendum passing on a matter makes it… real. One gets the idea that if we voted in a referendum to repeal the laws of gravity, the government would even now be reassuring people that weightlessness means weightlessness and of course it'll happen, it'd be undemocratic to suggest otherwise. We voted to leave the EU without losing jobs, so that's what we'll do! We voted to leave the EU without a brain drain, so that is what must happen!

The other view I see around is that this is a solemn overriding pressure; an irresistible force against which no objection is immovable. Brexit means Brexit! If it costs 5% of GDP, so be it! If it costs 15% of GDP, so be it! If it leads to a breakdown in foreign relations and influence, so be it! If it necessitates declaring war on France, so be it! If it calls up the Great Old Ones to devour the residents of all coastal local authorities, then, well, you get the idea.

The question "what price is worth paying or not paying" for Brexit is one that is never answered because the Government is still trying to kid us that there's not even a possibility that things might just not go the way they want.

I readily admit that I'm one of those Remoaner types who thinks that a bad outcome is very likely. But I think that even an ardent Brexiter with their head screwed on right ought to be taking the position:

a) It is bad to go against a democratic referendum.
b) Even so, there are some things which are worse than going against a referendum result.
c) There are various outcomes to the process. Some are bad. (You might well think the bad ones are less likely than I do — but I think any honest observer admits they're not impossible)
d) However much you think that a referendum result is a good thing and ought to be honoured, there are some outcomes that make it on balance not worthwhile.

My position on (d) is "we need to have a grown up discussion on what price is worth paying for what kind of Brexit".

The government's position on (d) seems to be "it's literally impossible for this situation to arise because that would mean going against a referendum". And we're back, circuitously, to the reality-bending powers of referendums. Weightlessness means weightlessness.

But don't worry. Everything will be OK because we voted for it to be OK.

* Or referenda. I don't mind.
Negotiations. Markets. Diplomacy. Whatever.
Who knows? Maybe it will all be OK.
Thought experiment that is deliberately extreme: there is a consultative referendum to sacrifice every firstborn child to placate the gods. A democratic one. It passes. You are the PM. Is your first act on hearing the result to whip out your cleaver?

Comments policy: This is not the place to debate the merits of Brexit per se, there are approximately eleventy million other places to do that. It's to discuss how one should *respond* to a referendum in various circumstances. Also, be nice. Also also, do not be Steven Kitson.

Apple: Spencer

Oct. 26th, 2016 06:13 pm
redbird: apricot (apricot)
[personal profile] redbird
I bought two of these at the Davis Square Farmers' Market today, and ate one when I got home (when it was still cool from being outside).

This is an average apple: a bit sweet but not very, a bit juicy, some apple flavor but nothing noteworthy, not especially tart. The inside is white and the skin mostly red, and it's a little bigger than a Macoun.

I'll be eating the other but probably not buy more. And then go to the supermarket for more Macouns (we're near the end of the farmers' market season here; I miss the year-round Greenmarket in Inwood).
spiralsheep: The cure for boredom is curiosity. There is no cure for curiosity (ish icons Curiosity Cures Boredom)
[personal profile] spiralsheep posting in [community profile] flaneurs
A photo tour of Edgbaston Waterworks chimney, Perrott's Folly, and Old Joe, with some comparatively rare images of the inside of the Folly and the intervisibility of the three towers and Birmingham Oratory:

Good things

Oct. 25th, 2016 10:56 pm
sasha_feather: Retro-style poster of skier on pluto.   (Default)
[personal profile] sasha_feather
--Dried mango
--Trail mix
--The marshy area I drive by on the way back from the pharmacy. Sometimes it looks very wild and alien
--Internet friends

(no subject)

Oct. 26th, 2016 01:18 am
dingsi: The Corinthian smoking a cigarette. He looks down thoughtfully and breathes the smoke out of his nose. (Default)
[personal profile] dingsi
me, a trans person: i don't like that this text we are discussing uses transgender as a noun in that sentence. which reminds me that just today i saw a news article about a trans man where the headline was "ask a transgender", it was awful and you should not do it, it's an adjective not a noun

cis person: but i have seen some trans people use it?

me, a trans person, talking about trans stuff: personally i dislike it, and although some people may choose to describe themselves that way individually, that still doesn't make it okay to use it to describe the whole group, we are not as a whole some weird extra gender category and to me it feels objectifying

cis person who is not trans: yes but language changes? not to diminish what you just said, but

Small-scale mission accomplished

Oct. 25th, 2016 06:55 pm
redbird: subway train, the cars sometimes called "redbirds" (redbird train)
[personal profile] redbird
After voting this morning, I went grocery shopping. On the way home, I was talking idly with the woman sitting next to me on the bus. As she was getting up, she thought she had dropped something, and it looked a little like something had fallen, but didn't sound like it, and she didn't see anything missing.

When I got home and put my groceries away, I found her CharlieCard/The RIDE (paratransit) ID card in one of the bags. The cards have the holder's name and photo, and no other information.

I googled a bit, using her name and "Arlington," and came up with three possible phone numbers. One of those got me a man who said it was a wrong number, but that the name sounded vaguely familiar; I may not be the first person to try reaching her there. (When we lived in New York, every few months I got a call from someone looking for bus information.) The other two got me voicemail, and I left messages.

The woman's sister called me after about an hour, thanked me enthusiastically for taking the trouble, and asked how I had gotten her number. I explained how I found her number, and said that I would want someone to do the same for me, and she said that she would call her sister and tell her to expect to hear from me.

I heard from the card-holder at about 6:00, and arranged to meet her at the nearest bus stop, because I really didn't want to go up to Arlington Heights. She was slightly flustered, and when I asked if she could get there pointed out that I had her Charliecard; it took a little back-and-forth to get past that to yes, she had enough cash for the bus fare. She took the bus down here, I handed the card over, and she thanked me and headed for the bus stop in the other direction.

I am pleased this worked out. (The MBTA's suggestion, when I emailed their lost-and-found address, was to give them the name and number on the card so they could deactivate it. This seemed suboptimal, to put it mildly.)

I voted this morning

Oct. 25th, 2016 12:50 pm
redbird: Me with a cup of tea, in front of a refrigerator (drinking tea in jo's kitchen)
[personal profile] redbird
[ profile] cattitude and I went to Arlington Town Hall this morning and voted. It was quick and easy, with no line: they have set up at least a dozen stations for filling out ballots.

Part of why it was so quick and easy is that the only relevant things on my ballot were president and four ballot measures: my Congresswoman, state representatives, and county sheriff are all running unopposed for reelection. (The sheriff did have a primary challenger.) On the way out, I got an "I Voted" sticker for my jacket.

I voted for Clinton, and no on ballot measures 1-3 (adding a casino, expanding charter schools, and conditions for keeping hens, pigs, and veal calves) and yes on 4 (legalizing marijuana). Three was the only difficult decision; I decided that eggs as a cheap and easy protein source for people on limited budgets was a higher priority for me than the animals. I buy cage-free eggs, and I'm willing to pay extra for that; I'm not prepared to make everyone do so, when for some people it might mean only being able to afford half as many eggs.

Marijuana legalization was an "of course," both because I'm generally in favor of legalizing drugs and because I moved here from Washington, and saw how legal marijuana works there.

PyCharm features: local history

Oct. 25th, 2016 12:56 pm
geekchick77: (Default)
[personal profile] geekchick77
You know that moment where you had working code, and now it has stopped working, and you aren't quite sure what you've changed? You made a lot of good changes since your last commit, and you don't want to throw those away, but you need to find the erroneous change. This is where PyCharm's local history functionality really shines. You can right click (or ctrl-click) on a file or a workspace, and see a timeline of all changes, with a visual diff of each change. This can help you quickly hunt down errors, without throwing away your good changes. It's particularly helpful if you've experimented with many different variations for a specific block of code.

geekchick77: (Default)
[personal profile] geekchick77
I am working on a large app (hundreds of migrations) and it is becoming unwieldy. There are options for not running migrations when unit testing, but it'd be nice not to need to use them. Plus some of the old migrations reference old code I'd like to be able to delete.

I tried running squashmigrations, but the resulting migration file had errors when I tried to run it on a clean DB.

So, I decided to do the more drastic method of deleting and recreating migrations.

  1. ALL databases must be at the same migration level before you begin.
  2. If you have a custom user model, do NOT delete the migration that creates it. You can safely delete subsequent migrations.
  3. If you have data migrations, you need to maintain those.

Procedure for app that contains the custom user (e.g. if app name is "users"):
  1. Ensure all databases (local, staging, production, etc.) are at the same migration level.
  2. Create backups of all your databases.
  3. Save the code for any data migrations in a temporary file.
  4. Delete migration files from 0002 upward (assuming 0001 created the custom user) and commit to git
  5. delete from django_migrations where app='users' and name NOT LIKE '0001%';
  6. python manage.py makemigrations users
  7. Recreate any data migrations.
  8. Verify that migrations run successfully on a clean database.
  9. python manage.py migrate users --fake # Run locally
  10. Commit new migrations.
  11. Push changes to all other systems and on each run: python manage.py migrate users --fake

Procedure for apps in general (e.g. "myapp"):
  1. Ensure all databases (local, staging, production, etc.) are at the same migration level.
  2. Create backups of all your databases.
  3. Save the code for any data migrations in a temporary file.
  4. Delete migration files for myapp and commit to git.
  5. delete from django_migrations where app='myapp';
  6. python manage.py makemigrations myapp
  7. Recreate any data migrations.
  8. Verify that migrations run successfully on a clean database
  9. python manage.py migrate myapp --fake # Run locally
  10. Commit new migrations.
  11. Push changes to all other systems and on each run: python manage.py migrate myapp --fake
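An added example, not code from the original post and not part of Django's own tooling: a dry-run planner for steps 3 to 5 of both procedures above. Given an app label and its migrations directory, it lists the migration files that would be deleted, flags any that contain data migrations (RunPython or RunSQL operations) so their code can be stashed before deletion, refuses to delete anything until those have been copied aside, and prints the matching django_migrations cleanup statement. It only reads the filesystem, so it runs without Django installed. Assumptions: migration files are named NNNN_name.py, the app label you pass is the one Django uses in django_migrations (it can differ from the directory name if an AppConfig sets a custom label), and the sample "users" app built by demo() is constructed for illustration. The app label is validated as a bare identifier because it is interpolated into SQL.

```python
import re
import shutil
import tempfile
from pathlib import Path

MIGRATION_FILE = re.compile(r"^(\d{4})_\w+\.py$")
DATA_OPERATION = re.compile(r"\bmigrations\.(RunPython|RunSQL)\b")
APP_LABEL = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def plan_reset(app_label, migrations_dir, keep_initial=False):
    """Plan the reset without touching anything.

    keep_initial=True is the custom-user-model case: 0001 (which creates
    the user model) stays and every later migration is deleted.
    """
    if not APP_LABEL.match(app_label):
        # The label goes into a SQL statement below; refuse anything that
        # is not a plain identifier instead of trying to quote it.
        raise ValueError(f"suspicious app label: {app_label!r}")

    delete, keep, data = [], [], []
    for path in sorted(Path(migrations_dir).iterdir()):
        match = MIGRATION_FILE.match(path.name)
        if not match:
            continue  # __init__.py, __pycache__, editor leftovers
        number = int(match.group(1))
        if keep_initial and number == 1:
            keep.append(path.name)
            continue
        delete.append(path.name)
        if DATA_OPERATION.search(path.read_text(encoding="utf-8")):
            data.append(path.name)  # must be saved and recreated (step 7)

    if keep_initial:
        sql = (f"DELETE FROM django_migrations "
               f"WHERE app = '{app_label}' AND name NOT LIKE '0001%';")
    else:
        sql = f"DELETE FROM django_migrations WHERE app = '{app_label}';"
    return {"delete": delete, "keep": keep, "data_migrations": data, "sql": sql}


def stash_data_migrations(plan, migrations_dir, stash_dir):
    """Step 3: copy data migrations aside before anything is deleted."""
    stash = Path(stash_dir)
    stash.mkdir(parents=True, exist_ok=True)
    for name in plan["data_migrations"]:
        shutil.copy2(Path(migrations_dir) / name, stash / name)
    return sorted(p.name for p in stash.iterdir())


def delete_migrations(plan, migrations_dir, stashed):
    """Step 4. Refuses to run if a flagged data migration was not stashed."""
    missing = [n for n in plan["data_migrations"] if n not in stashed]
    if missing:
        raise RuntimeError(f"data migrations not stashed: {missing}")
    for name in plan["delete"]:
        (Path(migrations_dir) / name).unlink()
    return sorted(p.name for p in Path(migrations_dir).iterdir())


# Constructed sample app (not a real project) so the example runs offline.
SAMPLE_FILES = {
    "__init__.py": "",
    "0001_initial.py": (
        "from django.db import migrations, models\n"
        "class Migration(migrations.Migration):\n"
        "    operations = [migrations.CreateModel(name='User', fields=[])]\n"
    ),
    "0002_add_nickname.py": (
        "from django.db import migrations, models\n"
        "class Migration(migrations.Migration):\n"
        "    operations = [migrations.AddField('user', 'nickname',\n"
        "                  models.CharField(max_length=32))]\n"
    ),
    "0003_backfill_nickname.py": (
        "from django.db import migrations\n"
        "def backfill(apps, schema_editor):\n"
        "    pass\n"
        "class Migration(migrations.Migration):\n"
        "    operations = [migrations.RunPython(backfill)]\n"
    ),
}


def demo(keep_initial=True):
    """Run plan -> stash -> delete against the sample app in a temp dir."""
    root = Path(tempfile.mkdtemp())
    mig_dir = root / "users" / "migrations"
    mig_dir.mkdir(parents=True)
    for name, body in SAMPLE_FILES.items():
        (mig_dir / name).write_text(body, encoding="utf-8")
    plan = plan_reset("users", mig_dir, keep_initial=keep_initial)
    stashed = stash_data_migrations(plan, mig_dir, root / "stash")
    remaining = delete_migrations(plan, mig_dir, stashed)
    shutil.rmtree(root)
    return plan, stashed, remaining


if __name__ == "__main__":
    plan, stashed, remaining = demo()
    print(plan["sql"])
    print("delete:", plan["delete"], "stashed:", stashed, "remaining:", remaining)
```

Two caveats the planner cannot check for you: `migrate --fake` records the new migration as applied without running it, so the freshly generated 0002 must describe exactly the schema every database already has (run it against the clean database in step 8 and, on Django 1.10 or later, `python manage.py makemigrations --check` to confirm nothing is left pending); and the RunPython/RunSQL scan is deliberately conservative, so a migration it flags may turn out to be a trivial one, but a data migration it misses would be lost.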

[Linkspam] Monday, October 24

Oct. 24th, 2016 09:51 pm
tim: text: "I'm not offended, I'm defiant" (defiant)
[personal profile] tim
I noticed a theme emerging as I assembled today's links: emotionally manipulative lies you may have been told lately. Gaslighting seems more prevalent than ever: people who want you to include abusers in your social circle, disengage from the political process, or blame yourself for your place in an oppressive socioeconomic order have a lot of tricks up their sleeves. I hope these links will shine light into those corners of your mind where you might be inclined to believe the voices saying you're "just too late and just no good."

Lie: "Isn't calling people out for their abusive behavior just as bad as abusing people?"

  • When is naming abuse itself abusive?, by Valerie Aurora (2016-10-24). This is so good and I want to print out many copies and nail them to various walls:
    "Naming and accurately describing abusive behavior is necessary and powerful at the same time that it makes many people feel uncomfortable.... Being uncomfortable is not in and of itself a sign that you are doing something wrong. I encourage people to think about what makes you uncomfortable about naming and describing abusive behavior, or seeing other people do it. Is it compassion for the person engaging in abusive behavior? Then I ask you to apply that compassion to the targets of abuse. Is it fear of further abuse by the person being called out? Then I urge you to support people taking action to end that abuse. Is it desire for a lack of overt conflict – a “negative peace“? Then I suggest you raise your sights and aim for a positive peace that includes justice and consideration for all. Is it fear that the wrong person will be accidentally targeted? Then I invite you to reflect on the enormous risk and backlash faced by people do this kind of naming and describing. And then I invite you to worry more about the people who are remaining silent when speaking up would benefit us all."
Lie: "You need to tolerate people who think you shouldn't exist -- not just tolerate them, but collaborate with them. Diversity of opinion is sacred."
  • Peter Thiel, YC, and hard decisions, by Ellen Pao (2016-10-17). "Giving more power to someone whose ascension and behavior strike fear into so many people is unacceptable. His attacks on Black, Mexican, Asian, Muslim, and Jewish people, on women, and on others are more than just political speech; fueled by hate and encouraging violence, they make each of us feel unsafe."
  • Part-Time Power, by Leigh Honeywell (2016-10-19). 'We all get to make a choice as to what constitutes “intolerable intolerance”. YC has made it clear that Thiel’s actions and words are tolerable enough to them to continue to give him power over people in their organization, and I find this unconscionable.'
  • When the Genius Men of Silicon Valley Suddenly Don't Seem So Smart, by Sam Biddle for The Intercept (2016-10-19).
  • The hypocrisy of Facebook's silence on Peter Thiel's support for Donald Trump, by Julia Carrie Wong for the Guardian (2016-10-18). "Money talks, and in Silicon Valley, it seems, money can say whatever it wants as long as one’s public statements (be they convention speeches or Washington Post op-eds) obfuscate the bigotry that lies beneath."
  • “Emotions are Running High…” by Arlan Hamilton (2016-10-21). "This week, another entity was set to make a very generous investment in my company. This was a deal a few weeks in the making, and at approx $500k would have made a huge impact on what we’re building at Backstage. Because this entity has close business ties to Thiel, I was faced with the decision to be a hypocrite and take the cash, or not be a hypocrite and respectfully decline it. I chose the latter."
  • Twitter Fires Its VR Project Manager After Homeless Rant Resurfaces, by William Turton for Gizmodo (2016-10-19). Sometimes there's justice in the world.
Lie: "Sure, maybe he's a serial abuser, but he does such good work and that's the important thing."
  • [CW: sexual harassment; universities; but I repeat myself.] From Texas to the Smithsonian, following a trail of sexual misconduct, by Michael Balter for The Verge (2016-10-24). Systemic sexual harassment and professors' and administrators' insistence on making sure it keeps happening. So familiar.
  • Why I won’t be attending Systems We Love, by Valerie Aurora (2016-10-22). "Even if Bryan doesn’t attack me, people who like the current unpleasant culture of systems programming will. I thought long and hard about the friendships, business opportunities, and social capital I would lose over this blog post. I thought about getting harassed and threatened on social media. I thought about a week of cringing whenever I check my email. Then I thought about the people who might attend Systems We Love: young folks, new developers, a trans woman at her first computing event since coming out – people who are looking for a friendly and supportive place to talk about systems at the beginning of their careers. I thought about them being deeply hurt and possibly discouraged for life from a field that gave me so much joy."
Lie: "You're not allowed to be glad that Hillary Clinton will be the next president -- just look at all the awful things she's done."
  • [CW: abuse] Hillary: My President, my Patronus, by Tierney Wisniewski (2016-10-21). I really related to this article about finding vindication as a child of a narcissist from watching Clinton succeed by exposing Trump for who he is: "I’m an only child. I had no witnesses inside the family. It was my word against that of two unreliable adults. Now, watching one more very unreliable adult, I have millions of witnesses to corroborate my perceptions of what is happening, and the documentation to back up our perceptions. And that part feels awesome."
  • The Leftist Case for Clinton, by Milo Beckman (2016-10-19). "Clinton has consistently been as far to the left as a public figure could be in America without being dismissed as a lunatic."
Lie: "Real conservatives aren't like that. He's just bananas."
  • Trumpworld, by Michelle García for Guernica (2016-10-21) "...For much of the campaign season, the press and commentators have branded Trump as an aberration, his rhetoric seemingly a deviation from the political norm, his vision for the country a frightening possibility of the future. In reality, much of Trumpworld already exists." García shows how Trump's white supremacy and anti-immigrant racism are nothing new. Nor are they unique to the right wing: "Partisan differences offer little or no immunity from the violent border paradigm, even among those seemingly supportive of immigrants."
Lie: "Well, anyone could win against Donald Trump."
  • Hillary Clinton’s 3 debate performances left the Trump campaign in ruins, by Ezra Klein for Vox (2016-10-19). While Trump's opinions aren't unusual among conservatives, his strategy (or lack thereof) is, and Clinton has exploited it skillfully: "The dominant narrative of this election goes something like this. Hillary Clinton is a weak candidate who is winning because she is facing a yet weaker candidate. Her unfavorables are high, her vulnerabilities are obvious, and if she were running against a Marco Rubio or a Paul Ryan, she would be getting crushed. Lucky for her, she’s running against a hot orange mess with higher unfavorables, clearer vulnerabilities, and a tape where he brags about grabbing women "by the pussy.""
Lie: "If you're not doing well economically, you're lazy. Just work harder."
  • The myth of personal life under capitalism, by Susan Rosenthal (2015-01). "Transforming inquisitive children into obedient, producing and reproducing machines requires a persistent shaming process that compels us to reject every part of ourselves that might rebel: our curiosity, our need to be heard and valued, and our need to actively shape our lives and our world. As a result, we cannot be complete human beings. When we believe that parts of ourselves are unworthy, we are ashamed to show ourselves, and our relationships remain superficial and insecure."
  • The Gaslighting of the Millennial Generation, by Caitlin Herron (2016-10-17) "The negative opinions directed at millennials are a perfect example, on an enormous societal scale, of cultural gaslighting."
  • Millennials Who Are Thriving Financially Have One Thing in Common… Rich parents, by Gillian B. White for the Atlantic (2015-07-15).
    The study calls this a 'funnel of privilege': Young adults with rich parents soon become rich themselves.

    "Haves are turning their riches or their wealth into bigger wealth because they are investing in the housing market by simply living in a house," says Gudell. This advantage is one that these Millennials will carry forward as they earn more than their degree-less peers, and save more than those who were forced to throw away tens of thousands of dollars on rent due to their inability to buy. In the future, they’ll have wealth to pass down to their own kids, continuing the cycle.

(no subject)

Oct. 24th, 2016 06:12 pm
kaberett: Overlaid Mars & Venus symbols, with Swiss Army knife tools at other positions around the central circle. (Default)
[personal profile] kaberett
(hello folk who normally see me on IRC, the Internet connection I'm using til Friday doesn't like ssh and I can't face using WebIRC or whatever, so if you want me then e-mail/grab me on Telegram/send me a message/etc <3)

Merry Monday #30

Oct. 24th, 2016 06:40 pm
dingsi: Close-up of Norb from Angry Beavers cartoon show. (:))
[personal profile] dingsi
What good, exciting things happened to you last week? What are you looking forward to this week? It can be one thing or many things, something big or small - especially the small things, they don't get enough credit.
If you are uncomfortable commenting publicly, you can leave an anonymous comment instead which will stay screened, and I have turned off Captchas.

♥ Had some friends over for dinner and I was so happy to cook for them!
♥ I got to send and receive some books! [personal profile] shanaqui gave me the second part of the Imperial Radch trilogy and I finished it last week, after that I picked up Nalo Hopkinson's "Sister Mine".
♥ I received an unexpected compliment for my clothing style!
♥ After a long hiatus, our book club finally has a meeting tomorrow.
♥ I put up some things on Ebay (mainly comic books) and hope some people will bite. Relatedly, I'm having more energy to catalog my books and put things up for sale. Also, a friend may be interested in taking my old desktop PC off my hands to use for spare parts.
♥ (link to YouTube) this song which is very 80s (literally) and very uplifting!

(no subject)

Oct. 24th, 2016 06:27 pm
dingsi: The Corinthian smoking a cigarette. He looks down thoughtfully and breathes the smoke out of his nose. (Default)
[personal profile] dingsi
There's going to be some changes in my subscriptions/access this week. I'm still not posting anything access-locked, but mutual access looks more symmetrical. Also I'm going to weed out old journals and lightly shuffle things around in general. No cause for alarm.


Oct. 23rd, 2016 05:46 pm
sasha_feather: Big book of Lesbian Horse stories book cover (lesbian horse stories)
[personal profile] sasha_feather
I have several very nice, older-than-me friends at the dog park, many of whom are about the age of my parents. Today I ran into one of them who was walking with her friend, let's call them Ann and Sue (not their real names). Ann explained that she is moving and her new place isn't ready yet, so she is staying with Sue.

"It's really nice," said Ann. "like having a wife."

There was an awkward pause. "Except better, because... you know... she's my friend."

I had also run into Ann downtown on the day same-sex marriage was legalized and people were getting married in front of the city-county building. Ann was similarly awkward and funny during that encounter, complimenting some young man's funny t-shirt (I don't remember what it said) but then going "I mean... I'm not gay". He charmingly said back, "Oh don't worry honey, it's not catching."

Ann also mentioned today that she'd gone to a Joan Baez concert. When she mentioned it to her young employees, they had no idea who Joan Baez is. I said, oh yeah, I only know because my mom's a big fan. Ann and Sue both made faces at that.

Fixing the IoT isn't going to be easy

Oct. 21st, 2016 11:35 pm
[personal profile] mjg59
A large part of the internet became inaccessible today after a botnet made up of IP cameras and digital video recorders was used to DoS a major DNS provider. This highlighted a bunch of things including how maybe having all your DNS handled by a single provider is not the best of plans, but in the long run there's no real amount of diversification that can fix this - malicious actors have control of a sufficiently large number of hosts that they could easily take out multiple providers simultaneously.

To fix this properly we need to get rid of the compromised systems. The question is how. Many of these devices are sold by resellers who have no resources to handle any kind of recall. The manufacturer may not have any kind of legal presence in many of the countries where their products are sold. There's no way anybody can compel a recall, and even if they could it probably wouldn't help. If I've paid a contractor to install a security camera in my office, and if I get a notification that my camera is being used to take down Twitter, what do I do? Pay someone to come and take the camera down again, wait for a fixed one and pay to get that put up? That's probably not going to happen. As long as the device carries on working, many users are going to ignore any voluntary request.

We're left with more aggressive remedies. If ISPs threaten to cut off customers who host compromised devices, we might get somewhere. But, inevitably, a number of small businesses and unskilled users will get cut off. Probably a large number. The economic damage is still going to be significant. And it doesn't necessarily help that much - if the US were to compel ISPs to do this, but nobody else did, public outcry would be massive, the botnet would not be much smaller and the attacks would continue. Do we start cutting off countries that fail to police their internet?

Ok, so maybe we just chalk this one up as a loss and have everyone build out enough infrastructure that we're able to withstand attacks from this botnet and take steps to ensure that nobody is ever able to build a bigger one. To do that, we'd need to ensure that all IoT devices are secure, all the time. So, uh, how do we do that?

These devices had trivial vulnerabilities in the form of hardcoded passwords and open telnet. It wouldn't take terribly strong skills to identify this at import time and block a shipment, so the "obvious" answer is to set up forces in customs who do a security analysis of each device. We'll ignore the fact that this would be a pretty huge set of people to keep up with the sheer quantity of crap being developed and skip straight to the explanation for why this wouldn't work.

Yeah, sure, this vulnerability was obvious. But what about the product from a well-known vendor that included a debug app listening on a high numbered UDP port that accepted a packet of the form "BackdoorPacketCmdLine_Req" and then executed the rest of the payload as root? A portscan's not going to show that up[1]. Finding this kind of thing involves pulling the device apart, dumping the firmware and reverse engineering the binaries. It typically takes me about a day to do that. Amazon has over 30,000 listings that match "IP camera" right now, so you're going to need 99 more of me and a year just to examine the cameras. And that's assuming nobody ships any new ones.

Even that's insufficient. Ok, with luck we've identified all the cases where the vendor has left an explicit backdoor in the code[2]. But these devices are still running software that's going to be full of bugs and which is almost certainly still vulnerable to at least half a dozen buffer overflows[3]. Who's going to audit that? All it takes is one attacker to find one flaw in one popular device line, and that's another botnet built.

If we can't stop the vulnerabilities getting into people's homes in the first place, can we at least fix them afterwards? From an economic perspective, demanding that vendors ship security updates whenever a vulnerability is discovered, no matter how old the device is, is just not going to work. Many of these vendors are small enough that it'd be more cost effective for them to simply fold the company and reopen under a new name than it would be to put the engineering work into fixing a decade old codebase. And how does this actually help? So far the attackers building these networks haven't been terribly competent. The first thing a competent attacker would do would be to silently disable the firmware update mechanism.

We can't easily fix the already broken devices, we can't easily stop more broken devices from being shipped and we can't easily guarantee that we can fix future devices that end up broken. The only solution I see working at all is to require ISPs to cut people off, and that's going to involve a great deal of pain. The harsh reality is that this is almost certainly just the tip of the iceberg, and things are going to get much worse before they get any better.

Right. I'm off to portscan another smart socket.

[1] UDP connection refused messages are typically ratelimited to one per second, so it'll take almost a day to do a full UDP portscan, and even then you have no idea what the service actually does.

[2] It's worth noting that this is usually leftover test or debug code, not an overtly malicious act. Vendors should have processes in place to ensure that this isn't left in release builds, but ah well.

[3] My vacuum cleaner crashes if I send certain malformed HTTP requests to the local API endpoint, which isn't a good sign
jesse_the_k: Pill Headed Stick Person (pill head)
[personal profile] jesse_the_k
My doc just told me about a double-blind RCT study showing combo aspirin & acetaminophen was as effective as oral morphine (and both better than placebo) for post-surgical dental pain.

I'm doing it now and it helps


tim: Tim with short hair, smiling, wearing a black jacket over a white T-shirt (Default)
Tim Chevalier
