Comments

jones November 26, 2021 9:03 AM

I’m trying to imagine people trying to manage the passwords for all the “smart” light bulbs in their homes… and getting jammed up when their “smart” toaster crashes…

Clive Robinson November 26, 2021 9:12 AM

@ ALL,

The usual warning with regard to current UK legislation and BBC reporting needs to be sounded,

“The devil is in the details, read with care”.

I would not be surprised if this is actually anti-EU and anti-China policy driven.

UK Politician Tom Tugendhat has previously argued fairly vehemently that both products and funding for research from China “rarely comes without strings attached” and has made it clear in other ways that anti-China sentiment is very definitely “on the table”.

Others have likewise taken up the same sort of anti-EU stance as well.

Combined, these stances politically draw the UK much closer to US State Dept policy… Which appears to be a significant aim of the current UK PM.

6449-225 November 26, 2021 9:55 AM

This will establish the market for IoT device password setter-resetter/storer devices.

Obviously, a device with such a sensitive role will need to be password protected. Nobody knows how this would be done … ∞

Andy November 26, 2021 10:48 AM

My router from 2Wire (acquired by AT&T ?) from probably a decade ago and all its successors have a random password printed on it. If you do a hard reset on it then it goes to that value. The manufacturer shouldn’t keep a database of serial numbers to passwords for this to be secure. Physical access to the device should be both sufficient and necessary.

Ted November 26, 2021 10:57 AM

I was wondering how likely this PSTI bill was to pass. I’m thinking likely because it was developed by both the DCMS and the NCSC along with industry, academia, standards bodies, and other countries.

That’s a lot of early buy-in.

The ‘top three’ rules mentioned in the original article are also mentioned in the bill’s gov.uk factsheet.

  • Ban default passwords.
  • Require products to have a vulnerability disclosure policy.
  • Require transparency about the length of time for which the product will receive important security updates.

Those are big deals, imo.

https://www.gov.uk/guidance/the-product-security-and-telecommunications-infrastructure-psti-bill-product-security-factsheet

Sumadelet November 26, 2021 12:30 PM

Hmmm. I wonder how this might apply to after-market firmware, such as LineageOS, postmarketOS, and OpenWrt. This might provide manufacturers the weapon needed to close off such things. Microsoft would love it if it gave a way to prevent Linux, BSD, or other libre software distributions being placed on old or repurposed PC hardware, too. It is an easy step between requiring a unique password per device to requiring a unique password certified as such and controlled by the manufacturer on each device, all in the name of improved security.

Call me suspicious.

lurker November 26, 2021 12:55 PM

@nnz, Sumadelet

The default no password is superficially attractive, but, can you ensure that the user/installer sets up a password, any password, better than “fred”?

Years ago I tried an install of netbsd. It rebooted to an open root prompt. Took me a while to realise this was a great idea – if you know what you are doing. What confidence is there that the average user of an IoT device knows what they’re doing?

neill November 26, 2021 4:52 PM

unfortunately the ordinary user will type in that special password once … then reset it to something like ‘letmein123’ for convenience

SpaceLifeForm November 26, 2021 5:35 PM

Top Notch Security Theatre

It does not matter what the password rules are if the password can leak.

Ted November 26, 2021 5:57 PM

It seems like there are a lot of concerns that a user won’t set up a sufficiently secure device password. And that is understandable.

I guess moving thousands of devices off a default password of “admin” or whatever is still a step in the right direction.

I was trying to see if there was more specific guidance on the default password ban and did see that there are more details at the link below under the section: “Key Policy Position 6 – Security Requirements.”

The text says: “We intend to create two routes to conformity within the intended legislative framework.”

One route looks like it follows the provisions set from ETSI European Standard (EN) 303 645. For passwords this relates to provisions 5.1-1 and 5.1-2.

Ted November 26, 2021 5:58 PM

(continued…)

Here is the explanation of intent:

“Our intent is to cover all passwords within the device, including those not normally accessible by the user, such as passwords on administrative interfaces, or within firmware of sub-components. Pre-installed software applications (Apps), including those that are 3rd party provided but pre-installed on a device, are also in scope. Our intent is also to ban passwords which may be unique per device, but are still easily guessable and therefore still present a risk (for example, if incremental counters are used such as ‘password1’, ‘password2’ and so on).”

I don’t know if a device could force a certain level of password complexity?

https://www.gov.uk/government/publications/regulating-consumer-smart-product-cyber-security-government-response/government-response-to-the-call-for-views-on-consumer-connected-product-cyber-security-legislation
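
An added example, not code from the thread and not text from ETSI EN 303 645 or the gov.uk response: it works through the mechanism the commenters above are debating (Andy’s label password that needs no serial-to-password database, the quoted intent to ban “unique but guessable” passwords such as password1/password2, and lurker’s and neill’s worry that the owner will replace the label password with “fred” or “letmein123”). It draws a per-device password from the OS CSPRNG, runs a guessability check that rejects stem-plus-counter passwords, common defaults and anything derived from identifiers visible on the wire or the box, and models a first-boot flow that accepts the label password only over the local interface and only until a conforming replacement is set. The alphabet, the blocklist, the thresholds, the PBKDF2 rounds and every name below are my assumptions.

```python
"""Added example, not from the thread or from ETSI EN 303 645: a
per-device factory password, a guessability check and a first-boot
password-change flow. Alphabet, blocklist and thresholds are assumptions."""
import hashlib
import hmac
import os
import re
import secrets
import string

# Label-friendly alphabet without look-alike glyphs (0/O, 1/I): an assumption.
LABEL_ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits
                         if c not in "0O1I")
# Tiny stand-in for a real default-credential wordlist (constructed).
COMMON_DEFAULTS = {"admin", "password", "fred", "letmein123", "1234", "12345678"}

def _normalise(s: str) -> str:
    return re.sub(r"[^0-9a-z]", "", s.lower())

def guessability_problems(password: str, public_ids: dict) -> list:
    """Reasons the password would fail the quoted intent; [] if none.
    public_ids holds values anyone can observe (MAC, serial, SSID, ...)."""
    problems = []
    if password.lower() in COMMON_DEFAULTS:
        problems.append("on common-default list")
    # 'password1', 'Device-0042': unique per device but a stem plus a counter
    if re.fullmatch(r"[A-Za-z_\-]{3,}\d{1,4}", password):
        problems.append("looks like stem+counter (unique but guessable)")
    n = _normalise(password)
    for name, value in public_ids.items():
        v = _normalise(value)
        if n == v or (len(v) >= 6 and (n in v or v in n)):
            problems.append(f"derived from public identifier {name}")
    if len(password) < 8 or len(set(password)) <= 2:
        problems.append("too short or too little variety")
    return problems

def conformant(password: str, public_ids: dict) -> bool:
    return not guessability_problems(password, public_ids)

def factory_password(public_ids: dict, length: int = 12) -> str:
    """Draw from the OS CSPRNG, re-drawing on the rare random hit against the
    checker. Nothing device-specific feeds in, so the vendor cannot regenerate
    it later and needs no serial-to-password database: the printed label
    (physical access) is the only copy."""
    while True:
        candidate = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))
        if conformant(candidate, public_ids):
            return candidate

class DeviceAuth:
    """First-boot flow: the label password is accepted only from the local
    interface and only until the owner sets a replacement that conforms."""
    ITERATIONS = 50_000  # PBKDF2 rounds; an assumption for the example

    def __init__(self, label_password: str, public_ids: dict):
        self.public_ids = public_ids
        self.factory_state = True
        self._set(label_password)

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def _set(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.hash = self._digest(password, self.salt)

    def _matches(self, password: str) -> bool:
        return hmac.compare_digest(self._digest(password, self.salt), self.hash)

    def login(self, password: str, via_local_interface: bool) -> str:
        if self.factory_state and not via_local_interface:
            return "denied: factory credential is only accepted locally"
        if not self._matches(password):
            return "denied: bad password"
        return "must-change-password" if self.factory_state else "ok"

    def change_password(self, old: str, new: str) -> list:
        """Returns the checker's problems; an empty list means the change took."""
        if not self._matches(old):
            return ["old password incorrect"]
        problems = guessability_problems(new, self.public_ids)
        if not problems:
            self._set(new)
            self.factory_state = False
        return problems
```

The substring test against public identifiers is deliberately crude; a production checker would also compare against the SSID, the model name and a full default-credential list, and the Ted question above (“could a device force a certain level of password complexity?”) is answered here by the device refusing to leave factory state until change_password returns an empty list.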

SpaceLifeForm November 26, 2021 8:15 PM

@ Ted, Clive, ALL

Silicon Turtles

Our intent is to cover all passwords within the device, including those not normally accessible by the user, such as passwords on administrative interfaces, or within firmware of sub-components.

Note the OR. It may be an /AND.

s/cover/recover/

Ted November 26, 2021 8:58 PM

@SpaceLifeForm, Clive, ALL

Note the OR. It may be an /AND.

So it looks like the start of the list of applicable devices is…

  • Smartphones
  • Connected cameras, TVs and speakers
  • Connected children’s toys and baby monitors
  • Connected safety-relevant products such as smoke detectors and door locks

It sounds like manufacturers and ‘economic actors’ will have a foundational role in complying with security standards, publishing declarations of conformity, and complying with enforcement activity.

I am kind of confused as to what role consumers will have in all this. I wonder what percentage of the default password ban will be invisible to the consumer. And if consumers do have to manage device passwords, what kind of system or platform is going to handle this?

Ted November 26, 2021 9:11 PM

@SpaceLifeForm, Clive, ALL

Re: Checking smart devices for default passwords

According to a report[1] “Those aged 75+ are the least likely to have checked (8%) [for a default password] and also the most likely to say ‘Don’t know’ (14%) which may reflect less awareness and knowledge of technology.”

What do you think of this?

[1] “Consumer attitudes to IoT security” report

https://www.gov.uk/government/publications/regulating-consumer-smart-product-cyber-security-government-response

6449-225 November 26, 2021 10:28 PM

“Those aged 75+ are the most likely (93%) to have left the router published default password in place and set up a honey-pot to lure computer crackers to their doom.”

Adage: “Old age and treachery will always beat youth and skill.”

Dave November 26, 2021 11:04 PM

Good to see the fines also given as “x% of turnover” rather than the standard fixed amount, looks like governments are finally waking up to the fact that for many tech giants it’s far easier to just pay a fixed-amount fine and ignore the problem than to actually fix it.

JonKnowsNothing November 27, 2021 12:42 AM

@All

re: “Those aged 75+ are the most likely (93%) to have left … default password in place

Remember this is what has been taught to consumers:

  DO NOT TOUCH THE CONFIGURATION

A) When an I-Provider(USA) shows up, the installation persons blast in and out as quickly as possible. They spend the least amount of time and rig up the worst connections (1) because the installers only drop the equipment and move to the next drop and someone else is in charge of making it work.

More often than not, they never test the connection beyond the link from the closet to the exterior junction (OK I got a green LED… Let’s go…). There is no documentation and no explanations as everything is configured from the Central Office.

At most, they may show you how to power cycle the system.

B) We have taught end users to CLICK A LINK and now expect them to NOT To Click.

C) We have obscured over and over how things work, made things look “magic like”, over engineered every aspect of the system and wonder how come folks cannot complete something that is “dead easy” but requires hundreds of clicks and hours of configuration file settings while reading up on the differences between PNG v JPG v GIF v BMP and JSON v HTML v RTF v TXT.

They still need to call Tech Support because the vendor forgot to install a required software update package or worse, they didn’t install the correct application software at all. (I cannot find the letter typing program. I am supposed to be able to type a letter. You ordered what? I don’t see anything on your manifest… Yes I ordered it, it shows on my invoice. I want to write a letter! Oh… you don’t have a letter typing program, you have an email program, but you didn’t buy the ISP connection.)

It is not easy

D) Passwords are not intuitive. Much already said about this.

Guard: Caesar, What is the password for tonight?

Caligula: Give us a kiss….

E) Then there is the ladder problem. (2)

===

1) RL tl;dr

A team of installers left the router hanging by the incoming fiber optic line. When I pointed it out, they pulled out common double-sided sticky tape and taped it to the wall. The tape held less than 15 minutes after they left.

An installer set up the 4-pair CAT wire outlets. All worked except 1 outlet. The second-level Tech Support Installer found the first installer had mis-punched the wire order. It took a long time to sort that out because the Telco only provided the tech installer a 2-wire LED tester.

2)

https://www.who.int/news-room/fact-sheets/detail/falls

26 April 2021

Falls are the second leading cause of unintentional injury deaths worldwide.

Each year an estimated 684 000 individuals die from falls globally of which over 80% are in low- and middle-income countries.

Adults older than 60 years of age suffer the greatest number of fatal falls.

37.3 million falls that are severe enough to require medical attention occur each year.

An estimated 684 000 fatal falls occur each year, making it the second leading cause of unintentional injury death, after road traffic injuries.

JonKnowsNothing November 27, 2021 1:04 AM

@ Sumadelet

re: I wonder how this might apply to after-market firmware, such as LineageOS, postmarketOS, and OpenWrt. This might provide manufacturers the weapon needed to close off such things.

Many manufacturers use “tattoos” or “dongles” intended to prevent other hardware, firmware or software from being installed.

Some proprietary systems may list “standard name brands” for specs but these may be customized versions that have “hidden locks”.

Attempts to exchange, repair or fix the item fail because the replacement does not have the secret sauce code required.

iirc(badly) tl;dr

A refurbisher of old computers, legally obtained, lost a court case brought by M$.

Each system had legal rights to a copy of the OS. The refurbisher would download a copy of the OS using the correct authorized code for a set of installation CDs. They would clean the system and reinstall the OS and use the correct serial number for that machine.

M$ claimed that the rights to the serial number and downloaded OS copy only applied to the initial purchaser and could not be transferred to another owner.

The refurbishing company pointed out that these were old machines and M$ no longer provided retail copies of the OS.

Didn’t help.

M$ won the case and afaik, the recycled machines could no longer use M$ OS so the refurbisher switched to Option-L.

SpaceLifeForm November 27, 2021 3:19 AM

@ JonKnowsNothing

DO NOT TOUCH THE CONFIGURATION

LOL

That is the first thing one should do in order to properly secure.

I actually have fun with installer techs. They learn something. If it is a new install, I watch them like a hawk, and make sure they are doing it right. If it is a new issue with existing kit, I usually have already diagnosed the problem, and can save a bunch of time for both of us.

Tech: You know more about this stuff than I do. You could do my job.

Me: Probably, but I do not want to.

JonKnowsNothing November 27, 2021 10:32 AM

@SpaceLifeForm @All

re: DO NOT TOUCH THE CONFIGURATION

LOL

That is the first thing one should do in order to properly secure.

Precisely the problem.

Rhetorical Question:

  • WHY do you NEED to mess with the CONFIG file at all?

One of the hallmarks of tech-types is our innate (or learned) ability to smell where the faults lie in setting up a system. We either learn by failure or sometimes someone else shows us God Mode or we actually read and learn what’s needed.

It’s what makes us LEETS and it’s also what makes our designs fail when handed out to NOOBs. We presume and assume that “It is clear that…” and it’s anything but clear. (1)

We cannot unlearn our knowledge so we presume everyone else has the same. They do not.

CONSIDER

Look at the configuration of the Internet Explorer Browser. There are the first panels with gross-level choices but nothing clear about what they do or do not do. Then click your way to the Advanced Tab, scroll down the list of stuff. You might have 100% full knowledge of every item on the list but the consumer will not. Some of those items are important to “secure” the browser, that’s not saying much but it’s the best one can do with that config file.

Open up Firefox. Their base setup pages of about 5 tabs is similar to IE. Some generalized information but nothing too deep and some of the defaults are WRONG. Then open the Config file (try to pretend you don’t know how to do that either) and scroll down the many pages of options. Some of those are important too. It isn’t probable that a Gran, Grad, FarmerJane or a 5yo will be able to fill in the required blips. (2,3)

afaik, there isn’t a good answer to WHY and there isn’t a good prospect that this will change anytime soon.

CONSIDER

  • IF you need a Registry File to run a system why would you EXPECT someone to know how to edit it?

===

1) My most hated textbook phrases:
  “It is clear that A follows B … ”
and
  “It is left as an exercise to the reader to …”

2) RL tl;dr:

Not long ago, I wanted to “enable” a feature in FF. Normally such a feature is on the main 5 tabs but it wasn’t listed. I looked in the CONFIG file for the option to enable it. I found the line and made the toggle. NOTHING HAPPENED. NOTHING CHANGED. (repeat edit/test several times). After DDG for what’s going on, it turned out that feature had been “deprecated” but the CONFIG option was still there.

You can turn it on, but there’s no one home.

3) RL tl;dr:

[PreCOVID]
A friend with a very old computer that had not been powered up for a long time, needed help. The system insisted that there was NO OS installed. They asked me if they should reinstall the OS. I went to their home and they had a shoe box full of software ready for use. I turned on the computer, saw the error flash then power cycled the machine and entered the Hardware Config.

I switched the PRIMARY BOOT from the A: Drive to the C: Drive.

JonKnowsNothing November 27, 2021 9:20 PM

@SpaceLifeForm

No. The option I was expecting to see had been removed from the release. Only the config options were there for those who had not previously disabled it.

So,

  1. If you had it enabled and then upgraded you kept the option.
  2. If you had disabled it and then upgraded and then tried to enable it, it no longer works.

fwiw: IF you are so inclined, you can copy-paste from an older FF profile or CutNPaste part of the profile configuration to rebuild the UI component. Since only the UI portion is actually missing. The functionality remains like deadwood in the code. The old problem of Legacy Support.

SpaceLifeForm November 27, 2021 10:33 PM

@ JonKnowsNothing

Now I am curious. If you hit ‘ALT’, and then go to about:config does the behaviour change? Or the reverse (about:config, then ALT)?

What exactly are you NOT seeing?

JonKnowsNothing November 28, 2021 12:45 AM

@SpaceLifeForm

re: What’s not there?

It is 100% trivial item, it doesn’t affect the browser. It was a “Recently Visited History” list (not the one in the History section) and was displayed in the Bookmark Library and on the Menu Bar/Bookmarks and Search Bar.

In the Library layout, you can delete categories and folders you don’t want. I had deleted the 2 “Recent Tags” and “Recently Bookmarked” sections. When I attempted to restore them it was a bigger Rabbit Hole than expected.

The feature was removed from Firefox. There is nothing to see unless you happen to have an older version of the browser.

When attempting to restore the missing layout, it didn’t work even though an initial FF suggestion was to enable the Recently Visited options in the Config File. When the options did not return to the UI, I dug deeper and it turns out that feature was removed from the baseline code.

To get the old UI version back, the settings are supposed to be archived in one of the profiles. You have to do some digging if you really want it back. But “what’s the point?” because the option is No Longer Supported.

There are plenty of other history listings, there’s no shortage.

===

https://support.mozilla.org/en-US/questions/1293515

http://kb.mozillazine.org/Viewing_the_browsing_history_-_Firefox

Search On:
FF 77 / how-to-display-most-visited-pages-in-firefoxs-address-bar/

  • Mozilla released Firefox 77 last week and with it came another change of functionality affecting the web browser’s address bar.
  • When you activate the address bar, e.g. by clicking on it, you used to get the list of most visited pages displayed to you; this changed with the release of Firefox 77 as Firefox displays the top sites now
  • Firefox 77 comes without options to undo the change. There is no option or advanced configuration preference to restore the old functionality in the address bar.

lurker November 28, 2021 11:29 AM

@SpaceLifeForm, JonKnowsNothing

DO NOT TOUCH THE CONFIGURATION

The Configuration Editor (about:config page) lists Firefox settings known as preferences that are read from the prefs.js and user.js files in the Firefox profile and from application defaults.

[1. presumably “application defaults” are hard-wired in the code and not necessarily visible in ~/.mozilla/…/prefs.js

[2. ~/.mozilla/…/user.js contains only stuff that the user has changed from default. If it wasn’t in there at upgrade time, and the new version UI config editor doesn’t include it, then pasting from an archived profile might or might not…

[3. prefs.js says

// DO NOT EDIT THIS FILE.
//
// If you make changes to this file while the application is running,
// the changes will be overwritten when the application exits.
//
// To change a preference value, you can either:
// – modify it via the UI (e.g. via about:config in the browser); or
// – set it within a user.js file in your profile.

user.js if it exists is available for tinkering but…

[4. user.js? no longer a plaintext file? DO NOT TOUCH unless you have at least half a clue about .js formatting. Go back to the Desktop with the pretty UI Config Editor and use just what the vendors thought was fit for you…
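
An added example, not from the thread and not Mozilla’s code: a small reader for the `user_pref("name", value);` lines that lurker quotes from prefs.js and user.js, applying them in the order described above (application defaults first, then prefs.js, then user.js overriding both). It shows the one thing lurker warns about in [4], the JS-style syntax, by refusing any line it cannot parse instead of silently dropping it. The file contents are constructed for the example; the pref names are real Firefox preferences but the values are illustrative, and the three-layer model is a simplification of what the browser actually does with its preference sources.

```python
"""Added example: parse user_pref(...) lines from prefs.js / user.js and
compute the effective preference set. Not Mozilla's code; the sample
files below are constructed and the merge model is simplified."""
import re

# user_pref("name", value);  where value is a JS string, true/false or an int
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|(true|false)|(-?\d+))\s*\)\s*;\s*$'
)

def _unescape(s: str) -> str:
    # Only backslash escapes matter inside a JS string literal here.
    return re.sub(r'\\(.)', r'\1', s)

def parse_prefs(text: str) -> dict:
    """Return {name: value}. '//' comment lines and blank lines are skipped;
    any other line that is not a well-formed user_pref raises, so a stray
    quote or missing semicolon never silently drops a setting."""
    prefs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("//"):
            continue
        m = _PREF_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a user_pref line: {line!r}")
        name, s, b, i = m.groups()
        if s is not None:
            value = _unescape(s)
        elif b is not None:
            value = (b == "true")
        else:
            value = int(i)
        prefs[_unescape(name)] = value
    return prefs

def effective_prefs(app_defaults: dict, prefs_js: str, user_js: str) -> dict:
    """Defaults, then prefs.js, then user.js (read last, so it wins)."""
    merged = dict(app_defaults)
    merged.update(parse_prefs(prefs_js))
    merged.update(parse_prefs(user_js))
    return merged

def user_overrides(app_defaults: dict, prefs_js: str, user_js: str) -> dict:
    """Everything that ends up different from the application default."""
    eff = effective_prefs(app_defaults, prefs_js, user_js)
    return {k: v for k, v in eff.items() if app_defaults.get(k) != v}

# Constructed sample files. The header comment is the one lurker quotes.
PREFS_JS = """// DO NOT EDIT THIS FILE.
//
// If you make changes to this file while the application is running,
// the changes will be overwritten when the application exits.
user_pref("browser.startup.homepage", "https://example.test/");
user_pref("network.cookie.cookieBehavior", 4);
user_pref("privacy.resistFingerprinting", false);
"""
USER_JS = """// per-user overrides; read after prefs.js, so these win
user_pref("privacy.resistFingerprinting", true);
user_pref("network.cookie.cookieBehavior", 5);
"""
# Stand-in for the compiled-in defaults lurker mentions in [1]; illustrative.
APP_DEFAULTS = {"network.cookie.cookieBehavior": 4,
                "privacy.resistFingerprinting": False}
```

Running `user_overrides(APP_DEFAULTS, PREFS_JS, USER_JS)` on the constructed files reports the homepage and the two user.js values as the settings that differ from the defaults; a setting that JonKnowsNothing’s “nobody home” deprecation removed from the code would still parse and merge here, which is exactly why a file-level check cannot tell a live preference from a dead one.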

name.withheld.for.obvious.reasons November 28, 2021 2:34 PM

I assume that commercial consumer-facing routers provided by ISPs are within the classification of IoT devices the UK would target; as such, an anecdote:

Funny thing, back a few years ago when routers and ISPs had hardware agreements for consumer/customer devices, the default password would often be the MAC address, but that is advertised via ARP requests. At a co-worker’s home, I set about the task of setting up the router and computer systems. As I went to secure the configuration, I noticed something was amiss. Having made the changes to some of the default accounts and service accounts I could not see the change to the local router’s addresses and gateway through the physical LAN interface. The wireless link worked though…hum…

Oops, it was the neighbor’s router, which was identical; both were using the local ISP provider for services, and I had inadvertently reconfigured his neighbor’s device. I apologized to the co-worker and busily restored the neighbor’s router back to the original config. It was amazingly embarrassing to have made such a mistake but a clear indication of just how poorly the ISP/router vendor relationship worked. Or, depending on your perspective, just how well it did work.
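
An added example, not from the thread: the anecdote above rests on the default password being the router’s MAC address, and the MAC is in every ARP frame the router sends. The block below builds a constructed ARP request, parses it the way any host on the same segment could, and lists the formatting variants of the sender MAC that an attacker would try as the password. The frame, the addresses and the list of variants are my assumptions about how a vendor might print or use the address, not a description of any particular product.

```python
"""Added example: decode an Ethernet/ARP frame and derive the password
candidates implied by a 'default password = MAC address' scheme.
The frame and addresses are constructed for the example."""
import struct

ETH_P_ARP = 0x0806

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(frame: bytes) -> dict:
    """Ethernet II header (14 bytes) followed by an RFC 826 ARP packet
    (28 bytes for Ethernet/IPv4). Anything else is rejected."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP handled")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "op": {1: "request", 2: "reply"}.get(oper, oper),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }

def candidate_passwords(mac: str) -> list:
    """Formatting variants a vendor might have used; assumptions, de-duplicated."""
    hexd = mac.replace(":", "").replace("-", "")
    variants = [hexd.lower(), hexd.upper(), mac.lower(), mac.upper(),
                mac.lower().replace(":", "-"), hexd.lower()[-6:], hexd.upper()[-6:]]
    seen = []
    for v in variants:
        if v not in seen:
            seen.append(v)
    return seen

def build_arp_request(src_mac: bytes, src_ip: bytes, target_ip: bytes) -> bytes:
    """Constructed 'who-has' broadcast: the kind of frame every LAN host sees."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src_mac, src_ip, b"\x00" * 6, target_ip)
    return eth + arp

# Constructed sample: a router at 192.168.1.1 asking who has 192.168.1.23
SAMPLE_FRAME = build_arp_request(bytes.fromhex("001a2b3c4d5e"),
                                 bytes([192, 168, 1, 1]), bytes([192, 168, 1, 23]))
```

The point is not the parser but the threat model: a credential equal to, or derived from, an identifier the device broadcasts is public to the segment, so the PSTI intent quoted earlier (unique per device is not enough if it is still guessable) rules it out even though it is technically unique per device.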

Clive Robinson November 28, 2021 2:43 PM

@ 6449-225, JonKnowsNothing, lurker, SpaceLifeForm,

Re Amazon link to the book,

Projection Factorisations in Partial Evaluation

There is no need to buy the book.

It’s an over thirty year old PhD thesis from John Launchbury, that you can, as with many theses, download. One download for it is from Glasgow University in the UK where he submitted it,

http://theses.gla.ac.uk/78055/1/11007334.pdf

I skim-read it back in the 90’s as part of prepping for doing my own PhD; it’s not a difficult read and actually does not require very much pre-knowledge. I was in particular looking at what was back in the early 90’s called “Mixed Computation”(MC) where you develop small programs that are tightly bound to extracting information from large data sets (something we sometimes do with ML these days).

I was looking at using MC to develop “tasklets” that would run “securely” on world-wide-spanning databases each of which only held a partial data set. The aim was, amongst others, that researchers could gather their data with minimal information leak to others such as the owner/operators of the data sets (talk to drug company researchers about how paranoid they are about research leakage and how it prevents them from using large online databases or even citation DBs like MedLine unless they fully control it).

I won’t go into the dull details, but I could not find a sufficiently adventurous supervisor and reader[1] until too late, when other factors in my life precluded me going forward.

It’s a shame, because some of the ideas I worked out are still not really “found” by others yet, and I suspect that has a lot to do with the likes of a small number of Silicon Valley Corps, where the last thing they want is you to be able to do things without them knowing…

Oh, for those that do not know, “Mixed Computation”(MC) and “Partial Evaluation”(PE) had a great deal in common. Though coming from different view points and with some significant differences, such as PE was a chase for “efficiency” whereas MC could be used to find efficiency or other requirements like security and side channel elimination. Back in the late 80’s and 90’s everything was about “efficiency” not “security” so many regarded MC and PE as equivalent…

If you ever wondered where I came up with the meme “Security-v-Efficiency” well now you have a clue 😉

Be warned though, it is a “rabbit-hole” domain / field of endeavor. It really requires you to have a very very broad cross-domain knowledge both in breadth and depth (which both the research and academic career paths tend to dissuade).

[1] In essence getting a PhD was at the time a bit of a con. In essence you had to do somebody else’s “research”; they published the results (as they had a PhD). And… as a reward, if it was felt you had “played the game” you got a PhD which was your entry level token into “publishing” and “Conference Speaking” that would allow you to start a career in research or academia (neither of which particularly interested me as career options, something I’m thankful for seeing how people are treated in those career paths these days).

Ted November 28, 2021 6:24 PM

Finally it seems someone has found and made available a draft copy of the UK bill.

https://regmedia.co.uk/2021/11/26/psti_bill.pdf

Some of the real kickers for me are seeing how the reporting, compliance, and enforcement processes work out.

The Register had this to say:

As for enforcement of these new regs, UK.gov isn’t messing around. A government statement said: “This new cyber security regime will be overseen by a regulator, which will be designated once the Bill comes into force, and will have the power to fine companies for non-compliance up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.”

The bill’s third chapter deals with Enforcement. I have been searching for iot enforcement or compliance examples in the US as they relate to California or Federal laws, but haven’t found much that is publicly available.

https://www.theregister.com/2021/11/25/product_security_telecoms_bill_parliament/

SpaceLifeForm November 28, 2021 10:24 PM

@ name.withheld.for.obvious.reasons

Obviously, the neighbor never secured their router.

If you always configure the router (disconnected from WAN) via ethernet cable, you normally catch any problems immediately.

Lsuoma November 29, 2021 9:10 AM

@ 6449-225 , Clive Robinson

6449-225 added an associates tag to the URL, so someone will get money if anyone does buy it.

Also, people should stop using the “exec/obidos” version of URLs – that was made obsolete over a decade ago.

Makes me wonder how long this person has been hawking the monetized version of the URL.

bassman1805 November 29, 2021 9:50 AM

When I was in college, I went on a school trip to Peru. We visited a tech school while we were there, and spent a decent time stuck waiting in some kind of lounge room. None of us had cell connection, and the wifi was protected (you could connect without a password, but got redirected to a university sign-on page that we had no login for). Being facebook-addicted millennials, this was a serious conundrum. One of the students (a geology major) tried connecting to 192.168.1.1 and using “admin”/”password” to log into the router. It worked, they created a new admin account (under the name of our band director XD) and we got our fix of precious facebook likes until it was time to move on to the next portion of our visit.

Moral of the story: If your security is hackable by a geology student, maybe it’s not even worth calling it “security”

6449-225 November 29, 2021 11:03 AM

@ Lsuoma @ Clive Robinson

Re: bad URL

My apologies, I just grabbed the first link I saw when searching, which happened to be Amazon.

I’ll stick to author, title and ISBN from now on !

6449-225 November 29, 2021 11:12 AM

@ bassman1805

hackable by a geology student

In a lecture years ago, someone who knew about these things said that out of all technical disciplines, geologists made the best anti-submarine warfare specialists, because their geology training thematically consisted of finding reasonable ways to complete a picture when only partial information had been supplied as data. The same kind of thinking would now seem to be fruitful in computer security.

ResearcherZero December 2, 2021 5:25 PM

@bassman1805

The local restaurants and cafes all have better security than many of the state government departments. Important departments too, ones that handle finances, and the kinds of departments that may contain important information.

Hopefully other countries will follow the UK with their own laws, and there will be further improvements to these laws. There are some government security laws, but little governing consumer products.

There is also the Telecommunications (Security) Act in UK which will give Ofcom new powers to monitor the security of telecoms networks. Fines of up to 10% of turnover or £100,000 a day can be issued for those that fail to meet standards.
