Please don't. With some funding from China, I'm currently running a massive worldwide operation, which allows me to spy on hundreds of millions of unsuspecting Master Lock users; allowing me to track, among other things, where every bike user is at all time, as well as record what they are doing.
If only it weren't for you meddling kid.
Analogies, aren't they great?
(Since it's apparent that sarcasm can't be read: "Stealing bikes" isn't the same bloody thing. Why even make that analogy?)
If this danger is real, isn't it best to inform the consumer, or perhaps use a lawsuit to force a recall, rather than destroying other people's hardware?
Does this concept apply to software? When the next large-scale RCE 0-day drops, does it make sense to use exploitation to destroy as much as possible in order to pressure the developers to ship a secure product? Since, the hacked machines certainly could allow an attacker lateral movement to sensitive data.
a lawsuit requires people 'smart' enough to even know they were hacked, and for a recall they need to decide if the cost of a recall is cheaper than legal/settlement fees, ( i learned this from Fight club) lol -- however -- WARRANTY replacements of devices because a hacker breached security and bricked it--this could be a LOT faster way to force them to recall.
How, like 5% of people that buy electronics actually turn in the warranty cards. No, they will sit on the shelf for years polluting the internet with DDOS attacks and spam.
>es it make sense to use exploitation to destroy as much as possible in order to pressure the developers to ship a secure product?
Yes. That is also why I backup data using multiple methods including off line ones.
Vigilante or blackhat doesn't matter. The next RCE will gladly spit copies of CryptoLocker everywhere if they could get ahold of it.
The internet is a dangerous and well connected place. If lived China, I would think it's funny if I wiped a few large US corporations off the map because they used a DLINK webcam. And there is only a tiny chance in hell they would ever find me.
There's a few things missing in this comparison, most notably the bike manufacturer isn't claiming the bike is already secure ("auto-locking" bikes) or making additional security challenging (bikes that locks are very hard to install on) or generally profiting from an environment of misinformation about bike theft and bike safety.
Additionally theft of property has a personal gain for you.
I'm not sure I ethically support the hacker's actions, but I don't think the bike example has the market/awareness effects that make it at all defensible.
What kind of stupid person would think that we could have a cooperative, functional society where I can just be careless with my bike, right?
What's the problem with these people?
Sarcasm aside, I live in Brazil, ask any Brazilian who stayed on an European country what was the biggest difference: "I could feel safe anytime, without worrying about my stuff".
That really shapes the mind and behaviour of people.
Which is great, in theory. But devices in Europe are just as accessible to Brazilians as they are to anyone else. Unless a device is locked down to local access, you can't have "safe neighborhoods".
> What kind of stupid person would think that we could have a cooperative, functional society where I can just be careless with my bike, right?
Isn't this actually a really common sentiment, though? I've lived in several places where leaving a bike unlocked for 5 minutes, or sloppily locked for an hour, means you're going to lose it.
That doesn't make the theft acceptable, but if a friend borrowed your bike and left it unlocked you'd still get mad at them.
Reshaping society so this stuff doesn't happen is great, but on an inside-view level we treat crime as sort of an inevitable "someone will do it" force.
> Reshaping society so this stuff doesn't happen is great, but on an inside-view level we treat crime as sort of an inevitable "someone will do it" force.
I don't disagree with you, however I think there are some levels to this concept, e.g. how two different locations would differ if it was: a lost wallet, a somewhat clear opportunity for embezzlement, a bike stopped in front of a coffee shop?
I understand what you're implying, but no one is "allowing" their hardware to be used criminally. At least in the U.S., our personal property system is permissive i/e you may not use my things without permission. So, using an IoT device as provided by the manufacturer is "allowing" its misuse so much as leaving my backyard gate unlocked is "allowing" criminals to park their stolen goods in my backyard.
Ok, but we do have "attractive nuisance" laws. If you leave out a trampoline next to barbed wire, you can be accountable even if you didn't actually permit anyone to use it.
This actually seems much closer to the IoT issue than theft. The maker and user of the device have created an inviting target which will cause harm to someone other than themselves. Even if the eventual attack is illegal, they can still be held accountable for making it so likely.
Honestly, I've never heard of a law like that. The U.S. is a big place; whereas that may be the case in parts of the country, in the south where I'm from, that's never become known to me, especially in the rural areas where I grew up. Instead, the people using your things without permission are at the very least trespassing.
IANAL, and I can't find a definitive statement of where the doctrine applies, but I see it referenced in cases in many US southern states (AL, GA, AR, KY, FL, TX). I know that the particulars vary in many states, based on precedent and statute, but I'm not aware of anywhere it's absent entirely. Hopefully someone more knowledgeable will come along and clarify.
Note that "attractive nuisance" is specifically about trespassing children.
It's a very well entrenched common law concept. The same goes for swimming pools: if you build a swimming pool and don't put an adequate fence around it, and a kid comes by, jumps in and drowns, you're probably going to be found liable (not criminally, but you can be successfully sued for it)
The only attractive nuisance laws I've heard of applied to children. If you have a swimming pool without a fence, and a child sneaks onto your property and drowns you are liable.
IANAL, and it's hear say, but I had thought this was something everyone knew.
A poor choice of words on my part. That aside, the point remains: poorly secured IoT devices cause real harm to others in a way that a poorly secured bike does not.
Very different. If you can bust an insecure lock you can steal a bike. If you bust an insecure IoT device, you can steal data from potentially thousands or millions of people.
I am not sure this is a good analogy. Stealing a bike only effects one person. an IoT device that brings down the internet in a DDOS attack impacts everyone.
Well, the manufacturer provided lock is a piece of string connected to an index card that says "do not open", and the bikes are being regularly used in crimes against the public at large.
Given the owner of the bike could conceivably be held liable for the use of their bike to commit crimes, the janit0r who decided to clean up this crap comes across as the lesser of two evils.
I feel like a more accurate analogy is that you are going to start breaking into poorly secured garages and destroy people's bikes so that the owner can't ride them anymore.
While I am on the fence with a lot of what is happening, I would have thought a more appropriate analogy would be to: Break into a poorly secured garage, that has been sold as a single unit to the customer, seal the door and any other access via welding so that no one can ever use the garage ever again.
