Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
, 11 tweets, 2 min read Read on Twitter
Among the many reasons IoT security isn't important is because your threat model is messed up. You are thinking in terms of Mirai-style worms, but that's because you haven't paid attention to the technical details.
"But Rob, 10 billion new IoT devices will be attached to the Internet in the next couple years, the Mirai-type threat is real!!"

Um, IPv4 has only 4-billion possible addresses.
IoT devices are overwhelmingly being put behind NATs or random IPv6 addresses, which means a Mirai-style worm can't infected them.
Mirai infected Telnet services, exposed port tcp/23. The number of exposed tcp/23 on the Internet is trending downwards, not upwards, as billions of IoT devices are attached to the Internet.
This is generally the case for all ports: those that are trending upward are associated with Internet services, not IoT devices. Billions of IoT devices have been added to the Internet since Mirai AND I CAN'T SEE THEM WITH MASSCAN.
In government policy circles, "DDoS" has been synonymous with "IoT" since Mirai. Fun fact: we've had many worse DDoS attacks since Mirai's, and none of them were based on IoT.
In government policy circles, "Botnet" has been synonymous with "IoT" since Mirai. Fun fact: infected Windows machines comprising botnets are orders of magnitude larger than infected IoT. "Botnets" are still a Windows problem, not IoT.
Yes, it's true that in the IoT product space there's batshit crazy insecurity going on.
Yes, it's true billions of these things are being added to the Internet.
But the conclusion isn't there's some massive looming security problem.
The solution policy makers most want is "auto-update" on IoT devices, so vulns can be patched quickly. This is because policy makers don't pay attention. It means a hacker can compromise a vendor and push out a botnet autoupdate.
The most costly hacker attack ever is the NotPetya worm. It was launched as an autoupdate from a compromised vendor. Mirai was around 200,000 infected machines. Even a small vendor can have millions of customers.
So what you are doing is trying to solve lots of low-grade problems with a smaller number of really huge problems. Low grade Mirai-style infects are much preferable to one big NotPetya infection.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Robᵇᵉᵗᵒ Graham
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ErrataRob see all

Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
1/ Boeing is shipping a software patch for the MCAS system implicated in the two 737 MAX crashes. Many people are calling the problem a "software bug". This is incorrect. It's a design flaw, not software flaw.
2/ I mention this because there people who want the government to regulate software bugs/vulns. They cite disasters where software is involved to justify their desire to regulate. However, much of the time, a software bug/vuln isn't at fault.
3/ Such is the case here. The software is behaving exactly as design. However, the design was to rely upon a single sensor to control the tail fins, and if that sensor was faulty, to cause the plane to dive.
Read 4 tweets
Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
It's important to note in this "Facebook plain-text password" story that the passwords are being stored with salted scrypt hashes, that's not the issue. Instead, the issue is inadvertent logging of web requests -- which happen to contain clear-text passwords.
2/ The analogy is that Facebook has all the proper locks on the doors -- but somebody left the window open.
3/ It's a common problem that all companies have. It should be one of the first things you audit in your security architecture. Don't simply verify passwords are hashed, also verify with the web team that they don't get logged along with all the other web input.
Read 6 tweets
Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
So I'm reading the @DevinNunes butthurt lawsuit.
BTW, calling somebody a "treasonous cowpoke" is not defamation, even if it weren't true.
I'm not sure if the @DevinCow misleads or confuses anybody into believing it's actually Devin's Cow. If you feel mislead by this, please respond to this tweet so I know that such people exist.
Read 4 tweets

Related threads

Profile picture
Alexandra Erin
@alexandraerin
So, one thing I have to say about Season 3 of @OneDayAtATime is that they clearly have a vision for the show. It's a 22 minute sitcom, and if you caught an episode at random somehow it would stand on its own, but each major beat is set up in previous episodes.
And it's really interesting as someone who grew up watching 26 episode seasons written by large groups working in teams, with characterization varying wildly and more scattered callbacks than continuity and a lot of asynchronous/anachronic stuff...
...to watch a 13 episode sitcom where the ratio of "topical/very special" episodes to other ones is so much higher but it *works* because the issues have weight and presence that begins before the spotlight episode and continues after it.

But it's still a sitcom.
Read 13 tweets
Profile picture
Alex Hardy 🦊🦔
@CantHardyWait
Wow. "How to be Successful" by @sama is simply one of the best career guides I have ever read.

I'll summarize Sam's tips below but DEFINITELY check the full post out.
1 Compound yourself
2 Have almost too much self-belief
3 Learn to think independently
4 Get good at “sales”
5 Make it easy to take risks
6 Focus
7 Work hard
8 Be bold
9 Be willful
10 Be hard to compete w/
11 Build a network
12 You get rich by owning things
13 Be internally driven
1. Compound yourself 📈

Make your career compound—most careers are linear

Each unit of work should generate more & more results. Get your leverage from capital, tech, brand, network effects & managing people

Try to add another zero to whatever you define as your success metric
Read 32 tweets
Profile picture
T. Greg Doucette
@greg_doucette
Without diving into this particular case, this type of attorney letter is a stall tactic when you think you're going to lose on the merits
The latter. Assume this were a run-of-the-mill Title VII case; typically Plaintiff's attorneys strike at the point they have maximum leverage, which Ford had. You delay when you hope some external event will turn up useful info instead

She may very well be telling the truth. But the FBI is not going to investigate, because even if we assume she's telling the 100% truth, there's no *federal* crime that took place. It's a dodge.

Read 200 tweets
Profile picture
Mr. Ø
@mr_z_ro
Just had quite an interesting experience with @verisart's #blockchain for securing authenticity certificate, provenance, and other metadata around a recent purchase of art that I made, and now have a few thoughts to document for later reflection. 1/
First, while my honest initial impression was "huh, shame that someone's gone and blockchained something as pure as art as part of this DAPP money grab," it is in the end quite nice to have a cert ostensibly locked in, & useful if I ever decide to sell it, give as a gift, etc. 2/
That said, there are some hiccups along the way that need to be kept in mind when trying to convince people to flow with this "Don't want to trust humans? Easy, just trust #blockchain and peripheral technology [that was developed by humans]!" cognitive dissonance. 3/
Read 11 tweets
Profile picture
Olufemi Osasona
@OsasDapheel
Many people are too consume with the idea of owning a plot of land so sometimes feel too elated to do due verifications before making payment. In this thread, i will tell you how a survey plan search, an essential land check can save you from land trouble. THREAD👇👇👇
Before i go ahead, it is essential we understand what a survey plan means: A #Survey plan is a document that measures the boundary of a parcel of land to give an accurate measurement and description of that land #RealEstate #LandDebate
The people that handle #Survey issues are Surveyors and they are regulated by the office of the Surveyor general in #Lagos as it relates to survey issues in Lagos. #RealEstate
Read 18 tweets
Profile picture
Larry Schweikart
@LarrySchweikart
1) As you see the latest Twitter war between Trump and Father Ball, it is useful to revisit a strategy that I believe Trump has used since January.

In the past I called this "cheese in the maze."

2) I believe it is DELIBERATE, that Trump/Bannon landed on this in December.
3) It is a strategy that has to date continued to baffle many of Trump's supporters and virtually all of his detractors.

4) The premise was that the media was so hostile to Donald Trump that it would not remotely cover any policy or initiative or achievement fairly.
5) Indeed, the era of "news" was over, as was shown in the campaign. There is only vile, blind hatred by the "media"---even Faux.

6) Trump knew early on NO policy of his would get reasonable coverage of the facts.
Read 15 tweets

Trending hashtags

#MacroResearch #IoT #Hitman #ThiefTDP #Security #DrlytleNG #BeepBeep #agricultural #OK05 #StopBrexit #AMAZE #founders #ICCPR #MSI #Tariffs #LandDebate #Survey #sitg #DisabilityTwitter #IntellectualProperty #Syria #genY #Ikorodu #threats #RealEstate
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!