by alias_neo 2678 days ago
It's a difficult choice. In a way, you can see it as a free pen-test on your network.

I don't even think it's a case of trusting them, because if they get access to webcam data or something else that they shouldn't, assume someone with less well-meaning intentions can and has also done so.

Yeah - this is exactly the root of what I'm getting at. Nobody really knows who "the government" really is. They're so bad at keeping their own secrets secure and in the right place - I sure as hell don't trust the least common denominator among gov't employees when it comes to privacy and ethics to have anywhere near the kind of observation into my life they already have from a squad car filled with feds and a telephoto lens...
Well, in this case, it's the NICT (National Institute of Information and Communications Technology) and it sounds like their efforts will stop at rainbow-tabling the devices such as IP cameras etc, to see which have default credentials or weak credentials.

The problem is that the normal, everyday people who run these devices, for the most part, don't understand that not only are they open to the internet, most manufacturers provide Dynamic DNS making it painfully easy to search for them. Further still, these manufacturers set the same default password for every device. Some have been known to leave the "empty" credential slots usable. Due to poor programming, you could simply log in with no credentials at all.

I have to agree, I'd be hard pressed to decide whether I would or wouldn't accept this "survey", but, with notice, like people are being given here, you can mitigate the risks (cover the cameras, remove the data etc) and be told there are weaknesses in your system, or alternatively, not know and have some unknown accessing them at any point they wish, for any reason they wish.
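
The two failure modes named above (a factory default that is never changed, and an "empty" account slot that still accepts a login) are easy to reproduce in a few lines. The following is an added example written for this page, not code from the thread or from any vendor's firmware: the account table, the credential list and the function names are all constructed for illustration, and the credentials are held as plain strings only so the comparison logic is visible. It shows a sloppy login check beside a hardened one, and a small default-credential probe of the kind the survey is described as running, so you can see why the first table falls over and the second does not.

```python
import hmac

# Constructed account store imitating an IoT camera's firmware defaults:
# one factory default that was never changed and one "empty" slot left enabled.
VULNERABLE_ACCOUNT_TABLE = {
    "admin": "admin",   # same default on every unit shipped
    "user": "",         # empty credential slot, still accepted by the check below
}

# Constructed store after the device forces a password change on first boot
# and disables any account without a real password.
HARDENED_ACCOUNT_TABLE = {
    "admin": "correct-horse-battery-staple",
}

# Constructed candidate list; a real survey would use a vendor-specific list.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", ""),
    ("root", "root"),
    ("user", ""),
    ("admin", "12345"),
]


def vulnerable_login(table, username, password):
    """Mimics the sloppy firmware check: whatever is stored is compared
    directly, so an empty stored password matches an empty submitted one."""
    stored = table.get(username)
    if stored is None:
        return False
    return stored == password


def hardened_login(table, username, password, min_len=8):
    """Rejects empty or short credentials on either side, regardless of what
    the account table contains, and compares in constant time so a probe
    cannot learn anything from response timing."""
    stored = table.get(username)
    if stored is None:
        # Burn the same comparison cost for unknown users as for known ones.
        hmac.compare_digest(b"x" * min_len, password.encode())
        return False
    if len(stored) < min_len or len(password) < min_len:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def probe_defaults(login, table, candidates=DEFAULT_CREDENTIALS):
    """Try each candidate pair the way a credential survey would and return
    the pairs that were accepted. This is the step a banner-only scan skips."""
    return [(u, p) for (u, p) in candidates if login(table, u, p)]


if __name__ == "__main__":
    print("vulnerable:", probe_defaults(vulnerable_login, VULNERABLE_ACCOUNT_TABLE))
    print("hardened:  ", probe_defaults(hardened_login, VULNERABLE_ACCOUNT_TABLE))
```

Running the probe against the vulnerable table finds both the unchanged default and the empty slot; running the hardened check against the same bad table finds nothing, because the check refuses short and empty credentials before it ever compares them. Note that the hardened check is only a backstop: the real fix on a device is to ship without a shared default and to refuse to expose the login page until the owner has set a password.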

Yeah, but all information they might gather here is already available for anyone else who wants to run a scan.
What would happen if a plebeian performed this free pen testing? I think we have several examples.

In several countries pen testing tools for plebeians are even illegal.

Sure, it's one rule for them, and another for everyone else.

But, let's be reasonable for a second, Japan is concerned that if people's networks aren't secured before the Olympic games, these vulnerable devices will be used by outside attackers to disrupt systems, potentially costing the country significantly.

It's well known that IoT devices on the market are poorly implemented and poorly secured and rarely-to-never updated by the manufacturer.

People run pen tests every day. You might know https://www.shodan.io/ ?
Note that Shodan doesn't try to authenticate with the devices - not even using default credentials. This is different from what Japan is proposing; they want to try various default credentials to identify devices that could be used for various attacks (e.g. Mirai).
So is arresting someone unless you're a police officer...