Many consumer devices can be selectively targeted for updates. The entities that control the update servers are controlled by the states that they are a part of. People seem to have forgotten that companies once felt the need to invent warrant canaries to warn when they had received non-public court orders. Presumably they can also be forced not to remove the warrant canary.
Edit: My first read had me interpret backdoor as any undetected means of gaining access to a device/system. I have updated by definition to mean using a flaw in the system left intentionally to gain access. This somewhat negates the need for my previous comment, but I'll leave this for illustrative purposes.
How user antagonistic changing code on IoT devices should be is highly dependent on the threat model for the devices. I'm happy to trust home users to flash their lightbulbs and door locks (though the company might not see that as acceptable to their brand reputation if their lock is compromised nonetheless), but I would prefer not to trust the hundreds of IT departments and engineering teams to properly vet the code they are flashing onto industrial control systems when lives are at stake - centralized authority and accountability with high visibility on the code base that is flashed to the devices is what is needed there.
Are you familiar with the academic field of security and the notion of trust in trusted computing? The IoT devices that is being discussed in the article are for industrial control systems, not necessarily your home lightbulb. The threat model is different. Do you want every municipal power company to be trusted to properly vet the code they are putting on these devices, or do you want to trust the device manufacturer to be the one who can put code on the devices?
Owner is still owner, be it someone who lives in a single family residence, or that of a municipality.
In my area, tornado sirens are unencrypted aand a simple recordable and replayable frequency. The cost to add an encrypted radio connection is $100k for the base station, and $25k per siren. There are 80+ sirens.
If this were open source, then a simple computer could he retrofitted to do this. But because they are highly proprietary, the county would be on the hook for $2.1M just to defend against an asshole with a HackRF.
FLOSS and open principles should matter to governments as well as individuals. Trading temporary easiness for no long term usability is utterly ridiculous. And you end up with a doorstop in the end either way.
And who can push new code after the manufacturer's bankruptcy? I've worked in IoT and I'd say the biggest security problems are in this order:
- Devices requiring Internet access for functionality that could have been done locally
- Hardware SDKs which are basically abandoned forks by manufacturers so IoT companies ship stone-age kernels and device drivers
- The usual stuff: too much complexity, lack of tests, bad documentation, meaning old parts of the software get forgotten (but remain exploitable)
Theoretical waxing about trusted computing and remote attestation does seem disingenuous when problems with non-certified firmware is probably not even in the top 10 in the real world. Notice how the article author mentions some scary attacks but conveniently omits how the attackers actually gained access?
What alternatives come to mind when asking that question? Not being in the PKI world directly, web of trust is what comes to mind, but I'm curious what your question hints at.
I honestly don’t know enough about it to have an opinion, have vague thoughts that dns is the weak point anyway for identity so can’t certs just live there instead but I’m sure there are reasons (historical and practical).
While YMMV, a fear response is a choice. You can have all the rational reasons to be afraid (like the bottom of your hierarchy of needs being unmet) and choose to act out of cold rationality rather than fear. Then it becomes a self-fulfilling prophecy - if you can act without fear even when there is justified reason to be afraid, you will be able to easily do so when it isn't justified.
"... is called a delusion". What I am suggesting is not delusion, it is mindfulness and cutting through delusion. When one is presented with something that elicits a fear response (whether the stimulus is rational or not) the goal is to quiet all of the "lizard brain" reactions, and instead formulate a well reasoned response. "Fear is the mind-killer" - while from fiction, still rings true to me - if you react out of fear you will short-circuit internal processes that are far better at long-term reasoning even when at the expense of short-term comfort.
It's really just about giving yourself enough time to think before you respond. That's the entire difference between a reaction and a response. You can use dialectical and cognitive behavioral therapies to help develop the tolerance to do that. Mindfulness and meditative practices like those in zen buddhism have proven helpful to me as well.
Perhaps you're taking an extreme interpretation of my using the word "logic" and instead you could use "wise mind" or even just "considered thought" as the response in lieu of an emotional one.
As someone who is more in the middle of my career rather than the end of it, I would like to echo your sentiment. I have had plenty of roles where I was tasked with things that were out of my depth, and the answer is to just not let it be. There is always a path to get the answers/skills you need to do what is asked of you, you just might not know the path yet, so the core skill (and where I think fear comes into the process) is accepting that not knowing something now is never a hinderance so long as once can do self-directed learning. The rest is reality testing if what you just learned is actually able to solve your problem. If it isn't, then repeat ad infinitum until it is.
More than a decade ago I was hired as an intern at Colgate-Palmolive as a software developer. Turns out they were(are?) one of the largest SAP deployments in the US. The entire company revolved around SAP. Due to lack of college graduates knowing SAP, they took great pains to treat me extremely well and train me (a CS major) in ABAP using SAP Netweaver.
My project was more ambitious than the rest of the group because I had enough courage and bravado to be assigned a project like that. In fact I made it a point to be 'brave' and make myself look really good in front of the upper level managers. I tried to know everyones name, even in other departments and to be super polite and humble around any sort of manager there. When I finally got some tasks to do, I was so miserable that I finished multiple days without getting anything done. I felt so depressed thinking that I slogged through four years of CS for this?
In the end I managed to finish last in the cohort and Colgate took the rare(at the time)decision to not extend me a full time offer. I felt like a complete failure because I didn't put in 100% and I felt like I let my mentor down.
At the same time I know that I truly hated it. To this day seeing pictures of SAP GUI gives me anxiety and makes my stomach turn. How do you overcome something like that and push on? It does not always seem like a sure thing. I sometimes think what if I had pushed through and gotten the offer? I'd probably still be at Colgate like my mentor was.
With the benefit of hindsight I have learned to be super appreciative and thankful for them treating me so well but im glad circumstances led me to not ending up there. But really who knows if it would have been better in the long run? Whenever I see Colgate it actually evokes positive memories of that time. But the biggest thing I learned was to not bite off more than you can chew and if you don't truly love what you are doing there is another path out there.
"How do you slog through something you truly hate?" - I don't.
When signals that a role is not aligned with my needs start cropping up, I begin searching for a new role passively, and as the situation develops I speed up my search.
"I felt like a complete failure because I didn't put in 100% and I felt like I let my mentor down" - to thine own self be true. I have failed to put in 100% at some jobs, and sometimes i regret it more than others. I have narratives that legitimize my laziness or lack of commitment based on some previous slight from the company, or a missed promise on their part, but I hold myself accountable.
"How do you overcome something like that and push on? It does not always seem like a sure thing"
Resilience is a wildly varying trait of folks, and depends on your emotional and mental state. "First world problems" are a great example, one when is socialized at a certain comfort level, missing that causes distress. Some working conditions are truly untenable, in which case do what you have to do, but otherwise do the best with the situation you're given.
Same here. I've worked really hard to not end up in miserable position. I also realize there are things not in my control. If work changes, you can either change work or just leave. Leaving is often the much better option.
This reminds me of the Zen Koan where the teacher holds a stick.
The teacher says to the student, “If you tell me this stick is real, “I will hit you with it. “If you tell me it is not real, I will hit you with it. If you say nothing, I will hit you with it.”
And so, the student reaches out, grabs the stick, and breaks it.
I have a similar tale. A semester before college ended, I got a professor who worked for a large company in the poultry business. I was one of the few people who was doing well in the Java 101 class and I was also going out of my way to help a few people struggling with it. Because of my tenacity, he decided to give me a
short internship in IT.
Long story short, it didn't go well. I struggled to fit in, they threw me straight into the fire, and the people around me did not want to help. After 90 days, the manager called me into the office and told me I didn't make the cut. It was the first time I had been fired from a job and I felt terrible.
Looking back this was the lesson I learned. Things happen for a reason and sometimes, things that look bad are actually a blessing in disguise.
The company I was interning at had an awful culture where no one help anyone else. People were constantly getting fired and due to that there was a dog eat dog mentality there. The software was old stuff, SAP and other stuff like that. In retrospect, I'm really glad that I was fired; I dodged a major bullet.
I ended up finding another job quickly right after I graduated with an amazing company in a more amazing city.
The monetization of social and parasocial relationships (from advertising in social media to the industry around influencers and celebrities of all types) might be one of the cruelest things in modern capitalism.
In your first scenario, any connections established through the ISP-A's IP address would be routed back through the VPN connection that they came in on. If that server were to establish it's own connections to external resources, it would feasibly be able to use the 10g connection from ISP-B. It would not be able to dictate what source address was used with connections coming from ISP-B.
It could work the way OP described if they routed all outbound traffic via ISP-A regardless of source address, and ISP-A allowed spoofing. I think that's what they meant.
It is common practice for business subscribers (around UK) to get a /29
On the router we add a single /32 via the tunnel.
I think even the cheapest 100bucks business plans from many ISPs come with /28 or /29.
It is a complete waste because we had like 10 offices with 3-5 persons with laptops and NO servers. The common question from the ISPs is: Do you need some IPs? When we answer no, they give us /29.
