Why is it that morons who prefer to make things simple, despite the massive ramifications, are allowed to implement systems?
We've had attachments and automatic execution in Microsoft mailers give us worldwide computer viruses. We've had unnecessary, unprotected services on Windows 2000 give us worldwide computer worms. There are numerous other examples, especially relating to wireless (most recently Bluetooth) devices. It appears that many hotels have set up systems through their TV sets which are almost totally controlled from the TV remote end, allowing anyone with a portable TV tuner and a correctly programmed infrared port (such as in a laptop) to access content they haven't paid for, other people's hotel bills, hotel guest lists, and even other people's net access. An article about this is here in Wired.
July 31 2005, 10:40:50 UTC 6 years ago
Doing a "point of attack" or "single point of failure" analysis of something appears to be a very rarely taught skill which is most unfortunate in many areas of life, not just technology. (Law being the other area obvious to me since I spent a while studying it -- lots of laws are passed apparently without anyone considering "if we pass this what will people do to (legally) get around it" leading to counterproductive results when passed. Sometimes they get it right the second time, sometimes they don't.)
As to how to solve the problem, I'm not sure. Making everyone as cynical as I am about such things has other disadvantages.
FWIW, as security risks go, I'd take "access content they haven't paid for" over "multi-year distributed denial of service attack" (email worms, viruses, spam, all largely (now) being launched from insecure end-user systems). It's at least contained, and has a built-in incentive for the people causing the problem to fix it.
Ewen
July 31 2005, 19:01:15 UTC 6 years ago
Certainly, access to content someone hasn't paid for is not a big deal. Indeed, the only loser there is the hotel responsible for the system that allows it. Access to lists of who is in the hotel, what is on their bill and what they are doing online are all rather insidious. From a personal privacy and security point of view, they are worse than DDoS: the victims have no idea it is happening and no way to find out who is accessing the data.
July 31 2005, 21:30:52 UTC 6 years ago
About the only way to change that would be to impose some fairly heavy penalties for leaking private information as part of a general set of privacy laws. Then those people (doing the hiring) would have an active reason to ask "this won't leak private information will it?". It's possible that New Zealand's Privacy Act might be usable for such a purpose (although IIRC there's not much in the way of penalties, at least being actively applied), but the US is notably lacking in such things.
Finally, while I agree that leaking private information is worse than a DDoS (although after 5 years of DDoS I'm starting to think that N years of DDoS is equal to leaking private information), it's important to remember that along with the same holes that made this DDoS possible is the possibility of private information leaking (and indeed some of the worms did precisely that).
Ewen