Forum adverts like this one are shown to any user who is not logged in. Join us by filling out a tiny 3 field form and you will get your own, free, dakka user account which gives a good range of benefits to you: No adverts like this in the forums anymore. Times and dates in your local timezone. Full tracking of what you have read so you can skip to your first unread post, easily see what has changed since you last logged in, and easily see what is new at a glance. Email notifications for threads you want to watch closely. Being a part of the oldest wargaming community on the net. If you are already a member then feel free to login now.

From the BBC.

http://www.bbc.co.uk/news/technology-42030109

The ban is on two grounds, privacy, and information security.

Is it time for some kind of international regulation on network-enabled devices, to ensure adequate standards of security?

I firmly believe in information security, especially if I'm strapping an unencrypted GPS device to my child's wrist. I'm surprised people are buying them in such large quantities, or maybe I'm just being paranoid.

If they can put better security measures in place, I'd be slightly more supportive of having them. And in the defense of parents, I'm completely OK with spying on their lessons in school, we have issues with our public education over here.

There's a few fundamental problems here:

- These devices are made for children. Any sort of unique characteristics present in them will be detected and exploited for the purposes specifically of targeting children for whatever ends, more specifically than, say, just "these kids nowadays with their smartphones."

- Network security is an arms race. You're never going to have a device that's perfectly secure, particularly with the way that most device manufacturers decide to stop sending security updates to phones after 18 months or so after the phone was announced. And anyone who does try to convince you that the device is perfectly secure is either lying, or referring to a closed system.

- Relevant to the above, something we really need to get used to is the notion that just because something can be connected to a network does not mean that it should. You REALLY want GPS on your kid that bad, fine (not really) but it needs to be something that they push the button on to activate when they're lost or something. It shouldn't be constantly leaking data.

- It should also not be some general purpose device that lets them install whatever software they desire, because that's the single thing that can be done to undermine your security the most.


Automatically Appended Next Post:
Also, worth mentioning, GPS (by the traditional definition, not the "it tells me where I am" modern definition) is a PASSIVE system. No one knows when you're using it by virtue of using it alone, you can access it without cell or wireless signal, and it works about as well as when you do have signal.

The problem is that we just can't resist having the damned things screaming out where we are to anyone who is listening as loudly as possible.

I appreciate there are no perfectly safe systems, and can't ever be, but it seems to me that at the moment there are a lot of systems going on the market which are wide open for security, such as having out of the box logins of "admin" and "admin" for the administrator. A lot of users never bother to change these, and leave the system vulnerable. These systems can then be infected and recruited into botnets that become more powerful for recruiting other systems.

I think a core part of the problem is the attitudes of software developers at present. They are increasingly wanting to have your software online at all hours and sending feedback as well. They also want you to use their specific software on hardware units so often as not lock certain options into the installer.

Much of this can be gotten around, but not by your average user plus it generally voids all warranties on the device itself.


I think that so long as marketing pushes for devices to keep sending out data and for our hardware to essentially be owned by the company that made it; we will continue to see items like this that constantly broadcast data and information.

We are shifting from our hardware and software working for us into one where it works for the company producing it - and aiming toward the extreme of software running more and more on cloud based systems; where its impossible to run without connecting up.



To me the issue is one of choice - as outlined above; the idea is sound but it should only need to broadcast when used on the owners terms; rather than on the software companies choice.

Thing is its an attitude that's crept in that is going to be hard to push out without strict legislation. Even services like Facebook will mess with and often disable security/shared settings and set them back toward more open default values whenever they update the software (To say nothing of crafty hiding of settings behind big interface changes)

 Kilkrazy wrote:
I appreciate there are no perfectly safe systems, and can't ever be, but it seems to me that at the moment there are a lot of systems going on the market which are wide open for security, such as having out of the box logins of "admin" and "admin" for the administrator. A lot of users never bother to change these, and leave the system vulnerable. These systems can then be infected and recruited into botnets that become more powerful for recruiting other systems.

Oh, yeah, totally. I didn't intend for my point to be "we shouldn't even bother". Not sure if it came across that way. We should be bothering many times more over again than we are now. It's a Big Deal.

What I guess I'm saying is that people don't really sufficiently think about what they're doing when it comes to Internet-capable devices, and that's user education, which is often one of the hardest obstacles to overcome when trying to do something.

Is Dakka liable for personal information we provide to access its functions?

That's a Legoburner/Yakface question.

I know there is a new data privacy law coming into the EU next year, as I'm working on some compliance issues to do with that.

DakkaDakka is headquartered and incorporated in the USA, and I'm not sure how that affects things.

The amount of personal information required here is minimal. I think it's only an email address.

Most of the liability that I'm aware of in the US concerning personal data is limited to government/medical systems. There may be more, but it'd be in less common fields.

I notice that other small time niche entities that have had data breaches typically get off just fine with something occasionally briefly mentioned on news sites if at all. I think one called 'Equifax' was most recent. Not sure what they're into. Think it's a horse site or something.

Forums can hold and hide dates of birth so that and your email are likely the only critical bits of private personal data.

Kilkrazy wrote:I appreciate there are no perfectly safe systems, and can't ever be, but it seems to me that at the moment there are a lot of systems going on the market which are wide open for security, such as having out of the box logins of "admin" and "admin" for the administrator. A lot of users never bother to change these, and leave the system vulnerable. These systems can then be infected and recruited into botnets that become more powerful for recruiting other systems.

That's just silly, nobody uses "admin" and "admin", that's just not secure. Everybody uses "admin" and "password".

Kilkrazy wrote:That's a Legoburner/Yakface question.

I know there is a new data privacy law coming into the EU next year, as I'm working on some compliance issues to do with that.

DakkaDakka is headquartered and incorporated in the USA, and I'm not sure how that affects things.

I don't think there would be any problems as long as the servers stay in the USA (or rather outside the EU). If they were to put some server inside the EU they would have to comply with those laws. I think the USA/NSA recently (as in: at some point after the Snowden leaks) wanted access to all of Microsofts data (including datacentres inside the EU) but Microsoft had to fight it as they would have broken a number of EU laws if they had given the USA access to that data.

The Apple warehouse I worked in 11 years ago had that on the computer system in the warehouse (PCs). Admin access was "Admin; password".
(they had a whole lot of stuff disabled at admin level, except the CLI was still able to be used if you knew enough about it.).

When they got hit by the "bad capacitor" issue, and I got given the job of identifing which components were potentially bad,I HAD to access the net to do so (because the PC world being hit by the same issue 4-5 years earlier had been well documented). Getting the browser up and running was surprisingly easy as a result.

When the head IT guy came down to check on something, he noticed that I had the browser up and working and wondered how. They hadn't thought that they might have someone working there who would know how to do it because none of the mac-using staff ever needed to know how (all of the "upstairs" machines were macs).

 Inquisitor Lord Bane wrote:
I firmly believe in information security, especially if I'm strapping an unencrypted GPS device to my child's wrist. I'm surprised people are buying them in such large quantities, or maybe I'm just being paranoid.

If they can put better security measures in place, I'd be slightly more supportive of having them. And in the defense of parents, I'm completely OK with spying on their lessons in school, we have issues with our public education over here.

I'm surprised, really, that I haven't heard if these things have been banned in classrooms via school policies. If kids could use graphing calculators, flip phones, and pagers back in the day,in creative attempts to cheat, it wouldn't be a stretch that they would with smart wristbands (among all the other mobile, "smart" devices we have today). To uninformed teachers, these things can pass for a stylish novelty digital watch.

 Overread wrote:
I think a core part of the problem is the attitudes of software developers at present. They are increasingly wanting to have your software online at all hours and sending feedback as well. They also want you to use their specific software on hardware units so often as not lock certain options into the installer.

As a software developer, i'd like to highlight we don't want it either; it's the middle management. More often than not callback systems are a phenomenal headache to implement with no end-function value; but instead are a means of having something to put in a chart during the quarterly reports - which are then ignored.

At least, in above board organisations. I can't speak for Igor Igorski Totally Not Scam Software Service For Make Benefit End User, or Microsoft.

 Kilkrazy wrote:
That's a Legoburner/Yakface question.

I know there is a new data privacy law coming into the EU next year, as I'm working on some compliance issues to do with that.

DakkaDakka is headquartered and incorporated in the USA, and I'm not sure how that affects things.

Theres a new UK data protection act
But that mainly just changes consent rules. Bans pre ticked options. Clear statement of who, what uses data and a people now will have to be extremely precise on there stuff and wording.

But a US based site not be effected by UK law most likely. N