HN Theater @HNTheaterMonth

The best talks and videos of Hacker News.

Hacker News Comments on
115 batshit stupid things you can put on the internet in as fast as I can go by Dan Tentler

Devoxx · Youtube · 4 HN points · 7 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention Devoxx's video "115 batshit stupid things you can put on the internet in as fast as I can go by Dan Tentler".
Youtube Summary

Over the last few years, I've made a hobby of both scanning the internet myself, and using Shodan to identify things on the internet that shouldn't be there. This presentation will highlight the best findings to date, with putting an emphasis on "what on earth could they have been thinking?". This presentation is the result of many many people not taking any security into consideration before connecting a device to the internet.
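The description above is about sifting Internet-wide scan data for services that should never have been reachable in the first place. The script below is an added example for this page, not code from the talk, from Shodan or from Dan Tentler: it parses a few hand-constructed records in the shape of Shodan's newline-delimited JSON export (the `ip_str`, `port`, `transport`, `product` and `data` fields), and ranks them with an editor-chosen set of "this should not face the Internet" rules. The sample banners use RFC 5737 test addresses and are approximations of real banners, not captures; the port-to-protocol table is the editor's own, not an official list.

```python
"""Triage Shodan-style banner records for services that should not face the Internet.

Added example for this page (editor's code). Records are constructed in the shape of
Shodan's JSON export; the risk rules are the editor's, not Shodan's or the talk's.
"""
import json
import re

# Constructed sample export: one JSON object per line, RFC 5737 TEST-NET-1 addresses,
# banner text approximated from memory rather than captured from live hosts.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"ip_str": "192.0.2.10", "port": 5900, "transport": "tcp", "product": "VNC",
     "data": "RFB 003.008\nVNC:\n  Protocol Version: 3.8\n  Security Types:\n    1: None\n"},
    {"ip_str": "192.0.2.11", "port": 5901, "transport": "tcp", "product": "VNC",
     "data": "RFB 003.008\nVNC:\n  Protocol Version: 3.8\n  Security Types:\n    2: VNC Authentication\n"},
    {"ip_str": "192.0.2.12", "port": 502, "transport": "tcp", "product": "Modbus",
     "data": "Modbus\nUnit ID: 1\nDevice identification: (example PLC)\n"},
    {"ip_str": "192.0.2.13", "port": 47808, "transport": "udp", "product": "BACnet",
     "data": "BACnet\nInstance ID: 1234\nObject Name: AHU-1\n"},
    {"ip_str": "192.0.2.14", "port": 8099, "transport": "tcp", "product": None,
     "data": "unknown message\n"},
    {"ip_str": "192.0.2.15", "port": 443, "transport": "tcp", "product": "nginx",
     "data": "HTTP/1.1 200 OK\nServer: nginx\n"},
])

# Industrial / building-automation protocols with no authentication in the protocol:
# reaching the port is the same as holding the controls. (Editor's list.)
UNAUTHENTICATED_CONTROL_PORTS = {
    502: "Modbus/TCP: PLC register read/write with no authentication",
    102: "Siemens S7comm: PLC access with no authentication",
    20000: "DNP3: utility SCADA, no authentication in the base protocol",
    44818: "EtherNet/IP: industrial controllers",
    47808: "BACnet/IP: building automation (HVAC, lighting, access control)",
}

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "INFO": 2}


def _vnc_auth_none(data):
    """True when the VNC banner advertises security type 1 ('None'): no password at all."""
    return re.search(r"Security Types?:.*?^\s*1:\s*None\s*$", data,
                     re.S | re.I | re.M) is not None


def classify(record):
    """Return (severity, reason) for one banner record, or None if nothing stands out."""
    port, data = record["port"], record.get("data") or ""
    product = (record.get("product") or "").lower()
    if 5900 <= port <= 5999 or product == "vnc":
        if _vnc_auth_none(data):
            return "CRITICAL", "VNC with security type 'None': anyone can take the desktop"
        # Still bad: classic VNC Authentication is a DES challenge on an 8-byte password.
        return "HIGH", "VNC exposed; VNC Authentication is a DES challenge on an 8-byte password"
    if port in UNAUTHENTICATED_CONTROL_PORTS:
        return "CRITICAL", UNAUTHENTICATED_CONTROL_PORTS[port]
    if port == 8099 and "unknown message" in data:
        # Mirrors the Shodan query for smart TVs quoted later in this thread.
        return "INFO", "smart TV service reachable from the Internet (port 8099, 'unknown message')"
    return None


def triage(export_text):
    """Parse a newline-delimited Shodan-style export and return findings, worst first."""
    findings = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        hit = classify(record)
        if hit:
            severity, reason = hit
            findings.append({"ip": record["ip_str"], "port": record["port"],
                             "transport": record.get("transport", "tcp"),
                             "severity": severity, "reason": reason})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["ip"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"{f['severity']:<8} {f['ip']}:{f['port']}/{f['transport']}  {f['reason']}")
```

On the sample data the script flags the passwordless VNC server, the Modbus PLC and the BACnet controller as critical, the password-protected VNC server as high, the TV as informational, and says nothing about the ordinary HTTPS server. The point of the `_vnc_auth_none` check is that a VNC banner tells you, before any login attempt, whether the operator set a password at all; the point of the port table is that for Modbus, S7 and friends there is no such distinction to look for.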
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
"115 batshit stupid things you can put on the internet in as fast as I can go"

https://youtu.be/hMtu7vV_HmY

Jul 03, 2021 · 1 points, 0 comments · submitted by belter
The presentation mentioned below in the thread is not bad. Sounds like it's the one you were referring to, but for complete madness and awe I recommend watching this one:

"115 batshit stupid things you can put on the internet in as fast as I can go" by Dan Tentler

https://youtu.be/hMtu7vV_HmY

There is a point where they find a large dam in France with its water gate controls available on the Internet. They use the US Embassy to contact the responsible French government department and urge them to do something about it. They are told: "Not right now, we are currently on holidays..." :-)

So did any of your deployments feature in one of the presentations by @viss - https://youtu.be/hMtu7vV_HmY
Not sure if it'll help, since I don't have any teaching experience, but coming at this from the perspective of a student, thinking of what your students might be thinking given what they're saying:

First, "not dry" doesn't necessarily mean "not prepared" or "spontaneous". Consider things like the SR-71 story [1] or the unprotected VNC endpoints presentation [2].

Second, keep in mind what you can give students that they can't get from a textbook or another lecture that they find on youtube. The best professors I had weren't the ones that could quote the textbook; the best professors I had were the ones that could provide context for the textbook, or tell stories that illustrated important edge cases or institutional knowledge that isn't written in any textbook. There's a huge amount of wisdom that could never be "professional" enough to make it into a textbook but is nevertheless fantastic for helping a student understand or remember the material. For example, consider the "Things I Won't Work With" series [3]; it would never get past a textbook review committee, but is absolutely riveting on top of the information transfer.

Third, and finally, how these relate to helping students absorb knowledge. Consider spaced repetition and the method of loci [4] and what they mean about how the human brain forms knowledge: people remember networks of knowledge, not single facts. That's why I cite war stories above - giving students a story to wrap around an idea lets them link to it from multiple angles, each one reinforcing the memory or giving the brain a second or third chance to successfully record it. Interactive discussions are the same way; remembering a monologue is much harder than remembering the same information packaged as a Socratic dialog with a few good jokes thrown in. That's why everyone else is recommending question-and-answer sessions and cold-calling; human memory is better at handling conversations than it is at speeches.

[1] https://oppositelock.kinja.com/favorite-sr-71-story-10791270..., https://www.youtube.com/watch?v=Lg73GKm7GgI
[2] https://www.youtube.com/watch?v=hMtu7vV_HmY
[3] http://blogs.sciencemag.org/pipeline/archives/2010/02/23/thi...
[4] https://en.wikipedia.org/wiki/Method_of_loci

115 batshit stupid things you can put on the internet in as fast as I can go (Dan Tentler) - https://www.youtube.com/watch?v=hMtu7vV_HmY
Jan 21, 2017 · 3 points, 0 comments · submitted by umerf
Nov 18, 2016 · tscs37 on GNU Health
https://www.youtube.com/watch?v=hMtu7vV_HmY&t=31m25s

It's not even "show you the ropes", it's "shooting fish in a barrel".

It's much worse than just passive webcams. Some devices which were never meant to be connected to the internet are out there.

Stoplights? HVAC Systems? Carwashes? Ice Rinks? POWER PLANTS?

Yes!

https://www.youtube.com/watch?v=5cWck_xcH64

EDIT: I looked at his more recent talk from last November ... the situation has not improved

"115 batshit stupid things you can put on the internet in as fast as I can go by Dan Tentler"

https://www.youtube.com/watch?v=hMtu7vV_HmY

Featuring Spanish Chicken Controls

s_kilk
This, along with the topic link, gives me the impression that the Internet of Things can't possibly work, not in the medium/long run. Not without a huge shift in how manufacturers and developers think about security and maintenance of devices deployed in the field.

As long as the general approach remains "take a device, slap some nodejs on it, deploy" then the whole endeavour is doomed to a spectacular (and potentially bloody) failure.

jessriedel
The situation will slowly improve with time as wisdom and expertise with software diffuses throughout industry. Right now, software is a crude tool in most industries, with little understanding among the decision makers. That's why the best software is found in pure software companies. (However good or bad Microsoft software may be, it's still true that Microsoft >> Ford >> Honeywell.) Over the coming years, better software practices will suffuse through non-software industries, and the CEO of the company that makes your toaster will need a gut level understanding of software in the same way he currently understands inventory management.
skywhopper
Indeed, lots of smart people have been saying that the Internet of Things vision is naive, counterproductive, and potentially dangerous. Some recent polls have indicated that most consumers at least have a sense that random cheap Internet-connected devices are problematic, so these sorts of stories are at least making an impact.

For better or worse, this trend is going to keep going until something truly egregious happens and either market forces or government regulation steps in. Hopefully we'll see a pattern similar to that we've seen with desktop computers, where there'll be some messy worms or viruses that infect enough people that the big players in the field start taking these threats seriously.

elorant
How about smart TVs? Give it a few years and you’ll have hundreds of millions of TVs with a camera on them exposed to the wild.
bostik
This is the reason I pushed down hard on our design for TV walls and monitoring screens. We have set up a number of TV screens around the office (some as walls, some individual). I refused to have any of them plugged into our office network, because I don't trust the smart TVs to either remain secure or not to spy on us "accidentally".

So each TV will be a dumb screen. Output is provided by two Raspberry Pis - one for each of the first two HDMI inputs. HDMI 1 = monitoring, HDMI 2 = office IPTV. The TV feed network is physically separated from everything else, and connected to a dedicated switch, with no uplink to the Internet.

And to give some context, we discussed our setup with some of the Cloudflare engineers in London. They consider our setup "pretty hardcore". From a company that lives by security, we consider that a compliment.

qb45
> How about smart TVs? Give it a few years and you’ll have hundreds of millions of TVs with a camera on them exposed to the wild.

Without available firmware updates, you forgot to add.

achillean
FYI: you can already find smart TVs connected to the Internet. Here is a search query for Vizio TVs:

https://www.shodan.io/search?query=port%3A8099+unknown+messa...

icedchai
Aren't most people at least putting their TV behind a firewall / NAT box?
Silhouette
The disturbing thing today about smart TVs in particular is that it's increasingly difficult to buy a TV without those features. Personally, I have no interest in them even without the obvious security and privacy concerns. I want my TV and speakers to be as good as possible at showing pictures and making sounds, and to accept signals from whatever sources I want to use in sensible ways. Everything else is just more cost, more scope for failure, and less future-proofing.

The really disturbing thing about a lot of these IoT devices with sensors and remote communications in the future will be when they no longer rely on an explicit Internet connection being provided via the home network, and instead use some sort of mesh arrangement where they can get online independently and you won't even know about it. At that point, I think robust laws about both disclosure and the ability to opt out will probably be necessary.

hughw
Any device could have its own connection to the mobile network, a la Kindle.
rangibaby
Have you considered using a PC monitor instead of a TV? Honestly, their biggest feature when used as a TV is their lack of "features".
gambiting
It's a bit hard to buy a 50" PC monitor though.
j2981190
Yeah, why did they decide to stop at 40"?
Silhouette
Unfortunately, PC monitors tend to be missing a few too many features that really are basic TV functionality -- remote control, sound, large numbers of switchable inputs (particularly HDMI) on high-end models, etc.

They also tend to be physically smaller but often with a higher native resolution than TV/movie standards, so not the best fit for efficiently showing that kind of content.

walterbell
How about a short-throw projector?
golergka
Everything but size is solvable by building a small PC to use it as TV controller, no?
kbenson
The cost difference of this theoretical setup is now reaching laughable proportions (in time, money, or both)
tdkl
Don't plug it into the LAN? Set a firewall rule for the TV on the router to block internet access? (I agree with you, the "smart TV" bonanza is going too far)
izacus
Well, that works until the smart TV refuses to set up without internet connection like modern STBs and mobile phones.
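tdkl's "set the firewall rule for the TV on the router" is the cheapest version of bostik's air-gapped screens. The script below is an added example for this page, not from any commenter, from the talk or from a router vendor: it generates an nftables ruleset for a Linux router that leaves the TV free to talk to other LAN hosts but drops every packet it originates toward the WAN. The TV's MAC address and the WAN interface name are hypothetical command-line arguments, and the path under `/etc/nftables.d/` in the usage line is an assumption about how the router loads its rules.

```sh
#!/bin/sh
# Added example (editor's code), not from the thread or any vendor. Emits an nftables
# ruleset that keeps a smart TV usable on the LAN while dropping everything it sends
# toward the Internet. Assumed, hypothetical inputs: $1 = the TV's MAC address,
# $2 = the router's WAN interface (e.g. eth0).

# is_mac ADDR: reject typos up front. A rule built from a malformed address loads
# without complaint and simply never matches, which means it blocks nothing.
is_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# tv_block_ruleset TV_MAC WAN_IF: print the ruleset to stdout.
# Matching the source MAC in the forward hook covers IPv4 and IPv6 alike (a TV that
# picks up a SLAAC address cannot slip past an IPv4-only rule) and also defeats the
# TV's own hard-coded resolvers, since the rule does not care where the packet is going.
tv_block_ruleset() {
    tv_mac="$1"; wan_if="$2"
    is_mac "$tv_mac" || { echo "not a MAC address: $tv_mac" >&2; return 1; }
    cat <<EOF
table inet tv_guard {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Log a sample of the attempts first (log is non-terminating); the rate limit
        # keeps the TV's telemetry retries from flooding syslog.
        ether saddr $tv_mac oifname "$wan_if" limit rate 10/minute log prefix "tv_guard: "
        # Then drop and count. TV-to-LAN traffic (Pi, phone, Chromecast) never reaches
        # this rule, and replies from the Internet carry the TV's MAC as destination,
        # not source, so they are unaffected either.
        ether saddr $tv_mac oifname "$wan_if" counter drop
    }
}
EOF
}

# Only emit a ruleset when run with both arguments, so sourcing this file is harmless.
if [ "$#" -eq 2 ]; then
    tv_block_ruleset "$1" "$2"
fi
# Usage (hypothetical paths and values):
#   sh tv_guard.sh aa:bb:cc:dd:ee:ff eth0 > /etc/nftables.d/tv.nft && nft -f /etc/nftables.d/tv.nft
```

After loading it, `nft list table inet tv_guard` shows the packet counter on the drop rule; a counter stuck at zero means the TV is either not the MAC you think it is or is not routing through this box at all. For the setup problem izacus describes, load the table only after the first-run wizard has finished, or `nft delete table inet tv_guard` for the few minutes it takes and reload afterwards. None of this helps with the scenario pdkl95 raises further down: a device with its own cellular radio never passes through your router in the first place.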
pdkl95
At some point - probably sooner than we expect - the hot new system-on-a-chip will have a built-in baseband processor and (probably software) radio. Once that is available, negotiating for off-peak/low-priority use of the cellular network will suddenly become very popular and the analytics (spyware) will no longer need your permission when it wants to spy on you.
tzs
A few years ago, DHS and DOE set up a test power plant using similar equipment to what is actually in widespread production use, and invited select hackers to see what they could do to it.

Here are the results: https://www.youtube.com/watch?v=fJyWngDco3g

There was some discussion of this on the excellent Nova episode "Rise Of The Hackers", where they mentioned that the damage to the generator was extensive enough that it would not be just a quick in place repair. It would have to be replaced, which could take months (they don't have these things lying around in stock...). If someone did a successful coordinated attack on several power plants, it quite possibly could knock a very large number of people off the grid for many months.

We need to stop allowing this. If this trend of putting everything online without paying serious attention to security continues, two things are going to happen:

1. The bad guys are going to succeed at some point in causing a major disaster. If we are lucky it will just cause widespread economic loss and inconvenience. More likely, though, there will be widespread loss of life too.

2. You think 9/11 prompted too big a swing in the wrong direction on the "safety vs. civil liberties" scale? That will seem quaint and mild in comparison once an attack knocks a large region off the grid for months, or causes a chemical plant to release a large toxic cloud, or takes down air traffic control, and so on.

TheOtherHobbes
Agreed 100%. IT'S A NATIONAL SECURITY ISSUE.

There's no grey area here. Get this wrong and there's potential for foreign state or terrorist attacks that are as destructive - in their own way - as 9/11.

Currently IOT has the makings of the next Pearl Harbour. It would be good if that didn't happen.

superuser2
It's disingenuous to suggest that the solution is simply keeping them off the internet. Their own proprietary network cables/radio comms can be spliced into and reverse engineered when running through public places. Low-level employees can be tricked into plugging in flash drives (i.e. Stuxnet).

When you're building a target, security needs to be designed for across the board. If you want to shortcut your way out of that, don't use general-purpose operating systems and don't build networks.

tptacek
One of the problems is that SCADA has its own software culture and its own security culture. There are specialty SCADA security firms (for no good reason I can come up with) and it sometimes feels like software security research is progressing in parallel on two (or three, or four) separate tracks.

Industrial control software doesn't get the attention that normal software does because it takes a specially-seasoned consulting sales person to get industrial software on the docket for a consultancy. The really good consultancies are overbooked anyways (the big 5 Internet firms buy consultant/years the way smaller firms buy consultant/hours), so there's not much incentive for the best talent to get applied to these projects.

If Charlie Miller and Chris Valasek hadn't gotten on stage in track suits to talk about car hacking, the same might be true of automotive, but now every consultancy wants a car-hacking practice.

I've managed a few energy-sector projects. The targets were really, really bad.

HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.