Why It is Stupid to Buy a SmartTV

There are no regulations governing what information smart devices may collect, or how they transmit it. This article from the BBC explains how an LG SmartTV sent the names of one owner's family members across the internet in clear text, something most people would be uncomfortable having publicly available.

Besides selling your private information to any advertiser or third party willing to pay for it, none of the vendors seem to have any way to prevent those third parties from passing it on to others (aside from legal clauses, which would be hard to prove a breach of and lengthy to enforce). Nor is there any way to redact information once it has been released to third parties.

But this is only part of the threat to personal security, because it would be trivial for a person with the technical ability, or a warrant, to obtain any and all information collected by such devices. Smart devices, those with convenience features tied to internet connectivity, are Trojan horses for privacy violations far more invasive and covert than anything else, and they rely on consumer ignorance to operate unfettered.


The only solutions are to never connect the devices to the internet, to block all of their traffic at the router, or not to purchase them at all.
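If you go the "block all traffic" route, it is worth first seeing what the TV actually talks to, because the plain-HTTP destinations are the ones where you can read exactly what it sends. The script below is an added example, not code from the original post: it parses iptables LOG lines from a Linux router (the SRC=/DST=/PROTO=/DPT= fields are the standard format of that target), summarizes the TV's outbound connections, flags the cleartext ones, and emits the two iptables rules that cut the TV off from the WAN while leaving LAN-only features such as casting alone. The TV's address 192.168.1.50, the interface names br0/eth0 and the log lines are constructed for the example.

```python
"""Audit, then block, a smart TV's internet traffic from a Linux router.

Added example, not from the original post. Assumes the router logs forwarded
packets with an iptables LOG rule (SRC=/DST=/PROTO=/DPT= are the standard
fields of that format); the TV's LAN address 192.168.1.50, the interface
names and the log lines themselves are constructed for this example.
"""
import re
from collections import defaultdict

TV_IP = "192.168.1.50"          # assumption: the TV's DHCP-reserved address
CLEARTEXT_PORTS = {80, 8080}    # plain HTTP: anything sent here is readable on the wire

# Constructed sample of kernel log lines emitted by an iptables LOG target.
SAMPLE_LOG = """\
Oct 14 22:01:03 router kernel: FWD: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=43210 DPT=80 SYN
Oct 14 22:01:04 router kernel: FWD: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=43211 DPT=80 SYN
Oct 14 22:01:09 router kernel: FWD: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=43212 DPT=443 SYN
Oct 14 22:01:15 router kernel: FWD: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.53 LEN=73 PROTO=UDP SPT=51000 DPT=53
Oct 14 22:02:00 router kernel: FWD: IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=50000 DPT=443 SYN
"""

_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_log_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one LOG line, or None."""
    fields = dict(_FIELD.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    fields["DPT"] = int(fields.get("DPT", 0))   # ICMP lines carry no port
    return fields


def summarize(lines, tv_ip=TV_IP):
    """Count packets per (destination, protocol, port) originating from the TV."""
    counts = defaultdict(int)
    for line in lines:
        f = parse_log_line(line)
        if f and f["SRC"] == tv_ip:
            counts[(f["DST"], f["PROTO"], f["DPT"])] += 1
    return dict(counts)


def cleartext_destinations(summary):
    """Hosts the TV talks to over plain HTTP, i.e. where you can see what it sends."""
    return sorted({dst for (dst, proto, port) in summary
                   if proto == "TCP" and port in CLEARTEXT_PORTS})


def block_rules(tv_ip=TV_IP, lan_if="br0", wan_if="eth0"):
    """iptables commands that stop the router forwarding the TV to/from the WAN.

    Only LAN<->WAN forwarding is matched, so casting from a phone on the same
    LAN keeps working; inserting with -I puts the rules ahead of any
    ESTABLISHED rule, so sessions the TV already has die too.
    """
    return [
        f"iptables -I FORWARD -i {lan_if} -o {wan_if} -s {tv_ip} -j DROP",
        f"iptables -I FORWARD -i {wan_if} -o {lan_if} -d {tv_ip} -j DROP",
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for (dst, proto, port), n in sorted(summary.items()):
        print(f"{dst:16} {proto:4} {port:5} x{n}")
    print("plain HTTP to:", cleartext_destinations(summary))
    print("\n".join(block_rules()))
```

Run the emitted rules as root and persist them (plain iptables rules do not survive a reboot). Give the TV a DHCP reservation first, otherwise a new lease silently un-blocks it, and expect the TV to complain about having no internet; that is the point.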


Crackers are getting help from sloppy updates to web sites… change your passwords

I was going to push an article about something completely different that has been on the back burner for a good amount of time, but this is more important. Sorry for the lack of detail and my terse tone, but I expect better of large sites making amateur moves. I’m not saying I have never messed up: I have, but I learned from it* (“never push prototypes”) and never at this scale. The basics I sent to the site admins are enough for them to act on.  I sent this out tonight. (Note: this is also why I don’t use email addresses for half of an account’s login credentials.)

Upon trying to log in today to create a *******, I got a warning that the login page (now a pop-over) was not being served over port 443 (SSL encrypted). I decided to abort the login process because my email and password would have been transmitted over the internet in the clear. My previous visits did have an encrypted login. So, thanks to someone who updated the site without running a regression test or checking for glaring security holes, you probably have some users whose passwords have already been mined and exposed (LPH * HSU to calculate how many people have been exposed), allowing crackers to collect more pieces of info on account holders in order to steal their identities.

Combined with enough other data (such as the recent Chase, Yahoo, and Sony cracks), crackers can take the harvested email/password pairs and try them against other sites where the same email is registered, to find the users who reuse one password across sites. From there it is a simple matter to run a script that attempts logins at all the popular sites (FB, G+, Amazon, bank sites, etc.) and walks straight into those accounts. Good job ;\
Very sloppy update.
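From the defender's side, that script leaves a distinctive trace: one source address trying many different accounts in a short time, with a low success rate, which is quite unlike a brute force (many attempts on one account) or a user mistyping their own password. The following is an added example, not code from the original post, that flags this pattern in a login log; the log format (one JSON object per line with ts, ip, user and result) and the sample lines are constructed for the example, so adapt parse_events() to whatever your application actually writes.

```python
"""Spot credential stuffing in an application's login log.

Added example, not from the original post. The log format (one JSON object
per line with ts, ip, user and result) and the sample lines are constructed
for this example; adapt parse_events() to your own auth log.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 walks a list of harvested email/password
# pairs (many accounts, a few seconds, a couple of hits); 198.51.100.9 is
# one user mistyping their own password twice.
SAMPLE_AUTH_LOG = """\
{"ts": "2014-10-14T22:00:01", "ip": "203.0.113.5", "user": "alice@example.com", "result": "fail"}
{"ts": "2014-10-14T22:00:02", "ip": "203.0.113.5", "user": "bob@example.com", "result": "fail"}
{"ts": "2014-10-14T22:00:02", "ip": "203.0.113.5", "user": "carol@example.com", "result": "ok"}
{"ts": "2014-10-14T22:00:03", "ip": "203.0.113.5", "user": "dave@example.com", "result": "fail"}
{"ts": "2014-10-14T22:00:04", "ip": "203.0.113.5", "user": "erin@example.com", "result": "fail"}
{"ts": "2014-10-14T22:00:05", "ip": "203.0.113.5", "user": "frank@example.com", "result": "ok"}
{"ts": "2014-10-14T22:03:10", "ip": "198.51.100.9", "user": "grace@example.com", "result": "fail"}
{"ts": "2014-10-14T22:03:25", "ip": "198.51.100.9", "user": "grace@example.com", "result": "fail"}
{"ts": "2014-10-14T22:03:40", "ip": "198.51.100.9", "user": "grace@example.com", "result": "ok"}
"""


def parse_events(text):
    """One dict per non-empty line, timestamps parsed, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def max_distinct_users(evs, window):
    """Largest number of distinct accounts one IP tried inside any `window`."""
    best, start = 0, 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        best = max(best, len({e["user"] for e in evs[start:end + 1]}))
    return best


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag IPs that tried >= min_accounts distinct accounts within `window`.

    Distinct *accounts*, not attempts, is what separates stuffing from a
    brute force on one account. Returns {ip: {"accounts": n,
    "successes": [users that logged in OK from that IP]}}; the successes
    are the accounts to lock and force a password reset on.
    """
    by_ip = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        n = max_distinct_users(evs, window)
        if n >= min_accounts:
            flagged[ip] = {
                "accounts": n,
                "successes": sorted({e["user"] for e in evs if e["result"] == "ok"}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_events(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['accounts']} accounts tried, got into {info['successes']}")
```

Tune `min_accounts` and `window` to your own traffic (a shared corporate NAT legitimately shows several accounts per IP), and treat the `successes` list as an incident, not a statistic: those users' passwords are known to the attacker, wherever else they used them.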

About all I can say is that no matter how good your password is, reusing it on multiple sites means that if any one of those sites is sloppy with it, as above, you are exposed to someone taking over every account that uses the same password, plus any account that can be recovered through an email account protected by that recycled password. And since it is difficult to come up with unique passwords without writing them down, use a password manager such as 1Password (and protect the manager itself with a strong, unique master password).
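Two checks a password manager makes easy to automate are "where have I reused a password" and "is this password already in a breach dump", and the second can be done without ever sending the password anywhere. The script below is an added example, not code from the original post; it serves this paragraph and the update at the end about "protected123". The breach lookup implements the k-anonymity range protocol of Have I Been Pwned's Pwned Passwords API (send only the first 5 hex characters of the SHA-1, get back every suffix sharing that prefix with its count, compare locally), but the server side is simulated here with a small constructed corpus instead of calling api.pwnedpasswords.com, and the vault entries are constructed as well.

```python
"""Audit a password vault for reuse and for known-breached passwords.

Added example, not from the original post. The breach lookup implements the
k-anonymity range protocol of Have I Been Pwned's Pwned Passwords API (send
the first 5 hex chars of the SHA-1, get back every matching suffix with its
count, compare locally); here the server side is simulated with a small
constructed corpus instead of calling api.pwnedpasswords.com, and the vault
entries are constructed too.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for the server's corpus of leaked passwords.
LEAKED_CORPUS = ["password", "123456", "qwerty", "letmein", "protected123"]

# Constructed password-manager export: (site, password).
VAULT = [
    ("bank.example", "protected123"),
    ("social.example", "protected123"),
    ("mail.example", "protected123"),
    ("shop.example", "vD9#qL2!mRw7@zKp"),
]


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """(5-char prefix that leaves the machine, 35-char suffix that never does)."""
    h = sha1_upper(password)
    return h[:5], h[5:]


def build_server_index(corpus):
    """Server side: {prefix: {suffix: times seen}} over the leaked corpus."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in corpus:
        prefix, suffix = split_hash(pw)
        index[prefix][suffix] += 1
    return index


def server_range(index, prefix):
    """Server side: the 'SUFFIX:COUNT' text for one prefix, as the real API returns."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return "\n".join(f"{s}:{c}" for s, c in sorted(index.get(prefix, {}).items()))


def parse_range_response(body):
    out = {}
    for line in body.splitlines():
        if line.strip():
            suffix, count = line.strip().split(":", 1)
            out[suffix.upper()] = int(count)
    return out


def breach_count(password, index):
    """Client side: how many times the password appears in the corpus.

    Real use: replace server_range() with an HTTPS GET of
    https://api.pwnedpasswords.com/range/<prefix>; the password and its
    full hash still never leave this function.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(server_range(index, prefix)).get(suffix, 0)


def find_reuse(vault):
    """Sites sharing a password, keyed by the password's SHA-1 (never the password)."""
    sites = defaultdict(list)
    for site, pw in vault:
        sites[sha1_upper(pw)].append(site)
    return {h: s for h, s in sites.items() if len(s) > 1}


if __name__ == "__main__":
    index = build_server_index(LEAKED_CORPUS)
    for site, pw in VAULT:
        print(f"{site:16} seen in breaches x{breach_count(pw, index)}")
    for sites in find_reuse(VAULT).values():
        print(f"same password on {sites}: change all but one")
```

Run it against a real export and fix the reused entries first: a reused password that is also in a breach corpus is exactly the case the Dropbox story below describes.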

Obscurity and encryption are not the only tools; they are just two of the layers in a defense in depth that I learn a bit more about every day. If you want to learn more about securing your site, check out SecurityPatterns.org.

(*The mistake I mentioned above didn’t cause a data breach, but still: now even my prototypes sanitize their input, because I formalized a utility class with a static input-filter method.)

UPDATE: this article published today http://appleinsider.com/articles/14/10/14/hundreds-of-dropbox-credentials-leaked-online-company-denies-breach and my prior article on Dropbox Email Scams could be inter-related, as well as related to the above. Again, this could very well be an example of what happens when you use the same password on multiple accounts. So, be safe and don’t do it. Other than making myself type that a thousand times on a blackboard page of my site (which would be cool if the Simpsons opening used this, BTW), I can’t emphasize strongly enough how dangerous it is to use the same password everywhere, or a dictionary word with a few numbers tacked on like “protected123”.

Oh yeah: I forgot my usual sign off in my haste to post last night: Thanks for reading.