Luddite sysadmin
Jun. 21st, 2017 01:52 am
This post was originally going to be a comment on another post about sad smoke detectors. It got long and ranty, so I put it over here instead with significant edits.
I'm a systems administrator[1]. I'm also a luddite about a lot of technology. These two things are not in conflict; in fact, one leads to the other.
I wear the security hat at work. Wearing the security hat means I'm the one responsible for making sure that our systems are reasonably secure, and I'm also the point of contact for any security issues (such as malware, break-ins, attacks originating from our systems, or anything else related). Wearing the security hat also means that I regularly look over the log files produced by our systems, to try to make sure that there's nothing bad happening on them. In looking over those log files, I have come to one inescapable conclusion: the tendency toward the Internet of Things is exposing the fact that an awful lot of software out there is crapware (which includes stuff that isn't securable), poorly secured, or both.
Those log reviews show me the end result of the crapware and/or refusal to lock down devices: constant portscans from around the world, hundreds of thousands of failed login attempts on our systems, coordinated attacks of all sorts coming in from disparate parts of the world, and who knows what else I'm missing. Every now and then, one of the attacks succeeds. (We recently had someone's email account get broken into due to that user's bad password practices. The attackers used the broken account to try to send tens of thousands of pieces of spam. Fortunately, they failed. I've set up defense in depth on our systems; one of the other layers caught it all.)
Most[2] of the attacks I see in the logs are because entirely too many manufacturers can't be bothered to write good software, and entirely too many people can't be bothered to actually use the software properly even if it is (beyond any reasonable expectation) good.
Given all the shenanigans we've had with even high-end consumer electronic manufacturers bollixing up incidental Internet connectivity (never mind the number of point-of-sale systems using default passwords or the vulnerability of SCADA systems on critical and/or hazardous infrastructure), I want as little Internet-connected stuff as I can get. Perhaps unsurprisingly, the only Internet-connected stuff I have actually connected to the Internet are things whose primary job is to do so: smartphones, tablets, computers, and networking hardware.
I've only vaguely thought about a Nest, but have consistently rejected the idea. The rejection is in no small part because I am probably running my own thermostat at further extremes than anyone non-malicious on the other end would think of. Last winter I had the heat set to 50F (10C for those of you in the sensible part of the world); I believe it never turned on all winter. When I'm away in summer — including at work — the AC is off. It's also off most of the time I'm home. (I have windows and I'm not afraid to use them!)
My smoke (CO, heat, and any other) alarms should sound an alarm when they detect the thing they're supposed to detect. They should also tell me — with beeps, dammit! — that there's something wrong with them. I keep the manuals for precisely this reason. Those alarms should not be reporting anything at all to anyone other than me when I am home. If I'm not home, they can report all they want, but nobody's going to pay them any mind. Certainly there's nobody else who would be in any sort of position to do so if they did hear the alarms.
If someone offers me a new whizzy toy that wants Internet connectivity — for example, my new washing machine — I will not set up that Internet connectivity. If someone offers me a new whizzy toy that requires Internet connectivity despite being a thing that shouldn't need it, I will not buy that device. And if someone offers me a new whizzy toy that will let me order things by voice recognition over the Internet (I'm looking at you, Amazon Echo), I want nothing whatsoever to do with it.
[1] For those who don't know, being a systems administrator means I break computers for a living. (I also have to fix them afterward, but the goal is to break them then fix them so they run better afterward.)
[2] Another major reason behind attacks is overly-permissive Internet service providers, but that's beyond the scope of this rant.