Java Suspected in Level 3 Outage
-
I'm searching now, but I read several articles that pointed to IoT devices and outdated Java as being the suspected support devices for the attack.
-
As discussed in another thread recently - a complete lack of security and open ports on the internet are what made many IoT things vulnerable.
For example, the flawed implementation of ZigBee on Hue lightbulbs (that, along with the 864 microsecond pairing thing). This wasn't a flaw in ZB itself; it was a flaw in the implementation.
But, and I'd have to double-check, the ZB framework itself does have some pretty bad security flaws in it, or at least used to.
Just one more reason I haven't deployed any of those IoT things in my home.
-
@DustinB3403 said in Java Suspected in Level 3 Outage:
I'm searching now, but I read several articles that pointed to IoT devices and outdated Java as being the suspected support devices for the attack.
If that is true, that's a problem with not patching, not a problem with Java. VERY different things.
-
Sadly the cost of maintaining patches for IoT devices would often be higher than the IoT device itself. So it's no wonder they don't update them.
-
@DustinB3403 said in Java Suspected in Level 3 Outage:
I'm searching now, but I read several articles that pointed to IoT devices and outdated Java as being the suspected support devices for the attack.
I heard about IoT devices being the root - again, the Java-based ones might have mainly been the DVRs - there was a sort of huge thing in the listening circles I'm part of... but in the grand scheme, a pretty small number on the internet at large, especially when compared to light bulbs.
-
@Dashrender said in Java Suspected in Level 3 Outage:
Sadly the cost of maintaining patches for IoT devices would often be higher than the IoT device itself. So it's no wonder they don't update them.
Not really. Patching is pretty cheap, especially as almost none of it happens for their own code. Including Java when not needed is more costly than patching. Recalling broken devices that broke because you didn't patch is super expensive.
-
@scottalanmiller said in Java Suspected in Level 3 Outage:
@Dashrender said in Java Suspected in Level 3 Outage:
Sadly the cost of maintaining patches for IoT devices would often be higher than the IoT device itself. So it's no wonder they don't update them.
Not really. Patching is pretty cheap, especially as almost none of it happens for their own code. Including Java when not needed is more costly than patching. Recalling broken devices that broke because you didn't patch is super expensive.
I have no idea how often vendors have to redo code because the framework makers fix their own flaws...
In any case, maintaining and managing update servers isn't free - granted, it shouldn't cost millions in a situation like updating lightbulbs either, but it is still something. Then the question is how long do you maintain and provide updates?
Even Google has quit long before I think they should - they only support Android for something like 2 years after a version is released. Getting 4 years out of a phone, especially a top-end phone, isn't unreasonable.
Maybe these companies should just understand and agree that they should have lower profits so they have and maintain updates for at least, say, 5 years.
-
@Dashrender said in Java Suspected in Level 3 Outage:
Maybe these companies should just understand and agree that they should have lower profits so they have and maintain updates for at least, say, 5 years.
As always, that's a customer issue. If people prioritize that kind of support, they would be on iOS.
-
@Dashrender said in Java Suspected in Level 3 Outage:
Even Google has quit long before I think they should - they only support Android for something like 2 years after a version is released. Getting 4 years out of a phone, especially a top-end phone, isn't unreasonable.
Except it's not sensible. Why buy a top-end phone to keep it for so long? Financially that doesn't make sense; two phones at half the price give you a better phone experience. Plus, the issue is that it is YOUR responsibility to update to a supported OS, not theirs to maintain the OS you fail to update. It only sounds unreasonable when you assume that Google locks the hardware to the software, which they do not. So it's not even kinda unreasonable.
Reverse the question... why is someone not updating the OS on their phone for so long? That's where the problem really lies.
-
@Dashrender said in Java Suspected in Level 3 Outage:
Then the question is how long do you maintain and provide updates?
Use an enterprise OS and the updates come from upstream. Issue often solved that easily.
-
@scottalanmiller said in Java Suspected in Level 3 Outage:
@Dashrender said in Java Suspected in Level 3 Outage:
Maybe these companies should just understand and agree that they should have lower profits so they have and maintain updates for at least, say, 5 years.
As always, that's a customer issue. If people prioritize that kind of support, they would be on iOS.
Yeah - I'm not sure what the right answer is here.
I think that we agree that the typical consumer will NEVER care about this - at least not until the law somehow holds them accountable.
But we are talking about something for the betterment of all, like the universal healthcare you are for: we should all want a safer, more secure internet. The only way we are going to get that is if the vendors are forced to provide it, as the consumer will never demand it.
-
@Dashrender said in Java Suspected in Level 3 Outage:
I think that we agree that the typical consumer will NEVER care about this - at least not until the law somehow holds them accountable.
Agreed. And therefore we must also agree that given capitalism, the issue never lies with the vendors.
-
@Dashrender said in Java Suspected in Level 3 Outage:
But we are talking about something for the betterment of all, like the universal healthcare you are for: we should all want a safer, more secure internet. The only way we are going to get that is if the vendors are forced to provide it, as the consumer will never demand it.
Yes, so if you can define a standard level of effort and make it a regulatory thing, then by all means. But how will you do that without crippling small companies, interfering with security in bad ways, etc.?