Post AzwE1bKJS1aZW7nCfw by mossman@social.vivaldi.net
 (DIR) Post #Azw44y0aZscXBtX7dg by randahl@mastodon.social
       2025-11-05T08:41:13Z
       
       3 likes, 6 repeats
       
       The most thought provoking article I have read this week: A Norwegian bus company wants to know if their buses could be abused by China in the case of war. So they drive two buses deep into a limestone mine to isolate them from the internet and forensically investigate how they work. In the mine, investigators discover a Chinese kill switch which could destroy all Chinese buses. In Denmark, that is 57 percent of the bus fleet. Source (Danish): https://www.zetland.dk/historie/svNwC3c5-aOPVxA4K-224e5
       
 (DIR) Post #Azw4I4WDgUOl98Zqfw by shironeko@fedi.tesaguri.club
       2025-11-05T12:42:16.678694Z
       
       0 likes, 0 repeats
       
       @randahl china china china, tbh probably all modern cars have this.
       
 (DIR) Post #Azw7XHWZuY6zgngmhM by danimo@chaos.social
       2025-11-05T12:50:40Z
       
       0 likes, 0 repeats
       
       @randahl Sorry, unless we suddenly start to take non-elective OTA updates without safeguards such as independently reviewed, reproducible source code builds as the theoretical but very possible general threat that they are, I fail to see how this is special. Even more so because @briankrebs boosted it. Vendor-forced OTA updates are an accepted practice. Attack the practice, not the practitioner.
       
 (DIR) Post #Azw7XIrAxSBLoyKkRU by briankrebs@infosec.exchange
       2025-11-05T12:54:07Z
       
       0 likes, 0 repeats
       
       @danimo @randahl I see your point. OTOH, this doesn't seem like one of those single-cause problems. Both things can be true and needful.
       
 (DIR) Post #Azw7XJe61ZJWGhDoh6 by danimo@chaos.social
       2025-11-05T13:00:42Z
       
       0 likes, 0 repeats
       
       @briankrebs @randahl point taken, but the article is baity to the point of being false. They did not find a backdoor, unless all auto-OTA devices are considered backdoored (which is an assumption most of us professionals work under, but not the article's general public audience). With a headline like this, I would expect an actual remotely triggerable reverse shell tbh.
       
 (DIR) Post #Azw7XKawUmNxDCkoPw by shironeko@fedi.tesaguri.club
       2025-11-05T13:18:33.089365Z
       
       0 likes, 0 repeats
       
       @danimo @briankrebs @randahl yeah it's just blatant xenophobia
       
 (DIR) Post #Azw7YCFX0bLPcR9TXc by randahl@mastodon.social
       2025-11-05T12:59:01Z
       
       0 likes, 0 repeats
       
       @shironeko very true. But that is not the point. From a security perspective, it is more likely that NATO could end up in a military conflict with China which could lead to kill switches being engaged, than for example NATO ending up in a war with Germany, and Volkswagen disables all cars in NATO countries.
       
 (DIR) Post #Azw7YDSKWVAzMQ9D84 by shironeko@fedi.tesaguri.club
       2025-11-05T13:18:46.216307Z
       
       0 likes, 0 repeats
       
       @randahl if you have a backdoor, anyone can use it
       
 (DIR) Post #Azw8vAM4Joj8MEj572 by briankrebs@infosec.exchange
       2025-11-05T13:30:30Z
       
       0 likes, 0 repeats
       
       @shironeko @danimo @randahl i wonder if you think the US govt's pending ban on TP-Link devices is also xenophobia vs. an unacceptable threat?
       
 (DIR) Post #Azw8vB69YTaefAHswa by shironeko@fedi.tesaguri.club
       2025-11-05T13:34:08.959985Z
       
       0 likes, 0 repeats
       
       @briankrebs @danimo @randahl of course it is, are TP-Link routers that much worse than all the other routers on the market? If the goal is security, set up a standard test for it.
       
 (DIR) Post #Azw8zzA1Mlkb5SOBLU by randahl@mastodon.social
       2025-11-05T13:30:58Z
       
       0 likes, 0 repeats
       
       @shironeko if that was true, all iPhones would have been bricked by hackers already.
       
 (DIR) Post #Azw9004NzCpxuGlCCW by shironeko@fedi.tesaguri.club
       2025-11-05T13:35:01.156161Z
       
       0 likes, 0 repeats
       
       @randahl do you really think state backed hackers cannot possibly do it?
       
 (DIR) Post #Azw9UQyyUQjO3vk1FQ by briankrebs@infosec.exchange
       2025-11-05T13:38:42Z
       
       0 likes, 0 repeats
       
       @shironeko @danimo @randahl I think the honest answer to your question is the entire industry is a race to the bottom, and comparing the relative security of devices does not offer a very wide range. That said, not all router makers, e.g., ship devices w/ years-old Linux vulnerabilities, or make major updates but use the same revision numbers etc. Or have a history of including undocumented user accounts, etc. Not saying TP-Link is guilty of all that, but the truth is most consumer-grade devices are best wiped and equipped w/ open source firmware. It's a horrible market all around.
       
 (DIR) Post #Azw9USUCtnJAj5MTZI by shironeko@fedi.tesaguri.club
       2025-11-05T13:40:31.271766Z
       
       0 likes, 0 repeats
       
       @briankrebs @danimo @randahl right, put all these e.g. into a standard (however low it may be), ban anything that doesn't meet the standard. it's how everything else works.
       
 (DIR) Post #AzwE1ZGL7pDr7Dv0Cm by jesterchen@social.tchncs.de
       2025-11-05T08:52:48Z
       
       0 likes, 0 repeats
       
       @randahl To be honest: I'd love a broad scale analysis of this. Few days ago it was a vacuum cleaner, now buses... Test this in all things. From mobile phones to cars (don't care if Chinese, US or German), smart beds (well... actually leave these ones out. Who buys a bed that needs internet?!), switches, routers, water pumps, ... I bet they'll find stuff in too many places.
       
 (DIR) Post #AzwE1aM345NoVDb4k4 by janvenetor@mastodontti.fi
       2025-11-05T09:24:57Z
       
       0 likes, 0 repeats
       
       @jesterchen @randahl here's one, everything is Chinese: solar panel infrastructure: https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/ There were suggestions badly managed solar inverters contributed to the widespread blackouts around Spain this summer.
       
 (DIR) Post #AzwE1bKJS1aZW7nCfw by mossman@social.vivaldi.net
       2025-11-05T10:26:18Z
       
       0 likes, 0 repeats
       
       @janvenetor @jesterchen @randahl I've also heard from people in the industry that the jump to blame renewables by the usual suspects was predictably completely made up and untrue. I forget the details but it was basically under-maintained older infrastructure in the interconnectors between regions and countries.
       
 (DIR) Post #AzwE1cEK5mOMJpzvyi by publius@mastodon.sdf.org
       2025-11-05T14:31:04Z
       
       0 likes, 0 repeats
       
       @mossman @janvenetor @jesterchen @randahl The former head of the Spanish grid operator, a big renewables proponent, said explicitly afterwards that he had been telling the government all during his tenure that the additional grid stress caused by wind and solar coming on and off were going to require substantial investments in transmission and switching, or there were going to be spectacular large-scale failures; and every budget year the treasury kept putting him off.
       
 (DIR) Post #AzwEQQTkv4ab752yYq by mossman@social.vivaldi.net
       2025-11-05T14:35:37Z
       
       0 likes, 0 repeats
       
       @publius @janvenetor @jesterchen @randahl Okay, that may be true but I think we're mixing up *potential* problems with what the actual cause of that blackout was, which was an unrelated switch failure or something.
       
 (DIR) Post #AzwH4OYtfNA2evdcy8 by randahl@mastodon.social
       2025-11-05T14:57:36Z
       
       0 likes, 0 repeats
       
       @shironeko if it was possible, do you really believe there would not be a single news story about this happening?
       
 (DIR) Post #AzwH4PYZy2V7kEUt72 by shironeko@fedi.tesaguri.club
       2025-11-05T15:05:27.426087Z
       
       0 likes, 0 repeats
       
       @randahl what kind of argument is that? do you defend against stuxnet after it had hit the news?
       
 (DIR) Post #AzwUJxk6RizzWBdJlQ by reverendrobodummy@dobbs.town
       2025-11-05T17:33:56Z
       
       0 likes, 0 repeats
       
       @randahl surprisingly not surprised
       
 (DIR) Post #AzwcCmKTHXNvj5jHyi by rotopenguin@mastodon.social
       2025-11-05T12:53:22Z
       
       1 likes, 0 repeats
       
       @ben @randahl it is possible to not start a war, and yet still be in one.
       
 (DIR) Post #AzwcTTz0kHn9kXemMS by hyc@mastodon.social
       2025-11-05T10:41:21Z
       
       1 likes, 0 repeats
       
       @ArtHarg @randahl meanwhile, the inverter for my solar panel installation is also remotely controlled by its Chinese manufacturer. I had to email them to request access to its Settings menu. Bugs the hell out of me.
       
 (DIR) Post #AzwcXWrE05hfp4wbZY by peteriskrisjanis@toot.lv
       2025-11-05T08:53:59Z
       
       1 likes, 0 repeats
       
       @randahl there is a little thing called a specification when you buy something. You need to be absolutely sure you have full control over your technology you own. Some people might find open hardware and open source guys annoying but this is what they talk about.
       
 (DIR) Post #AzwcgEbzCuN9qBy3n6 by Niall@mastodon.nz
       2025-11-05T09:54:33Z
       
       1 likes, 0 repeats
       
       @peteriskrisjanis they're at least twice as annoying when they're saying 'I told you so' :) @randahl