Web devs want to make the Internet of S**t worse. Much worse

Vendors including Google have spent a few years crafting an API they hope to push into browsers that will make this month's Internet of Things conflagrations pale by comparison. There's not been much noise about the Web Bluetooth API, and thankfully it's not yet accepted as a standard. It probably should never be one, if you …


  1. Ole Juul

    If this takes off

    There will be security conscious people looking for a Commodore 64 on Ebay.

    1. Triggerfish

      Re: If this takes off

      I'm thinking if you're technical you will be going crude in the future, y'know locks with real keys, dumb fridges, kettles whose only switch is on and off etc.

      1. Pen-y-gors

        Re: If this takes off

        @Triggerfish

        I'm thinking if you're technical you will be going crude in the future, y'know locks with real keys, dumb fridges, kettles whose only switch is on and off etc.

        You mean like I do now? I'm already suspicious with remote locking on the car, and don't get me started on pay-by-bonk...

        1. Triggerfish

          Re: If this takes off

          I agree, the thing is I think there is a boiling the frog effect going on with a lot of people. I commented on another thread about how I have techs here (I'm the least techy I'm more engineer turned PM and such, than a computer bod, the techs here have computer degrees, and Cisco quals etc), who absolutely have no qualms about Win 10 spyware (I have been accused of tinfoil hattery), or leaving themselves logged into Facebook and then commenting on how products they have browsed on their PC are now being advertised on their phones. Their response to these issues is mainly meh, or I just live with it. (Seriously even things like the Xbox app on Win 10 start menu being greyed out in add/remove programs - uninstall, five minutes Google for the PowerShell script sorted it FFS).

          There was a guy here who wants his Cisco security and his response to a conversation about IOT I brought up was I was worrying too much and it won't happen, non issue etc.

          I genuinely think they have been trained by companies and the world around them that this is the new normal, and us older buggers are just paranoid.

          1. Doctor Syntax Silver badge

            Re: If this takes off

            "I genuinely think they have been trained by companies and the world around them that this is the new normal, and us older buggers are just paranoid."

            It's simply the old "experience is a dear teacher but there are those who will learn by no other". They'll learn. They'll also discover the truth of the complementary saying: "experience is something you need just before you get it".

            1. Anonymous Coward

              Re: If this takes off

              "It's simply the old "experience is a dear teacher but there are those who will learn by no other". They'll learn. They'll also discover the truth of the complementary saying: "experience is something you need just before you get it"."

              I can think of two COUNTER-sayings.

              One, "If there are those who will learn by no other, what happens when a situation requires prior knowledge to live through it?"

              Two, "What about those who don't get it even WITH experience?"

              1. Ken Hagan Gold badge

                Re: counter-sayings

                That's easy. Experience hands the case over to her husband, Mr Darwin.

              2. Doctor Syntax Silver badge

                Re: If this takes off

                One, "If there are those who will learn by no other, what happens when a situation requires prior knowledge to live through it?"

                Two, "What about those who don't get it even WITH experience?"

                They become examples for others to learn from.

                "Those who don't learn from history are condemned to repeat it."

          2. Wade Burchette

            Re: If this takes off

            "Their response to these issues is mainly meh, or I just live with it."

            I find that younger people with no experience or wisdom in life have the "so what?" attitude. Tell the same thing to an older person and you will get the exact opposite response. The younger generation has been conditioned to accept "free" content. They happily go to the street and protest a 3 letter organization tracking us while telling Facebook all about it.

            I started to word things differently. I started saying that large multi-billion dollar for-profit corporations have no business knowing anything about my personal life. Do you really think big businesses can be trusted with your personal information?

        2. Triggerfish

          Re: If this takes off

          RE the car one of our guys had his car robbed recently parked in Mayfair, BMW no smashed windows, when he went to the police they asked the model and said it would have been thieves who had cracked the remote locking system.

          1. Anonymous Coward

            Re: If this takes off

            >would have been thieves who had cracked the remote locking system.

            Most vehicles, not just BMW, are borked by the same flaw - also gates and doors etc with rolling codes. They just jam the receiver and copy the code sent by the fob - as long as the car etc doesn't receive the code, it can still be used.

    2. TheVogon

      Re: If this takes off

      "kettles, toasters"

      Just why??

      See https://www.youtube.com/watch?v=LRq_SAuQDec

  2. redpawn

    I've always dreamed

    of websites connecting to my TV and refrigerator. Think of the wonderful targeted ads based on the contents of the fridge and my viewing habits. Much better than Superfish. Keep up the good work. Waiting with bait like breath for the next great idea.

  3. Anonymous Coward

    I'm glad to be a curmudgeon.

    My desktop doesn't even have any wireless functionality at all, so good luck trying to turn on a BlueTooth antenna that doesn't exist. That plus the fact that I've only got a feature phone & have disabled the BT on it (don't need it, don't have any BT devices to pair to it), so even if I did have an antenna on the computer the only thing that might talk to it is intentionally deaf.

    If I had a laptop with BT I'd turn it off for the same reason as my phone, since I don't want to sync my laptop & phone, & it's much easier to plug in the USB3 crossover cable for data transfers that scream by at speeds unlikely to be reached over wifi. Oh wait, I don't have any wifi on the desktop either, so the desktop & the laptop couldn't communicate that way either.

    Damn I hate to be smug, but I'll bask in the glow of being a crotchety old fart for a change.

    *Moons the web devs*

    Kiss my wrinkly furry ass!

    =-)p

    1. John Brown (no body) Silver badge

      Re: I'm glad to be a curmudgeon.

      "My desktop doesn't even have any wireless functionality at all, so good luck trying to turn on a BlueTooth antenna that doesn't exist."

      It seems to me that most of the general computer using population at home these days are on laptops and tablets. And from what we see and hear about average mobile phone users, all the wireless options are on by default to connect to whatever source they happen to be near at the time. I bet most of them have barely even registered the fact most if not all laptops have Bluetooth, never mind how to switch it off.

      Of course, Bluetooth isn't a huge target for hackers because of the proximity requirements, but if a Bluetooth Web API goes ahead, suddenly it becomes immensely more attractive if you can hack someone's phone from the other side of the world just by scanning for vulnerable PCs or infecting popular websites.

  4. FF22

    Wrong

    Author is simply wrong. Why? Just think about it!

    You want to use Bluetooth - for whatever reason. If you can't use/access it from your web browser, then you will have to download a native app for that. Native apps have obviously far less restrictions applied to them, than anything running inside a web browser, right? Right.

    So, providing access to Bluetooth from the web browser, too, obviously can not make things any worse than they are. Actually, on the contrary: it provides a more secure environment for running Bluetooth-based apps, than that was previously available. With this, you don't have to download and install an app for that purpose any more, but can use your far more secure and restricted browser environment to do some things over Bluetooth.

    And don't even get me started about how obviously there will be tons of security prompts in the browser before any web site or app can actually access the Bluetooth API or transfer any data from or to a Bluetooth device.

    So, then what exactly is your problem with it? Besides your limited understanding of the browser, the web and security, that is.

    1. Kernel

      Re: Wrong

      You forgot the Joke Alert icon - I hope.

      1. FF22

        Re: Wrong

        You "forgot" to supply any counterarguments.

    2. m0rt

      Re: Wrong

      "Author is simply wrong. Why? Just think about it!"

      Ok, first off you make a very bold, decisive statement. So we are going to look at your following comments with interest.

      "You want to use Bluetooth - for whatever reason. If you can't use/access it from your web browser, then you will have to download a native app for that. Native apps have obviously far less restrictions applied to them, than anything running inside a web browser, right? Right."

      Straight away you assume that Bluetooth is being used for applications. There are other reasons why bluetooth will be on. Silly mac wireless keyboards, for example. In car connectivity. Bluetooth being on doesn't mean that there is a 'app' need/want.

      "So, providing access to Bluetooth from the web browser, too, obviously can not make things any worse than they are. Actually, on the contrary: it provides a more secure environment for running Bluetooth-based apps, than that was previously available. With this, you don't have to download and install an app for that purpose any more, but can use your far more secure and restricted browser environment to do some things over Bluetooth."

      Ok...so with all the current insecurities doing the rounds, opening up an attack vector that crosses strewn with malware web, with items that you previously didn't contaminate, possibly, in some cases have nothing to do with the actual web. Look up bluetooth and medical devices.

      "And don't even get me started about how obviously there will be tons of security prompts in the browser before any web site or app can actually access the Bluetooth API or transfer any data from or to a Bluetooth device."

      Ahh yes. And those security prompts will always be there? Because of, you know, no exploited bugs, malware being present. (Imagine - a world without spam! I want this utopia.)

      "So, then what exactly is your problem with it? Besides your limited understanding of the browser, the web and security, that is."

      I think the author was pretty clear what his problem was.

      For the record I also think the author was wrong to approach this in a journalistic fashion, (ok, there is a little bit of the 'Sun what done it' in it but hey. )

      He should have just stated 'This is fucking ludicrous.' and left it at that.

      1. FF22

        Re: Wrong

        "Straight away you assume that Bluetooth is being used for applications"

        I did nothing alike. Not that assuming it would have been wrong. Just sayin'.

        "Ok...so with all the current insecurities doing the rounds, opening up an attack vector that crosses strewn with malware web"

        Over your head. My whole point was that with some or most Bluetooth access potentially moved to the browser the overall attack surface will be reduced, because now you won't need to download and install native apps permanently anymore for a lot of Bluetooth-related stuff, but can simply run them on-demand from the much safer browser environment.

        "Ahh yes. And those security prompts will always be there? Because of, you know, no exploited bugs, malware being present. "

        There might be bugs and exploits, but they will be definitely less available from a browser environment, than they were from the native environment. So, all in all - as already explained - the attack surface and the risks will be reduced, even then when there will be some new exploits and bugs introduced.

        "I think the author was pretty clear what his problem was."

        You're obviously confusing two things here. Being clear about something doesn't mean being right about it. I've questioned the latter, and you're talking about the former.

        1. frank ly

          Re: Wrong

          "There might be bugs and exploits, but they will be definitely less available from a browser environment, than they were from the native environment."

          A native application can be 'bad' of course but that's always been the case and some effort has to be made at each PC to get it installed.

          For the browser, if it has a bluetooth API, that's a whole new class of malware vectors that can be installed on a webserver. That can be done by an evil webmaster or a hacker contaminating a webserver. A victim could be exposed by following interesting links in innocent webpages, as we all do. If a website is known and proven to be 'innocent' and you use it, it could be compromised in the future, etc, etc.

          1. Swarthy
            Mushroom

            Re: Wrong

            You thought those Flash ads auto-playing videos was bad, wait until the advertisers can ping your phone/fitbit/watch.

            1) Tracking by devices - Ghost/Privacy mode won't help, They could ID your device and ID you at any machine, no FB login, no cookies required.

            2) Ad now plays on your phone/BT speakers - across the room so you have to get up to make it shut up.

            3) Malvertisements can now connect to your phone, send a subscribe text to a premium-rate "service" and you are a proud member of the £24.99/month Flagellation Of The Day message service.

            3a) Malvertises can call premium rate numbers - £5.99/minute (or part thereof) - Dial, connect, hang up, repeat, all of the audio cues happen over BT this can go on for as long as you have that tab/window open (unless something gets borked in the implementation and closing the tab/window doesn't close the BT connection) and you may have no idea.

            This is a very bad idea.

          2. This post has been deleted by its author

        2. Doctor Syntax Silver badge

          Re: Wrong

          "Straight away you assume that Bluetooth is being used for applications"

          I did nothing alike. Not that assuming it would have been wrong. Just sayin'.

          "Ok...so with all the current insecurities doing the rounds, opening up an attack vector that crosses strewn with malware web"

          Over your head. My whole point was that with some or most Bluetooth access potentially moved to the browser the overall attack surface will be reduced, because now you won't need to download and install native apps permanently anymore for a lot of Bluetooth-related stuff, but can simply run them on-demand from the much safer browser environment.

          So the second bit I've emphasised is saying that with Bluetooth in the browser you won't need to download the apps that, in the first bit I've emphasised, you're denying were being used without Bluetooth in the browser? Somehow I don't think you've got your own head round your own arguments. Maybe that's why the rest of us have problems with them.

        3. Anonymous Coward

          @FF22

          You truly are the epitome of the current generation of morons who believe they're technical but don't have the first fucking clue. You shouldn't be let anywhere near a computer except under supervision of a competent adult.

    3. Christian Berger

      Re: Wrong

      Well unfortunately browser sandboxes aren't any more secure than any other kind of sandbox. For most users they don't protect anything as most things are happening in the browser anyhow.

      Yes, native apps are a problem, but since people are aware that those are shit, people might stop buying shitty devices that don't adhere to simple public protocols.

      1. Anonymous Coward

        Re: Wrong

        No, native applications aren't shit by default (they could be, of course). The problem with a browser is it became a generic host for code downloaded from remote mostly each time - and also too often that code includes third party code got without much control just to make money.

        Users have much more control upon native applications than web ones.

    4. Filippo Silver badge

      Re: Wrong

      There is a much higher barrier to installing an application compared to visiting a web page. Most people still wrongly assume that websites are always innocuous. If a moderately competent user installs an application, it will be from a reasonably trusted source - the manufacturer's website, or the CD that comes with the gizmo. Yes, it is possible to get users to install malware; doing so is not nearly as easy as getting them to visit a malicious website.

      Also, the fact that data from the device has to go through the Internet rather than just to the app opens up all sorts of additional attacks; MITM, etc. Finally, the fact that even when everything is working as intended, the data has to go to the manufacturer's cloud has awful implications. I really don't see why Google needs to know how I set my thermostat, and I really don't want it to stop working because my Internet connection is down.

    5. Anonymous Coward

      Re: Wrong

      Can I have some of what you're smoking, it seems very strong indeed

    6. bombastic bob Silver badge
      Flame

      Re: Wrong

      "If you can't use/access it from your web browser, then you will have to download a native app for that."

      so: PART of the fix is some _REAL_ security on the IoT device end, to _PREVENT_ unauthorized bluetooth-level access from an unauthorized client, PARTICULARLY a web browser running javascript exploit code downloaded from an infected embedded advertisement...

      (or whatever)

      seeing as I'm involved directly with TWO different bluetooth applications that run on android, and the device(s) that the android device controls, it's a major concern.

      I can foresee unauthorized firmware loads happening... so THAT much has to be protected against.

  5. Steven Roper

    "Imagine a world where every web site can connect to devices near you – or on you."

    Shudder. When I imagined that, my instinctive response was: There's a small cave up in the hills not far from my parents' place. I'm seriously thinking of taking up permanent residence in it.

    1. Anonymous Coward

      "Shudder. When I imagined that, my instinctive response was: There's a small cave up in the hills not far from my parents' place. I'm seriously thinking of taking up permanent residence in it."

      I thought of that, too. Then I remembered modern ground surveillance satellites can be equipped with infrared cameras...

    2. Anonymous Coward

      Good thought. Put the tea on, we'll pop over later.

  6. Triggerfish

    Why the F...

    Do I need a bluetooth kettle and toaster anyway?

    1. Neil Barnes Silver badge

      Re: Why the F...

      My toaster died yesterday.

      I hit it. Hard.

      Now it works again. I bet there isn't a bluetooth API for that...

      I'm constantly baffled by people coming up with IoT solutions for problems that simply don't exist, and that in the vast majority of cases have simple, effective, debugged, and secure solutions already - like, er, physical keys, physical switches, thermostats...

      1. Pen-y-gors

        Re: Why the F...

        @Neil Barnes

        thermostats

        With winter coming, I tried to switch the heating on. No joy. Thermostat was correctly set - but the batteries had gone flat! (admittedly after about six years, show me a Li-Ion that can do that!) - I think I need something even lower-tech - light up the wood-burner?

      2. Sgt_Oddball
        Flame

        Re: Why the F...

        Surely the talkie toaster™ should have been warning enough, especially what happens to it. Twice....

        Yes it's a work of sci-fi but that's where this is going.

        On a side note, the people that thought of this stuff were never around public spaces when bluetooth first came onto the market and had no authentication at all - cue childish pranks involving sending rude pictures to unsuspecting yuppies in train stations just to see who looked at their phones and pulled an odd face.

        Now that was just at a local level.....

    2. Michael Thibault

      Re: Why the F...

      Is there an IoT gubbins that is better than a Leatherman? An SAK? Ha! Thought not.

      I'm fairly certain I've come across a beer mug that could be used wirelessly with an associated app. Didn't look into it,--as the thing seemed to be made of plastic, and I'd never drink from it,--but it may have been connecting 'wirelessly' some other way... The point of it eludes me. Anyway, what I'm wondering is: how bad, or absurd, does IoT get?

      1. Pen-y-gors

        Re: Why the F...

        @Michael Thibault

        Anyway, what I'm wondering is: how bad, or absurd, does IoT get?

        I think we can be confident that we have a long way to go yet on the bad and absurd scale.

        But on the bright side, they won't last for ever (see recent report on 50% drop in sales of iWatches), then we can crawl out of our caves, blink in the sunlight, and take our rightful places as rulers of a newly-analogue world.

    3. Christian Berger

      Even if I wanted...

      I'd rather want one that speaks WIFI as that would reach through the access point from my kitchen to where I want to know its status.

      We live in a world where even single chip WIFI solutions have enough horsepower to provide a simple webserver you can talk to directly with your browser.

    4. BongoJoe

      Re: Why the F...

      Quite.

      Sends message to toaster: makeToast TWO_SLICES, LIGHT_MEDIUM_BROWN

      Error message received: ERROR_BREAD_STILL_IN_BAG

      So unless I want dried bread being toasted and left hanging above the toaster over night and folding over so it won't go in automatically when the toaster starts, it's best that I do it myself. Manually.

      Unless of course I get a toaster which has a magazine for bread above and which keeps the flies off then this isn't going to work and I am going to have a massive ugly hunk of metal/plastic in my kitchen.

      And since toast takes about a minute to make; you know the amount of time it takes to locate a plate, a knife, butter and spread of choice then there is no reason to have this automated because one has to be there to eat it still warm.

      Idiot idea.

      1. Triggerfish

        Re: Why the F...

        I am not one for wearing a hairshirt for environmentalism, while still thinking it's a good idea we use a bit less energy etc, so in this time when we are supposed to be worrying about energy usage to some degree, why the hell are we also making devices that suck more power, especially when you are going to hit the ERROR_BREAD_STILL_IN_BAG / WATER_STILL_IN TAP problem as well?

        Also occasionally standing up and moving could be a good thing for you.

        1. Anonymous Coward

          Re: Why the F...

          "Also occasionally standing up and moving could be a good thing for you."

          Unless, of course, you trip on the camouflaged toy your kid/pet left on the floor and end up getting your throat impaled on the spiky toy just ahead. Given all the risks of moving versus not moving, I'd rather move only when I absolutely HAVE to.

        2. Vic

          Re: Why the F...

          Also occasionally standing up and moving could be a good thing for you.

          There's a nice article on that very subject here.

          Vic.

      2. John Brown (no body) Silver badge

        Re: Why the F...

        "Unless of course I get a toaster which has a magazine for bread above and which keeps the flies off then this isn't going to work and I am going to have a massive ugly hunk of metal/plastic in my kitchen."

        The new HP Toaster.

        Only £5.99 comes with a "starter" cartridge of bread ready for toasting.

        We do not recommend re-filling the bread cartridges with non-HP bread or using non-HP branded cartridges (they won't work anyway, we'll just change the firmware DRM the next time you visit a page on your bluetooth enabled laptop/browser)

        Replacement HP bread cartridges are available for the low, low price of £29.99 and can make up to 20 pieces of toast.

        (Please note the cartridge expiry dates. For your safety, cartridges inserted after the expiry date will not work. Also note that the HP Toaster self cleaning process will automatically run after each use or every 24 hours if not used and this may use up to two slices of bread per process.)

  7. Christian Berger

    Of course Mozilla will implement it

    They have a tack record of implementing and backing every bad idea. APIs like this one (or the USB one, or just about any that came out in recent years) make browsers more complex so it's harder if not even impossible to fork your own browser engine or even write one from scratch.

    This keeps the browser market in an oligopoly, something all players there can live with. For them it's good, for the user it's bad... but nobody cares about those anyhow.

    As always, more complexity will mean more bugs and therefore more security problems.

    1. Doctor Syntax Silver badge

      Re: Of course Mozilla will implement it

      "They have a tack record of implementing and backing every bad idea."

      Nice Freudian slip there, Christian. Tack as in tacky. Spot on.

    2. Ken Hagan Gold badge

      Re: Of course Mozilla will implement it

      Rather more likely that Chrome will implement it, since Google are pushing it, and almost certain that Chrome won't make it easy (or perhaps even possible) to disable it.

      This whole thing sounds about as well thought out as UPnP or even ActiveX. Both of those were bad ideas and their badness was clearly explained at the time, ignored, and then borne out by bitter experience. However, they remain in modern products for the sake of backwards compatibility. I suppose a bright young thing with *no fucking clue* about the history might see them there and think "Oh, we could do something like that for IoT...".

  8. Novex
    Facepalm

    Security First

    Jeez. Just how long will it be, and how much pain do we have to go through, before the companies that make any kind of coded kit, from toasters to PCs, realize that the first action in any code is to make it secure? It seems probably never in the case of when, and not even when the pain kills the patient in the case of what has to happen.

    1. Charles 9
      FAIL

      Re: Security First

      "Jeez. Just how long will it be, and how much pain do we have to go through, before the companies that make any kind of coded kit, from toasters to PCs, realize that the first action in any code is to make it secure? It seems probably never in the case of when, and not even when the pain kills the patient in the case of what has to happen."

      In most spheres, security doesn't sell because it gets in the way of getting the job done, which is the first and foremost requirement of ANYTHING. You buy things to get jobs done; if not, you're throwing money away. Security first can ONLY come if a Machiavellian Prince with some scruples takes over the world and demands it with extreme penalties for noncompliance. Otherwise, sovereignty, competition, and overall human stupidity will ensure it'll never happen.
