This may seem weird, but I think the idea of what they're doing is spot on. If anyone were to get access to my things I'd rather it be the government and then have them disclose it to me. Additionally, if you don't want your information accessible you've had your notice to hire someone to lock it down or lock it down yourself. I would liken the service to the government checking the insulation on your house.
The main issues I see with this are, rather than just "I don't trust the government":
1. They'll do a scan of all devices, then ask the ISPs to provide customer information for the vulnerable IPs found so that the government can contact them. So now you'll end up with a big fat list somewhere with names and addresses next to a known vulnerability, and that list is bound to leak sooner rather than later. See the recent "My Number" (Japanese equivalent of social security numbers) leaks.
2. This makes for great phishing. All newspapers and TV channels have said you might receive notice from the government about security. Now you just have to send emails or letters claiming to be the government, saying "we have found your network to be vulnerable, please run this program to clean it up", and it's way more likely people will run your malware. FREE advertisement provided by public funds!
I really don't have a rebuttal to your first point. The way people handle PII will always be an issue. My frame of mind comes from the fact that I'd rather have some public entity privy to it than a private one like Google or Facebook, as someone mentioned below.
The second point seems more like a problem with tech literacy than with this program. There should be some way to differentiate a government email from a regular one. That, and people should understand how to confirm it. Now I get it, I've had family members believe they have a virus because a pop-up told them they did, but sitting down with them for 5 mins and telling them not to stopped that.
I'm curious, someone below mentioned the idea that the government was already taking this kind of action. How do you respond to that?
I'm with you, it seems like a core service for improving the digital security of a nation.
Yeah, people don't trust the government. But most of the conspiracists are convinced the government is already secretly accessing their home devices (or trying to). If that's your belief, then really, nothing has changed!
1) Don't do it at all. Vulnerable families remain vulnerable to organised crime and we have systemic weakness to state and/or vandal attack (worms, botnets or whatever else).
2) Government does it, in public, performed by public servants, with appropriate guidelines that are enforced under pain of criminal prosecution. This has the opportunity to shame and possibly sue ISPs who provide default routers that suck, giving indirect systemic benefits.
3) Private enterprise does it. Facebrick and Gogglers being the obvious candidates who one would think would just love to get in there, probably with the same checks and balances they've enjoyed so far.
4) Some Rumsfeld-style unknown unknown, beyond my limited imagination. Really keen to hear if anyone has an idea here.
I absolutely agree with you that the number of people in positions of power who are completely f&^ing clueless about the domain over which they make decisions is astounding and a huge, massive problem. It still isn't required to have someone who knows what a USB drive is on your board of directors while they sign billion-dollar contracts with Oracle, IBM Global Services, Accenture and whoever else has the best con, for example. Same for public-service IT consulting contracts, where ripoffs utterly dominate the space.
So the "expert" minister thing you raise is really bad. It is in fact just as you say, and must be remedied across the board in all countries.
And I'm still going with (2) govt. doing it, with public scrutiny as the best of the available options.
Although I agree with the base of your point, I think it is worth noting that there are likely plenty of folks underneath him with the knowledge to sway policies and implement them. In other words, a department can still be functional and even successful if their boss listens and applies the ideas offered.
>Although I agree with the base of your point, I think it is worth noting that there are likely plenty of folks underneath him with the knowledge to sway policies and implement them.
True, and while I understand that high level officials do not necessarily need to be able to write code or explain the difference between public and private key crypto, they should have a base level of understanding to make decisions on the materials prepared by their employees.
I don't think someone who isn't familiar with the concept of a USB drive is at that base level of understanding.
I agree. Nobody needs to be a crack in any area, but whoever will take decisions needs at least a base understanding of the theme to judge the validity of the foundations on which those recommendations are based; anybody could be a manager if blindly following recommendations by subordinates always ended up in the best choice.
EDIT: but "Gpetrium"'s statement is actually still correct ("a department can still be functional and even successful if their boss listens and applies the ideas offered"). Maybe from this perspective it's more a "must" for a successful manager, but after the "listening" comes the "judging", and that MUST be based on one's own know-how.
Recently saw a pentester post stating that entry occurred when she asked a person to print something from a USB drive, which required showing the employee how to identify the USB drive once plugged in, etc. (The baseline may be terrifying.)
> As long as you trust your gov.... I think Japan is probably in better relations with its citizens than most countries...
I'd trust any democratic government doing a preventative security scan for vulnerable devices, over some hacker who's only out to exploit them for personal gain.
Most people have never patched their router or even know how to. Someone needs to proactively inform that group that they're vulnerable, at scale, if we're even going to have a chance to solve a lot of network problems.
If you're competent enough to manage your digital security, you're fine (99% of the population isn't). If you're not, you're endangering the society you live in (by providing attackers with a device they can use). That's one way of looking at it.
Agree. Skillset and response will determine the success. The Japanese government has a good precedent of centralized security scanning for the country's Internet, so hopefully it is a positive.
The vast majority of Internet users are not security savvy. Doing a baseline scan with appropriate remediation guidance will go a long way.
You don't need to trust the government. Just secure your devices and they won't be able to get in. It's not like they are requiring that you supply them passwords; they are hacking into your devices the same way anyone else in the world can.
I'd trust them more than my own government just by their admitting that they are doing it. The US government, for example, would never admit to hacking random people's shit, but we know they can and that they do, and they have been exposed doing even more shady shit without oversight and with zero public reports about it. Instead we get PR campaigns to try and cover up the shit that got leaked.
Based on what I've heard from some natives I befriended online, there is allegedly rampant corruption, many people don't really trust the government, and there's a big problem with organized crime (the Yakuza). I'll note that I'm not Japanese and I've never lived in Japan, so I am unable to ascertain the veracity of this claim, thus I would suggest taking this statement with a gigantic grain of salt.
"If anyone were to get access to my things I'd rather it be the government and then have them disclose it to me."
In the United States, I'm inclined to think that the former has already taken place and the latter will only happen after an extensive FOIA battle and enough years to make disclosure useless to the average citizen.
The way I see it: Democratic states are institutions that enslave people in ways that the majority of people living there decided. If you think the same way as the majority then it doesn't feel like enslavement to you. Anyway, the state has complete physical domination over you.
Cyber-criminals, on the other hand, do not have the power to exercise physical violence over you; they can only harm you in non-violent ways.
Practically speaking, you are more likely to be harmed by cyber-criminals than by your country's state, but if tomorrow there's a new law against certain political ideologies (not uncommon in third world countries), or against encryption, or against privacy and they happen to know that you're interested in those things, the consequences could include physical violence.
I agree with you philosophically with regards to democratic totalitarianism. But it's a moot point when we're talking about devices that are already vulnerable. The government is in the same position as any other Internet background radiation: if you want to keep them out, then just secure your shit.
There is a philosophical point to be made about one's right to willfully violate what are considered best practices (e.g. toad.com), but we're not debating penalties for running "insecure" devices. The vast majority of vulnerabilities they find are going to be due to straight cluelessness.
Some trust is not blind trust and there are areas where I do trust government.
It's why I don't worry that the medication I take is not genuine, why the water that comes out of the tap is safe to drink, and why if I get run over I'll get medical treatment.
It’s why I can walk down the street without unduly fearing I’ll get robbed etc.
Blind distrust is as silly as blind trust, is what I'm saying here.
The government taking cyber security seriously is a good thing if you trust that government and the Japanese government is pretty good in that specific area.
Also, given that Japan is a regional and major economic competitor to China, which along with Russia and the other major powers is currently waging an undeclared series of wars in the global networks, it seems like a pretty smart move to me.
As for medicine, water and medical treatment... Your government makes the medicine, your government runs the water company and your government runs your hospitals? Seems like a recipe for disaster. Just out of curiosity, what country do you live in?
Yes. Japan is a regional and major economic competitor to China, Russia, Korea and the US. But what's your point? They are also a major trading partner to all those countries.
Sure, blind mistrust is as bad as blind trust. But there are plenty of reasons for people to distrust governments. It's why we have rights to protect ourselves from the government. And the last government I'd trust is the Japanese government if I were the Japanese people, considering how they were so willing to throw their citizens' lives away on kamikaze missions and endure endless firebombings and nukes.
As the poster of the original comment, it's not blind trust of the government. Rather, it's a preference because I don't trust the ability of any single person, or private entity to handle this sort of thing. I get my stance is political, but I don't understand what isn't "hacker" about it. To me hacking means attacking a situation with the intent to solve it. In this situation, if the government is good, I am willing to see how they solve this issue.
> When did blind trust in government become the norm on "hacker" news?
I agree with you 100% and upvoted you too. Furthermore, people speak of "Government" as if it were a thing, akin to, say, an apple, as opposed to what it is in reality: a random group of random people with possibly, if not probably, virtually unlimited ideas on the nature of what the citizens under their thumb (or hopefully stewardship) have the right to see, hear, think, say or do.
This seems like exactly what some commenters were asking for in the "I Scanned Austria"[1] post 9 days ago.
This seems like the digital version of checking for locked doors. Here in Montreal you can get a ticket for leaving your car door unlocked. This seems like a similar initiative, but one that protects against greater threats while being less punitive.
> you can get a ticket for leaving your car door unlocked
What is the reasoning behind that law? I know plenty of people who live in areas where they don't lock their house because they believe it's safe enough not to have to lock it. And besides, anyone who really wanted in could bust the door down or break a window.
Same with cars. I've had my car broken into 5 times in LA/SF. They busted the window each time. Not locking would have solved nothing although maybe it would have saved me having to pay to get the window replaced.
Ideally, if the law is about preventing crime, it seems like they should actually try preventing the crimes rather than tell citizens to change their lives. Here in Japan pull-out car stereos are not a thing, and they have large car stereos that are not available in the USA. They are not available in the USA because they're too large to carry and would get stolen. I'd prefer to live in a society that protects its people's lifestyles than one which tells them "that's the way the world is, lock your stuff up".
Not sure that made any sense. There are plenty of things you can do in Japan that you can't do in other places because the crime level is high in those other places. The attitude of those other places is "crime exists, there's nothing to be done about it, so suck it up". Living somewhere where the crime doesn't exist (or is low enough to ignore it) opened my eyes that I was in a bubble of "crime is the way things are". Now I see that no, it's the way we let them be. I'm sure it's more complicated than that.
> I've had my car broken into 5 times in LA/SF. They busted the window each time. Not locking would have solved nothing although maybe it would have saved me having to pay to get the window replaced.
Tangential story: I know someone who used to have a soft-top convertible. He would purposefully leave it unlocked because he didn't want someone to tear open the top to get in, which they could very easily do. Someone still tore it open one time to get some change out of the center console.
The idea is that you are costing the police valuable resources for something you could have easily avoided by locking the car. Many countries have such laws. You have to take the proper precautions or face a fine.
An open door is seen as an invitation even for a thief that normally wouldn’t risk breaking a window. Basically for crimes of opportunity. And this applies to houses, cars, etc. Insurance companies will see it the same way.
I'm sorry to put it this way, but I don't know how else to convey it... I feel like you might be living in a bubble and can't imagine a world outside the bubble, in the following way.
In Japan, if you go to a coffee shop like Starbucks, which might be 3 stories tall (each floor rather small though), the norm is you first go see if there is a seat available. If there is, you leave your stuff there. By stuff I mean your $1k-$3k notebook, or your phone; I've even seen people leave their wallet and just take $10 out (equiv). You then go to the floor where you can order and order your stuff, wait for your order, then go back to the place you reserved, and your items are still there.
AFAICT you think that's wrong because you live in a world where that stuff would be stolen and it's therefore your responsibility to make sure it's not stolen.
I live in a world where I don't worry about it being stolen. This has lots of advantages. One, I can reserve a seat. Another, I can use the toilet without giving up my seat and without worrying about my stuff being stolen. I can leave stuff in my car, from car stereos to cameras to whatever.
I'd prefer to live in my world. To put it in modern terms, in your world the terrorists have won. They've managed to remove your freedoms, and you're so deep in you can't imagine it could be any other way.
I stepped out of that bubble. Now I see the places where I have to guard my stuff as 3rd world (in that particular area; Japan has plenty of other issues).
I don't know how to do it, but I want to find a way to encourage people not to let the terrorists/thieves win. I don't want our daily lives to be ones where, instead of just enjoying our lives with each other, we have to be on constant guard for the bad guys and the things they might do. The problem is most places are so used to theft they can't imagine a society without so much of it that they always have to be on guard. So they don't press to make their place better. They just assume it's as good as it gets already. Well, it's not.
> There's plenty of things you can do in Japan you can't do other places because [...]
That’s you. How about that bubble... I guess in “your world” there are no locks on cars and houses. No need you say, right?
But the OP was talking about Montreal. And my answer applies basically to all western world. It’s literally in the law of most of those countries and it makes sense. You don’t need to agree with it but rejecting my explanation will not make it any less accurate and true to the reality of far more than “my bubble”.
P.S. If you don’t want to let the thieves/terrorists in just lock the doors like I suggested.
My point is Montreal could be as theft-free as Tokyo, but it never will be as long as the people that live there keep accepting the existence of so much theft as the norm. It's not the norm. It's the way they continue to let it be. But they can't see it's not the norm because they've never experienced a place where it's not the norm.
That's irrelevant, you're just moving the goalposts. The point is you are the one who lives in a bubble, not everyone else, and I just answered your question to the point. Since theft still exists (and the numbers aren't exactly trivial, they're half what Montreal has) it means you should still lock your doors. That's why they come with a lock.
On the other hand please refrain from judging others for their choices and opinions, and also stop assuming only you've seen the truth. The same justice and policing system that lowered the crime rate is also responsible for suspects being considered guilty until proven innocent, routinely coerced into confessing even when being innocent [0], and sometimes investigating crimes only if a conviction is almost guaranteed otherwise treating it as an accident to keep those stats looking good [1] [2].
Not only will it cost the police more, but it also costs the car insurance and by proxy everyone that is insured.
If 100 people leave the car unlocked and are robbed and on average the car costs $30,000, this will cost $3,000,000 + insurance resource + customer hassle + police resources + judicial resources. That is a steep cost to all parties.
(Dis)incentives are more successful when they consider all actors.
'Smashing a window' is unlikely to incur costs of $30,000, perhaps $300 is a better estimate.
I would also argue that insurance resources, customer hassle, police resources and judicial resources are also all roughly equal for handling stolen items from a car, versus stolen items from a car + window broken.
You’re ignoring the fact that an unlocked door greatly increases the chance of the crime happening in the first place. It won’t cost more but it will make it happen more times.
Many opportunistic thieves will simply try the door and only go in if it opens.
In what world does a broken window total a car? While we're at it, in what world does your insurance premium not increase drastically after you collect on a claim? Your math is incredibly flawed.
My example implies that some cars will be broken into for items that are in them while other cars will be taken by the assailant; the $30,000 example is for visual purposes. Do you expect all cars that are left open or broken into to be just for a 'car stereo'? Do you expect all assailants to go to court and incur the judicial cost I listed?
"As an example, while a simple automobile case may resolve quickly after case initiation and incur less than $10,000 in fees, the total costs of such a case can also exceed $100,000 per side if the case goes to trial." - IAALS.Du.EDU
In some parts of the US, you get your window broken when you leave your car locked. Unlocked, your stuff just gets ruffled because you know not to keep anything worth money in the vehicle.
People just break your windows anyways because they don’t expect the door to be unlocked. Have heard this anecdote from friends twice. Also the people breaking into cars aren’t typically the most sober or mindful of detail. I had my car broken into a little while ago and they stole a bag of tools on the seat but ignored a like new MacBook Pro on the floor of the car. The point is that you can’t win and should enjoy losing.
It's true - when I used to park on the street in SF, I left my doors unlocked after multiple break-ins through the windows. I had nothing of value in the car (not even a car stereo, it was stolen and I never replaced it), but apparently they didn't believe me and wanted to break in and check the glove compartment and center console to be sure.
This is an interesting and innovative approach. It is essentially a grey hat operation carried out by the government to raise individual awareness about cybersecurity. Considering that the article mentions a "constitutional right to privacy" I'm assuming that citizens would have significant recourse if one were to prove that one's data were leaked. It is ethically dubious but as an American whose phone calls can be tapped at any time without a warrant I am open to the idea that it is time for radical measures to improve privacy.
Have you ever had a device responding to ping that documentation says runs an old version of Windows NT, while the last version was released 10 years ago, and you have no idea where the machine is physically located?
I could imagine a lot of businesses will open a closet to find the source of that infernal beeping, and discover a computer they forgot about.
"The huge question is what happens if, as many experts suspect, the experiment reveals major vulnerability throughout Japan. Even that shock may not do the trick. There is an awful lot of complacency to shake off and while Japan is far from alone in that, all the top-down, Society 5.0 posturing makes it hard to shift. Even with the government’s pro-IoT drumbeating in the background, said Itsuro Nishimoto, the president of Japanese cyber security group LAC, the business of IoT security is not yet growing in Japan. There remain deep, unresolved questions of whether manufacturers of IoT devices or their users should have responsibility for ensuring security and a nagging concern that the government’s mega-hack will not conjure up an answer."
What this says, of course, is that software vendors and security vendors are not able to, or not incentivized enough to, protect their users, to the point that the government needs to become more involved.
The biggest issue I see with almost all security software is that it has no idea what should or shouldn't happen and just punts to the user, asking them to be an SME on the right behavior, and with enterprise software that's so complex there's no way to know if the millions of settings are what the business really intended, and very little software even allows you to express intentions beyond a low-level allow/deny rule. Google Docs is a little better in that they talk in terms of what you'd do with a doc, but very little software is even at that basic level.
> What this says of course is that software vendors and security vendors are not able to or not incentivized enough protect their users, to the point the government needs to become more involved.
I think it says something more specific to Japan than that. If you go on Shodan or do your own scans and compare Japan to other technologically advanced nations, you'll find a hell of a lot more random internet-exposed IP cameras, printers, etc. Do a quick search for the Server response header from a Brother printer, and you'll see what I mean. The way that people use computers in Japan is very different from how people use them in the West. I suspect that the way the organizations are structured, and the way that crime works in Japan, are a likely source of this difference.
They allow for high-level intentions like "only share this doc within my company", or "share only with specific people". Connecting the permissions to the way someone thinks about it, and going further in this direction, is what's lacking IMO.
Those who don't trust the government must already be assuming this is happening without their consent and have taken the appropriate measures.
So I don't really see a problem, if it results in citizens getting informed by someone other than their paranoid neighborhood tech-obsessed geek that their negligence is part of the problem.
I've been that guy in the past; there's a substantial portion (majority?) of the American population that will pay far more attention to a government notice of vulnerability than to a fellow citizen they perceive as a paranoid extremist dreaming up invisible threats.
Well, the Five Eyes, Chinese, Russians, Israelis, French and many private actors are doing this all the time anyway. May as well see what happens if a democratic government tries to do this for a positive reason.
It is not a big leap from this to "you have connected an unapproved device, we have blocked you from the network" to "you have been fined for connecting an unapproved device to our network" or worse... Some of you here may be old enough to remember the monopoly Bell had on telephones and the times when it was illegal to connect anything they did not approve of.
> Institute researcher Daisuke Inoue says the project's aim is to increase the safety and security of people's devices. He says the institute will ensure that no data is leaked.
Why would anyone ever be okay with this? Regardless of the country or how soft the culture is, this should never be seen as "okay" or "passive" in any way.
It's a difficult choice. In a way, you can see it as a free pen-test on your network.
I don't even think it's a case of trusting them, because if they get access to webcam data or something else that they shouldn't, assume someone with less well-meaning intentions can and has also done so.
Yeah, this is exactly the root of what I'm getting at. Nobody really knows who "the government" really is. They're so bad at keeping their own secrets secure and in the right place. I sure as hell don't trust the least common denominator among gov't employees when it comes to privacy and ethics to have anywhere near the kind of observation into my life they already have from a squad car filled with feds and a telephoto lens...
Well, in this case, it's the NICT (National Institute of Information and Communications Technology), and it sounds like their efforts will stop at rainbow-tabling devices such as IP cameras etc. to see which have default credentials or weak credentials.
The problem is that the normal, everyday people who run these devices, for the most part, don't understand that not only are they open to the internet, most manufacturers provide Dynamic DNS, making it painfully easy to search for them. Further still, these manufacturers set the same default password for every device. Some have been known to leave the "empty" credential slots usable. Due to poor programming, you could simply log in with no credentials at all.
I have to agree. I'd be hard pressed to decide whether I would or wouldn't accept this "survey", but with notice, like people are being given here, you can mitigate the risks (cover the cameras, remove the data, etc.) and be told there are weaknesses in your system, or alternatively not know and have some unknown accessing them at any point they wish, for any reason they wish.
Sure, it's one rule for them, and another for everyone else.
But, let's be reasonable for a second: Japan is concerned that if people's networks aren't secured before the Olympic games, these vulnerable devices will be used to disrupt systems by outside attackers, potentially costing the country significantly.
It's well known that IoT devices on the market are poorly implemented and poorly secured and rarely-to-never updated by the manufacturer.
Note that Shodan doesn't try to authenticate with the devices, not even using default credentials. This is different from what Japan is proposing; they want to try various default credentials to identify devices that could be used for various attacks (e.g. Mirai).
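The comments above make a practical point for a device owner: a credential-trying pass, whether the announced survey or one of the botnets that probe exposed devices several times an hour, shows up in the device's own authentication log, and the signal that matters is a successful login following a burst of failures, because that means a default or weak credential worked. The following is an added example, not code from the thread or from NICT; the log format and the addresses (RFC 5737 documentation ranges) are constructed for illustration, since real cameras and routers each log differently.

```python
"""Flag sources that repeatedly guess logins against an IoT device.

Added example; the log format below is constructed for this illustration
and does not correspond to any particular vendor's device.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines. One source hammers the default account names
# and finally gets in; another is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2019-02-20T10:00:01Z src=198.51.100.7 user=admin result=FAIL
2019-02-20T10:00:03Z src=198.51.100.7 user=admin result=FAIL
2019-02-20T10:00:04Z src=198.51.100.7 user=root result=FAIL
2019-02-20T10:00:06Z src=198.51.100.7 user=admin result=FAIL
2019-02-20T10:00:09Z src=198.51.100.7 user=support result=FAIL
2019-02-20T10:00:12Z src=198.51.100.7 user=admin result=OK
2019-02-20T10:05:00Z src=203.0.113.9 user=alice result=OK
2019-02-20T10:30:00Z src=203.0.113.9 user=alice result=FAIL
2019-02-20T11:00:00Z src=203.0.113.9 user=alice result=OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, user, result)."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields["src"], fields["user"], fields["result"]


def analyse(log_text, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source.

    Returns {src: {"max_burst": n, "users": set, "success_after_burst": bool}}.
    max_burst is the largest number of failures seen inside any window;
    success_after_burst is set when a login succeeds while at least
    `threshold` failures from the same source are still inside the window.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    report = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, user, result = parse_line(raw)
        q = recent[src]
        # Drop failures that have aged out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        entry = report.setdefault(
            src, {"max_burst": 0, "users": set(), "success_after_burst": False}
        )
        if result == "FAIL":
            q.append(ts)
            entry["users"].add(user)
            entry["max_burst"] = max(entry["max_burst"], len(q))
        elif result == "OK" and len(q) >= threshold:
            # A guessed credential worked: the account should be reset now.
            entry["success_after_burst"] = True
    return report


def flagged_sources(report, threshold=5):
    """Sources that either hit the failure threshold or got in after a burst."""
    return sorted(
        src for src, e in report.items()
        if e["max_burst"] >= threshold or e["success_after_burst"]
    )


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src in flagged_sources(result):
        e = result[src]
        print(f"{src}: {e['max_burst']} failures in window, accounts tried "
              f"{sorted(e['users'])}, logged in afterwards: {e['success_after_burst']}")
```

The threshold and window are deliberately small so that the constructed sample trips them; on a real device you would tune them to the normal failure rate, and the account names collected in `users` tell you which default accounts (admin, root, support in the sample) still exist and need a non-default password or removal.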
So what's the alternative? No one does pen testing and then any government (or motivated individual) can access your data? I'd rather my own government do it than no one at all.
It is particularly hairy, and I don't think there's a perfect solution for the average person.
Most people who care about such things have already come to terms with the fact that devices they expose to the internet are scanned by botnets/hackers several times an hour.
Once the avalanche is in progress, a government plan to add an extra snowflake scarcely matters.