Security Issues Dumping Ground


(Geko) #1

Continuing the discussion from Abusing the Internet of Things:

Wow! Good job @slagle. Just dump all “inconvenient” discussions into one thread, out of order, so no one can meaningfully follow the discussion. Next best thing to sweeping it under the carpet. BTW, I’ve seen this happen quite often recently with other discussions that raise various concerns about SmartThings platform.


#2

The new thread is here for anyone who wants to follow along:

I’m not sure how these conversations are “inconvenient”. We get these questions to our support team all the time and it’s great that we can facilitate that conversation on a public forum.


(Geko) #3

I don’t know. You tell me. I see multiple threads discussing other topics that never get forcefully merged, but I see this happen routinely with threads discussing SmartThings platform-related issues. Merging threads creates chaos, particularly because they’re merged out of chronological order and out of context. Even if your intentions are pure, the end result tastes sour.


#4

The only thing inconvenient for me is trying to track similar conversations across multiple threads. The strategy of merging threads is meant to be helpful - not hurtful to the conversation.

I’d be interested in hearing any other feedback you (all) have about our strategy of merging threads.

I’d also like to move this thread to the “Meta” category as it’s about our forum practices and policies, and not “SmartApps”. I’ll hold off on that for a bit though.


#5

I agree that when the merging pushes year old messages to the end of a more current thread, it’s counterproductive. But when the newer messages end up at about the right chron point, it’s just a topic by topic decision.

For safety and accuracy I prefer not to mix discussions of different device models together unless it’s intended as a comparison discussion.


(Geko) #6

May I suggest using bookmarks for tracking multiple threads? Also, if you really mean it when you say “we are taking this stuff seriously over here”, may I suggest creating a separate Platform Security category and letting users freely discuss security issues there without heavy-handed policing? There are many aspects to security and dumping them all into one thread is not the solution. Just my 2c.


#7

I also agree “Security and Privacy” might make a good category. There are so many different aspects to this, some high level, some granular. For example, issues involving a specific thermostat’s cloud to cloud integration don’t really belong in the same topic with a discussion on voice controls for door locks.

And a discussion of best practices for a homeowner to use when setting up their ST installation would be confusing if mixed with an announcement on a platform vulnerability of significance to developers.

FWIW


(Jody) #8

I don’t actually agree with the content of the initial post, but I agree that the conversation is still important. I agree that there should be a security section and that these questions need to be answered.


#9

Also wanted to say I do like having an individual topic to discuss a specific book or news report without necessarily mixing it in with larger discussions. If Security were a category, the existing topics could be linked to as appropriate. But often discussion of an individual author/reporter’s work gets into details of their qualifications/biases which are irrelevant to the wider topic but very appropriate to the evaluation of that specific article.


(Ben Edwards) #10

There might be a way to merge in different order or somehow alleviate this issue. We will look into it. But I also agree that merging similar threads is important as it cleans up the forums, directs discussion, and aggregates the people interested in a particular topic.


(Geko) #11

Dear Ben,

With all due respect, this thread was about security issues raised in a newly published book, and was crudely shoved in the middle of an unrelated thread, thus interrupting an active discussion that could benefit many SmartThings users by making them aware of potential security issues not only with SmartThings, but also with other existing smart home solutions.

I don’t see you merging two hundred different threads discussing Thermostats in order to “clean up the forums” and “aggregate the people interested in a particular topic” only because they’re related to thermostats. Therefore I question the stated reasons and can only qualify it as a veiled form of censorship.

I will go on record to say that I strongly disagree with and object to the practice recently adopted by SmartThings staff of interfering with Community Forum discussions unless they violate published Policies and Terms of Use.

I thereby implore you, as a VP of Community, to demonstrate your leadership and adherence to the principles of free speech and unhindered exchange of opinions between the members of this Forum by abandoning this appalling practice.

I invite other members of this Forum, including active participants of the affected discussions @JDRoberts, @tgauchat @pstuart, @jody.albritton and @schettj to support me in this call.

Respectfully,

Geko


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #12

I feel that there appears to be a possible disagreement as to the importance of particular Security related issues and also the most effective way to ensure each issue that is of importance to a Community member is heard and explored through relevant discussion.

The Forum has many meandering Topic Threads (partially due to Discourse, which does not automatically spin off sub-threads or allow users to split or merge their own Topics after posting…); but, overall, I think the risk of Topic redundancy is not outweighed by the risk of reformatting missteps or the perception of excessive moderation. In other words, the Community seems to do “OK” with minimal management.

The proposal to use a few more Categories and/or implement Discourse’s “tagging” options seems like an appropriate or even optimal solution. Such methods deliver improved organization of discussions (both information and participation) while minimizing moderator effort and impact (moving an entire specific Topic from one Category to another is trivial, and adding or editing Tags is only slightly more effort).

IMHO. Thanks for your consideration.


(Patrick Stuart [@pstuart]) #13

Frankly, the state of the forums is in a sad state.

I have adopted a try-to-be-positive attitude and just not get pulled into these types of issues.

ST owns and operates this forum, they can do whatever they want. If we like it, we stay, if we don’t, either get over it, or move on.

There are things that can be improved, but having to track 10 different threads about the same damn topic is as annoying as all hell. Trying to find who said what, etc. is insane.

Merging them into one thread, or better yet, moving them into a separate category if critical mass is reached are great ideas that just didn’t get done correctly or exposed a flaw in discourse in organizing how threads are merged.

I don’t know how merging threads on similar (or exactly the same thing) are in any way breaking any rules of openness or free speech…

The fact that this debate is even occurring is proof of the great openness of this community. It would be nice if we had more community moderation, heck I have even suggested before that a separate developer forum be created from a user to user forum. Maybe this could be part of the ever expanding developers section of the website?

Lastly, discussing security issues in the open is the worst place to do it. I asked a while back for official channels to submit security flaws or issues, and nothing has come of that. Now, we have a full-on actual vulnerabilities discussion, even a pseudo whitepaper on how our data is protected, but when any questions are asked, ST goes quiet in answering it.

My only ask is that ST respond to some of these things. Remove them if you have to, merge them if it helps keep it organized, lock it and bury it if it gets out of hand, but please, please, respond to the questions the community asks, especially when someone from ST comes out of the woodwork, publishes a document and then disappears for weeks…

I know many ST folks are taking vacations and gearing up for the craziness that is going to occur launching hub v2 and platform changes soon*. But managing the flow of questions and comments from users vs needs of developers will be a massive undertaking.

Split the forums into two groups, users and developers. Let the user forums be SEO optimized and let the developer one be private. Then we can discuss these issues without the casual user or potential customer seeing these exchanges in the raw.

Just my two cents…


(Geko) #14

Wow, Patrick! Didn’t expect this kind of response from you. So should the books like “Abusing the Internet of Things” be burned then because they discuss security issues? Or should CERT be shut down because they publish list of known vulnerabilities?


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #15

Nope.

But there are professional / industry recommended procedures for disclosures.

For example:


(Patrick Stuart [@pstuart]) #16

@geko you clearly confuse first party source and third party.

SmartThings talking about their own issues in a community forum is much different than someone publishing a book or CERT website.

I am a huge believer in free speech, but I also understand the role of libel in publishing. I am not a lawyer, and like to avoid them at all costs.

However, this forum isn’t run by the users, it’s run by ST, and ST can do whatever the heck they want to protect their platform.

If you read the entire post, I am trying to help. What are you trying to do here? Trying to equate merging a few threads about security issues (which are really user vulnerability issues) into one complete thread to some violation of free speech and openness and drawing my name and others into it to support you is ridiculous.

Read my entire post, and Yes, I do believe that discussing known vulnerabilities in the open is the worst place to do it.

I am also a user of this system. Yes I want it more secure, but if there are known vulnerabilities, I’d like to give ST a chance to fix it before someone exploits it.

If you read my entire post, you would see in the context of what I was talking about I suggested a separate private developers forum where these issues could be discussed with ST involvement.

Please quote me in the proper context. Don’t cut out the important parts to try to prove your point.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #17

Known to whom, and define “a chance”…?


(Patrick Stuart [@pstuart]) #18

Known to the person who found it, or if someone already published it on a 3rd party website or publication.

Zero-day exploits should be given to the proper channels to fix before publication and a reasonable enough time to fix (again, what is reasonable).

If ST willingly ignores the reasonable time to fix a vulnerability prior to publication, then yes, it’s out in the open and should then serve as a warning to end users that a vulnerability exists.

The whole issue right now is there are many potential user-based vectors of attack on ST. The non-expiring (well, 50 years) access token that can’t be revoked isn’t a zero-day issue, but an issue nonetheless, that I would like to see answers on.

Since it has been discussed on these forums since Oct 14, it isn’t that big of a deal, apparently. But since Black Hat is going on this week, it hit the geek news cycles…

Every system that has a user involved in it has vulnerabilities. Every system can be hacked.

But it is about being responsible in reporting vulnerabilities to protect the users, instead of being the “first” to point out the failures of others.

Again, the freedom of speech does have its limits. You can’t yell fire in a crowded theater if there is no fire. You can, and should be held accountable for creating a scare.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #19

I think that’s the keystone of this discussion that shouldn’t be glossed over.

We’ve talked about a few different vulnerabilities with differing levels of impact and practical risk, and there are probably a “few” undisclosed ones as well.

So is it too soon for them to be discussed in public? Perhaps it’s a case-by-case basis, though the Rain Forest Puppy principle is based on the belief that the users, customers or potential users of a system should be given as much knowledge as possible, as soon as possible (leaning towards “sooner than later”) so that they can self-educate and self-mitigate. It is not the responsibility of the vulnerability finder to assume it is not of concern to users, nor to assume the vendor will resolve the problem “imminently” if the “reasonable period” after due notification to the vendor has passed unheeded.

The “Vendor” can actually take an active / proactive approach in this regard by using or providing their communication channels to help self-mitigation (e.g., recommending that users initiate their own frequent password changes if the system doesn’t automatically force them; reminding folks to be very cautious in authorizing third parties to access their devices because tokens are irrevocable; or educating them that uninstalling a SmartApp is necessary and advisable if the user is concerned about an existing authorization, etc.).


(Jody) #20

Totally agree. This is yet another reason to split the consumer and developer communities. Right now, if you want to point out a security flaw in a SmartApp the best way to do that is a private message or an email to support.

They can and should interfere when the topics are redundant or unnecessarily inflammatory. @geko that book you keep linking to has an entire chapter filled with out-of-date and hyperbolic information. The book is out there. Anyone is free to go look at it. SmartThings has no obligation to maintain this forum as some absolute freedom of speech zone. You can start a blog if that is what you want.

No, but SmartThings is under no obligation to endlessly promote a book that is needlessly inflammatory on its consumer face forums.

I would love to see the developer and consumer communities separated. And now this is a redundant thread because I have said it elsewhere. End users who are not developers can have a bad first impression of SmartThings by visiting these forums. Look at the most recent announcement about GitHub. Because the announcement about the announcement happened in the consumer forums, many users who are not developers went over to the Facebook page that is clearly labeled as the SmartThings Developers Facebook page and were disappointed when the big reveal was something only developers would be excited about. As it stands, for the average consumer it is very hard to discern when a topic is about something that is officially supported or something that is only supported by the community. This has an impact on discussions about security issues as well.

Agreed.