
Japanese government will access home devices in security survey - sprague
https://www3.nhk.or.jp/nhkworld/en/news/20190125_44/
======
NZiozis
This may seem weird, but I think the idea of what they're doing is spot on. If
anyone were to get access to my things I'd rather it be the government and
then have them disclose it to me. Additionally, if you don't want your
information accessible you've had your notice to hire someone to lock it down
or lock it down yourself. I would liken the service to the government checking
the insulation on your house.

~~~
azinman2
As long as you trust your gov.... I think Japan is probably in better
relations with its citizens than most countries...

~~~
ardy42
> As long as you trust your gov.... I think Japan is probably in better
> relations with its citizens than most countries...

I'd trust _any_ democratic government doing a _preventative security scan for
vulnerable devices_, over some hacker who's only out to exploit them for
personal gain.

Most people have never patched their router nor even know how to. Someone
needs to proactively inform that group that they're vulnerable, at scale, if
we're even going to have a chance to solve a lot of network problems.

~~~
johnisgood
Why do we have to choose? Personally I don't trust either.

~~~
Thorrez
You can't nicely ask the hacker not to do it. The hackers are constantly
scanning the internet regardless of what you want.

~~~
johnisgood
Same goes for most Governments though.

------
jbeales
This seems like exactly what some commenters were asking for in the "I Scanned
Austria"[1] post 9 days ago.

This seems like the digital version of checking for locked doors. Here in
Montreal you can get a ticket for leaving your car door unlocked. This seems
like a similar initiative, but one that protects against greater threats while
being less punitive.

[1] [https://news.ycombinator.com/item?id=19113147](https://news.ycombinator.com/item?id=19113147)

~~~
tokyodude
> you can get a ticket for leaving your car door unlocked

What is the reasoning behind that law? I know plenty of people who live in
areas where they don't lock their house because they believe it's safe enough
not to have to lock it. And besides, anyone who really wanted in could bust
the door down or break a window.

Same with cars. I've had my car broken into 5 times in LA/SF. They busted the
window each time. Not locking would have solved nothing although maybe it
would have saved me having to pay to get the window replaced.

Ideally if the law is about preventing crime it seems like they should
actually try preventing the crimes rather than tell citizens to change their
lives. Here in Japan pull out car stereos are not a thing and they have large
car stereos that are not available in the USA. They are not available in the
USA because they're too large to carry and would get stolen. I'd prefer to
live in a society that protects its people's lifestyles than one which tells
them "that's the way the world is, lock your stuff up"

Not sure that made any sense. There's plenty of things you can do in Japan you
can't do other places because the crime level is high in those other places.
The attitude of those other places is "crime exists, there's nothing to be
done about it, so suck it up". Living somewhere where the crime doesn't exist
(or is low enough to ignore it) opened my eyes that I was in a bubble of
"crime is the way things are". Now I see that no, it's the way we let them be.
I'm sure it's more complicated than that.

~~~
close04
The idea is that you are costing the police valuable resources for something
you could have easily avoided by locking the car. Many countries have such
laws. You have to take the proper precautions or face a fine.

An open door is seen as an invitation even for a thief that normally wouldn’t
risk breaking a window. Basically for crimes of opportunity. And this applies
to houses, cars, etc. Insurance companies will see it the same way.

~~~
Gpetrium
Not only will it cost the police more, but it also costs the car insurance and
by proxy everyone that is insured.

If 100 people leave the car unlocked and are robbed and on average the car
costs $30,000, this will cost $3,000,000 + insurance resource + customer
hassle + police resources + judicial resources. That is a steep cost to all
parties.

(Dis)incentives are more successful when they consider all actors.

~~~
codefined
'Smashing a window' is unlikely to incur costs of $30,000, perhaps $300 is a
better estimate.

I would also argue that insurance resources, customer hassle, police resources
and judicial resources are also all roughly equal for handling stolen items
from a car, versus stolen items from a car + window broken.

~~~
close04
You’re ignoring the fact that an unlocked door greatly increases the chance of
the crime happening in the first place. It won’t cost more but it will make it
happen more times.

Many opportunistic thieves will simply try the door and only go in if it
opens.

------
porphyrogene
This is an interesting and innovative approach. It is essentially a grey hat
operation carried out by the government to raise individual awareness about
cybersecurity. Considering that the article mentions a "constitutional right
to privacy" I'm assuming that citizens would have significant recourse if one
were to prove that one's data were leaked. It is ethically dubious but as an
American whose phone calls can be tapped at any time without a warrant I am
open to the idea that it is time for radical measures to improve privacy.

~~~
ganzuul
Have you ever had a device responding to ping that documentation says runs an
old version of Windows NT, while the last version was released 10 years ago,
and you have no idea where the machine is physically located?

I could imagine a lot of businesses will open a closet to find the source of
that infernal beeping, and discover a computer they forgot about.

------
kmlx
the following article puts it in context a lot better:
[https://www.ft.com/content/7d57b8d8-294e-11e9-a5ab-ff8ef2b976c7](https://www.ft.com/content/7d57b8d8-294e-11e9-a5ab-ff8ef2b976c7)

"The huge question is what happens if, as many experts suspect, the experiment
reveals major vulnerability throughout Japan. Even that shock may not do the
trick. There is an awful lot of complacency to shake off and while Japan is
far from alone in that, all the top-down, Society 5.0 posturing makes it hard
to shift. Even with the government’s pro-IoT drumbeating in the background,
said Itsuro Nishimoto, the president of Japanese cyber security group LAC, the
business of IoT security is not yet growing in Japan. There remain deep,
unresolved questions of whether manufacturers of IoT devices or their users
should have responsibility for ensuring security and a nagging concern that
the government’s mega-hack will not conjure up an answer."

------
argd678
What this says of course is that software vendors and security vendors are not
able to or not incentivized enough to protect their users, to the point the
government needs to become more involved.

The biggest issue I see with almost all security software is that they have no
idea what should or shouldn’t happen and they just punt to the user asking them
to be a SME on the right behavior, and with enterprise software that’s so
complex there’s no way to know if the millions of settings are what the
business really intended, and very little software even allows you to express
intentions beyond a low level allow deny rule. Google docs is a little better
in that they talk in terms of what you’d do with a doc, but very little
software is even at that basic level.

~~~
cced
Can you expand on Google’s approach to “allowing users to do X with a Doc” ?

~~~
argd678
They allow for high level intentions like “only share this doc within my
company”, or “share only with specific people”. Connecting the permissions to
the way someone thinks about it, going more in this direction is what’s
lacking IMO.

------
newnewpdro
Those who don't trust the government must already be assuming this is
happening without their consent and have taken the appropriate measures.

So I don't really see a problem, if it results in citizens getting informed by
someone other than their paranoid neighborhood tech-obsessed geek that their
negligence is part of the problem.

I've been that guy in the past, there's a substantial portion (majority?) of
the American population that will pay far more attention to a government
notice of vulnerability than a fellow citizen they perceive as a paranoid
extremist dreaming up invisible threats.

------
mef
> the institute will ensure no data is leaked

that’s a relief

~~~
DINKDINK
"We take your privacy and security very seriously"

------
secfirstmd
Well the five eyes, Chinese, Russians, Israelis, French and many private
actors are doing this all the time anyway. May as well see what happens if a
Democratic government tries to do this for a positive reason.

------
userbinator
It is not a big leap from this to "you have connected an unapproved device, we
have blocked you from the network" to "you have been fined for connecting an
unapproved device to our network" or worse... some of you here may be old
enough to remember the monopoly Bell had on telephones and the times when it
was illegal to connect anything they did not approve of.

"The road to hell is paved with good intentions."

~~~
general8bitso
...or the movie, ‘Brazil’?

------
_bxg1
I interpreted this headline very differently at first

------
hatmatrix
> Institute researcher Daisuke Inoue says the project's aim is to increase the
> safety and security of people's devices. He says the institute will ensure
> that no data is leaked.

Classic example of "what could go wrong"?

------
achillean
For an overview of Japan's current Internet exposure check out:
[https://exposure.shodan.io/#/JP](https://exposure.shodan.io/#/JP)

------
kgwxd
"The institute says it will keep under wraps any data obtained in the survey."

Unless someone better at scanning for vulnerabilities finds a hole in their
system.

------
arcaster
Why would anyone ever be okay with this? Regardless of the country or how soft the
culture is - this should never be seen as "okay" or "passive" in any way.

~~~
alias_neo
It's a difficult choice. In a way, you can see it as a free pen-test on your
network.

I don't even think it's a case of trusting them, because if they get access to
webcam data or something else that they shouldn't, assume someone with less
well-meaning intentions can and has also done so.

~~~
ya30a
What would happen if a plebeian performed this free pen testing? I think we
have several examples.

In several countries pen testing tools for plebeians are even illegal.

~~~
icebraining
People run pen tests every day. You might know
[https://www.shodan.io/](https://www.shodan.io/) ?

~~~
achillean
Note that Shodan doesn't try to authenticate with the devices - not even using
default credentials. This is different than what Japan is proposing; they want
to try various default credentials to identify devices that could be used for
various attacks (ex. Mirai).

------
DINKDINK
Searches and Inspections in Noncriminal Cases
[https://law.justia.com/constitution/us/amendment-04/05-searches-and-inspections-in-noncriminal-cases.html](https://law.justia.com/constitution/us/amendment-04/05-searches-and-inspections-in-noncriminal-cases.html)

~~~
comex
The Fourth Amendment to the US Constitution is not terribly relevant to
actions being performed by the Japanese government.

~~~
DINKDINK
I provided the link for jurisprudence context, not to support an argument of
transgression of the Japanese legal structure.

