Tech Firms, Retailers Propose Security and Privacy Rules For Internet of Things
chicksdaddy writes: As the Obama Administration and the rest of the federal bureaucracy hem and haw about whether and how to regulate the fast-growing Internet of Things, a group representing private sector firms has come out with a framework for ensuring privacy and security protections in IoT products that is lightyears ahead of anything under consideration inside the Beltway. The Online Trust Alliance — a group made up of such staunch civil liberties and privacy advocates as Target Stores (?), Microsoft and home security firm ADT — on Tuesday released a draft of its IoT Trust Framework (PDF), which offers voluntary best practices in security, privacy and what OTA calls "sustainability" (read "lifecycle management") for home automation, and wearable health/fitness technologies.
We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders)...
Oh, should I have sugar-coated that?
The Commerce Clause, is there anything it can't do?
This is just an attempt to forestall real regulation in the area because they will have something to point to when someone proposes maybe keeping them accountable for real. What we need is a law with teeth that allows customers and the government to body slam any company which skims on protecting customer's data. Something along the lines of the type of penalties seen in copyright lawsuits I think. I mean surely the industry would never argue those are disproportionate...
A customer data breach on the order of what happened at Target should rightly be a bankruptcy-level event.
There are rules or agreements for security. The internet of crappy things is either secure or it isn't. Since they are still bucking any attempts at incorporating security, there is no hope of security.
The IoT is a botnet of unprecedented proportions and people are regularly installing 3-6 members of the "botnet" inside their firewalls.
Companies have been releasing subpar devices for a long time. The reality is companies put profits over security. Hopefully this will start to change things.
On the security front, the framework calls on manufacturers to employ end-to-end encryption, including device connections to mobile devices and applications and wireless communications to the cloud or other devices. Device makers should include features that force the retirement of default passwords after their first use and to configure multiple user roles with separate passwords for administrative and end-user access.
Some good things are in the proposal.
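The two device-side requirements in the quoted paragraph, retiring the default password at first use and keeping separate credentials for administrative and end-user roles, modelled as an added Python example (an illustration written for this page, not the OTA framework's or any vendor's code; the class, state names and 12-character minimum are assumptions):

```python
import hashlib
import hmac
import secrets

FIRST_USE = "first_use"   # role still holds the factory-default password
ACTIVE = "active"         # default has been replaced by an owner-chosen one


def _hash(password, salt):
    # Salted PBKDF2 so a leaked store does not reveal the default or owner passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAuth:
    """Per-role credential store: each role has its own salt, hash and state."""

    def __init__(self, defaults):
        # defaults: {"admin": "<factory admin pw>", "user": "<factory user pw>"} (assumed shape)
        self._accounts = {}
        for role, default_pw in defaults.items():
            salt = secrets.token_bytes(16)
            self._accounts[role] = {"salt": salt, "hash": _hash(default_pw, salt), "state": FIRST_USE}

    def _check(self, role, password):
        acct = self._accounts[role]
        return hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"])

    def login(self, role, password, new_password=None):
        """Return True on success. While a role is in FIRST_USE, the default password
        is accepted only together with a replacement, which is installed in the same
        step; after that the factory default no longer works for this role."""
        if role not in self._accounts or not self._check(role, password):
            return False
        acct = self._accounts[role]
        if acct["state"] == FIRST_USE:
            # Refuse if no replacement was supplied, it equals the default, or it is too short.
            if not new_password or self._check(role, new_password) or len(new_password) < 12:
                return False
            acct["salt"] = secrets.token_bytes(16)
            acct["hash"] = _hash(new_password, acct["salt"])
            acct["state"] = ACTIVE
        return True

    def state(self, role):
        return self._accounts[role]["state"]


if __name__ == "__main__":
    dev = DeviceAuth({"admin": "admin", "user": "1234"})  # constructed factory defaults
    print("default alone accepted?", dev.login("admin", "admin"))
    print("default + replacement accepted?", dev.login("admin", "admin", "CorrectHorseBattery"))
    print("default still works?", dev.login("admin", "admin"), "| admin state:", dev.state("admin"))
```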
Beyond that, manufacturers must conspicuously disclose all personally identifiable data types and attributes collected. A health or fitness band would need to inform potential buyers that it harvests data such as their physical location and biometric data like heart rate, pulse, blood pressure and so on.
That word, harvests, is becoming a maddeningly commonplace term to describe the taking of many different things that are not crops. It seems like a misleadingly benign way to describe taking private information, African animals, or human organs for transplant.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Apparently you don't understand who runs USA Inc. in 2015, do you? You need to wander down to Starbucks and get a venti Wake The Fuck Up.
The Fox and Weasel Consortium has proposed standards for henhouse design and construction.
Nobody needs or wants an "internet of things." There is really no need to connect a fridge to the internet, let alone other household appliances.
Don't help creating the next internet bubble, create some real products and some real business.
Lately, I have experienced the greatest pain wasting enormous amounts of time flashing and installing phones with different versions of Android, then different versions of Ubuntu Touch. I also wasted time on small ARM-based TV boxes and wanna-be-mini-PC-but-not ARM-based boards. They all have something in common: kernel updates seem to require entire re-installs on their internal memory in order for them to behave as expected. THE BIGGEST PROBLEM is there are no consistent generic vanilla-flavor kernels that run on all these small-form-factor devices/boards, making the updates and security/privacy a nightmare because these ARM SoC manufacturers are not diligent about providing an easy upgrade without re-install for ANDROID or GNU/Linux. ALL OF THEM HAVE DIFFERENT KERNELS. ALL OF THEM REQUIRE A DIFFERENT BUILD RECIPE, WHICH IN MY EXPERIENCE HAVE ALL FAILED TO BUILD because of their entirely different build requirement personalities.
UNTIL ALL THE ARM DEVICE MANUFACTURERS GET THEIR ACT TOGETHER, I'M GOING TO CONTINUE BUYING INTEL/AMD DEVICES NOT ONLY FOR DESKTOP AND SERVER, BUT START BUYING INTEL/AMD FOR INTERNET OF THINGS DEVICES BECAUSE THEY SUPPORT GNU/LINUX AND EASILY UPGRADE WITHOUT RE-INSTALLING THE ENTIRE SYSTEM. For the sake of security, it's the only sane thing to do, otherwise you will be at risk and you will be exposed to present and upcoming ARM security vulnerabilities and the "take it or leave it" attitude that arm-based manufacturers have.
There is one exception I have respect for: Applied Micro ARM-based stuff is server quality, but VERY EXPENSIVE and in a different market.
At the opposite side of the spectrum: ROCKCHIP has a lot of work to do to make me buy their hardware and recommend it to others.
You are all cows. Cows say moo. MOOOOOOOO! MOOOOOOO! Moo cows MOOOOOOO! Moo say the cows. YOU COWS!!
Especially with all these big companies jumping on the bandwagon.
LOL that's laughable... especially considering the first thing that comes up when you google "Microsoft" is "windows 10 privacy concerns"
FFS, even the abhuman shitweasels over in 'behavioral advertising' have a ponderously longwinded, self-important, and oh-so-virtuous set of 'best practices' that they allegedly use to self-regulate.
Between the fact that these 'IoT' vendors have incentives dangerously similar to advertising and surveillance peddlers; and a track record for software quality that would make vendors of cheap crap routers cry; what possible reason for optimism is there?
ARM is trying to crack down on that to some degree (mostly at the high end, in recent-design 64-bit devices designed to not be laughed out of the datacenter). Unfortunately, they decided that UEFI was clearly a good idea...
As for the low end, the cost and minimal power budget are pretty attractive; but touching an ARM platform that lacks a robust community, a very competent BSP, or both, hurts. Sometimes a lot.
1 - a sticker that states, "will not work at all without internet". Home alarm systems that fail when the internet is out need to have a huge red sticker warning customers away from them as a very, very crap design.
I have been through several of these IoT security systems. So far they all are 100% crap if the internet is down; you don't even get the siren going off.
Do not look at laser with remaining good eye.
What's the second one?
What's the point of having an IoT if people have no choice in their broadband providers? Many places have only one, sometimes two, providers. The rest are not there or are so expensive that they're prohibitive.
Priorities, people!
Yeah, c'mon Lumpy, don't leave us hangin'! Some of us have work to get back to!
...actually securing transactions and the databases that house this information. Nobody gives a flying fuck about home automation, consumer health and fitness wearables, which is what this article is talking about. The problem Target faced was their transaction database was hacked. It wasn't about some lame internet consumer device.
I have no interest in having a single device in my house, other than my TV, my PC, my laptop, my phone and my tablet, on the internet.
See? I already have half a dozen devices on the net, that cover all of my use cases and probably already represent a security hazard to my privacy despite my best efforts.
I don't need or want a Nest(tm) on the net that some hacker can use to turn off the heat and freeze my pipes while I'm away. The programmable thermostat I have already, with no network, is enough to set up reasonable settings for intra-day, overnight, vacation, etc. and it is secure by design. Ditto for my oven, my stove, my refrigerator, my lights, and every other fucking thing in my house.
Pretty soon a baby rattle will be networked and hackable, which will make it a surveillance, and therefore governance, device. Just the kind of world no one with an ounce of sense wants to live in.
So to those wanting to make the "Internet of Things", I would just like to say: I don't trust your security as far as I can throw it, and I won't be buying any of the malware-ridden, passively surveillant, buggy, vulnerable, finicky, and above all privacy-invading shit you're selling. Move on to the next rube, and may you meet an early and unpleasant demise.
The Future of Human Evolution: Autonomy
Open Source and No Tivoization
It doesn't have to be Free Software, though that would be good. But if you buy any IoT devices without at minimum OSS and the ability to actually use the code, you're part of the problem
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
you have no privacy rights - We retain all rights to monetise the data in any way we can to make another $!
In the typical sans-serif font it also looks suspiciously close to lol.
A good portion of the talks at Def Con were about hacking IoT devices. In some cases, it was as easy as accessing an open wifi access point on the device. Quite a number of devices were running telnet.
If you don't know what 'running telnet' means, it means "don't trust the IoT."
"First they came for the slanderers and I said nothing."
Here's mine, short and to the point. Free opt-out, paid-for opt-in. Why are we allowing business to tell us what we can and can't do and tell us it's their data when it's not? Want my data? Pay me for it when I PAY for a product.
Jack of all trades, master of none
Some good stuff in there, and at the very least it's a starting point for manufacturers that actually care about consumer privacy and trust. Whether any such manufacturers exist is still an open question...
The only way this is going to turn into something consumers can use is if the Online Trust Alliance sets up a certification program. Certification would involve demonstrating that care has been taken to meet each of the points in the framework, and a passing grade gets you the right to paste a shiny "OTA Certified!" logo on your widget. That'd be good, until the Association of Trusted Onlineness comes out with its much weaker set of standards and its own "ATO Certified!" logo. How's the consumer to know which privacy certification is worth the pixels it's printed on?
(Maybe it would work out. I often wonder why Underwriters Laboratories has a near-monopoly on safety certification, and why no one has come up with a much more "manufacturer-friendly" certification process. Maybe there's regulation involved, I don't know.)
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
These systems have to be voluntary, policed by people in the industry/white hats, and highly adaptive.
Make it a government regulation and what is and is not security will be something lobbyists decide. Fuck that.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
So this is about promoting "consumer confidence"... so you feel better about giving them your data?
Perhaps aspects of what they achieve can be leveraged for actually empowering users, but this just seems backwards.