Schneier: We Need a New Agency For IoT Security (onthewire.io)
Reader Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices. In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren't manufactured in the United States, so regulation would have no effect on their security. Another piece of the puzzle is the fact that there's no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle. "I actually think we need a new agency. We can't have different rules if a computer makes calls, or a computer has wheels, or is in your body," said cryptographer Bruce Schneier, another witness during the hearing. "The government is getting involved here regardless, because the stakes are too high. The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement. I'm not a regulatory fan but this is a world of dangerous things."
The people have spoken. The desire for stupid government is strong. Stupid government involvement is the only allowable course.
Say what you will about IoT, bottom line is that it would be impossible on the scale being discussed w/o IPv6. That's not something that works fluently w/ NAT, especially given that for a lot of these things, auto-configuration would be required.
So far from any 'agency', what is required is expertise in IPv6 security. Especially how to keep IPv6 nodes either secure, and/or undetectable to anything but approved agents. This would have to work in tandem w/ access controls as well as IPv6 address management mechanisms.
Use the modern Appernet of Apps, NOT LUDDITE Internet of Things, and everything will be super appy!
Apps!
We can't have different rules if a computer makes calls or a computer is in your body? I hope there are different rules. More generally it would seem that since computers are used everywhere, this new department would usurp power from every previously established regulatory body. The way this works everywhere else is that a standards body comes up with standards and they are adopted by different government agencies.
Well, start a business doing that. Leave my tax dollars out of it.
Department of Stuff Security? Matches the other silly name...
Ezekiel 23:20
They should be manufactured in the United States!
TRUMP TRUMP TRUMP!
Off to a great start! CRUZ for AG! Make everyone suffer!
Can someone explain why this shouldn't fit under the domain of the FCC?
Every piece of electronics you can get already has an approval sticker which says "complies with FCC regulations blah blah blah..".
Why not require devices pass a basic security audit?
use this technology.
Let's be honest. Right now, this stuff doesn't give us anything of real benefit. We don't need an internet connected thermostat. Or lights. Or fridges. Or toaster oven. Or whatever next comes up. Our skateboards reporting how many meters they've covered to some site or another. Useless! The utility of such things is near zero.
Nifty? Yes. Neat? Yes. Useful? Not in the least. And certainly not outside the developed world.
It's a distraction. A bad one. And if the recent mega-botnet attacks are any indication it's not good for the health of the internet either. So let's get rid of them before someone in a position of abusable power decides that they're evil and gets rid of them for us. With us doing it, it at least leaves the door open for getting it right next time. Not so certain that others would give the tinkerers a second chance on something like this. I've already had to deal with parents panicking over their children's laptop cameras.
That wasn't a fun conversation in the least.
Short answer: We need manufacturers of so-called 'Internet of Things' to get their HEADS out of their ASSES and stop skimping on (or skipping altogether!) security of their gods-be-damned devices! It would also be nice if they didn't make every damned thing to use 'the cloud' or otherwise require connection to one of their damned servers in order to work AT ALL.
We totally don't. Just fuck off already.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Intelligent Design does not work; it is magical thinking; the world is too complex to be tractable.
Please, allow the world to evolve under real-world selective pressures; if you try to design it "properly", you'll just end up with nothing but a weak ecosystem that can be obliterated in one catastrophe!
Schneier wants a cushy government job to ride out his retirement on.
I really like Schneier's work in general, but if there's one answer that has to be nearly always wrong it's "We need a new government agency."
It's also patently false that because a thing isn't manufactured here, we can't regulate it. We can (and do) regulate the import of things that aren't manufactured here. If he's talking about regulating things that are manufactured, sold, and used elsewhere but also happen to be on the internet, then we just shouldn't be doing that at all anyway.
Most electronics in the United States are UL (Underwriters Laboratories) approved. That is because there are various non-governmental rules that strongly influence people into buying UL approved products. One is that vendors often refuse to stock products that are not approved by some standards body, because otherwise they may face liability for the product. Another is that homeowners insurance will not cover you if a non-UL approved device started the fire. Hospitals and laboratories will not buy medical devices that are not UL approved.
We need something like UL for security.
It would be great to have a system like that in place, rather than to have the government directly involved. The toughest part is that so much electronics is purchased online, from overseas manufacturers, that this free-market solution may not work. Really, the free market is optimizing around it. It would be awesome to see Amazon and Newegg refuse to sell products unless they had some kind of security approval.
When we have weekly reports of massive security breaches of entities (governments, banks, etc.) who must and should be capable of securing their internet-facing infrastructure, what kind of fool thinks it's even possible to secure the gillions of devices that will be internet connected because of IoT?
Hell, networking companies can't even secure their devices which form the backbone of the internet infrastructure itself.
The whole idea of the IoT must go!
I warned everyone years ago that we were coming to a time when only GOVERNMENT APPROVED devices would be allowed to connect to the Internet. Everyone scoffed, but this is the first step. Truly the end of personal computing is coming, fast.
So, otherwise intelligent folks (Schneier isn't generally 'dumb' on the scale of intelligence) can't figure out a way OTHER than to use government to fix something? Seriously? He sees no other avenue? I guess this is what you get when you rely on government to fix everyone's problems, as more problems crop up more government...yeah that's worked out SO well already....
Short answer is we need to hold people accountable. This is a case where there absolutely should be not quite a strict liability situation but maybe negligence level where you are responsible for shit that a computer you own does unless you can show you took appropriate and reasonable precautions.
Once that is true people will install patches, they will learn to install and configure firewalls, or they will turn the shit off and unplug the Ethernet wire from the smart TV because it's too much hassle to deal with.
Once that happens people will stop buying shit from the manufacturers who A) don't bother with security and B) abandon products well inside their useful lives. Nobody is going to want to drop 1K on a fancy TV and then be afraid to use it lest they get sued or prosecuted because it became a bot and they had no idea.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Government involvement is not needed and will be counterproductive. Something like UL (https://en.wikipedia.org/wiki/UL_(safety_organization) ) will be appropriate. There are a number of analogous examples that work well, like the ANSI, API, ICANN, IMO.
Prove anything by multiplying Huge Number times Tiny Number
And that agency's first power should be to force product recalls on companies who produce insecure products.
Security of things that can be connected to the internet can't be done until they actually are connected to the internet. How does an internet enabled home security system know whether it's being accessed by a legitimate controller or an intruding agent? This job needs to belong to the firewall/gateway.
Something like UL, but focused on security, would be great.
Insurance companies established Underwriters Laboratories and the National Fire Protection Association in order to reduce their costs stemming from fires, injuries, and death. I don't see an obviously similar group for information security. Google, Amazon, and Comcast would all benefit from reducing attacks, so perhaps they could found an organization similar to Underwriters Laboratories.
Allow reverse hacking if an IP is identified as part of a botnet.
Make automatic notification to the ISP a standard protocol so they can be held responsible. (IP spoofing aside which doesn't show majority of numbers as the problem).
Give everyone a 100 gigabit connection to the premise and update the backbone to petabits of speed. Just throw bandwidth at the problem so sites just say "take it."
This is a case where there absolutely should be not quite a strict liability situation but maybe negligence level where you are responsible for shit that a computer you own does unless you can show you took appropriate and reasonable precautions.
Another solutions would be to hold the ISP responsible. Then, if a device on the network is behaving badly, the ISP would be motivated to disconnect it.
So every device that connects to the Internet would need to pre-approved by a group founded by Google, Amazon and Comcast? And you think this is a good idea?
Agreed, that was a stupid comment. Of course an autonomous car, which is hurtling toward me at 75 MPH, should have different standards than an IoT refrigerator, and biomedical devices implanted in my body should have another set of standards. Perhaps the standards for biomedical implants could also include the standards for consumer electronics by reference - "In addition to the 60 points listed below, medical devices must also meet consumer electronics standard #1235".
Just like electronic devices must be certified to operate within FCC or CRTC guidelines, these kinds of products should pass through a similar system to ensure compliance. All IoT devices should also conform to some network management scheme for enumeration and auditing. This is just a new twist on an old system that has worked well for some forty plus years.
And the existing government is sooo exceptional at following its current policy and security (re: OPM) that we need yet ANOTHER layer of confusing, cross-responsibility, finger-pointing bureaucracy... ya, that will solve it.
Governments are predominantly good at policing things: regulation is something of a misnomer (regulators keep voltages stable: police arrest people).
The UL-like body needs to be backed up by real police powers, like the power to have the local police seize dangerous goods, and be financially independent of the people who make the products being certified as safe to import and use.
Ontario famously tried to get the crooks (waterworks operators) to pay for the police (drinking-water inspectors). That promptly killed seven people and infected thousands in the Walkerton E. coli outbreak, so simple user-pays is not a good model.
Probably a fixed fee for the first one licenced, paid to customs, and a tiny one per each 1000 additional devices of the same type. Then add a sampling process to make sure the manufacturer had not changed what's inside the box. Sampling is done at the retail store as well as at the border or plant. Customs pays the UL-like body, and if something is dangerous, customs and the police impound them.
All seizures require a warrant, and the courts handle appeals against the decision to seize.
davecb@spamcop.net
Let us bloat the government even more since security is obtainable.
The router/gateway has a part to play too. However regardless of whether the user accessing the system is legitimate, buffers should not overflow, sql should not get injected, etc. Defense in depth.
Duh.
https://www.youtube.com/c/BrendaEM
Why? UL isn't, and fire is a more serious problem than the IoT running amok. Liability for manufacturers would sort this out, just as it did for fire safety.
Socialism: a lie told by totalitarians and believed by fools.
Most people have trouble just putting the SSID and password in for their equipment. Talking about VLANs and firewalls is a lost cause. Then you have mischievous devices that try to use open wifi systems to at least phone home to allow remote configuration as a fallback. The only thing that works is making things secure by default, and even that is easy to screw up. Also, who are you trying to secure it from... because it is all relative.
Trump: "It'll be a Yuuuuuge agency, and we'll make the Internets pay for it!"
Table-ized A.I.
We do NOT need a 'new agency'. Indeed, perhaps, maybe, we can use legislation to establish FTC or other regulations that require Internet-connected devices be minimally secure, as in requiring a nontrivial admin password be set, that they not be susceptible to 'trivial' attacks, and that they be manageable by owners to reestablish control.
All of this is, sadly, patchwork, and will not solve the real problems, and establishing financial penalties will just drive manufacturers offshore where we can't reach them.
But some minimal security requirements in law may, may make it harder. And I've failed. 'Harder' is not a fix for a security issue.
deleting the extra space after periods so i can stay relevant, yeah.
Pacemakers.
Shorter answer: [insert standard alt-right rant]
Rats, I forgot the word "beautiful". My Trumpology slipped
Then you have mischievous devices that try to use open wifi systems ...
If we make ISPs responsible, then there won't be any open networks anymore. Instead, the ISPs will make sure that every device is carefully registered before it is connected. It's the same procedure that is used inside many corporate networks.
Speaking of non-sequiturs.
Bruce is wrong. When you say "well, we're going to get it whether we like it or not", we will end up with it. The reality is those who want to live free are living in a world that is a dead end. We have no hope of achieving that short of migrating enough people together in one region that can be controlled by those who aren't willing to sacrifice freedom and liberty for a little temporary safety. The Free State Project is actually doing that and has reached its goal of getting 20,000 people to move. I'm in New Hampshire now- but there is a lot that needs to be done. Fortunately you don't need a majority- just an active minority. So there is a lot getting done. We've got reps elected at all levels of government and have successfully stopped bad legislation on BitCoin and other crypto currencies. We're getting bad amendments to prior regulation removed as well. If you don't want to live as a slave come up to New Hampshire, because we've got the only real world example of people coming together for liberty and liberty being demonstrated in a liberty hostile world. https://www.freekeene.com/ http://www.freestateproject.org http://www.porcfest.org/ (and yea- there are a lot of liberty-friendly tech startups here and one migrating)
100% correct! Someone gets it...
Is "alt-right" the new term for "non-progressive"?
If the EU got onboard as well the whole problem would be solved within 5 years.
Sure this means the Chinese and others could steal the designs, but that is just an excuse for moving manufacturing back domestic (so you won't be giving the Chinese the exact hardware specs to copy your software directly onto, making turnaround much longer). And designing hardware instead of relying on generic foreign made designs and just rebadging them (like 99/100 IoT devices are) would help immensely also.
Do that and IoT insecurity isn't an issue, and we have less offshoring of manufacture. Win Win.
Shut UP, faggot
If there were an organization similar to UL, but testing for safety and security of IT products, its value would depend on what the group DID, not who provided the initial funding.
Note again I didn't say these companies would test and approve products. Rather, they have an interest in having the internet secure for everyone, so they might put up some cash to seed an independent testing organization. (Example: IoT DDoS attacks flow through Comcast's network, costing them money.)
History shows that they can and do produce valuable, open standards when they work together and agree. See for example OpenStack.
Would every device be *required* to be tested and certified? No: requirements, forcing people to do things, are the domain of governments. People choose to buy UL listed products because UL has earned their trust. Corporations additionally use UL listed and certified products because they know choosing otherwise is intentionally choosing products that may not be safe - exposing them to liability. People would choose routers, IP cameras, and IoT thermostats certified by Internet Laboratories only if IL earned their trust, like UL has.
The problem is this though. The people that are attaching these devices are largely unaffected by this. They got some cheap device of some sort that at least somewhat does what the purchaser wants, and their own device isn't attacking their own machines.
And the manufacturers don't care either. And even if they did, what are the chances that they would have any amount of success getting people to upgrade firmware?
Requirements aren't only the domain of governments. So the next step is that every device that connects to Comcast's network must be approved by this "organization similar to the UL", or they won't allow it on. And you can't make any unapproved changes to that device, because any change might make it insecure. It is only logical after all. Are you guys really that dense? What do you think is happening here? At some point you will be only allowed to use a locked down computer running pre-approved software running in the cloud. Don't think it will happen? That is the logical conclusion to this madness.
1. Get anti-virus software, free and subscription, to scan a user's networks by default. Find every device and test them with common usernames/passwords and see what fails.
Report that to the user and tell them to replace or update the device until it is safe on any network facing the internet.
2. Ban the branded control software from cell phone and all app stores. If your device can be used as part of a swarm, its app gets banned and the world told why a brand can't be trusted.
3. Work with ISPs. An IoT device broadcasting to an IP with all bandwidth 24/7 on a strange port is worth an automated email to that account.
Most home user accounts should not be running networks 24/7 pushing data up.
4. Educate the next generation of designers about crypto, passwords, user GUIs to ensure set up is easy and results in a secure network connection.
5. Name the brands' design teams that fail. Promote good brands with really great staff who can code and design to a good standard and keep devices updated.
6. Talk to insurance companies. When a policy is offered, have a chat about good anti-virus for the computer to scan and secure the IoT in the home.
7. Create an open website with short video jargon filled clips that show the errors in many of the chips and hardware that caused the IoT issues.
Is it a chip issue, factory issue, design policy or app and software issue? Educate the designers and developers with fun video clips on what can be done better.
Find and support the good hardware. The good software and apps. The teams that offered great encryption and support that secure their devices.
Find the hardware that works and make sure developers globally know about it.
Domestic spying is now "Benign Information Gathering"
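Points 1 and 3 of the seven-point post above (audit every device on the LAN for factory-default logins; have the ISP flag a device that pushes data all day to one destination on an odd port) sketched as working code. This is an added example, not code from the post, from any ISP or from any product. The credential list is a hand-picked illustrative subset, the "expected" port set and the volume/hour thresholds are assumptions, and the lab inventory and flow records are constructed so the script runs offline.

```python
"""Default-credential audit and persistent-uploader detection (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Illustrative factory-default login pairs of the kind Mirai-class bots try.
# A hand-picked subset for this example, not an authoritative list.
DEFAULT_CREDS = [
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "12345"), ("root", "xc3511"), ("root", "vizxv"),
    ("support", "support"), ("user", "user"), ("guest", "guest"),
]


def audit_default_credentials(hosts, try_login):
    """Point 1 of the post: try each default pair against every device.

    try_login(host, user, password) -> bool is supplied by the caller, so the
    same audit can drive a real Telnet/HTTP login or, as below, a lab table.
    Returns {host: (user, password)} for every device that accepts a default.
    """
    findings = {}
    for host in hosts:
        for user, password in DEFAULT_CREDS:
            if try_login(host, user, password):
                findings[host] = (user, password)
                break  # one accepted default is enough to flag the device
    return findings


@dataclass(frozen=True)
class Flow:
    """One summarised outbound flow record (NetFlow-style); hour is 0..23."""
    src: str
    dst: str
    dport: int
    out_bytes: int
    hour: int


# Destination ports a home device is expected to talk to all day (assumption).
EXPECTED_PORTS = {53, 80, 123, 443, 853}


def find_persistent_uploaders(flows, min_hours=20, min_total_bytes=1_000_000_000):
    """Point 3 of the post: a device pushing data around the clock to one
    destination on an unusual port.

    Groups flows by (src, dst, dport) and flags a tuple when it is active in at
    least min_hours distinct hours of the day, has sent at least min_total_bytes,
    and the port is not one of the expected ones. Thresholds are illustrative.
    """
    hours = defaultdict(set)
    total = defaultdict(int)
    for f in flows:
        key = (f.src, f.dst, f.dport)
        hours[key].add(f.hour)
        total[key] += f.out_bytes
    return sorted(
        key for key in hours
        if len(hours[key]) >= min_hours
        and total[key] >= min_total_bytes
        and key[2] not in EXPECTED_PORTS
    )


# Constructed lab inventory: the "login" consults this table instead of the network.
LAB_DEVICES = {
    "192.168.1.20": ("root", "xc3511"),    # DVR left on its factory default
    "192.168.1.21": ("admin", "Kq7!v2zP"),  # camera whose password was changed
    "192.168.1.22": ("admin", "admin"),    # thermostat on a default pair
}


def lab_try_login(host, user, password):
    return LAB_DEVICES.get(host) == (user, password)


# Constructed flows for one day: .20 streams to an odd port every hour,
# .21 does ordinary HTTPS all day, .22 pushes one large backup over SSH at 3am.
SAMPLE_FLOWS = (
    [Flow("192.168.1.20", "203.0.113.9", 7777, 60_000_000, h) for h in range(24)]
    + [Flow("192.168.1.21", "198.51.100.5", 443, 5_000_000, h) for h in range(24)]
    + [Flow("192.168.1.22", "198.51.100.7", 22, 2_000_000_000, 3)]
)


def demo():
    weak = audit_default_credentials(LAB_DEVICES, lab_try_login)
    uploaders = find_persistent_uploaders(SAMPLE_FLOWS)
    return weak, uploaders


if __name__ == "__main__":
    weak, uploaders = demo()
    for host, (user, password) in sorted(weak.items()):
        print(f"default credentials accepted on {host}: {user}/{password}")
    for src, dst, dport in uploaders:
        print(f"{src} pushes to {dst}:{dport} around the clock; notify the account holder")
```

The audit flags the DVR and the thermostat but not the camera, and the uploader check flags only the DVR: the camera's all-day traffic is on 443, and the one-off backup is large but not sustained. In a real deployment the `try_login` callback would talk to each device, and the flow records would come from the ISP's own export; everything else stays the same.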
Hillary: "Can't we just wipe it with a cloth?"
So the next step is that every device that connects to Comcasts network must be approved by this "organization similar to the UL", or they won't allow it on
Almost. We are proposing something similar to how it works with electrical devices and telecommunications devices. In those cases, it isn't the power company or the phone company that gets a say, it is the insurance companies and retailers. So no: Comcast would not be able to approve things. They simply have no way to enforce this even if they wanted to.
And you can't make any unapproved changes to that device, because any change might make it insecure. It is only logical after all.
No, that is not logical, and it is not how the industry we are comparing it to works.
At some point you will be only allowed to use a locked down computer running pre-approved software running in the cloud. Don't think it will happen? That is the logical conclusion to this madness.
If that is the logical conclusion, then why has it not happened already? This is how communications devices and electrical devices work in at least the US and Europe. Yet people are still allowed to tinker with those devices. Perhaps this is the point of confusion: Your computer is *already* approved by a national testing agency today. Pretty much anything that plugs into a power plug is. All we are saying is that those organizations should also do security testing as well.
You can "legislate it" if Verizon/Comcast/ATT all required that only "approved" devices are allowed on their network. Most corporations do that already for their internal networks (if they are concerned about security). You don't think that can happen? It will eventually. It sounds like most people here are OK with it too.
Read your Verizon/Comcast/ATT terms of service and acceptable use policies. This is already in place. Sure it blatantly contradicts all the flowery language the FCC uses to talk about network neutrality. Oh well, whatever.
"They simply have no way to enforce this even if they wanted to." Um, sure they can. Corporate networks already do this.
"All we are saying is that those organizations should also do security testing as well"
So some national testing organization is going to test every device that connects to the Internet? And then the device cannot run new software (after all, new software may make it insecure). Really I have a hard time believing people are so stupid here.
> 1. Get anti virus software, free and subscription to scan a users networks by default.
> Find every device and test them with common pw/usernames and see what fails.
Go one step further. Have a government body scan the net and try to pwn and *BRICK* internet-connected everything (IOT/smartphones/tablets/desktop-PCs/servers). If it withstands the break-in attempts, it's secure. If it doesn't withstand the break-in attempts, it had no business being on the net in the first place.
Before anybody starts yelling-and-screaming, compare the options...
1) Your desktop gets pwnd and bricked. You're out several hundred dollars for a new machine, or possibly a few hundred paying a consultant to get your machine working again, and a new OS installed.
2) Police raid your home because your machine is dispensing child-porn, under the control of a foreign bot-herder. Your home gets torn apart by the police "looking for evidence", your name gets dragged through the mud as a "child-porn distributor", and you're unemployable for the rest of your life, even if found not guilty.
I'd take door #1. Make the consequences of having insecure stuff on the net damn expensive, and damn inconvenient. That's the only thing that'll get people's attention.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
No, what we need is a new law requiring IOT companies to be liable for the costs of repairing the damage their devices cause, from DDOS to identity theft. Too much of this crap is flooding in and folks have no idea how dangerous it is.
Allow an ISP to sue manufacturers for network costs incurred as a result of compromised IoT devices.
The ISP pays for the bandwidth that is being used.
This encourages the ISP to improve their network at the expense of the badly behaving IoT manufacturer. Any manufacturer who does poorly in security will be financially removed from the market.
You will need sufficient import regulation to cover foreign manufacturers so that they cannot simply ignore judgments against them and continue shipping without penalty. That is probably already in place, however.
Bruce is calling for another federal agency, which will perform just as well as the TSA he rails against. No we don't need more government.
World: We need better tech reporters than Schneier
That is all.
I don't think we need to grow the Government any further.
We do need more STEM related professions so that we can make better laws.
Most technology including IoT has engineering organizations that are able to make better, more intelligent decisions on how to secure and create a defensive system.
Example organizations might include anything within Linux, IEEE, ISA, and many other organizations including companies that specialize in cyber security.
Within Linux you/we might want to look into Red Hat, SUSE, Linux Foundation, Ubuntu, and many more companies that are based in America.
The IoT might be part of the future for automated homes including vehicles, and other related smart devices.
If we create the right type of laws, then the IoT industry will grow.
Fire is local, and the source can usually be determined. IoT problems are global (literally), and it's going to be more difficult to assign liability. Moreover, appliances are judged on not starting fires during normal use. IoTs would need to be secure from attacks, including attacks nobody's thought of yet.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Corporate networks already do this.
No they don't. They wish they could, and they try. Here's how they try:
First of all, corporate IT has physical access to everything in the building. Comcast has no access to the devices in my house. That's an important difference. Second, corporate IT achieves most of their security by demanding that all devices on the network be Windows boxes that are on their domain. Comcast can't require this either.
Ultimately though, even corporate IT can't achieve this because they have to allow non-Windows devices onto the network. The fact that I could buy an insecure IoT camera and plug it into the network jack in my cube is what scares the heck out of IT admins. The best they could do is apply MAC-address filtering, which would require that I either modify the MAC address, or take the device to IT so they can add it to their whitelist.
So some national testing organization is going to test every device that connect to the Internet?
Organizations, plural. They already do test most of them. They just don't bother to test security. The point about new software is interesting: currently, when companies make hardware changes it is up to them to notify the testing lab and submit it for certification. I suppose it would be the same for software.
Really I have a hard time believing people are so stupid here.
This is the 3rd time you've said something like that to me. I reply in the hopes that another person reading the thread will learn something, but I am going to stop replying at this point. I hope you get modded down to -1 on all these. It's annoying to write a paragraph explaining something, and get a single line reply like "That doesn't work and you are an idiot."
Should be ICT - Internet Connected Technology.