Slashdot Mirror
Schneier: We Need a New Agency For IoT Security (onthewire.io)
Reader Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices. In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren't manufactured in the United States, so regulation would have no effect on their security. Another piece of the puzzle is the fact that there's no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle. "I actually think we need a new agency. We can't have different rules if a computer makes calls, or a computer has wheels, or is in your body," said cryptographer Bruce Schneier, another witness during the hearing. "The government is getting involved here regardless, because the stakes are too high. The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement. I'm not a regulatory fan but this is a world of dangerous things."
Say what you will about IoT, bottom line is that it would be impossible on the scale being discussed w/o IPv6. That's not something that works fluently w/ NAT, especially given that for a lot of these things, auto-configuration would be required.
So far from any 'agency', what is required is expertise in IPv6 security. Especially how to keep IPv6 nodes either secure, and/or undetectable to anything but approved agents. This would have to work in tandem w/ access controls as well as IPv6 address management mechanisms
We can't have different rules if a computer makes calls or a computer is in your body? I hope there are different rules. More generally it would seem that since computers are used everywhere, this new department would usurp power from every previously established regulatory body. The way this works everywhere else is that a standards body comes up with standards and they are adopted by different government agencies.
Department of Stuff Security? Matches the other silly name...
Ezekiel 23:20
They should be manufactured in the United States!
TRUMP TRUMP TRUMP!
use this technology.
Let's be honest. Right now, this stuff doesn't give us anything of real benefit. We don't need an internet connected thermostat. Or lights. Or fridges. Or toaster oven. Or whatever next comes up. Our skateboards reporting how many meters they've covered to some site or another. Useless! The utility of such things are near zero.
Nifty? Yes. Neat? Yes. Useful? Not in the least. And certainly not outside the developed world.
It's a distraction. A bad one. And if the recent mega-botnet attacks are any indication it's not good for the health of the internet either. So let's get rid of them before someone in a position of abusable power decides that they're evil and gets rid of them for us. With us doing it, it at least leaves the door open for getting it right next time. Not so certain that others would give the tinkerers a second chance on something like this. I've already had to deal with parents panicking over their children's laptop cameras.
That wasn't a fun conversation in the least.
The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement.
The people have spoken. The desire for stupid government is strong. Stupid government involvement is the only allowable course.
The right answer here is a non-governmental agency like UL. That can have greater reach (and, frankly, more credibility) than anything US government-specific. This would have to be coupled with a firm stance from the sever side of IOT (like AWS) requiring the certification.
Socialism: a lie told by totalitarians and believed by fools.
Short answer: We need manufacturers of so-called 'Internet of Things' to get their HEADS out of their ASSES and stop skimping on (or skipping altogether!) security of their gods-be-damned devices! It would also be nice if they didn't make every damned thing to use 'the cloud' or otherwise require connection to one of their damned servers in order to work AT ALL.
We totally don't. Just fuck off already.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I really like Schneier's work in general, but if there's one answer that has to be nearly always wrong it's "We need a new government agency."
It's also patently false that because a thing isn't manufactured here, we can't regulate it. We can (and do) regulate the import of things that aren't manufactured here. If he's talking about regulating things that are manufactured, sold, and used elsewhere but also happen to be on the internet, then we just shouldn't be doing that at all anyway.
Most electronics in the United States are (Underwriters Laboratory) UL approved. That is because there are various non-governmental rules that strongly influence people into buying UL approved products. One is that vendors often refuse to stock products that are not approved by some standards body, because otherwise they may face liability for the product. Another is that homeowners insurance will not cover you if a non-UL approved device started the fire. Hospitals and laboratories will not buy medical devices that are not UL approved.
We need something like UL for security.
It would be great to have a system like that in place, rather than to have the government directly involved. The toughest part is that so much electronics is purchased online, from overseas manufacturers, that this free-market solution may not work. Really, the free market is optimizing around it. It would be awesome to see Amazon and Newegg refuse to sell products unless they had some kind of security approval.
I warned everyone years ago that we were coming to a time when only GOVERNMENT APPROVED devices would be allowed to connect to the Internet. Everyone scoffed, but this is the first step. Truly the end of personal computing is coming, fast.
Short answer is we need to hold people accountable. This is a case where there absolutely should be not quite a strict liability situation but maybe negligence level where you are responsible for shit that a computer you own does unless you can show you took appropriate and reasonable precautions.
Once that is True people will install patches, they will learn to install and configure firewalls, or they will turn the shit off and unplug the Ethernet wire from the smart tv because its to much hassle to deal with.
Once that happens people will stop buying shit for the manufacturers who A) don't bother with security and B) abandon products well inside their useful lives. Nobody is going to want drop 1K on a fancy TV and then be afraid to use it lest they get sued or prosecuted because it became a bot and they had no idea.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Government involvement is not needed and will be counterproductive. Something like UL (https://en.wikipedia.org/wiki/UL_(safety_organization) ) will be appropriate. There are a number of analogous examples that work well, like the ANSI, API, ICANN, IMO.
Prove anything by multiplying Huge Number times Tiny Number
When Government agency fails, or is wasteful, what happens? "Hey, lets toss more money at the problem"
When Private entity fails, it goes away, and is either replaced or is no longer needed. Waste is generally frowned upon.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Security of things that can be connected to the internet can't be done until they actually are connected to the internet. How does an internet enabled home security system know whether it's being accessed by a legitimate controller or an intruding agent? This job needs to belong to the Firewall/Gateway
So basically every device you connect to the Internet would need to be pre-approved by this new non-governmental agency. Even things you built yourself. So where this is headed?
Something like UL, but focused on security, would be great.
Insurance companies established Underwriters Laboratories and the National Fire Protection Association in order to reduce their costs stemming from fires, injuries, and death. I don't see an obviously similar group for information security. Google, Amazon, and Comcast would all benefit from reducing attacks, so perhaps they could found an organition similar to Underwriters Laboratories.
Not if it's a bank.
At the bottom of the
More like everything you want to sell to the general public should be approved.
Anything you want to build yourself, you build it yourself as usual.
So every device that connects to the Internet would need to pre-approved by a group founded by Google, Amazon and Comcast? And you think this is a good idea?
Agreed, that was a stupid comment. Of course an autonomous car, which os hurling toward me at 75 MPH, should have different standards than an IoT refrigerator, and biomedical devices implanted in my body should another set of standards. Perhaps the standards for biomedical implants could include also the standards for consumer electronics by reference - "In addition to the 60 points listed below, medical devices must also meet consumer electronics standard #1235 ".
And THAT is the engame here: only locked down, pre-approved devices will be allowed to be connected to the Internet. I said that was going to happen 10 years ago, but it sounds like people are OK with it now.
Just like electronic devices must be certified to operate within FCC or CRTC guidelines, these kinds of products should pass through a similar system to ensure compliance. All IoT devices should also conform to some network management scheme for enumeration and auditing. This just a new twist on an old system that has worked well for some forty plus years.
Or a major auto manufacturer.
And the existing government is sooo exceptional at following it's current policy and security (re: OPM ) that we need yet ANOTHER layer of confusing, cross responsibility, finger pointing bureaucracy... ya that will solve it.
Governments are predominantly good at policing things: regulation is someting of a misnomer (regulators keep voltages stable: police arrest people).
The UL-like body need to be backed up by real police powers, like the power to have the local police seize dangerous goods, and be financially independant of the people who make the products being certified as safe to import and use.
Ontario famously tried to get the crooks (waterworks operators) pay for the police (drinking-water inspectors). That promptly killed seven people and infected thousands in the Walkerton E Coli outbreak, so simple user-pays is not a good model.
Probably a fixed fee for the first one licenced, paid to customs, and a tiny one per each 1000 additional devices of the same type. Then add a sampling process to make sure the manufacturer had not changed what's inside the box. Sampling is done at the retail store as well as at the border or plant. Customs pays the UL-like body, and if something is dangerous, customs and the police impound them.
All seizures require a warrent, and the courts handle appeals against the decision to seize.
davecb@spamcop.net
Precisely. You don't get to operate an unapproved motor vehicle on public roads. Why should the internet be any different?
I don't see how viperidaenz's statement leads from your question to your answer. "if you're selling it get it approved; if you're not don't" doesn't read to me "keep it off the internet". How would that be enforced? It seems like it would be difficult for the rest of the internet to tell whether your device is certified...
The router/gateway has a part to play too. However regardless of whether the user accessing the system is legitimate, buffers should not overflow, sql should not get injected, etc. Defense in depth.
Duh.
https://www.youtube.com/c/BrendaEM
The bar is very low for a car you build yourself though.
Pwnt IoT devices are a problem because of scale. I'm not sure there will ever be enough hand-built "things" to matter.
Socialism: a lie told by totalitarians and believed by fools.
It is the first step. Every computer/device would now need to be pre-approved by some agency/consortium before being allowed to be put on the Internet. You would need to approve the software too of course, all of it. Because software is what is the issue, not the hardware. Are you guys not thinking clearly here? This is the intent, and this is the future. So long to the personal computer!
So you are ready to make sure that EVERY software package you put on YOUR COMPUTER OR DEVICE is pre-approved by some agency? Because that is what would be required. I'm just making sure you guys are OK with that. It sounds like you are. So it is the end of personal computing as we know it.
Why? UL isn't, and fire is a more serious problem than the IoT running amok. Liability for manufacturers would sort this out, just as it did for fire safety.
Socialism: a lie told by totalitarians and believed by fools.
Most people have trouble just putting the SSID and password in for their equipment. Talking about VLANs and firewalls is a lost cause. Then you have mischievous devices that try to use open wifi systems to at least phone home to allow remote configuration as a fallback. The only thing that works is making things secure by default, and even that is easy to screw up. Also, who are you trying to secure it from... because it is all relative.
What is the difference between an IoT device and a Linux computer connected to the Internet? Nothing. You guys aren't thinking clearly.
Trump: "It'll be a Yuuuuuge agency, and we'll make the Internets pay for it!"
Table-ized A.I.
Here's a list of 547 banks that have failed since 2000.
Maybe it's just the ones that didn't donate enough to those in political power. You know... the ones that weren't too big to fail.
Irony: Agile development has too much intertia to be abandoned now.
We do NOT need a 'new agency'. Indeed, perhaps, maybe, we can use legislation to establish FTC or other regulations that require Internet-connected devices be minimally secure, as in requiring a nontrivial admin password be set, that they not be susceptible to 'trivial' attacks, and that they be manageable by owners to reestablish control.
All of this is, sadly, patchwork, and will not solve the real problems, and establishing financial penalties will just drive manufacturers offshore where we can't reach them.
But some minimal security requirements in law may, may make it harder. And I've failed. 'Harder' is not a fix for a security issue.
deleting the extra space after periods so i can stay relevant, yeah.
Pacemakers.
davecb@spamcop.net
Sounds like a job the Dept of Homeland Security could handle.
What could go wrong?
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Rats, I forgot the word "beautiful". My Trumpology slipped
Table-ized A.I.
Let's be a little more precise: Every computer/device for sale in the United States.
The more obvious result is that it does next to nothing to curb the issues related to security while greatly increasing the barrier to entry, plus costing the taxpayers a whole bunch of money.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
Speaking of non-sequiturs.
Socialism: a lie told by totalitarians and believed by fools.
So ever computer/device for sale in the United States that is to be connected to the Internet MUST run only pre-approved software? Think about it guys: this would be the end of personal computing. I guess people don't care at this point though.
You wish.
All hardware is required to be NRTL approved before it can be sold *commercially*. The buyer or builder accepts all liability
Here's a good read on it.
http://electronics.stackexchan...
The problem isn't the software so much as the purchaser that rarely bothers to change default passwords or settings. Manufacturers are somewhat to blame for trying to make things as simple as possible and people are lazy.
The bottom line here is the consumer generally has no concept of the risk and everyone operates on the attitude 'I saw it on the news so it can't *possibly* happen to me. In reality the ISP should be blocking all RFC 1918, and spoofed traffic from a subscriber.
https://tools.ietf.org/html/rf...
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
"The problem isn't the software so much"
Wrong. The problem IS THE SOFTWARE. That is what is insecure. Think about it. If you needed to prove that a system is secure you would need to certify the SOFTWARE AND HARDWARE. And you wouldn't allow new software would be installed, unless THAT was approved as well. Otherwise the system wouldn't be secure. It is really sad people are ready to trade "safety" for a walled garden. But I guess that why Apple is the richest corporation in history.
The "follow the RFC" mantra sounds nice here in a forum, but the admins at ground zero of these issues will tell you a different story.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
100% correct! Someone gets it...
Because the Internet is a "road" that connects to everywhere in the world, plus satellites. Kind of changes the effectiveness of local legislation.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
Not sure what kind of Axe you have to grind, but the weakest link is *always* the meat-Popsicle.
Technology is easy. It can be automated and made ubiquitous. It's the person that has to be able to understand and use it with about an 8th grade education.
I never mentioned Apple, but they do a fantastic job of catering to the least educated and most educated denominator equally. Really impressive actually even if I do hate and refuse to use their products. Mostly because I refuse to accept vendor lock-in.
Good luck with your cause there.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Lets hear those stories.
If it increases understanding of the issue, lets have it!
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
So find one and ask away.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
Brawndo has got what IoT needs.
If there were an organization similar to UL, but testing for safety and security of IT products, it's value would depend on what the group DID, not who provided the initial funding.
Note again I didn't say these companies would test and approve products. Rather, they have an interest in having the internet secure for everyone, so they might put up some cash to seed an independent testing organization. (Example: IoT ddos attacks flow through Comcast's network, costing them money.
History shows that they can and do produce valuable, open standards when they work together and agree. See for example OpenStack.
Would every device be *required* to be tested and certified? No, requirements, forcing people to do things, is the domain of governments. People choose to buy UL listed products because UL has earned their trust. Corporations additionally use UL listed and certified products because they know choosing otherwise is intentionally choosing products that may not be safe - exposing them to liability. People would choose routers, ip cameras, and IoT thermostats certified by Internet Laboratories only if IL earned their trust, like UL has.
When a public service fails, and there are private alternatives, it is compared to them and eventually de-funded.
When a private oligopoly fails, or is wasteful, what happens? "We'll just raise prices" ...
Hello PSTN & Cable Co's. I
The problem is this though. The people that are attaching these devices are largely unaffected by this. They got some cheap device of some sort that at least somewhat does what the purchaser wants, and their own device isn't attacking their own machines.
And the manufacturers don't care either. And even if they did, what are the chances that they would have any amount of success getting people to upgrade firmware?
I guess you don't get it. The idea is to increase the security of "IoT" devices by requiring approval from some agency before the device could be sol and connected to the Internet.. How would you do that? You would need to certify the hardware and the software of the device and make sure it is locked down so no modifications could be made to the device to make it insecure. What is an "IoT" device? It is a computer. You figure out the rest.
Requirements aren't only the domain of governments. So the next step is that every device that connects to Comcasts network must be approved by this "organization similar to the UL", or they won't allow it on. And you can't make any unapproved changes to that device, because any change might make it insecure. It is only logical after all. Are you guys really that dense? What do you think is happening here? At some point you will be only allowed to use a locked down computer running pre-approved software running in the cloud. Don't think it will happen? That is the logical conclusion to this madness.
There's a quick and easy answer to that.
"Oh HELL no."
If you haven't noticed, there is a very large segment of consumers that go out of their way to find hardware that's customizable, and you cannot legislate that away unless you're a Govt agency in North Korea.
Keep your fingers out of my hardware Tyvm.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
You can "legislate it" if Verizon/Comcast/ATT all required that only "approved" devices are allowed on their network. Most corporations do that already for their internal networks (if they are concerned about security). You don't think that can happen? It will eventually. It sounds like most people here are OK with it too.
Well, IMHO (being a Libertarian) I would have let the banks fail. Additionally, I would have locked up the CxO of banks that were practicing fraud, or otherwise weren't doing their do diligence in protecting the assets under their leadership. Heck, I would also go after the Board of Directors.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
This goes back to that conversation about 3 strikes and ISP's not willing to cut off their customer base and risk going out of business.
Not going to happen.
Toodles. It's been fun.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
1. Get anti virus software, free and subscription to scan a users networks by default. Find every device and test them with common pw/usernames and see what fails.
Report that to the user and tell them to replace or update the device until it is safe on any network facing the internet.
2. Ban the branded control software from cell phone and all app stores. If your device can be used as part of a swarm, its app gets banned and the world told why a brand cant be trusted.
3. Work with isp. A IoT device broadcasting to an ip with all bandwidth 24/7 on a strange port is worth an automated email to that account.
Most home user accounts should not be running networks 24/7 pushing data up.
4. Educate the next generation of designers about crypto, passwords, user gui's to ensure set up is easy and results in a secure network connection.
5. Name the brands design teams that fail. Promote good brands with really great staff who can code and design to a good standard and keep devices updated.
6.. Talk to insurance companies. When a policy is offered, have a chat about good anti virus for the computer to scan and secure the IoT in the home.
7. Create an open website with short video jargon filled clips that show the errors in many of the chips and hardware that caused the IoT issues.
Is it a chip issues, factory issue, design policy or app and software issue. Educate the designers and developers with fun video clips on what can be done better.
Find and support the good hardware. The good software and apps. The teams that offered great encryption and support that secure their devices.
Find the hardware that works and make sure developers globally know about it.
Domestic spying is now "Benign Information Gathering"
Hillary: "Can't we just wipe it with a cloth?"
Further, what's the difference between an IoT device and a $2 8-bit embedded controller that I can push some form of an IP Stack onto? Will it be illegal to plug said controller onto a network? Which network will be illegal?
It all depends on where it's enforced. My suggestion was for the IoT cloud backends to enforce this. IoT-specific that way.
Socialism: a lie told by totalitarians and believed by fools.
So the next step is that every device that connects to Comcasts network must be approved by this "organization similar to the UL", or they won't allow it on
Almost. We are proposing something similar to how it works with electrical devices and telecommunications devices. In those cases, it isn't the power company or the phone company that gets a say, it is the insurance companies and retailers. So no: Comcast would not be able to approve things. They simply have no way to enforce this even if they wanted to.
And you can't make any unapproved changes to that device, because any change might make it insecure. It is only logical after all.
No, that is not logical, and it is not how the industry we are comparing it to works.
At some point you will be only allowed to use a locked down computer running pre-approved software running in the cloud. Don't think it will happen? That is the logical conclusion to this madness.
If that is the logical conclusion, then why has it not happened already? This is how communications devices and electrical devices work in the at least the US and Europe. Yet people are still allowed to tinker with those devices. Perhaps this is the point of confusion: Your computer is *already* approved by a national testing agency today. Pretty much anything that plugs into a power plug is. All we are saying is that those organizations should also do security testing as well.
You can "legislate it" if Verizon/Comcast/ATT all required that only "approved" devices are allowed on their network. Most corporations do that already for their internal networks (if they are concerned about security). You don't think that can happen? It will eventually. It sounds like most people here are OK with it too.
Read your Verizon/Comcast/ATT terms of service and acceptable use policies. This is already in place. Sure it blatantly contradicts all the flowery language the FCC uses to talk about network neutrality. Oh well, whatever.
Famous last words. Oh by the way, 3 strikes is already in place (6 strikes in the US) and being enforced. What an idiot.
Exactly. Unfortunately people here are too shortsighted to recognize this. There is no difference between "IoT" devices and their laptop from a network perspective.
There is no "IoT cloud backends". They are just server computers like any other cloud. There is no difference between an "IoT" device and your computer.
"They simply have no way to enforce this even if they wanted to." Um, sure they can. Corporate networks already do this.
"All we are saying is that those organizations should also do security testing as well"
So some national testing organization is going to test every device that connect to the Internet? And then the device cannot run new software (after all, new software may make it insecure). Really I have a hard time believing people are so stupid here.
Yes, there really are. https://aws.amazon.com/iot/ https://www.microsoft.com/en-u...
Just throwing some servers up doesn't scale to a billion devices. A secure connection is a very difficult process on a low-end "thing". There's lots of specialist problems still being solved.
Socialism: a lie told by totalitarians and believed by fools.
Uh, no one has a billion IoT devices. Most IoT "clouds" are a couple of servers in China. The point is there is no difference between "IoT" and your Linux computer. Most "IoT" things are just Linux computers.
The CEOs you want to lock up for "practicing fraud", however, were acting in response to community groups using the justice department as a bludgeon to either force the loans or be sued for discrimination. If they didn't have similar percentages of approved loans over their entire service area it was defacto proof of discrimination. The fact that some neighborhoods tend to be working class with people who couldn't afford home loans wasn't relevant, so the rules had to change to allow those loans to be approved anyway. Once those loans were approved, where does the bank get money to make more loans? By selling the ones it has. "Community Reinvestment" stops when the bank has loaned out all it can, unless it sells loans to get more to loan.
The problem of measuring compliance with anti-discrimination laws using simple statistics is ongoing. For example, it is defacto proof of Title IX violation if the percentage of girls at a school participating in sports is not the same as the percentage of boys. If you run a school where 20% of the boys are on sports teams but only 10% of the girls, then you either need to coerce a lot of girls into joining a sports team or cut your boy's teams in half.
And similarly, if your bank is approving 50% of the loans from a neighborhood that is predominantly rich people but only 10% of loans from a poorer neighborhood, you either have to lose 2/3 of your loan business by refusing 80% of the "rich people" loans (losing out on the interest payments from well-secured, low-risk loans), or relax the rules so you can approve 40% more of the apps from poor people (increasing your risk by a large amount). And the answer is almost always based on the demands of the local community activists who want more loans to poor people.
> 1. Get anti virus software, free and subscription to scan a users networks by default.
> Find every device and test them with common pw/usernames and see what fails.
Go one step further. Have a government body scan the net and try to pwn and *BRICK* internet-connected everything (IOT/smartphones/tablets/desktop-PCs/servers). If it withstands the break-in attempts, it's secure. If it doesn't withstand the break-in attempts, it had no business being on the net in the first place.
Before anybody starts yelling-and-screaming, compare the options...
1) Your desktop gets pwnd and bricked. You're out several hundred dollars for a new machine, or possibly a few hundred paying a consultant to get your machine working again, and a new OS installed.
2) Police raid your home because your machine is dispensing child-porn, under the control of a foreign bot-herder. Your home gets torn apart by the police "looking for evidence", your name gets dragged through the mud as a "child-porn distributer", and you're unemployable for the rest of your life, even if found not guilty.
I'd take door #1. Make the consequences of having insecure stuff on the net damn expensive, and damn inconvenient. That's the only thing that'll get people's attention.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
No, what we need is a new law requiring IOT companies to be liable for the costs of repairing the damage their devices cause, from DDOS to identity theft. Too much of this crap is flooding in and folks have no idea how dangerous it is.
They will pretty soon. What do you think the big names will need as a back end? How many Android phones are there? How many smart TVs are there? There will be 10x as many "things" in a few years, given it's a much cheaper market. Heck, Amazons goofy "dash button" is moving like crazy just for the novelty value.
AWS and Azure are building out at massive scale now, trying to land contracts with the big names already. And security is definitely part of the pitch - the future liability risk is being taken seriously, though no one has a clear answer yet.
The point is there's a real difference between a button to re-order Tide and a general purpose Linux computer.
Socialism: a lie told by totalitarians and believed by fools.
UL? I'm glad they stopped the endless stem of fake products which can provide fatal shocks with shoddy engineering and construction. I mean they have the UL logo on them so it must be good right?
Government regulation, or agencies such as UL won't do anything about a global problem that is caused by a race to the bottom.
The right answer is for the FCC to handle the security standards and practices of networked consumer electronics. If you want to sell your webcam in the USA, you must meet a list of rules: passwords, encryption, test of hackability etc.
Well, in a perfect world the, the government would not have created ghettos in American cities. Since the did, don't you think they should be obligated to help remove them?
Citations that will be requested, although I'm sure they will be disregarded:
http://www.npr.org/2015/05/14/...
http://www.thedailybeast.com/articles/2014/03/13/how-we-built-the-ghettos.html
http://www.theatlantic.com/business/archive/2014/05/the-racist-housing-policy-that-made-your-neighborhood/371439/
Conservatard sources (sorry, my bias is showing, but this fact is not disputed):
http://www.independentsentinel...
http://www.deseretnews.com/article/865633377/How-government-policy-created-ghettos-according-to-one-historian.html?pg=all
Cheap storage VM.
Let's not go to the most aggressive policy. That's unlikely.
What is more probable, is some sort of safe haven that allows ISP's to terminate connections with certain traffic, maybe a clearinghouse for requests, like the DMCA. Maybe some sort of fines.
It's certainly subject to abuse, but not as worrisome as what your concerned about.
Cheap storage VM.
Well, in a perfect world the, the government would not have created ghettos in American cities. Since the did,
Right. Sure.
Citations that will be requested, although I'm sure they will be disregarded:
You managed to make only two of those links into actual links, but the three I reviewed were all based on the opinions of one man. "According to one historian" in the last link was a dead giveaway.
Somehow, I don't think forcing banks to make loans to people who cannot pay them back is a good way of solving the problem you claim the government created. In fact, it is more than "I think". The economic crisis that it created was the obvious result. That obviousness makes it very hard to attribute to stupidity the acts of those who pushed the CRA, denied any brewing trouble with FNMA and Freddie-Mac, and blocked attempts to reregulate those agencies.
Fire is local, and the source can usually be determined. IoT problems are global (literally), and it's going to be more difficult to assign liability. Moreover, appliances are judged on not starting fires during normal use. IoTs would need to be secure from attacks, including attacks nobody's thought of yet.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Corporate networks already do this.
No they don't. They wish they could, and they try. Here's how they try:
First of all, corporate IT has physical access to everything in the building. Comcast has no access to the devices in my house. That's an important difference. Second, corporate IT achieves most of their security by demanding that all devices on the network be Windows boxes that are on their domain. Comcast can't require this either.
Ultimately though, even corporate IT can'achieve this because they have to allow non-Windows devices onto the network. The fact that I could buy an insecure IOT camera and plug it into the network jack in my cube is what scares the heck out of IT admins. The best they could do is apply mac-address filtering, which would require that I either modify the MAC address, or take the device to IT so they can add it to their whitelist.
So some national testing organization is going to test every device that connect to the Internet?
organizations plural. They already do test most of them. They just don't bother to test security. The point about new software is interesting: currently, when companies make hardware changes it is up to them to notify the testing lab and submit it for certification. I suppose it would be the same for software.
Really I have a hard time believing people are so stupid here.
This is the 3rd time you've said something like that to me. I reply in the hopes that another person reading the thread will learn something, but I am going to stop replying at this point. I hope you get modded down to -1 on all these. It's annoying to write a paragraph explaining something, and get a single line reply like "That doesn't work and you are an idiot."
Should be ICT - Internet Connected Technology.
No...
It's like mains powered electrical appliances.
I'm allowed to build my own appliance and plug it in to the mains. I can do what ever I want to stuff I've bought.
I'm not allowed to sell it to the public unless it passes all relevant safety codes.
Thank you for proving me correct, the data is not debated by anyone with a brain. It was clearly a policy of the Fed.
Likewise, your "forcing people to make loans" has been disproved multiple times. The problem was really too much money without clear investment opportunities. The money, basically thought it found somewhere safe to grow, but it was lies, and not government lies, free market lies.
Anyway, I'm wasting my time with you.
Cheap storage VM.
Just because you *want* it to happen, doesn't mean it will.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.