Slashdot Mirror


Schneier: We Need a New Agency For IoT Security (onthewire.io)

Reader Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices. In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren't manufactured in the United States, so regulation would have no effect on their security. Another piece of the puzzle is the fact that there's no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle. "I actually think we need a new agency. We can't have different rules if a computer makes calls, or a computer has wheels, or is in your body," said cryptographer Bruce Schneier, another witness during the hearing. "The government is getting involved here regardless, because the stakes are too high. The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement. I'm not a regulatory fan but this is a world of dangerous things."

16 of 165 comments

  1. It all boils down to IPv6 security by unixisc · · Score: 3, Informative

    Say what you will about IoT, bottom line is that it would be impossible on the scale being discussed w/o IPv6. That's not something that works fluently w/ NAT, especially given that for a lot of these things, auto-configuration would be required.

    So far from any 'agency', what is required is expertise in IPv6 security. Especially how to keep IPv6 nodes either secure, and/or undetectable to anything but approved agents. This would have to work in tandem w/ access controls as well as IPv6 address management mechanisms.

  2. Re:DSS? by Fire_Wraith · · Score: 2

    What about Department of Secure Homeland Internet Things?

  3. Or, you know, we can just not by H3lldr0p · · Score: 5, Insightful

    use this technology.

    Let's be honest. Right now, this stuff doesn't give us anything of real benefit. We don't need an internet connected thermostat. Or lights. Or fridges. Or toaster oven. Or whatever next comes up. Our skateboards reporting how many meters they've covered to some site or another. Useless! The utility of such things are near zero.

    Nifty? Yes. Neat? Yes. Useful? Not in the least. And certainly not outside the developed world.

    It's a distraction. A bad one. And if the recent mega-botnet attacks are any indication it's not good for the health of the internet either. So let's get rid of them before someone in a position of abusable power decides that they're evil and gets rid of them for us. With us doing it, it at least leaves the door open for getting it right next time. Not so certain that others would give the tinkerers a second chance on something like this. I've already had to deal with parents panicking over their children's laptop cameras.

    That wasn't a fun conversation in the least.

  4. Re:The course is clear by lgw · · Score: 5, Insightful

    The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement.

    The people have spoken. The desire for stupid government is strong. Stupid government involvement is the only allowable course.

    The right answer here is a non-governmental agency like UL. That can have greater reach (and, frankly, more credibility) than anything US government-specific. This would have to be coupled with a firm stance from the server side of IoT (like AWS) requiring the certification.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  5. We don't need an 'agency', I'll TELL you what we need: by Rick+Schumann · · Score: 2

    Short answer: We need manufacturers of so-called 'Internet of Things' to get their HEADS out of their ASSES and stop skimping on (or skipping altogether!) security of their gods-be-damned devices! It would also be nice if they didn't make every damned thing to use 'the cloud' or otherwise require connection to one of their damned servers in order to work AT ALL.

  6. Wrong by Hognoxious · · Score: 4, Insightful

    We totally don't. Just fuck off already.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  7. Another way by MobyDisk · · Score: 5, Insightful

    Most electronics in the United States are UL (Underwriters Laboratories) approved. That is because there are various non-governmental rules that strongly influence people into buying UL approved products. One is that vendors often refuse to stock products that are not approved by some standards body, because otherwise they may face liability for the product. Another is that homeowners insurance will not cover you if a non-UL approved device started the fire. Hospitals and laboratories will not buy medical devices that are not UL approved.

    We need something like UL for security.

    It would be great to have a system like that in place, rather than to have the government directly involved. The toughest part is that so much electronics is purchased online, from overseas manufacturers, that this free-market solution may not work. Really, the free market is optimizing around it. It would be awesome to see Amazon and Newegg refuse to sell products unless they had some kind of security approval.

  8. Does Not Have to be Government by Tokolosh · · Score: 2

    Government involvement is not needed and will be counterproductive. Something like UL (https://en.wikipedia.org/wiki/UL_(safety_organization)) will be appropriate. There are a number of analogous examples that work well, like the ANSI, API, ICANN, IMO.

    --
    Prove anything by multiplying Huge Number times Tiny Number
  9. Re:The course is clear by Archangel+Michael · · Score: 3, Interesting

    When Government agency fails, or is wasteful, what happens? "Hey, let's toss more money at the problem"

    When Private entity fails, it goes away, and is either replaced or is no longer needed. Waste is generally frowned upon.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  10. Re:The course is clear by edittard · · Score: 4, Insightful

    When Private entity fails, it goes away

    Not if it's a bank.

    --
    At the bottom of the /. main page it says 'Yesterday's News'. Well they got that right.
  11. Re:The course is clear by viperidaenz · · Score: 2

    More like everything you want to sell to the general public should be approved.
    Anything you want to build yourself, you build it yourself as usual.

  12. Re:The course is clear, mostly by davecb · · Score: 2

    Governments are predominantly good at policing things: regulation is something of a misnomer (regulators keep voltages stable: police arrest people).

    The UL-like body needs to be backed up by real police powers, like the power to have the local police seize dangerous goods, and be financially independent of the people who make the products being certified as safe to import and use.

    Ontario famously tried to get the crooks (waterworks operators) to pay for the police (drinking-water inspectors). That promptly killed seven people and infected thousands in the Walkerton E. coli outbreak, so simple user-pays is not a good model.

    Probably a fixed fee for the first one licenced, paid to customs, and a tiny one per each 1000 additional devices of the same type. Then add a sampling process to make sure the manufacturer had not changed what's inside the box. Sampling is done at the retail store as well as at the border or plant. Customs pays the UL-like body, and if something is dangerous, customs and the police impound them.

    All seizures require a warrant, and the courts handle appeals against the decision to seize.

    --
    davecb@spamcop.net
  13. Re:The course is clear by suutar · · Score: 2

    I don't see how viperidaenz's statement leads from your question to your answer. "if you're selling it get it approved; if you're not don't" doesn't read to me "keep it off the internet". How would that be enforced? It seems like it would be difficult for the rest of the internet to tell whether your device is certified...

  14. Re:The course is clear by Archangel+Michael · · Score: 2

    Well, IMHO (being a Libertarian) I would have let the banks fail. Additionally, I would have locked up the CxO of banks that were practicing fraud, or otherwise weren't doing their due diligence in protecting the assets under their leadership. Heck, I would also go after the Board of Directors.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  15. Re:The course is clear by Obfuscant · · Score: 2, Insightful

    And in the perfect libertarian world there wouldn't have been the Community Reinvestment Act and similar follow-on legislation that forced banks to make unsecurable loans to people they knew couldn't pay them back, creating a market for bad paper, culminating in a large number of defaults when people who couldn't pay back their loans were faced with balloon payments that they knew from the start they wouldn't be able to meet but they signed up for anyway. So yeah, in this ideal world, I'd go along with the libertarian "lock them up if they commit fraud" idea.

    The CEOs you want to lock up for "practicing fraud", however, were acting in response to community groups using the justice department as a bludgeon to either force the loans or be sued for discrimination. If they didn't have similar percentages of approved loans over their entire service area it was de facto proof of discrimination. The fact that some neighborhoods tend to be working class with people who couldn't afford home loans wasn't relevant, so the rules had to change to allow those loans to be approved anyway. Once those loans were approved, where does the bank get money to make more loans? By selling the ones it has. "Community Reinvestment" stops when the bank has loaned out all it can, unless it sells loans to get more to loan.

    The problem of measuring compliance with anti-discrimination laws using simple statistics is ongoing. For example, it is de facto proof of Title IX violation if the percentage of girls at a school participating in sports is not the same as the percentage of boys. If you run a school where 20% of the boys are on sports teams but only 10% of the girls, then you either need to coerce a lot of girls into joining a sports team or cut your boys' teams in half.

    And similarly, if your bank is approving 50% of the loans from a neighborhood that is predominantly rich people but only 10% of loans from a poorer neighborhood, you either have to lose 2/3 of your loan business by refusing 80% of the "rich people" loans (losing out on the interest payments from well-secured, low-risk loans), or relax the rules so you can approve 40% more of the apps from poor people (increasing your risk by a large amount). And the answer is almost always based on the demands of the local community activists who want more loans to poor people.

  16. Re:The course is clear by pnutjam · · Score: 2

    Well, in a perfect world, the government would not have created ghettos in American cities. Since they did, don't you think they should be obligated to help remove them?

    Citations that will be requested, although I'm sure they will be disregarded:
    http://www.npr.org/2015/05/14/...
    http://www.thedailybeast.com/articles/2014/03/13/how-we-built-the-ghettos.html
    http://www.theatlantic.com/business/archive/2014/05/the-racist-housing-policy-that-made-your-neighborhood/371439/

    Conservatard sources (sorry, my bias is showing, but this fact is not disputed):
    http://www.independentsentinel...
    http://www.deseretnews.com/article/865633377/How-government-policy-created-ghettos-according-to-one-historian.html?pg=all