NIST is really good at creating security standards that principally benefit very large, cash-rich corporations. Most notably FIPS 140 isn't a sign of any kind of secure product, it's a sign of how much money an organisation is willing to burn in order to qualify for government contracts. Which the new regs, which "would require any federal agency to only buy products from companies that met the new rules", seem to perpetuate. So "it doesn't suck as badly as it could have" is appropriate in this case.
If you think that's crazy, remember that we all thought smart speakers were a crazy idea when they came out and that nobody in their right mind would buy those. Just wait a few years and the crazy becomes the new normal.
And yet there are alternatives [theconversation.com]. And having an agenda of getting rid of fossil fuels is a HUGE difference from "outlaw coal usage completely". Thermal coal is already on its way out.
It's "optional" but you get a substantial discount for allowing them to monitor your temperatures. So far I've resisted it, but it's only a matter of time before the payment plan that doesn't include it is prohibitively expensive. My car insurance company is doing the same thing.
I never understood why people get so freaked at gov't doing bad things and then shrug their shoulders when mega corps doing the same thing and say "that's capitalism, you can just move somewhere else, right?".
If you mean unmodified code or signed code, say unmodified code or signed code. Secure code is not synonymous with either.
You can design devices to let the owner sign code and make the device reject code that is not signed by the manufacturer or the owner.
It is technically possible to allow end users to compile, encrypt, and even self-sign, etc., but if a user did that it'd void the warranty. Not allowing unsigned executables is a good thing on a network where my toaster can talk to my neighbor's phone. I should have the option to self-sign everything, of course.
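The owner-enrolled-key design described in the comments above (a device that rejects code unless it is signed by the manufacturer or by a key the owner deliberately enrolled), as an added example that is not code from the original thread, from the bill, or from any real product. It is a Go model of the verifier a bootloader or app loader would run: the `Device` type, its field names, the `EnrollOwnerKey` step and the constructed firmware payloads are all assumptions for illustration. Ed25519 and SHA-256 come from Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models the verifier that runs before any executable is loaded: one
// manufacturer public key burned in at the factory, plus an optional owner key
// that is empty until the owner enrolls one. (Hypothetical model for
// illustration; the field names are not from any real product.)
type Device struct {
	ManufacturerKey ed25519.PublicKey
	OwnerKey        ed25519.PublicKey // nil until EnrollOwnerKey is called
}

// Image is a firmware or executable blob together with a detached signature.
type Image struct {
	Payload   []byte
	Signature []byte
}

var ErrUntrusted = errors.New("rejected: not signed by the manufacturer or an enrolled owner key")

// digest is the value actually signed; signing a hash lets a bootloader
// verify a large image while only holding the hash in memory.
func digest(payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return sum[:]
}

// Sign produces an image signed with whatever private key the caller holds;
// the device, not the signer, decides whether that key is trusted.
func Sign(priv ed25519.PrivateKey, payload []byte) Image {
	return Image{Payload: payload, Signature: ed25519.Sign(priv, digest(payload))}
}

// EnrollOwnerKey is the deliberate trust decision by the owner. On real
// hardware this step would be gated by physical presence (a button, a jumper
// or a debug header) so that malware cannot enroll its own key over the network.
func (d *Device) EnrollOwnerKey(pub ed25519.PublicKey) {
	d.OwnerKey = pub
}

// Verify accepts an image if its signature checks out under the manufacturer
// key or under the enrolled owner key, and rejects everything else, including
// images whose payload was changed after signing.
func (d *Device) Verify(img Image) error {
	if ed25519.Verify(d.ManufacturerKey, digest(img.Payload), img.Signature) {
		return nil
	}
	if d.OwnerKey != nil && ed25519.Verify(d.OwnerKey, digest(img.Payload), img.Signature) {
		return nil
	}
	return ErrUntrusted
}

// Outcome records whether each constructed image was accepted.
type Outcome struct {
	ManufacturerImage         bool
	OwnerImageBeforeEnroll    bool
	OwnerImageAfterEnroll     bool
	AttackerImage             bool
	TamperedManufacturerImage bool
}

// RunScenario exercises the policy with three freshly generated key pairs
// (manufacturer, owner, attacker) and constructed payloads.
func RunScenario() (Outcome, error) {
	var o Outcome
	mfrPub, mfrPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}

	dev := &Device{ManufacturerKey: mfrPub}

	mfrImg := Sign(mfrPriv, []byte("vendor firmware v1.2"))                 // constructed payload
	ownerImg := Sign(ownerPriv, []byte("owner-built firmware from source")) // constructed payload
	attackerImg := Sign(attackerPriv, []byte("malware pretending to be v1.3"))

	o.ManufacturerImage = dev.Verify(mfrImg) == nil
	o.OwnerImageBeforeEnroll = dev.Verify(ownerImg) == nil
	o.AttackerImage = dev.Verify(attackerImg) == nil

	// Flip one byte of a legitimately signed image: the signature no longer matches.
	tampered := Image{Payload: append([]byte(nil), mfrImg.Payload...), Signature: mfrImg.Signature}
	tampered.Payload[0] ^= 0xff
	o.TamperedManufacturerImage = dev.Verify(tampered) == nil

	// Owner enrolls their own key: their build is now accepted, the attacker's still is not.
	dev.EnrollOwnerKey(ownerPub)
	o.OwnerImageAfterEnroll = dev.Verify(ownerImg) == nil
	if dev.Verify(attackerImg) == nil {
		o.AttackerImage = true
	}

	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The point the model makes: "self-signing" in this design is not "anyone can sign", it is "the device trusts exactly the keys its owner chose to enroll", and an attacker who cannot perform the local enrollment step gains nothing by generating their own key. Whether a vendor's warranty or a certification scheme permits that enrollment step is a policy question the code cannot answer.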
I wish they'd include a requirement that all IoT devices must offer their core base functionality over a standard protocol (i.e. MQTT), Independent of the provider's servers.
Of course all will hinge on the trademark. They need a logo like UL or Dolby or WiFi, something somebody would never consider buying a product without.
Re: (Score:2)
"bill that doesn't totally suck"...wow, imagine the propaganda value of that!
Re: (Score:2)
Be leery of the standards (Score:2, Interesting)
Backdoors for federal monitoring may be mandated as a requirement.
Re: (Score:3, Interesting)
And before you think "who cares if the government knows the temperature I set at home?", imagine being billed even higher for setting your heating system at "temperatures above government approved levels".
It's a slippery slope, unfortunately we already have people buying spying devices with their own money and bringing them voluntarily into their homes.
Soon, people without those spying devices will be offered free ones, then it will be law to own at least one of those in your home. Then it will become illeg
Re: (Score:2)
Well, they are neither mandatory nor offered for free yet, are they?
On the other hand, being able to summon help by just whispering out "Alexa, call ambulance!" may be a literal life-saver for victims of strokes and heart-attacks, for example.
Re: (Score:2)
It is still possible to buy TVs that work fine without any kind of internet connection. Which doesn't matter, since the cable box spies on you anyway. So do all the streaming services.
In fact, it isn't actually possible for them to not spy on you, really.
If you're going to connect to the internet, the internet is going to connect to you. If you don't want that, stay in the basement with your old Playboys.
Re: (Score:2)
But there is a difference between Apple (via Apple TV) and Netflix (via your subscription) knowing what I watch online and a hardware device with cameras and microphones that can potentially spy on me directly in the physical world.
Re: (Score:2)
So only buy devices from companies you're willing to let spy on you. Nobody's forcing you to buy any of this stuff.
Re: Be leery of the standards (Score:2)
Re: Be leery of the standards (Score:2)
It's not 80", but ASUS makes a 64" 4k monitor, Asus ROG Swift PG65UQ. The price is absurd, though.
Re: (Score:2)
I will choose ultra-wide over 4K any day.
Re: (Score:2)
Power usage may be that well-monitored in your area, but for non-industrial users: a) virtually nowhere is it done in actual real-time, and b) time-of-use billing is not yet ubiquitous, not even in metropolitan areas.
Re: (Score:2)
> I've never seen a step down that slippery slop
Please, allow me to introduce you to a step you may not have noticed. Power monitoring has been done for detection of household marijuana farms.
https://www.utilitydive.com/ne... [utilitydive.com]
It's another small step from there to monitoring for any social or political goal a government may have.
Re: (Score:2)
I mean: (1) That proves that smart thermostats aren't even a risk, power is sufficient. (2) Marijuana regulations are totally different from heating a home or a social goal. (3) Grow lights are unique spikes in ways that temperature is not - in fact, this supports my position.
Re: (Score:2)
I see your point that marijuana monitoring is a distinct case, but I hope you see the point that it is a precedent for monitoring, and very much a step down that slippery slope?
Re: (Score:2)
I mean, we also have court rulings that the police cannot (without a warrant) use heat vision to detect grow lights. But "someone using technology to detect what's in someone's home" is on a whole different axis than "the government will control what you do in the privacy of your home". In fact, on the second, we're moving away from that - especially in the bedroom.
Re: (Score:2)
While the improvements in some civil rights are laudable, let's not pretend that law enforcement and other governments or businesses have not engaged in warrant-free direct monitoring of businesses and citizens through electronic hacking, cracking, and forced access to private electronics. That was what the Clipper chip was designed to allow, and the project was only discarded after it was found to violate numerous patents _and_ it was proven possible to replace the escrow stored keys accessible to the gove
Re: (Score:2)
Again, you're focusing on the surveillance, and I'm focusing on the activities deemed illegal that they are trying to uncover. Because those are independent. And I'm still responding to a series of posters (or sock puppets) who made a claim that we're shifting towards the government mandating what temperature you can set in your home. And we seem to be moving the opposite direction.
Re: (Score:2)
Power companies are required by law to alert authorities of suspicious power usage, and that notification can be used to get the required warrant. Just FYI.
Re: (Score:2)
Biden has already said he will outlaw coal usage completely.
Metallurgical coal [wikipedia.org].
Biden is an idiot.
Re: (Score:2)
Re: (Score:2)
I wish the alternatives luck. Because aside from its thermal contributions to the steel making process, carbon is an integral component of steel. That's why it is called metallurgical coal.
Yes there are alternative alloys. But good luck paying for them. Or keeping a sufficient strength to weight ratio to produce usable products. In many cases, better structural alternatives are plastics. Which are made from ... oil.
My privately run power company already does that (Score:2)
It's like boiling a frog only the frog is smart enough to jump out of the pot...
I never understood why people get so freaked at gov't doing bad things and then shrug their shoulders when mega corps doing the same thing and sa
Re: (Score:2)
And then they totally forget that any time it wants the gov't can buy that data from the megacorps, and they don't need a warrant.
Re: (Score:2)
Not only just shrug their shoulders, but actively oppose regulations that would keep megacorps from doing that.
what went wrong? (Score:2)
Something shady must be going on here, this shouldn't have been allowed to happen! We must dig deeper!
Re:what went wrong? (Score:4, Informative)
Many of these devices are made in China. Of course they're nervous. My bathroom scales send data to Hong Kong if WiFi is enabled.
Re: (Score:2)
Re: (Score:2)
My bathroom scales send data to Hong Kong if WiFi is enabled.
What did you expect, given you ordered the Carrie Lam Signature Edition?
Re: (Score:2)
It's worse, TikTok is sending examples of American teenage angst and acne to the CCP. Just imagine the national security implications.
Re: (Score:2)
Which brand is that scale so that we can avoid it? You should have bought a non-network scale. :P
Re: (Score:2)
Oh wait, my watch says it's 8:23, exactly the time the legislation passed. Of course, the watch hasn't worked in years.
This seems good! (Score:3)
Requiring Federal agencies to buy IOT devices meeting a minimum security standard creates a market for secure IOT that didn't previously exist.
And now when the Chinese know that the guys in Cheyenne Mountain prefer the temperature to stay between 74 and 78F, they at least won't know which guy keeps setting it to 84.
Re: (Score:2)
won't know which guy keeps setting it to 84.
The old geezer [wp.com], obviously.
Re: (Score:2)
won't know which guy keeps setting it to 84.
The old geezer [wp.com], obviously.
If the choice is between the old geezer and the stupid geezer [wordpress.com] I'll pick the old one every time.
Re: (Score:2)
And requiring that companies' production/perimeter environments employ devices that must meet that standard before cybersecurity insurance providers will cover them, helps cover the private sector side of that coin [theonion.com].
Re: (Score:2)
The market for secure IoT devices DOES exist. It's just not the dumb consumer market. Industrial IoT needs security.
This will prevent a "Right to Repair" (Score:4, Interesting)
For the Slashdot folks who think a right to repair is very important: You won't like this law!
"secure code, identity management" means cryptographically signed executables and inability to run unsigned executables or executables signed by the wrong identity. If the original equipment manufacturer goes out of business or just doesn't want to provide updates, you are out of luck. Even if the source code is open-source (with a license more permissive than GPL3), you can compile the code, but you still cannot sign it. You are still out of luck.
Right to repair and security are opposing goals. Pick one.
Re:This will prevent a "Right to Repair" (Score:4, Insightful)
Right to repair and security are opposing goals. Pick one.
False dichotomy. "Secure code" is not synonymous with "signed code" and "identity management" does not automatically exclude the user.
It is very nice to have defect free software and t (Score:2)
It is very nice to have defect free software and therefore vulnerability free software, but that software does not exist.
Secure code implies you know what code is executing and you trust its source. That is what cryptographic signatures give you. They confirm you are executing unmodified code, and the code comes from an authorized source. If you could self sign executables, then bad guys will self sign malware.
There are lots of situations where not executing improperly signed code makes sense. It is a prima
Re: (Score:2)
Re: (Score:2)
I'd never allow closed-source IoT devices in my house. (Just because it's open-source doesn't mean it won't be spying on you, but you really want that to be out in the open to start with.)
Re: (Score:2)
And you're not only competent to read and analyze every bit of code on every device, but have the free time to do that? That's quite amazing, I've never met anyone IRL who did.
Open Source is a religion with some people, it will cure every evil and provide perfect security. How many gigantic security holes have been found just in Linux only after a decade or more had passed?
Re: (Score:2)
Actually in the industrial world, a lot of customers want this as it is extra security.
Re: (Score:2)
Yes. The iOS and Android worlds also require or allow signed apps. Mac OS complains if apps aren't signed.
It is very nice to have defect free software (Score:2)
So, are you saying that if an IoT device is running Linux, and a major security vulnerability if found in Linux, you don't want to patch the vulnerability? If some process contains a bug, you don't want a software update?
You can't have it both ways (Score:2)
If this was an Oil & Gas industry bill being written by the industry you would be going nuts right now.
Re: (Score:2)
If this was an Oil & gas industry bill being written by the industry, they would make it illegal to use solar.
MQTT (Score:2)
logo (Score:2)
Re: (Score:2)
The bill does include a definition, in Section 2. I don't want to wade through the legalese to figure out if your objection is justified.
NIST and Patching (Score:3)
NIST's security specs and the associated certifications have worked to make patching as difficult as possible. You want to put out a security patch? That'll be $100,000 for a fresh 140-3 certification for the updated software, thank you very much.
They might not be the right body to solve this problem, because they have failed to solve it for their existing spec for the 20 years it has been obvious that it needs solving.