Schneier: We Need a New Agency For IoT Security (onthewire.io) 165
Reader Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices. In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren't manufactured in the United States, so regulation would have no effect on their security. Another piece of the puzzle is the fact that there's no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle. "I actually think we need a new agency. We can't have different rules if a computer makes calls, or a computer has wheels, or is in your body," said cryptographer Bruce Schneier, another witness during the hearing. "The government is getting involved here regardless, because the stakes are too high. The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement. I'm not a regulatory fan but this is a world of dangerous things."
It all boils down to IPv6 security (Score:4, Informative)
Say what you will about IoT, bottom line is that it would be impossible on the scale being discussed w/o IPv6. That's not something that works fluently w/ NAT, especially given that for a lot of these things, auto-configuration would be required.
So far from any 'agency', what is required is expertise in IPv6 security. Especially how to keep IPv6 nodes either secure, and/or undetectable to anything but approved agents. This would have to work in tandem w/ access controls as well as IPv6 address management mechanisms
Re: (Score:2)
What we need are ISPs willing to shut down participants in botnets.
The other thing we need is a mesh network to permit the internet to actually route around censorship.
And then we're probably going to need yet another new protocol to handle that kind of chaos.
Re: (Score:2)
Re: (Score:2)
What we need are ISPs willing to shut down participants in botnets.
And how do we do that? Was my smoke detector DoSing the ABS website when the Australian census was last due? Or was I at my computer trying to access the damn website?
This is not a problem that is easily solved. It's difficult to tell this traffic apart from legitimate traffic. If you can route around the problem, so can the attack rendering the new node useless. A new protocol sounds like it may be able to incorporate something in this. I look forward to implementing it in 2045.
Re: (Score:2)
Re: (Score:1)
Yeah that was a dumb thing to say (Score:2)
Agreed, that was a stupid comment. Of course an autonomous car, which is hurtling toward me at 75 MPH, should have different standards than an IoT refrigerator, and biomedical devices implanted in my body should have another set of standards. Perhaps the standards for biomedical implants could include also the standards for consumer electronics by reference - "In addition to the 60 points listed below, medical devices must also meet consumer electronics standard #1235 ".
DSS? (Score:2)
Re: (Score:3)
They should be manufactured in the United States! (Score:2)
They should be manufactured in the United States!
TRUMP TRUMP TRUMP!
Re: (Score:1)
Trump: "It'll be a Yuuuuuge agency, and we'll make the Internets pay for it!"
Re: (Score:1)
Rats, I forgot the word "beautiful". My Trumpology slipped
Or, you know, we can just not (Score:5, Insightful)
use this technology.
Let's be honest. Right now, this stuff doesn't give us anything of real benefit. We don't need an internet connected thermostat. Or lights. Or fridges. Or toaster oven. Or whatever next comes up. Our skateboards reporting how many meters they've covered to some site or another. Useless! The utility of such things is near zero.
Nifty? Yes. Neat? Yes. Useful? Not in the least. And certainly not outside the developed world.
It's a distraction. A bad one. And if the recent mega-botnet attacks are any indication it's not good for the health of the internet either. So let's get rid of them before someone in a position of abusable power decides that they're evil and gets rid of them for us. With us doing it, it at least leaves the door open for getting it right next time. Not so certain that others would give the tinkerers a second chance on something like this. I've already had to deal with parents panicking over their children's laptop cameras.
That wasn't a fun conversation in the least.
Re: (Score:2, Flamebait)
Re: (Score:2)
You are only seeing the consumer side. On the infrastructure and business side, IoT is huge. From asset tracking, to remote metering (why send people round to read every meter in the country when they can just self report once a month?) to monitoring applications (how much stress is that bridge under, are all my street light bulbs working?) there are many very useful, practical applications for IoT devices.
And that's where the real risk is. Fridge botnets are one thing, taking out infrastructure is another.
Re: (Score:2)
We don't need an 'agency', I'll TELL what we need: (Score:3)
Re: (Score:2)
Short answer is we need to hold people accountable. This is a case where there absolutely should be not quite a strict liability situation but maybe negligence level where you are responsible for shit that a computer you own does unless you can show you took appropriate and reasonable precautions.
Once that is true people will install patches, they will learn to install and configure firewalls, or they will turn the shit off and unplug the Ethernet wire from the smart tv because it's too much hassle to deal w
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
The router/gateway has a part to play too. However regardless of whether the user accessing the system is legitimate, buffers should not overflow, sql should not get injected, etc. Defense in depth.
Wrong (Score:5, Insightful)
We totally don't. Just fuck off already.
Re: (Score:1)
You know which answer is nearly always wrong? (Score:2)
I really like Schneier's work in general, but if there's one answer that has to be nearly always wrong it's "We need a new government agency."
It's also patently false that because a thing isn't manufactured here, we can't regulate it. We can (and do) regulate the import of things that aren't manufactured here. If he's talking about regulating things that are manufactured, sold, and used elsewhere but also happen to be on the internet, then we just shouldn't be doing that at all anyway.
Another way (Score:5, Insightful)
Most electronics in the United States are (Underwriters Laboratory) UL approved. That is because there are various non-governmental rules that strongly influence people into buying UL approved products. One is that vendors often refuse to stock products that are not approved by some standards body, because otherwise they may face liability for the product. Another is that homeowners insurance will not cover you if a non-UL approved device started the fire. Hospitals and laboratories will not buy medical devices that are not UL approved.
We need something like UL for security.
It would be great to have a system like that in place, rather than to have the government directly involved. The toughest part is that so much electronics is purchased online, from overseas manufacturers, that this free-market solution may not work. Really, the free market is optimizing around it. It would be awesome to see Amazon and Newegg refuse to sell products unless they had some kind of security approval.
UL is a great model, created by insurance companie (Score:2)
Something like UL, but focused on security, would be great.
Insurance companies established Underwriters Laboratories and the National Fire Protection Association in order to reduce their costs stemming from fires, injuries, and death. I don't see an obviously similar group for information security. Google, Amazon, and Comcast would all benefit from reducing attacks, so perhaps they could found an organization similar to Underwriters Laboratories.
Re: (Score:1)
Seed money, not day-to-day operations. Openstack e (Score:2)
If there were an organization similar to UL, but testing for safety and security of IT products, its value would depend on what the group DID, not who provided the initial funding.
Note again I didn't say these companies would test and approve products. Rather, they have an interest in having the internet secure for everyone, so they might put up some cash to seed an independent testing organization. (Example: IoT ddos attacks flow through Comcast's network, costing them money.
History shows that they can
Re: (Score:1)
Re: (Score:2)
So the next step is that every device that connects to Comcast's network must be approved by this "organization similar to the UL", or they won't allow it on
Almost. We are proposing something similar to how it works with electrical devices and telecommunications devices. In those cases, it isn't the power company or the phone company that gets a say, it is the insurance companies and retailers. So no: Comcast would not be able to approve things. They simply have no way to enforce this even if they wanted to.
And you can't make any unapproved changes to that device, because any change might make it insecure. It is only logical after all.
No, that is not logical, and it is not how the industry we are comparing it to works.
At some point you will be only allowed to use a locked down computer running pre-approved software running in the cloud. Don't think it will happen? That is the logical conclusion to this madness.
If that is the logical conclusion, then why has it not happened alr
Re: (Score:2)
Corporate networks already do this.
No they don't. They wish they could, and they try. Here's how they try:
First of all, corporate IT has physical access to everything in the building. Comcast has no access to the devices in my house. That's an important difference. Second, corporate IT achieves most of their security by demanding that all devices on the network be Windows boxes that are on their domain. Comcast can't require this either.
Ultimately though, even corporate IT can't achieve this because they have to allow non-Windows devices
Re: (Score:1)
And these days UL requirements (generally needed in the U.S.A.) and CE requirements (definitely needed in Europe) mostly line up!
This highlights another potential pitfall, but also goes to show that both the government and private-industry routes have been pretty successful.
I'd lean towards a government approach in this case though (and we have examples of this like Energy Star certification) because there's not the same private incentive. You don't want an insurance claim denied because a non-UL device ca
Re: (Score:2)
So getting some kind of incentive to have devices certified seems like it will be difficult.
Agreed! So to make this work, we need liability.
So how about this: if your device is part of a botnet, or infects another computer - you are liable unless the device was certified by the testing agency. Hmmmm...no, that won't work. The problem there is finding out the source. If there is a DDOS from 5 million devices, nobody is going to sue 5 million people.
So how about this: Hold manufacturer liable. We've been asking for companies (banks, etc.) to be liable for security breaches, and for software com
Re: (Score:2)
So Dell is liable because your Dell computer got infected and is part of a botnet?
If Dell installed an insecure piece of software on it, then yes, they can be.
It only makes sense to you because you are an idiot.
LOL, nice burn dawg.
There is no difference between an "IOT device" and a Linux or Windows computer you install software on.
One key difference is: who installed the vulnerable software and firmware onto the device? With a Dell Laptop, the owner can install whatever they want on it, so *maybe* it was the owner's fault not the manufacturer's. With a Frigidaire refrigerator, or a Honeywell thermostat, or an XBOX 360, or a Shenzhen-Guowei security camera, the owner probably can't install software on it. That's a crucial difference. W
Re: (Score:2)
"this free-market solution may not work"
If not, then it's not that important, really.
I admit, I'd pay extra for devices I KNEW had been tested; the problem is what is a "successful test"? I mean, obviously the mfg are going to game around it. Besides that, what about devices that legitimately need to phone home? For example that stupid IoT thermostat that was connected to some Google server. Stupid design, yes. "Failure" (assuming it's not sending personal data) ?
Clippy: "Oh, I see you're on a test ben
Re: (Score:2)
the problem is what is a "successful test"?
That is what the 3rd-party testing lab determines. It's not up to the manufacturer to test it.
what about devices that legitimately need to phone home
The testing agency should not have a problem with a device that needed to phone home. That's a legitimate feature. The testing agency would make sure that the data was encrypted, that failed password attempts are limited, that there isn't a single shared password on each device, etc.
For example that stupid IoT thermostat
Yes!!! That's what we are trying to prevent! It had no encryption, sent the user's personal information (email account, password,
I warned you (Score:1)
Does Not Have to be Government (Score:3)
Government involvement is not needed and will be counterproductive. Something like UL (https://en.wikipedia.org/wiki/UL_(safety_organization) ) will be appropriate. There are a number of analogous examples that work well, like the ANSI, API, ICANN, IMO.
Re: (Score:2)
Re: (Score:2)
Something like UL (https://en.wikipedia.org/wiki/UL_(safety_organization) ) will be appropriate.
I've heard this a few times. I'm not convinced.
UL is "Underwriters' Laboratories." One of the things they do is look at electric devices and make sure that they won't catch fire in most conditions. This is a good thing and they have the backing of insurance companies. So if you plug in that extension cord that your brother made and it causes an electrical fire which burns down your house, when you go to your insurance company, they'll say, "Nope! We're not paying out because the extension cord wasn't U
Re: (Score:2)
In a liability situation, why would UL help? Suppose you used UL-certified light bulbs, and they were used in a major DDoS attack. You get named in the suit, and when you try to pass the liability on back the company has disappeared or gone bankrupt or is out of the country or something. The UL isn't going to indemnify me. Lots of people will have some IoT-type devices without insurance, since (at least in the US) renter's insurance wasn't all that common when I still rented. Unless people have some s
Re: (Score:2)
You miss the point. I suppose I got a bit wordy.
Why do you buy UL-certified electric devices? Because if you use them and one of them causes your house to burn down, your fire insurance will cover you. If you use a non-UL-certified electric device and it causes your house to burn down, your fire insurance won't pay.
Thus, I have an incentive to buy UL-certified devices. Uncle Sam does not need to get involved. This is, arguably, a good thing.
Many people are saying that IoT devices need something akin to
Operational allocation isn't a new thing (Score:1)
Just like electronic devices must be certified to operate within FCC or CRTC guidelines, these kinds of products should pass through a similar system to ensure compliance. All IoT devices should also conform to some network management scheme for enumeration and auditing. This is just a new twist on an old system that has worked well for some forty plus years.
current govt = fail (Score:2)
Don't Hook Crap to The Internet Unless You Need To (Score:2)
Duh.
Re: (Score:2)
The problem is this though. The people that are attaching these devices are largely unaffected by this. They got some cheap device of some sort that at least somewhat does what the purchaser wants, and their own device isn't attacking their own machines.
And the manufacturers don't care either. And even if they did, what are the chances that they would have any amount of success getting people to upgrade firmware?
And this is why we can't have nice things (Score:2)
We do NOT need a 'new agency'. Indeed, perhaps, maybe, we can use legislation to establish FTC or other regulations that require Internet-connected devices be minimally secure, as in requiring a nontrivial admin password be set, that they not be susceptible to 'trivial' attacks, and that they be manageable by owners to reestablish control.
All of this is, sadly, patchwork, and will not solve the real problems, and establishing financial penalties will just drive manufacturers offshore where we can't reach t
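The two threads above converge on the same minimum bar: a device must ship with a nontrivial admin password that is not shared across units, and it must limit failed login attempts. The following is an added example (not code from the page, from any device vendor, or from any testing lab) of what such a check looks like in practice: a per-unit credential generator, a trivial-password filter, a lockout after repeated failures, and a fleet audit that flags any credential shared by more than one device. The thresholds, the weak-password list, and the sample fleet are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Policy thresholds: constructed assumptions for this example, not from any standard.
MIN_PASSWORD_LEN = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 300
PBKDF2_ITERATIONS = 100_000

# Constructed list of well-known factory defaults; a real checker would use a far larger list.
TRIVIAL_PASSWORDS = {"", "admin", "password", "root", "1234", "12345", "123456", "default"}


def password_is_nontrivial(password: str) -> bool:
    """Reject empty, well-known default, or too-short admin passwords."""
    if password.lower() in TRIVIAL_PASSWORDS:
        return False
    return len(password) >= MIN_PASSWORD_LEN


def generate_unique_device_password(nbytes: int = 12) -> str:
    """Per-unit credential generated at manufacture, so no two devices share one."""
    return secrets.token_urlsafe(nbytes)


def shared_credentials(fleet: dict) -> dict:
    """Audit a {device_id: password} map and return every password used by more than one unit."""
    by_password = {}
    for device_id, password in fleet.items():
        by_password.setdefault(password, []).append(device_id)
    return {pw: ids for pw, ids in by_password.items() if len(ids) > 1}


class DeviceAdminAuth:
    """Admin login for one device: salted password hash plus lockout on repeated failures."""

    def __init__(self, password: str, clock=time.monotonic):
        if not password_is_nontrivial(password):
            raise ValueError("refusing to provision a trivial admin password")
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(password)
        self._clock = clock  # injectable so the lockout window can be tested without sleeping
        self._failures = 0
        self._locked_until = 0.0

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ITERATIONS)

    def is_locked(self) -> bool:
        return self._clock() < self._locked_until

    def login(self, attempt: str) -> str:
        """Return 'ok', 'denied', or 'locked'; the lockout defeats online password guessing."""
        if self.is_locked():
            return "locked"
        if hmac.compare_digest(self._hash(attempt), self._digest):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= MAX_FAILED_ATTEMPTS:
            self._locked_until = self._clock() + LOCKOUT_SECONDS
            self._failures = 0
        return "denied"


if __name__ == "__main__":
    # Constructed sample fleet: two cameras still on the factory default, one provisioned properly.
    fleet = {"cam-001": "admin", "cam-002": "admin", "cam-003": generate_unique_device_password()}
    print("shared credentials:", shared_credentials(fleet))
    auth = DeviceAdminAuth(fleet["cam-003"])
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(auth.login("admin"))
    print("locked after repeated failures:", auth.is_locked())
```

The clock is injected so a lab harness can verify that the lockout really expires rather than waiting five minutes; `hmac.compare_digest` keeps the comparison constant-time, and the salted PBKDF2 digest means a dumped flash image does not yield the password directly.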
Re: (Score:1)
So everyone who creates software would now need to be able to prove that to a governmental agency? Or you wouldn't allow software to be installed on Internet-connected devices unless it was pre-approved? So you couldn't attach your Linux computer (or Windows or Mac) or phone or whatever to the Internet unless it was running this pre-approved s
Re: And this is why we can't have nice things (Score:2)
I was focused on the device. The software makes this possible...
How to fix this without big gov (Score:2)
Report that to the user and tell them to replace or update the device until it is safe on any network facing the internet.
2. Ban the branded control software from cell phone and all app stores. If your device can be used as part of a swarm, its app gets banned and the world told why a brand can't be trusted.
3. Work with isp. An IoT device b
Go 1 step further; BOFH mode (Score:2)
> 1. Get anti virus software, free and subscription to scan a users networks by default.
> Find every device and test them with common pw/usernames and see what fails.
Go one step further. Have a government body scan the net and try to pwn and *BRICK* internet-connected everything (IOT/smartphones/tablets/desktop-PCs/servers). If it withstands the break-in attempts, it's secure. If it doesn't withstand the break-in attempts, it had no business being on the net in the first place.
Before anybody starts ye
Re: (Score:2)
"CIA Chief: We’ll Spy on You Through Your Dishwasher" (03.15.12)
https://www.wired.com/2012/03/... [wired.com]
"All those new online devices are a treasure trove of data if you’re a “person of interest” to the spy community."
All global AV brands have to do is scan with every common pw/usernames and see what fails. Get users to create their own long pw and unique usernames.
Or make the gateway to the internet hide or mask what the user is running.
Re:The course is clear (Score:5, Insightful)
The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement.
The people have spoken. The desire for stupid government is strong. Stupid government involvement is the only allowable course.
The right answer here is a non-governmental agency like UL. That can have greater reach (and, frankly, more credibility) than anything US government-specific. This would have to be coupled with a firm stance from the server side of IOT (like AWS) requiring the certification.
Re:The course is clear (Score:4, Interesting)
When Government agency fails, or is wasteful, what happens? "Hey, let's toss more money at the problem"
When Private entity fails, it goes away, and is either replaced or is no longer needed. Waste is generally frowned upon.
Re:The course is clear (Score:5, Insightful)
Not if it's a bank.
Re: The course is clear (Score:2)
Or a major auto manufacturer.
Re: (Score:1)
Re: (Score:1)
Sounds like a job the Dept of Homeland Security could handle.
What could go wrong?
Re: (Score:2)
Here's a list of 547 banks that have failed since 2000. [fdic.gov]
Maybe it's just the ones that didn't donate enough to those in political power. You know... the ones that weren't too big to fail [forbes.com].
Re: (Score:3)
Well, IMHO (being a Libertarian) I would have let the banks fail. Additionally, I would have locked up the CxO of banks that were practicing fraud, or otherwise weren't doing their due diligence in protecting the assets under their leadership. Heck, I would also go after the Board of Directors.
Re: (Score:3, Insightful)
Re: (Score:3)
Citations that will be requested, although I'm sure they will be disregarded:
http://www.npr.org/2015/05/14/... [npr.org]
http://www.thedailybeast.com/articles/2014/03/13/how-we-built-the-ghettos.html
http://www.theatlantic.com/business/archive/2014/05/the-racist-housing-policy-that-made-your-neighborhood/371439/
Conservatard sources (sorry, my
Re: (Score:2)
Well, in a perfect world the government would not have created ghettos in American cities. Since they did,
Right. Sure.
Citations that will be requested, although I'm sure they will be disregarded:
You managed to make only two of those links into actual links, but the three I reviewed were all based on the opinions of one man. "According to one historian" in the last link was a dead giveaway.
Somehow, I don't think forcing banks to make loans to people who cannot pay them back is a good way of solving the problem you claim the government created. In fact, it is more than "I think". The economic crisis that it created was the obvious result. That obviousness makes it very hard to attribute
Re: (Score:2)
Likewise, your "forcing people to make loans" has been disproved multiple times. The problem was really too much money without clear investment opportunities. The money, basically thought it found somewhere safe to grow, but it was lies, and not government lies, free market lies.
Anyway, I'm wasting my time with you.
Re: (Score:2)
When a public service fails, and there are private alternatives, it is compared to them and eventually de-funded.
When a private oligopoly fails, or is wasteful, what happens? "We'll just raise prices" ...
Hello PSTN & Cable Co's. I
Re: (Score:1)
Re: (Score:3)
More like everything you want to sell to the general public should be approved.
Anything you want to build yourself, you build it yourself as usual.
Re: (Score:1)
Re: (Score:3)
I don't see how viperidaenz's statement leads from your question to your answer. "if you're selling it get it approved; if you're not don't" doesn't read to me "keep it off the internet". How would that be enforced? It seems like it would be difficult for the rest of the internet to tell whether your device is certified...
Re: (Score:1)
Re: (Score:2)
Let's be a little more precise: Every computer/device for sale in the United States.
The more obvious result is that it does next to nothing to curb the issues related to security while greatly increasing the barrier to entry, plus costing the taxpayers a whole bunch of money.
Re: (Score:1)
Re: (Score:1)
You wish.
All hardware is required to be NRTL approved before it can be sold *commercially*. The buyer or builder accepts all liability
Here's a good read on it.
http://electronics.stackexchan... [stackexchange.com]
The problem isn't the software so much as the purchaser that rarely bothers to change default passwords or settings. Manufacturers are somewhat to blame for trying to make things as simple as possible and people are lazy.
The bottom line here is the consumer generally has no concept of the risk and everyone operates on
Re: (Score:1)
Wrong. The problem IS THE SOFTWARE. That is what is insecure. Think about it. If you needed to prove that a system is secure you would need to certify the SOFTWARE AND HARDWARE. And you wouldn't allow new software to be installed, unless THAT was approved as well. Otherwise the system wouldn't be secure. It is really sad people are ready to trade "safety" for a walled garden. But I guess that's why Apple is the richest corporation in history.
Re: (Score:1)
Not sure what kind of Axe you have to grind, but the weakest link is *always* the meat-Popsicle.
Technology is easy. It can be automated and made ubiquitous. It's the person that has to be able to understand and use it with about an 8th grade education.
I never mentioned Apple, but they do a fantastic job of catering to the least educated and most educated denominator equally. Really impressive actually even if I do hate and refuse to use their products. Mostly because I refuse to accept vendor lock-in.
Good l
Re: (Score:1)
Re: (Score:2)
Read your Verizon/Comcast/ATT terms of service and acceptable use policies. This is already in place.
I see no such terms of service in my Comcast agreement. Can you provide a citation that supports your claim? I am not sure how Comcast could detect unapproved equipment I connect to the network anyway. Once it hits the router/modem and gets NAT, it's all the same MAC and IP address.
Re: (Score:2)
It seems my quote above wasn't entirely applicable as it seems to be about cable modems.
Since the cable modem is the gateway from the home network onto the cable side, I think it's relevant that Comcast needs to approve any devices that attach to THEIR network. Wouldn't it be wonderful if someone was selling cable modems that corrupted the network data for everyone else on that branch? I wouldn't mind a cable modem that I can put into promiscuous mode on the WAN so I can sniff all my neighbor's traffic, but I'd hate to have that same thing accessible to them. This isn't a limitation on what dev
Re: (Score:2)
Re: (Score:1)
Let's hear those stories.
If it increases understanding of the issue, let's have it!
Re: (Score:2)
Re: (Score:2)
No...
It's like mains powered electrical appliances.
I'm allowed to build my own appliance and plug it in to the mains. I can do what ever I want to stuff I've bought.
I'm not allowed to sell it to the public unless it passes all relevant safety codes.
Re: The course is clear (Score:2)
Precisely. You don't get to operate an unapproved motor vehicle on public roads. Why should the internet be any different?
Re: (Score:2)
The bar is very low for a car you build yourself though.
Pwnt IoT devices are a problem because of scale. I'm not sure there will ever be enough hand-built "things" to matter.
Re: (Score:1)
Re: (Score:2)
It all depends on where it's enforced. My suggestion was for the IoT cloud backends to enforce this. IoT-specific that way.
Re: (Score:2)
Yes, there really are. https://aws.amazon.com/iot/ [amazon.com] https://www.microsoft.com/en-u... [microsoft.com]
Just throwing some servers up doesn't scale to a billion devices. A secure connection is a very difficult process on a low-end "thing". There's lots of specialist problems still being solved.
Re: (Score:2)
They will pretty soon. What do you think the big names will need as a back end? How many Android phones are there? How many smart TVs are there? There will be 10x as many "things" in a few years, given it's a much cheaper market. Heck, Amazons goofy "dash button" is moving like crazy just for the novelty value.
AWS and Azure are building out at massive scale now, trying to land contracts with the big names already. And security is definitely part of the pitch - the future liability risk is being taken s
Re: (Score:1)
Re: (Score:2)
What is more probable, is some sort of safe haven that allows ISP's to terminate connections with certain traffic, maybe a clearinghouse for requests, like the DMCA. Maybe some sort of fines.
It's certainly subject to abuse, but not as worrisome as what you're concerned about.
Re: (Score:2)
Re:The course is clear, mostly (Score:3)
Governments are predominantly good at policing things: regulation is something of a misnomer (regulators keep voltages stable: police arrest people).
The UL-like body needs to be backed up by real police powers, like the power to have the local police seize dangerous goods, and be financially independent of the people who make the products being certified as safe to import and use.
Ontario famously tried to get the crooks (waterworks operators) to pay for the police (drinking-water inspectors). That promptly k
Re: (Score:2)
Why? UL isn't, and fire is a more serious problem than the IoT running amok. Liability for manufacturers would sort this out, just as it did for fire safety.
Re: (Score:2)
Re: (Score:2)
Speaking of non-sequiturs.
Re: (Score:2)
Fire is local, and the source can usually be determined. IoT problems are global (literally), and it's going to be more difficult to assign liability. Moreover, appliances are judged on not starting fires during normal use. IoTs would need to be secure from attacks, including attacks nobody's thought of yet.
Re: (Score:2)
UL? I'm glad they stopped the endless stream of fake products which can provide fatal shocks with shoddy engineering and construction. I mean they have the UL logo on them so it must be good right?
Government regulation, or agencies such as UL won't do anything about a global problem that is caused by a race to the bottom.
Re: (Score:2)
Re: (Score:2)
Brawndo has got what IoT needs.