Top Cybersecurity Experts Unite to Counter Right-to-Repair FUD (securepairs.org)

Long-time Slashdot reader chicksdaddy writes: Some of the world's leading cybersecurity experts have come together to counter electronics and technology industry efforts to paint proposed right to repair laws in 20 states as a cyber security risk. The experts have launched securepairs.org, a group that is galvanizing information security industry support for right to repair laws that are being debated in state capitols.

Among the experts who are stepping forward is a who's who of the information security space, including cryptography experts Bruce Schneier of IBM and Harvard University and Jon Callas of ACLU, secure coding gurus Gary McGraw of Cigital and Chris Wysopal of Veracode, bug bounty pioneer Katie Moussouris of Luta Security, hardware hackers Joe Grand (aka KingPin) and Billy Rios of Whitescope, nmap creator Gordon "Fyodor" Lyon, Johannes Ullrich of SANS Internet Storm Center and Dan Geer, the CISO of In-Q-Tel. Together, they are calling out electronics and technology industry efforts to keep replacement parts, documentation and diagnostic tools for digital devices secret in the name of cyber security.

"False and misleading information about the cyber risks of repair is being directed at state legislators who are considering right to repair laws," said Paul Roberts, the founder of securepairs.org and Editor in Chief at The Security Ledger, an independent cyber security blog. "Securepairs.org is a voice of reason that will provide policy makers with accurate information about the security problems plaguing connected devices. We will make the case that right to repair laws will bring about a more secure, not less secure future."

"As cyber security professionals, we have a responsibility to provide accurate information and reliable advice to lawmakers who are considering Right to Repair laws," said Joe Grand of Grand Idea Studio, a hardware hacker and embedded systems security expert.

The group will counter a stealthy but well-funded industry effort to kill off right to repair legislation where it comes up. That has included the creation of front groups like the Security Innovation Center, which has enlisted technology industry executives and academics to write opinion pieces casting right to repair laws as a giveaway to cybercriminals.

Securepairs organizers say they hope to mobilize information security professionals to help secure the right to repair in their home states: writing letters and emails and providing expert testimony about the real sources of cyber risks in connected devices.

  • by Anonymous Coward

    This is really about who owns the things we buy and pay for! Corporations want us to think that we don't really own the things we buy! They want us to think that they still own the things we buy, and we are just renting them. That is not true however. When we buy something, we own it regardless of the non-understandable language in any EULA or license agreements! And when you own something, you have the right to repair it!!

  • by Anonymous Coward

    As close to a totality of who's who in the security world coming together as has ever been seen.

    This project might be the genesis of something far more influential.

  • all it states is "We own all your base"

  • by Z00L00K ( 682162 ) on Sunday May 05, 2019 @03:45PM (#58542708) Homepage Journal

    By reading the title it wasn't really clear what the article was about - it could go either way.

  • How? Why? (Score:5, Interesting)

    by tsa ( 15680 ) on Sunday May 05, 2019 @04:51PM (#58542996) Homepage

    I still find it amazing that you even need a Right to Repair law. Here in the EU as far as I know all the stuff you buy is yours, except music and the like. We can tinker with our stuff to our heart's content. OK, your warranty is void and your car may not be road legal anymore after you finished modifying it, but that is just common sense, not some stupid rule a company enforces.

  • Even the group acknowledges (on their site) that the key has to be kept private. If a device will only execute code signed with that secret key, and only talk to parts which have certificates signed by a private key, you still cannot tinker or repair the device. Let's say the private key is ephemeral and used once at production time to "pair all parts of the device using one time programmable fuses" to secure the device and all its parts as one system. Such a device is still not repairable.

    I'm all for tink

    • by Anonymous Coward

      How about adding a physical jumper or switch to the design that needs to be toggled in order to modify? I guess someone could break into your home and manually toggle it, but wouldn't you have greater security issues to worry about then?

      It's not secure to have a device you can't update because the company no longer supports it after one year and are unwilling to provide the information on how to do so. What good is it to have a key signed firmware if it's vulnerable to some bot scanning the Internet? At tha

    • by Dunkirk ( 238653 ) *

      As someone working for a company which is talking very heavily about digitally securing the code in our products, I fall on the other side of this conversation. I think we should make it EASY to hack our stuff. There are legitimate reasons to do so, but it CAN possibly be dangerous. The law should protect us from whatever people do to themselves in the process.

      You should be allowed to do whatever you want with stuff you "bought and paid for." But if you "break" it, you void the warranty, and you get to "keep b

  • Having the info available to repair (or even modify) consumer goods can be both good and bad:
    Consumers can return older, no longer functioning items to working order without having to simply replace them, therefore saving money.
    "Bad Guys" will get their hands on the info and use it to exploit vulnerabilities in the items, wreaking havoc.

    As I see it, this allows people to patch/close vulnerabilities, and make things more secure. This assumes people put in even a minimum of effort to actually make a positive

  • "False and misleading information about the cyber risks of repair is being directed at state legislators who are considering right to repair laws," said Paul Roberts, the founder of securepairs.org and Editor in Chief at The Security Ledger, an independent cyber security blog.

    Three politicians out of five regard this as a feature, not a bug. The giant canopy of misinformation assists in covering their lame asses as they lean to the green, which was a foregone conclusion.