Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government Botnet United States Wireless Networking

US Congress Passes an IoT Security Bill 'That Doesn't Totally Suck' (theregister.com) 80

Shotgun (Slashdot reader #30,919) shared these thoughts from The Register: Every now and again the U.S. Congress manages to do its job and yesterday was one of those days: the Senate passed a new IoT cybersecurity piece of legislation that the House also approved, and it will now move to the President's desk.

As we noted back in March when the IoT Cybersecurity Improvement Act was introduced, the law bill is actually pretty good: it asks America's National Institute of Standards and Technology (NIST) to come up with guidelines for Internet-of-Things devices and would require any federal agency to only buy products from companies that met the new rules. It gives a minimum list of considerations to be covered: secure code, identity management, patching and configuration management. It also requires the General Services Administration — the arm of the federal government that sources products and comms for federal agencies — to come up with guidelines that would require each agency to report and publish details of security vulnerabilities, and how they resolved them, and coordinate with other agencies.

Industry has also got behind the effort — Symantec, Mozilla, BSA The Software Alliance (which includes Apple, Microsoft, IBM, Cloudflare, the CTIA and others) — and Congress has managed to keep its fingers out of things it knows nothing about by leaving the production of standards with the experts, using federal procurement to create a de facto industry standard.

Though it will still be legal sell insecure IoT devices, "for those looking for good, secure products, there will be a baseline standard across the industry..." the article concludes.

"[T]his is an essential first step to getting secure IoT in place."
This discussion has been archived. No new comments can be posted.

US Congress Passes an IoT Security Bill 'That Doesn't Totally Suck'

Comments Filter:
  • Backdoors for federal monitoring may be mandated as a requirement.

    • Re: (Score:3, Interesting)

      And before you think "who cares if the government knows the temperature I set at home?", imagine being billed even higher for setting your heating system at "temperatures above government approved levels".

      It's a slippery slope, unfortunately we already have people buying spying devices with their own money and bringing them voluntarily into their homes.

      Soon, people without those spying devices will be offered free ones, then it will be law to own at least one of those in your home. Then it will become illeg

      • by mi ( 197448 )

        If you think that's crazy, remember that we all thought smart speakers were a crazy idea when they came out and that nobody in their right mind would buy those. Just wait a few years and the crazy becomes the new normal.

        Well, they are neither mandatory nor offered for free yet, are they?

        On the other hand, being able to summon help by just whispering out "Alexa, call ambulance!" may be a literal life-saver for victims of strokes and heart-attacks, for example.

      • before you think "who cares if the government knows the temperature I set at home?", imagine being billed even higher for setting your heating system at "temperatures above government approved levels".

        That's stupid. First, that's not how things work in the US. The government uses things like cap-and-trade to deal with pollution. I've never seen a step down that slippery slope. On the other hand, energy use in the US is already tiered. Using power has non-linear and escalating costs, just like tax brack

        • Power usage may be that well-monitored in your area, but for non-industrial users: a) virtually nowhere is it done in actual real-time, and b) time-of-use billing is not yet ubiquitous, not even in metropolitan areas.

        • > I've never seen a step down that slippery slop

          Please, allow me to introduce you to a step you may not have noticed. Power monitoring has been done for detection of household marijuana farms.

          https://www.utilitydive.com/ne... [utilitydive.com]

          It's another small step from there to monitoring for any social or political goal a government may have.

          • I mean: (1) That proves that smart thermostats aren't even a risk, power is sufficient. (2) Marijuana regulations are totally different from heating a home or a social goal. (3) Grow lights are unique spikes in ways that temperature is not - in fact, this supports my position.

            • I see your point that marijuana monitoring is a distinct case, But I hope you see the point that it is a precedent for monitoring, and veyr much a step down that slippery slope?

              • I mean, we also have court rulings that the police cannot (without a warrant) use heat vision to detect grow lights. But "someone using technology to detect what's in someone's home" is on a whole different axis than "the government will control what you do in the privacy of your home". In fact, on the second, we're moving away from that - especially in the bedroom.

                • While the improvements in some civil rights is laudable, But let's not pretend that law enforcement and other governments or businesses have not engaged in warrant-free direct monitoring, of businesses and citizens, through electronic hacking, cracking, and forced access to private electronics. That was the Clipper chip was designed to allow, and the project was only discarded after it was found to violate numerous patents _and_ it was proven possible to replace the escrow stored keys accessible to the gove

                  • Again, you're focusing on the surveillance, and I'm focusing on the activities deemed illegal that they are trying to uncover. Because those are independent. And I'm still responding to a series of posters (or sock puppets) who made a claim that we're shifting towards the government mandating what temperature you can set in your home. And we seem to be moving the opposite direction.

                • by cusco ( 717999 )

                  Power companies are required by law to alert authorities of suspicious power usage, and that notification can be used to get the required warrant. Just FYI.

                  • Power companies are required by law to alert authorities of suspicious power usage, and that notification can be used to get the required warrant. Just FYI.

                    They can get a search warrant for my hydroponic vegetable farm I have in the winter in my garage. (Yes, it's vegetables not marijuana.) Maybe they'd even do a "no-knock" warrant so they bust in at 5AM and I, not knowing what is going on, burst out of the bedroom with my gun and they shoot me 12 times. Oh wait, they've already done that one. In another "no-knock" raid they threw a flash-bang into a baby's crib resulting in its death.

        • Our water system here charges like everything else by usage. So you pay by the gallon used. But then they do two things:

          1. They tier it, so the first x number of gallons is at price y, then the next x number of gallons are higher, and so on and so forth.

          2. They actually add a surcharge on my bill because of the size of my lot, irrespective of what I use.

      • by PPH ( 736903 )

        imagine being billed even higher for setting your heating system at "temperatures above government approved levels".

        How will they ever know if I shovel a little extra coal into my furnace?

        Yes. I actually know some people with backup coal heat. Just in case the Soviet of Seattle outlaws natural gas.

      • It's "optional" but you get a substantial discount for allowing them to monitor your temperatures. So far I've resisted it, but it's only a matter of time before the payment plan that doesn't include it is prohibitively expensive. My car insurance company is doing the same thing.

        It's like boiling a frog only the frog is smart enough to jump out of the pot...

        I never understood why people get so freaked at gov't doing bad things and then shrug their shoulders when mega corps doing the same thing and sa
        • by cusco ( 717999 )

          And then they totally forget that any time it wants the gov't can buy that data from the megacorps, and they don't need a warrant.

        • I never understood why people get so freaked at gov't doing bad things and then shrug their shoulders when mega corps doing the same thing and say "that's capitalism, you can just move somewhere else, right?".

          Not only just shrug their shoulders, but actively oppose regulations that would keep megacorps from doing that.

      • I recently had to do an interpretive reading and chose a portion of the first chapter of "1984" by Orwell. After the reading I drew parallels with the new "convenience" gadgets in homes. A number of people in the audience were shocked by where things are at today. Sadly, there were also some who couldn't have cared less. The second group is the most concerning.
  • Something shady must be going on here, this shouldn't have been allowed to happen! We must dig deeper!

  • by Frank Burly ( 4247955 ) on Sunday November 22, 2020 @12:05PM (#60754138)

    Requiring Federal agencies to buy IOT devices meeting a minimum security standard creates a market for secure IOT that didn't previously exist.

    And now when the Chinese know that the guys in Cheyenne Mountain prefer the temperature to stay between 74 and 78F, they at least won't know which guy keeps setting it to 84.

  • by EMB Numbers ( 934125 ) on Sunday November 22, 2020 @12:12PM (#60754148)

    For the Slashdot folks who think a right to repair is very important: You won't like this law!

    "secure code, identity management" means cryptographically signed executables and inability to run unsigned executables or executables signed by the wrong identity. If the original equipment manufacturer goes out of business or just doesn't want to provide updates, you are out of luck. Even if the source code is open-source (with a license more permissive than GPL3), you can compile the code, but you still cannot sign it. You are still out of luck.

    Right to repair and security are opposing goals. Pick one.

    • by Arnonyrnous Covvard ( 7286638 ) on Sunday November 22, 2020 @01:06PM (#60754316)

      Right to repair and security are opposing goals. Pick one.

      False dichotomy. "Secure code" is not synonymous with "signed code" and "identity management" does not automatically exclude the user.

      • It is very nice to have defect free software and therefore vulnerability free software, but that software does not exist.

        Secure code implies you know what code is executing and you trust its source. That is what cryptographic signatures give you. They confirm you are executing unmodified code, and the code comes from an authorized source. If you could self sign executables, then bad guys will self sign malware.

        There are lots of situations where not executing improperly signed code makes sense. It is a prima

        • If you mean unmodified code or signed code, say unmodified code or signed code. Secure code is not synonymous with either. You can design devices to let the owner sign code and make the device reject code that is not signed by the manufacturer or the owner.
    • by Dr. Tom ( 23206 )
      It is technically possible to allow end users to compile, encrypt, and even self-sign, etc., but if a user did that it'd void the warranty. Not allowing unsigned executables is a good thing on a network where my toaster can talk to my neighbor's phone. I should have the option to self-sign everything, of course.

      I'd never allow closed-source IoT devices in my house. (Just because it's open-source doesn't mean it won't be spying on you, but you really want that to be out in the open to start with.)
      • by guruevi ( 827432 )

        Many cheap Chinese devices are open source, since they run some variant of Linux and then the rest is literally a combination of Bash scripting and Python. Alternatively, for the really low-end devices, you get either ESP (if it needs WiFi) or Atmel chips which likewise is really easy to dump the ROM and get it back in readable format.

      • by cusco ( 717999 )

        And you're not only competent to read and analyze every bit of code on every device, but have the free time to do that? That's quite amazing, I've never met anyone IRL who did.

        Open Source is a religion with some people, it will cure every evil and provide perfect security. How many gigantic security holes have been found just in Linux only after a decade or more had passed?

    • Actually in the industrial world, a lot of customers want this as it is extra security.

      • Yes. The iOS and Android worlds also require or allow signed apps. Mac OS complains if apps aren't signed.

    • So what? Computer code running on hardware is subject only to breakage of the hardware. That means that unless fucked with (and hardware failure), as it works today so shall it work tomorrow, for all values of today. That means that if properly deployed there is no need to *ever* fart with it after commissioning other than to replace it lock stock and barrel.

      If the deployment requires continuous farting about for any reason other than hardware failure, then the deployment is defective in design.

  • If this was an Oil & Gas industry bill being written by the industry you would be going nuts right now.

    • If this was an Oil & gas industry bill being written by the industry, they would make it illegal to use solar.

  • and it will now move to the President's desk

    As we've seen, the con artist is too busy leeching off the taxpayers by playing his cheating game of golf at his failing golf club rather than doing his job. Just the other day he was supposed to be in a meeting with leaders from around the world but instead chose to ignore the meeting and waste more taxpayer money.

    In his four years, the con artist has golfed for nearly a year of time. Remember when he whined about Obama taking a day off now and then [independent.co.uk] to play gol

  • I wish they'd include a requirement that all IoT devices must offer their core base functionality over a standard protocol (i.e. MQTT), Independent of the provider's servers.
    • It does not matter if the protocol is "standard" so long as it is "documented". All "standard" protocols got that way because they were someone's "documented" protocol that became widely adopted because it was (a) simple and (b) worked.

      And yes, if it will not work on a completely private and isolated network (or without a network) then it is defective from the get go.

      By the way, MQTT is a badly designed protocol in the same way that OPC is a badly designed protocol. It is inherently insecure and unsecurab

  • by Dr. Tom ( 23206 )
    Of course all will hinge on the trademark. They need a logo like UL or Dolby or WiFi, something somebody would never consider buying a product without.
    • by guruevi ( 827432 )

      You can get certificate providers to print a logo like that in China, FCC, CE, UL certs costs like $300.

  • The bill does not include a definition.
    Would a smart white-board meet the definition?
    If a kindle show device meets the definition then why doesn't your average apple ipad? Is it because you have functionality when the device is not connected to the Internet? If that is the case is a Chromebook an IoT device(original devices were all on-line only)?
    • by marcle ( 1575627 )

      The bill does include a definition, in Section 2. I don't want to wade thru the legalese to figure out if your objection is justified.

      • According to Section 2 EVERYTHING which can act from/on the physical world is an IoT device. If a device receives input from or provides output to the physical world, it is an IoT device, whether or not the "Internet" is involved.

        The whole thing (Act) is useless drivel that will accomplish nothing.

  • President Trump will get zero credit for this when he signs it into law.

  • by Anonymous Coward
    Jimmy Bob Consumer will be looking for the cheapest thing to fill his immediate need. He wouldn't know whether it uses DNS or DOH, because he doesn't know what those things are, so he won't care whether or not it supports this new-fangled IoT Cybersecurity Act requirements.
  • by TechyImmigrant ( 175943 ) on Sunday November 22, 2020 @06:17PM (#60755082) Homepage Journal

    NIST's security specs and the associated certifications have worked to make patching as difficult as possible. You want to put out a security patch? That'll be $100,000 for a fresh 140-3 certification for the updated software, thank you very much.

    They might not be the right body to solve this problem, because they have failed to solve it for their existing spec for the 20 years it has been obvious that is needs solving.

  • For me a primary criterion is that the local internet of things and the data it uses and produces should be an internet of MY things with no forced "storage for convenience" on any other site on the Internet. Nor should they require data be transferred back and forth with any other site on the internet except in fully encryption transfers between sites I own.

    I want an IoMT not an IoGT or IoAT (for either big A) or even an Internet of Somebody Else's Things they are letting me use.

    {^_^}

Keep up the good work! But please don't ask me to help.

Working...