Thanks, IoT vendors: your slack attitude will get regulators moving

Last Friday's Mirai botnet attack against Dyn must force everybody's hands – vendors, regulators, and Internet infrastructure operators. It's going to be a while before research gets as far as attribution to an attacker, but in the meantime, there's plenty of culpability to go around. Two things are clear, however: the …

  1. Trevor_Pott Gold badge

    National regulation won't do a damned thing.

    National regulation won't do a damned thing. International regulation is required.

    The problem is, political negotiations get caught up in corruption. There is a very clear goal here, with a defined problem: define security and update standards for devices, as well as labeling, punitive measures and enforcement for networked devices.

    Unfortunately, if the politicians are to be relied upon, they'll end up pissing away a decade trying to fight off the Americans' attempt to extend copyright and patents as part of the treaty, the Europeans' attempts to get a bunch more common goods renamed so that only those coming from a particular region can use the common name, and $deity only knows what India and China will try to worm in. I'm pretty sure Russia would just try to torpedo the whole thing for funsies.

    Sadly, standards bodies are equally ineffectual in these circumstances. It took how long to agree on 802.11n?

    TL;DR: This is why we can't have nice things.

    1. Ole Juul

      Re: National regulation won't do a damned thing.

      Problem is these "nice things" are interfering with normal things. Perhaps some day we'll evolve to where bling is not considered cool.

      1. Elmer Phud

        Re: National regulation won't do a damned thing.

        Nice things become normal things

      2. bombastic bob Silver badge
        Unhappy

        Re: National regulation won't do a damned thing.

        sadly, "more regulations" won't do ANYTHING except

        a) get in the way of new 'little guy' development projects [consider FCC and CE and other things that require expensive certification]. 'small business' killer.

        b) complicate the process, ensuring that L[aw]YERS get all the money.

        There are ALREADY liability laws in the USA. Perhaps they require a bit of tweaking, but if it can be shown (in a *cough* class-action lawsuit) that the IoT vendors were NEGLIGENT with respect to security and WELL KNOWN types of exploits, we'll get some REAL action.

        Sadly again, more L[aw]YERS will be enriched in the process. Dammit.

        Simultaneously, it's time to LIGHT A FIRE under the asses of any industry-based organizations [like the ones mentioned in the article] to do something *BESIDES* going "harumph, harumph, our asses are on the line, we gotta look like we're doing something, harumph harumph" "I didn't get a harumph out of you!" "... harumph" "you watch your ass!" [my recollection of the 'harumph' scene involving 'Gov Le Petomaine' (Mel Brooks) in 'Blazing Saddles']

        1. Charles 9 Silver badge

          Re: National regulation won't do a damned thing.

          "There are ALREADY liability laws in the USA. Perhaps they require a bit of tweeking, but if it can be shown (in a *cough* class-action lawsuit) that the IoT vendors were NEGLIGENT with respect to security and WELL KNOWN types of exploits, we'll get some REAL action."

          Except when it gets INTERNATIONAL. How can American laws get Chinese companies to comply when a lot of them are coming through grey markets that are by design nearly impossible to regulate? And you can't go to the manufacturers because they're in another country: protected by that country's sovereignty.

          1. bombastic bob Silver badge
            Devil

            Re: National regulation won't do a damned thing.

            "How can American laws get Chinese companies to comply when a lot of them are coming through grey markets that are by design nearly impossible to regulate"

            Somehow the Feds are managing to enforce copyright law and FCC regs, grey market or not. I figure it could be similar. And having such regulations violated by 'grey market' items is probably MORE likely if the gummint regs are somehow prohibitive for those who MUST obey them...

            /me considers something about enforcing borders, U.S. Customs, and a wall

      3. Anonymous Coward

        Re: National regulation won't do a damned thing.

        > Perhaps some day we'll evolve to where bling is not considered cool.

        Perhaps, but that's not the way to bet it.

    2. LDS Silver badge

      Re: National regulation won't do a damned thing.

      If just a few big, rich states move, the others will be forced to follow. If the US or the EU set regulations, they are too rich markets to stay away from with non-compliant products.

      Most safety initiatives and regulations in the past started as national ones. While standards and their harmonization are good, there's really no time to waste when safety is at risk.

      The real issue is generic media and politicians don't understand the thing. Today, in one of the main Italian newspapers ("Corriere della Sera"), their "tech journalist" naively wrote "it's impossible to secure the universe of Internet of Things" - and this is what most people probably believe.

      Companies won't care about safety and security unless forced. We've seen it already in many different sectors, from automotive to pharma, from food to electric devices. It's a cost that impacts "shareholder value", and too many still think they have to maximize it even if it means big risks.

      Fees may not be enough. It could still be cheaper to pay a fee when caught, than develop and make safe and secure products.

      1. Charles 9 Silver badge

        Re: National regulation won't do a damned thing.

        "If just a few big, rich states move, the other will be forced to follow. It the US or the EU set regulations, they are too rich markets to stay away from with non-compliant products."

        But China has pressure it can apply, too, and it's on the OTHER side of the line. Think Prohibition when smuggling became such a lucrative game. What's to stop China finding ways to go AROUND any regulation you can whip up, hiding behind their own sovereignty (and their nukes)?

      2. allthecoolshortnamesweretaken

        Re: National regulation won't do a damned thing.

        "Today, in one of the main Italian newspapers ("Corriere della Sera"), their "tech journalist" naively wrote "it's impossible to secure the universe of Internet of Things" - and this is what most people probably believe."

        Of course, securing the 'Universe of IoT'* would be technically possible - if [insert long, long list of conditions - technical, regulatory, legal, economical; a lot of them of the 'ain't gonna happen' variety] would actually come to pass.

        On the day all IoT devices are reasonably "safe", my self-driving, fusion-powered car will take me to my paperless office.

        * Catchy term, BTW.

  2. AnoniMouse

    Après nous le déluge

    Creating IoT security groupings is a sure sign that the tech industry has missed the point.

    Billions of Things will be produced by anonymous vendors who have no interest in IoT security and bought as cheap consumer tat by non-techies who have no consciousness of IoT security.

    1. tfewster Silver badge

      Re: Après nous le déluge

      What we need is for CE marking to be extended to cover IoT security; the framework is there, and it's probably not a huge stretch to extend the Telecomms regulations to cover it.

      No CE mark = no sale in most of the world

      1. Dan 55 Silver badge

        Re: Après nous le déluge

        CE is self certification, i.e. useless.

        1. bombastic bob Silver badge

          Re: Après nous le déluge

          certain aspects of CE, i.e. lead-free, require that a lab analyze a ground-up device for the presence of certain materials like lead and selenium. FCC regs in the USA are a bit less restrictive, but you still have emissions and interference testing that you have to have done by a lab, for $$$$ [which helps weed out 'the little guy']. Obviously SOME of these regulations are necessary, as we can't have every poorly designed device in existence interfering with wireless reception [from AM radio to wifi], but at the same time it's a stumbling block for legit engineers to overcome.

          That being said, there _IS_ some self-certification involved. In the USA the FCC fines can be incredibly expensive, a million dollars a day in at least one case I remember reading about. I'm not sure how you'd collect it on a foreign company, except maybe to confiscate anything they sell at the border.

      2. Stoneshop Silver badge
        Mushroom

        Re: Après nous le déluge

        What we need is for CE marking to be extended to cover IoT security

        Nope. We need a second UL mark, or to disambiguate, the UL-6FU mark. Which will stand not for Underwriters Lab but for Undertaker's Lab, with the remit to FSCKING BURY any vendor (and their products) that don't conform to the security standards set by a panel of international security experts.

        1. Charles 9 Silver badge

          Re: Après nous le déluge

          "Which will stand not for Underwriters Lab but for Undertaker's Lab, with the remit to FSCKING BURY any vendor (and their products) that don't conform to the security standards set by a panel of international security experts."

          Question: How do you bury a country with more people than any other, nukes, and a not-so-nice attitude toward you?

          1. Anonymous Coward

            Re: Après nous le déluge

            "Cyber UL" is FAIL. IoT devices will be under constant attack by hackers exploiting vulnerabilities largely unknown to the incompetent "experts" when they certify the devices "cyber safe". The regular old "fire safety UL" does not actually prevent fires, it just extorts money from manufacturers. Manufacturers' real incentive to ensure their products are actually safe is that, unlike botnet IoT attacks, it's obvious when their products regularly catch fire, and with a few exceptions like Samsung, they really don't want their products branded "Death Note 7" and such.

            The only silver lining of a Cyber UL mandate is that it will DESTROY the stupid IoT industry. But the risk of collateral damage to useful hardware makers is too great.

          2. Stoneshop Silver badge
            Holmes

            Re: Après nous le déluge

            Question: How do you bury a country with more people than any other, nukes, and a not-so-nice attitude toward you?

            You keep blabbing about China having nukes.

            However, "Keep buying our shit or we'll turn you into a barren radioactive wasteland" does appear to be somewhat self-defeating as a strategy, because in order to keep a particular export market you have to actually HAVE that export market..

            1. Charles 9 Silver badge

              Re: Après nous le déluge

              "However, "Keep buying our shit or we'll turn you into a barren radioactive wasteland" does appear to be somewhat self-defeating as a strategy, because in order to keep a particular export market you have to actually HAVE that export market.."

              China has nearly two billion people. They could turn INWARD if they wanted to. Plus they have an Eastern attitude towards warfare. Look how fiercely the Japanese fought in World War II, and how many Chinese swarmed in battles in the Korean War. This is an attitude that could well see everyone losing (MAD) as a winning condition.

      3. Elmer Phud

        Re: Après nous le déluge

        CE labels don't cost much to buy . . .

  3. Tony S

    "Mirai botnet attack against Dyn must force everybody's hands – vendors, regulators, and Internet infrastructure operators."

    You'd think so, wouldn't you. But in reality, it won't do a damned thing.

    The only time that anything will change is when it hits the decision makers in their pockets. Then they will do the absolute minimum necessary to address the identified issues; and no doubt, at a later stage, they will get hacked again. Rinse and repeat.

    1. Charles 9 Silver badge

      "The only time that anything will change is when it hits the decision makers in their pockets. Then they will do the absolute minimum necessary to address the identified issues; and no doubt, at a later stage, they will get hacked again. Rinse and repeat."

      Or when it KILLS someone (or demonstrably proves it WILL do so) outside of its purpose. And I mean DIRECTLY. Why was the Edsel pulled? Because a rear-ender could set it ablaze, killing the people inside. Why can't we have lawn darts? Because one ended up in an innocent kid's head. If the squelching of most the Internet results in significant or shocking death, then the lawmakers will HAVE to pay attention because it'll become an election point (meaning if they don't pay attention, they'll be replaced by people who will).

      1. Wzrd1

        The Edsel failed due to reliability problems, a recession and its flat-out weird look.

        You're thinking of the Pinto, the model that was infamous for bursting into flame when rear-ended, being my wife's very first car. It was never "pulled".

        As for regulation because it killed people, yeah, that'll work in today's US, where ten million in campaign contributions makes everything all better.

        1. Charles 9 Silver badge

          "You're thinking of the Pinto, the model that was infamous for bursting into flame when rear ended being my wife's very first car. It was never "pulled".

          Um...does the term "recall" ring a bell? That's the formal term for pulling a product, either to fix it or to destroy it. There's still the matter of the lawn darts.

          As for campaign contributions, death, especially unexpected death, is expensive to a company. That's why they take it seriously. No amount of campaign contributions will help if a bereaved (and possibly famous) family decides to sue you for bookoo bucks for negligence, wrongful death, and so on. Remember, juries are from the populace and judges are tough to bribe. And we're not even starting on the media circus that could easily ensue. No amount of bribing seems to have helped Volkswagen or Toyota (and note, the latter has a strong American presence, so that's saying something). Burning batteries on an airliner left Boeing with a lighter pocket and a lot of egg on its face.

          1. Anonymous Coward

            Casualty risks

            I'm still driving around with a recalled airbag because there are hundreds of millions that need to be replaced. There have been tens of deaths, hundreds of injuries. My risk of death is about 1 in a million - while driving, an inherently dangerous activity. I'm not too worried. The magnitude of the problem is ridiculous, but the danger has been overhyped.

            Currently I'd estimate the casualty risk from DDoS attacks as being somewhat less, perhaps contributing indirectly to a few deaths, i.e. vastly overhyped.

            The greater risk is that we'll become so dependent on network technology that future attacks (or plain old failures) will cause famine, anarchy, the collapse of civilization. If these attacks succeed in preventing that future, the hackers will have saved billions of lives.

          2. Anonymous Coward

            Recall means nothing, see airbag recall

            Recall means little. Millions of air bags are defective and some have already started killing people. Lucky for us some governments in some areas have recalled some of the air bags, and the companies have up to 20yrs to replace them.

            But if we made companies killing people as expensive as it is for people killing people, huge wrongful death costs, jail time for all board members and management... well, you might be on to something there, except considerable bribing by major companies has shown we are far from that being effective. Volkswagen, Toyota and others are still in business making lots of money for lots of people, in particular board members.

    2. Wzrd1

      "The only time that anything will change is when it hits the decision makers in their pockets."

      Not always. We had a breach in our company network, interest was finally taken when financial servers were breached and a series of Sarbanes-Oxley audits ensued. With the CEO facing potential criminal prosecution, the breach was finally terminated.

      During the post mortem, it was learned that the breach was all of five years in length and started in a computer lab in Canada via a forgotten test server on the DMZ.

      That resulted in a massive inventory being taken...

      Now, here's the million dollar question: Whyinhell does a baby monitor, home security camera or fridge need to be on a DMZ? I'll not even go into routers with standardized username/password combinations.

      Both of which were at the heart of this entire debacle.

      1. Long John Brass Silver badge

        Now, here's the million dollar question: Whyinhell does a baby monitor, home security camera or fridge need to be on a DMZ? I'll not even go into routers with standardized username/password combinations.

        Becuz cloud bruv. Its good innit. Its got wot plantz crave. Cus electrolytes intarwebs

        *sigh*

  4. Anonymous South African Coward Silver badge
    Coat

    Nothing will change, except some daft bugger proposes that ISPs be held responsible for traffic from their networks.

    Mine's the one with the IoT-free internet in the pocket.

  5. Chris Stephens
    Mushroom

    EVERY SINGLE SOFTWARE THING YOU OWN OR AROUND YOU NOW HAS _SERIOUS_ BUGS. It's NORMAL NOW.. *W * T * F *... Since no one seems able to write code that works, and it's worse every day, it's WELL PAST TIME TO REGULATE THE SOFTWARE INDUSTRY. BUGS ARE KILLING PEOPLE NOW. It's costing the world a trillion a year in lost productivity for crappy code and horrendous GUIs. Let's make it mandatory that software WORK. We have standards for things that plug into power, let's have standards for things that plug into network ports. FURTHER. Let's have standards for SOFTWARE. Let's >> REMOVE THEIR ESCAPE FROM LIABILITY WITH 50 PAGE DISCLAIMERS <<.. Let's simply allow lawsuits. That should do it. WRITE CODE THAT WORKS OR BE SUED.. Sounds perfect. IT'S WAY PAST TIME FOR THIS..

    1. Elmer Phud

      I blame the chemtrails

    2. David Roberts
      Facepalm

      Write software that works OR be sued?

      ISTM that someone has written software that works well enough to take out DNS over a large area.

      So they are in the clear, then?

      Oh, you probably need to make consumer access to compilers and interpreters illegal as well, and ban the sale of small development platforms like the Raspberry Pi.

      1. bombastic bob Silver badge
        Devil

        Re: Write software that works OR be sued?

        (re: making compilers and small dev platforms illegal, snark snark)

        obviously don't want to go THERE either [snarkiness appreciated]. making it hard for independent developers is like removing guns from the hands of honest citizens: it does NOT stop crime [whereas, it could be shown, that people who CAN write software are perhaps MORE security-conscious about their IoT stuff]. Anyway, typical 'merkin '2nd amendment' argument may apply here.

        But that's kinda what regulations do, right? They make it so you have to be "one of the big boys" to play in the park, forcing you to comply with so many requirements that you can no longer play.

        And, MOST (decent) jobs are created by SMALL businesses here in the USA... [it's what I do, engineering work, for those small businesses]

    3. Tom Wood

      Time, cost, quality

      As with most things, this is the classic trade-off.

      Funnily enough industries such as aviation and nuclear spend a lot more money to find and fix bugs in their software than do people developing consumer grade software (desktop and mobile OSs, TVs, set top boxes etc). Consumers demand quickly-developed, latest and greatest software and it is neither possible nor necessary to deliver your mobile OS to the same standards of quality as you would the control software for a nuclear reactor. If you wanted your mobile phone to be as reliable as a warplane then (1) it would take decades to develop and (2) you wouldn't be able to afford it.

      The same is true for other things, your house was not built to the same quality standards as the Channel Tunnel was because of the typical trade-off between time, cost and quality and the impact of failure. Software is no different.

      And the IoT devices involved in this attack were bargain basement models made as quickly and cheaply as possible, therefore it comes as no surprise that the quality of their software is rock bottom (at least when it comes to security).

      1. Charles 9 Silver badge

        Re: Time, cost, quality

        "Funnily enough industries such as aviation and nuclear spend a lot more money to find and fix bugs in their software"

        Because planes falling out of the sky and an exploding plant in the Ukraine have directly killed people. Killing people tends to put the strongest focus on you. That's why the Edsel was pulled, why lawn darts are banned, and so on. When has the IoT directly and demonstrably KILLED people?

        1. Wzrd1

          Re: Time, cost, quality

          The Edsel was never pulled; it sold so poorly, due to a number of issues, from a poor economy through to it being unreliable, that it was shifted over to Lincoln-Mercury, where it did sell under the Comet model name.

          Hell, the infamous flame mobile Pinto was never pulled either, one of the worst models was my wife's very first car.

          The IoT very nearly got someone killed, someone woke me up to complain that Netflix was broken and I was sleeping, as I was on midnight shift. ;)

    4. Wzrd1

      Ah, RaNdOm capitalization, ever so useful. After all, volume proves one's point, rather than logic.

      OK, I'll bite. How do I sue Foscam in China from the United States?

      Hell, who died because DNS failed? They have a stroke because Netflix didn't resolve? Amazon withdrawal?

      50 page disclaimers? WTF are you smoking? Get rid of mandatory arbitration is what you really should have said.

      How about you try two things.

      1: Get a clue about what you're going on about.

      2: Figure out how to make a clear and concise statement about what you just got a clue about.

      It is far better to remain silent and be thought a fool than to open one's mouth and remove all doubt.

      1. Chris Stephens
        Mushroom

        You must write this crappy code all around us

        I am an installer of super high end AV gear and automation. $10M single rooms and completely automated houses. Over the last 5 years firmware bugs and just terrible code has become my #1 issue and typically now costs me most of my profits trying to find work-arounds for embedded bugs a mfgr won't ever fix. EVERY device in ALL my clients' homes now has a serious show-stopping bug. 5 years ago there were none. It's epidemic and going logarithmic in its curve. In consumer electronics it's completely out of control. It's costing people like me HUGE amounts of money. This latest DDoS mess is sure NO SURPRISE to me. The crap in consumer electronics is so horrid and 1/8 baked it's damn near criminal. As far as poorly written software killing people, look no further than Tesla. This DDoS cost the world how much in money? Just this one single stupid software decision? And it's only the beginning. It used to be that SOME attempt was made to debug software before it shipped. Now it's more like Alpha code. I ran into a company that makes $50,000 DACs that was using MAC addresses for network communications and could not understand why it could not communicate thru a switch.

        Software needs to be treated like a hardware product legally. It's that simple. Why we ever allowed them to escape this liability is just beyond me.

        What I'm discussing is the future. It's just a matter of time. As the story very clearly points out, the industry can't regulate itself. It never has. It's been on a path of getting far far worse in the last 5 years. It's out of control for CE with profit the only thing that counts. Does it need to be NASA level? No. But we are a LONG LONG way from where we need to be. I would argue it's not THAT hard to make software NASA level reliable. We need to hire WAY MORE programmers. Whole industries need to appear that check code. YES it will be more expensive.

        EVERY ONE OF YOU has beaten your head in complete frustration, and may be right now, over some horribly obvious just terrible code. Let's all stand up and fix this. If we all just throw up our hands and say nothing and use lower case, NOTHING WILL GET DONE...

        1. Charles 9 Silver badge

          Re: You must write this crappy code all around us

          "Software needs to be treated like a hardware product legally. It's that simple. Why we ever allowed them to escape this liability is just beyond me."

          Simple. China happened. How do you force a country like China to cooperate when it doesn't have to? They're sovereign, after all, with nearly two billion people all by itself.

    5. Sloth77

      Yes, every piece of software has bugs. But not every piece of software is directly accessible from the Internet. And a "horrendous UI" is not a security issue (normally).

    6. bombastic bob Silver badge
      Happy

      "WRITE CODE THAT WORKS OR BE SUED"

      heh, we'll start with Microshaft and Win-10-nic

  6. Drew 11

    We're on the road to DNSSEC

    "It's no surprise, though: another key measure to secure the DNS, DNSSec, was first written in 1997 and after nearly 20 years has gone nearly nowhere."

    The #1 Registrar in New Zealand, 1stDomains, doesn't offer DNSSEC capability. That is despite their claim to offer "the most advanced domain name management tools available".

    When asked (last month) when they would get with the program, the answer was "Unfortunately, we do not have any plans to provide support for DNSSEC at present. Again, we apologise for any inconvenience this may cause for you."

    So that's the kind of stupidity we're up against.

    Perhaps if TLD Registries offered a small registration rebate on each domain that had DNSSEC enabled, things might change?

  7. Catalyst4Change

    Well said - and here's a bit more too

    Can't argue with much of what this article says especially:

    "Operators who have known how to fix the DNS, and IoT vendors who don't care about security, are both inviting the heavy hand of regulation"

    Few want regulation as it may stifle innovation, yet blatant disregard for the most basic of security features is simply reckless. And we're seeing a great deal of reckless behaviour from manufacturers who will bolt connectivity in without a second thought for the consequences right now (beyond more profit, that is)... others may be just ignorant of the implications (i.e. not reckless, just unaware).

    The implications of a hyper-connected world are profound - international effort is needed (as said by other user comments). However, a large part of that effort needs to be behavioural on the supply side and awareness on the demand side. We cannot expect everybody to become security experts - it needs to be baked in (enforced in some domains) and awareness of security in the digital age needs to become mainstream education (without all the technical details).

    As a classically trained electronics engineer, I see a world of impedance when it comes to making the necessary changes... we need to lower that impedance if we want to make change more rapid than international legal and cultural systems work. This is part of the challenge and why it is hard to make rapid change (complexity and cost are two more). We can all share the author's frustration as to the speed at which change is happening but hey, this is the real world and, with respect, rather than naively lambasting effort to drive change it might be better to encourage effort to change it. Don't throw the baby out with the bathwater.

    The good news is that there is an increasing number of people and organisations who are motivated to make change happen and actually doing something. For disclosure purposes, I declare that I work with the IoT Security Foundation (thanks for the mention) and, as noted, we will be making announcements soon - we're just into 3rd party review stage of our framework and guidelines on consumer/home products which will be both free and consumable.

    We also commend the efforts of our associates - those at the Online Trust Alliance, those at the Industrial Internet Consortium, those at the GSMA and the Cloud Security Alliance to name but a few. Making global change is not easy but we're working on it (as fast as we sensibly can and the world can absorb).

    I will stop there but to conclude - there's a lot of bad actors out there - us good guys need to stick together, see the problems and fix them as they come along. And they'll keep coming as security is a moveable feast.

  8. Steve Davies 3 Silver badge

    with Crimble coming

    lots and lots of totally insecure IoT tat will be bought. The problem we saw last week will be the first of many bigger attacks.

    May I humbly suggest that all readers and commentards of this esteemed forum take it upon themselves to give guidance to their families so that they don't buy the wrong sort of IoT tat.

    Don't forget to apply a suitable dose of arse kicking when they get pwned by the malware because they don't follow your advice.

    Or even go beyond that and get your nearest and dearest to not buy the TAT in the first place.

    IMHO, the sooner the Class Action suits against the importers of knowingly insecure IoT tat are started the better but that won't happen before we lose the internet for days at a time.

    I'm sure the DDOS generators are gearing up for the times of peak use and/or times when, say, the IRS or HMRC are getting most traffic from people filing their tax returns; an attack would be big news.

    Try getting round the £100 fine for late filing with 'sorry, the DDOS attack stopped me from filing my return'.

    Perhaps then and only then will governments and the rest take notice and start to realise how serious this is.

    1. Dan 55 Silver badge
      Holmes

      Re: with Crimble coming

      "the wrong sort of IoT tat"

      Is there a right sort?

    2. Wzrd1

      Re: with Crimble coming

      Bleh, other than routers, none of that crap should be on the DMZ.

      If it's inside of the DMZ, the big, bad intertubes can't reach them.

  9. John Smith 19 Gold badge
    Unhappy

    Playing Devils Advocate for a moment.

    Why are BCP 38 and DNSSec not being implemented?

    I'm serious.

    Does it need all ISP/DNS operators to go together?

    Is the software too complicated to do the upgrade easily?

    Is it because no one asks for it so suppliers don't see the point?

    1. EnviableOne Silver badge
      Flame

      Re: Playing Devils Advocate for a moment.

      Cost Benefit analysis:-

      Costs:- makes stuff harder to do, costs money, needs agreement

      Benefit:- Slightly more secure

      the only way it will change is if it costs them when it goes wrong or they can't sell until they do it right. so until either US or EU put regs in place or everyone starts buying based on security ....

      1. Charles 9 Silver badge

        Re: Playing Devil's Advocate for a moment.

        Even if the regs are put in place, the grey market will just expand to go around it since the devices are too small to police. It's like trying to insist on an Internet license: how do you police what people do within their own homes?

        As for security first, that only applies when security is the actual industry. Everywhere else, productivity trumps security; who cares about security when the job doesn't get done?

        1. Anonymous Coward
          Anonymous Coward

          Re: Playing Devil's Advocate, who cares

          "who cares about security when the job doesn't get done?"

          Excellent point, and one we have all experienced. When changing our environmental laws to prevent the dumping of hazardous waste into our environment, companies said the same thing.

          Who cares about the environment and worker rights when it means the jobs won't exist?

          Turns out when we couldn't breathe the air and knew family that died of workplace diseases, we cared. When we saw the rivers empty of fish and catch fire, we cared. Everyone cared, and back then we had a government that listened to the people, and they brought in laws to protect the environment.

          And for our punishment, business bought our politicians and got our countries to sign trade deals that saw our environmentally sound jobs shipped to countries with no concern for the environment and even less for people.

          Who cares? We do!

          Now if only we could afford to buy our governments as businesses have then we could and would do something about that caring.

  10. bombastic bob Silver badge
    Devil

    Why are there so many mostly slow-moving IoT security gatherings?

    they're too busy justifying themselves with eternal meetings, "harumph harumph harumph" outrage, and the typical things that grind committee-based solutions to a 'monolithic' halt.

    they need flames applied to their collective asses, for sure. But I don't think that gummint regulatory bodies are the solution. The only one that makes sense is a class-action lawsuit on behalf of the technology owners and the victims of the DDoS, if some kind of NEGLIGENCE can be proved.

    As I mentioned earlier, the *kinds* of exploits that are involved are well known: hard-coded user/passwords or NONE! AT! ALL! listening on insecure ports (like telnet). Convenience for their firmware engineers is NO excuse for ALLOWING that kind of non-security in a modern intarweb-connected society, SPECIFICALLY if the devices were INTENDED to be "exposed to 'teh intarwebs'" in the FIRST place.

    "A reasonable person" would recognize the possibility that these devices COULD be compromised. I've seen several 'El Reg' articles regarding this [making fun of web connected light bulbs with no security, for example] so it hasn't happened in the shadows. It's been IN THEIR FACES for a while.

    So NEGLIGENCE, In My Bombastic Opinion. I'd much rather see the courts fix this than the legislatures. Politicians can cluster-*BLANK* just about anything into 'worse than the problem', given the chance. I don't want to give them that chance.

  11. Chris Stephens

    https://en.wikipedia.org/wiki/List_of_software_bugs

  12. cantankerous swineherd Silver badge

    end of the internet not the end of the world. time to invent a new mass communication medium, the internet is borked.

    1. Charles 9 Silver badge

      But what can you make in its place? Another Internet that'll just get as swamped as the current one? Or a Stateful Internet with no privacy? Hello. Police State.

      1. bombastic bob Silver badge
        Trollface

        the 'next internet' would most likely have all of the censorship that China and Saudi Arabia want, built-in. And the tracking the NSA wants. And ads, ads, ads, ads, ads, everywhere, in our faces, click-through and worse. And it would take over a decade to "plan", with an organization bigger than the U.N. and just as worthless.

        I prefer the anarchy of what we've got, thanks.

Biting the hand that feeds IT © 1998–2020