Former libertarian
Or what we adults call "growing up".
We all know the vast majority of Internet-of-Things devices haven’t anything more than a fig leaf for protection. Now the unlikeliest of folks are calling for rules to improve IoT security: libertarians. In a session today at the RSA infosec conference in San Francisco, Olaf Kolkman, the Internet Society’s chief internet …
Don't have a problem paying YOU for your book.
Paying an artist directly is perhaps more amenable to me than anything else.
The "Information is free" slogan was never really meant to stomp on artistry. It was, however, supposed to step around censorship and the entities that tried to capitalize on *others'* works.
This however gets massively complex when we're discussing, say, results from a scientific study done by a private university sponsored by government-provided funding.
It's an interesting debate.
"This however gets massively complex when we're discussing, say, results from a scientific study done by a private university sponsored by government-provided funding."
ESPECIALLY when the study was about sensitive stuff like potential dual-use biological agents, bringing up entirely-proper matters of sovereign security.
Not so much "missing the point" as completely misinterpreting the meaning of "libertarian".
The entire ethos behind libertarianism is proprietary rights, which is exactly why libertarians want a government they can "drown in the bathtub" every time it so much as looks at their money.
Libertarians don't especially want information, your ebook or anything else to be free. The only "liberty" they're interested in is their own freedom to exploit and hoard with a flagrant contempt for any social responsibility. It's "freedom" in the Al Capone sense, not in the hippie sense.
Free and open access to information is not and never has been a libertarian aspiration, or much to do with politics of any kind, it's an academic principle, for reasons that should be obvious.
Schneier is not trying to steal your ebook, he's calling for you to not publish it in the first place, whereas previously he would have said "publish and be damned".
So, as I said, it looks like he finally grew up and realised that social responsibility trumps irresponsible Freedumb®.
Just having an international organization, maybe the IEEE, come up with standards that allow manufacturers of IoT (Internet of Trash) to claim something like "IoT Security 1.0 compliant" on their devices would be a good first step. Maybe add a 3rd-party testing requirement for certification. I am sure the likes of TUV would love to add something like this to their testing services. This would quickly get some standards made by people with a clue into place that transcend borders.
"Auto regulations have saved countless lives and prevented countless injuries. "
Including mine. If that steel bar which you see at the bottom of lorries at the back wasn't there (I think thanks to a law mandating them) I would probably have been decapitated when I drove my car into the back of one. The car body would have carried on under the lorry while the top would have been sheared off taking my head with it.
I'm very very free market but some things are just necessary.
True libertarians would just say let Darwin sort them out and produce tougher humans.
That only works if they off themselves before they can reproduce. The other way round, you will select for human beings that grow up efficiently without parents and die after spawning, like octopodes.
"Including mine. If that steel bar which you see at the bottom of lorries at the back wasn't there (I think thanks to a law mandating them) I would probably have been decapitated when I drove my car into the back of one. The car body would have carried on under the lorry while the top would have been sheared off taking my head with it."
You mean the "Mansfield Bar". So called because that's exactly how Jayne Mansfield died, and prompted the addition of underride guards.
This discussion of car safety rules, especially the part about seat belts, makes me think of a referendum in Massachusetts in the late 80s. The question on the ballot was whether the recently-enacted state law mandating the use (by drivers and passengers) of seat belts should be repealed.
I always used one anyway, as did many of my fellow students, but many of them said they would vote(1) to repeal the law because it should be a matter for each person to choose.
(1) As a (legal) alien(2), I wasn't allowed to vote in the election, but I *would* have voted to repeal, for much the same reason.
(2) In 1981 I entered the US on a 90-day tourist visa. I stayed (legally) for almost nine years. I even got a green card, only to discover that it was slightly pink, and plastic-laminated, and not green at all.
And I had an interesting debate with my mother, who would have voted to keep the law. Her reasoning was by analogy to rules about having to have working brakes. The obvious flaw in that reasoning (obvious to me, anyway) is that rules about brakes are there to protect me from inadequate maintenance of *his* car, while seat belt laws are to force me to protect me from things *I* do.
So the car makers must include seat belts so I *can* protect myself, and they must be in good condition, sure. But don't *make* me use them. I'll use them anyway.
@Steve the Cynic, seat-belts protect you and the people in the car with you, and the people in the other cars. A crash that kills you or cripples you, because of what happened when you wore no belt, leaves a burden upon the state: your family, if you have one, or your medical care. A crash that kills or maims you can effectively destroy the life of the other driver. I know a Tube driver who completely went to pieces when a woman killed herself with his train. He had no chance of preventing it, and yet... She took her own life, and effectively his and his wife's, because one small 'individual choice' ripples out to the injury of many. Once you are in a car on a publicly-maintained road that you share with others, you have to accept rules made for the greater good of the greater number.
Try some facts rather than Koolaid.
"Drain on the state" if you're killed? How exactly?
Proven fact, drivers take more risks when wearing a seatbelt than not.
Proven fact, crash helmets have created more of a "drain on the state" as you so charmingly put it, by creating para/quadriplegics where they would be dead otherwise.
My bet is you also think smokers are a "drain on the NHS" despite the proven fact they pay more in taxes [and receive less in pensions, etc. due to shorter lives] than their NHS care costs.
But it's for your own good! FRO
Where the fuck do you get off telling other people how to live their lives? Mind your own business.
I don't need protecting thank you! I don't care what you do if it doesn't directly impact me so leave me to my beers and sausage breadcake in the morning and a few bowls full of baccy and find a hobby or something.
*I've only ever worn a seatbelt when a passenger in another's car, as I don't feel it's fair to them, as per your train driver example. Also survived a 50mph car crash without a seatbelt that demolished a lamp post before hitting an oak tree and I walked away, Paramedics advised I'd be dead had I been wearing one. And I don't like "bugs in m'teeth" so I'd wear a crash helmet *most* of the time, but it's ossum when you don't. If you haven't you'll probably never understand.
PS
Some illegal [and legal] drugs are also fun! Well they're ALL illegal now thanks to Frau May
""Drain on the state" if you're killed? How exactly?"
Three words: widows and orphans. AKA Wards of the State. If the breadwinner dies, you've got several additional mouths to feed, not to mention psychological issues attached to losing a key parent and so on.
Jesus, which century are you living in? "Widows and orphans": of course only men drive, and if anything happens to them the family will be in the workhouse. And women should be at home. FFS, non-argument.
BTW, 15-19 yo males are twice as likely to die as anyone else in road traffic accidents, accounting for nearly 28%. Sure, they're leaving lots of widows and orphans.
But we do have to *make* people use seatbelts. Most people who get in a car don't want to kill themselves. As a society we would rather people don't kill themselves accidentally (right?)
People are not reliable so we have to help them in the easiest, effective, and most obvious cases, of which I would argue this is one. Do you argue against wearing safety helmets on building sites too? (and, more relevantly, on motorcycles?)
"But we do have to *make* people use seatbelts. Most people who get in a car don't want to kill themselves. As a society we would rather people don't kill themselves accidentally (right?)"
Some would say it helps to control the population and raise awareness. IOW, it helps MAKE them reliable since they'll die otherwise.
Firstly, in response to pccobbler:
What has where you sit on the libertarian/authoritarian axis of the political compass got to do with where your thoughts lie on the communist/capitalist axis? https://www.politicalcompass.org/
Regarding the whole seatbelt thing, people have differing risk perception. The trouble with making things safer is that those who felt safe anyway will now behave in a riskier manner.
Put another way, how close would you drive to the car in front if you had a six-inch spike protruding from the center of your steering wheel?
@edge_e
Nice quiz. No wonder I generally dislike all candidates.
Oh, I'm thinking a six inch spike would be ill advised as it would likely pop the airbag.
Some level of regulation is needed. I suggest it's to regulate the market, not the development. Companies are free to develop whatever they like. But if they can't pass security testing they can't legally be sold in that market. If you buy it because it's cheap you know it's not even got minimal security.
That makes perfect sense, and it is also why it won't pass muster with President Orange Conspiracy Guy. So, in light of that here is the real solution I just stole from the DHS internal memo system:
"Okay, you assholes, here's the deal. We just pay "protection monies" to Russian "security companies" to monitor our systems and promise not to also hack into them, since they have the keys we just gave them anyway. AND, this is the great part, you guys, we also have them hack anyone trying to hack us! Okay, now give me a better idea... anyone, anyone? HA! Print that proposal out and ship it to the Orange House, STAT! Who's going to Chipotle for lunch?"
That totally just happened, you guys! :P
One of the code review comments I've written: "Please use computer science to solve this problem." The developer had put in a sleep() to solve a resource problem. (He also didn't know the difference between a function and a header macro.)
The problem with security is how hard is it to bypass it, and get to the target. Everybody wants something cheap, they want it now, and they want to plug it in and start using it.
We are faced with a paraphrase of what Donald Rumsfeld said, but in software security. There's always some weird crap happening, that some clever monkey has been able to figure out how to break the lock on the cage. ASLR has been broken by some clever JavaScript code. Who saw that one coming? And how about malicious code escaping from virtual machines?
There's a limit to what can be done. If you're one level above the end-user, then you can't do anything about the hardware in the CPU, or the code in the hypervisor. You can put down rules to keep a device from being accessed, but you can't do anything about the actual problem itself.
The manufacturer can do a certain number of things to "secure" the device, but even if they do their job, they still have to use code from someone else. How many IoT manufacturers write their own kernel?
The rules that should be in place are simple things, like requiring a good password the first time the device is used, and only offering additional services by manual configuration, not by default. For instance, if the device has a web UI, then require the consumer to log in via HTTPS, put in a good password, and then manually enable SNMP and SSH.
"The rules that should be in place are simple things." --Brian Miller
Agreed. In order, I think I'd like the following:
1. No default unauthenticated access
2. All devices of the same type to have different credentials
3. Devices must become open to user modification (i.e. rooting, re-flashing) when support ceases.
There's a few others ... I'd like companies that repeat the same old lazy mistakes to be punished, but I can't think of an objective measure that could be used.
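The two comments above (the first-use password, HTTPS-only web UI and opt-in SNMP/SSH in the earlier post, and the numbered "no default unauthenticated access / unique credentials per device" list in this one) describe checks that can be written down and run against a fleet inventory. The script below is an added illustration, not code from the thread or from any vendor: the device records, the weak-default list and the service names are constructed for the example, and the password-strength thresholds are the author's assumptions rather than anything the commenters specified.

```python
"""Added example: audit constructed IoT device configs against the rules
proposed in the thread (strong first-use password, HTTPS-only web UI,
optional services off unless the user enabled them, no credential shared
across devices). Not code from the original page; all data is made up."""
import hashlib
import re

# Constructed list of credentials commonly shipped as factory defaults (illustrative only).
WEAK_DEFAULTS = {"", "admin", "password", "12345", "123456", "root", "default"}

# Services that must stay off until the user turns them on (rule from the thread).
OPT_IN_SERVICES = {"snmp", "ssh", "telnet", "upnp"}


def password_ok(pw, min_len=12):
    """Assumed strength rule: not a known default, >= min_len chars,
    and drawn from at least three character classes."""
    if pw.lower() in WEAK_DEFAULTS or len(pw) < min_len:
        return False
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes >= 3


def check_device(dev):
    """Return the rule violations for one device record (empty list = clean)."""
    problems = []
    # Rule 1: no unauthenticated access, and the management UI is HTTPS only.
    if not dev.get("auth_required", False):
        problems.append("unauthenticated access enabled")
    if dev.get("web_ui_scheme") != "https":
        problems.append("web UI not served over HTTPS")
    # The factory password must have been replaced on first use, by a strong one.
    if not dev.get("password_changed_on_first_use", False):
        problems.append("factory password still in use")
    elif not password_ok(dev.get("password", "")):
        problems.append("weak password")
    # Opt-in services may only be running if the user explicitly enabled them.
    running = OPT_IN_SERVICES & set(dev.get("enabled_services", []))
    for svc in sorted(running):
        if svc not in dev.get("user_enabled_services", []):
            problems.append(svc + " enabled by default")
    return problems


def shared_credentials(devices):
    """Rule 2: group devices by credential so identical passwords across units
    stand out. Hashing means the report never carries plaintext."""
    by_hash = {}
    for d in devices:
        h = hashlib.sha256(d.get("password", "").encode()).hexdigest()
        by_hash.setdefault(h, []).append(d["id"])
    return {h: ids for h, ids in by_hash.items() if len(ids) > 1}


def audit(devices):
    """Per-device findings, including cross-device credential sharing."""
    report = {d["id"]: check_device(d) for d in devices}
    for ids in shared_credentials(devices).values():
        for dev_id in ids:
            others = ", ".join(x for x in ids if x != dev_id)
            report[dev_id].append("credential shared with " + others)
    return report


# Constructed sample fleet: one compliant camera, two that break the rules.
FLEET = [
    {"id": "cam-001", "auth_required": True, "web_ui_scheme": "https",
     "password_changed_on_first_use": True, "password": "Tr0ub4dor&3-xkcd",
     "enabled_services": ["https"], "user_enabled_services": []},
    {"id": "cam-002", "auth_required": True, "web_ui_scheme": "http",
     "password_changed_on_first_use": False, "password": "admin",
     "enabled_services": ["http", "telnet", "snmp"], "user_enabled_services": []},
    {"id": "cam-003", "auth_required": True, "web_ui_scheme": "https",
     "password_changed_on_first_use": False, "password": "admin",
     "enabled_services": ["https", "ssh"], "user_enabled_services": ["ssh"]},
]

if __name__ == "__main__":
    for dev_id, findings in audit(FLEET).items():
        print(dev_id, "OK" if not findings else "; ".join(findings))
```

Note that cam-003 has SSH running but is not flagged for it, because the record says the user enabled it; the rule in the thread is about defaults, not about which services exist. The shared-credential check is what catches the "all devices of the same type ship with the same password" problem that a per-device check cannot see.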
How about, give the user full and complete control over hardware they legally own and what software runs on it via the necessary documentation and access to modify it, otherwise no disclaimers or waivers of liabilities allowed?
It won't completely solve the problem. but it will at least stop people from being stuck with vulnerable products with no possibility of fixing them.
There are rather huge problems with that idea: you don't own software, you're licensed to use it.
There's little doubt that if such an idea were turned into law, you'd soon stop being able to own hardware, vendors would turn to long-term leases. Not a new idea, since here in France, even home phones were the property of the phone company until well into the 80s and even 90s, and closer to the IoT world, utilities meters still aren't owned, nor are the Internet appliances.
And technically, the border between hardware and software has become pretty damn elusive those days. There is, literally (meaning literally), no current bit of consumer electronics that would do anything if you removed *all* the software from it - and clearly, it would not allow you to install your own.
The good thing is that here, no contractual waiver of liability is legally possible - vendors are *always* responsible for damages caused by faulty consumer goods, no matter what they claim.
"require the consumer to log in via HTTPS, put in a good password, and then manually enable SNMP and SSH"
Reasonable requirements for 2017, but not so good to set in concrete legislation for the next 20+ years. Set down general principles in the law, and supplement with guidelines that can be updated more regularly.
That's part of the problem: current consumer electronics need software upgrades for the duration of their usable life, which is rather longer than what manufacturers provide right now.
I'd like them to be compelled to provide security *software* upgrades for 10 years, and to publish full source code if the company folds without being bought. Added bonus: if the software assets are bought, then the responsibility will go to the buyer, which would help discourage patent trolls from buying them for pennies at fire sales.
By now, that does not seem like a huge stretch.
The other approach is strict accountability. If your firm makes a device that causes financial damage, the firm must pay the damages. If a life is lost, the Board and Executives are criminally responsible and are sentenced to prison, or death if your nation does that kind of thing.
Aside from China, it won't happen as we know who puts money in legislative and regulators pockets. Even in China, you have to be pretty egregious to get to that point (e. g. baby formula). It could very well start here in California courtesy of our propositions.
Broken record time: my code was delivered secure with zero defects (bugs) because a prison cell in a Federal facility was in my future if it wasn't, and that was true of the people above me as well. Think about it.
In the UK Health and Safety at Work Act, the CEO is criminally responsible for a death relating to a breach.
In the licensing laws, the Pub firm, the Licensee and the server are responsible for breaches of serving regulations.
Similar stipulations can be written for IoT, if you write/package/compile bad code and it gets someone killed, you, the bloke who should have checked your work, and the man responsible for releasing it without the checks, are all liable.
Then the importer carries the burden. And it's up to them to have sufficient due diligence from the folk in China to get off for a genuine mistake, otherwise it's massive fines and/or chokey time.
It won't stop every crap device, but if it makes it very hard for Joe Public to buy a shitty insecure camera or video recorder, etc, because none of the shops or sellers like Amazon (who of course would be the importer in this case) then it's done its job.
"It won't stop every crap device, but if it makes it very hard for Joe Public to buy a shitty insecure camera or video recorder, etc, because none of the shops or sellers like Amazon (who of course would be the importer in this case) then it's done its job."
Unless, of course, Amazon isn't in your jurisdiction, either.
I think the point is you can't. The space around you, the space you live in and move through, is becoming IoTed and you have no way of stopping it happening. If that's happening then regulation is inevitable, but there is still the option to have bad regulation or good (realistically "less bad") regulation. Rather than a bury-my-head-in-the-sand approach, why not get involved and make sure your concerns are represented so that the regulation that we end up with is even less bad?
"The government can pass a law that will magically stop hacking and will remove all unknown unknowns?"
No, but they can pass laws to make sure companies can't just shrug their shoulders and say "not my problem" when their kit gets hacked.
"Let's face it, IoT will kill the internet. It was fun while it lasted, now it is time for the new generation to move on to the next thing."
The Internet won't be killed, but neither will it be the Wild West any more; governments are going to police some aspects of it and corporations will pay for private security within their own networks.
On the whole, the Internet will get a bit more expensive to cover the cost of "good enough" security. People will pay for security when they get enough pain from the effects of not having it, then individuals will do what they can afford to do - rich people will pay for network security services and poor people will be at the mercy of criminals, same as the physical world.
"corporations will pay for private security within their own networks."
Like I said, the internet is dead, long live private networks. Today the internet only works because nearly everything connected to it is based on a small number of regularly updated OSs. IoT will kill this. I've spent 10 years trying to sell security to IoT companies. Most end customers will not spend a penny for security and don't give a s**t about security and privacy (if they did you would not be reading this on your Android phone). The automobile comparison is a false one. It involves protection against known knowns, it is economically viable for devices that cost 15000+€ not 15€, and a country can control nearly all devices connected to its road network (try stopping a rogue IoT device in another country connecting to your country's network).
Libertarians are a fairly wide church. Most libertarians believe that the state should strongly support contract law, for instance.
False advertising laws are another reasonable thing to many libertarians. Regulations against devices that are sold with severe defects (e.g. IoT security) are a reasonable extension to this.
As somebody else pointed out above, if your IoT device is part of a botnet, that doesn't just affect you. It's similar to the difference between allowing people to own guns and allowing them to fire them blindly in public places.
Whereas I am coming to the opinion that what is needed is a small team of government funded hackers to bork all consumer products that fail to secure their nettyness, along with shills to talk up those brands on teh intarwebs making a serious commitment to proper IoTat securage.
Reasoning: If someone buys a baby alarm and babycam that is insecure, they will most likely not know and not care when told. If the said device breaks down they will buy another. After the third breakdown they will buy a better brand and one-star the offender on Amazon. When they come to buying a better brand, there will be an undercurrent of opinion planted out there to guide their uneducated selection.
Yes it is sinister and has serious flaws. But we already lost DNS to the lightbulb and babycam army once. How about we get fucking serious about changing the cheap-and-careless culture before something extremely inconvenient is perpetrated.
"Yes it is sinister and has serious flaws. But we already lost DNS to the lightbulb and babycam army once. How about we get fucking serious about changing the cheap-and-careless culture before something extremely inconvenient is perpetrated."
Because the ONLY way they'll learn is by something extremely inconvenient...if not deadly. The easiest way to shock a culture into changing is through a crisis.