Teach citizens IoT dangers, engineering students cybersecurity, Uncle Sam suggests

Kudos to US Govt Inc.. BUT

You'd never guess any of this concern from the CES show this year, WTF?

The pollyannic coverage on the BBC alone, was pretty hard to understand!

The MSM is blind: LG's robot clusterfuck alone is a screaming warning sign!

The whole IoT & Smart 'Reality Distortion Field' of Tech is just plain nuts???

Whereas 'IoT reality' and VTech's recent fine? That hardly gets mentioned!

This is the same US govt

That on the same day, also in the name of security, they demanded that a backdoor to everyone's phone be given to 1000s of law enforcement agencies ?

Make the producers liable

I know that the USG has this thing about not telling business what it must do and setting sensible requirements stifling innovation, but surely they could legislate for minimum standards to fix defects and automatically update devices for (say) 10 years, and make manufacturers/retailers liable for damages if they don't? Once a few well known names had been sued into oblivion we might see security being taken a bit more seriously.

Dangers of 'Always On'

Children need to learn from an early age the disadvantages as well as the advantages of devices that are connected to the Internet.

They need to learn that these devices are being watched, monitored and recorded by organisations [1] known and unknown and that these organisations are operating for their benefit and not for yours.

Further they need to learn the analogy that an Internet connection is akin to leaving a window open in your house. The longer it is open — and especially when it is left permanently open — the greater the likelihood that someone will come in through it.

[1] God damn it, El Reg, 'organisation' is a valid spelling in English. Either fix your spell-checker or turn it off. These red-wavy lines are annoying.

Incidental firewalls

NAT tools act as an incidental firewall, preventing devices in the home from being directly reached by the sort of mass-scanning tools that spread malware and lead to widespread infection.

The logical answer would be to convert all those "incidental firewalls" into actual firewalls. Sadly, ISP-provided consumer routers have historically been prototypical of IoT security incompetence.

FDA of IoT

I can see this going in several directions, if in fact it goes anywhere at all. One of those would be the creation of a new bureaucratic money pit using the Food and Drug Administration model. The best result of that being the system will still have the occasional bout of digital food poisoning or the worst being that security updates cost as much a cancer treatments.

IPv6 Too Big to Scan?

Isn't the issue with IPv6 that with dedicated address spaces, it will be easier to guess the addresses for certain organizations or manufacturers? Doesn't matter that the IP space is 128 bits if the first 96 bits are always the same for something you're trying to attack.

FAIL

So even the government doesn’t realize that you can firewall IPv6 without having to use NAT?

One request

Could any legislation mandating automatic mandatory updates also include a prohibition of extraneous changes whose purpose is solely to the detriment of the user and benefit of the vendor?

Of course legislatures are pretty good at ignoring their own rules (if any) about "No unrelated riders on must-pass laws", so if the regulated firms "do as government do, not as they say", we are in for bruising time.

Good idea, but...

... thanks to Millennial fashion, it's no longer possible to tell who's a citizen and who's an engineering student.

20 minutes I'll never get back

This report is another example of taxpayer funds wasted. This is a snowflake report written by individuals who apparently believe each corporate community should follow best practices and create common standards.

I believe this sort of thing has been in just about every OMB information security report since 1999.

More so... it addresses the obvious without any mention of risk assessment.

Get a clue guys. Every company with a network pulse would love to have a common guideline to go with and purchase the latest/greatest technology. Here is the problem... 1: This is the USA. You can't force a business to do something without creating law. Since companies own politicians... good luck with this. 2: Pocketbooks aren't unlimited. 3: While corporations have been held accountable, the penalties and punitive damages haven't been costly enough to change risk assessments yet. Target, Google, etc... has just been slapped on the wrist while consumers pay huge costs.

Start chanting accountability and punitive damages along with large legal suit dollars and you just might begin to make traction. Until consumers can overcome political greed from corporate contributions, you will not see a lot of change.

Here's an idea

Teach router manufacturers to not leave UPnP switched on by detault

This would solve 95% of problems where dumb lusers buying some IoT device they barely understand and just plugging it into the network without a clue what the device is doing.

How many of these 'masses of morons' have heard of ShieldsUp

I bet zero, they just dont care, ignorance is bliss, or so they think