Teach citizens IoT dangers, engineering students cybersecurity, Uncle Sam suggests The US Department of Commerce (DoC) and Department of Homeland Security have put out a draft cybersecurity report that recommends, among other things, that the American government fund a public awareness campaign on IoT security, and make cybersecurity a compulsory part of future engineering degrees. The 38-page report [PDF] …
The 38-page report [PDF] titled "Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats" is the first of many that are heading to the president's desk following an executive order signed in May, following a number of abortive attempts.
Do they really expect him to read 38 pages?
You'd never guess any of this concern from the CES show this year, WTF?
The pollyannic coverage on the BBC alone, was pretty hard to understand!
The MSM is blind: LG's robot clusterfuck alone is a screaming warning sign!
The whole IoT & Smart 'Reality Distortion Field' of Tech is just plain nuts???
Whereas 'IoT reality' and VTech's recent fine? That hardly gets mentioned!
This post has been deleted by its author
I know that the USG has this thing about not telling business what it must do and setting sensible requirements stifling innovation, but surely they could legislate for minimum standards to fix defects and automatically update devices for (say) 10 years, and make manufacturers/retailers liable for damages if they don't? Once a few well known names had been sued into oblivion we might see security being taken a bit more seriously.
"Due to its traditional hands-off approach to industry and the fact that the internet mostly resides in private hands, there is little that the DoC or DHS can do in real, solid terms."
If an electricity supplier switched 11kV onto a domestic feeder, resulting in damage and/or injury; would the attitude be the same?
Children need to learn from an early age the disadvantages as well as the advantages of devices that are connected to the Internet.
They need to learn that these devices are being watched, monitored and recorded by organisations [1] known and unknown and that these organisations are operating for their benefit and not for yours.
Further they need to learn the analogy that an Internet connection is akin to leaving a window open in your house. The longer it is open — and especially when it is left permanently open — the greater the likelihood that someone will come in through it.
[1] God damn it, El Reg, 'organisation' is a valid spelling in English. Either fix your spell-checker or turn it off. These red-wavy lines are annoying.
"[1] God damn it, El Reg, 'organisation' is a valid spelling in English. Either fix your spell-checker or turn it off. These red-wavy lines are annoying."
Or note that it was written by an American person, reporting on an American subject directly quoting an American publication.
NAT tools act as an incidental firewall, preventing devices in the home from being directly reached by the sort of mass-scanning tools that spread malware and lead to widespread infection.
The logical answer would be to convert all those "incidental firewalls" into actual firewalls. Sadly, ISP-provided consumer routers have historically been prototypical of IoT security incompetence.
I can see this going in several directions, if in fact it goes anywhere at all. One of those would be the creation of a new bureaucratic money pit using the Food and Drug Administration model. The best result of that being the system will still have the occasional bout of digital food poisoning or the worst being that security updates cost as much a cancer treatments.
Isn't the issue with IPv6 that with dedicated address spaces, it will be easier to guess the addresses for certain organizations or manufacturers? Doesn't matter that the IP space is 128 bits if the first 96 bits are always the same for something you're trying to attack.
Could any legislation mandating automatic mandatory updates also include a prohibition of extraneous changes whose purpose is solely to the detriment of the user and benefit of the vendor?
Of course legislatures are pretty good at ignoring their own rules (if any) about "No unrelated riders on must-pass laws", so if the regulated firms "do as government do, not as they say", we are in for bruising time.
This report is another example of taxpayer funds wasted. This is a snowflake report written by individuals who apparently believe each corporate community should follow best practices and create common standards.
I believe this sort of thing has been in just about every OMB information security report since 1999.
More so... it addresses the obvious without any mention of risk assessment.
Get a clue guys. Every company with a network pulse would love to have a common guideline to go with and purchase the latest/greatest technology. Here is the problem... 1: This is the USA. You can't force a business to do something without creating law. Since companies own politicians... good luck with this. 2: Pocketbooks aren't unlimited. 3: While corporations have been held accountable, the penalties and punitive damages haven't been costly enough to change risk assessments yet. Target, Google, etc... has just been slapped on the wrist while consumers pay huge costs.
Start chanting accountability and punitive damages along with large legal suit dollars and you just might begin to make traction. Until consumers can overcome political greed from corporate contributions, you will not see a lot of change.
Teach router manufacturers to not leave UPnP switched on by detault
This would solve 95% of problems where dumb lusers buying some IoT device they barely understand and just plugging it into the network without a clue what the device is doing.
How many of these 'masses of morons' have heard of ShieldsUp
I bet zero, they just dont care, ignorance is bliss, or so they think
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2021
