IoT needs security, says Microsoft without even a small trace of irony

Still reeling from criticism over the WannaCrypt attack, Microsoft has stuck its hat on a stick and raised it out of the trench to see how its proposals for Internet of Things security might be received. Since IoT security is almost uniformly awful, it's probably a good thing that the creator of Windows XP Embedded wants to …

  1. Anonymous Coward

    Oh look over there, a squirrel.

    This is a nice deflection and I'm glad they mentioned "provide secure upgrade paths", though they missed the "at a price" from the end of that.

    I don't think it is government's place to tell companies to implement security; government should be there to do something about it if they don't, and actually do something rather than fines, which are a waste of time.

    There are two things that may fix IoT security in my mind.

    Mandatory stated life of product updates when you buy it.

    A system where a company gets a score out of 5 depending on how much security testing the device has had based on common vulnerabilities that really should not be a problem these days, e.g. hard coded passwords, no encryption, access from the internet when not needed to name a few.

    1. Jason Bloomberg Silver badge

      I don't think it is government's place to tell companies to implement security; government should be there to do something about it if they don't

      That seems to be contradictory, or more nuanced than I can figure out.

      I am entirely happy for governments to tell companies what minimum requirements they are expected to meet through regulation and legislation; it is in the public interest that they do that and governments are there to ensure people get what they want but are unable to secure as individuals themselves.

      Most complaints I have are that regulations are often too weak, not properly enforced, and punishment for non-compliance is not enough to bring about change in attitudes.

      1. Anonymous Coward

        What I was trying to convey was that it's not going to be possible for government to legislate the actual security only what happens when they don't implement standard security to stop DDOS, data breaches etc... The government doesn't understand encryption anyway (allegedly).

        I call it standard security because that's what they should all be striving for; in fact I would go as far as to say they should be using it for marketing by saying "our security is the best on the market", which is odd that they aren't when you think of the opportunity.

        1. Naselus

          "by saying "our security is the best on the market", which is odd that they aren't when you think of the opportunity."

          It's not odd that they aren't, because on aggregate consumers don't care. They really don't.

          Oh, if you ask them if they want their stuff to be secure, they say they do. But if you market the product as 'the most secure on the market', then watch it sink like a stone in the face of a rival who instead markets their product as 'and it comes in black!' or 'look, it has rounded corners!'.

          This state of affairs will continue until someone actually makes the effort to explain why their security is good, and why best practice security is better than random bullshit. But for the most part, security is explained with magic wands, so is about as meaningful to a consumer as the 'science' portion of a shampoo advert.

  2. short

    Euro NCAP Crashiness stars?

    Would people be more likely to buy stuff that's had a bit of third-party pen testing and promises updates for <n> years?

    Enforcing those updates is a different kettle of fish - but if it was possible to buy non-shit cameras and widgets, I might be tempted. At the moment, it's all shit, and maybe it's time to change before the net just turns into a swamp of DDOS and takeovers?

    (Ah, AC above covered much of this obvious stuff - but some way to find premium products that actually work - surely that's worth something?)

    1. Anonymous Coward

      Re: Euro NCAP Crashiness stars?

      At my last employer, they put a major product in for third-party security testing; once they got the certificate, all pretence of following the guidelines was dropped. Those documented monthly update processes for the Linux server? Didn't happen. Checking new patches to their own software for security? Didn't happen...

      1. Anonymous Coward

        Re: Euro NCAP Crashiness stars?

        Just like most ISO certs... especially the likes of 9001.

        All it shows is you know how to tick a box. For more complex ones, it's how well you fool the inspectors.

  3. John Robson Silver badge

    No direct net access

    These things should all be usable on a LAN, without internet access.

    Control may need to be from a container running on a generic 'hub', but there should be no need to rely on a specific company still being there in a few months.

    1. short

      Re: No direct net access

      Return of the MS Home Server? Maintained, headless, running as backup, streamer, IoT hub, firewall, AP?

      Most of the parts are in place, and maybe customers would be more amenable to paying a subscription to keep that fresh, in a way that they won't for OSes?

      I'd rather have a FreeNAS or whatever box under the stairs, but I can see an MS offering 'to keep you, your kids and your IoT crap safe from the big bad internet'...

    2. DropBear
      Trollface

      Re: No direct net access

      "These things should all be useable on a lan, without internet access."

      Awesome idea, but don't we need to do something about that "I" in "IoT" then...? I propose "LoT" after "LAN"... If it pans out as expected and turns out to be inherently more secure, we could even call it "LoST" for "safe" or "secure"...

      1. John Robson Silver badge

        Re: No direct net access

        "Awesome idea, but don't we need to do something about that "I" in "IoT" then...? I propose "LoT" after "LAN"... If it pans out as expected and turns out to be inherently more secure, we could even call it "LoST" for "safe" or "secure"..."

        The hub can easily be remotely accessible. But it should be its own VPN endpoint (I don't need to access the lightbulbs in *that* many households) by default...

        I might not need it to be a VPN endpoint, but that's only because I can already VPN into home...

  4. Anonymous Coward

    IoT - Internet of Threats

    * IoT is the collective series of threats we all face every day through constant Govt & Corporate inaction. M$ is a US corp but the US Govt has given up on regulating IoT before even trying, so where is the greatest threat here?

    * Added to which, why does the NSA not care enough to lock its own barn doors? Thanks for the self-propagating ransomware on a weekly basis! It all just makes me wanna unplug more and use Mint when connected...

    1. big_D Silver badge
      Holmes

      Re: IoT - Internet of Threats

      As the saying goes, the "S" in IoT stands for security.

      1. arrbee

        Re: IoT - Internet of Threats

        As security is apparently not something people worry about, I suggest changing that to:

        the "S" in IoT stands for safety

        - might get a little more attention.

  5. Sgt_Oddball
    Paris Hilton

    hey now..

    Trying not to come across as an MS shill, but at least they've taken a stand and said it. They've also avoided saying that they've got the solution to it.

    For people not in IT, having a giant like MS state it's a problem tends to get people's attention on just how bad it is, which can only be a good thing, right?

    1. DropBear
      Facepalm

      Re: hey now..

      Absolutely - I even know how to fix it! All we need to do is tweet about it hard enough (maybe even... sign an online petition! *gasp, shock, horror*)...

    2. Naselus

      Re: hey now..

      Agreed. We honestly cannot sit here and spend 20 years whining that MS suck at security, and then complain about them suggesting maybe there should be some effort to do security properly. Especially since MS's security infrastructure is no longer the joke it was in 2003; charges of hypocrisy are a little unfair when the company has been spending a lot of money and throwing a lot of effort into moving away from its previous bad practices for over a decade now.

  6. Commswonk

    I win!

    Build cross-disciplinary partnerships that encourage public-private collaboration and inter-agency cooperation

    House!

  7. dajames

    IoT needs security, says Microsoft ...

    Seems they've learned to talk the talk, but can they learn to walk the walk?

    1. hplasm
      Devil

      "Seems they've learned to talk the talk, but can they learn to walk the walk?"

      Not with those shot-to-bits feet...

  8. DropBear
    Joke

    But my stuff is already secure! I have completely secure key storage with multiple redundancy by embedding all the keys in every single device and my RNG is absolutely tamper-proof due to being hardcoded to always return the completely random number "4", chosen by roll of a set of fair dice...

  9. John Smith 19 Gold badge
    Unhappy

    Is anyone remembering the phrase "Windows everywhere"?

    Those who fail to learn the lessons of history are doomed to step in them again.

    And again.

  10. Wibble

    Bigger organisations would take notice if fined?

    Problem is the cost of adding "intarweb connectivity" to some device is so low that there's no money to fund proper development & support -- especially as it's pushed for by the twitterati marketing-oriented chimps.

    Maybe some 'fines' will work for the larger organisations. For example, if Hoover/Dyson/whatever decided to add IoT functionality to their hoover to send updates to an app to remind the operator that the bag's full... Hoover/Dyson/whatever are big enough to go after when their IoT device is compromised. This would put the brakes on some of the stuck-on-stupid ideas. Obviously it wouldn't work for "the little people".

  11. adam payne

    Nothing to see here, move on; oh look over there at those naughty people, says a Microsoft spokesperson.

    "Serve as catalysts for the development of good IoT security practices;"

    Not quite sure how they would do that apart from a new law that means you get prosecuted if you have terrible security on your devices.

  12. Mark 85

    This smacks of an oxymoron: MS calling for more security.

  13. Anonymous Coward

    There are good security people at MS

    But they have no influence on products or marketing or services or much anything else.

    1. Roundtuit

      Re: There are good security people at MS

      What a back-handed compliment!

      It would be easier for the security people if Microsoft became an ethical IT company, instead of a marketing company.
