UK.gov emits draft IoT and smartphone security law for Parliamentary scrutiny

Re: Way to use the Lingo!

A firewall (usually) still has holes in, either intentionally or unintentionally. As you say, these are fine words and will give a warm fuzzy feeling that things are better and more secure. The trouble is that this is mostly unenforceable.

So much of this stuff is fit-and-forget with no firmware updates from some facility in the Far East that is churning out millions of the same gizmo every month, all with different brand labels on.

You can make fun of the language but it's not as though firewall has always referred to the software on a computer system to restrict network access.

From a quick Wikipedia search:

The term firewall originally referred to a wall intended to confine a fire within a line of adjacent buildings. Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment.

The computer use of the word was a metaphor for the physical thing and the MP's usage of the word is too just with a different meaning.

Re: Online Souks

It certainly needs to be drafted to include online market places in those who can be fined. The "fact sheet" ( https://www.gov.uk/guidance/the-product-security-and-telecommunications-infrastructure-psti-bill-product-security-factsheet ) is detailed about the sorts of devices covered but vague about who will be held responsible. It also seems to be handing over enforcement to the Dept. of Culture Media. Perhaps a beefed up Trading Standards service would have been better: we could certainly do with it being strengthened even without this.

Re: Online Souks

It'll just change the way the crooks work. Instead of using the default passwords they'll set up 'helpful' phishing websites to guide non-technical users through the security configuration, and in the process snaffle the password and address info for further use or sale. They may even take the opportunity to open up firewalls and load malware.

"select your thermostat type from the drop-down menu, and enter your new password, we'll do the security setup for you".

Re: Online Souks

The PDF of the Bill is back online. It seems that the Sec of State has the powers to deem products to be relevant which future-proofs it against as yet undeveloped products.

The bad news is that as far as I can see the likes of Amazon other than as a direct seller, eBay and the like escape. Even if there was an attempt to treat them as importers or distributors it looks as if 55(11) gives them the option to plead that they're "ostensible suppliers" and not the "effective suppliers" who are the relevant persons within the meaning of the Bill.

Re: More misdirection...why am I not surprised?

It's even worse than that. When a crime takes place in the street, Plod routinely asks people for CCTV, doorbell and dashcam footage. I assume no-one gets prosecuted for such unregistered cameras?

(And why is it still called footage when no film is used? How about bittage, bytage or streamage?)

Re: More misdirection...why am I not surprised?

A perfectly good point.

I recently proposed something similar in respect of data protection law, which is widely ignored by businesses. Rather than fining organisations, they should be forced to fix the faulty processes that lead to the technology flaws, and that fixing should be audited by the regulator for adequacy. The cost of both the fixes and the audits would be money much better spent than if it were handed over a as fine.

I also suggested that there should be a hierarchy of requirement for qualification and certification of competence, the top of which should be applied where any product has potential life- or livelihood consequences. Another option would-be the equivalent of the BSI kite mark - a voluntary certification that a product meets an objective standard. It worked for electric plugs - raising safety standards by being a market delineator.

However all these ideas (and the current government proposal) fall on the issue of transnational jurisdiction - there really isn't any possibility unless all the key nations agree to coordinate their standards and statutes. Europe did, but that's pretty much it to date.

Re: More misdirection...why am I not surprised?

This always the problem and I'm not sure if it's worse in Britain than other European countries or not.

There's no money or just plain no enforcement in anything you can think of.

Food safety, not enough inspectors

Cre homes, not enough inspectors, laughably easy to rename your failing care home and pretend it's not the same one despite being in literally the same place with same staff.

Traffic, speeding and traffic crime is endemic.n

Litter, holy shit is there to much litter.

Covid masks, we managed it for like a month but two years in and it's a rare sight to see someone in them.

MPs, fuck me do they need more oversight.

On the other hand we're red hot on throwing money at making it shit to claim benefits

Re: "Our Bill will put a firewall around everyday tech"

But . . . but . . . but, going forwards the gubermints far thinking proposals will synergise the security of the emerging digital landscape for all IoT / Tech users in the land, honest! Imagineering Pepper Pig onto the advisory panel and everything!

On second thoughts, no, your right.

Re: The bill imposes duties on consumer product manufacturers

I agree with your point about suing Chinese tat foundries. However to remove things like default passwords would be an update to software and a change to the sticker on the product production line. Not really that much work. Better yet and cheaper make the user set a strong password on first use.

Re: The bill imposes duties on consumer product manufacturers

The Chinese manufacturer will include the required 'Approved by the Ministry of Fun' logo on the box and everyone will be happy. Much like the CE logo now.

Re: How will it work?

Enforcement? This isn't about enforcement.

This is about bieng seen to be doing "the right thing", uttering a quote for the nightly news and getting oneself re-elected. Like everything an MP does.

Re: until the last device stops working, and how would they know?

Well, telecoms companies could compile a monthly list of all phone models that connect to their network and make it public (just the model is not PII or subject to GDPR).

Companies could then base their support towards all of their models on the list.

Of course, that is just a practical idea, so it will likely never see the light of day.

Re: How will it work?

"How do you backdate this against the millions (billions?) of devices already out there."

You don't. Retrospective laws are considered a very bad thing. You don't want to find out that something you did legitimately six years ago is suddenly a criminal act.

Re: How will it work?

"2) You move the goal posts and say it si the sellers responsibility to ensure the IoT toy complies - How many of these sellers will even be aware of the requirements? How can they in turn force the company to implement proper security at point of manufacture?"

No moving of goalposts required for this. The Bill makes it an offence to import or distribute the product. From the point of an individual country it doesn't matter if the tat-makers keep making tat if it isn't imported. Globally, if enough markets enact such provisions then the tat-makers have the options of dealing with shrinking markets or complying.

The fly in the ointment here is that the likes of Amazon Marletplace & eBay seem to be given an out in that they're neither importers nor distributors - if all else fails section 55(11) seems to excuse them. What's missing is recognition of a role of gatekeeper. If it becomes expensive for them to allow non-compliant devices to be sold via their services then they will no doubt close the gates PDQ.

Re: How will it work?

Re your first point about Chinese stuff.

How exactly is this different to the junk and unsecured crap pushed out by amazon, google etc ? I don't mean the stuff they advertise or sell on behalf of others but their own brands of spy-speaker rubbish, unsecure doorbells, baby monitirs etc.

Re: Alternatively...

This idea could be extended. If the fire brigade were equipped with flame throwers they could determine which houses were flammable and rapidly incentivise the owners to improve

Re: Default passwords

But I am sure they provide all the functionality that is required to control the temperature, burn toast or boil water......

Re: But why ?

"So if there is no default password, how do you do the initial login to change the password in a semi-secure manner ?"

Not a problem. On boot from out of box or factory reset it presents a password-setting dialog before it will connect to the net. It shouldn't even matter if there is a default password, password-less login or a dialog without a login at this stage as the user-defined password will be in place by the time it connects. If the password's forgotten then a factory reset allows you to enter a new one. My router works this way so it's not a startlingly novel requirement.

Re: I think Guy Fawkes idea of a firewall was best

Proposal that Mr Fawkes name be added to all ballots. In the event that he gets most votes it is taken as a sign that the will of the people is to blow up parliament, or at least the local constituency office