Posts by Doctor Syntax 40558 publicly visible posts • joined 16 Jun 2014
"Another US conglomerate decides to hike its prices and everyone immediately blames the brexit voters, looking for a scapegoat."
Well, the article clearly says that it's currency related. If we're not to see this as Brexit related should we start referring to the sudden-but-entirely-coincidental-devaluation-of-the-pound?
"The devices come from China and are imported direct. Who gives a damn?"
Market traders if they're importing them when Trading Standards come calling.
ISPs when they're exposed to fines for routing non-compliant stuff. As I said in another post, there are multiple points to apply pressure to make stuff unsaleable.
"Finally - as to the suggestion of arresting USERS because they have insecure IoT kit - that's stupid, there is no way that could ever be proposed to be added to law"
That depends on how bad the problem becomes. There are several points to apply pressure.
One is the market place via the types of regulation and certification that's in place already for electrical safety etc. It gives Trading Standards or the like to deal with vendors in the country and for customs to turn away incoming shipments. There's absolutely nothing novel in principle about this, it's just that govts. need to be kicked into motion to get a round tuit.
Another is the ISPs and through them the users. They can be required to put it into T&Cs that non-compliant kit can't be exposed on the net, either outside of firewalls or via uPnP.
Finally, after due warning, the users themselves if they insist on connecting stuff it can be made an offence. In practice, of course, the ISP would almost certainly deal with it by cutting off the customer but having the illegality as back-up to deal with awkward customers.
All this combined would make non-compliant stuff unsaleable. That would lean on the manufacturers more effectively than trying to negotiate international standards.
That leaves countries that are reluctant to get round to doing such things. "Nice internet connection you have there. Shame if it got disconnected for an hour or two now and again. Or a day or two."
"Then what happens when innocent users SUE for the collateral damage of them not being able to go on the Internet for no fault of their own?"
What happens? The ISPs learn the advantage of making sure it doesn't happen again. Or, to put it another way, they learn the cost of not having made sure it couldn't happen in the first place.
As per another of your posts, we;re dealing with Stupid here so we need to to take actions that don't depend on Stupid understanding things.
"As long as you are happy to pay manufacturer to have support team that will be resetting these passwords 24/7. Are you ?"
The user sets those. The default password is on the label. You reset it to get that and you then have to set a new password before you can get it online.
You, the user, lost the label? Sorry, can't help you, we don't have a record of it.* You'll have to buy a new one. Please look after that better.
* That prevents anyone ringing up trying to get the default password if it transpires the pile of crap device can be reset remotely.
"DNS resolution is needed for a lot more than just the URL you typed into the browser or clicked in Google. Each of the secondary domains that site calls have to be resolved too, and there can be dozens of them on a fairly typical site on the internet."
To say nothing of the tertiary and quaternary domains. OTOH if this forced sites to serve all their own crap this could be seen as a useful by-product
"Do you really want to live in communist utopia where government can control which device you can use to connect to Internet ?"
I didn't see that being suggested. It's not a matter of controlling which device, it's a matter of controlling the safety standards they meet. They'll already by subject to all sorts of safety requirements. For instance the telecoms network operators will already have specs as to what can be connected to ensure it doesn't put harmful voltages on the line or draw excess current. Or are your telecoms providers communist-run?
"This is obvious clickbait, it suggests all IOT devices are vulnerable,biy the reality is, its a single manufacturer (XiongMai Technologies) that had a default password and login."
The answer lies somewhere in between. It might be a single manufacturer in this case and not everything is necessarily vulnerable but there have been enough reports of routers with telnet ports open on the internet side etc. You don't need to look back very far in el Reg to pick up these.
"mostly the same stands for their customers."
It's the customer end that you start with. Does the kit meet UL/CE standards? If not then it becomes illegal to put it on the 'net in the relevant country or, even better, it becomes illegal for the ISPs to route it. It also becomes illegal to offer it for sale so if it's on sale from a local vendor then they get a visit from Trading Standards or whatever in that particular jurisdiction. If it's being offered for sale on eBay from China or wherever then eBay gets a visit.
The manufacturers will get the message without direct action - they want to sell stuff, they meet the standards.
Make no mistake, something will be done, the only questions are what and when.
"I doubt any legislative action will actually be all that effective. The average Congress critter is not noted for critical thinking skills but emotional pandering."
I think a few large corporations being exposed to risk like this will be able to apply as much emotional pressure as is needed to produce results.
"CE-marking and US equivalents are good for purchasers to aspire to buying, but faced with a choice between high-price or low-price, with the difference in features being purely a few regulatory stickers affixed to the casing, which one will the purchaser end up buying?"
The alternative should be between the device being legally offered for sale or not. That doesn't provide the buyer with much of a quandary. If he buys from Del-boy he risks the device being forfeit, and maybe a fine.
"Brick the devices and watch US and European companies go bust very quickly as consumers just stop buying devices with internet connections that can use their subscription services."
As per my comment above, apply a bit of Darwinian selection. Make it worth while to ship secure stuff. Having sold/issued to the subscriber a steaming pile of ordure isn't an excuse for losing business, it's just a reason.
In established fields it simply wouldn't be allowed to sell a dangerous design of electrical equipment or vehicle. If it later transpires that something wasn't fit then the vendor will be expected to recall it for remediation; that option should be available to vendors of insecure IoT devices. The the vendor simply goes bust or the customer refuses to accept the recall then there has to be a mechanism for ensuring it's not exposed on the 'net.
If you want an alternative analogy, consider a contagious disease - of humans or animals. If the disease is sufficiently dangerous TPTB usually have sufficient powers to ensure that humans are isolated and animals destroyed. It's draconian but essential for the wider community.
"You have to take Stupid into consideration."
Stupid is the problem. If the punter is too stupid it has to be their problem rather someone else's. I'm a biologist by training. I see no problem in applying Darwinian selection to the IoT.
How about "Here's your device, there's the password. We have no copy of it. Looking after it is your responsibility."
'As for "illegal".. that part would be ignored as any fines will be relatively miniscule and that's only if a law can get past the corporate lobbyists.'
Fines can be whatever legislation and the courts make them. There's also the possibility of raising sanctions against ISPs who continue to permit their customers to continue to use such devices.
As to lobbying, recent events have resulted in some large corporations having incentives to lobby for action.
In general history shows that eventually potentially bad stuff does get regulated but unfortunately governments traditionally don't operate at internet speed.
"Perhaps it's time those bodies also include network safety standards being met? Companies need to be held to a high standard on these things, and they're clearly not."
Agreed. This is something I've been saying for some time. Also it should be added to CE requirements in Europe.
The trouble is the existing deployed fleet. Those need to be fixed or taken off-line if they're not fixable.
..just maybe this will finally spur TPTB into taking some action.
For a start oblige the manufacturers of IoTs to stop selling vulnerable devices until they're fixed.
At the same time, put out a recall for all those currently installed to be upgraded - or do over the net upgrades if for kit that supports that.
And then make it illegal to run a vulnerable device if it's connected to the net.
The second item might well cost vendors more than the profit they made in the first place - good, it's time vendors were exposed to the costs of cutting corners.
"Oh believe me, some people think councils are responsible for absolutely everything."
Our local council seems to avoiding responsibility for as much as it can except for the PC bits or those which get column inches for the leaders, even if they're not part of the council's remit.
'Quick piece of advice - never look up how the YEAR was "established"'
There's also years BP (before present) in radiocarbon dating, "present" being taken as 1950. We used to round dates to the nearest 5 years but I never took into account the absence of year 0, partly because it would have looked odd to have nice round numbers in the BP version but not in the BC and it didn't really matter until one result came out at 1950 BP. Thanks to the link I now know it wasn't a bug, I was just anticipating ISO 8601.
There are two standard reactions to most new stuff:
1. Seen it done better.
2. Seen it done before and it didn't work then, either.
On the rare occasions that neither of these apply you know you've got something worthwhile.
Sadly there's an almost universal reaction to something that isn't new but has had a make-over, reboot or whatever:
3. It wasn't broken, why did they fix it?
"ISPs and network operators being compelled to police their own user base for illicit traffic on pain of having some of their service access cut off which means, by implication, they have to police their users the same way."
If a large enough number of devices are involved the illicit traffic from any one device might not be easily discoverable. A better variation would be policing their user base for vulnerable internet-exposed devices. Where the device is an ISP-supplied router this would have the immediate effect of requiring the ISPs to be more careful in deciding what kit they supply.
"If *you* are an attack target, it is *your* infrastructure that is going to be targeted,"
For some values of "you". If "you" means the US internet business community then DNS is part of that infrastructure and, from what's happened, appears to be a single point of failure for quite a large portion of "you".
in 74 - but this was around the time that industry experts were saying things like " there will only ever be a need four 4 computers on the planet" and suchlike
I stand by my statement that it seems acceptable for people in tech to not know history. Without checking the exact date I think you're about a quarter of a century out.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
