You know IoT security is bad when libertarians call for strict regulation

We all know the vast majority of Internet-of-Things devices haven’t anything more than a fig leaf for protection. Now the unlikeliest of folks are calling for rules to improve IoT security: libertarians. In a session today at the RSA infosec conference in San Francisco, Olaf Kolkman, the Internet Society’s chief internet …

Silver badge
Headmaster

Former libertarian

Or what we adults call "growing up".

13
14

This post has been deleted by its author

Silver badge

Re: Former libertarian

What happens when you DO get a YES AND they volunteer the information?

0
0

Re: Former libertarian

"What happens when you DO get a YES AND they volunteer the information?"

Go shopping?

14
0
Silver badge

Re: Former libertarian

@Oliver Jones, yes what they want is for me to give them my books for free. Because £2.00 for an e-book is equivalent to serfdom or something.

2
1
Silver badge
Go

Re: Former libertarian

Just having an International organization, maybe the IEEE, come up with standards that allow manufacturers of IoT (Internet of Trash) to claim something like "IoT Security 1.0 compliant" on their devices would be a good first step. Maybe add a 3rd party testing requirement for certification. I am sure the likes of TUV would love to add something like this to their testing services. This would quickly get some standards made by people with a clue into place that transcend borders.

1
0
Silver badge
Windows

Re: Former libertarian

Don't have a problem paying YOU for your book.

Paying an artist directly is perhaps more amenable to me than anything else.

"Information is free" slogan was never really meant to stomp on artistry. It was supposed to however step around censorship and the entities that tried to capitalize on *others'* works.

This however gets massively complex when we're discussing say, results from a scientific study done by a private university sponsored by government provided funding.

It's an interesting debate.

3
0

Re: Former libertarian

@ Charles 9

Ask Jeremy Clarkson, I think he has an inkling.

0
0
Silver badge
Headmaster

Re: "missing the point"

Not so much "missing the point" as completely misinterpreting the meaning of "libertarian".

The entire ethos behind libertarianism is proprietary rights, which is exactly why libertarians want a government they can "drown in the bathtub" every time it so much as looks at their money.

Libertarians don't especially want information, your ebook or anything else to be free. The only "liberty" they're interested in is their own freedom to exploit and hoard with a flagrant contempt for any social responsibility. It's "freedom" in the Al Capone sense, not in the hippie sense.

Free and open access to information is not and never has been a libertarian aspiration, or much to do with politics of any kind, it's an academic principle, for reasons that should be obvious.

Schneier is not trying to steal your ebook, he's calling for you to not publish it in the first place, whereas previously he would have said "publish and be damned".

So, as I said, it looks like he finally grew up and realised that social responsibility trumps irresponsible Freedumb®.

1
1
Silver badge

Re: Former libertarian

"This however gets massively complex when we're discussing say, results from a scientific study done by a private university sponsored by government provided funding."

ESPECIALLY when the study was about sensitive stuff like potential dual-use biological agents, bringing up entirely-proper matters of sovereign security.

0
0
Silver badge

Being assigned a MAC address...

should bear with it a certain responsibility. The acquisition costs of MAC addresses should incorporate charges for insurance against misuse, and associated clean-up costs in the event of disaster.

10
0
Anonymous Coward

Schneier is a libertarian?

I've been following him and his blog for many, many years. He's about as libertarian as Donald Trump or Barack Obama.

9
0

This post has been deleted by its author

Re: Your role in a movie is coming soon

"Auto regulations have saved countless lives and prevented countless injuries."

Including mine. If that steel bar which you see at the bottom of lorries at the back wasn't there (I think thanks to a law mandating them) I would probably have been decapitated when I drove my car into the back of one. The car body would have carried on under the lorry while the top would have been sheared off taking my head with it.

I'm very very free market but some things are just necessary.

13
1
Silver badge

Re: Your role in a movie is coming soon

True libertarians would just say let Darwin sort them out and produce tougher humans. What better way to raise awareness than a spike on the steering wheel?

4
0
Silver badge

Re: Your role in a movie is coming soon

True libertarians would just say let Darwin sort them out and produce tougher humans.

That only works if they off themselves before they can reproduce. The other way round, you will select for human beings that grow up efficiently without parents and die after spawning, like octopodes.

4
0
Silver badge

Re: Your role in a movie is coming soon

This discussion of car safety rules, especially the part about seat belts, makes me think of a referendum in Massachusetts in the late 80s. The question on the ballot was whether the recently-enacted state law mandating the use (by drivers and passengers) of seat belts should be repealed.

I always used one anyway, as did many of my fellow students, but many of them said they would vote(1) to repeal the law because it should be a matter for each person to choose.

(1) As a (legal) alien(2), I wasn't allowed to vote in the election, but I *would* have voted to repeal, for much the same reason.

(2) In 1981 I entered the US on a 90-day tourist visa. I stayed (legally) for almost nine years. I even got a green card, only to discover that it was slightly pink, and plastic-laminated, and not green at all.

And I had an interesting debate with my mother, who would have voted to keep the law. Her reasoning was by analogy to rules about having to have working brakes. The obvious flaw in that reasoning (obvious to me, anyway) is that rules about brakes are there to protect me from inadequate maintenance of *his* car, while seat belt laws are to force me to protect me from things *I* do.

So the car makers must include seat belts so I *can* protect myself, and they must be in good condition, sure. But don't *make* me use them. I'll use them anyway.

3
4
Silver badge

Re: Your role in a movie is coming soon

@Steve the Cynic, seat-belts protect you and the people in the car with you, and the people in the other cars. A crash that kills you or cripples you, because of what happened when you wore no belt, leaves a burden upon the state: your family, if you have one, or your medical care. A crash that kills or maims you can effectively destroy the life of the other driver. I know a Tube driver who completely went to pieces when a woman killed herself with his train. He had no chance of preventing it, and yet... She took her own life, and effectively his and his wife's, because one small 'individual choice' ripples out to the injury of many. Once you are in a car on a publicly-maintained road that you share with others, you have to accept rules made for the greater good of the greater number.

10
1

Re: Your role in a movie is coming soon

Mansfield Bar: Not a nice end to a nice lady.

0
0
Silver badge
Headmaster

Re: Your role in a movie is coming soon

like octopodes

Have an upvote for a correct plural. Sadly I can give only one upvote.

1
0
Silver badge

Re: Your role in a movie is coming soon

But we do have to *make* people use seatbelts. Most people who get in a car don't want to kill themselves. As a society we would rather people don't kill themselves accidentally (right?)

People are not reliable so we have to help them in the easiest, effective, and most obvious cases, of which I would argue this is one. Do you argue against wearing safety helmets on building sites too? (and, more relevantly, on motorcycles?)

0
1
Silver badge

Re: Your role in a movie is coming soon

@Voyna i Mor In this instance I would expect a true libertarian answer would be to ditch the regulation that makes it illegal to hack the offending IoT device and take it off line.

1
1
Anonymous Coward

Re: Your role in a movie is coming soon

"But we do have to *make* people use seatbelts. Most people who get in a car don't want to kill themselves. As a society we would rather people don't kill themselves accidentally (right?)"

Some would say it helps to control the population and raise awareness. IOW, it helps MAKE them reliable since they'll die otherwise.

0
0
Boffin

Re: Your role in a movie is coming soon

Firstly in response to pccobbler:

What has where you sit on the libertarian/authoritarian axis of the political got to do with where your thoughts lie on the communist/capitalist axis? https://www.politicalcompass.org/

Regarding the whole seatbelt thing, people have differing risk perception. The trouble with making things safer is those who felt safe anyway will now behave in a riskier manner.

Put another way, how close would you drive to the car in front if you had a six inch spike protruding from the center of your steering wheel?

1
0
Silver badge

Re: Your role in a movie is coming soon

@edge_e

Nice quiz. No wonder I generally dislike all candidates.

Oh, I'm thinking a six inch spike would be ill advised as it would likely pop the airbag.

1
0
Anonymous Coward

Re: Your role in a movie is coming soon

Try some facts rather than Koolaid.

"Drain on the state" if you're killed? How exactly?

Proven fact, drivers take more risks when wearing a seatbelt than not.

Proven fact, crash helmets have created more of a "drain on the state" as you so charmingly put it, by creating para/quadriplegics where they would be dead otherwise.

My bet is you also think smokers are a "drain on the NHS" despite the proven fact they pay more in taxes, [and receive less in pensions, etc. due to shorter lives] than their NHS care costs.

But it's for your own good! FRO

Where the fuck do you get off telling other people how to live their lives, mind your own business.

I don't need protecting thank you! I don't care what you do if it doesn't directly impact me so leave me to my beers and sausage breadcake in the morning and a few bowls full of baccy and find a hobby or something.

*I've only ever worn a seatbelt when a passenger in another's car, as I don't feel it's fair to them, as per your train driver example. Also survived a 50mph car crash without a seatbelt that demolished a lamp post before hitting an oak tree and I walked away, Paramedics advised I'd be dead had I been wearing one. And I don't like "bugs in m'teeth" so I'd wear a crash helmet *most* of the time, but it's ossum when you don't. If you haven't you'll probably never understand.

PS

Some illegal [and legal] drugs are also fun! Well they're ALL illegal now thanks to Frau May

1
1
Thumb Up

Re: Your role in a movie is coming soon

I think it needs to be instead of the airbag :)

0
0
Bronze badge

Re: Your role in a movie is coming soon

Including mine. If that steel bar which you see at the bottom of lorries at the back wasn't there (I think thanks to a law mandating them) I would probably have been decapitated when I drove my car into the back of one. The car body would have carried on under the lorry while the top would have been sheared off taking my head with it.

You mean the "Mansfield Bar". So called because that's exactly how Jayne Mansfield died, and prompted the addition of underride guards.

0
0
Anonymous Coward

Re: Your role in a movie is coming soon

""Drain on the state" if you're killed? How exactly?"

Three words: widows and orphans. AKA Wards of the State. If the breadwinner dies, you've got several additional mouths to feed, not to mention psychological issues attached to losing a key parent and so on.

1
0
Anonymous Coward

Re: Your role in a movie is coming soon

Jesus, which century are you living in! "Widows and orphans" of course only men drive, and if anything happens to them the family will be in the workhouse. And women should be at home. FFS non-argument.

BTW 15-19 yo males are twice as likely to die as anyone else in road traffic accidents accounting for nearly 28% sure they're leaving lots of widows and orphans

0
1
Silver badge

Re: Your role in a movie is coming soon

I don't know about widows but consider the teen pregnancy rate.

0
0

He's no Ron Swanson

But the resemblance is definitely there.

0
0
Gold badge
Unhappy

Ralph Nader and "Unsafe at Any Speed" might have a little bit to do with the debate.

Some level of regulation is needed. I suggest it's to regulate the market, not the development. Companies are free to develop whatever they like. But if they can't pass security testing they can't legally be sold in that market. If you buy it because it's cheap you know it's not even got minimal security.

15
0
Anonymous Coward

Re: Ralph Nader and "Unsafe at Any Speed" might have a little bit to do with the debate.

That makes perfect sense, and it is also why it won't pass muster with President Orange Conspiracy Guy. So, in light of that here is the real solution I just stole from the DHS internal memo system:

"Okay, you assholes, here's the deal. We just pay "protection monies" to Russian "security companies" to monitor our systems and promise not to also hack into them, since they have the keys we just gave them anyway. AND, this is the great part, you guys, we also have them hack anyone trying to hack us! Okay, now give me a better idea... anyone, anyone? HA! Print that proposal out and ship it to the Orange House, STAT! Who's going to Chipotle for lunch?"

That totally just happened, you guys! :P

3
2
Silver badge

Known knowns, known unknowns, and unknown unknowns

One of the code review comments I've written: "Please use computer science to solve this problem." The developer had put in a sleep() to solve a resource problem. (He also didn't know the difference between a function and a header macro.)

The problem with security is how hard it is to bypass it, and get to the target. Everybody wants something cheap, they want it now, and they want to plug it in and start using it.

We are faced with a paraphrase of what Donald Rumsfeld said, but in software security. There's always some weird crap happening, that some clever monkey has been able to figure out how to break the lock on the cage. ASLR has been broken by some clever JavaScript code. Who saw that one coming? And how about malicious code escaping from virtual machines?

There's a limit to what can be done. If you're one level above the end-user, then you can't do anything about the hardware in the CPU, or the code in the hypervisor. You can put down rules to keep a device from being accessed, but you can't do anything about the actual problem itself.

The manufacturer can do a certain number of things to "secure" the device, but even if they do their job, they still have to use code from someone else. How many IoT manufacturers write their own kernel?

The rules that should be in place are simple things, like requiring a good password the first time the device is used, and only offering additional services by manual configuration, not by default. For instance, if the device has a web UI, then require the consumer to log in via HTTPS, put in a good password, and then manually enable SNMP and SSH.

6
0
Silver badge

Re: Known knowns, known unknowns, and unknown unknowns

"The rules that should be in place are simple things." --Brian Miller

Agreed. In order, I think I'd like the following:

1. No default unauthenticated access

2. All devices of the same type to have different credentials

3. Devices must become open to user modification (i.e. rooting, re-flashing) when support ceases.

There's a few others ... I'd like companies that repeat the same old lazy mistakes to be punished, but I can't think of an objective measure that could be used.

6
0
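The baseline rules proposed in the two comments above (a forced password on first use, HTTPS for the web UI, SNMP and SSH off until manually enabled, no unauthenticated access, different credentials on every unit) written as an audit over factory-default device records. This is an added example, not code from any commenter; the record fields, finding names and the sample fleet are constructed for illustration.

```python
from collections import defaultdict

# Constructed factory-default records; field names and values are hypothetical.
FLEET = [
    {"serial": "CAM-0001", "model": "cam-x", "factory_password_hash": "c0ffee01",
     "force_password_change": False, "web_ui_scheme": "http",
     "services_enabled": ["http", "ssh"], "unauthenticated_endpoints": ["/stream"]},
    {"serial": "CAM-0002", "model": "cam-x", "factory_password_hash": "c0ffee01",
     "force_password_change": False, "web_ui_scheme": "http",
     "services_enabled": ["http", "ssh"], "unauthenticated_endpoints": []},
    {"serial": "DVR-0001", "model": "dvr-y", "factory_password_hash": None,
     "force_password_change": True, "web_ui_scheme": "https",
     "services_enabled": ["https"], "unauthenticated_endpoints": []},
    {"serial": "DVR-0002", "model": "dvr-y", "factory_password_hash": None,
     "force_password_change": True, "web_ui_scheme": "https",
     "services_enabled": ["https", "snmp"], "unauthenticated_endpoints": []},
]

# Only the HTTPS web UI may listen out of the box; SNMP, SSH and anything
# else must be switched on by the owner after first login.
ALLOWED_DEFAULT_SERVICES = {"https"}


def audit_device(dev):
    """Return the per-device rule violations for one factory record."""
    findings = []
    if dev["unauthenticated_endpoints"]:
        findings.append("unauthenticated-access")
    if not dev["force_password_change"]:
        findings.append("no-forced-password-change")
    if dev["web_ui_scheme"] != "https":
        findings.append("web-ui-not-https")
    extra = sorted(set(dev["services_enabled"]) - ALLOWED_DEFAULT_SERVICES)
    findings.extend(f"service-on-by-default:{name}" for name in extra)
    return findings


def shared_credentials(fleet):
    """Serials of units that ship with the same credential as another unit
    of the same model. Units with no factory credential (password chosen at
    first use) are skipped, so they never count as sharing one."""
    groups = defaultdict(list)
    for dev in fleet:
        if dev["factory_password_hash"] is not None:
            key = (dev["model"], dev["factory_password_hash"])
            groups[key].append(dev["serial"])
    return {s for serials in groups.values() if len(serials) > 1 for s in serials}


def audit_fleet(fleet):
    """Map each serial to its findings, including the cross-device check."""
    shared = shared_credentials(fleet)
    report = {}
    for dev in fleet:
        findings = audit_device(dev)
        if dev["serial"] in shared:
            findings.append("shared-credential")
        report[dev["serial"]] = findings
    return report


if __name__ == "__main__":
    for serial, findings in audit_fleet(FLEET).items():
        print(serial, "PASS" if not findings else ", ".join(findings))
```

The per-device checks catch a bad default on a single unit; the shared-credential check needs the whole production batch, which is why it runs over the fleet rather than one record.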
Silver badge

Re: Known knowns, known unknowns, and unknown unknowns

"require the consumer to log in via HTTPS, put in a good password, and then manually enable SNMP and SSH"

Reasonable requirements for 2017, but not so good to set in concrete legislation for the next 20+ years. Set down general principles in the law, and supplement with guidelines that can be updated more regularly.

5
0

Re: Known knowns, known unknowns, and unknown unknowns

How about, give the user full and complete control over hardware they legally own and what software runs on it via the necessary documentation and access to modify it, otherwise no disclaimers or waivers of liabilities allowed?

It won't completely solve the problem. but it will at least stop people from being stuck with vulnerable products with no possibility of fixing them.

2
0
Anonymous Coward

Re: Known knowns, known unknowns, and unknown unknowns

There are rather huge problems with that idea: you don't own software, you're licensed to use it.

There's little doubt that if such an idea were turned into law, you'd soon stop being able to own hardware, vendors would turn to long-term leases. Not a new idea, since here in France, even home phones were the property of the phone company until well into the 80s and even 90s, and closer to the IoT world, utilities meters still aren't owned, nor are the Internet appliances.

And technically, the border between hardware and software has become pretty damn elusive these days. There is, literally (meaning literally), no current bit of consumer electronics that would do anything if you removed *all* the software from it - and clearly, it would not allow you to install your own.

The good thing is that here, no contractual waiver of liability is legally possible - vendors are *always* responsible for damages caused by faulty consumer goods, no matter what they claim.

0
0
Anonymous Coward

Re: Known knowns, known unknowns, and unknown unknowns

That's part of the problem: current consumer electronics need software upgrades for the duration of their usable life, which is rather longer than what manufacturers provide right now.

I'd like them to be compelled to provide security *software* upgrades for 10 years, and publish full source code if the company folds without being bought. Added bonus: if the software assets are bought, then the responsibility will go to the buyer, that would help discourage patent trolls to buy them for pennies at fire sales.

By now, that does not seem like a huge stretch.

0
0
Silver badge

The other approach is strict accountability. If your firm makes a device that causes financial damage, the firm must pay the damages. If a life is lost, the Board and Executives are criminally responsible and are sentenced to prison, or death if your nation does that kind of thing.

Aside from China, it won't happen as we know who puts money in legislative and regulators' pockets. Even in China, you have to be pretty egregious to get to that point (e. g. baby formula). It could very well start here in California courtesy of our propositions.

Broken record time: my code was delivered secure with zero defects (bugs) because a prison cell in a Federal facility was in my future if it wasn't, and that was true of the people above me as well. Think about it.

2
0
Anonymous Coward

"Broken record time: my code was delivered secure with zero defects (bugs) because a prison cell in a Federal facility was in my future if it wasn't, and that was true of the people above me as well. Think about it."

What kind of code has that as a law? And how do they enforce it?

0
0
Bronze badge

What kind of code

In the UK Health and Safety at Work Act, CEO is criminally responsible for death relating to a breach.

In the licensing laws, the Pub firm, the Licensee and the server are responsible for breaches of serving regulations.

Similar stipulations can be written for IoT, if you write/package/compile bad code and it gets someone killed, you, the bloke who should have checked your work, and the man responsible for releasing it without the checks, are all liable.

1
0
Silver badge

Re: What kind of code

What if all involved are outside your jurisdiction? Hard to nail the coder and so on if they're all in China, for example...

0
0
Silver badge

Re: What kind of code

Then the importer carries the burden. And it's up to them to have sufficient due-diligence from the folk in China to get off for a genuine mistake, otherwise it's massive fines and/or chokey time.

It won't stop every crap device, but if it makes it very hard for Joe Public to buy a shitty insecure camera or video recorder, etc, because none of the shops or sellers like Amazon (who of course would be the importer in this case) then it's done its job.

1
0
Silver badge

Re: What kind of code

"It won't stop every crap device, but if it makes it very hard for Joe Public to buy a shitty insecure camera or video recorder, etc, because none of the shops or sellers like Amazon (who of course would be the importer in this case) then it's done its job."

Unless, of course, Amazon isn't in your jurisdiction, either.

0
0
Silver badge

Re: What kind of code

Unless, of course, Amazon isn't in your jurisdiction, either.

If they trade in the UK they are in our jurisdiction.

1
0
Silver badge

Re: What kind of code

You're talking like an American...

0
1
Silver badge

Internet ID to follow?

How great the world will be when everyone and everything can be policed. Peace and happiness I'd rather not be part of. And until I'm forced to, I'm staying in IoT-free space.

4
2

Re: Internet ID to follow?

I think the point is you can't. The space around you, the space you live in and move through, is becoming IoTed and you have no way of stopping it happening. If that's happening then regulation is inevitable, but there is still the option to have bad regulation or good (realistically "less bad") regulation. Rather than a bury-my-head-in-the-sand approach, why not get involved and make sure your concerns are represented so that the regulation that we end up with is even less bad?

5
0
