back to article 'Well intentioned lawmakers could stifle IoT innovation', warns bug bounty pioneer

IoT security regulations could stifle innovation without addressing the security problems at hand, a well-respected security researcher controversially argues. Compromised IoT devices were press ganged into the Mirai botnet and infamously used in a DDoS attack that left many of the world’s most famous sites unreachable back in …

  1. Paul Crawford Silver badge

    Make the supplier / importer responsible for the consequences of bugs that remain unpatched after, say, 1 month and for 5 years after end of sale. I'm sure it would focus minds on security and patching systems beautifully.

    As for stifling innovation, at what point is collateral damage sufficient to stop marketing muppets from adding ill-thought out and supported features? Financial pain is probably the only incentive. Or jail time.

    1. Credas Silver badge

      Perhaps if manufacturers/suppliers were liable indefinitely, and devices were required to automatically disable themselves if they hadn't been updated for (say) 6 months, then there'd be some incentive for them to take security seriously and be honest with their customers from the start about the lifetime of the product they were buying. At the moment all the incentives are to just shove any old shit out of the door as fast as possible and never mind about fixing defects.

      1. Mark 85 Silver badge


        Not a bad idea but it would be easy for many companies that make this stuff to just fold up at the of the time period and then restart under a new name. Maybe a bond paid for each unit sold that after X time, is refunded to the company?

      2. LDS Silver badge

        "devices were required to automatically disable themselves"

        So just force the customer to rush to buy a new one, if the disabling didn't kill him already? I think they could accept such kind of regulation - forced obsolescence, no need to just slow down your device or throw strange errors.

        Regulations should enforce maintenance for a reasonable lifetime of the product - and for some product "reasonable" means several years, when they are no longer gadgets.

    2. GIRZiM

      Re: Or jail time

      Jail time every time. A minimum of ten years with an extra month for each IoT device and no upper limit. Solitary confinement. Hard labour. No conjugal visits. No belts or shoelaces. Strapped in for the night and not allowed to die. Daily ice baths. Forfeiture of all assets - their families can live on the streets.

      Feel free to add to the list.

    3. Christian Berger Silver badge

      "Financial pain is probably the only incentive. Or jail time."

      That only works if you can still find that company or that company still exists then.

    4. Claptrap314 Bronze badge

      Thus ensuring M$ immediately stops selling product.


  2. Kev99 Bronze badge

    And the downside to stifling IoT? None that I can think of.

    1. Anonymous Coward
      Anonymous Coward


      We can only hope.

      1. Steve Knox Silver badge

        Title should be

        Well intentioned lawmakers should stifle IoT innovation

        1. Anonymous Coward
          Anonymous Coward

          Re: Title should be

          I wish my local lawmakers would stifle the IoT. Not a chance. They just love smart meters and CCTV cameras.

    2. Filippo

      I was wondering why that was considered a "warning" as opposed to "hope". Although I do realize that for a "bug bounty pioneer", IoT means job security.

    3. Terry 6 Silver badge

      well intentioned lawmakers could stifle innovation.

      Agreed. yes Pleeeease.

  3. Doctor Syntax Silver badge

    Member of the bug bounty industry opposed to regulation to discourage release of buggy products. Wow!

  4. ST Silver badge

    Yeah. Security advice from Microsoft

    > Katie Moussouris [ ... ] veteran infosec researcher who created Microsoft's bug bounty programme

    I don't take security advice from anyone who is now, or has ever been, employed at Microsoft. Period. Their track record on security speaks for itself.

    Instead of lecturing the world about IoT, Katie Moussouris should have stayed at Microsoft and should have found some security bugs in Microsoft's products. There are plenty of them to be found.

  5. redpawn Silver badge

    Stop regulating cars too

    I want a Mad Max car and random IoT objects in my house. It would be real cool to have large metal spikes protruding from all sides of my vehicle and to have 21st century pirates in my appliances. Let the free market regulate traffic and tech. End the nanny state and give people the freedom to protect themselves.

    1. Anonymous Coward

      Re: Stop regulating cars too

      IoT killer drones don't kill people, they just follow orders.

    2. mbck

      Re: Stop regulating cars too

      Wait. Doesn't the 2nd Amendment apply to AI-equipped IoT too?

      1. Anonymous Coward
        Anonymous Coward

        Re: Stop regulating cars too

        Only if the Supreme Court declares them to be "people".

  6. Anonymous Coward
    Anonymous Coward

    YES all digital devices are insecure

    ...and mostly due to negligence and incompetence. Allowing Microsoft or anyone else to sell massively defective, insecure OSs is the prime reason why all consumer digital devices are insecure. Allowing lazy, incompetent software makers to knowingly sell insecure software contributes to the problem. Allowing social networks / enterprise to not properly secure their systems exposing personal data to criminals is one more reason why all digital devices are insecure. Allowing rushed-to-market autonomous vehicles with virtually no safety, security, design, engineering, maintenance or operational minimum standards is why these devices will be totally insecure. Gross negligence for huge financial gains is why almost all digital devices are all insecure.

    1. Anonymous Coward
      Anonymous Coward

      Re: YES all digital devices are insecure

      YES all digital devices are insecure.

      Since when has "Digital" suddenly become to mean "internet". It the same as muppets that go "digital economy".

      I have a digital alarm clock and I'm pretty sure it's not going to be part of a botnet anytime soon.

      1. Alister Silver badge

        Re: YES all digital devices are insecure

        I have a digital alarm clock

        That's So last century, darling...


        1. Anonymous Coward
          Anonymous Coward

          Re: YES all digital devices are insecure

          actually it's Retro, so it's bang on trend....just like Cassette Tapes (vinyl was so last week) and instant cameras

  7. Milton Silver badge

    "Well intentioned lawmakers could stifle IoT innovation"

    "Well intentioned lawmakers could stifle IoT innovation"

    The first three words tend to make the last four irrelevant. Especially if by "well intentioned" the speaker is implying "thoughtful, well-informed, honourably motivated": I think you'll find that the minority of politicians fitting that description finally became extinct between 1980 and 2001.

    So a more accurate statement would be:

    "Politicians who know remarkably little about anything, and are especially clueless when it comes to technology and science, acting in the interests of themselves and well-funded lobbyists, pursuing narrow political and party advantage for shabby, squalid motives, could stifle IoT innovation ... insofar as this is in any way distinct from their entirely routine misunderstanding and ignorance of all issues before them and the exercise of reflexive dishonesty, hypocrisy and moral cowardice in the essentially quotidian practice of fucking up simply everything that they touch."

    Unfortunately as an expectations-settings phrasing, it's a bit wordy to include everywhere it belongs i.e. in every article discussing politicians' behaviour. Perhaps we need an acronym in the spirit of Heinlein's TANSTAAFL? As a starter for two I offer:

    People Of Little Integrity, Tiny Intelligence, Colossal Incompetence, Achieving Nothing.

    I have no doubt it could be greatly improved upon, and there should be generous virtual beer for the best acronyms to be used as trigger warnings in El reg articles ...

    1. GIRZiM

      Re: "Well intentioned lawmakers could stifle IoT innovation"

      >People Of Little Integrity, Tiny Intelligence, Colossal Incompetence, Achieving Nothing


    2. doke

      Re: "Well intentioned lawmakers could stifle IoT innovation"

      "People Of Little Integrity, Tiny Intelligence, Colossal Incompetence, Achieving Nothing."

      Milton wins!

  8. trevorde

    Easiest solution

    not buy any of this cr4p in the first place

    1. Paul Crawford Silver badge

      Re: Easiest solution

      For the legion of commentards on El Reg, yes. But then all of the rest of the population they will still buy "oh shiny thing!" and we still suffer from the botnets and friends & family pestering us to sort out the shit storm they have brought upon the digital world.

      So really you have to make the manufacturers somehow responsible with enough clout that they act.

  9. LDS Silver badge

    "IOT devices that often can't be patched - but don't pose a particular risk"

    If it's connected, it's a risk. And if it can't patched, a bigger one. What may look a little risk in the beginning, could be found to be a far bigger one later. History is full of big cock-ups because someone thought there were no particular risks..

  10. Anonymous Coward
    Anonymous Coward

    IoT devices should have in their design specs that they will be used at the next operation of the creator or any of their relatives.

  11. Scoured Frisbee

    No love for IoT...

    ...but I find

    > governments would be prohibited from buying IoT kit with known vulnerabilities as ill conceived

    as eminently reasonable. Cisco didn't patch its switches for Meltdown/Spectre, but they are known to be vulnerable, for example.

    I've worked in enterprise embedded software for nearly 20 years, releases that have shipped without known exploitable bugs were usually found to be under-tested by the field.

    There's definitely a spectrum but drawing a bright line just means companies will lawyer up until vulnerabilities can't be disclosed, not that IoT kit will suddenly become impenetrable where the rest of the software industry has failed.

  12. Christian Berger Silver badge

    My favourite would be the way it's done with electrical appliances...

    ... just have a set of evidence based measures the device has to do. For example there has to be input valiation which satisfies some constraints. Depending on your language, the compile could even check for such constraings automatically. So in the ideal case you would have a log from your compiler. If something bad happens you just have to show the log as well as the source code so you can proof that you did everything correctly, satisfying the rules of the time you shipped out the box.

    For appliances this works a bit differently. For example there is a rule in the German regulations that no dangerous situation may occur if a single part fails. This is checked by laboratories looking at the schematics and trying to find the parts which would get closest to a dangerous situation. They then break those parts and test the safety again.

  13. JohnFen Silver badge

    Innovation at all costs?

    Innovation is a great and wonderful thing, but as a society we seem to have fetishized it to a dangerous degree. Innovation must be balanced against other things, such as security and the impact on society.

    The idea that anything that slows down innovation is automatically a bad thing is an erroneous, and dangerous, concept.

  14. andyp-random-number

    'Well intentioned lawmakers could stifle IoT innovation' (title)

    I didn't read much past that and thought...yep, why not? Seems like a plan to me.

  15. Rol Silver badge

    Let's get physical

    A three-way switch on the IoT device that controls access.

    Position 1:- Input locked. Firmware cannot be flashed or the device accept any input beyond negotiating with predefined networks. Effectively it will only broadcast its data to the users network at a refresh rate previously set by the user.

    Position 2:- Input guarded. As position 1, but with a whitelist of user defined input parameters. A soft option position 3, if enabled at set-up, will allow the device to operate as if in position 3 mode, but this would only activate on receipt of the correct 256 bit password from authorised networks.

    Position 3:- Input open. Intended for initial set-up and update use only,

    In general, domestic users would not enable soft mode 3, as they would normally have access to the device to physically flick the switch to position 3.

    And basically, if I can't have a degree of physical control over the IoT device, in a manner like the above, then I'm not having it.

    And yes, I've told my electricity supplier exactly where they can stick their smart meter.

  16. Cynicalmark

    Uhhhh heffalump in the room.

    Who on earth wants a connected kettle? Before you spout how wonderful it is to be able to remote operate it wonder why average Joe would want to...get off your arse and go switch it on. It is a 2 kilowatts plus device and requires supervision during use just like an iron. Grrr this IoT garbage is just.......rant rant rant.

    Yes I have Hue and SmartThings and Tridium (Know how vulnerable they can be if not managed correctly) but the garbage from vendors that requires your Amazon password or your Hue password to work in their own iFTTT shite app? Mind you, most users probably have unpatched routers at home arrrggggh all pointless. Why bother.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019