> to develop best practices that would "not hinder innovation."
aren't business process patents already valid in the US of A?
Congress provided a masterclass in selective hearing Wednesday when urged by experts to do something about the increasing risk posed by poor IoT security. At a session of the House's Energy and Commerce Committee into last month's attack on DNS provider Dyn that caused widespread disruption to online services, several security …
> Cheap and cheerful, negative externality-exporting ActiveX is dead (is it? is it? at least in the browser, then?) Combined with cheap and cheerful, negative externality-exporting Internet Explorer and cheap and cheerful, negative externality-exporting Windows it was the cancer-creating Cannibal Nonhumanoid Internet Dweller.
> Flash is being "killed" by being replaced by HTML5 gimmicks and none too fast. We need a postmortem analysis paper on what went wrong. Will the new gimmick implementations be more secure? Time will tell.
> Silverlight is still being pushed by Microsoft in spite of the dev team having been gassed (AFAIK). No-one is convinced, luckily. The last time I encountered it was for streaming a 2016 mathematics conference in Potsdam. Good work, Microsoft salesdroid - your next target will be children with disabilities, here is a jar of candies.
> Java Applets are rare, rare, rare. Good. But Java itself is alive and well, as it should be. Hapless civilians who can't distinguish between the two are unfortunately plentiful. I still don't know why the "Applets" turned out to be so hackable, the sandbox idea was absolutely the right thing to do. Even more so as the idea was from 1995 (good times, anyone remember Inferno/Limbo?)! The goal initially was to shift code over the Internet to the computing nodes (why anyone would do that outside of the context of HPC where it is easier to move the program to the data than the reverse will remain a mystery). Additionally you can have jar signing. And you are running the code on a VM, not the bare metal. You can't do much better, the next step in security is a complete virtual machine. Breakouts may have been possible because of bad API choices and cross-abstraction attacks on the JVM (aka "optimizing the byte code verifications"), and likely because a lot of changes occurred between simple Java 1.1 and Java 8. Need another postmortem paper.
> Native code in the browser: Get off my lawn!!
John Hinckley Jr.'s attempted assassination of Reagan did nothing for gun control...
In this new Trump world they should have stressed American jobs for Americans...
"Them Chinese don't know security, we do... make good security a legal requirement and they can't sell into the US market. We can. Even when they catch up and can add security they will become less competitive. In the meantime we establish US brands and sell to those liberal Europeans who will be demanding security regulation!"
Doesn't matter if it's true or not, it plays on their fears and aspirations. Isn't that what Trump taught us?
John Hinckley Jr.'s attempted assassination of Reagan did nothing for gun control...
Well, there is "gun control" at various levels in the various states (and this was more about a nutcase doing his nutty stuff), but apart from that:
Panicky law reaction for cheap virtue signalling in response to child-killer-maim-rapist-horror-show: BAD
Panicky law reaction for cheap virtue signalling in response to attempted Reagan assassination: GOOD
You can't have it both ways.
Absolutely. Congress has a deaf ear because no Congresscritter has been negatively impacted by the problem.
Just wait for one of them to have their IoT fridge order 5 tons of milk and have the driveway blocked due to the 10 delivery trucks, plus the bill.
THEN legislation will get pushed through faster than the result of a Taco Bell lunch two hours later.
"Now, if before testifying Schneier and Co. had hired DDoS R' Us to take down U.S. political fundraising websites, THAT would have engendered a sufficient sense of urgency."
True, a similar campaign worked before, even if it wasn't the intended effect.
But now you can harvest 100K people from the safety of your office.
"Slack Hacks", innit?
Just re-reading Neal Stephenson's "Diamond Age". Luckily, we will have to survive to "consumer IoT" age before stepping into the nanotech age. Or so we hope.
There's a difference in kind between script-kiddie 'hacking' and social engineering.
One requires someone - an actual, living person - to be aware of your existence. To take an interest in you. To contact you in some way.
The other - doesn't.
That's an important difference, because it affects how they scale. Face to face, you can con one person, or a hundred, or a thousand, within a given year. But to hit 100,000 you need to automate it. And that's what the IoT makes possible.
And that works both ways. Face to face, you probably don't get conned more than once or twice a year. Online, it could be once or twice per hour - and you wouldn't even know.
There needs to be some serious suing of any IoT company that ignores security.
Why doesn't EU quickly whip up some laws that would be useful for IoT?
It's tragic when any half decent techie knows, as soon as he hears about something called "IoT" for the first time, that it will be a security disaster. Even before it has taken off.
The same way you deal with "Germany", or rather Volkswagen. You publish standards that manufacturers have to meet and then let someone else sue their arses off if they don't meet them.
Lax security is very much like pollution. For any polluting device, the seller gains because they've cut a corner and the buyer wins because that makes it cheaper and the pollution of one single device is far outweighed by the benefit of possessing it. The cost is borne by the rest of society. Markets will not fix that and anyone who actually *understands* the trendy free-market mantras rather than merely being able to *spout* them will see why that is the case.
Sadly, we've bred a generation of politicians who know that the market is better than government, but haven't a clue why. Even sadder, those politicians are frequently the same ones who will argue at length that market forces do not act on genetic variation. Maybe they're just fucking stupid.
"Most of the Chinese tat is sold direct from China, usually through the gray markets."
You keep rabbiting on about gray markets. What do you mean by them? Presumably you don't mean someone sidling up to folk in the street saying "If you want to buy some IoTat stuff I can order it from China for you.".
Gray markets have to advertise, otherwise customers couldn't find them. And the big advertising routes such as eBay do usually have legal presences in the US, EU etc, where they can be leaned on.
But eBay and the like are multi-national. They're like gel. If one country applies pressure, it'll just ooze to another. That's why ships rarely flag in US or European countries. Plus some of the sellers like Alibaba are already based in China and the like and out of western regulatory reach.
They are literally paid to spout bullshit and do as little as possible to rock the boat.
Until someone causes a Senator to drop dead on national TV by screwing with the firmware of their pacemaker they will do nothing.
* for those who didn't vote for Donnie T Rump that was NOT a suggestion.
although "those 2nd Amendment people could do something"
Getting my coat, that'll be the one with the tin foil lining.
The Senate are largely idiots. I despise them all, the difference between R and D is just the things they misunderstand.
Also, I am not surprised Homeland Security are keen on taking over IoT security. They will be well aware that as soon as someone decides to have a good look at what they really do for a living they are very vulnerable.
That's a killer for anything right there and then there's a new group coming. Hitting Congress to do something at this time is just plain stupid as it would take more than a couple of months to set this up.
Then there's the new group coming in. For all we know, they'll end up banning everything on the internet except for the Jesus sites and the sites that have well-heeled lobbyists.
For all we know, they'll end up banning everything on the internet except for the Jesus sites and the sites that have well-heeled lobbyists.
I really want to know at what place this kind of bullshit is being injected into the memosphere.
Maybe the explanation lies in the fact that journalists are writing hysterical pandering stuff. Here's Jared Taylor of "American Renaissance" (of all things!) on this: Trump: The Media’s Frankenstein Monster
I made that statement simply because many Repubs pander to the Religious Right and some to the extreme. There's been more than one stating that NASA is a waste of money as the Bible says the universe is only 6000 years old. There's others that would like to see any religious site (other than their own) taken down as they "promote terrorism" or untruths in their eyes. Of course, Christianity is perfect in this regard.
There was some facetiousness to my statement but for the NASA example, look to the head of the Science Committee... former doctor but hardcore Religious Right. However, in the end, the lobbyists will rule all....
Should I add that for the most part, CongressCritters are a joke at this point in time? Holding their breath until they turn blue or having a sit-in on the House/Senate floor because they aren't getting their way? There's no thought, no compromise, no critical thinking. Only reaction and deadlock when they don't agree.
Calling for regulated security on IoT devices is, well, likely to have consequences more far reaching than anticipated.
For a start, when is a CPU + memory + NIC + software an IoT device, and when is it just a computer or smartphone? They're all potentially involved in home automation, especially if you consider the app as being part of the IoT system.
To illustrate the difficulties of trying to make a legal differentiation between IoT and non-IoT, consider the Raspberry Pi. IoT device? Yes. Computer? Yes. Router? Yes. Server? Yes.
So you cannot reasonably apply a bunch of regulations to an IoT device that then don't also apply to smartphones, computers, home routers, smart TVs, back end services, the entire Internet. Thus if the law required IoT devices to meet minimum security requirements, receive regular updates, etc. they'd have to apply to everything else too, otherwise there'd be no point.
That would be a problem for Android in particular.
So you cannot reasonably apply a bunch of regulations to an IoT device that then don't also apply to smartphones, computers, home routers, smart TVs, back end services, the entire Internet,
Isn't this sort of the point? The Dyn attack was supposedly driven by generic "IoT" devices like fridges which are internet connected without any security but the problem is anything internet connected without security is creating a risk.
Smart TVs without security are just as much of a problem.
The problem, as Schneier has said, is that the manufacturers don't care and the purchasers of each item don't care but the attacks affect everyone. This means that deep down the manufacturers & customers are actually paying a bit more for everything else as the security controls have to be implemented in more expensive areas.
And that right there is why I can't watch Youtube on my TV.
It comes with that option. All I have to do is hook it up to the home wifi network, and we could use it to browse and watch on demand, like - well, like we once imagined we could.
But then I looked for documentation on "how to change the root password". No mention of it. No mention of there even being such a thing.
And so, that device is not getting the password to my home wifi network. We'll watch TV the old fashioned way, use computers for the internet, and never the two shall meet.
Shame there's no standard that it could comply to that would give me confidence in it.
a gummint "solution" is likely to breed PROBLEMS that require MORE "solutions" from gummint, yotta yotta. It's like an INFECTION with cyclic mutations.
Instead, do this: pass laws that put the BLAME for 'lack of security' on the producers of insecure hardware and software, making them responsible for ANY liabilities caused by NEGLIGENCE when it comes to security. This would include DDoS attacks, mass infection/intrusion on IoT devices [requiring expensive 'fixes' on the part of end-users], and so on. Then, let the class action lawsuits fix it. I know, it's like calling down a napalm strike on your own head. Just make sure you duck for cover.
And simple fixes by IoT vendors might include simple things like holding a button while changing settings or flashing new firmware.
Food police, maybe not. But food advertiser, lots of them.... and diet/health/etc....
Unless his fridge isn't participating in DDoS attack, of course.... gullible senators are the perfect customer for some stupid IoT stuff to show off (paying with taxpayers money, of course).
I promise I won't keep saying 'I told you so', but I did point out in comments on the laughable Adobe fine (http://forums.theregister.co.uk/forum/1/2016/11/16/adobe_breach_settlement/) that corporations get best value for money by purchasing politicians:
"A well-fattened pol is a wonderful asset to the enterprise. Whether you need a quick under-handed favour to make an investigation go away, or some cover for dodgy foreign dealings, or just a nice new law with some small print relaxing environmental protection or your customers' rights, it's all available in one plump, sweaty package."
It's actually possible that some of the politicians present are not quite as stupid and ignorant as they seem, but if you're being paid to obstruct something irrefutably sensible, you're pretty much forced into fibbing, bullshitting, changing the subject, delaying and introducing irrelevancies and distractions. So you end up with grown men looking and sounding like idiots or liars or usually both. Welcome to Congress.
When a politician says "We've had enough of experts" (like that little moron Gove, before Brexit) what he's really saying is, "I lost the argument to people who know more than I do, so now I'm gonna stick my fingers in my ears and cry."
To grown, rational adults, they're a pathetic sight and they would be quite funny—if they weren't so damned dangerous.
... and let the airplane industry self-regulate. Then tell them they need to fly around more often.... or shut down the FDA, and let the pharmaceutical industry self-regulate (oh well, it probably already does...).
Yes, I'm afraid we need casualties before they act. Then you will see one of them swearing "I was saying it since 2016!!!!!"
"But it fell to security guru Bruce Schneier to argue outright [PDF] for legislation. "Like pollution, the only solution is to regulate," he stressed. "The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don't care."
"The Mirai malware which is used to create the botnet can be cleared by simply restarting affected devices. But there are so many hacked devices on the internet that a vulnerable system will likely be reinfected within five minutes of restarting, unless some other protection is put in place."
~ We get it, the Reds and Trump are in charge now..
~ But how about legislating fines against any US corp that imports and sells IoT shit which is known to cause DDOS chaos on US soil?
~ If Amazon knows they'll be fined for selling Xiongmai, maybe they'll stop selling it. Same goes for sales of vulnerable routers by Asus etc which can easily be hacked.
~ Also why doesn't congress fund research to explore ways of blocking DDOS at a country / continent / continental fiber link level. If they can put NSA sniffers on these lines, how about adding filters that detect / filter net-traffic-pollution...???
Sniffing data (copying them for out-of-band processing) is a little easier than processing data in real time and deciding whether they have to be blocked or not (especially at the fiber links' bandwidth and speed). Moreover DDoS attacks are often based on traffic that looks legitimate and, being spread over many connections, it is not so easy to identify. It's when it "aggregates" at the endpoint that it shows its malignity. Even pushing down and processing filters to cut off thousands of endpoints after the attack has been identified is not so easy - especially since, remember, the Internet is designed to use multiple routes to a destination... something can be done, but it would be like increasing car safety by putting big cushions around. Or countering electric hazards by letting companies include a pair of rubber gloves in the box of dangerous devices.
Devices must be made safer, and those that don't implement a given baseline must be banned.
Even blocking traffic or banning unsafe devices would need a legal framework - ISPs won't take the risk of being sued for banning traffic or devices without a law allowing them to do so and protecting them. That's also a reason why industry self-regulation is impossible.
~ Granted, but when I mentioned an NSA like tap-in before, I was hinting at past Reg articles that demonstrated a break down in this 'internet redundancy'. An obvious example is the severing of an underwater cable, but there are other examples. Want me to hunt around?
~ Plus once reports come in, based on the above limitation, shouldn't it be possible to block certain traffic spreading to all regions. The mother of all corporate firewalls etc. One area might get hit badly, but not everywhere.
A DDoS attack is designed to hit a single endpoint (or a few ones), but which is an important one. It's not something that spreads around. One way to minimize the effects of a DDoS is exactly a redundant infrastructure where even if some nodes are flooded others will keep on working - but that's not always feasible, moreover some redundant architectures are also designed for load balancing, therefore a number of users can still be affected until they are redirected to other nodes (but the DDoS attack too may be redirected).
Internet routing tables can be modified (without severing cables...), and sometimes it happened for strange reasons (IIRC there were routes announced which made traffic going through Pakistan and China....), but it could also worsen the situation, when a surge of traffic is routed through a single link.
IMHO thinking to stop DDoS attacks only at the backbone tier is very difficult, and the spreading of unsafe IoT devices will also make it less relevant - the possible sources will be many, many more scattered around many, many connections.
It's expensive to make multiple versions of code for an IoT device. So imposing security standards for selling into the US will cause the IoT developers to improve their code in products released worldwide.
The same thing happened when Europe legislated Reduction of Hazardous Substances. It took a few years, but now virtually all consumer electronics meet RoHS, regardless of the country they're sold into.
So what happens when two regions give conflicting mandates, meaning you have no choice but to create two versions since one version WILL violate the other and vice versa?
Like, for example, radio equipment where frequency allocations differ from region to region and different bands are off-limits for security reasons?