You know IoT security is bad when libertarians call for strict regulation

We all know the vast majority of Internet-of-Things devices haven’t anything more than a fig leaf for protection. Now the unlikeliest of folks are calling for rules to improve IoT security: libertarians. In a session today at the RSA infosec conference in San Francisco, Olaf Kolkman, the Internet Society’s chief internet …

  1. Oh Homer
    Headmaster

    Former libertarian

    Or what we adults call "growing up".

    1. This post has been deleted by its author

      1. Charles 9

        Re: Former libertarian

        What happens when you DO get a YES AND they volunteer the information?

        1. Anonymous Blowhard

          Re: Former libertarian

          "What happens when you DO get a YES AND they volunteer the information?"

          Go shopping?

        2. Trigonoceps occipitalis

          Re: Former libertarian

          @ Charles 9

          Ask Jeremy Clarkson, I think he has an inkling.

      2. Hollerithevo

        Re: Former libertarian

        @Oliver Jones, yes what they want is for me to give them my books for free. Because £2.00 for an e-book is equivalent to serfdom or something.

        1. Alistair
          Windows

          Re: Former libertarian

          Don't have a problem paying YOU for your book.

          Paying an artist directly is perhaps more amenable to me than anything else.

          "Information is free" slogan was never really meant to stomp on artistry. It was supposed to however step around censorship and the entities that tried to capitalize on *others* works.

          This however gets massively complex when we're discussing say, results from a scientific study done by a private university sponsored by government provided funding.

          It's an interesting debate.

          1. Charles 9

            Re: Former libertarian

            "This however gets massively complex when we're discussing say, results from a scientific study done by a private university sponsored by government provided funding."

            ESPECIALLY when the study was about sensitive stuff like potential dual-use biological agents, bringing up entirely-proper matters of sovereign security.

      3. Oh Homer
        Headmaster

        Re: "missing the point"

        Not so much "missing the point" as completely misinterpreting the meaning of "libertarian".

        The entire ethos behind libertarianism is proprietary rights, which is exactly why libertarians want a government they can "drown in the bathtub" every time it so much as looks at their money.

        Libertarians don't especially want information, your ebook or anything else to be free. The only "liberty" they're interested in is their own freedom to exploit and hoard with a flagrant contempt for any social responsibility. It's "freedom" in the Al Capone sense, not in the hippie sense.

        Free and open access to information is not and never has been a libertarian aspiration, or much to do with politics of any kind, it's an academic principle, for reasons that should be obvious.

        Schneier is not trying to steal your ebook, he's calling for you to not publish it in the first place, whereas previously he would have said "publish and be damned".

        So, as I said, it looks like he finally grew up and realised that social responsibility trumps irresponsible Freedumb®.

    2. The Man Who Fell To Earth Silver badge
      Go

      Re: Former libertarian

      Just having an International organization, maybe the IEEE, come up with standards that allow manufacturers of IoT (Internet of Trash) to claim something like "IoT Security 1.0 compliant" on their devices would be a good first step. Maybe add a 3rd party testing requirement for certification. I am sure the likes of TUV would love to add something like this to their testing services. This would quickly get some standards made by people with a clue into place that transcend borders.

  2. Ken Moorhouse Silver badge

    Being assigned a MAC address...

    should bear with it a certain responsibility. The acquisition costs of MAC addresses should incorporate charges for insurance against misuse, and associated clean-up costs in the event of disaster.

  3. Anonymous Coward
    Anonymous Coward

    Schneier is a libertarian?

    I've been following him and his blog for many, many years. He's about as libertarian as Donald Trump or Barack Obama

  4. This post has been deleted by its author

    1. TheTick

      Re: Your role in a movie is coming soon

      "Auto regulations have saved countless lives and prevented countless injuries. "

      Including mine. If that steel bar which you see at the bottom of lorries at the back wasn't there (I think thanks to a law mandating them) I would probably have been decapitated when I drove my car into the back of one. The car body would have carried on under the lorry while the top would have been sheared off taking my head with it.

      I'm very very free market but some things are just necessary.

      1. Charles 9

        Re: Your role in a movie is coming soon

        True libertarians would just say let Darwin sort them out and produce tougher humans. What better way to raise awareness than a spike on the steering wheel?

        1. Anonymous Coward
          Anonymous Coward

          Re: Your role in a movie is coming soon

          True libertarians would just say let Darwin sort them out and produce tougher humans.

          That only works if they off themselves before they can reproduce. The other way round, you will select for human beings that grow up efficiently without parents and die after spawning, like octopodes.

          1. Arthur the cat Silver badge
            Headmaster

            Re: Your role in a movie is coming soon

            like octopodes

            Have an upvote for a correct plural. Sadly I can give only one upvote.

          2. Eddy Ito

            Re: Your role in a movie is coming soon

            @Voyna i Mor In this instance I would expect a true libertarian answer would be to ditch the regulation that makes it illegal to hack the offending IoT device and take it offline.

      2. DeVino

        Re: Your role in a movie is coming soon

        Mansfield Bar: Not a nice end to a nice lady.

      3. jelabarre59

        Re: Your role in a movie is coming soon

        Including mine. If that steel bar which you see at the bottom of lorries at the back wasn't there (I think thanks to a law mandating them) I would probably have been decapitated when I drove my car into the back of one. The car body would have carried on under the lorry while the top would have been sheared off taking my head with it.

        You mean the "Mansfield Bar". So called because that's exactly how Jayne Mansfield died, and prompted the addition of underride guards.

    2. Steve the Cynic

      Re: Your role in a movie is coming soon

      This discussion of car safety rules, especially the part about seat belts, makes me think of a referendum in Massachusetts in the late 80s. The question on the ballot was whether the recently-enacted state law mandating the use (by drivers and passengers) of seat belts should be repealed.

      I always used one anyway, as did many of my fellow students, but many of them said they would vote(1) to repeal the law because it should be a matter for each person to choose.

      (1) As a (legal) alien(2), I wasn't allowed to vote in the election, but I *would* have voted to repeal, for much the same reason.

      (2) In 1981 I entered the US on a 90-day tourist visa. I stayed (legally) for almost nine years. I even got a green card, only to discover that it was slightly pink, and plastic-laminated, and not green at all.

      And I had an interesting debate with my mother, who would have voted to keep the law. Her reasoning was by analogy to rules about having to have working brakes. The obvious flaw in that reasoning (obvious to me, anyway) is that rules about brakes are there to protect me from inadequate maintenance of *his* car, while seat belt laws are to force me to protect me from things *I* do.

      So the car makers must include seat belts so I *can* protect myself, and they must be in good condition, sure. But don't *make* me use them. I'll use them anyway.

      1. Hollerithevo

        Re: Your role in a movie is coming soon

        @Steve the Cynic, seat-belts protect you and the people in the car with you, and the people in the other cars. A crash that kills you or cripples you, because of what happened when you wore no belt, leaves a burden upon the state: your family, if you have one, or your medical care. A crash that kills or maims you can effectively destroy the life of the other driver. I know a Tube driver who completely went to pieces when a woman killed herself with his train. He had no chance of preventing it, and yet... She took her own life, and effectively his and his wife's, because one small 'individual choice' ripples out to the injury of many. Once you are in a car on a publicly-maintained road that you share with others, you have to accept rules made for the greater good of the greater number.

        1. Anonymous Coward
          Anonymous Coward

          Re: Your role in a movie is coming soon

          Try some facts rather than Koolaid.

          "Drain on the state" if you're killed? How exactly?

          Proven fact, drivers take more risks when wearing a seatbelt than not.

          Proven fact, crash helmets have created more of a "drain on the state" as you so charmingly put it, by creating para/quadriplegics where they would be dead otherwise.

          My bet is you also think smokers are a "drain on the NHS" despite the proven fact they pay more in taxes, [and receive less in pensions, etc. due to shorter lives] than their NHS care costs.

          But it's for your own good! FRO

          Where the fuck do you get off telling other people how to live their lives, mind your own business.

          I don't need protecting thank you! I don't care what you do if it doesn't directly impact me so leave me to my beers and sausage breadcake in the morning and a few bowls full of baccy and find a hobby or something.

          *I've only ever worn a seatbelt when a passenger in another's car, as I don't feel it's fair to them, as per your train driver example. Also survived a 50mph car crash without a seatbelt that demolished a lamp post before hitting an oak tree and I walked away, Paramedics advised I'd be dead had I been wearing one. And I don't like "bugs in m'teeth" so I'd wear a crash helmet *most* of the time, but it's ossum when you don't. If you haven't you'll probably never understand.

          PS

          Some illegal [and legal] drugs are also fun! Well they're ALL illegal now thanks to Frau May

          1. Anonymous Coward
            Anonymous Coward

            Re: Your role in a movie is coming soon

            ""Drain on the state" if you're killed? How exactly?"

            Three words: widows and orphans. AKA Wards of the State. If the breadwinner dies, you've got several additional mouths to feed, not to mention psychological issues attached to losing a key parent and so on.

            1. Anonymous Coward
              Anonymous Coward

              Re: Your role in a movie is coming soon

              Jesus, which century are you living in! "Widows and orphans" of course only men drive, and if anything happens to them the family will be in the workhouse. And women should be at home. FFS non-argument.

              BTW 15-19 yo males are twice as likely to die as anyone else in road traffic accidents, accounting for nearly 28%. Sure, they're leaving lots of widows and orphans

              1. Charles 9

                Re: Your role in a movie is coming soon

                I don't know about widows but consider the teen pregnancy rate.

      2. David Nash Silver badge

        Re: Your role in a movie is coming soon

        But we do have to *make* people use seatbelts. Most people who get in a car don't want to kill themselves. As a society we would rather people don't kill themselves accidentally (right?)

        People are not reliable so we have to help them in the easiest, effective, and most obvious cases, of which I would argue this is one. Do you argue against wearing safety helmets on building sites too? (and, more relevantly, on motorcycles?)

        1. Anonymous Coward
          Anonymous Coward

          Re: Your role in a movie is coming soon

          "But we do have to *make* people use seatbelts. Most people who get in a car don't want to kill themselves. As a society we would rather people don't kill themselves accidentally (right?)"

          Some would say it helps to control the population and raise awareness. IOW, it helps MAKE them reliable since they'll die otherwise.

    3. edge_e
      Boffin

      Re: Your role in a movie is coming soon

      Firstly in response to pccobbler:

      What has where you sit on the libertarian/authoritarian axis of the political got to do with where your thoughts lie on the communist/capitalist axis? https://www.politicalcompass.org/

      Regarding the whole seatbelt thing, people have differing risk perception. The trouble with making things safer is those who felt safe anyway will now behave in a riskier manner.

      Put another way, how close would you drive to the car in front if you had a six inch spike protruding from the center of your steering wheel?

      1. Eddy Ito

        Re: Your role in a movie is coming soon

        @edge_e

        Nice quiz. No wonder I generally dislike all candidates.

        Oh, I'm thinking a six inch spike would be ill advised as it would likely pop the airbag.

        1. edge_e
          Thumb Up

          Re: Your role in a movie is coming soon

          I think it needs to be instead of the airbag :)

  5. Synonymous Howard

    He's no Ron Swanson

    But the resemblance is definitely there.

  6. John Smith 19 Gold badge
    Unhappy

    Ralph Nader and "Unsafe at Any Speed" might have a little bit to do with the debate.

    Some level of regulation is needed. I suggest it's to regulate the market, not the development. Companies are free to develop whatever they like. But if they can't pass security testing they can't legally be sold in that market. If you buy it because it's cheap you know it's not even got minimal security.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ralph Nader and "Unsafe at Any Speed" might have a little bit to do with the debate.

      That makes perfect sense, and it is also why it won't pass muster with President Orange Conspiracy Guy. So, in light of that here is the real solution I just stole from the DHS internal memo system:

      "Okay, you assholes, here's the deal. We just pay "protection monies" to Russian "security companies" to monitor our systems and promise not to also hack into them, since they have the keys we just gave them anyway. AND, this is the great part, you guys, we also have them hack anyone trying to hack us! Okay, now give me a better idea... anyone, anyone? HA! Print that proposal out and ship it to the Orange House, STAT! Who's going to Chipotle for lunch?"

      That totally just happened, you guys! :P

  7. Brian Miller

    Known knowns, known unknowns, and unknown unknowns

    One of the code review comments I've written: "Please use computer science to solve this problem." The developer had put in a sleep() to solve a resource problem. (He also didn't know the difference between a function and a header macro.)

    The problem with security is how hard is it to bypass it, and get to the target. Everybody wants something cheap, they want it now, and they want to plug it in and start using it.

    We are faced with a paraphrase of what Donald Rumsfeld said, but in software security. There's always some weird crap happening, that some clever monkey has been able to figure out how to break the lock on the cage. ASLR has been broken by some clever JavaScript code. Who saw that one coming? And how about malicious code escaping from virtual machines?

    There's a limit to what can be done. If you're one level above the end-user, then you can't do anything about the hardware in the CPU, or the code in the hypervisor. You can put down rules to keep a device from being accessed, but you can't do anything about the actual problem itself.

    The manufacturer can do a certain number of things to "secure" the device, but even if they do their job, they still have to use code from someone else. How many IoT manufacturers write their own kernel?

    The rules that should be in place are simple things, like requiring a good password the first time the device is used, and only offering additional services by manual configuration, not by default. For instance, if the device has a web UI, then require the consumer to log in via HTTPS, put in a good password, and then manually enable SNMP and SSH.

    1. John H Woods Silver badge

      Re: Known knowns, known unknowns, and unknown unknowns

      "The rules that should be in place are simple things." --Brian Miller

      Agreed. In order, I think I'd like the following:

      1. No default unauthenticated access

      2. All devices of the same type to have different credentials

      3. Devices must become open to user modification (i.e. rooting, re-flashing) when support ceases.

      There's a few others ... I'd like companies that repeat the same old lazy mistakes to be punished, but I can't think of an objective measure that could be used.
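One way to model the first-use rules the two posts above ask for (no unauthenticated access, SNMP and SSH off until the owner enables them, a strong password set over HTTPS before anything else works). This is an added example, not code from the thread or from any vendor; the class and function names, the weak-default list and the sample serial number are all hypothetical.

```python
"""Model of an IoT device's management plane that follows the rules the
comments ask for: no unauthenticated access, optional services (SNMP, SSH)
off until the owner enables them, and a strong password set over HTTPS
before anything else works. Added example; every name here is hypothetical."""
import hashlib
import hmac
import secrets

MIN_PASSWORD_LEN = 12
# Constructed list of factory defaults that must never be accepted.
WEAK_DEFAULTS = {"admin", "password", "12345678", "default"}
OPTIONAL_SERVICES = ("snmp", "ssh")


class PolicyError(Exception):
    """Raised when a request violates the onboarding policy."""


def check_password_policy(password: str, serial: str) -> None:
    """Reject short, factory-default, or serial-derived passwords."""
    if len(password) < MIN_PASSWORD_LEN:
        raise PolicyError("password shorter than %d characters" % MIN_PASSWORD_LEN)
    if password.lower() in WEAK_DEFAULTS:
        raise PolicyError("password is a known factory default")
    if serial.lower() in password.lower():
        raise PolicyError("password derived from the device serial")


class DeviceManagementPlane:
    def __init__(self, serial: str) -> None:
        self.serial = serial
        self._salt = b""
        self._pw_hash = b""            # empty until the owner sets a password
        self._sessions = set()
        # Only the HTTPS setup UI listens out of the box.
        self.services = {"https": True, "snmp": False, "ssh": False}

    @property
    def provisioned(self) -> bool:
        return bool(self._pw_hash)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_initial_password(self, transport: str, password: str) -> None:
        """First-use step: only over HTTPS, only once, only a strong password."""
        if transport != "https":
            raise PolicyError("initial setup must happen over HTTPS")
        if self.provisioned:
            raise PolicyError("device already provisioned")
        check_password_policy(password, self.serial)
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password, self._salt)

    def login(self, transport: str, password: str) -> str:
        """Return a session token or raise; an unprovisioned device never logs in."""
        if transport != "https" or not self.provisioned:
            raise PolicyError("login requires HTTPS on a provisioned device")
        if not hmac.compare_digest(self._hash(password, self._salt), self._pw_hash):
            raise PolicyError("bad password")
        token = secrets.token_hex(16)
        self._sessions.add(token)
        return token

    def enable_service(self, token: str, name: str) -> None:
        """Opt in to SNMP or SSH; requires an authenticated session."""
        if token not in self._sessions:
            raise PolicyError("not authenticated")
        if name not in OPTIONAL_SERVICES:
            raise PolicyError("unknown or non-optional service: %s" % name)
        self.services[name] = True

    def accepts(self, service: str) -> bool:
        """Would an incoming connection to this service be served at all?"""
        return self.services.get(service, False)


def onboarding_walkthrough() -> dict:
    """Drive a device through first use and record which probes succeed."""
    dev = DeviceManagementPlane("SN-0001")  # constructed serial number
    result = {"ssh_before_setup": dev.accepts("ssh")}
    try:
        dev.set_initial_password("https", "admin")
        result["weak_default_accepted"] = True
    except PolicyError:
        result["weak_default_accepted"] = False
    dev.set_initial_password("https", "correct horse battery staple")
    token = dev.login("https", "correct horse battery staple")
    dev.enable_service(token, "ssh")
    result["ssh_after_opt_in"] = dev.accepts("ssh")
    result["snmp_after_opt_in"] = dev.accepts("snmp")
    return result


if __name__ == "__main__":
    print(onboarding_walkthrough())
```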

      1. sdaugherty

        Re: Known knowns, known unknowns, and unknown unknowns

        How about, give the user full and complete control over hardware they legally own and what software runs on it via the necessary documentation and access to modify it, otherwise no disclaimers or waivers of liabilities allowed?

        It won't completely solve the problem, but it will at least stop people from being stuck with vulnerable products with no possibility of fixing them.

        1. Anonymous Coward
          Anonymous Coward

          Re: Known knowns, known unknowns, and unknown unknowns

          There are rather huge problems with that idea: you don't own software, you're licensed to use it.

          There's little doubt that if such an idea were turned into law, you'd soon stop being able to own hardware, vendors would turn to long-term leases. Not a new idea, since here in France, even home phones were the property of the phone company until well into the 80s and even 90s, and closer to the IoT world, utilities meters still aren't owned, nor are the Internet appliances.

          And technically, the border between hardware and software has become pretty damn elusive these days. There is, literally (meaning literally), no current bit of consumer electronics that would do anything if you removed *all* the software from it - and clearly, it would not allow you to install your own.

          The good thing is that here, no contractual waiver of liability is legally possible - vendors are *always* responsible for damages caused by faulty consumer goods, no matter what they claim.

    2. Allan George Dyer

      Re: Known knowns, known unknowns, and unknown unknowns

      "require the consumer to log in via HTTPS, put in a good password, and then manually enable SNMP and SSH"

      Reasonable requirements for 2017, but not so good to set in concrete legislation for the next 20+ years. Set down general principles in the law, and supplement with guidelines that can be updated more regularly.

      1. Anonymous Coward
        Anonymous Coward

        Re: Known knowns, known unknowns, and unknown unknowns

        That's part of the problem: current consumer electronics need software upgrades for the duration of their usable life, which is rather longer than what manufacturers provide right now.

        I'd like them to be compelled to provide security *software* upgrades for 10 years, and publish full source code if the company folds without being bought. Added bonus: if the software assets are bought, then the responsibility will go to the buyer, that would help discourage patent trolls from buying them for pennies at fire sales.

        By now, that does not seem like a huge stretch.

  8. Anonymous Coward
    Anonymous Coward

    The other approach is strict accountability. If your firm makes a device that causes financial damage, the firm must pay the damages. If a life is lost, the Board and Executives are criminally responsible and are sentenced to prison, or death if your nation does that kind of thing.

    Aside from China, it won't happen as we know who puts money in legislative and regulators pockets. Even in China, you have to be pretty egregious to get to that point (e.g. baby formula). It could very well start here in California courtesy of our propositions.

    Broken record time: my code was delivered secure with zero defects (bugs) because a prison cell in a Federal facility was in my future if it wasn't, and that was true of the people above me as well. Think about it.

    1. Anonymous Coward
      Anonymous Coward

      "Broken record time: my code was delivered secure with zero defects (bugs) because a prison cell in a Federal facility was in my future if it wasn't, and that was true of the people above me as well. Think about it."

      What kind of code has that as a law? And how do they enforce it?

      1. EnviableOne

        What kind of code

        In the UK Health and Safety at Work Act, the CEO is criminally responsible for death relating to a breach.

        In the licensing laws, the Pub firm, the Licensee and the server are responsible for breaches of serving regulations.

        Similar stipulations can be written for IoT, if you write/package/compile bad code and it gets someone killed, you, the bloke who should have checked your work, and the man responsible for releasing it without the checks, are all liable.

        1. Charles 9

          Re: What kind of code

          What if all involved are outside your jurisdiction? Hard to nail the coder and so on if they're all in China, for example...

          1. Paul Crawford Silver badge

            Re: What kind of code

            Then the importer carries the burden. And it's up to them to have sufficient due-diligence from the folk in China to get off for a genuine mistake, otherwise it's massive fines and/or chokey time.

            It won't stop every crap device, but if it makes it very hard for Joe Public to buy a shitty insecure camera or video recorder, etc, because none of the shops or sellers like Amazon (who of course would be the importer in this case) then it's done its job.

            1. Charles 9

              Re: What kind of code

              "It won't stop every crap device, but if it makes it very hard for Joe Public to buy a shitty insecure camera or video recorder, etc, because none of the shops or sellers like Amazon (who of course would be the importer in this case) then it's done its job."

              Unless, of course, Amazon isn't in your jurisdiction, either.

              1. Paul Crawford Silver badge

                Re: What kind of code

                Unless, of course, Amazon isn't in your jurisdiction, either.

                If they trade in the UK they are in our jurisdiction.

                1. Charles 9

                  Re: What kind of code

                  You're talking like an American...

  9. joed

    Internet ID to follow?

    How great the world will be when everyone and everything can be policed. Peace and happiness I'd rather not be part of. And until I'm forced to, I'm staying in IoT-free space.

    1. choleric

      Re: Internet ID to follow?

      I think the point is you can't. The space around you, the space you live in and move through, is becoming IoTed and you have no way of stopping it happening. If that's happening then regulation is inevitable, but there is still the option to have bad regulation or good (realistically "less bad") regulation. Rather than a bury-my-head-in-the-sand approach, why not get involved and make sure your concerns are represented so that the regulation that we end up with is even less bad?

      1. Anonymous Coward
        Anonymous Coward

        Re: Internet ID to follow?

        Because getting involved would be WORSE than sticking your head in the sand. Speak up and you stick out. And sticking out just gets you hammered.

  10. Boring Bob

    Laws can't solve this

    The government can pass a law that will magically stop hacking and will remove all unknown unknowns?

    Let's face it, IoT will kill the internet. It was fun while it lasted, now it is time for the new generation to move on to the next thing.

  11. Anonymous Blowhard

    "The government can pass a law that will magically stop hacking and will remove all unknown unknowns?"

    No, but they can pass laws to make sure companies can't just shrug their shoulders and say "not my problem" when their kit gets hacked.

    "Let's face it, IoT will kill the internet. It was fun while it lasted, now it is time for the new generation to move on to the next thing."

    The Internet won't be killed, but neither will it be the Wild West any more; governments are going to police some aspects of it and corporations will pay for private security within their own networks.

    On the whole, the Internet will get a bit more expensive to cover the cost of "good enough" security. People will pay for security when they get enough pain from the effects of not having it, then individuals will do what they can afford to do - rich people will pay for network security services and poor people will be at the mercy of criminals, same as the physical world.

    1. Charles 9

      Oh? What if companies move out of your jurisdiction? What if they never were in your jurisdiction because they're using gray markets?

    2. Boring Bob

      "corporations will pay for private security within their own networks."

      Like I said, the internet is dead, long live private networks. Today the internet only works because nearly everything connected to it is based on a small number of regularly updated OSs. IoT will kill this. I've spent 10 years trying to sell security to IoT companies. Most end customers will not spend a penny for security and don't give a s**t about security and privacy (if they did you would not be reading this on your Android phone). The automobile comparison is a false one. It involves protection against known knowns, it is economically viable for devices that cost 15000+€ not 15€ and a country can control nearly all devices connected to its road network (try stopping a rogue IoT device in another country connecting to your country's network)

      1. Charles 9

        Whatever happened to just blocking that country wholesale?

  12. Anonymous Coward
    Anonymous Coward

    Libertarianism is a fairly wide church. Most libertarians believe that the state should strongly support contract law for instance.

    False advertising laws are another reasonable thing to many libertarians. Regulations against devices that are sold with severe defects (e.g. IoT security) are a reasonable extension to this.

    As somebody else pointed out above, if your IoT device is part of a botnet, that doesn't just affect you. It's similar to the difference between allowing people to own guns and allowing them to fire them blindly in public places.

  13. Stevie

    Bah!

    Whereas I am coming to the opinion that what is needed is a small team of government funded hackers to bork all consumer products that fail to secure their nettyness, along with shills to talk up those brands on teh intarwebs making a serious commitment to proper IoTat securage.

    Reasoning: If someone buys a baby alarm and babycam that is insecure, they will most likely not know and not care when told. If the said device breaks down they will buy another. After the third breakdown they will buy a better brand and one-star the offender on Amazon. When they come to buying a better brand, there will be an undercurrent of opinion planted out there to guide their uneducated selection.

    Yes it is sinister and has serious flaws. But we already lost DNS to the lightbulb and babycam army once. How about we get fucking serious about changing the cheap-and-careless culture before something extremely inconvenient is perpetrated.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bah!

      "Yes it is sinister and has serious flaws. But we already lost DNS to the lightbulb and babycam army once. How about we get fucking serious about changing the cheap-and-careless culture before something extremely inconvenient is perpetrated."

      Because the ONLY way they'll learn is by something extremely inconvenient...if not deadly. The easiest way to shock a culture into changing is through a crisis.
