Can we please stop trying to force everything to be connected to the internet? I have no issue with those that want to make a smart house, but it seems like it is increasingly more difficult to find certain quality appliances that are not connected, televisions as an example.
I find this whole iot thing very frustrating as a consumer.
I have an ancient programmable thermostat. It allows me to program heating and cooling for the house. It is wired. I do not host my private information on the cloud. I do not have to send wireless data. I do not have to worry about security updates, feature patches, or bugs. It was thoroughly tested under a waterfall development cycle with strict functional requirements.
I don't get the internet connected part of a lot of the devices. Why not just use Bluetooth to smartphone. And have the smartphone proxy all data to the internet.
That just shows how bluetooth is flawed and too complicated.
its easier on the customer and developer for there to be a passwordless local protocol.
I think how the wireless Apple headphones pair is how all these iot devices should be paring with your smartphone. Then its a if you are near it you interact with it.
Very, very, few applications really require remote access vs proximity based access.
I don't find bluetooth headphones, speakers and mice to always reliably and robustly connect. Several times a month the solution is to force a re-pairing. An informal poll amongst friends and colleagues shared the same experiences.
When bluetooth works, it works well. But the failures are very difficult to diagnose and address. Those are what the calls will be about and why they will be lengthy.
wifi gives the device a direct connection to/from the internet. Bluetooth stops that outright, and the application code decides which Bytes get sent to the device.
But i guess if there was a patch to WiFi which gave it a LAN connection only then that'd be cool.
You mean from POV of the smartphone? Fair enough. Though you can route Internet over Bluetooth too. So forcing devices to use BT is not a solution simply because it'll make the devices to ask for Internet connection over BT.
The devices themselves should not need Internet connection, period.
Much like rooting mobile phones to get around restrictions on how you can use them. Problem might be that the IoT market is not as concentrated into two or three products. So you would need to have the know-how to lobotomize across many products.
The ecosystem is going to be huge, so focusing on larger companies, with classical appliance lines (fridge, toaster, TV), that open source their firmware makes sense.
Within a certain product line code gets reused often, so you could work with specific product lines.
Also it really depends on how far you want to go with this and what options the firmware gives you to work with.
The consumer market desires cheap, fast, and push button easy solutions. The manufacturers have to comply, and due to technological and financial constraints they opt to open up ports and use fixed default passwords. It's not going to change until the consumer is aware of the risks, and I can't imagine that happening soon. We might see 100m node botnets before that.
It doesn't desire that in a vacuum, it's been heavily marketed to. Meanwhile there is no marketing to try and extol the value of not connecting your toaster, because of course, that doesn't sell more toasters.
They don't have to do shit. They chose it themselves. IoT market is pretty much pure marketing/hype creation. Current solutions don't make any sense, and are pushed to people who don't understand it.
There are deeper problems here though. Current smartphone model doesn't make any sense either, but this is something even many techies are blind about. Like apps, third of which shouldn't exist in the first place, and another third should be OS-level components. Interoperability sucks because everyone is trying to make a lock-in business out of their small part in the solution.
But I'm just a grumpy techie myself. Until the world gets its shit together (i.e. never), I'll continue to build my smart home out of Raspberry Pis and DIY components, while also telling everyone to avoid anything that's done over cloud.
That's probably what GP is implying, because that's how it works. More and more devices require Internet connectivity for no real reason except ensuring vendor's business.
See e.g. a laser cutter featured once on HN, that offloaded its basic computations to my butt, turning it into $2000-worth big paperweight if you lost your Internet connection.
I mean, I understand that people need to make money, but some of the business models today are so user-hostile that it's no longer funny.
> Are you saying these appliances don't work at all without internet connectivity?
Yep. Can't use my Vizio Smartcast TV without connecting it to the internet for 10 hours of updates. Can't use my Nexus 5 without connecting it to the internet to upload my identity to Google.
The article is taking a rather lack stance against manufacturers with words like "ability" and "interest":
> The IoT is expanding faster than device makers’ interest in cybersecurity
This is just pure bullshit. It has nothing to do with 'expanding' or 'interest' or 'ability'. This type of security has nothing to do with the scale at which it has it deing deployed or growing.
The fact of the matter is that manufacturers are too cheap to provide decent security. This is a profit problem. And dancing around the issue by the media is just weak-ass journalism.
The solution is simple: The government holds them accountable for creating shoddy products. The companies creating these products pay for the damages done. It's really this simple.
Unfortunately, the U.S seems to have this completely unhealthy obsession with keeping the government impotent and companies powerful at the expense of the people. And not just the american people, but the entire world.
Baiscally the only hope we have at this point is the European Union.
There is a solution, and it's called "government" and "law". No, really. We've been dealing with people who don't care from the very dawn of civilization. There's a reason societies always end up creating governments and regulations, and it's precisely that reason.
And they could sue the manufacturer, for selling them a device not fit for use? Exactly how much would each party sue the other for? The damage only takes place in aggregate, when hundreds of thousands of devices become part of a botnet.
Or, how about instead of drowning in lawsuit chains over pennies, we establish some basic rules about how commercial devices connected to the internet are allowed to behave.
That's how this problem is solved by every other industry that manufactures devices that are dangerous when used correctly. Software isn't a special snowflake.
The proposal was mostly tongue-in-cheek. That said, I'm not sure the problem is solved in other industries - there's been plenty of unsafe electrical devices being sold to western markets, for example. It's just hard to police this stuff.
That's a viable solution. Except that it relies on an implicit: The end user must be able to identify the shit devices.
We could help that right away, by bricking all the vulnerable IoT devices. The media will then inform of what manufacturers and models were affected :D
This solution depends on people following it voluntarily, which means it's a bad solution because people don't work like that at scale. Want to coordinate people? You need to change incentives - either encourage them to not buy shit, or discourage them from buying it. The way it's usually done is by fining people selling shit, fining people using shit to do damage, and fining people creating shit so that shit doesn't get created. Ergo, government solution. It should work for IoT just like it works for every appliance you use at home that could technically burn your house down, but somehow it doesn't.
There is no solution where the government is involved. The world is not that place yet, where some government can hold any company in any country accountable for something.
Still, don't worry about it, global ISP market is huge and very competitive, it's in their best interest to solve the problem, once it becomes one. We've been there before with "big and scary" ddoses from five years ago.
The solution is simple: The government holds them accountable for creating shoddy products. The companies creating these products pay for the damages done. It's really this simple.
Which government? The US government, which is the representative body for the affected victims? The Chinese government, which is the representative body for the manufacturer? The different governments of the countries where the actual devices were in use and where the actual traffic came from?
Right now it's considered a tour-de-force of international cooperation when police agencies from two different countries can cooperate enough to arrest scammers who were pretending to be IRS agents over the phone and were doing real damage to peoples' lives. (http://arstechnica.com/tech-policy/2016/10/cops-arrest-hundr...)
Unfortunately, the U.S seems to have this completely unhealthy obsession with keeping the government impotent and companies powerful at the expense of the people. And not just the american people, but the entire world.
Americans understand that even well-intentioned laws and regulations can ultimately be used against citizens and consumers through regulatory-capture. These are all rules being set by democratic states, yes, but dilution-of-interest is a real thing and very few people vote for a president or prime minister based on their telecommunications policy.
I would rather the government just butts-out unless peoples' lives are at risk.
> Which government? The US government, which is the representative body for the affected victims? The Chinese government, which is the representative body for the manufacturer? The different governments of the countries where the actual devices were in use and where the actual traffic came from?
Do it the same way you handle contaminated food, appliances that cause fire and sales of illegal goods. Fine/jail the locals selling dangerous crap, and leverage international law to move against the people who manufacture it. There need to be safety and security standards developed, just as they are for almost everything else you buy.
Do it the same way you handle contaminated food, appliances that cause fire and sales of illegal goods. Fine/jail the locals selling dangerous crap
Were any of these being sold in the US?
and leverage international law to move against the people who manufacture it.
International law really doesn't work the way you think it does. International law, that most diaphanous of concepts and most nebulous of efforts, is just barely effective enough to prevent the sale of materials used in the manufacture of nuclear weapons. $30 IoT routers that can be used to attack silicon valley internet companies isn't on anyone's radar.
And what does move against mean? Fines? Jail time? How long will it take to convince anyone to agree to that? Would anyone even agree on a dollar figure for damages? What was damaged here? Was any equipment broken? Was anyone killed?
There need to be safety and security standards developed, just as they are for almost everything else you buy
This makes sense, but I think it's a long road. Safety standards are imposed and enforced at a national, not an international level, except to harmonize regulations (not unify enforcement!) in some cases. And packets don't respect national boundaries.
I don't think regulation is tractable in this case. I think all we've got is technical solutions or 'internet governance', much like how everyone knows not to allow open mail servers on their networks anymore.
> Safety standards are imposed and enforced at a national, not an international level
That's simply untrue. The European Union and its predecessors have for decennia regulated safety standards of products on an international level.
The entire framework that would be required for regulating security standards on electronic equipment is already in place. It already operates on a global scale. Try looking at some of the packages (or stickers on larger electronics) and look for the CE mark. That's the Conformité Européenne
stamp of approval. We can easily include security in there.
That's simply untrue. The European Union and its predecessors have for decennia regulated safety standards of products on an international level.
Untrue?
Let me know when the United States and China have joined the European Union.
The entire framework that would be required for regulating security standards on electronic equipment is already in place. It already operates on a global scale. Try looking at some of the packages (or stickers on larger electronics) and look for the CE mark. That's the Conformité Européenne stamp of approval. We can easily include security in there.
That's absolutely crazy.
CE can regulate electrical and physical safety because Frenchmen die from roughly the same electrical voltages as Englishmen. There's just not much argument about this, and it doesn't apply to goods not sold in the EU anyways.
Who really agrees about computer security? Really? An open telnet port is BAD. What about an ssh port using a shared key that doesn't require a password reset? What if the network stack hasn't been audited? What about a web interface? Is that secure?
Computer security is so much more complicated and so much more nebulous than electrocuting Frenchmen. And you want to hammer out standards for this at the UN or the OECD or some other body that interfaces to national police? That's insane and it's going to turn into some horrible OSI-esque regulatory Frankenstein monster.
The CE mark isn't a stamp of approval from a regulatory body. It's a claim made by the manufacturer of the product, a claim that says "yes sure we follow these european rules". Anybody can put that stamp on their product. Now do they actually meet the regulations?
There is no international, let alone global "police" checking these products' conformity before they enter the market. In different countries, there are local authorities who might make random inspections, potentially exposing a fraction of the products that do not actually meet the regulations.
True. In case of CE, ensuring that CE-declared products are actually compliant is the responsibility of each EU's member state. They do this mostly on case-by-case basis - and citizens are free to report violations of conformity. So in case that e.g. my CE-labeled charger catches fire, I can report it to appropriate authority, which will then investigate and is free to fine and/or jail the manufacturer (if local) or the importer if the product is found to be non-conforming and is a safety threat.
So yeah, CE may be a self-certification stamp, but if you put one on your product, you open yourself for legal actions if your product doesn't conform to the appropriate standards. Extending this to cover networking safety aspects of devices is the minimum I hope regulators will do.
Well, I think we need less regulation and more accessibility of the technology deployed in this space (e.g. fewer black boxes, more OSS). Regulation, no matter how stringent, can't change the fact that all software breaks eventually. Over regulation of the IoT market will tilt the game in favor of larger players and then leave us vulnerable to their SPOFs. See the recent shadow brokers leaks for some fine examples.
[Edit] perhaps I should add that if any regulation is deployed in this space, its that an IoT device manufacturer must release their source in a publicly accessible manner... end users must be able to patch beyond the support lifetime.. etc.
> end users must be able to patch beyond the support lifetime
That's the kind of thing that gives regulation a bad name.
One of the worst ways an IoT device can get hacked is if it's reflashed with malicious firmware that then can't be reflashed back. You've got a permanent backdoor that requires trashing the device and a lot of users won't throw away a device that still works (for them) even if they know it's infected with something that causes problems (for someone else). That's real money.
A simple way to fix that is locked bootloaders that only runs signed code. Then even if the running image gets hacked, a reboot fixes it and at least the device can't be irreversibly hacked.
A regulation like the one you propose would presumably make signature-locked firmware illegal, or at best, require the checks to be disabled after a certain date (which then requires secure clocks: more stuff to go wrong). It's the sort of thing that sounds good but can cause more problems than it solves, which is the typical problem of regulation.
Very much agreed and good points all around. My proposal wasn't nearly as technically nuanced as such a proposal should be. I suppose I should fall back to my main argument which is that no such proposal can be at this point. Hence regulation will just be a source of burden on everyone involved, except those with deep enough pockets to use those regulations to turn a profit.
> The fact of the matter is that manufacturers are too cheap to provide decent security.
Out of curiosity, imagine I decided to do a Linux based IOT device today. What liberally licensed reasonably mature security and updater framework would I use?
I can find numerous competing communication frameworks, but nothing around doing updates or the higher level platform. It looks like this has to be re-invented by each IOT vendor, which is going to be a lot of work.
We live in an age equivalent to the great Pollution period of industrial revolution. Where any crap steam engine or boiler was built as long as its golden path worked. Boiler explosions killed thousands and damaged businesses for decades. Smog killed perhaps hundreds of thousands - and only government regulation reeled it in.
But we have proved awful at building service based global regulations - TTIP is barely limping now and there is little expectation that "free open global internet" is going to be rallying cry to save the agreements.
I would like to see a framework where the user owns root and so is responsible for the upkeep but the manufacturer is obliged to provide ten years worth of patches for anything sold - or provided funding to an open development process to supply patches and updates.
Routers should be adapting to growing IoT. The ability to easily prevent Internet access or access to certain country IP pools like China. A really easy way to manage routers e.g. through an app will help mitigate the threat somewhat. But it would require a unified API or some sort and not installing CF.
Routers are a joke. Did I ever tell how my current solution at home fetches the DHCP leases (to get the list of devices connected to the network)?
Basically, to access the data you need to send an auth token along with request. How can you get such a token? By logging in, of course. Or, by firing your request anyway, which will cause the router to return you an error page with a cookie containing the auth token you need.
The horizontal progress indicator on this page is funny (a blue strip on the bottom if you look). It looks like it's moving from left to right to meet the scroll bar which is going from top to bottom.
Several online publications have used this web design pattern and it confuses me. What's wrong with looking to the scroll bar position to know how much text is left on a page?
There should be government organization currently responsible for data security. Unfortunately, with the proposed leadership options for the White House, I don't think this will be a priority. The FCC is too concerned with rationing out the electromagnetic spectrum. I doubt UL and CE has enough resources to step up here.
For the device makers who want to provide a secure interface to their cloud servers, I think platform and infrastructure providers should set out an easy to adopt standard that any device maker can follow. The expectations on getting a device to market is already so high that small companies typically do not invest in data security.
The incentive to adopt the security best practices could come from retailers. Retailers who only stock products with this standard would save on returns / lawsuits. In the coming year, DDOS attacks are the least of their worries if hackers can commandeer devices that see into people's homes and monitor people's lives.
ISPs could provide seed funding for UL to spin up a certification for connected smart devices. They certainly have the resources and are kind of mixed up in the problem already.
Couldn't a smarter home router solve a lot of this? Only allow reasonable outbound traffic to whitelist ? Or black hole a lot of the internet for untrusted devices?
Many manufacturers incur liability for their products' defects. How do IoT manufacturers get away without incurring such liability? Is it because the EULAs users sign are airtight? Is it because they are overseas companies? Is it because they are small and would just close up shop if they got sued? Is each incident so tiny that it does not make sense to sue (what about class-actions or ultimate-victim-initiated actions?)
Not that I'm proposing litigation as a solution here, but I don't understand what makes IoT manufacturers so different.
I think there is a great use case for open source software running on our IoT devices, where we are cognizant of features, security and implication of updates. I predict this will be more commonplace in the next 5 years.
At present, we are so blissfully unaware of what runs on our devices that it is scary.
Does anyone know if there are ongoing efforts to reign this in? Like a standards working group for a UL-like certification process for IoT security?
Maybe a group like the Linux Foundation or Core Infrastructure Initiative could take this on and lay out some goals for IoT manufacturers to aspire to (product update guarantees, secure communication, secure coding practices, signed firmware...)
One of the biggest problems now is the free-for-all nature of developing IoT products. Though I personally don't see a complete solution unless there is regulation or a government agency like the FTC steps in. I view this as kinda similar to bans on other not-immmediately-visibly-harmful things like CFCs.
But I don't see them having any traction themselves to get started. I think if the industry developed a standard certification process they could latch on and help manufacturers and distributors solve the problem.
63 comments
[ 3.3 ms ] story [ 130 ms ] threadI find this whole iot thing very frustrating as a consumer.
I'm assuming you always remember?
its easier on the customer and developer for there to be a passwordless local protocol.
I think how the wireless Apple headphones pair is how all these iot devices should be paring with your smartphone. Then its a if you are near it you interact with it.
Very, very, few applications really require remote access vs proximity based access.
When bluetooth works, it works well. But the failures are very difficult to diagnose and address. Those are what the calls will be about and why they will be lengthy.
But i guess if there was a patch to WiFi which gave it a LAN connection only then that'd be cool.
The devices themselves should not need Internet connection, period.
Other than that, most every appliance you can get non internet options. In fact, internet options are rarer / premium items
I am seriously thinking there might be a market for lobotomizing smart appliance. Niche market, but still.
The ecosystem is going to be huge, so focusing on larger companies, with classical appliance lines (fridge, toaster, TV), that open source their firmware makes sense.
Within a certain product line code gets reused often, so you could work with specific product lines.
Also it really depends on how far you want to go with this and what options the firmware gives you to work with.
They don't have to do shit. They chose it themselves. IoT market is pretty much pure marketing/hype creation. Current solutions don't make any sense, and are pushed to people who don't understand it.
There are deeper problems here though. Current smartphone model doesn't make any sense either, but this is something even many techies are blind about. Like apps, third of which shouldn't exist in the first place, and another third should be OS-level components. Interoperability sucks because everyone is trying to make a lock-in business out of their small part in the solution.
But I'm just a grumpy techie myself. Until the world gets its shit together (i.e. never), I'll continue to build my smart home out of Raspberry Pis and DIY components, while also telling everyone to avoid anything that's done over cloud.
See e.g. a laser cutter featured once on HN, that offloaded its basic computations to my butt, turning it into $2000-worth big paperweight if you lost your Internet connection.
I mean, I understand that people need to make money, but some of the business models today are so user-hostile that it's no longer funny.
Yep. Can't use my Vizio Smartcast TV without connecting it to the internet for 10 hours of updates. Can't use my Nexus 5 without connecting it to the internet to upload my identity to Google.
> The IoT is expanding faster than device makers’ interest in cybersecurity
This is just pure bullshit. It has nothing to do with 'expanding' or 'interest' or 'ability'. This type of security has nothing to do with the scale at which it has it deing deployed or growing.
The fact of the matter is that manufacturers are too cheap to provide decent security. This is a profit problem. And dancing around the issue by the media is just weak-ass journalism.
The solution is simple: The government holds them accountable for creating shoddy products. The companies creating these products pay for the damages done. It's really this simple.
Unfortunately, the U.S seems to have this completely unhealthy obsession with keeping the government impotent and companies powerful at the expense of the people. And not just the american people, but the entire world.
Baiscally the only hope we have at this point is the European Union.
Unfortunately, my neighbour did, and now his toaster is used as part of a DDOS attack against a critical piece of internet infrastructure.
How does your solution help?
Or, how about instead of drowning in lawsuit chains over pennies, we establish some basic rules about how commercial devices connected to the internet are allowed to behave.
That's how this problem is solved by every other industry that manufactures devices that are dangerous when used correctly. Software isn't a special snowflake.
We could help that right away, by bricking all the vulnerable IoT devices. The media will then inform of what manufacturers and models were affected :D
Still, don't worry about it, global ISP market is huge and very competitive, it's in their best interest to solve the problem, once it becomes one. We've been there before with "big and scary" ddoses from five years ago.
Which government? The US government, which is the representative body for the affected victims? The Chinese government, which is the representative body for the manufacturer? The different governments of the countries where the actual devices were in use and where the actual traffic came from?
Right now it's considered a tour-de-force of international cooperation when police agencies from two different countries can cooperate enough to arrest scammers who were pretending to be IRS agents over the phone and were doing real damage to peoples' lives. (http://arstechnica.com/tech-policy/2016/10/cops-arrest-hundr...)
Unfortunately, the U.S seems to have this completely unhealthy obsession with keeping the government impotent and companies powerful at the expense of the people. And not just the american people, but the entire world.
Americans understand that even well-intentioned laws and regulations can ultimately be used against citizens and consumers through regulatory-capture. These are all rules being set by democratic states, yes, but dilution-of-interest is a real thing and very few people vote for a president or prime minister based on their telecommunications policy.
I would rather the government just butts-out unless peoples' lives are at risk.
Do it the same way you handle contaminated food, appliances that cause fire and sales of illegal goods. Fine/jail the locals selling dangerous crap, and leverage international law to move against the people who manufacture it. There need to be safety and security standards developed, just as they are for almost everything else you buy.
Were any of these being sold in the US?
and leverage international law to move against the people who manufacture it.
International law really doesn't work the way you think it does. International law, that most diaphanous of concepts and most nebulous of efforts, is just barely effective enough to prevent the sale of materials used in the manufacture of nuclear weapons. $30 IoT routers that can be used to attack silicon valley internet companies isn't on anyone's radar.
And what does move against mean? Fines? Jail time? How long will it take to convince anyone to agree to that? Would anyone even agree on a dollar figure for damages? What was damaged here? Was any equipment broken? Was anyone killed?
There need to be safety and security standards developed, just as they are for almost everything else you buy
This makes sense, but I think it's a long road. Safety standards are imposed and enforced at a national, not an international level, except to harmonize regulations (not unify enforcement!) in some cases. And packets don't respect national boundaries.
I don't think regulation is tractable in this case. I think all we've got is technical solutions or 'internet governance', much like how everyone knows not to allow open mail servers on their networks anymore.
That's simply untrue. The European Union and its predecessors have for decennia regulated safety standards of products on an international level.
The entire framework that would be required for regulating security standards on electronic equipment is already in place. It already operates on a global scale. Try looking at some of the packages (or stickers on larger electronics) and look for the CE mark. That's the Conformité Européenne stamp of approval. We can easily include security in there.
Untrue?
Let me know when the United States and China have joined the European Union.
The entire framework that would be required for regulating security standards on electronic equipment is already in place. It already operates on a global scale. Try looking at some of the packages (or stickers on larger electronics) and look for the CE mark. That's the Conformité Européenne stamp of approval. We can easily include security in there.
That's absolutely crazy.
CE can regulate electrical and physical safety because Frenchmen die from roughly the same electrical voltages as Englishmen. There's just not much argument about this, and it doesn't apply to goods not sold in the EU anyways.
Who really agrees about computer security? Really? An open telnet port is BAD. What about an ssh port using a shared key that doesn't require a password reset? What if the network stack hasn't been audited? What about a web interface? Is that secure?
Computer security is so much more complicated and so much more nebulous than electrocuting Frenchmen. And you want to hammer out standards for this at the UN or the OECD or some other body that interfaces to national police? That's insane and it's going to turn into some horrible OSI-esque regulatory Frankenstein monster.
There is no international, let alone global "police" checking these products' conformity before they enter the market. In different countries, there are local authorities who might make random inspections, potentially exposing a fraction of the products that do not actually meet the regulations.
So yeah, CE may be a self-certification stamp, but if you put one on your product, you open yourself for legal actions if your product doesn't conform to the appropriate standards. Extending this to cover networking safety aspects of devices is the minimum I hope regulators will do.
[Edit] perhaps I should add that if any regulation is deployed in this space, its that an IoT device manufacturer must release their source in a publicly accessible manner... end users must be able to patch beyond the support lifetime.. etc.
That's the kind of thing that gives regulation a bad name.
One of the worst ways an IoT device can get hacked is if it's reflashed with malicious firmware that then can't be reflashed back. You've got a permanent backdoor that requires trashing the device and a lot of users won't throw away a device that still works (for them) even if they know it's infected with something that causes problems (for someone else). That's real money.
A simple way to fix that is locked bootloaders that only runs signed code. Then even if the running image gets hacked, a reboot fixes it and at least the device can't be irreversibly hacked.
A regulation like the one you propose would presumably make signature-locked firmware illegal, or at best, require the checks to be disabled after a certain date (which then requires secure clocks: more stuff to go wrong). It's the sort of thing that sounds good but can cause more problems than it solves, which is the typical problem of regulation.
Out of curiosity, imagine I decided to do a Linux based IOT device today. What liberally licensed reasonably mature security and updater framework would I use?
I can find numerous competing communication frameworks, but nothing around doing updates or the higher level platform. It looks like this has to be re-invented by each IOT vendor, which is going to be a lot of work.
Heck even just trying to do SSL on a LAN is very difficult - https://news.ycombinator.com/item?id=11956088
We live in an age equivalent to the great Pollution period of industrial revolution. Where any crap steam engine or boiler was built as long as its golden path worked. Boiler explosions killed thousands and damaged businesses for decades. Smog killed perhaps hundreds of thousands - and only government regulation reeled it in.
But we have proved awful at building service based global regulations - TTIP is barely limping now and there is little expectation that "free open global internet" is going to be rallying cry to save the agreements.
I would like to see a framework where the user owns root and so is responsible for the upkeep but the manufacturer is obliged to provide ten years worth of patches for anything sold - or provided funding to an open development process to supply patches and updates.
http://arstechnica.com/security/2016/08/nsa-linked-cisco-exp...
Basically, to access the data you need to send an auth token along with request. How can you get such a token? By logging in, of course. Or, by firing your request anyway, which will cause the router to return you an error page with a cookie containing the auth token you need.
That's just... ¯\_(ツ)_/¯.
Several online publications have used this web design pattern and it confuses me. What's wrong with looking to the scroll bar position to know how much text is left on a page?
For the device makers who want to provide a secure interface to their cloud servers, I think platform and infrastructure providers should set out an easy to adopt standard that any device maker can follow. The expectations on getting a device to market is already so high that small companies typically do not invest in data security.
The incentive to adopt the security best practices could come from retailers. Retailers who only stock products with this standard would save on returns / lawsuits. In the coming year, DDOS attacks are the least of their worries if hackers can commandeer devices that see into people's homes and monitor people's lives.
Not that I'm proposing litigation as a solution here, but I don't understand what makes IoT manufacturers so different.
Wait for an attack to Brick the vulnerable IoT devices and then the class actions will begin :D
At present, we are so blissfully unaware of what runs on our devices that it is scary.
Maybe a group like the Linux Foundation or Core Infrastructure Initiative could take this on and lay out some goals for IoT manufacturers to aspire to (product update guarantees, secure communication, secure coding practices, signed firmware...)
One of the biggest problems now is the free-for-all nature of developing IoT products. Though I personally don't see a complete solution unless there is regulation or a government agency like the FTC steps in. I view this as kinda similar to bans on other not-immmediately-visibly-harmful things like CFCs.
But I don't see them having any traction themselves to get started. I think if the industry developed a standard certification process they could latch on and help manufacturers and distributors solve the problem.