Ask HN: Can we solve device security without regulation?

4 points by nitrogen ↗ HN
We've seen an awful lot of stories about various IoT and Smart devices being hacked and used to spread malware, DDoS, and more in the past year. We also talk a lot about better languages and tooling to help prevent vulnerabilities. There has been talk of legislation or regulation to address clear market failures.

As someone whose own startup's devices took longer to develop and ultimately failed in the market due in part to my deep concern for security and code quality (there were lots of other reasons), I welcome some kind of change in developer and manufacturer culture toward strong and effective security. But as we all know, the legal system's past track record is very poor when it comes to technology, and regulation or legislation can have unintended and burdensome consequences that might make it impossible for independent developers, contractors, or startups to enter the market ever again.

So now I have to ask, are there any behind-the-scenes efforts currently underway to draft and propose regulation or legislation that would address all security concerns and protect consumers, while keeping our industry as accessible to newcomers as possible? How can we make sure that if/when governments finally react to the security situation, it's done in a developer- as well as consumer-friendly way? Is there some kind of industry association alternative that could produce voluntary compliance with security best practices, without turning those best practices into a meaningless and ineffective CYA liability shield? Is there any way to make sure that attention is focused on the real issues, instead of placebos meant to appear to be "doing something", or worse, blanket ban all new classes of technology like IoT, cryptocurrencies, etc.?

3 comments

[ 4.0 ms ] story [ 18.2 ms ] thread
Maybe we could create some voluntary logo program, like the old EnergyStar program, that could show that a device meets basic UI/UX standards and has adequate security? Like, all UI actions must respond or display a progress bar within 60ms, device must boot within 5s for dumb display, 10s for smart features, device must not use UPnP to open ports, device must not have default passwords, and so on?
We can't solve device security, period. Regulation isn't going to help and effective regulation would be way too costly.
I would love to see a series of pass-through "device filters" manufactured by a third party.

When purchased, they can be configured to designate what is attached and then they would regularly connect to the filter service to get updated definitions.

For instance, the inline filter could be purchased to be placed in between a router and a smart TV hooked up via ethernet. Then the owner configures the filter and selects the exact TV manufacturer and model that is attached.

The filter device would then connect to the filter service on a regular basis to get the rulesets for that specific model of TV. The rulesets could filter incoming traffic, outgoing traffic, apply whitelists or blacklists, etc.

Basically, inexpensive device-specific firewalls.