Thanks for the thoughtful reply. I encourage you to file an official comment with your ideas.
Thank you for this detailed feedback. In the long-run, it's worth asking whether a business that doesn't make money once externalities have been internalized is a business worth having. But this is a voluntary program,…
One my favorite IoT botnet scenarios is an attacker taking control of thousands of ovens/air conditions/other high-wattage devices and using them to cause power outages.…
Good question. There's some discussion in this thread https://news.ycombinator.com/item?id=37395218
I think you're right that it would be difficult for the FCC to precisely define exactly when security updates are required. This is a problem in law generally, one that is usually resolved by imposing a reasonableness…
It's a voluntary label, so it's open to competition from other standard-setting organizations. When it comes to mandatory regulations generally, our office thinks that broad standards that are used to hold people…
I think if the box says updates until the beginning of 2025, and they've stopped providing updates before then, you have a pretty good contract lawsuit against them. You'd have to show that their failure to issue a…
These are all great points and maybe a good reason why a voluntary program like this is the way to start, so a higher-tier of secure products can begin to emerge. We would also love to see the emergence of platforms…
Thanks for this thoughtful feedback. I encourage you to file an official comment, especially regarding end-user control of update timing. Maybe my response here https://news.ycombinator.com/item?id=37394935 addresses…
This will be a completely optional program. And the proposal is that even for participants of the program, they just have to disclose the update period, whatever it may be (could be zero-length).
This is something that has us worried too. The FCC took some action on this issue last year by outright banning equipment from certain companies (e.g. Huawei), but we haven't even scratched the surface of this pervasive…
I encourage you to file a comment suggesting this. It's actually not irrelevant. The FCC is free to decide that the label (which can include a QR code linking to more information) must include information about cameras…
Hi, the short of it is that I decided to go to law school and then looked for jobs focusing on cybersecurity. If you're interested in jumping over to law, I'm happy to talk about it more. You can find my email in the…
This is being proposed as a completely voluntary program. No need to participate in it if you don't want an FCC cybersecurity label on your product.
If you think stronger action is needed, please share it through an official comment. Even if we don't do what you suggest, thoughtful comments really do influence the rulemaking process. As an aside, it's worth…
>I've purchased equipment, new in the box, after the mfg had discontinued support. Exactly the kind of thing that sounds crazy but still happens. >1. Final date the manufacturer will provide firmware updates & security…
The general rule in tort is that you need physical injury or physical destruction of property to sustain a lawsuit. There's exceptions at the edges of that, but you basically can't sue a device manufacturer for crummy…
Good question. The Notice of Proposed Rulemaking has a Legal Authority section that discusses this issue https://www.fcc.gov/document/fcc-proposes-cybersecurity-labe.... I also touch on it here…
Maybe the presence or absence of this capability could be something disclosed on the label? It's an idea worth thinking about. I encourage you to file a comment with your thoughts on the matter. You probably want to…
Thank you for these thoughtful points. Some relevant responses from other threads: From https://news.ycombinator.com/item?id=37394188 : I think you're right that it would be difficult for the FCC to precisely define…
>And since this is HN - there is a startup hidden in the midst of all of this: an enterprise-grade IoT OS that "does security right." Sell to the device manufacturers, allow them to market it as "enterprise-ready" or…
These could be great suggestions for the criteria a product must meet to quality for a label. I encourage you to file an official comment with your thoughts.
In the 2010s, the FCC began enforcement proceedings against more than one hotel chain for using Wi-Fi deauthentication attacks against guests using their own Wi-Fi hotspots instead of the official hotel Wi-Fi networks.…
Thanks for the thoughtful reply. I encourage you to file an official comment with your ideas.
Thank you for this detailed feedback. In the long-run, it's worth asking whether a business that doesn't make money once externalities have been internalized is a business worth having. But this is a voluntary program,…
One my favorite IoT botnet scenarios is an attacker taking control of thousands of ovens/air conditions/other high-wattage devices and using them to cause power outages.…
Good question. There's some discussion in this thread https://news.ycombinator.com/item?id=37395218
I think you're right that it would be difficult for the FCC to precisely define exactly when security updates are required. This is a problem in law generally, one that is usually resolved by imposing a reasonableness…
It's a voluntary label, so it's open to competition from other standard-setting organizations. When it comes to mandatory regulations generally, our office thinks that broad standards that are used to hold people…
I think you're right that it would be difficult for the FCC to precisely define exactly when security updates are required. This is a problem in law generally, one that is usually resolved by imposing a reasonableness…
I think if the box says updates until the beginning of 2025, and they've stopped providing updates before then, you have a pretty good contract lawsuit against them. You'd have to show that their failure to issue a…
These are all great points and maybe a good reason why a voluntary program like this is the way to start, so a higher-tier of secure products can begin to emerge. We would also love to see the emergence of platforms…
Thanks for this thoughtful feedback. I encourage you to file an official comment, especially regarding end-user control of update timing. Maybe my response here https://news.ycombinator.com/item?id=37394935 addresses…
This will be a completely optional program. And the proposal is that even for participants of the program, they just have to disclose the update period, whatever it may be (could be zero-length).
This is something that has us worried too. The FCC took some action on this issue last year by outright banning equipment from certain companies (e.g. Huawei), but we haven't even scratched the surface of this pervasive…
I encourage you to file a comment suggesting this. It's actually not irrelevant. The FCC is free to decide that the label (which can include a QR code linking to more information) must include information about cameras…
Hi, the short of it is that I decided to go to law school and then looked for jobs focusing on cybersecurity. If you're interested in jumping over to law, I'm happy to talk about it more. You can find my email in the…
This is being proposed as a completely voluntary program. No need to participate in it if you don't want an FCC cybersecurity label on your product.
If you think stronger action is needed, please share it through an official comment. Even if we don't do what you suggest, thoughtful comments really do influence the rulemaking process. As an aside, it's worth…
>I've purchased equipment, new in the box, after the mfg had discontinued support. Exactly the kind of thing that sounds crazy but still happens. >1. Final date the manufacturer will provide firmware updates & security…
The general rule in tort is that you need physical injury or physical destruction of property to sustain a lawsuit. There's exceptions at the edges of that, but you basically can't sue a device manufacturer for crummy…
Good question. The Notice of Proposed Rulemaking has a Legal Authority section that discusses this issue https://www.fcc.gov/document/fcc-proposes-cybersecurity-labe.... I also touch on it here…
Maybe the presence or absence of this capability could be something disclosed on the label? It's an idea worth thinking about. I encourage you to file a comment with your thoughts on the matter. You probably want to…
Thank you for these thoughtful points. Some relevant responses from other threads: From https://news.ycombinator.com/item?id=37394188 : I think you're right that it would be difficult for the FCC to precisely define…
>And since this is HN - there is a startup hidden in the midst of all of this: an enterprise-grade IoT OS that "does security right." Sell to the device manufacturers, allow them to market it as "enterprise-ready" or…
These could be great suggestions for the criteria a product must meet to quality for a label. I encourage you to file an official comment with your thoughts.
In the 2010s, the FCC began enforcement proceedings against more than one hotel chain for using Wi-Fi deauthentication attacks against guests using their own Wi-Fi hotspots instead of the official hotel Wi-Fi networks.…
I think you're right that it would be difficult for the FCC to precisely define exactly when security updates are required. This is a problem in law generally, one that is usually resolved by imposing a reasonableness…