Experts to Congress: You must act on IoT security. Congress: Encourage industry to develop best practices, you say?

Congress provided a masterclass in selective hearing Wednesday when urged by experts to do something about the increasing risk posed by poor IoT security. At a session of the House's Energy and Commerce Committee into last month's attack on DNS provider Dyn that caused widespread disruption to online services, several security …


  1. Tomato42
    Flame

    > to develop best practices that would "not hinder innovation."

    aren't business process patents already valid in the US of A?

    1. Destroy All Monsters Silver badge

      No farting in church!

  2. ratfox
    Devil

    The S in IoT is for security

    There are many years of Wild West to come.

  3. Anonymous Coward
    Anonymous Coward

    Some hope...

    We still haven't killed Flash, Silverlight or Java.

    What chance of jumping on this steaming pile of ever growing turd-fest?

    1. Anonymous Coward
      Anonymous Coward

      Re: Some hope...

      Corrections

      > Cheap and cheerful, negative externality-exporting ActiveX is dead (is it? is it? at least in the browser, then?) Combined with cheap and cheerful, negative externality-exporting Internet Explorer and cheap and cheerful, negative externality-exporting Windows it was the cancer-creating Cannibal Nonhumanoid Internet Dweller.

      > Flash is being "killed" by being replaced by HTML5 gimmicks and none too fast. We need a postmortem analysis paper on what went wrong. Will the new gimmick implementations be more secure? Time will tell.

      > Silverlight is still being pushed by Microsoft in spite of the dev team having been gassed (AFAIK). No-one is convinced, luckily. The last time I encountered it was for streaming a 2016 mathematics conference in Potsdam. Good work, Microsoft salesdroid - your next target will be children with disabilities, here is a jar of candies.

      > Java Applets are rare, rare, rare. Good. But Java itself is alive and well, as it should be. Hapless civilians who can't distinguish between the two are unfortunately plentiful. I still don't know why the "Applets" turned out to be so hackable, the sandbox idea was absolutely the right thing to do. Even more so as the idea was from 1995 (good times, anyone remember Inferno/Limbo?)! The goal initially was to shift code over the Internet to the computing nodes (why anyone would do that outside of the context of HPC, where it is easier to move the program to the data than the reverse, will remain a mystery). Additionally you can have jar signing. And you are running the code on a VM, not the bare metal. You can't do much better, the next step in security is a complete virtual machine. Breakouts may have been possible because of bad API choices and cross-abstraction attacks on the JVM (aka "optimizing the byte code verifications"), and likely because a lot of changes occurred between simple Java 1.1 and Java 8. Need another postmortem paper.

      > JavaScript. Oh boy, oh boy. A dynamically typed, global-variable demanding language originally meant to write quick 10-line hacks running unprotected code that comes from $deity knows where in complexified browsers using code-optimizing engines underneath? NoScript and at least TypeScript, please! And probably QubesOS, too. The people interested in IoT also happen to often be the people interested in JavaScript. We are looking at a combination from hell.

      > Native code in the browser: Get off my lawn!!

      1. This post has been deleted by its author

  4. Anonymous Coward
    Trollface

    You see, these IT security experts approached this testimony in the wrong way...

    Now, if before testifying Schneier and Co. had hired DDoS R' Us to take down U.S. political fundraising websites, THAT would have engendered a sufficient sense of urgency.

    1. ecofeco Silver badge

      Re: You see, these IT security experts approached this testimony in the wrong way...

      Sad but true.

    2. You aint sin me, roit

      Re: You see, these IT security experts approached this testimony in the wrong way...

      John Hinckley Jr.'s attempted assassination of Reagan did nothing for gun control...

      In this new Trump world they should have stressed American jobs for Americans...

      "Them Chinese don't know security, we do... make good security a legal requirement and they can't sell into the US market. We can. Even when they catch up and can add security they will become less competitive. In the meantime we establish US brands and sell to those liberal Europeans who will be demanding security regulation!"

      Doesn't matter if it's true or not, it plays on their fears and aspirations. Isn't that what Trump taught us?

      1. Destroy All Monsters Silver badge
        Holmes

        Re: You see, these IT security experts approached this testimony in the wrong way...

        John Hinckley Jr.'s attempted assassination of Reagan did nothing for gun control...

        Well, there is "gun control" at various levels in the various states (and this was more about a nutcase doing his nutty stuff), but apart from that:

        Panicky law reaction for cheap virtue signalling in response to child-killer-maim-rapist-horror-show: BAD

        Panicky law reaction for cheap virtue signalling in response to attempted Reagan assassination: GOOD

        You can't have it both ways.

    3. Pascal Monett Silver badge

      Re: You see, these IT security experts approached this testimony in the wrong way...

      Absolutely. Congress has a deaf ear because no Congresscritter has been negatively impacted by the problem.

      Just wait for one of them to have their IoT fridge order 5 tons of milk and have the driveway blocked due to the 10 delivery trucks, plus the bill.

      THEN legislation will get pushed through faster than the result of a Taco Bell lunch two hours later.

      1. Anonymous Coward
        Anonymous Coward

        Re: You see, these IT security experts approached this testimony in the wrong way...

        Or, better, when their fridge gives someone access to their "intimate photos" they "inadvertently" send to fifteen-year-olds...

      2. tom dial Silver badge

        Re: You see, these IT security experts approached this testimony in the wrong way...

        Have an upvote for the probable accuracy of the claim, but the implied reason is a bad motivation for legislation.

    4. Captain DaFt

      Re: You see, these IT security experts approached this testimony in the wrong way...

      "Now, if before testifying Schneier and Co. had hired DDoS R' Us to take down U.S. political fundraising websites, THAT would have engendered a sufficient sense of urgency."

      True, a similar campaign worked before, even if it wasn't the intended effect.

  5. Palpy
    Devil

    Well, if these fine legislators have their way --

    -- there will soon be a booming market for non-smart tech. The unconnected and unchipped can't be remotely hacked. And so much for innovation.

    1. Charles 9

      Re: Well, if these fine legislators have their way --

      Oh? People have been hacked since before the word "hacked" ever existed. Ever heard of the Confidence Game? That's Social Engineering at its most direct.

      1. Destroy All Monsters Silver badge

        Re: Well, if these fine legislators have their way --

        But now you can harvest 100K people from the safety of your office.

        "Slack Hacks", innit?

        Just re-reading Neal Stephenson's "Diamond Age". Luckily, we will have to survive to "consumer IoT" age before stepping into the nanotech age. Or so we hope.

      2. veti Silver badge

        Re: Well, if these fine legislators have their way --

        There's a difference in kind between script-kiddie 'hacking' and social engineering.

        One requires someone - an actual, living person - to be aware of your existence. To take an interest in you. To contact you in some way.

        The other - doesn't.

        That's an important difference, because it affects how they scale. Face to face, you can con one person, or a hundred, or a thousand, within a given year. But to hit 100,000 you need to automate it. And that's what the IoT makes possible.

        And that works both ways. Face to face, you probably don't get conned more than once or twice a year. Online, it could be once or twice per hour - and you wouldn't even know.

        1. Charles 9

          Re: Well, if these fine legislators have their way --

          You can con by mail. That doesn't require a face-to-face presence and is just a bit of a slower version of a 419.

  6. Anonymous Coward
    Anonymous Coward

    There needs to be some serious suing of any IoT company that ignores security.

    Why doesn't EU quickly whip up some laws that would be useful for IoT?

    It's tragic when any half decent techie knows, as soon as he hears about something called "IoT" for the first time, that it will be a security disaster. Even before it has taken off.

    1. Charles 9

      But then, as Washington pointed out, how do you deal with China, who's both sovereign and militarily powerful enough to be a legitimate threat if pushed?

      1. Ken Hagan Gold badge

        Re: How do you deal with China?

        The same way you deal with "Germany", or rather Volkswagen. You publish standards that manufacturers have to meet and then let someone else sue their arses off if they don't meet them.

        Lax security is very much like pollution. For any polluting device, the seller gains because they've cut a corner and the buyer wins because that makes it cheaper and the pollution of one single device is far outweighed by the benefit of possessing it. The cost is borne by the rest of society. Markets will not fix that and anyone who actually *understands* the trendy free-market mantras rather than merely being able to *spout* them will see why that is the case.

        Sadly, we've bred a generation of politicians who know that the market is better than government, but haven't a clue why. Even sadder, those politicians are frequently the same ones who will argue at length that market forces do not act on genetic variation. Maybe they're just fucking stupid.

        1. Charles 9

          Re: How do you deal with China?

          Volkswagen has an American presence. They have specialized dealers and a branch they can target.

          Most of the Chinese tat is sold direct from China, usually through the gray markets. I doubt customs even knows when they pass through.

          1. Doctor Syntax Silver badge

            Re: How do you deal with China?

            "Most of the Chinese tat is sold direct from China, usually through the gray markets."

            You keep rabbiting on about gray markets. What do you mean by them? Presumably you don't mean someone sidling up to folk in the street saying "If you want to buy some IoTat stuff I can order it from China for you.".

            Gray markets have to advertise, otherwise customers couldn't find them. And the big advertising routes such as eBay do usually have legal presences in the US, EU etc, where they can be leaned on.

            1. Charles 9

              Re: How do you deal with China?

              But eBay and the like are multi-national. They're like gel. If one country applies pressure, it'll just ooze to another. That's why ships rarely flag in US or European countries. Plus some of the sellers like Alibaba are already based in China and the like and out of western regulatory reach.

              1. Mark 85

                Re: How do you deal with China?

                That's why ships rarely flag in US or European countries.

                Ships are rarely US or European flagged because of profit. Being flagged as such means high pay, more crew, and more stringent safety requirements. So yes, they end up being gel-like but....

        2. John H Woods Silver badge

          Re: How do you deal with China?

          "Sadly, we've bred a generation of politicians who know that the market is better than government, but haven't a clue why." -- Ken Hagan

          Fun activity is quoting their hero Adam Smith at them --- often results in them telling you to stop quoting Marx.

  7. Queeg
    Coat

    We're talking politician here..

    They are literally paid to spout bullshit and do as little as possible to rock the boat.

    Until someone causes a Senator to drop dead on national TV by screwing with the firmware of their pacemaker they will do nothing.

    * for those who didn't vote for Donnie T Rump that was NOT a suggestion.

    although "those 2nd Amendment people could do something"

    Getting my coat, that'll be the one with the tin foil lining.

  8. Youngone Silver badge

    No surprises there then

    The Senate are largely idiots. I despise them all, the difference between R and D is just the things they misunderstand.

    Also, I am not surprised Homeland Security are keen on taking over IoT security. They will be well aware that as soon as someone decides to have a good look at what they really do for a living they are very vulnerable.

  9. Mark 85

    Lame Duck Congress

    That's a killer for anything right there, and then there's a new group coming. Hitting Congress to do something at this time is just plain stupid as it would take more than a couple of months to set this up.

    Then there's the new group coming in. For all we know, they'll end up banning everything on the internet except for the Jesus sites and the sites that have well-heeled lobbyists.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lame Duck Congress

      And if a Jew sues on First Amendment grounds?

      1. Anonymous Coward
        Anonymous Coward

        Re: Lame Duck Congress

        The first amendment currently only applies to Christian fundamentalists. Everyone else is a third class citizen.

        1. Destroy All Monsters Silver badge

          Re: Lame Duck Congress

          The first amendment currently only applies to Christian fundamentalists. Everyone else is a third class citizen.

          Stop reading left-wing fanzines, you!

    2. Destroy All Monsters Silver badge
      Holmes

      Re: Lame Duck Congress

      For all we know, they'll end up banning everything on the internet except for the Jesus sites and the sites that have well-heeled lobbyists.

      I really want to know at what place this kind of bullshit is being injected into the memosphere.

      Maybe the explanation lies in the fact that journalists are writing hysterical pandering stuff. Here's Jared Taylor of "American Renaissance" (of all things!) on this: Trump: The Media’s Frankenstein Monster

      1. Mark 85

        Re: Lame Duck Congress

        I made that statement simply because many Repubs pander to the Religious Right and some to the extreme. There's been more than one stating that NASA is a waste of money as the Bible says the universe is only 6000 years old. There's others that would like to see any religious site (other than their own) taken down as they "promote terrorism" or untruths in their eyes. Of course, Christianity is perfect in this regard.

        There was some facetiousness to my statement but for the NASA example, look to the head of the Science Committee.. former doctor but hardcore Religious Right. However, in the end, the lobbyists will rule all....

        Should I add that for the most part, CongressCritters are a joke at this point in time? Holding their breath until they turn blue or having a sit-in on the House/Senate floor because they aren't getting their way? There's no thought, no compromise, no critical thinking. Only reaction and deadlock when they don't agree.

        1. allthecoolshortnamesweretaken

  10. Kent Brockman

    DHS

    Haven't DHS just published some 'principles'... coincidence?

    https://www.us-cert.gov/ncas/current-activity/2016/11/15/Strategic-Principles-Securing-IoT

  11. bazza Silver badge

    Be Careful What You Wish For...

    Calling for regulated security on IoT devices is, well, likely to have consequences more far reaching than anticipated.

    For a start, when is a CPU + memory + NIC + software an IoT device, and when is it just a computer or smartphone? They're all potentially involved in home automation, especially if you consider the app as being part of the IoT system.

    To illustrate the difficulties of trying to make a legal differentiation between IoT and non-IoT, consider the Raspberry Pi. IoT device? Yes. Computer? Yes. Router? Yes. Server? Yes.

    So you cannot reasonably apply a bunch of regulations to an IoT device that then don't also apply to smartphones, computers, home routers, smart TVs, back end services, the entire Internet. Thus if the law required IoT devices to meet minimum security requirements, receive regular updates, etc., they'd have to apply to everything else too, otherwise there'd be no point.

    That would be a problem for Android in particular.

    1. Ken Hagan Gold badge

      Re: Be Careful What You Wish For...

      Sounds great! Where do I sign up?

    2. anonymous boring coward Silver badge

      Re: Be Careful What You Wish For...

      IoT: Appliance that can be connected to the internet without any security whatsoever.

      So, connects without user intervention and setting up security measures.

      If sold as "just hook up", it better be secure.

      Simples

    3. PrivateCitizen

      Re: Be Careful What You Wish For...

      So you cannot reasonably apply a bunch of regulations to an IoT device that then don't also apply to smartphones, computers, home routers, smart TVs, back end services, the entire Internet.

      Isn't this sort of the point? The Dyn attack was supposedly driven by generic "IoT" devices like fridges which are internet connected without any security but the problem is anything internet connected without security is creating a risk.

      Smart TVs without security are just as much of a problem.

      The problem, as Schneier has said, is that the manufacturers don't care and the purchasers of each item don't care but the attacks affect everyone. This means that deep down the manufacturers & customers are actually paying a bit more for everything else as the security controls have to be implemented in more expensive areas.

    4. veti Silver badge

      Re: Be Careful What You Wish For...

      And that right there is why I can't watch Youtube on my TV.

      It comes with that option. All I have to do is hook it up to the home wifi network, and we could use it to browse and watch on demand, like - well, like we once imagined we could.

      But then I looked for documentation on "how to change the root password". No mention of it. No mention of there even being such a thing.

      And so, that device is not getting the password to my home wifi network. We'll watch TV the old fashioned way, use computers for the internet, and never the two shall meet.

      Shame there's no standard that it could comply to that would give me confidence in it.

    5. bombastic bob Silver badge
      Big Brother

      Re: Be Careful What You Wish For...

      a gummint "solution" is likely to breed PROBLEMS that require MORE "solutions" from gummint, yotta yotta. It's like an INFECTION with cyclic mutations.

      Instead, do this: pass laws that put the BLAME for 'lack of security' on the producers of insecure hardware and software, making them responsible for ANY liabilities caused by NEGLIGENCE when it comes to security. This would include DDoS attacks, mass infection/intrusion on IoT devices [requiring expensive 'fixes' on the part of end-users], and so on. Then, let the class action lawsuits fix it. I know, it's like calling down a napalm strike on your own head. Just make sure you duck for cover.

      And simple fixes by IoT vendors might include simple things like holding a button while changing settings or flashing new firmware.

      1. Charles 9

        Re: Be Careful What You Wish For...

        So what do you do when the manufacturers are outside the country, being protected by that country's sovereignty, and that country refuses to cooperate?

  12. Dan 55 Silver badge
    Facepalm

    "I don't think I want my refrigerator talking to some food police."

    Oh God, it's an unstoppable force... it's the rise of the stupid.

    1. Destroy All Monsters Silver badge

      Re: "I don't think I want my refrigerator talking to some food police."

      Actually, it will probably come.

    2. Anonymous Coward
      Anonymous Coward

      Re: "I don't think I want my refrigerator talking to some food police."

      Food police, maybe not. But food advertiser, lots of them.... and diet/health/etc....

      Unless his fridge isn't participating in a DDoS attack, of course.... gullible senators are the perfect customers for some stupid IoT stuff to show off (paying with taxpayers' money, of course).

      1. Anonymous Coward
        Anonymous Coward

        Re: "I don't think I want my refrigerator talking to some food police."

        Lipidleggin' (contains link to full text) is a Good Read.

    3. bell

      Re: "I don't think I want my refrigerator talking to some food police."

      The food police - otherwise known as SWMBO.

  13. Anonymous Coward
    Anonymous Coward

    As always with IT security..

    .. there's no hoping legislation or even law enforcement will be of any help at all. You're on your own.

    That's your reality, that's your fact. Starting from any other position is deluding yourself.
