by miander 3803 days ago
I'm not sure how many others share my view but I think that regulation is worth the benefit to security. I have always been very skeptical of the "but it'll hurt innovation" claim. Won't it promote innovation in new approaches for securing low-cost devices? It sure seems nebulous to me, but I am willing to be convinced otherwise.
10 comments

If you believe any part of innovation comes from new products launched by small new companies, then regulation will hurt security, because to a first approximation none of those kinds of companies have any coherent plan for software security. None of them can afford market rates for this kind of work.

Another problem with regulating software security is that it will inevitably involve licensing software security assessors (it's hard to meaningfully require audits without doing that). The history of licensed security auditors is not reassuring; the economics predict a race-to-the-bottom, and that's what you get (see: PCI).

The concerns in the first paragraph could perhaps be addressed by having volume thresholds before regulation kicks in. If your internet-connected special purpose device has more than N unit sales, more than $M dollar sales, or is offered in more than K brick-and-mortar stores, then it is subject to security regulation.

I too am not in favor (at this point) of requiring licensed assessors to approve software after it is complete, at least for most products. Embedded medical devices, vehicle control systems, and things like that probably should have an outside assessment.

I'd be happy for now just having some rules to try to make it so IoT device breaches are mostly due to bugs in the implementation of a good design, rather than due to the producers not having a clue about security.

I think we are fast approaching (if we have not already passed) the point where good security practices are something that almost every programmer and software architect should know and practice. There should be basic coverage of this in the standard computer science/software engineering curriculum, and there should be more extensive coverage as an optional part of the curriculum. If you take these optional courses, your degree is "B.S. in Computer Science and Computer Security" (BS CSCS). (There should also be a way to get this training outside of college, and get some sort of certificate that you have had this training).

Those making products that reach the thresholds for regulation should have to have someone with a BS CSCS (or a certification of equivalent security training) who signed off on the architecture, development standards, and testing process used for the product.

My expectation is that as everything (for better or worse) gets connected, the vast majority of CS students will go for the CSCS option and so people with a BS CSCS will not be significantly harder to find or more expensive to hire than people with just a BS CS, and so even small new companies should be able to afford them once they get past the point of the founders doing all the work and start hiring employees.

Do you really think that you can give a programmer a certificate and have them write secure stuff? Exploits are always changing.

"Exploits are always changing" is not really a meaningful objection, because it applies to every way that one might try to ensure security short of only deploying software and systems that have been mathematically proven to be secure.

The vast majority of exploits against IoT devices do not involve new exploits. They involve ridiculously ancient exploits, like finding plaintext passwords embedded in the firmware, or adding something like "&admin=1" to the end of a URL.

If we could get to the point where breaking an IoT device requires something like finding a hole in, say, the TLS protocol (or in a widespread TLS library), rather than just looking because the damn thing doesn't use encryption at all, we'd be vastly better off than we are now.

This is what I meant when I said, "I'd be happy for now just having some rules to try to make it so IoT device breaches are mostly due to bugs in the implementation of a good design, rather than due to the producers not having a clue about security".

Right now far too many devices are vulnerable even if they are 100% bug free.

I'd like it if there were some sort of non-profit Underwriters Laboratories for software security. But what we're more likely to get is a captured cartel of government-supported commercial labs.

For IOT, the bigger problem is that most of this stuff is getting deployed on BOM constrained designs, so they can't take advantage of safe programming environments, but instead pretty much have to link random C libraries together.

Laws and case-law are always changing, but whatever lawyers do to stay current seems to work well enough.

Building codes change, but certifications for electricians/plumbers/whatever seem to work well enough.

The certifications I've heard of all come with an expiration date. The professional organizations I've heard of all require at least a little bit of ongoing study from their members.

I don't see why what works well enough everywhere else wouldn't work well enough here?

I'm confused by your first sentence. Read as you have written it, I think you mean that regulation will hurt innovation in the IoT space, not security in the IoT space, because you've already said that none of these companies have coherent plans for software security today. Regulation won't hurt security; it may help it by creating incentive for standardization around secure infrastructure to chip away at the "market rates for this kind of work" which "none of them can afford".

There is good regulation and bad regulation, but regulation can accelerate innovation. With or without regulation, addressing this problem with more standardization of secure software and hardware infrastructure would reduce the need for human assessors (or at the very least, push what they're worrying about higher in the stack). Addressing it with licensing and more humans is probably not the kind of regulation I'd look for. So could there be bar-raising regulation that encouraged infrastructural solutions that benefited the industry as a whole?

I'd hate to inject insurers into this world, but one way might be to require IoT manufacturers to carry some sort of indemnification against potential consumer damages, and the insurers drive the security quality. In the 1990s, it was insurers, tired of anesthesia-related malpractice losses, who created back-pressure on the profession to put better clinical standards in place, and errors related to anesthesia-related causes dropped, as did premiums for practitioners following the guidelines. Everyone benefited--especially the patients.

But in the IoT world today, there are no meaningful incentives around securing devices, and consumers have little influence.

Yeah, you're confused because I mis-wrote that. Wow, that was indeed a confusing sentence. I meant regs will hurt innovation, not security.

The problem is that I think the security gains will also be marginal, and the innovation harm will be significant.

In particular, the history of security standards, which you bring up as an example of "good regulation", is checkered.

I agree with you that mandatory insurance could be a "middle way" between intrusive regulation and no regulation. But that's essentially the structure the payments industry uses with PCI, and PCI has been a race-to-the-bottom.

I wholeheartedly disagree about letting regulators have anything to do with technology. It moves too fast and has too many interpretations to be codified into common sense law, leaving just the big pocket corps to write the regulations just like they've already done everywhere else.

How do you define reasonable security practices? If there's PII, what's reasonable then? What's reasonable today (OAuth, tokens, 2FA) was over the top crazy/impractical/expensive/impossible in 2001. You think there's going to be a committee evolving this crap every month in perpetuity?

On top of that, if actual harm comes to users of these devices as a result of these devices then we already have plenty of consumer laws protecting them. Granted, they're going to have to come up with ways to apply it sometimes and you're going to have to prove it was that device that allowed the harm, but we have it.

I will say this though: I'm mostly okay with laws (whether they exist or not yet) that say that if your negligence or stupidity was the root cause, as a manufacturer of these goods, you are on the hook for a multiplier of damages. There are a lot of companies out there that know they are pushing shit to market in a race to the bottom and then just claim security is hard and they tried their best when clearly, they knew about an 8 year old bug and shipped anyway. In that case, I'm okay with hitting them hard.

> I'm mostly okay with laws (whether they exist or not yet) that say that if your negligence or stupidity was the root cause, as a manufacturer of these goods, you are on the hook for a multiplier of damages.

Such laws won't work, however, without a regulatory framework that ensures that -- for example -- click-through EULAs aren't used to lock customers into sleazy "binding arbitration" agreements that sacrifice their rights in return for permission to use an appliance they bought in good faith.

It may be difficult for regulators to keep up with specific technologies, but much tougher consumer rights protection is essential in order to hold negligent manufacturers responsible, because it's cheaper for the cowboy manufacturers to hire a lawyer to draft some dodgy contract boilerplate than it is for them to hire security experts and ship a safe product.

I agree with that. I'm much more in favor of punishing harshly when the mess up happens and could've been avoided but for willful negligence than trying to write a bunch of catch all regulations before we have a problem.

I think, at least in the US, we need much stronger consumer advocacy laws, something with teeth that can't be arbitrated down by a group of expensive lawyers.

We'd have to find a balance though, as we are already way too litigious and we'd be stifling innovation out of fear of getting accused of negligence.

I think it's a little bit of this, a little bit of that. We need regulation to attempt to enforce baseline security practices (e.g. no passwords in cleartext, encryption during authentication, etc), since that can be proactive if not comprehensive. In addition to that, we need stronger consumer advocacy and liability for the more complicated, unanticipated cases.

> We'd have to find a balance though, as we are already way too litigious and we'd be stifling innovation out of fear of getting accused of negligence.

If we're "way too litigious" to the point of stifling innovation, then I think the problem and solution are in a completely different area than this.

I am a technologist; and yet, I am all for stifling innovation with IoT. The folks creating these devices are not qualified to make decisions for themselves or for us.

What decisions are they making for you? It's your decision to opt in to their system by buying. As a technologist you have a good idea how to spot the crappy ones that can put you at risk, or would just (rightly) assume that something like an internet connected Elmo is a bad idea. It's the general population that we have to worry about, as they'll be the ones most seriously harmed (identity theft is the thing I worry most about any of this) by these things going awry. They may also not even put things together that some of these devices could be or are internet connected in the first place, where to us it's obvious that there must be network connectivity of some sort.

That being said, let the bad actors fail. Let their names get dragged through the mud, let the big companies sober up after a few too many VTech/Mattel/LG style failures that make the headlines. Let them either back out of the market because this shit is hard to keep secure, let them work with someone who can, or let them triple down and figure it out themselves. We're going to see a lot of failures, but we'll be better for it.

I've connected my own devices around my house (securely), use z-wave, and consumer home automation hubs/hardware, as well as some well known stuff like Nest and Amazon Echo. I don't ever want to go back to NOT having these things.

I've accounted for many of the likely failure points by these very well regarded manufacturers and I've firewalled my network very tightly, among many other things. But damn it, I've seen the future and I don't want to go back. It's too nice, too convenient, and adds too much real value.

It's your decision to buy their goods, no one should be preventing anyone from trying to enter the market just because you get the heebie jeebies or don't see the value. Someone else does, or no one else does and they fold up shop.

History has shown us that all the IoT devices are poorly coded at best and completely un-managed at worst.

It is also assumed that these devices have unfettered internet access. Most of them can do HTTPS. Either you allow it or you don't. How many Barbie dolls have been having inappropriate conversations with children that a human would otherwise be arrested for? How many televisions are feeding audio from families back to a company? How long is this data saved? Who has access to it? When must it be destroyed? What legal protections does anyone have against data abuse? What is deemed data abuse? If it turns out I am being spied on, what binding agreement do I have with the manufacturer and seller that will make them feel pain? Are they obligated to give me more than, "We're sorry. Gosh, we're just so darn sorry."

Sorry, no. These devices need to be recycled before they are ever used.

EULAs and binding arbitration clauses are not valid when up against negligence. You cannot legally waive negligence in most countries, no matter what a web form or paper contract says. It is not legally binding.

> On top of that, if actual harm comes to users of these devices as a result of these devices then we already have plenty of consumer laws protecting them.

The trouble with this is that "actual harm" in a legal context tends to mean something that can be proven in some specific context and have some specific monetary value attached to it.

Personally, I think harm is also done if someone knows their financial details might have leaked and then worries about their credit record and future financial security, or if someone discovers that a creep somewhere in another country has been watching their baby sleeping, or if a "smart" TV has been transmitting personal conversations of whatever nature from the living room to someone else. However, if we're only talking "actual damages", how do you decide what financial compensation is appropriate in such cases?

In reality, the most damaging violations probably aren't the ones with tangible financial losses attached, because financial losses can at least be made good after the fact. You can't make up for lost time, though maybe you can at least assign some nominal value to compensate for time spent on things like updating credentials after a breach. No amount of money can make up for the kind of distress caused to a teenager if a compromised device leaks something like their diary or an intimate video of them getting changed and the results go all around their school.

If security and privacy implications for the Internet of Things are to be taken seriously, I suspect the laws will need updating so that (a) there is a presumption of harm in cases where personal information leaks to an unintended party, and (b) there is a punitive value attached to leaks that cause non-monetary damage, with that value being very high for leaks that cause severe and/or ongoing distress.

I don't think this needs regulation. All it needs is a scale of meaningful penalties, leading up to company-destroying fines and/or jail time for executives for the most serious infringements caused by gross negligence or malice.

You can't hold someone liable for a standard that isn't legally defined. So, defining regulation that sets a reasonable expectation of security that every IoT manufacturer has to adhere to is not a bad idea, and helps everyone.

> On top of that, if actual harm comes to users of these devices as a result of these devices then we already have plenty of consumer laws protecting them.

When was the last time a software company was held liable for their software not working correctly, and exposing users unnecessarily? Most of them EULA their way out of any lawsuit to begin with.

The problem is that a regulation like "be secure" is impractical, because to a close approximation no system is actually, 100% secure - it's just a matter of the effort taken to hack it.

So the regulation ends up being "go through the security process" (take something like PCI compliance as your model). This always ends up being a crappy fit because the guy doing the process can typically only throw out a list of "best practices" that may or may not make any sense for any particular application, and in any event aren't comprehensive enough. It's also wildly expensive, since the process is embedded in a regulatory-certified person who charges N$ / hour.

Empirically the best you can do absent some specific industrial setup is a series of bright-line rules like "don't store passwords in the clear", but that's far from sufficient.

What if the regulation largely ignored the technology and instead focused on responsibility: prohibit license terms requiring arbitration or restricting class action cases, setting minimum warranty terms which treat software support as a primary requirement (no selling a washing machine with a 10+ year hardware lifetime but ending software support 6 months after release), and restricting liability disclaimers so a company can't completely shirk responsibility the way everyone does now?

The one which would make the most sense to me is something like a souped-up CERT: researchers report vulnerabilities to them, staff grades the severity, and a company has increasingly strict penalties if the fix isn't shipped within certain timeframes. Imagine if e.g. Samsung, Lenovo, etc. executives knew that their personal assets would be frozen in the U.S. if they continued not to support all of the millions of vulnerable Android devices?

The main thing I'd hope an approach like this could avoid would be the PCI bureaucracy you mentioned where a company might choose to avoid riskier areas rather than being required to expensively audit a process.

Maybe we could go a bit further and say that a proven security breach (i.e. an unauthorized person actually accesses your device) carries some concrete liability, for example $500 plus a refund of the purchase price?

It's a bit like the laws for junk faxes or illegal telemarketing calls. You don't have to take them to court or prove actual damages, you just press the "statutory damages" button when an actual violation occurs.

I could see some difficulty arising from people who are breached not because of some fault with the product, but because the people made their password "password" or whatever. But maybe this would just encourage manufacturers to make it difficult to set up their devices insecurely.

There might be problems with people knowing that they're breached. To combat this, you might make the $500 (or whatever amount) payable to anybody who accesses such a device in good faith. These "find an insecure web cam pointed at a baby" web sites would go from voyeuristic amusements to money makers.

Just some random ideas....

> Maybe we could go a bit further and say that a proven security breach (i.e. an unauthorized person actually accesses your device) carries some concrete liability, for example $500 plus a refund of the purchase price?

Yeah, that's exactly the kind of thing I was thinking about for market incentives. Right now the immediate cost to a company is zero so the only question is whether it'll cost them future sales. Even a simple refund of the purchase price would be a big shift.

I rather like the bounty idea, too, particularly if we could combine it with some sort of clearing house so e.g. the person who finds an unprotected webcam doesn't have a reason (or excuse) to identify the owner.

I think it will hurt real innovation. The big companies will just build the same crap they always do, but have an army of clerics and lawyers to shepherd that crap through the kafkaesque paperwork scheme that will certainly develop.

The real innovators will then not be able to come to market because they don't have $750k extra lying around for 6 months of burn waiting for/obtaining certifications, bonds, insurance etc.

Edit: In theory, I agree with OP, but in practice, these things almost always end up being more about permission than proficiency so we end up with corruption instead of competence.

Specific security regulation is not necessary, because the solution is simple: liability.

If a product leaks pictures of your kids to the internet when it is used normally, the product is defective. If the problem was caused by a bad design[1], then the manufacturer should be liable for their negligence.

Yes, this would make entire categories of currently-used software unusable. It would probably require recalling many current and upcoming products. Adding complex network features (or any network connectivity at all) would also add liability risk, so this would also discourage (but not ban) throwing internet connectivity on everything.

As Dan Geer recommended[2], when the product is Free Software (including the build environment), the end user has the ability to defend themselves, liability can probably be limited to a refund. However with proprietary software or embedded devices where changing the software is not practical, the manufacturer should be liable for any damage their products cause.

I'm sure there will be a lot of resistance to this idea, as many products currently rely on bad design (smart TVs, nest), but allowing a security-free internet of things to happen would be yet another Sword Of Damocles hanging over our head. Liability may be bad, but the problems that will happen if we connect everything to the internet without serious would be much worse.

[1] "bad design" would not include things outside of the manufacturer's control, such as a new way to weaken crypto or a completely new attack method. Buffer overflows, protocol design problems, incorrect configuration or permissions, unauthenticated updates or other downloads, and sending plaintext over a network should count.

[2] http://geer.tinho.net/geer.blackhat.6viii14.txt

> Specific security regulation is not necessary, because the solution is simple: liability

That would be simple if companies weren't able to lawyer up and weasel out of any and all liability that doesn't come with explicit standards required by ... regulation. What makes the definition of "defective" vs "not defective" in determining liability is regulation. Regulations don't have to be "fine X will be levied if Y" it can be "Y is required for product Z". That is regulation and it is how we define liability in the legal system. What you are proposing -- establishing bad design -- is the basic definition of regulation.

What's the definition of "defective". The company defines this, federal regulation can supersede that, but between those two things the "leaks personal data" definition of defective must be present or it simply isn't true just because you (and most any reasonable person) says it's true. If it's explicitly excluded from warranty (or EULA) and inclusion isn't required by federal law, then you're SOL because you've tacitly agreed to be bound by that warranty and EULA by buying the product and not returning it. EULAs allow companies to get away with even known bad design bugs in software that cause data loss, there's nothing you can do about this liability wise.

So maybe you're talking about changing the law, but good luck with that.

+1

Regulations on hardware devices do not stop innovation in hardware. One can say there are far fewer hardware startups than software startups, but I don't think regulations are the main reason for this difference.

Maybe instead of prohibiting insecure products we can just put labels on them? Want to buy a shiny new thing from kickstarter, be my guest, but it'll have a huge SECURITY NOT CERTIFIED label on the side or something like that.

Which will not turn away a dedicated geek, but will give a hint to an average soccer mom.

Certified by whom? And how do we keep those security labels from becoming as useless as certifications like "organic", "natural", and "fat free"?

By some appropriate government agency, I assume.

Any kind of suggestion, what regulation should look like? For example, automatic updates would probably be a must-have for network connected devices. On the other hand, I do not really want my TV to phone home. The problem is that computers are too flexible for meaningful regulation, contrast it with the case of a boiler, the interest of the user is that the boiler does not explode, both for the engineer and the housewife.

Security can never be perfect, but it can be sufficient. Simple sufficient regulation could be having a clearly documented address and process for security issues to get reported and an obligation to provide fixes for remote vulnerabilities in a reasonable time frame after becoming aware of them within the warranty period (they are design flaws, so warranty should cover them). In other words, legally mandate everyone should do what conscientious vendors already do.

Your suggestion is not sufficient, you need also a way to roll out the updates, which means a network connection to the outside world, but for someone who has done an IoT setup himself it is probably a sane thing to put the IoT things onto their own network, without internet connectivity. So yes, it is likely possible that there could be sane regulation, but I lack trust that regulation will be sane, and even more, I suspect that regulation will interfere with my use case, so that I have to jailbreak my light bulbs.

Your light bulbs already have to adhere to regulation, and it's largely not been a hindrance at all. In fact, most of it has been helpful.

Just compelling the ability to update does not mean anyone will make updates.

The only answer that makes any sense at all is fundamental legislation that any product where the primary product is the physical article and not the software must publish the source to included software. That way even if IoT devices are abandoned or become insecure we can update our own hardware.

Most people would not be able to maintain their own devices, but we can easily end up with OpenWRT / DDWRT style products for each class of IoT device if they are required to be freedom respecting. Then techies will naturally instruct their peers to use supported devices, and the natural progression should get us most of the way to where we are today on routers - the liberated ones are recommended and can be supported by the community even if the OEM abandons them, and the ones that are not are a red flag to avoid. The only problem today is that since there is no compulsion to liberate routers a lot of them are sold to ignorant consumers who do not realize the mistake they are making.

So maybe that should be a regulation? Like with how cigarettes must inform consumers of how dangerous they are, proprietary IoT devices must have an FCC general warning their security is out of the users control.

We already have regulations for things like safety, so it all depends on how seriously you think of the matter, and how well you think the government will be able to regulate it.

I agree US dislike of regulations is understandable because of the cost it adds but they let things go too far. The subprime mortgage crisis is a good example: they gave an inch and the banks stole miles.

The banks were told by the regulators to give out these loans and the government even invented the scheme to cook the books. More like partners in crime than dereliction of duty.

The US dislikes regulations? Since when? It has one of the most regulated major economies. With banking being arguably the most regulated industry.

Federal regulations have gone from 20,000 pages in 1970, to 80,000 this year. With a 60% increase just since 1990. The US loves regulation. And that's just at the Federal level, there's an entire government system nearly the size of the Federal Government at the State level.