by sh34r 1022 days ago
This is a very poor analogy. For one thing, casing someone's home is not interesting research. It's not news to anyone that locks only keep honest people out. You need physical access to break in. The legal system and the people nearby (neighbors and residents, and their firearms in the USA) are the main lines of defense here. Unlocked doors are a harm targeting one household.

Conversely, with vulnerable IoT devices, we're talking about internet-connected devices. The potential harm is to everyone on the Internet, not just one household, when they're taken over and made part of a botnet. An attacker can exploit them from anywhere in the world, including residents of hostile jurisdictions that are tolerant (or actively supportive) of such activity. Russia, North Korea, Iran, etc. The protections people have relied on for centuries to defend their residences from bad guys don't apply anymore.

These IoT devices can also be used to gain a foothold in your home network, which is usually a flat network. It's surprisingly difficult to find a "router" for home use at a reasonable price point that can set up VLANs, by the way. Even as a technical person.

The better analogy IMO is to building codes, where your property rights are limited by society's interest to keep your family safe, but more importantly, your neighbors safe too, because fires spread. It's still an imperfect analogy for a number of reasons. Cyberattacks are a relatively novel kind of threat. All analogies are going to be imperfect.

3 comments

I think a better analogy can be drawn by just considering the physical version of some things. For IoT, you can say if someone discovers a specific brand of physical lock can be broken in unexpected ways, they should be allowed to communicate this in a way that benefits the users of the lock without facing any legal risk. For internet banking, you can discuss a physical vault that safekeeps everyone's gold, and say that someone who notices a broken lock should not be punished for telling the vault manager to fix the lock. Unfortunately the common situation is that the lock company and the vault manager will sue because they don't want to admit they put their users and clients at risk - it sounds absurd, but that's what happens in the electronic world.

Well, in this analogy the problem starts with how the person is noticing the lock can be broken in unexpected ways.

Everything you said after that is a valid continuation from that, but the scope of the issue I am talking to centers around that how.

Because locks have never actually been unbreakable, right? The main purpose of a lock, the generally accepted way that the lock keeps people out - is by existing, not by being strong.

We have higher standards for the lock in more serious applications, like a vault, but if you buy a vault door, put it in your garage, and begin testing it for vulnerabilities - I feel like it's reasonable to view that as criminal. I admit 100% that it could be a curious tinkerer, but I do not think it is unreasonable to tell the tinkerer that they can't do that without permission.

What happens in that case is said tinkerer does it anyway.

And say they got that door by any of a number of legal means. Fact is they have it and could have a wide range of legal uses for said door too.

Is it better to drive that sort of thing underground?

I question that.

Building codes analogy still supports my argument. You cannot just walk into a stranger's home and inspect it for whether or not it is up to code.

I agree analogies are going to be imperfect, which is why it's important not to criticize an analogy based on where it fails but to work with it on the point it is meant to express, and then yes if it doesn't actually convey the point then it could be a bad analogy.

I think it might help if we clarify WHY a lock keeps honest people out. If a house is locked, you MUST commit a crime to gain entry. So by nature of bypassing the lock, you are no longer acting honestly. It is not about what type of person you are, it is about clearly delineating honest actions from criminal actions.

If the door is unlocked, then a person could walk in and then pretend they didn't know better if they get caught. This is assuming we say it's okay to walk through unlocked doors.

However, since we acknowledge it as criminal behavior to even test whether or not a door is unlocked - the existence of locks in general and the common knowledge of where they should be expected to be found establishes a barrier honest people know not to cross.

With respect to cybersecurity, I am proposing we accept a similar relationship while also creating protected legal paths for honest people to conduct security research.

The thing we can all likely agree on is what cybersecurity is and where it applies. By nature of knowing where it should apply, we establish a barrier that honest people should not be crossing without permission.

I agree that there is a lot of foreign danger involved with the topic and botnets are a concern. However, progress there is not going to be made by random hobbyists testing websites for SQL injections for fun. It's going to be made by cybersecurity professionals who can easily be educated to and comply with a regulation to declare their intent and get approval before poking around.

The rules for an approval process are a totally open book. It does not need to be restrictive or limiting to researchers.

Another analogy could be someone doesn't realize they left their back door open and these guys come and point it out.

I think the analogy would be someone doesn't realize they left their backdoor unlocked.

You can see an open door. You can see an unlocked door unless you go up and try to open the door.

If a stranger informed me that my backdoor was unlocked, then I would be immediately suspicious. Why were you at my door trying to open it without trying to contact me first?