posted by martyb on Saturday November 12 2016, @03:11AM
from the world-wide-web-pollution dept.

Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, were as much a failure of market and policy as of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the "Internet of Things" and increased regulation of what are now critical and life-threatening technologies. It's no longer a question of if, it's a question of when.

First, the facts. Those websites went down because their domain name provider — a company named Dyn — was forced offline. We don't know who perpetrated that attack, but it could have easily been a lone hacker. Whoever it was launched a distributed denial-of-service attack against Dyn by exploiting a vulnerability in large numbers — possibly millions — of Internet-of-Things devices like webcams and digital video recorders, then recruiting them all into a single botnet. The botnet bombarded Dyn with traffic, so much that it went down. And when it went down, so did dozens of websites.

Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you've never heard of to consumers who don't care about your security.

The technical reason these devices are insecure is complicated, but there is a market failure at work. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. These devices will affect every aspect of our lives, because they're things like cars, home appliances, thermostats, lightbulbs, fitness trackers, medical devices, smart streetlights and sidewalk squares. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require. These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades.

Is government regulation the only way to get manufacturers of Internet of Things (IoT) devices to care about security?

  • (Score: 4, Insightful) by stormwyrm on Saturday November 12 2016, @07:55AM
    The EPA made mistakes in its handling of the Flint water supply issue. The FDA approved Vioxx at one time too. In the same way, a hypothetical government agency with the mandate to oversee the security of network-connected devices will undoubtedly make mistakes just as big too. Government, like everything run by humans, is fallible and prone to mistakes. But is that really worse than having no regulation at all, and having a simple free-for-all like today where anyone and everyone can plug in their insecure, unpatchable IoT device to the Internet with no possible recourse? We could go back to the era of medicine shows and snake oil and folks being allowed to pollute anywhere and everywhere if you really think that government agencies that have made some big mistakes like the FDA and the EPA have really done so much more harm than good in the decades since their foundation. I for one don't see that as being the case.

    Also, as Schneier points out in TFA, this is not a choice of regulation vs. no regulation. The day someone causes a major disaster that kills hundreds or thousands by means of an Internet-connected system (e.g. a nuclear power plant) will be the day that the government scrambles to add ill-thought, emotionally-driven regulation over the Internet just like the Patriot Act in the wake of 9/11. Would you rather have well-thought out and sane regulation produced before the problem becomes big enough to allow a disaster of such magnitude to occur, or ill-conceived regulation that is railroaded through in the face of such a disaster?

    --
    Numquam ponenda est pluralitas sine necessitate.
  • (Score: 0) by Anonymous Coward on Sunday November 13 2016, @02:07AM
    Oh that is all true. HOWEVER, my point was do not put too much stock into stickers that say 'gov approved'. Like a gallon of milk they eventually expire.

    They will get old and out of date very quickly. The market (legal, grey, and illegal) will take care of that. Not in a good way either. Take for example one of the early "IoT" devices that everyone had: the Linksys WRT54G. That thing was a powerhouse. Millions sold. However, support for the original version is pretty much gone. Have not looked lately as I upgraded ages ago. But I am not sure you can even get a current open-source build on there. There are hundreds of router models like that out there. No support and will never see another patch. Some will get some love from the open-source community. But not all. In fact the vast majority will fall out of date. So as an end user I am stuck with a device that works for the reason I bought it but is insecure.

    No amount of regulation will fix that. In fact I would predict it would just be a way for larger players to lock out newer players through the use of regulatory capture.

    "ill-conceived regulation that is railroaded through in the face of such a disaster"
    That is the way it will happen unfortunately. It will then become some massive rolling disaster of ill-thought-out regs that pretend to do something but do very little. My bet is one of the first things they pass would be 'no hacking'. Which will basically make people who try to break the things villains. Even though they just want to fix those things. The people who want to find the vulns for monetary gain will not give one whit about the law.