
posted by martyb on Saturday November 12 2016, @03:11AM
from the world-wide-web-pollution dept.

Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, were as much a failure of market and policy as they were of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the "Internet of Things" and increased regulation of what are now critical and life-threatening technologies. It's no longer a question of if, it's a question of when.

First, the facts. Those websites went down because their domain name provider — a company named Dyn — was forced offline. We don't know who perpetrated that attack, but it could have easily been a lone hacker. Whoever it was launched a distributed denial-of-service attack against Dyn by exploiting a vulnerability in large numbers — possibly millions — of Internet-of-Things devices like webcams and digital video recorders, then recruiting them all into a single botnet. The botnet bombarded Dyn with traffic, so much that it went down. And when it went down, so did dozens of websites.

Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you've never heard of to consumers who don't care about your security.

The technical reason these devices are insecure is complicated, but there is a market failure at work. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. These devices will affect every aspect of our lives, because they're things like cars, home appliances, thermostats, lightbulbs, fitness trackers, medical devices, smart streetlights and sidewalk squares. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require. These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades.

Is government regulation the only way to get manufacturers of Internet of Things (IoT) devices to care about security?

  • (Score: 3, Disagree) by zocalo on Saturday November 12 2016, @08:22AM

    by zocalo (302) on Saturday November 12 2016, @08:22AM (#425971)
    I think this has to be a given, although I can't see the code being open as in FL/OSS so much as the vendors agreeing to open it up to an external audit without the code going public... because competitors. First of all though, we're going to need a framework with some kind of Energy Star type logo/certification scheme that is globally recognized that can then have such requirements as an external code audit, better password and remote access policies, and all the other applicable tried and trusted best practices, a part of compliance.

    Oh, wait, how's that supposed to work now that globalisation is the new big bad and we're supposedly going to be spending the next few years shredding international treaties? Don't expect this to go away while we're busy breaking up TPP, TTIP, NAFTA, the EU, and all the rest.
    --
    UNIX? They're not even circumcised! Savages!
  • (Score: 4, Insightful) by canopic jug on Saturday November 12 2016, @12:04PM

    by canopic jug (3949) Subscriber Badge on Saturday November 12 2016, @12:04PM (#426020) Journal

    and we're supposedly going to be spending the next few years shredding international treaties? Don't expect this to go away while we're busy breaking up TPP, TTIP, NAFTA, the EU, and all the rest.

    Good riddance to TPP, TTIP, NAFTA, TISA, and CETA at least. Read up on them. They are not helpful in promoting trade. NAFTA now has many years of documentation showing what a big failure it has been with trade and especially jobs. As for the others, they suck so badly that they had to be negotiated in secret. Except that they weren't actually negotiated by anything other than corporate lawyers. Make of that what you will but the leaked treaty documents show in some of them that opening source code is expressly forbidden [techdirt.com]. So for Geer's / Kamp's proposal to gain traction, these travesties have to be eliminated on those grounds even if the obscene secrecy weren't sufficiently anathema to democratic process.

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 0) by Anonymous Coward on Saturday November 12 2016, @01:36PM

      by Anonymous Coward on Saturday November 12 2016, @01:36PM (#426036)

      Not to mention all the draconian copyright and patent laws the TPP and friends impose. We should not only scrap these treaties, but we should scrap older draconian treaties like the Berne Convention as well; it's time we fought back against the copyright and patent cultists.

      Getting rid of software patents would also make developers less wary of making their software truly free.

    • (Score: 2) by zocalo on Saturday November 12 2016, @04:08PM

      by zocalo (302) on Saturday November 12 2016, @04:08PM (#426063)
      Sure, there's a lot in the treaties that sucks, and the way so much of the negotiation was done in secret is inexcusable (some of the financial details I can kind of understand though), but the point was more the black and white take that many people have on globalisation. Without limits, it's a bad thing. Completely absent, it's also a bad thing. Somewhere in the middle must be a sweet spot that allows for the benefits of global trade, climate deals, exchange of knowledges, and (as per TFS) regulation of things like IoT devices when equipment is manufactured in one country to be sold in another, and all without millions of people getting completely screwed.

      Most educated people realise that the world isn't black and white and that sometimes the greater good must prevail, yet globalisation seems to have even less of a middle ground than climate change right now. The problem isn't with the pursuit of such treaties, the problem is with the attitudes, greed and (above all else) lack of long term vision, of those that are pulling the strings of those doing the negotiations.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 3, Insightful) by canopic jug on Saturday November 12 2016, @04:52PM

        by canopic jug (3949) Subscriber Badge on Saturday November 12 2016, @04:52PM (#426073) Journal

        You're right that globalization is not black and white, at least when considered generally. Those specific treaties are black and white though. The US has fast-tracked them which means the vote is take it or leave it, no modifications or conditions allowed. That's as black and white as it gets.

        But any regulations referring to source code are going to be encountering large barriers, because M$ has been functioning as a mighty lobbying engine for the last decade and a half.

        --
        Money is not free speech. Elections should not be auctions.
      • (Score: 3, Insightful) by Anonymous Coward on Saturday November 12 2016, @05:30PM

        by Anonymous Coward on Saturday November 12 2016, @05:30PM (#426082)

        Here's a solution, then: Negotiate the treaties in public and without all the corporate lobbying, and don't allow draconian nonsense into them (keep it about beneficial free trade and other things that actually benefit the people). Until that happens, these treaties must be rejected.

  • (Score: 0) by Anonymous Coward on Saturday November 12 2016, @01:33PM

    by Anonymous Coward on Saturday November 12 2016, @01:33PM (#426035)

    The software must be free or else the software can't be trusted (even with supposedly external audits) and shouldn't be used anyway because it doesn't respect the users' freedoms. [gnu.org] Anyone, anywhere, and at any time should be able to view, modify, and distribute modifications of the source code, as well as use any modifications on their devices. Anything less is intolerable.

    • (Score: 2) by zocalo on Saturday November 12 2016, @04:19PM

      by zocalo (302) on Saturday November 12 2016, @04:19PM (#426067)
      In an ideal world, certainly. In the one we live in however I just can't see any certification that *requires* the code to be fully open ever getting enough traction to actually make it through to ratification and adoption, at least not just yet. Progress is being made, with more and more governments, companies, and other organizations either favouring or stipulating open source code for projects, but the critical mass to be able to enforce it on a global scale via a treaty or certification seems like it's still some way off. The IoT is here *now* and clearly needs a best practice security solution *now*. That means we'll probably have to take what we can get for v1.0, which likely means a compromise on whether the code has to go public, but for v2.0, the Platinum certification level, or whatever, then absolutely - fully open source has to be the target.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 0) by Anonymous Coward on Saturday November 12 2016, @05:35PM

        by Anonymous Coward on Saturday November 12 2016, @05:35PM (#426083)

        Sure, that might be true for legislation and treaties, but I'm saying that as many individuals as possible should reject non-free devices. Maybe there won't be enough people doing that to actually cause the companies to have second thoughts, but it can still benefit the individual boycotters.

      • (Score: 1) by trimtab on Saturday November 12 2016, @09:49PM

        by trimtab (2194) on Saturday November 12 2016, @09:49PM (#426135)

        The problem is that the "so called" balanced approach will absolutely lead to more DDOS attacks for IoT devices. It costs money to develop, audit, and maintain secure firmware/software properly. There is NO incentive to spend that extra money without government penalties for failure to do so, so closed software will almost NEVER be fixed. Open Source software at least allows customers or others to audit and improve the result and if you are a hardware maker it would be a marketing and sales win.

        Of course, most CPUs, GPUs and SoCs require NDAs and closed sourced BLOBs of binary *crap* to even be included in products. We need some smart hardware maker to figure out that "open and secure" is the best path and that will NOT occur without substantial financial penalties for producing insecure devices.

        So a Government imposed penalty is absolutely necessary. A Government mandate on a specific solution is not. However, the "open source" option would be a "low cost" way for new players to enter the market without the costs of paying for proprietary reviews which may or may not prevent future takeovers of their products. And at least with Open Source the customers (or experts they can hire) can fix the problem with the equipment even if the company that created the hardware goes belly up.

        We need no more Oracles or Microsofts, particularly in IoT.

        • (Score: 2) by zocalo on Sunday November 13 2016, @07:49AM

          by zocalo (302) on Sunday November 13 2016, @07:49AM (#426213)
          I agree entirely that a standard that requires best security practices is required, complete with sanctions when breached. Bugs happen, so the vendor should have a chance to make good through a firmware update, product recall, etc., but the possibility of fines and having all products banned from the market needs to be the sword hanging over it. As noted though, the closed vs. open source issue is still a problem for some vendors, and we need the standard ASAP so can't really wait for some vendors to realise OSS is the way to go. That means the option of having the source closed but externally audited - at least for now - but that doesn't (and shouldn't) preclude a vendor opting to forego paying extra for a closed source audit (and there *should* be a premium as a deterrent) by simply opening their code to peer review.
          --
          UNIX? They're not even circumcised! Savages!
    • (Score: 0) by Anonymous Coward on Saturday November 12 2016, @04:28PM

      by Anonymous Coward on Saturday November 12 2016, @04:28PM (#426069)

      Q: but how will the whores keep their competitors from stealing their precious secrets and the whole market?
      A: no one is stopping you from getting off your ass or innovating. maybe you think you should be able to work once and then just get paid for the rest of your life by violating others' freedoms? also, your market is artificially constricted by your closed business model, fuckhead.