posted by martyb on Thursday March 29 2018, @04:44PM
from the Protecting-the-product-or-the-public? dept.

The U.S. Consumer Product Safety Commission is conducting a public hearing on the safety of internet-connected consumer products, and is requesting comments.

The Commission hearing will begin at 10 a.m., on May 16, 2018, and will conclude the same day. The Commission hearing will also be available through a webcast, but viewers will not be able to interact with the panels and presenters through the webcast.
...
The growth of IoT-related products is a challenge for all CPSC stakeholders to address. Regulators, standards organizations, and business and consumer advocates must work collaboratively to develop a framework for best practices. To that end, the Commission will hold a public hearing for all interested parties on consumer product safety issues related to IoT.

Although this explicitly does not cover data security and privacy, it covers many of the other issues seen with IoT devices.

Comments can be submitted to the commission through the web portal:

You may submit written comments, identified by Docket No. CPSC-2018-0007
...
Electronic Submissions: Submit electronic comments to the Federal eRulemaking Portal at: www.regulations.gov. Follow the instructions for submitting comments.

Seen through the Internet Of Shit Twitter feed.


  • (Score: 2, Interesting) by Anonymous Coward on Thursday March 29 2018, @05:32PM (13 children)

    by Anonymous Coward on Thursday March 29 2018, @05:32PM (#660078)

    Harmed parties should have a clear legal path to sue ISPs that facilitate bot attacks.

    Similarly, ISPs should have a clear legal path to sue (or at least turn off without compensation) those people whose IoT devices have been misappropriated.

    That is, this is the question that is not being answered: What property belongs to whom, and who is responsible for breaching the associated property rights?

  • (Score: 5, Insightful) by Grishnakh on Thursday March 29 2018, @06:03PM (10 children)

    by Grishnakh (2831) on Thursday March 29 2018, @06:03PM (#660103)

    Harmed parties should have a clear legal path to sue ISPs that facilitate bot attacks.
    Similarly, ISPs should have a clear legal path to sue (or at least turn off without compensation) those people whose IoT devices have been misappropriated.

    This to me is the big issue here: ISPs should be responsible for deactivating service to people whose IoT devices are compromised. Doing a bot attack is misuse of your ISP service, and the fact that you don't know any better isn't an excuse. Your ISP should have every right to cut you off until you get your shit under control; you're the one that bought that crap, and it's your responsibility to maintain it. Of course, most people have no idea what a network analyzer is, but ISPs do and should be able to tell customers "hey, you seem to have an XYZ device that's misusing our network. Disconnect it or we're not reconnecting your service".

    ISPs that don't do enough here should be liable for damages. They already threaten to cut off people who torrent movies, so they should be doing the same for people with malware-infested IoT devices.

    • (Score: 5, Insightful) by edIII on Thursday March 29 2018, @07:00PM (3 children)

      by edIII (791) on Thursday March 29 2018, @07:00PM (#660137)

      That's a slippery fucking slope right there. I DO NOT want ISPs being responsible for anything that I do, or watching any of my packets specifically.

      COMMON CARRIER

      Do we sue the airlines because some nutter flew halfway across the country to shoot up a church? It's the same thing. The airport, the TSA, the airlines, all of them should be culpable too since they should've protected us from somebody clearly bad right? How do you determine a bad packet from a good packet? Some things are easy to see, and some are not. Especially if it occurs over protected and encrypted links. An ISP could detect traffic in bad faith by matching it with a pattern, but then those exploits will disappear. Afterwards, it will be far more difficult to detect, and that much more expensive for ISPs to watch for bad behavior.

      Also, if the ISP does do something, this presumes the customer can fix it. We're all pretty damn capable and smart around here, yet I don't see us claiming iron clad defenses. The opposite in fact, and we're all pretty cognizant of the fact that security is utterly terrible at this point. Can some things be fixed at all?

      I happen to know that the vast majority of Bluetooth-enabled devices are grabbing their ankles and ready to be bent over. Those devices cannot be patched, because the LARGE corporation responsible for it isn't interested in upgrading the Android OS on that device.

      We aren't fixing shit that we know is bad, so how can we shift all the blame and liability to the victims and the ostensibly common carrier ISPs?

      We should do something, but I'm loath to attack the victims. If you want them all punished, then step up at least with a way to clean and protect those devices.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 2, Interesting) by Anonymous Coward on Thursday March 29 2018, @07:20PM

        by Anonymous Coward on Thursday March 29 2018, @07:20PM (#660142)
        • Nobody said the ISP should be watching your packets specifically.

          Yet, you cannot have an ISP that doesn't watch packets in general—that's what they do; they transport and manage packets.

          A botnet that is used for DDoS attacks results in a huge amount of packets being sent to a particular party; those packets could indeed be traced back to the originators after the fact.

        • A nutcase flying to a destination is not at all equivalent; that's a normal use of the airline—as you point out, it's indistinguishable from any other person using the airline.

          In contrast, a DDoS attack is like the airline flying a whole plane of nutcases who are toting guns and talking loudly about the damage they're going to do when they land.

      • (Score: 3, Interesting) by Runaway1956 on Friday March 30 2018, @01:37AM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Friday March 30 2018, @01:37AM (#660260) Journal

        Your packets? Really? So, you are aware of every packet that your IoT devices send, and you know what is in those packets? All of those packets are benign, and benefit you specifically?

        I want to see the whole IoT burned to the ground. I want to see the villagers, with their torches and pitchforks, rooting out the evil. The IoT is not about you, the consumer, any more than animal husbandry is about the cattle. Animal husbandry is all about feeding people, and the IoT is all about enriching corporations. The data must flow!

        • (Score: 3, Interesting) by Hyperturtle on Friday March 30 2018, @03:20PM

          by Hyperturtle (2824) on Friday March 30 2018, @03:20PM (#660401)

          I'd be more supportive of IoT hardware if they came with a little guide that had contents that wouldn't change on a random schedule requiring me to visit some website periodically to learn if the terms of the agreement have changed, agreed to if I keep using the product or read that page.

          The guide should say what it does and how it does it, and if I had a firewall, what ports to open or traffic types to permit.

          If it phones to a home, where that is, what the IP address or addresses are going to be, or the DNS names that won't change if the IPs do, due to a site failover or other maintenance because they have redundancy and stuff. Or not, say that too.

          And also if I do DNS filtering, what do I have to enter in to permit the device to go outbound, and will it work without that?

          Can I have it on its own local layer 2 network without needing an internet connection? Can I still expect to use anything on the IoT network if the internet goes down for any reason?

          Right now, the only way to find these things out is to purchase and isolate a device and torture it to make it talk. They do not necessarily give up their secrets easily, but when they do, often they have default user names and passwords on some Arduino Uno or Raspberry Pi Zero or something anyway.

          Anyway I do check that stuff, but I am probably in the minority in wanting to know what the devices on my home network are trying to tell other people about me when I am not paying attention--if they get updates and can I block them, and what happens to my gear if the company that made it or supports it decides to cancel the service. Will my devices get bricked remotely, or just stop working? Can I redirect them, etc.

          As you can imagine, there is not a lot out there that works if you don't let it talk to some random DNS name in an Amazon cloud. I have spoken to tech support that did not know what IP address the product uses or the DNS name. Just that it had to be online to work, have I tried turning it off and on if I have already rebooted my internet connection? Can I bypass my firewall? If the application isn't working right on my computer, did I try disabling all antivirus and other protections?

          Not a good feeling when that's mostly the same script no matter who you call. It's like no one paid to support the products knows how any of it works. You get clowns like me that are interested in safeguarding my home network that find out how some of the stuff works, but we'd be labeled dangerous hackers if we had a blog about it.

    • (Score: 3, Insightful) by JoeMerchant on Thursday March 29 2018, @07:58PM (5 children)

      by JoeMerchant (3937) on Thursday March 29 2018, @07:58PM (#660171)

      the fact that you don't know any better isn't an excuse

      So, when you buy a Nest and have it professionally installed in your home, and the professional installer slips a bitcoin miner into it, and that miner is taken over by a bot-net, that's no excuse, your internet should be shut down and you should be liable for damages?

      How would anyone prove that the professional installer tampered with the device? I've got a 56-year-old sister-in-law who seems incapable of connecting a Blu-Ray player to a new TV set, given the proper HDMI cable and the new-in-box instruction manuals for both (seriously, after "hours" of trying she still can't make it work.) You're going to make this population liable for the technology that is being installed in their cars and homes for them?

      --
      🌻🌻 [google.com]
      • (Score: 0) by Anonymous Coward on Thursday March 29 2018, @10:14PM

        by Anonymous Coward on Thursday March 29 2018, @10:14PM (#660219)

        Every problem you come up with is due to a lack of well defined property rights.

      • (Score: 2) by Grishnakh on Friday March 30 2018, @12:55AM (3 children)

        by Grishnakh (2831) on Friday March 30 2018, @12:55AM (#660249)

        Yes, of course. Why not?

        Does your sister know anything about how cars work? Probably not. However, she's fully responsible for the emissions from her car if she lives in an emission-controlled area. She doesn't get to just ignore the emission testing because she's ignorant of how car engines work.

        • (Score: 3, Touché) by tonyPick on Friday March 30 2018, @09:06AM (2 children)

          by tonyPick (1237) on Friday March 30 2018, @09:06AM (#660316) Homepage Journal

          She doesn't get to just ignore the emission testing because she's ignorant of how car engines work.

          So, following this line of argument then in the VW emissions scandal [theguardian.com] it's the people who bought the cars that should be held responsible?

          Because that's not the way it's working in the UK [thisismoney.co.uk] or Germany [globallegalpost.com] or even the US [theguardian.com].

          ISTM all of these places are holding the car maker to blame, and they're very much not holding the owners to blame for the faults of the manufacturer in this case.

          • (Score: 2) by Grishnakh on Saturday March 31 2018, @02:06PM (1 child)

            by Grishnakh (2831) on Saturday March 31 2018, @02:06PM (#660843)

            So, following this line of argument then in the VW emissions scandal [theguardian.com] it's the people who bought the cars that should be held responsible?

            If they continue to drive non-compliant cars on public roads, then yes. Why would you argue otherwise? You don't get to ignore the laws just because someone else is at fault. In their case, VW should have the responsibility of either fixing or replacing their cars (which, to my knowledge, is what has happened). However, if they refuse this corrective action, they don't get to just drive around and ignore the emissions laws. So YES, they should be held responsible. VW has already been held responsible for their part of the crime, and consumers were not, before that point.

            Same goes for IoT devices: manufacturers should be held responsible by the legal system when found to be negligent, but that doesn't mean consumers can just keep using the faulty devices and ignore the laws or regulations. Worse, with IoT devices, many of them aren't backed by some giant European-based multinational company with deep pockets, they're made by fly-by-night Chinese companies. So no, consumers can't just say "well sorry, my device's manufacturer has disappeared from AliExpress and there's no support or software updates so I'm just going to keep using it".

            I'm sure a lawyer could enlighten us about the specific legal terminology involved here, but you don't get to just throw your hands up when a manufacturer has disappeared, and keep ignoring laws or regulations. You're responsible for abiding by them with your devices or possessions, and you can shift blame to the manufacturer at times (if they can be found and then held responsible legally and financially), but that doesn't completely absolve you of all responsibility. It's really mind-boggling that you would even think this.

            • (Score: 2) by tonyPick on Sunday April 01 2018, @09:35AM

              by tonyPick (1237) on Sunday April 01 2018, @09:35AM (#661092) Homepage Journal

              manufacturers should be held responsible by the legal system when found to be negligent, but that doesn't mean consumers can just keep using the faulty devices and ignore the laws or regulations.

              I see this as a change from your opening argument, where the initial example was of the final product owner being automatically held liable for damages which were due to the actions of the manufacturer and installer. To quote:

              You're going to make this population liable for the technology that is being installed in their cars and homes for them?
              ...

              Yes, of course. Why not?
              ...

              Nobody (AFAICT) is arguing owners should not be responsible for their *own* actions, but automatic liability for damages on the owner also places them on the hook for the actions of the suppliers and third parties.

  • (Score: 0) by Anonymous Coward on Thursday March 29 2018, @06:12PM (1 child)

    by Anonymous Coward on Thursday March 29 2018, @06:12PM (#660107)

    The vendor says it magically doesn't belong to anyone because it is in the cloud. Because cloud cloudy cloud cloudity cloud.

    You can't sue the cloud. The judge rules in favor of the cloud because clouds. So vendor can do whatever they want. It's the cloud's problem. Can't do anything about the cloud. Everything is good in the cloud. Why are you questioning the cloud? What is best for everyone is in the cloud. Cloud belongs to no one. Can't blame the cloud. Cloud's going to do what a cloud's going to do. You will learn to love the cloud too.

    • (Score: 0) by Anonymous Coward on Thursday March 29 2018, @06:14PM

      by Anonymous Coward on Thursday March 29 2018, @06:14PM (#660110)

      You're just making the other AC's point.

      Society depends on well-defined property; that's the whole point of Capitalism: Every disputed resource needs to be assigned a well-defined owner—that's what "capital" is.