Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the "Internet of Things" and increased regulation of what are now critical and life-threatening technologies. It's no longer a question of if, it's a question of when.
First, the facts. Those websites went down because their domain name provider — a company named Dyn — was forced offline. We don't know who perpetrated that attack, but it could have easily been a lone hacker. Whoever it was launched a distributed denial-of-service attack against Dyn by exploiting a vulnerability in large numbers — possibly millions — of Internet-of-Things devices like webcams and digital video recorders, then recruiting them all into a single botnet. The botnet bombarded Dyn with traffic, so much that it went down. And when it went down, so did dozens of websites.
Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you've never heard of to consumers who don't care about your security.
The technical reason these devices are insecure is complicated, but there is a market failure at work. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. These devices will affect every aspect of our lives, because they're things like cars, home appliances, thermostats, lightbulbs, fitness trackers, medical devices, smart streetlights and sidewalk squares. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require. These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades.
Is government regulation the only way to get manufacturers of Internet of Things (IoT) devices to care about security?
(Score: 2) by Snotnose on Saturday November 12 2016, @03:17AM
They could find all the vulnerable devices, change the network settings and the default password. Device is effectively bricked, gets sent in to warranty repair, offending company goes bankrupt, and problem solved.
Of course, anyone doing this is breaking federal law. As are the black hat hackers, but the black hats are overseas and get tons of money when they succeed, while the white hats are here and get bupkis when they succeed.
Me? Be at least 5 years before I buy an IoT device, and I'll be damned sure to change the default password on it.
When the dust settled America realized it was saved by a porn star.
(Score: 3, Insightful) by Ethanol-fueled on Saturday November 12 2016, @03:26AM
I prefer the old-skool approach - I'll walk the 12 steps down the hall and turn the knob myself. Anybody who allows their home to be a digital disease vector deserves what they get.
(Score: 1) by tftp on Saturday November 12 2016, @05:46AM
Then you will be in violation of the new lifestyle. A modern man is supposed to be a couch potato, and walking 12 steps down the hall to do something is anathema. It started with the TV remote controls, I guess... and today some people can work the whole day without leaving the bed. Just wait for adoption of the basic income...
(Score: 2) by mcgrew on Saturday November 12 2016, @03:12PM
Then you will be in violation of the new lifestyle. A modern man is supposed to be a couch potato, and walking 12 steps down the hall to do something is anathema.
Huh? You're behind the times (and so am I). These days it's all about fitness. Personally, I think exercise is bad for you. Proof? Take a ten mile hike and see what your legs feel like the next day.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by Gaaark on Saturday November 12 2016, @05:39PM
Fitness?!?! What the what is fitness???? :)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2, Insightful) by Anonymous Coward on Saturday November 12 2016, @06:32AM
Except *we* get what they deserve. Thus the problem...
(Score: 2) by mcgrew on Saturday November 12 2016, @02:57PM
The problem is that the people who are "digital disease vectors" aren't usually the ones impacted. The DDOS affects anyone using the sites that are affected online, sites the "digital disease vectors" may not use. [cyberscoop.com]
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2, Touché) by Anonymous Coward on Saturday November 12 2016, @03:21AM
Concerning the "Internet of Things", I can understand looking for a solution for the myriad of problems in government regulation. The track record of the War on Poverty, War on Drugs, the high regard for the Rule of Law, and the careful respect given to individual rights all speak volumes.
(Score: 1, Insightful) by Anonymous Coward on Saturday November 12 2016, @03:23AM
Remember NT4 was DoD certified at one point. Let that sit and gel in your mind for a bit.
(Score: 1, Interesting) by Anonymous Coward on Saturday November 12 2016, @05:33AM
Remember when Linux was missing features that existed in NT4 for years? Like KUSER_SHARED_DATA which NT4 had in 1993, but it took until 2001 for Linux to get vsyscall because Linux dweebs were in pathological denial about the usefulness of mapping kernel memory into userspace to avoid the overhead of a system call? If penguin hugging Linux bigots got their way, they would eliminate userland entirely and run everything in the kernel. Sit and think on that one for a minute.
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @05:26PM
What the fuck is a "Linux bigot"? Are there also 'Windows bigots', 'Mac bigots', and so on?
(Score: 4, Insightful) by stormwyrm on Saturday November 12 2016, @07:55AM
The EPA made mistakes in its handling of the Flint water supply issue. The FDA approved Vioxx at one time too. In the same way, a hypothetical government agency with the mandate to oversee the security of network connected devices will undoubtedly make mistakes just as big too. Government, like everything run by humans, is fallible and prone to mistakes. But is that really worse than having no regulation at all, and having a simple free for all like today where anyone and everyone can plug in their insecure, unpatchable IoT device to the Internet with no possible recourse? We could go back to the era of medicine shows and snake oil and folks being allowed to pollute anywhere and everywhere if you really think that government agencies that have made some big mistakes like the FDA and the EPA have really done so much more harm than good in the decades since their foundation. I for one don't see that as being the case.
Also, as Schneier points out in TFA, this is not a choice of regulation vs. no regulation. The day someone causes a major disaster that kills hundreds or thousands by means of an Internet-connected system (e.g. a nuclear power plant) will be the day that the government scrambles to add ill-thought, emotionally-driven regulation over the Internet just like the Patriot Act in the wake of 9/11. Would you rather have well-thought out and sane regulation produced before the problem becomes big enough to allow a disaster of such magnitude to occur, or ill-conceived regulation that is railroaded through in the face of such a disaster?
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Sunday November 13 2016, @02:07AM
Oh that is all true. HOWEVER, my point was do not put too much stock into stickers that say 'gov approved'. Like a gallon of milk they eventually expire.
They will get old and out of date very quickly. The market (legal, grey, and illegal) will take care of that. Not in a good way either. Take for example one of the early "IoT" devices that everyone had. The Linksys WRT54G. That thing was a powerhouse. Millions sold. However support for the original version is pretty much gone. Have not looked lately as I upgraded ages ago. But I am not sure you can even get a current opensource build on there. There are hundreds of router models like that out there. No support and will never see another patch. Some will get some love from the open source community. But not all. In fact the vast majority will fall out of date. So as an end user I am stuck with a device that works for the reason I bought it but is insecure.
No amount of regulation will fix that. In fact I would predict it would just be a way for larger players to lock out newer players through the use of regulatory capture.
ill-conceived regulation that is railroaded through in the face of such a disaster
That is the way it will happen unfortunately. It will then become some massive rolling disaster of ill thought out regs that pretend to do something but do very little. My bet is one of the first things they pass would be 'no hacking'. Which will basically make people who try to break the things villains. Even though they just want to fix those things. The people who want to find the vulns for monetary gain will not give one whit about the law.
(Score: 1, Insightful) by Anonymous Coward on Saturday November 12 2016, @04:11AM
Let's start with BCP 38 mmm Kay?
And then some consensus around tcp port 25 to help mitigate spam.
And then, and only once we've done the above, let's think about regulating the internet.
Also, do you really want our current, DUMBER THAN DOG SHIT politicians to even mess with the internet? All of these dumb cunts, from all sides of politics, are fucking dumber than fuck, and constantly FUCK EVERYTHING they touch.
Just look at the USA. Their citizens just voted this Trump person as president. Someone who's illiterate, and never served in an office of any kind. You would have a Trump be in charge of regulating the internet?
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @04:42AM
The IoT zombies seem to be "ignoring" BCP38, they use their real IPs, they would not be affected by antispoofing measures. The numbers are so high they don't need to play magnification or spoofing games, they just attack as a massive horde.
SMTP seems also fixed, just only accept mails starting or going thru the real machines configured as mail machines for a domain (and don't relay for anybody not allowed). There are some extras to certify the permissions, or allow other machines to appear as valid senders.
So all goes back to step 0: misconfigured machines, or p0wned machines. IoT seems to come misconfigured from the factory and never get fixed, to save some pennies. Plus most of them being completely and totally badly designed, requiring connection to external things and doing it poorly instead of correctly, or better, not at all.
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @07:15AM
Oh of course, this one attack doesn't use packets with source addresses.
Therefore, no need for BCP38?
You are a fucking imbecile. Get the fuck out.
What else is needed is something like RTBH but taking out the entire /24 or /56 or /48.
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @07:13PM
RFC2827 / BCP38 Abstract says:
There is no source address spoofing with the recent IoT attacks, so it would change nothing as BCP38 is about restricting forged traffic, not valid one.
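The point argued in the comments above, as an added Python sketch (not code from the thread or from RFC 2827): a BCP 38 style ingress check drops packets with forged sources but forwards flood traffic sent from the devices' real addresses, and the last function aggregates those real sources into /24 and /48 prefixes, the granularity one commenter suggests for RTBH-style blocking. Port names, prefixes, packets and labels are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed edge-router table: prefixes legitimately reachable behind each
# customer-facing port (documentation address ranges, not real networks).
PORT_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("2001:db8:42::/48")],
}

# Constructed packets: (ingress port, source address, ground-truth label).
PACKETS = [
    ("cust-a", "198.51.100.23", "bot-direct"),     # infected camera, real source
    ("cust-a", "198.51.100.77", "bot-direct"),     # infected DVR, real source
    ("cust-b", "203.0.113.9", "bot-direct"),
    ("cust-b", "2001:db8:42:1::5", "bot-direct"),
    ("cust-a", "192.0.2.10", "spoofed"),           # forged source address
    ("cust-b", "203.0.113.200", "spoofed"),        # outside the /25 on this port
    ("cust-b", "not-an-ip", "malformed"),
]


def ingress_permits(port, src):
    """Forward only if src lies inside a prefix assigned to the ingress port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: drop
    return any(addr.version == net.version and addr in net
               for net in PORT_PREFIXES.get(port, []))


def apply_ingress_filter(packets):
    """Return (forwarded, dropped) Counters keyed by ground-truth label."""
    forwarded, dropped = Counter(), Counter()
    for port, src, label in packets:
        (forwarded if ingress_permits(port, src) else dropped)[label] += 1
    return forwarded, dropped


def blackhole_candidates(packets, label="bot-direct", v4_len=24, v6_len=48):
    """Aggregate attacking sources that passed the filter into covering prefixes.

    The label stands in for whatever an operator used to identify the
    attacking hosts; the prefix lengths follow the comment in the thread.
    """
    nets = Counter()
    for port, src, lab in packets:
        if lab != label or not ingress_permits(port, src):
            continue
        addr = ipaddress.ip_address(src)
        plen = v4_len if addr.version == 4 else v6_len
        nets[ipaddress.ip_network(f"{addr}/{plen}", strict=False)] += 1
    return nets


if __name__ == "__main__":
    fwd, drp = apply_ingress_filter(PACKETS)
    print("forwarded:", dict(fwd))
    print("dropped:  ", dict(drp))
    for net, count in blackhole_candidates(PACKETS).items():
        print(f"candidate {net}: {count} source(s)")
```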
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @07:22PM
Before reading https://www.ietf.org/rfc/rfc2827.txt [ietf.org] you should read https://www.ietf.org/rfc/rfc1855.txt [ietf.org] .
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @05:01AM
A technical problem can never be fixed by government decree.
Incidentally, everything in life is a technical problem.
(Score: 3, Insightful) by Anonymous Coward on Saturday November 12 2016, @10:16AM
Sunny Somalia awaits you.
(Score: 1, Insightful) by Anonymous Coward on Saturday November 12 2016, @05:41AM
Getting government involved in this is straightforward idiotic.
Even if they somehow, in some intelligible, enforceable and identifiable way require good security practices (hah!) that actually are followed by manufacturers (double hah!) and are generally effective (and I'd like a pony and a blowjob too, thanks) there is no power on earth that can require companies that no longer exist to retrofit abandonware to their standards.
And that's not the worst of it. New devices? New cracks. Oh, sure, the hardware, firmware and software will meet all the checkboxes (probably checked off by a government employee who isn't even clear on the real meanings of all the words, just using some semi-automated test suite) but if there's an exploitable programming flaw (and there will be, sure as fate) then all your checkboxes won't amount to a hill of beans.
Citation: Microsoft.
Go ahead. Regulate like a mofo. All you'll do is spend money, annoy people, and give a politician an excuse to tell the world that Something Has Been Done.
Oh, and slow down real, sensible innovation.
(Score: 3, Insightful) by ticho on Saturday November 12 2016, @09:41AM
As someone who lived through several enterprise-level security audits, where auditors barely understood what a computer is, and just went through their Excel checklists, parroting line after line, I approve of the parent post.
(Score: 5, Interesting) by stormwyrm on Saturday November 12 2016, @05:58AM
As much as this place seems to be a den of libertarian diehards I think it has to be said that this is one of the situations where government regulation really is the only viable solution. Even some libertarian theorists recognise that market failure of this kind is one of the only places where government is useful. It's just like the reason why we have things like the FDA and the EPA, and it's arguable that these agencies have done way better than just leaving things up to the "invisible hand" which is just going to fist you up the ass in cases like this. A car analogy is useful here I think. Would the average motorist go out of their way to add, say, a catalytic converter to their car, or keep their vehicles well-tuned so that they don't emit black clouds of smoke? The car companies aren't going to care about these things because they cost money, and the selling point that "our cars have fewer air emissions" isn't going to make them sell more cars when adding anti-pollution devices adds a significant expense. The average motorist isn't going to care about this, because they're like snowflakes in an avalanche: no one of them feels responsible for the cloud of smog. In the same way, "our devices are more secure" isn't going to make an IoT gadget company sell more units, especially since it is a claim that is hard for an individual purchaser to verify, over a cheaper company that cuts corners on security. An average, individual owner of an insecure IoT device will likewise not care very much that their devices are being suborned to participate in a massive distributed denial of service attack on someone, as long as their devices seem to be otherwise working as advertised. The only way that worked to make car companies and motorists responsible for air pollution was to have the Environmental Protection Agency lay down regulations that dictated emissions standards. 
I can't think of another way to make the manufacturers and owners of network-connected devices care about security than for a government agency to lay down regulations that dictate security standards.
Numquam ponenda est pluralitas sine necessitate.
(Score: 3, Interesting) by GungnirSniper on Saturday November 12 2016, @07:47AM
Keep your laws away from my code. But liability laws should still apply for insecure devices.
Tips for better submissions to help our site grow. [soylentnews.org]
(Score: 4, Insightful) by termigator on Saturday November 12 2016, @02:33PM
Agreed. I think many here make the mistake that "regulation" would entail laws dictating coding practices and hardware design. That is not needed. Instead, the law could state that manufacturers can be held liable. Right now, the industry is allowed to claim no warranty of fitness and claim no liability. Other industries (e.g. auto) are not allowed to do that.
(Score: 4, Insightful) by stormwyrm on Sunday November 13 2016, @05:50AM
Exactly. To extend my car analogy, that would be the equivalent of the EPA telling car companies that they must design their engines and fuel systems in a certain way. The EPA is not now nor has it ever been in the business of automotive research and development. In the same way, a hypothetical Computer Security Protection Agency (this is what the NSA should be doing, by the way, not spying on the world!) would not go down to the level of dictating coding practice or hardware design either. Most likely they would start by doing the analogue of EPA emissions testing on devices that are permitted to be sold in the United States. Perhaps they might hire a bunch of tiger teams to check devices for at the very least the most glaring of security flaws. That way we wouldn't have any of these IoT devices which have default passwords that can't be changed and other obvious nonsense. If someone sold a device with an unpatchable flaw, they might force the manufacturer to issue a recall the way the NHTSA does today, or issue liability lawsuits themselves. They will not be perfect of course, but nothing ever is, but if they are created with a clear mandate and proper authority to execute it there is potentially plenty of good that they could do that would be otherwise impossible.
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @12:03PM
Regulation is not the only way to fix this. There are certainly technical solutions that can mitigate DDoS attacks. Let's work on those instead of whining. If users and vendors don't care about security, they can learn a lesson from being hacked.
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @03:04PM
(Score: 0) by Anonymous Coward on Wednesday November 16 2016, @04:27PM
(Score: 5, Interesting) by canopic jug on Saturday November 12 2016, @06:06AM
Dan Geer and Poul-Henning Kamp have both spoken and written about how to use product liability to address this Internet-of-Things-That-Cannot-Be-Patched. It's really quite straightforward to give the vendors a choice: to provide the complete source code under an OSS license or else to comply with standard product liability.
Those that don't want to provide source then are forced to man up and act like any other manufacturer in the world. Those that do provide the source allow the customer(s) to potentially remove unwanted features or misfeatures, find or fix bugs, or hire people to do that after the vendor has abandoned the product or gone out of business.
Money is not free speech. Elections should not be auctions.
(Score: 3, Disagree) by zocalo on Saturday November 12 2016, @08:22AM
Oh, wait, how's that supposed to work now that globalisation is the new big bad and we're supposedly going to be spending the next few years shredding international treaties? Don't expect this to go away while we're busy breaking up TPP, TTIP, NAFTA, the EU, and all the rest.
UNIX? They're not even circumcised! Savages!
(Score: 4, Insightful) by canopic jug on Saturday November 12 2016, @12:04PM
and we're supposedly going to be spending the next few years shredding international treaties? Don't expect this to go away while we're busy breaking up TPP, TTIP, NAFTA, the EU, and all the rest.
Good riddance to TPP, TTIP, NAFTA, TISA, and CETA at least. Read up on them. They are not helpful in promoting trade. NAFTA now has many years of documentation showing what a big failure it has been with trade and especially jobs. As for the others, they suck so badly that they had to be negotiated in secret. Except that they weren't actually negotiated by anything other than corporate lawyers. Make of that what you will but the leaked treaty documents show in some of them that opening source code is expressly forbidden [techdirt.com]. So for Geer's / Kamp's proposal to gain traction, these travesties have to be eliminated on those grounds even if the obscene secrecy weren't sufficiently anathema to democratic process.
Money is not free speech. Elections should not be auctions.
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @01:36PM
Not to mention all the draconian copyright and patent laws the TPP and friends impose. We should not only scrap these treaties, but we should scrap older draconian treaties like the Berne Convention as well; it's time we fought back against the copyright and patent cultists.
Getting rid of software patents would also make developers less wary of making their software truly free.
(Score: 2) by zocalo on Saturday November 12 2016, @04:08PM
Most educated people realise that the world isn't black and white and that sometimes the greater good must prevail, yet globalisation seems to have even less of a middle ground than climate change right now. The problem isn't with the pursuit of such treaties, the problem is with the attitudes, greed and (above all else) lack of long term vision, of those that are pulling the strings of those doing the negotiations,
UNIX? They're not even circumcised! Savages!
(Score: 3, Insightful) by canopic jug on Saturday November 12 2016, @04:52PM
You're right that globalization is not black and white, at least when considered generally. Those specific treaties are black and white though. The US has fast-tracked them which means the vote is take it or leave it, no modifications or conditions allowed. That's as black and white as it gets.
But any regulations referring to source code are going to be encountering large barriers, because M$ has been functioning as a mighty lobbying engine for the last decade and a half.
Money is not free speech. Elections should not be auctions.
(Score: 3, Insightful) by Anonymous Coward on Saturday November 12 2016, @05:30PM
Here's a solution, then: Negotiate the treaties in public and without all the corporate lobbying, and don't allow draconian nonsense into them (keep it about beneficial free trade and other things that actually benefit the people). Until that happens, these treaties must be rejected.
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @01:33PM
The software must be free or else the software can't be trusted (even with supposedly external audits) and shouldn't be used anyway because it doesn't respect the users' freedoms. [gnu.org] Anyone, anywhere, and at any time should be able to view, modify, and distribute modifications of the source code, as well as use any modifications on their devices. Anything less is intolerable.
(Score: 2) by zocalo on Saturday November 12 2016, @04:19PM
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @05:35PM
Sure, that might be true for legislation and treaties, but I'm saying that as many individuals as possible should reject non-free devices. Maybe there won't be enough people doing that to actually cause the companies to have second thoughts, but it can still benefit the individual boycotters.
(Score: 1) by trimtab on Saturday November 12 2016, @09:49PM
The problem is that the "so called" balanced approach will absolutely lead to more DDOS attacks for IoT devices. It costs money to develop, audit, and maintain secure firmware/software properly. There is NO incentive to spend that extra money without government penalties for failure to do so, so closed software will almost NEVER be fixed. Open Source software at least allows customers or others to audit and improve the result and if you are a hardware maker it would be a marketing and sales win.
Of course, most CPUs, GPUs and SoCs require NDAs and closed sourced BLOBs of binary *crap* to even be included in products. We need some smart hardware maker to figure out that "open and secure" is the best path and that will NOT occur without substantial financial penalties for producing insecure devices.
So a Government imposed penalty is absolutely necessary. A Government mandate on a specific solution is not. However, the "open source" option would be a "low cost" way for new players to enter the market without the costs of paying for proprietary reviews which may or may not prevent future takeovers of their products. And at least with Open Source the customers (or experts they can hire) can fix the problem with the equipment even if the company that created the hardware goes belly up.
We need no more Oracles or Microsofts, particularly in IoT.
(Score: 2) by zocalo on Sunday November 13 2016, @07:49AM
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @04:28PM
Q: but how will the whores keep their competitors from stealing their precious secrets and the whole market?
A: no one is stopping you from getting off your ass or innovating. maybe you think you should be able to work once and then just get paid for the rest of your life by violating others' freedoms? also, your market is artificially constricted by your closed business model, fuckhead.
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @11:12AM
It's really quite straightforward to give the vendors a choice: to provide the complete source code under an OSS license or else to comply with standard product liability.
Right. Please have a look at the real world away from your computer before having these stupid ideas and posting about them. Perhaps, at the pharmaceutical industry and where such ideas have failed miserably many times before?
(Score: 1, Insightful) by Anonymous Coward on Saturday November 12 2016, @07:54AM
This is just the warm up round for trying to enact legislation of a certain flavor regarding all internet connected devices... see, they are now a terrorist threat by disrupting internet "business".
(Score: 0) by Anonymous Coward on Saturday November 12 2016, @04:41PM
Is rarely the answer. Market forces however, is.
(Score: 1) by EETech1 on Saturday November 12 2016, @09:11PM
Wouldn't using a CPU with the Harvard Architecture solve much of this problem?
If the code is stored separately, and cannot be confused with data, it would seem that would eliminate many of the methods used to take over these devices.
(Score: 2) by Scruffy Beard 2 on Sunday November 13 2016, @06:24AM
The code still has to be bug-free: even with read-only memory.
Computer Scientists Take Over [ucsd.edu] Electronic Voting Machine with New Programming Technique
TL;DR: They invent a new programming technique called "return oriented programming". They use the tail-ends of subroutines to build up a Turing-complete language.
They leverage a stack overflow in a maintenance routine in order to do naughty things.
That is the article that convinced me that modern computers are inherently insecure.
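An added illustration of the point in the comment above (not from the thread or the linked paper): a toy Harvard-style machine in Python where code sits in read-only memory, yet an unchecked copy into a stack buffer still redirects a return into code that is already in ROM, and a bounded copy prevents it. The instruction set, ROM contents and output strings are hypothetical and constructed for this example.

```python
# Toy Harvard-style machine (hypothetical instruction set, constructed ROM).
# Code lives in ROM, an immutable tuple that no instruction can write to.
# Data and the call stack live in RAM, so return addresses are still data.
ROM = (
    ("CALL", 3),                         # 0: main calls the maintenance routine
    ("OUT", "normal operation"),         # 1: legitimate return site
    ("HALT",),                           # 2
    ("ALLOC", 4),                        # 3: maintenance: reserve a 4-cell buffer
    ("READ", 4),                         # 4: copy input into that buffer
    ("FREE", 4),                         # 5: release the buffer
    ("RET",),                            # 6: pop the return address from RAM
    ("OUT", "service routine reached"),  # 7: tail of an unrelated ROM routine
    ("HALT",),                           # 8
)


def run(user_input, bounded, rom=ROM, ram_size=16, max_steps=100):
    """Execute ROM and return the list of OUT messages.

    bounded=False models the bug: READ copies every input cell.
    bounded=True models the fix: READ copies at most the buffer size.
    """
    ram = [0] * ram_size
    sp = ram_size            # stack grows downward from the top of RAM
    pc = 0
    out = []
    for _ in range(max_steps):
        if not 0 <= pc < len(rom):
            out.append("fault: return outside ROM")
            break
        op = rom[pc]
        name = op[0]
        if name == "CALL":
            sp -= 1
            ram[sp] = pc + 1             # return address stored in data memory
            pc = op[1]
        elif name == "RET":
            if sp >= ram_size:
                out.append("fault: stack underflow")
                break
            pc = ram[sp]                 # whatever RAM holds becomes the next pc
            sp += 1
        elif name == "ALLOC":
            sp -= op[1]
            pc += 1
        elif name == "FREE":
            sp += op[1]
            pc += 1
        elif name == "READ":
            n = min(len(user_input), op[1]) if bounded else len(user_input)
            for i in range(n):
                if sp + i < ram_size:    # the toy RAM ends here
                    ram[sp + i] = user_input[i]
            pc += 1
        elif name == "OUT":
            out.append(op[1])
            pc += 1
        elif name == "HALT":
            break
    return out


if __name__ == "__main__":
    print(run([1, 2, 3, 4], bounded=False))      # input fits the buffer
    print(run([0, 0, 0, 0, 7], bounded=False))   # fifth cell lands on the return address
    print(run([0, 0, 0, 0, 7], bounded=True))    # same input, bounded copy
```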
(Score: 1) by EETech1 on Sunday November 13 2016, @09:20AM
I thought the Z80 was a Von Neumann chip.
From your link:
“We overwrote the computer’s memory and state so it does what we want it to do, but if you shut off the machine and reboot from ROM, the exploit is gone and the machine returns to its original behavior,” explained Checkoway.
This would indicate to me that the chip was executing instructions from RAM caused by a buffer overflow.
This cannot happen if the CPU cannot execute instructions from data memory. It can corrupt the data, but not change the program.
Am I missing something?
Cheers
(Score: 2) by Scruffy Beard 2 on Sunday November 13 2016, @04:11PM
From the paper [usenix.org] (that I thought was linked from that article):
(Score: 1) by jurov on Saturday November 12 2016, @11:47PM
Suppose a security-conscious customer wants to do the research before buying. Is there anybody who actually checks the devices for open ports/default passwords/other DDoS vectors and publishes the results?