posted by charon on Friday June 02 2017, @08:58PM
from the looming-global-IoT-shitstorm dept.

TechDirt reports

In the wake of the Wannacry ransomware, University of Pennsylvania researcher Sandy Clark has proposed something along these lines: firmware expiration dates. Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices:

A requirement that all IoT software be upgradeable throughout the expected lifetime of the product. Many IoT devices on the market right now contain software (firmware) that cannot be patched even against known vulnerabilities.

A minimum time limit by which manufacturers must issue patches or software upgrades to fix known vulnerabilities.

A minimum time limit for users to install patches or upgrades, perhaps this could be facilitated by insurance providers (perhaps discounts for automated patching, and different price points for different levels of risk).

Of course, none of this would be easy, especially when you consider this is a global problem that needs coordinated, cross-government solutions in an era where agreement on much of anything is cumbersome. And like previous suggestions, there's no guarantee that whoever crafted these requirements would do a particularly good job; that overseas companies would be consistently willing to comply; or that these mandated software upgrades would actually improve device security. And imagine being responsible for determining all of this for the 50 billion looming internet connected devices worldwide?

That's why many networking engineers aren't looking so much at the devices as they are at the networks they run on. Network operators say they can design more intelligent networks that can quickly spot, de-prioritize, or quarantine infected devices before they contribute to the next Wannacry or historically-massive DDoS attack. But again, none of this is going to be easy, and it's going to require multi-pronged, multi-country, ultra-flexible solutions. And while we take the time to hash out whatever solution we ultimately adopt, keep in mind that the 50 million IoT device count projected by 2020 is expected to balloon to 82 billion by 2025.



This discussion has been archived. No new comments can be posted.
  • (Score: 2) by jmorris on Friday June 02 2017, @09:12PM (7 children)

    by jmorris (4844) Subscriber Badge <jmorrisNO@SPAMbeau.org> on Friday June 02 2017, @09:12PM (#519577)

    IoT crap comes in two flavors. Google / Amazon stuff to bind you to an ecosystem, generally produced by IT-savvy companies. Regular updates for them are an option. The rest comes from fly-by-night Chinese companies selling you crap, and once it is sold any maintenance is an expense they won't bear one second beyond when a product goes out of production and the shelves empty.

    The only answer for that second sort is to standardize on a couple of basic platforms, ship the devices with OpenWRT or similar open tech, and once the vendor ceases support release the means for the owner to point it at a standard repo for updates. Or better yet, just point it there from day one for the OS and at the vendor for the webapp running atop it. But the requirement must be there from day one because even the minimal effort to get a Chinese vendor to publish an 'abandon it and throw it open' patch is too much to ask.

    • (Score: 4, Interesting) by bob_super on Friday June 02 2017, @10:01PM (4 children)

      by bob_super (1357) on Friday June 02 2017, @10:01PM (#519593)

      The only way to stop the idiocy (besides "not buying webcam-microwaves") is to upgrade consumers to firewalls treating any new device as a threat.
      "This device will be isolated from the rest of the network, until you explicitly enable it (via a grandma-friendly GUI) to connect to that other one, on that particular port, or that web server, and absolutely nothing else, ever, and you can only add permissions with the code that the firewall keeps changing on its front panel."

      Plug-and-play is the problem. Convenience sells devices, but it sells them to clueless people who endanger everyone else.

      If manufacturers want to connect a device to their servers, it should always be to a "trusted" single entry point, so you can firewall everything else.

      • (Score: 2) by jmorris on Friday June 02 2017, @10:09PM

        by jmorris (4844) Subscriber Badge <jmorrisNO@SPAMbeau.org> on Friday June 02 2017, @10:09PM (#519596)

        I like it. How about revise to when a new device appears ask you (if it can't auto id it) if it is a) a general purpose computing device that will receive regular OS/Browser updates and connects to a wide variety of web resources or b) an IoT device. If IoT, assume it is secure when first unboxed and thus observe traffic to/from it and build a whitelist from that over a week or two. After that provide a button for 'reconfiguring device' for cases like a Roku where you might subscribe to a new service via it and need to permit it to connect to the servers for it.
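        The scheme sketched in the two posts above (bob_super's "isolate every new device until explicitly permitted" and jmorris's "observe an IoT device for a week or two, build a whitelist, then enforce it, with a reconfigure button") can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from either poster. The device kinds, the window lengths, the MAC addresses and the sample flow log are all assumptions made for the illustration. One caveat the model makes visible: everything the device does during the learning window becomes part of its baseline, so a device that arrives already compromised, or is compromised before the window closes, gets its bad destinations whitelisted. The `dropped` audit list is where a later compromise would show up, and it is worth alerting on rather than silently discarding.

```python
"""Per-device allow-list firewall: deny by default, learn an IoT baseline, then enforce.

Added example, not code from any poster on this page. Names, window lengths
and the sample flow log are assumptions made for the illustration.
"""
from dataclasses import dataclass, field

LEARN_WINDOW = 14 * 24 * 3600   # assumed: two weeks of observation for a new IoT device
RECONFIGURE_WINDOW = 30 * 60    # assumed: 30 minutes of learning after "reconfiguring device"


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as the router sees it."""
    dst: str      # destination IP or hostname
    port: int
    proto: str    # "tcp" or "udp"


@dataclass
class Device:
    mac: str
    kind: str                       # "general" (PC/phone) or "iot"
    learn_until: float              # end of the current learning window (epoch seconds)
    allowed: set = field(default_factory=set)
    dropped: list = field(default_factory=list)   # audit trail of blocked flows


class AllowListFirewall:
    def __init__(self):
        self.devices = {}

    def register(self, mac, kind, now):
        """First sighting of a MAC. `kind` is the owner's answer to the
        'general-purpose or IoT?' question; unknown kinds are refused."""
        if kind not in ("general", "iot"):
            raise ValueError("kind must be 'general' or 'iot'")
        until = now + LEARN_WINDOW if kind == "iot" else 0.0
        self.devices[mac] = Device(mac, kind, until)
        return self.devices[mac]

    def decide(self, mac, flow, now):
        """Return 'allow', 'learn' or 'drop' for a flow from `mac` at time `now`.
        Unregistered devices are denied outright (deny by default)."""
        dev = self.devices.get(mac)
        if dev is None:
            return "drop"
        if dev.kind == "general":
            return "allow"          # regularly patched hosts are not allow-listed
        if now < dev.learn_until:
            dev.allowed.add(flow)   # learning: record the destination and let it through
            return "learn"
        if flow in dev.allowed:
            return "allow"
        dev.dropped.append((now, flow))   # new destination after learning closed
        return "drop"

    def reconfigure(self, mac, now):
        """The 'reconfiguring device' button: reopen a short learning window."""
        self.devices[mac].learn_until = now + RECONFIGURE_WINDOW


def replay(fw, events):
    """Feed a list of (time, mac, Flow) events through the firewall; return decisions."""
    return [fw.decide(mac, flow, t) for t, mac, flow in events]


# Constructed sample log: a camera talks to its vendor during learning, then
# starts contacting a never-seen host after the window has closed.
CAMERA = "aa:bb:cc:00:00:01"
LAPTOP = "aa:bb:cc:00:00:02"
SAMPLE_EVENTS = [
    (10.0,               CAMERA, Flow("203.0.113.10", 443, "tcp")),   # vendor cloud, learning
    (20.0,               LAPTOP, Flow("198.51.100.7", 443, "tcp")),   # laptop, unmanaged
    (LEARN_WINDOW + 5.0, CAMERA, Flow("203.0.113.10", 443, "tcp")),   # known, allowed
    (LEARN_WINDOW + 6.0, CAMERA, Flow("192.0.2.99", 6667, "tcp")),    # new after learning: drop
]


def demo():
    fw = AllowListFirewall()
    fw.register(CAMERA, "iot", 0.0)
    fw.register(LAPTOP, "general", 0.0)
    return replay(fw, SAMPLE_EVENTS)


if __name__ == "__main__":
    print(demo())   # ['learn', 'allow', 'allow', 'drop']
```

The allow-list keys on (destination, port, protocol) rather than destination alone, so a device that legitimately reaches its vendor on 443 does not thereby get to reach the same host on any port. A real router would hang this off its connection-tracking hook and would want the learned set persisted across reboots.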

      • (Score: 4, Interesting) by zocalo on Friday June 02 2017, @10:40PM (2 children)

        by zocalo (302) on Friday June 02 2017, @10:40PM (#519605)
        I've been thinking along similar lines, since it's obvious that IoT is here to stay and so we'd better figure out how to fix it. If you take as given that any item of hardware and software will, at some point, have an exploitable weakness discovered in it and that not all users will know even the first principles of security, then defence in depth is the best mitigation. For most home IoT devices there are three tiers in the model: the device itself, their home router, and their ISP - with the brunt of the work falling on the router, since it's the closest we've got to an edge firewall and central management device. Protecting the router (also susceptible to "any given item of hardware...") is largely going to be down to better management of the admin interfaces, and the ISP.

        What seems to be needed is a way for the router to autoconfigure firewalling based on the requirements of the IoT device in question, which is going to mean some kind of lookup, either via querying the device itself (a standard URL to return basic device info, perhaps?) or an unconfigured device broadcasting the information in a similar manner to an ARP or DHCP request until it gets an ACK from the router that it has been configured. For security, all this should obviously be local subnet only unless manually configured otherwise, which shouldn't be beyond the capabilities of anyone running multiple subnets in the first place, and there's going to need to be at least some manual intervention to prevent spoofing ("Hi, I'm a newly compromised PC, but I'm pretending to be a new IoT device - now, if you can just open ports...").

        Problem is, as with that form for solutions to the spam problem, this approach advocates a technical and market-based approach (and maybe legislative too)... There are too many big players that are going to want to push their own take on the necessary "standard", and even if/when they all get behind a small enough subset for vendors of CPE to have a shot, there are too many cheap-ass vendors of IoT devices that won't bother supporting it anyway.
        --
        UNIX? They're not even circumcised! Savages!
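        The router side of the announcement scheme described in the post above, as an added example that is not code from zocalo or from this page. The manifest format, its field names, the home subnet and the sample thermostat are all assumptions made for the illustration; the standardised version of the same idea is the IETF's Manufacturer Usage Description (RFC 8520). The two security rules from the post are what the code enforces: a manifest is only honoured if it arrives from the local subnet, and anything that asks to open inbound ports (the "newly compromised PC pretending to be an IoT device" case) is parked for the owner's explicit approval instead of being applied. Wildcards are refused so that no manifest can ask for "everything", and every generated rule set ends in a default deny for that device.

```python
"""Router-side handling of a device-announced connectivity manifest.

Added example, not code from any poster. The manifest format, field names
and sample values are assumptions made for the illustration.
"""
import ipaddress
import json

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN


class ManifestError(ValueError):
    pass


def _check_port_proto(port, proto):
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ManifestError("port must be a single port in 1..65535")
    if proto not in ("tcp", "udp"):
        raise ManifestError("proto must be tcp or udp")


def parse_manifest(raw):
    """Validate a JSON announcement and return it as a dict.
    Refuses wildcards so that a manifest can never ask for 'everything'."""
    m = json.loads(raw)
    if not isinstance(m.get("device"), str) or not m["device"]:
        raise ManifestError("missing device name")
    for key in ("outbound", "inbound"):
        m.setdefault(key, [])
        if not isinstance(m[key], list):
            raise ManifestError(f"{key} must be a list")
    for entry in m["outbound"]:
        host = entry.get("host")
        if host in (None, "", "*") or "*" in str(host):
            raise ManifestError("outbound host must be a specific name or address")
        _check_port_proto(entry.get("port"), entry.get("proto"))
    for entry in m["inbound"]:
        _check_port_proto(entry.get("port"), entry.get("proto"))
    return m


def build_rules(manifest, source_ip, approved_inbound=()):
    """Turn a validated manifest received from `source_ip` into (rules, pending).

    rules:   ordered (action, direction, src, dst, port, proto) tuples, ending in
             a default deny for the device
    pending: inbound (port, proto) requests that still need the owner's approval
    """
    src = ipaddress.ip_address(source_ip)
    if src not in LOCAL_NET:
        raise ManifestError(f"manifest from {src} is not on the local subnet; ignored")
    rules, pending = [], []
    for e in manifest["outbound"]:
        rules.append(("allow", "out", str(src), e["host"], e["port"], e["proto"]))
    for e in manifest["inbound"]:
        want = (e["port"], e["proto"])
        if want in approved_inbound:
            rules.append(("allow", "in", "any", str(src), e["port"], e["proto"]))
        else:
            pending.append(want)          # never opened without a human saying so
    rules.append(("deny", "any", str(src), "any", 0, "any"))
    return rules, pending


# Constructed sample: a thermostat that needs its vendor on 443 and wants a local web UI.
SAMPLE_MANIFEST = json.dumps({
    "device": "thermostat",
    "outbound": [{"host": "api.example.invalid", "port": 443, "proto": "tcp"}],
    "inbound": [{"port": 8080, "proto": "tcp"}],
})


def demo():
    m = parse_manifest(SAMPLE_MANIFEST)
    return build_rules(m, "192.168.1.50")


if __name__ == "__main__":
    rules, pending = demo()
    for r in rules:
        print(r)
    print("needs approval:", pending)
```

Passing `approved_inbound={(8080, "tcp")}` to `build_rules` is the "manual intervention" step: only then does the inbound rule get emitted. The source-subnet check is what stops a manifest relayed from outside the LAN from being honoured at all.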
        • (Score: 2) by c0lo on Saturday June 03 2017, @12:51AM (1 child)

          by c0lo (156) Subscriber Badge on Saturday June 03 2017, @12:51AM (#519657)

          I've been thinking along similar lines, since it's obvious that IoT is here to stay and so we'd better figure out how to fix it.

          (malevolent trollish grin - if the providers of these IoT thingies make such crap, how about spoofing a malfunctioning device and feeding - plausibly deniable - crap to their server?
          While doing it, good chances I might discover weaknesses on their server side in the process, but why bother exploiting it when a "poisoning attack" is good enough for the lulz?
          They can try to disable the "defective device", but... you see? ... it's defective, won't answer to "firmware upgrade" commands.
          I'd even publish the source code for the spoofer - a non-compiled version of course - for anyone else willing to share the fun. Source code is speech)

          • (Score: 2) by zocalo on Saturday June 03 2017, @09:46AM

            by zocalo (302) on Saturday June 03 2017, @09:46AM (#519786)
            Now that you mention it, taking over a vendor's vulnerable IoT devices then using them to launch a DDoS against the vendor's infrastructure would also make for a pleasantly cathartic payload for a BrickerBot / Hajime style IoT worm. The author would need to figure out some means of determining what the target should be using the available data (what port and password was used for the compromise, etc.), plus any additional info that can be learnt from the device itself, but that shouldn't be too hard a challenge. I guess some kind of fallback mode if the vendor has already gone bust too - probably quite common given the fly-by-night nature of vendors at the sewer level of the market - and since a patch obviously won't be forthcoming, bricking the device for the greater good seems like a reasonable choice there.
            --
            UNIX? They're not even circumcised! Savages!
    • (Score: 3, Interesting) by frojack on Saturday June 03 2017, @01:39AM (1 child)

      by frojack (1554) Subscriber Badge on Saturday June 03 2017, @01:39AM (#519674) Journal

      IoT crap comes in two flavors, Google / Amazon stuff to bind you to an ecosystem, generally produced by IT savvy companies.

      Actually, that's completely wrong.

      Products from Google and Amazon themselves have, by and large, NOT been responsible for any of the botnets or malware storms. Amazon and Google actually have something of a clue about their own products.

      The crapware that is responsible is the IoT devices deployed by cities and governments to watch every intersection and street corner, most of it on publicly routable IPs, easily found by a simple scan, most of it deployed with default passwords.

      Joe User has his webcam and his IP-addressable light bulbs behind a firewall, and they are generally not exploitable.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by jmorris on Saturday June 03 2017, @02:38AM

        by jmorris (4844) Subscriber Badge <jmorrisNO@SPAMbeau.org> on Saturday June 03 2017, @02:38AM (#519691)

        Products from Google and Amazon themselves have, by and large, NOT been responsible for any of the botnets...

        Reread, that is what I said. They aren't selling you crap they are getting you to buy into their ecosystem and the device is the door through which they hold you in a long term business relationship. They have every reason to invest in maintaining it. Random IoT lightswitch or webcam maker has no such motive. They sell it and are done with you and they will not issue a single update beyond production ending. And the option of renting a light switch forever to provide an incentive to update its firmware will find few takers, even if they provide a cloud service and an app to control it over the Internet. People will want Alexa to control their stuff if they went into Amazon's ecosystem, otherwise Google, Apple or Microsoft, etc. But not ChingChiongChinaman's skeevy cloud or not even Leviton's Internet Light Switch Hub or Whirlpool's Internet Air Conditioner App / Website. They don't want to be oppressed by just any megacorp, it must have the right hip image.

  • (Score: 5, Insightful) by pendorbound on Friday June 02 2017, @09:19PM (9 children)

    by pendorbound (2688) on Friday June 02 2017, @09:19PM (#519578) Homepage

    So because manufacturers can't manage to debug their garbage before they foist it on the world, I'm stuck with a device that turns into a brick if they go out of business or forget to deliver an update on time? No thanks.

    Debug, then ship. Not the other way around. I wouldn't even consider buying a device with that kind of user-hostile "feature."

    • (Score: 5, Interesting) by jmorris on Friday June 02 2017, @09:56PM (6 children)

      by jmorris (4844) Subscriber Badge <jmorrisNO@SPAMbeau.org> on Friday June 02 2017, @09:56PM (#519590)

      It is now the defects that drive sales and adoption of new versions of things. Think about it, if Microsoft still supported XP, if 7 weren't already out of mainstream support and heading to the end of the line, would anyone even look at 10? Why do we upgrade our browser every week when we KNOW the new version will be a regression in function? Because it is the only way to get the security fixes. It has literally become embedded in the business model of every software vendor now that they capitalize on their defects to drive upgrades, that they pick when to abandon security patches to drive their release cycles of new product. I really do not know how we can possibly break out of the downward spiral to Hell this implies because the obvious next step is to ensure sufficient bugs to permit using them to drive future sales. And both Firefox and Chrome prove Open Source is no defense.

      • (Score: 2) by c0lo on Friday June 02 2017, @10:29PM (5 children)

        by c0lo (156) Subscriber Badge on Friday June 02 2017, @10:29PM (#519601)

        The apology of planned obsolescence (aka deliberate waste) as a sacrifice to the God of Capitalism, if I ever saw one.

        Think about it, if Microsoft still supported XP, if 7 weren't already out of mainstream support and heading to the end of the line...

        Irrelevant example.
        None of the MS OSes used by your example from Microsoft bricked the computers they were installed on. Also, they could be removed and another OS installed without rendering the computer unusable.

        Why do we upgrade our browser every week when we KNOW the new version will be a regression in function?

        Another irrelevant example for the "I don't want a deliberately bricked device because the software is faulty".

        • (Score: 1, Troll) by jmorris on Friday June 02 2017, @10:57PM (3 children)

          by jmorris (4844) Subscriber Badge <jmorrisNO@SPAMbeau.org> on Friday June 02 2017, @10:57PM (#519614)

          Continuing to use an OS or browser without updating for the security patches is a quick way to get worse than bricked. That is the point, you MUST update or quickly become so dangerous that the only safe move is to disconnect from the Internet, either willingly or upstream detecting you and blocking... either before or after you become a bot spam cannery. That vendors like Microsoft depend on that knowledge to drive sales is the problem I'm making an issue of.

          And no, you can't even just upgrade in most cases. Good luck putting a new Windows on a machine, no drivers; at least one piece of hardware won't be supported so you will be spending additional money at minimum. And the Penguin is for we the few, normies can't generally install ANY OS on bare metal. And have you noticed the current trend toward making the PC an XBox? All tablets are locked, laptops and desktops MAY be unlocked, vendor option... for now. Now we get Windows S, the mandatory chains go onto a 'laptop' form factor. So no, even that argument is quickly vanishing. When the OS updates stop you get a brick or a forced payment to upgrade. Are forced payments every couple of years to fix the defects in the original product by trading up to a new product with all new defects really so much better?

          • (Score: 3, Insightful) by kaszz on Friday June 02 2017, @11:30PM

            by kaszz (4211) on Friday June 02 2017, @11:30PM (#519630) Journal

            That is the point, you MUST update so we can continue to spy on you, now even better! :p

          • (Score: 2) by c0lo on Saturday June 03 2017, @12:21AM

            by c0lo (156) Subscriber Badge on Saturday June 03 2017, @12:21AM (#519650)

            Continuing to use an OS or browser without updating for the security patches is a quick way to get worse than bricked. That is the point, you MUST update or quickly become so dangerous that the only safe move is to disconnect from the Internet,

            There's more ways to skin this cat.
            - I should be able to replace the OS/browser with something of my choice - certainly I should not be bound to a monopoly as a provider of security.
            - I can install extra external protection (firewalls) and restrict myself to where I go while browsing the internet
            - I can even use the combination not connected to the Internet (but to a local network) and still derive some restricted benefits I need - i.e. IE4.0 is still safe to use in a local intranet never connected to Internet.
            Granted, if the needs require me to go in promiscuous places, I will need to make sure I have the best protection of the moment or suffer the consequences.

            And the Penguin is for we the few, normies can't generally install ANY OS on bare metal.

            And should the rights of us, non-normies, be sacrificed because the majority of the others aren't capable of defending themselves?
            Where's the advantage in that? 'cause I see the immediate disadvantage - it is the non-normies that create something new and have the incentive to explore non-normal solutions.
            Stop us and you'll get into the same situation we had before the personal computers broke the monopoly on... well.. computing to those who could afford buying a mainframe.

            When the OS updates stop you get a brick or a forced payment to upgrade.

            I still have alternatives to this situation - I vote with my wallet and don't buy a device that is bricked when unsupported by the manufacturer or seller - and I don't like the idea of someone telling me I need to stop thinking that alternatives exist.
            If you like this idea, whatever floats your boat... but what right do that researcher or you have to tell me I should desist?

          • (Score: 3, Interesting) by frojack on Saturday June 03 2017, @01:44AM

            by frojack (1554) Subscriber Badge on Saturday June 03 2017, @01:44AM (#519675) Journal

            Continuing to use an OS or browser without updating for the security patches is a quick way to get worse than bricked.

            Actually, that is apparently NOT true - at least not in the recent cases.

            Windows XP was notably absent from the Wannacry malware. In fact it is suspected that the only examples of XP that were successfully compromised were researchers deliberately installing it and bypassing the blue screen crashes that the malware caused while trying to infect XP.

            --
            No, you are mistaken. I've always had this sig.
        • (Score: 2) by Bot on Saturday June 03 2017, @08:03AM

          by Bot (3902) Subscriber Badge on Saturday June 03 2017, @08:03AM (#519769)

          > None of the MS OSes used by your example from Microsoft bricked the computers they were installed on. Also, they could be removed and another OS installed without rendering the computer unusable.

          for some values of "bricked" and "could"...

    • (Score: 5, Insightful) by Justin Case on Friday June 02 2017, @10:05PM (1 child)

      by Justin Case (4239) Subscriber Badge on Friday June 02 2017, @10:05PM (#519594)

      mandated software upgrades

      No, no, a thousand times no! Sigh. The ocean of stupidity is astounding, and things are getting worse.

      First, every time you install software you increase your risk, because there is a chance the software will do something you don't want. You do the research to reduce your risk, but it is never zero. Adding or changing any software you didn't write (and maybe some you did) should be regarded as a dangerous operation to be performed rarely, only when absolutely necessary, with care, including a back-out plan.

      From this principle, obvious to any computer professional, it is apparent that downloading and executing software on the fly from unknown untrusted sources is, well, terminally moronic. Yes, I'm looking at you EcmaScript and your ill-begotten peers. Likewise for installing every random "app" that promises new shiny for your phone.

      Those who understand computing warned about this from day one but were obliviously dismissed.

      And now, somehow, we have evolved to a world where crap software is not only tolerated but expected, even to the point where it is allegedly a good practice to update your software frequently! Automatically, even!!!

      Oh, but that's not enough; now we are going to pass a worldwide law (good luck with that) that requires updates which never should have been needed in the first place? Hey, if you do pass that worldwide law, why not require some minimum level of quality, and liability for defects, instead of just assuming everything will be vulnerable from the factory and there's nothing that can be done about that.

      Face it: every Windows Update or other security patch regardless of platform is proof of FAILURE by whoever wrote the junk! Get it right the first time. Or leave the job to somebody competent. And yes, maybe it shouldn't be so complicated that nobody can understand what it does.

      Now get off my lawn. For that matter, I wish these clueless "developers" and their managers would get off my planet.

      --
      No fair-minded person can dispute: the sex-rich should be forced to give say perhaps 40% of their sex to the sex-poor.
      • (Score: 1) by Ethanol-fueled on Friday June 02 2017, @11:07PM

        by Ethanol-fueled (2792) Subscriber Badge on Friday June 02 2017, @11:07PM (#519617) Homepage Journal

        1. Sell IOT garbage with bug-ridden firmware with expiration date to lazy rubes
        2. Firmware expiration date arrives
        3. Change only a few comments in the firmware code and release it as V 2.0
        4. ???????? [cubeupload.com]
        5. Profit!

  • (Score: 0) by Anonymous Coward on Friday June 02 2017, @09:24PM

    by Anonymous Coward on Friday June 02 2017, @09:24PM (#519581)

    It's called Windows.

  • (Score: 1, Informative) by Anonymous Coward on Friday June 02 2017, @09:27PM

    by Anonymous Coward on Friday June 02 2017, @09:27PM (#519584)

    Betteridge says no...

    Remember kids, in IoT, the S is for security and the P is for privacy...
    And just for giggles: https://xkcd.com/1807/ [xkcd.com]

  • (Score: 0) by Anonymous Coward on Friday June 02 2017, @09:43PM

    by Anonymous Coward on Friday June 02 2017, @09:43PM (#519587)

    Let's make the EOL 6 months and you get to buy another....

  • (Score: 5, Insightful) by kaszz on Friday June 02 2017, @09:56PM (3 children)

    by kaszz (4211) on Friday June 02 2017, @09:56PM (#519589) Journal

    Smells of planned obsolescence from a long way off. And of an abusive business model even more so. It will also be used to force users into newer versions with privacy invasions. Just like Microsoft has shown.

    • (Score: 2) by c0lo on Friday June 02 2017, @10:39PM

      by c0lo (156) Subscriber Badge on Friday June 02 2017, @10:39PM (#519603)

      It will also be used to force users into newer version with privacy invasions.

      Even more, there will be a "subscription fee" for not having your device bricked.

      Oh, man, those WannaCry operators are wanna-be capitalists, the correct idea is there but they are doing it wrong!
      The proper way to do extortion is with the law on your side - if you don't have it, you utilize useful idiots, pay shills and lobbyists, any other kind of "creative ideas" just to have one!

    • (Score: 2) by captain normal on Saturday June 03 2017, @12:03AM (1 child)

      by captain normal (2205) on Saturday June 03 2017, @12:03AM (#519642)

      For some reason I thought this was all about M$, 'cause most of the WannaCry stuff was directed at Win XP (which M$ has stopped supporting at all). Personally I would like to see a requirement that if a company drops support or drops a product, they then must release the source code for such product. That would make it easy for other parties (or whoever owns such software or device) to pick up support for the discontinued product.

      • (Score: 2) by kaszz on Saturday June 03 2017, @12:55AM

        by kaszz (4211) on Saturday June 03 2017, @12:55AM (#519660) Journal

        Or at least enable a replacement by documenting hardware and APIs etc.

  • (Score: 2) by MostCynical on Friday June 02 2017, @10:11PM (2 children)

    by MostCynical (2589) on Friday June 02 2017, @10:11PM (#519597)

    will the device come with an expiry date printed on the outside of the box?
    "Firmware expires on .."

    And just like dodgy corner stores, a lot of shops will have many, many boxes with dates in the past..

    --
    (Score: tau, Irrational)
    • (Score: 2) by c0lo on Friday June 02 2017, @10:43PM (1 child)

      by c0lo (156) Subscriber Badge on Friday June 02 2017, @10:43PM (#519607)

      And just like dodgy corner stores, a lot of shops will have many, many boxes with dates in the past..

      Mmmm.... low prices for unused e-junk. Maybe I'd buy one to see if I can root the firmware and replace it with my own.
      But then again, with low prices for components, why not build one from scratch in the first place.

      • (Score: 2) by MostCynical on Saturday June 03 2017, @01:12AM

        by MostCynical (2589) on Saturday June 03 2017, @01:12AM (#519665)

        hours and hours building custom pin sockets, further hours building a custom boot-loader, further hours debugging everything... then it works, and it is still likely to just be a novelty toy...

        fun, if you are inclined that way (and if you have the time!)

        --
        (Score: tau, Irrational)
  • (Score: 0) by Anonymous Coward on Friday June 02 2017, @11:21PM

    by Anonymous Coward on Friday June 02 2017, @11:21PM (#519626)

    How about respecting users' freedoms [gnu.org]? That would not by itself guarantee security, but it would allow users to update software by themselves or hire whoever they want to do it for them; users would have actual freedom instead of being slaves. Being completely dependent upon a single company is a recipe for disaster, and also unethical. Anything else but this is frankly just superficial at best, because freedom is really the most important issue.

    I would also suggest - as many have before - that the vast majority of things in your home do not need to be connected to the Internet at all. If you really care about security, then stop unnecessarily connecting things to the Internet.

  • (Score: 2) by http on Saturday June 03 2017, @12:08AM (1 child)

    by http (1920) on Saturday June 03 2017, @12:08AM (#519646)

    The idea that vehicle inspection is universal is mistaken [wikipedia.org], and suggesting that it is somehow "standardized" is just... wrong [wikipedia.org]. I know this, and I don't even own a car.

    --
    I browse at -1 when I have mod points. It's unsettling.
    • (Score: 0) by Anonymous Coward on Saturday June 03 2017, @02:55AM

      by Anonymous Coward on Saturday June 03 2017, @02:55AM (#519700)

      The wiki table of states isn't up to date. For example, NY State has annual safety inspections, but where I am (western part of NY state) there are no emission inspections (table says NY has annual emissions). IIRC, there were some emission controls or tests years ago, but only for a very short time, maybe less than a year.

      One thing I notice about states like NY with annual safety inspections...we have a lot fewer abandoned (and/or burned) cars on the side of the road and parked on the interstates. Not to say that the total cost of all these inspections pays back overall (it's a bureaucratic mess), but the fleet here does appear to be more reliable.

  • (Score: 5, Insightful) by ilsa on Saturday June 03 2017, @12:54AM (4 children)

    by ilsa (6082) on Saturday June 03 2017, @12:54AM (#519659)

    The thing is, this isn't a technological problem. It's a human greed problem. Companies shave every last penny they can from the manufacturing process in order to undercut other companies, turning it into one big race to the bottom.

    It doesn't matter what technological solution you come up with. Someone will figure out a way to work around it. It's that simple.

    This is a legislative problem. Cars today are incredible marvels of engineering that are, by and large, incredibly safe. This is because the automotive industry is under heavy regulation. These network companies and IoT companies need to be regulated. If you want to sell your product, you need to prove that your manufacturing process is well defined, functions correctly, and produces quality products. Your company must also be prepared to face some sort of sanctions if defects are unaddressed. Most importantly, your company can't even *start* selling your product until you have gone through some basic gov't managed tests to verify that it functions correctly, just like what is done in countless other industries.

    Computers are the only industry that have gotten an inexplicable free ride in terms of regulation, and that's just not sustainable anymore.

    • (Score: 3, Funny) by Azuma Hazuki on Saturday June 03 2017, @02:35AM

      by Azuma Hazuki (5086) on Saturday June 03 2017, @02:35AM (#519687)

      Modded up 'cause you said what I was going to but better and with less profanity :)

    • (Score: 0) by Anonymous Coward on Saturday June 03 2017, @02:49AM

      by Anonymous Coward on Saturday June 03 2017, @02:49AM (#519697)

      Close, but try inching closer to the fundamental problems.

      Corporations get away with horrific deeds because they are effectively people who cannot be killed or jailed. Incorporation is a fictional grant from governments. Look closer at a problem caused by government and a proper solution is not likely to be "more government".

    • (Score: 2) by jmorris on Saturday June 03 2017, @02:52AM (1 child)

      by jmorris (4844) Subscriber Badge <jmorrisNO@SPAMbeau.org> on Saturday June 03 2017, @02:52AM (#519698)

      Ok, now what is your suggestion for this planet? Agree with everything you wrote but it ain't happening, certainly not in time. We could start with the government putting that sort of requirement on hardware/software running its own mission critical systems in the frickin' Pentagon and such. But no, they mostly run Windows. HRC was wrong to run a server at home but the one on state.gov is almost certainly also an Exchange Server, hopefully with better firewalls and 24/7 admin but.... we know ya can't actually fix Windows. And you want every Internet connected light switch mandated to only ship provably correct code? Good luck with that plan.

      That is the world all of this IoT crap is being shat into, we need to be looking for ways to mitigate the damage since it is already on shelves and most people are going to be dumb enough to buy it. Think about if you were on a mailing list for UseNet admins and knew AOL was about to unleash the drooling idiots, what could have been done to mitigate the disaster since stopping it wasn't an option. That is where we are now, it is halftime at the Superbowl, we have heard the great flush, heard the pipes rumble and KNOW what is about to spew forth. What can we do?

      • (Score: 2) by ilsa on Tuesday June 06 2017, @08:28PM

        by ilsa (6082) on Tuesday June 06 2017, @08:28PM (#521552)

        Oh, I don't have any suggestions. We're basically fucked. The US in particular currently has a gov't that is adamant about deregulating as much as humanly possible, and let the corporations basically do whatever they want.

        If anything is going to happen, it will originate somewhere in Europe, but the situation will need to get a whole lot worse than it is now before it becomes visible enough for the head honchos to take notice.

  • (Score: 5, Insightful) by archfeld on Saturday June 03 2017, @12:57AM

    by archfeld (4650) <treboreel@live.com> on Saturday June 03 2017, @12:57AM (#519661) Journal

    Why do we even allow computer stuff to be treated differently from other manufactured goods? If my waffle maker was flawed from day one I'd take it back and get one that wasn't. If they were all flawed, they would be recalled as dangerous or non-functioning. Yet a piece of computer equipment or software is allowed to be sold even if it is deficient or barely functional without repercussions. Just hold software and such to the same standard as we do every other product manufactured or sold.

    --
    For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
  • (Score: 3, Insightful) by Bot on Saturday June 03 2017, @03:42AM (1 child)

    by Bot (3902) Subscriber Badge on Saturday June 03 2017, @03:42AM (#519720)

    In totally unrelated news, because of the endless quest for more planned obsolescence of hardware, University of Pennsylvania researcher Sandy Clark has proposed something along these lines: firmware expiration dates. Clark argues that we've already gotten used to being fucked in the a## in our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices.

    • (Score: 1) by anubi on Saturday June 03 2017, @09:32AM

      by anubi (2828) Subscriber Badge on Saturday June 03 2017, @09:32AM (#519781)

      I wonder how these researchers would approve of "job expiration dates", so the enjoyment of their job "expires" after, say, five years, and they have to go get another.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 2) by kaszz on Sunday June 04 2017, @01:50AM

    by kaszz (4211) on Sunday June 04 2017, @01:50AM (#520057) Journal

    Having reviewed the discussion on expiring firmware to mitigate the Internet of broken computer boxes, I think it will not work; in fact it is a really bad idea. What is needed is to push manufacturers to have a minimum robustness level. In addition, demand that hardware is publicly documented such that free alternatives can be used, like OpenWRT etc. And that no evil lock-down measures are used.
