
posted by on Friday June 02 2017, @08:58PM
from the looming-global-IoT-shitstorm dept.

TechDirt reports

In the wake of the Wannacry ransomware, University of Pennsylvania researcher Sandy Clark has proposed something along these lines: firmware expiration dates. Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices:

A requirement that all IoT software be upgradeable throughout the expected lifetime of the product. Many IoT devices on the market right now contain software (firmware) that cannot be patched even against known vulnerabilities.

A minimum time limit by which manufacturers must issue patches or software upgrades to fix known vulnerabilities.

A minimum time limit for users to install patches or upgrades; perhaps this could be facilitated by insurance providers (perhaps discounts for automated patching, and different price points for different levels of risk).

Of course, none of this would be easy, especially when you consider this is a global problem that needs coordinated, cross-government solutions in an era where agreement on much of anything is cumbersome. And like previous suggestions, there's no guarantee that whoever crafted these requirements would do a particularly good job; that overseas companies would be consistently willing to comply; or that these mandated software upgrades would actually improve device security. And imagine being responsible for determining all of this for the 50 billion looming internet connected devices worldwide?

That's why many networking engineers aren't looking so much at the devices as they are at the networks they run on. Network operators say they can design more intelligent networks that can quickly spot, de-prioritize, or quarantine infected devices before they contribute to the next Wannacry or historically-massive DDoS attack. But again, none of this is going to be easy, and it's going to require multi-pronged, multi-country, ultra-flexible solutions. And while we take the time to hash out whatever solution we ultimately adopt, keep in mind that the 50 million IoT device count projected by 2020 is expected to balloon to 82 billion by 2025.
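The three requirements quoted above (upgradeable firmware, a vendor patch deadline, an owner install deadline) plus the headline idea of a firmware expiration date are only stated as policy; the following is an added example, not code from TechDirt, Clark, or any vendor, of how a network operator might turn them into the "spot, de-prioritize, or quarantine" decision the last paragraph describes. The deadline lengths (90 days for vendors, 30 days for owners), the device names and all dates are constructed assumptions; the article gives no numbers.

```python
"""Added example (not from the original page): evaluate an IoT inventory
against the proposed requirements and decide a per-device network action.

All policy numbers, device records and dates below are constructed
assumptions for illustration; the article does not specify them.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy parameters ("minimum time limits" in the proposal).
VENDOR_PATCH_DEADLINE = timedelta(days=90)   # vendor must ship a fix within 90 days of disclosure
OWNER_INSTALL_DEADLINE = timedelta(days=30)  # owner must install within 30 days of release


@dataclass
class Device:
    name: str
    upgradeable: bool                         # can the firmware be patched at all?
    support_until: date                       # the "firmware expiration date"
    vuln_disclosed: Optional[date] = None     # known vuln affecting the running firmware
    patch_released: Optional[date] = None     # vendor fix for that vuln
    patch_installed: Optional[date] = None    # when the owner applied it


def classify(dev: Device, today: date) -> Tuple[str, str]:
    """Return (action, reason); action is 'allow', 'deprioritize' or 'quarantine'.

    Rule order matters: an expired or unpatchable device is quarantined
    regardless of patch status, because nothing the owner does can fix it.
    """
    if today > dev.support_until:
        return "quarantine", "firmware past its expiration date"
    if dev.vuln_disclosed is None:
        return "allow", "no known vulnerability"
    if not dev.upgradeable:
        return "quarantine", "known vulnerability and firmware cannot be patched"
    if dev.patch_released is None:
        if today - dev.vuln_disclosed > VENDOR_PATCH_DEADLINE:
            return "quarantine", "vendor missed the patch deadline"
        return "deprioritize", "vendor patch still within deadline"
    # A patch exists; it counts as installed only if applied at or after release.
    installed = dev.patch_installed is not None and dev.patch_installed >= dev.patch_released
    if not installed:
        if today - dev.patch_released > OWNER_INSTALL_DEADLINE:
            return "quarantine", "owner missed the install deadline"
        return "deprioritize", "patch available, install window still open"
    return "allow", "patched"


def triage(devices: List[Device], today: date) -> Dict[str, str]:
    """Map device name -> action for a whole inventory."""
    return {d.name: classify(d, today)[0] for d in devices}


def sample_inventory() -> List[Device]:
    """Constructed inventory covering every branch of classify()."""
    ok = date(2020, 1, 1)
    return [
        Device("ip-camera", False, ok, vuln_disclosed=date(2017, 5, 12)),
        Device("dvr", True, date(2016, 12, 31)),
        Device("thermostat", True, ok, vuln_disclosed=date(2017, 2, 1)),
        Device("router", True, ok, vuln_disclosed=date(2017, 5, 1)),
        Device("smart-plug", True, ok, vuln_disclosed=date(2017, 3, 15),
               patch_released=date(2017, 4, 1)),
        Device("printer", True, ok, vuln_disclosed=date(2017, 4, 20),
               patch_released=date(2017, 5, 20)),
        Device("light-bulb", True, ok, vuln_disclosed=date(2017, 4, 20),
               patch_released=date(2017, 5, 1), patch_installed=date(2017, 5, 2)),
        Device("hub", True, ok),
    ]


if __name__ == "__main__":
    today = date(2017, 6, 2)  # the article's posting date, used as "now"
    for dev in sample_inventory():
        action, reason = classify(dev, today)
        print(f"{dev.name:12} {action:12} {reason}")
```

The point of the ordering in `classify()` is that the network-side response has to cover the cases the device-side requirements cannot: a device that is unpatchable or past its expiration date never becomes compliant, so it is quarantined outright, while the deadline rules only de-prioritize a device until the vendor or owner has actually run out of time.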



  • (Score: 5, Insightful) by ilsa (6082) on Saturday June 03 2017, @12:54AM (#519659) (4 children)

    The thing is, this isn't a technological problem. It's a human greed problem. Companies shave every last penny they can from the manufacturing process in order to undercut other companies, turning it into one big race to the bottom.

    It doesn't matter what technological solution you come up with. Someone will figure out a way to work around it. It's that simple.

    This is a legislative problem. Cars today are incredible marvels of engineering that are, by and large, incredibly safe. This is because the automotive industry is under heavy regulation. These network companies and IoT companies need to be regulated. If you want to sell your product, you need to prove that your manufacturing process is well defined, functions correctly, and produces quality products. Your company must also be prepared to face some sort of sanctions if defects are unaddressed. Most importantly, your company can't even *start* selling your product until you have gone through some basic gov't managed tests to verify that it functions correctly, just like what is done in countless other industries.

    Computers are the only industry that has gotten an inexplicable free ride in terms of regulation, and that's just not sustainable anymore.

  • (Score: 3, Funny) by Azuma Hazuki (5086) on Saturday June 03 2017, @02:35AM (#519687) Journal

    Modded up 'cause you said what I was going to but better and with less profanity :)

    --
    I am "that girl" your mother warned you about...
  • (Score: 0) by Anonymous Coward on Saturday June 03 2017, @02:49AM (#519697)

    Close, but try inching closer to the fundamental problems.

    Corporations get away with horrific deeds because they are effectively people who cannot be killed or jailed. Incorporation is a fictional grant from governments. Look closer at a problem caused by government and a proper solution is not likely to be "more government".

  • (Score: 2) by jmorris (4844) on Saturday June 03 2017, @02:52AM (#519698) (1 child)

    Ok, now what is your suggestion for this planet? Agree with everything you wrote but it ain't happening, certainly not in time. We could start with the government putting that sort of requirement on hardware/software running its own mission critical systems in the frickin' Pentagon and such. But no, they mostly run Windows. HRC was wrong to run a server at home but the one on state.gov is almost certainly also an Exchange Server, hopefully with better firewalls and 24/7 admin but.... we know ya can't actually fix Windows. And you want every Internet connected light switch mandated to only ship provably correct code? Good luck with that plan.

    That is the world all of this IoT crap is being shat into; we need to be looking for ways to mitigate the damage since it is already on shelves and most people are going to be dumb enough to buy it. Think about if you were on a mailing list for Usenet admins and knew AOL was about to unleash the drooling idiots: what could have been done to mitigate the disaster since stopping it wasn't an option? That is where we are now. It is halftime at the Super Bowl, we have heard the great flush, heard the pipes rumble and KNOW what is about to spew forth. What can we do?

    • (Score: 2) by ilsa (6082) on Tuesday June 06 2017, @08:28PM (#521552)

      Oh, I don't have any suggestions. We're basically fucked. The US in particular currently has a gov't that is adamant about deregulating as much as humanly possible, and let the corporations basically do whatever they want.

      If anything is going to happen, it will originate somewhere in Europe, but the situation will need to get a whole lot worse than it is now before it becomes visible enough for the head honchos to take notice.