burning swine
May 26, 2004

alternate headline: Chinese government better at protecting US secrets than US air force

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

infernal machines posted:

roughly, something mandating ongoing manufacturer support and minimum levels of security for internet connected devices.

e.g. your fridge/stove/babymonitor/drone/doorbell connects to the internet in any fashion then you have to provide security updates for x number of years for any discovered vulnerabilities and it has to have some basic level of authenticated access, no hard coded root passwords, etc.

have really basic pen testing certification requirement, like a CE mark

I'm sure that the company that operates entirely from China is going to actually provide those updates after pinky swearing to do it. Are you going to mandate that the retailer does it instead?

hobbesmaster
Jan 28, 2008

Volmarias posted:

I'm sure that the company that operates entirely from China is going to actually provide those updates after pinky swearing to do it. Are you going to mandate that the retailer does it instead?

whoever the importer is would be liable, if that's the retailer then :rip:

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

Volmarias posted:

I'm sure that the company that operates entirely from China is going to actually provide those updates after pinky swearing to do it. Are you going to mandate that the retailer does it instead?

how do we deal with any other product that is found to be defective after sale?

computers are not magical unicorns, we can use the same legislation we already have.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
so this happened today:
http://colin.keigher.ca/2017/03/beating-bsides-vancouver-2017-ctf-using.html

one of the organizers is miffed at me for having posted this but alas

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
also in other news:

checkpoint released an updated IPS signature for MS04-024 today

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
it's 2017

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

infernal machines posted:

how do we deal with any other product that is found to be defective after sale?

computers are not magical unicorns, we can use the same legislation we already have.
lol

Jimmy Carter
Nov 3, 2005

THIS MOTHERDUCKER
FLIES IN STYLE
re: IOT sec:

Do what they do with physical safety right now: make the company liable if their poo poo is hosed.
If it's a non-US company and they don't want to do any thing about it, make the seller liable.

That and prosecuting companies for criminal negligence with PII leaks. When it turns out that the root password for all their web servers was q12345 and all of your employee W-2's get exfil'd the response should be something along the lines of what VW is going through right now.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

infernal machines posted:

how do we deal with any other product that is found to be defective after sale?

computers are not magical unicorns, we can use the same legislation we already have.

what classes of goods currently require proactive maintenance from the manufacturer? vehicles, maybe medical devices, what else?

which legislation do you have in mind? I don't know this area of law very well. I know that I can buy something "as is" and have no recourse, so I'm not sure what the minimum bar is for the legislation you're talking about

Truga
May 4, 2014
Lipstick Apathy
unfortunately if your cooking stove blows up it won't take half the internet with it, but i think it taking steel beams with it is a close enough analogy here.

who's liable if that happens due to product being defective? probably absolutely nobody, lol. some lowly worker that did everything as told might get fired somewhere.

iot works the same way

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
i'm not drafting policy here. broadly, you have minimum security standards and a certification mark showing you meet the standard. you have minimum ongoing support requirements for anything that's found to breach the standard, for x years

your company, or your representative in the us is financially responsible for costs associated with any lapse or recall.

i don't know exactly how enforcement works, to my knowledge there are some basic requirements for electrical devices sold in the united states, things like requiring UL and CE marks, so in theory something similar to that

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

infernal machines posted:

i don't know exactly how enforcement works, to my knowledge there are some basic requirements for electrical devices sold in the united states, things like requiring UL and CE marks, so in theory something similar to that

just a gentle reminder that you were the one talking about existing legislation. I'm not asking you to make policy, I'm asking you how said existing legislation applies

UL/CE means that they don't present safety hazards, not that they will function as advertised. I think it would be a stretch of case law to claim that someone using your doorbell in a botnet constitutes a safety hazard, but again it's not an area of expertise

all IoT devices I've encountered already have UL/CE certification, because as you point out that applies to electrical devices. are you saying that under current legislation there is liability for the DDoS appliance manufacturers, if someone decided to press a suit?

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
well i suppose it depends on how you qualify a safety hazard. if your device has a known vulnerability, you don't patch it, and it participates in a DDoS that knocks the eastern seaboard offline, i think there's an argument to be made for culpability there.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

if that's the case, and liability exists under current legislation, do you share my surprise that nobody has pressed charges or a suit?

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
somewhat, so either i'm very wrong (likely), or this is another case where computers are magic because reasons and no one has gotten anyone to bite on those grounds (probably not)

i think you would have a clearer case if some critical infrastructure went offline due to an IoT DDoS and there were a directly attributable loss of life. although even then, it would probably be easier to focus on the direct cause of death.

infernal machines fucked around with this message at 05:45 on Mar 15, 2017

hobbesmaster
Jan 28, 2008

well what material losses do you have as a result of your doorbell being part of a botnet?

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
bandwidth costs?

hardship due to the police shaking you down over participating in cybercrime (lol)

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

infernal machines posted:

i think you would have a clearer case if some critical infrastructure went offline due to an IoT DDoS and there were a directly attributable loss of life. although even then, it would probably be easier to focus on the direct cause of death.

if a life-critical piece of infrastructure fails because of unwelcome network traffic, lawyers are going to be pretty busy without figuring out the makes and models of the light switches generating the traffic, yeah

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

Subjunctive posted:

if a life-critical piece of infrastructure fails because of unwelcome network traffic, lawyers are going to be pretty busy without figuring out the makes and models of the light switches generating the traffic, yeah

do i need to go find the screenshot of the aws support posting where the guy was crying about their home care monitoring infrastructure being down because aws made an api change or something?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

infernal machines posted:

do i need to go find the screenshot of the aws support posting where the guy was crying about their home care monitoring infrastructure being down because aws made an api change or something?

yeah, that's a good one. I just don't think anyone is going to make a case stick against Amazon

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
okay, but if your iot doorbell is participating in a botnet and so your glucose monitor fails to upload your stats and trigger an alarm, and you go into a diabetic coma, have we come up with a sufficiently obtuse example where iot device security becomes a consumer safety issue?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

no more so than an ISP error, power outage, or misplaced backhoe, IMO, so probably not. I'm not likely to be called as an expert witness though

endlessmonotony
Nov 4, 2009

by Fritz the Horse

infernal machines posted:

okay, but if your iot doorbell is participating in a botnet and so your glucose monitor fails to upload your stats and trigger an alarm, and you go into a diabetic coma, have we come up with a sufficiently obtuse example where iot device security becomes a consumer safety issue?

If your glucose monitor fails in those conditions it's not legal to begin with.

Implementing such a law would probably be easiest done by adding an extra tax and then allowing companies to claim back that tax after a certain period of patching known flaws.

hobbesmaster
Jan 28, 2008

Subjunctive posted:

yeah, that's a good one. I just don't think anyone is going to make a case stick against Amazon

can't sue the steel supplier if your bridge was designed wrong in the first place

well, you can but you'd lose

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

Subjunctive posted:

no more so than an ISP error, power outage, or misplaced backhoe, IMO, so probably not. I'm not likely to be called as an expert witness though

and i'm not likely to be writing consumer safety policy for the FTC, so i think we're both in the clear

hobbesmaster
Jan 28, 2008

moot point anyways because a Trump admin won't regulate any of this

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
that's how the conversation started, the ftc made a statement washing their hands of responsibility for iot cyber security issues, saying they needed to see what threats would emerge before they could say if they had any standing on the issue

infernal machines fucked around with this message at 06:32 on Mar 15, 2017

AtomD
May 3, 2009

Fun Shoe
imo just hijack iot devices first but only to secure them

e: this is illegal don't do this!!!!!!!!

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
to be more succinct, i think iot security is a consumer safety issue as long as things like smoke/co alarms, stoves, and fridges are being connected to the internet. webcams in a botnet are a bit of a red herring, it's just a convenient example since it's been in the news

apseudonym
Feb 25, 2011

infernal machines posted:

to be more succinct, i think iot security is a consumer safety issue as long as things like smoke/co alarms, stoves, and fridges are being connected to the internet. webcams in a botnet are a bit of a red herring, it's just a convenient example since it's been in the news

Like everything else nothing will happen until it blows up spectacularly. Then people will wring their hands and a half measure will happen and then in 10-20 years we'll have forgotten why and gently caress it all up again. Repeat until sweet sweet nuclear release.


Basically humanity.txt

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

infernal machines posted:

well i suppose it depends on how you qualify a safety hazard. if your device has a known vulnerability, you don't patch it, and it participates in a DDoS that knocks the eastern seaboard offline, i think there's an argument to be made for culpability there.
who's culpable? the manufacturer, who can claim ignorance? the consumer, who was """""""notified""""""" about the vulnerability but neglected to patch the device or take it offline? the consumer's isp, who allowed their customers to participate in a botnet?

anthonypants fucked around with this message at 08:15 on Mar 15, 2017

Truga
May 4, 2014
Lipstick Apathy
all iot developers, retailers and owners against the wall imo

isps can stay for now

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

anthonypants posted:

who's culpable? the manufacturer, who can claim ignorance? the consumer, who was """""""notified""""""" about the vulnerability but neglected to patch the device or take it offline? the consumer's isp, who allowed their customers to participate in a botnet?

the botnet doesn't matter, it's a convenient example of compromised devices. who's liable if your smoke alarm doesn't go off while your house burns down because someone hacked it for lulz?

being part of a botnet can prevent devices from functioning, but the same access methods can be used to modify their behaviour in other ways, the fact that they're vulnerable to remote intrusion is the problem

specifically the manufacturer's problem

infernal machines fucked around with this message at 08:23 on Mar 15, 2017

Shame Boy
Mar 2, 2010

anthonypants posted:

who's culpable? the manufacturer, who can claim ignorance? the consumer, who was """""""notified""""""" about the vulnerability but neglected to patch the device or take it offline? the consumer's isp, who allowed their customers to participate in a botnet?

the manufacturer, and security patches should be treated the same way car recalls are treated where people get physical letters in the mail with big red important font on them

obviously this will never happen but lol

Shame Boy
Mar 2, 2010

infernal machines posted:

the botnet doesn't matter, it's a convenient example of compromised devices. who's liable if your smoke alarm doesn't go off while your house burns down because someone hacked it for lulz?

being part of a botnet can prevent devices from functioning, but the same access methods can be used to modify their behaviour in other ways, the fact that they're vulnerable to remote intrusion is the problem

the person who hacked it obviously, not the innocent all-american company that just wanted to bring you the quality targeted advertising tuned to your smoking habits that 9 out of 10 smokers prefer

Wiggly Wayne DDS
Sep 11, 2010



nice paper: https://spqr.eecs.umich.edu/papers/trippel-IEEE-oaklawn-walnut-2017.pdf

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

ate all the Oreos posted:

the manufacturer, and security patches should be treated the same way car recalls are treated where people get physical letters in the mail with big red important font on them

obviously this will never happen but lol

most recall notices are voluntary, or "self-regulated" if you will, and not imposed by a regulator

bicycle
Oct 23, 2013
Twitter accounts are getting owned left and right by Turkish hackers

https://twitter.com/amnesty/status/841909178243379200

spankmeister
Jun 15, 2008

bicycle posted:

Twitter accounts are getting owned left and right by Turkish hackers

https://twitter.com/amnesty/status/841909178243379200

Next time take a screenshot.