This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
The "S" in IoT stands for Secure
Boy, looong ago now, I broached the topic of security standards for techno-mabobs. At that time, I mentioned that the UK was considering some legislative proposals on the matter. I can't find the comment where I described what I viewed as the core driver of the tension over the topic - the culture of tech folks. That is, they are so used to the 90s consensus that software is gee wiz magic that is pure and sanctified, is the solution to world peace and all of life's problems, and can never possibly be the cause of anything bad, ever. The 90s conclusion was that government absolutely can. not. touch it. Hands off. No regulation whatsoever. No liability whatsoever. No matter what happens, they must have an absolute immunity stronger than even the strongest version that Donald Trump could have ever dreamed of claiming.
Justifications for this view have shifted, but I've always felt they've had a flavor of, "We can't be regulated! We're
autistsartists! We make unique snowflake masterpieces! We have to move fast and break stuff! If we're ever held accountable for breaking anything, even for the most egregious of practices, then the entire economy will grind to a halt!" Whelp, after years of incident after incident exploiting the IoT-of-Least-Resistance, including things like ransomware takedowns of major corporate networks and huge botnets of smart refrigerators, we're about to see how true that really is.Hitting the wire last week, the UK has dropped regulation for smart devices that are sold there. In my original comments five years ago, they were proposing three items; I had only asked for one (the most incredibly basic one - don't have every bloody device have the same default password). I really feel like it's a case of, "If you resist and throw enough of a shitfit over the really simple stuff, it's going to come back around in a much stronger way that you really won't like." The full document of "Baseline Requirements" speaks to fourteen items:
● No universal default passwords
● Implement a means to manage reports of vulnerabilities
● Keep software updated
● Securely store sensitive security parameters
● Communicate securely
● Minimize exposed attack surfaces
● Ensure software integrity
● Ensure that personal data is secure
● Make systems resilient to outages
● Examine system telemetry data
● Make it easy for users to delete user data
● Make installation and maintenance of devices easy
● Validate input data
● Data protection provisions for consumer IoT
Each area is broken down into one or more specifics. There's a helpful table on page 32, detailing whether the requirement is Mandatory, Recommended, and/or Conditional. This is important to know, because a bunch of them are truly just recommendations, but even many of the ones that are Capital M Mandatory are also Conditional, which is actually displaying quite a sense of care about the diversity of devices and possible situations. For example, they acknowledge things like "constrained devices", which is a "device which has physical limitations in either the ability to process data, the ability to communicate data, the ability to store data or the ability to interact with the user, due to restrictions that arise from its intended use". Here, they give some explicit examples, like "The device cannot have its software updated due to storage limitations, resulting in hardware replacement or network isolation being the only options to manage a security vulnerability."
I think this truly is a culture war between the culture of technokings and the culture of They Can't Keep Getting Away With This, and no culture war offensive ever comes without a counteroffensive. Will major corporations, either American or Chinese, bow the knee? Will they pull out of the UK in a weird, polar opposite anti-security stance to the position that has led other companies to pull products like Signal/Telegram from countries that threatened to make them less secure? The UK may be the sixth largest economy in the world by GDP, but that's still only about 4%. Will they go full tizzy and make separate products, where the secure versions go to the UK and the less secure versions go elsewhere? If they don't pull out and don't make different versions, than everyone in the world just got a huge security upgrayyyed. If they don't pull out and make different versions, other countries have a green light to mandate that they should also get the good stuff. So, if they're even thinking about pulling out, they've gotta rally the troops, punish any defectors, and really make the UK feel blockaded as a warning shot to the rest of the world.
My guess is that they'll bow the knee and just do this stuff for everyone. It's pretty much all stuff that everyone has known that they should be doing for quite a while now. Will it cost a little extra? Sure. Will they have to deal with some annoyed developers who feel constrained by law, as basically every other industry ever does, and eventually have to bring their culture into the Industrial Age? Sure. I doubt that having to pay $9 for a smart plug instead of $6 is going to change much about the economics of wiz bang gizmos... but it just might be a step toward not having newspapers filled with nightmare exploits causing millions in damage... at least not every week.
I understand the worry some people have towards IoT devices, and I like a lot of the rules in that document, but ultimately the issue rests with the users. The issue is the idea that network devices, outside of standard end user devices like a computers and phones (and even then), can be secure by default, without thought. At this point, people need to be responsabilized with regards to their network security, and you can't mandate away all the ways that someone can shoot themselves in the foot with consumer devices.
Users need to learn to keep shit behind their firewall, in their home network, and access it via VPN if they need to access it remotely. They should learn to NOT ask for cloud services where they are not strictly necessary.
Sure, I'm a professional and it may sound like wishful thinking that users will learn to do this or hire professionals. But there's a lot of stuff inside a home I wouldn't do, like plumbing and electricity. We don't mandate that plumbing fixtures be impossible to fuck up. And while we have standardized power outlets, everything other than plugging in something, to do with electricity inside a home expects some degree of expertise.
Totally get where you're coming from. However, the last paragraph has I think the most important bit:
Most IoT devices are billed as, "You just plug it in, and it just works!" No one anywhere is standing at a store, looking at the baby monitors, seeing that one of the options lets them listen to it from their phone, and thinking, "Ya know, I really better not think about buying this and plugging it in unless I become an expert in network security." Just how no one stands in a store looking at toasters, thinking, "Ya know, I better not think about buying this and plugging it in unless I become an expert electrician." Like, should people learn more about network security and how their electrical system works? Yeah, sure. But while the breaker boxes in the store might have some sort of warning on them or cultural expectation saying that they mayyyyyybe shouldn't buy it and try to install it on their own without any expertise while the toaster doesn't have anything of the sort, nobody's internet devices have any such warning or cultural expectation. Even effin' routers, people just buy the box and plug the box in; it's easy! It's magic! Best case, they have the guy from the ISP show up to plug in the modem and the router, but he's not going to be fiddling with the security settings for them, either. Everyone is perfectly happy just letting it seem like plug-and-play magic.
I mean ideally people should be aware of the issues around network security to the point of being able to make reasonable decisions on whether a given networking device is safe to use much like they do every day with other devices and vehicles and activities. No one looking at a lot full of cars doesn’t make sure the car has airbags and seatbelts and antilock brakes. That’s not a super deep understanding of automotive technology, it’s pretty basic. And in home network security I think you should know enough to look for the basic security features. I wouldn’t buy a networked baby monitor that didn’t have at minimum password protection and encryption. I’m not an expert but I know enough to know that unencrypted information can be viewed by anyone with the appropriate receiver and that a device not protected by a fairly strong password is open to hacking. I think people are treating PNP devices differently than they treat other similar devices. It’s not that they are incapable of due diligence, it’s that they see computer devices and the systems around them as too complex to understand. They aren’t.
Since they're all mandated now, no one bothers. And when they weren't, people indeed chose cars without them. But those are a different issue; those are safety, and what we're talking about with IoT devices is security. Think door locks and immobilizers, not airbags and seat belts.
I also suspect that even someone who intentionally chose a car based on it having airbags and seatbelts would be incompetent at deciding which cars had better airbags and seatbelts and which cars had worse airbags and seatbelts.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link