This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
The "S" in IoT stands for Secure
Boy, looong ago now, I broached the topic of security standards for techno-mabobs. At that time, I mentioned that the UK was considering some legislative proposals on the matter. I can't find the comment where I described what I viewed as the core driver of the tension over the topic - the culture of tech folks. That is, they are so used to the 90s consensus that software is gee wiz magic that is pure and sanctified, is the solution to world peace and all of life's problems, and can never possibly be the cause of anything bad, ever. The 90s conclusion was that government absolutely can. not. touch it. Hands off. No regulation whatsoever. No liability whatsoever. No matter what happens, they must have an absolute immunity stronger than even the strongest version that Donald Trump could have ever dreamed of claiming.
Justifications for this view have shifted, but I've always felt they've had a flavor of, "We can't be regulated! We're
autistsartists! We make unique snowflake masterpieces! We have to move fast and break stuff! If we're ever held accountable for breaking anything, even for the most egregious of practices, then the entire economy will grind to a halt!" Whelp, after years of incident after incident exploiting the IoT-of-Least-Resistance, including things like ransomware takedowns of major corporate networks and huge botnets of smart refrigerators, we're about to see how true that really is.Hitting the wire last week, the UK has dropped regulation for smart devices that are sold there. In my original comments five years ago, they were proposing three items; I had only asked for one (the most incredibly basic one - don't have every bloody device have the same default password). I really feel like it's a case of, "If you resist and throw enough of a shitfit over the really simple stuff, it's going to come back around in a much stronger way that you really won't like." The full document of "Baseline Requirements" speaks to fourteen items:
● No universal default passwords
● Implement a means to manage reports of vulnerabilities
● Keep software updated
● Securely store sensitive security parameters
● Communicate securely
● Minimize exposed attack surfaces
● Ensure software integrity
● Ensure that personal data is secure
● Make systems resilient to outages
● Examine system telemetry data
● Make it easy for users to delete user data
● Make installation and maintenance of devices easy
● Validate input data
● Data protection provisions for consumer IoT
Each area is broken down into one or more specifics. There's a helpful table on page 32, detailing whether the requirement is Mandatory, Recommended, and/or Conditional. This is important to know, because a bunch of them are truly just recommendations, but even many of the ones that are Capital M Mandatory are also Conditional, which is actually displaying quite a sense of care about the diversity of devices and possible situations. For example, they acknowledge things like "constrained devices", which is a "device which has physical limitations in either the ability to process data, the ability to communicate data, the ability to store data or the ability to interact with the user, due to restrictions that arise from its intended use". Here, they give some explicit examples, like "The device cannot have its software updated due to storage limitations, resulting in hardware replacement or network isolation being the only options to manage a security vulnerability."
I think this truly is a culture war between the culture of technokings and the culture of They Can't Keep Getting Away With This, and no culture war offensive ever comes without a counteroffensive. Will major corporations, either American or Chinese, bow the knee? Will they pull out of the UK in a weird, polar opposite anti-security stance to the position that has led other companies to pull products like Signal/Telegram from countries that threatened to make them less secure? The UK may be the sixth largest economy in the world by GDP, but that's still only about 4%. Will they go full tizzy and make separate products, where the secure versions go to the UK and the less secure versions go elsewhere? If they don't pull out and don't make different versions, than everyone in the world just got a huge security upgrayyyed. If they don't pull out and make different versions, other countries have a green light to mandate that they should also get the good stuff. So, if they're even thinking about pulling out, they've gotta rally the troops, punish any defectors, and really make the UK feel blockaded as a warning shot to the rest of the world.
My guess is that they'll bow the knee and just do this stuff for everyone. It's pretty much all stuff that everyone has known that they should be doing for quite a while now. Will it cost a little extra? Sure. Will they have to deal with some annoyed developers who feel constrained by law, as basically every other industry ever does, and eventually have to bring their culture into the Industrial Age? Sure. I doubt that having to pay $9 for a smart plug instead of $6 is going to change much about the economics of wiz bang gizmos... but it just might be a step toward not having newspapers filled with nightmare exploits causing millions in damage... at least not every week.
I understand the worry some people have towards IoT devices, and I like a lot of the rules in that document, but ultimately the issue rests with the users. The issue is the idea that network devices, outside of standard end user devices like a computers and phones (and even then), can be secure by default, without thought. At this point, people need to be responsabilized with regards to their network security, and you can't mandate away all the ways that someone can shoot themselves in the foot with consumer devices.
Users need to learn to keep shit behind their firewall, in their home network, and access it via VPN if they need to access it remotely. They should learn to NOT ask for cloud services where they are not strictly necessary.
Sure, I'm a professional and it may sound like wishful thinking that users will learn to do this or hire professionals. But there's a lot of stuff inside a home I wouldn't do, like plumbing and electricity. We don't mandate that plumbing fixtures be impossible to fuck up. And while we have standardized power outlets, everything other than plugging in something, to do with electricity inside a home expects some degree of expertise.
Totally get where you're coming from. However, the last paragraph has I think the most important bit:
Most IoT devices are billed as, "You just plug it in, and it just works!" No one anywhere is standing at a store, looking at the baby monitors, seeing that one of the options lets them listen to it from their phone, and thinking, "Ya know, I really better not think about buying this and plugging it in unless I become an expert in network security." Just how no one stands in a store looking at toasters, thinking, "Ya know, I better not think about buying this and plugging it in unless I become an expert electrician." Like, should people learn more about network security and how their electrical system works? Yeah, sure. But while the breaker boxes in the store might have some sort of warning on them or cultural expectation saying that they mayyyyyybe shouldn't buy it and try to install it on their own without any expertise while the toaster doesn't have anything of the sort, nobody's internet devices have any such warning or cultural expectation. Even effin' routers, people just buy the box and plug the box in; it's easy! It's magic! Best case, they have the guy from the ISP show up to plug in the modem and the router, but he's not going to be fiddling with the security settings for them, either. Everyone is perfectly happy just letting it seem like plug-and-play magic.
Let's say you were in charge of fixing this from the advertising side of things. What warnings would you add to this device so that even tech-illiterate users understand the risks of e.g. connecting this baby monitor up to the internet? Simple stuff you can fit on a pop-up or side of the box, because the user isn't reading the 100-page manual that probably already warns about this.
A big part of why you can just hand a toaster to someone with no further explanation is that people actually do know a lot about electricity and household appliances and can avoid the biggest problems. Nobody's dumping a live toaster into the sink to clean it.
Manufacturers should probably take this lower level of knowledge into account, but it's not as easy as "just make the device idiot-proof, like toasters!"
I don't believe any user manuals actually warn about any of these things. The manufacturers simply do not care about security, because they don't have to, be it built-in, in manuals, or in advertisements.
Totally and completely agreed. I started off saying that one way we could fix this is to do something extremely simple, like banning default passwords. No manufacturer is going to put on their box whether they have a default password or not, so many consumers aren't going to know.
There has been some efforts in the US to create a Cyber Trust mark, where that is an indication that they have been built to some sort of standards (that aren't that far off from these regulations). This is a plausible approach, though we likely won't see whether it would have been effective (are consumers going to be paying close attention for this mark on a box full of ten other certification marks?), because they're probably just all going to bring their devices up to the UK standard. Could have been an approach, though.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link