This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
The "S" in IoT stands for Secure
Boy, looong ago now, I broached the topic of security standards for techno-mabobs. At that time, I mentioned that the UK was considering some legislative proposals on the matter. I can't find the comment where I described what I viewed as the core driver of the tension over the topic - the culture of tech folks. That is, they are so used to the 90s consensus that software is gee wiz magic that is pure and sanctified, is the solution to world peace and all of life's problems, and can never possibly be the cause of anything bad, ever. The 90s conclusion was that government absolutely can. not. touch it. Hands off. No regulation whatsoever. No liability whatsoever. No matter what happens, they must have an absolute immunity stronger than even the strongest version that Donald Trump could have ever dreamed of claiming.
Justifications for this view have shifted, but I've always felt they've had a flavor of, "We can't be regulated! We're
autistsartists! We make unique snowflake masterpieces! We have to move fast and break stuff! If we're ever held accountable for breaking anything, even for the most egregious of practices, then the entire economy will grind to a halt!" Whelp, after years of incident after incident exploiting the IoT-of-Least-Resistance, including things like ransomware takedowns of major corporate networks and huge botnets of smart refrigerators, we're about to see how true that really is.Hitting the wire last week, the UK has dropped regulation for smart devices that are sold there. In my original comments five years ago, they were proposing three items; I had only asked for one (the most incredibly basic one - don't have every bloody device have the same default password). I really feel like it's a case of, "If you resist and throw enough of a shitfit over the really simple stuff, it's going to come back around in a much stronger way that you really won't like." The full document of "Baseline Requirements" speaks to fourteen items:
● No universal default passwords
● Implement a means to manage reports of vulnerabilities
● Keep software updated
● Securely store sensitive security parameters
● Communicate securely
● Minimize exposed attack surfaces
● Ensure software integrity
● Ensure that personal data is secure
● Make systems resilient to outages
● Examine system telemetry data
● Make it easy for users to delete user data
● Make installation and maintenance of devices easy
● Validate input data
● Data protection provisions for consumer IoT
Each area is broken down into one or more specifics. There's a helpful table on page 32, detailing whether the requirement is Mandatory, Recommended, and/or Conditional. This is important to know, because a bunch of them are truly just recommendations, but even many of the ones that are Capital M Mandatory are also Conditional, which is actually displaying quite a sense of care about the diversity of devices and possible situations. For example, they acknowledge things like "constrained devices", which is a "device which has physical limitations in either the ability to process data, the ability to communicate data, the ability to store data or the ability to interact with the user, due to restrictions that arise from its intended use". Here, they give some explicit examples, like "The device cannot have its software updated due to storage limitations, resulting in hardware replacement or network isolation being the only options to manage a security vulnerability."
I think this truly is a culture war between the culture of technokings and the culture of They Can't Keep Getting Away With This, and no culture war offensive ever comes without a counteroffensive. Will major corporations, either American or Chinese, bow the knee? Will they pull out of the UK in a weird, polar opposite anti-security stance to the position that has led other companies to pull products like Signal/Telegram from countries that threatened to make them less secure? The UK may be the sixth largest economy in the world by GDP, but that's still only about 4%. Will they go full tizzy and make separate products, where the secure versions go to the UK and the less secure versions go elsewhere? If they don't pull out and don't make different versions, than everyone in the world just got a huge security upgrayyyed. If they don't pull out and make different versions, other countries have a green light to mandate that they should also get the good stuff. So, if they're even thinking about pulling out, they've gotta rally the troops, punish any defectors, and really make the UK feel blockaded as a warning shot to the rest of the world.
My guess is that they'll bow the knee and just do this stuff for everyone. It's pretty much all stuff that everyone has known that they should be doing for quite a while now. Will it cost a little extra? Sure. Will they have to deal with some annoyed developers who feel constrained by law, as basically every other industry ever does, and eventually have to bring their culture into the Industrial Age? Sure. I doubt that having to pay $9 for a smart plug instead of $6 is going to change much about the economics of wiz bang gizmos... but it just might be a step toward not having newspapers filled with nightmare exploits causing millions in damage... at least not every week.
As a topic expert (despite myself, embedded is both fun and hell) I did not want and continue not to want any government standardization of software because:
Just make IoT doodad manufacturers liable for bad things that happen with them and the problem will sort itself out, no state intervention with the potential for universal surveillance and totalitarian control needed.
The real reasons people want to do this shit are economic and strategic, they don't like that the Chinese are beating everyone at the doodad game and want protectionism through the backdoor. It's the same reason you can't easily buy American ETFs in the EU, because they don't care to include the handful of made up documents that are mandated by law at the advice of European financial institutions that enjoy proximity to the rule makers.
Let us not mince words: nobody gives a shit about the end user here. This whole game of being "regulatory leaders" only works if the major players of the industry you are regulating actually want to help you prevent further competition.
You can have protectionism and regulation if you want, but you can't get that and innovation. You have to choose.
How about a government funded Red Team who's raison d'etre is taking out insecure household devices? Could be a nice cyber-warfare bootcamp; I can certainly think of worse uses for government funds. The problem with letting the market take its course is that IoT devices are a low-value target for black hattery -- classic case for governments protecting the commons!
Isn't this the reason the NSA is supposed to exist on paper too?
Security for devices for the defense industry is one of those reasons, but I think household devices would be mostly outside their purview.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link