
Security quote of the week

It gets even worse. Our system of disclosure and patching assumes that vendors have the expertise and ability to patch their systems, but that simply isn't true for many of the embedded and low-cost Internet of things software packages. They're designed at a much lower cost, often by offshore teams that come together, create the software, and then disband; as a result, there simply isn't anyone left around to receive vulnerability alerts from researchers and write patches. Even worse, many of these devices aren't patchable at all. Right now, if you own a digital video recorder that's vulnerable to being recruited for a botnet -- remember Mirai from 2016? -- the only way to patch it is to throw it away and buy a new one.

Patching is starting to fail, which means that we're losing the best mechanism we have for improving software security at exactly the same time that software is gaining autonomy and physical agency. Many researchers and organizations, including myself, have proposed government regulations enforcing minimal security standards for Internet-of-things devices, including standards around vulnerability disclosure and patching. This would be expensive, but it's hard to see any other viable alternative.

Bruce Schneier


Security quote of the week

Posted Jun 7, 2018 12:43 UTC (Thu) by mjthayer (guest, #39183) [Link]

Presumably some problems (obviously not for instance local wireless attacks) could be caught in a good Internet router firewall. Far from ideal of course, it would probably be a similar cat-and-mouse game to anti-viruses, but maybe still more realistic than expecting the devices to become secure.

Security quote of the week

Posted Jun 7, 2018 13:13 UTC (Thu) by karkhaz (subscriber, #99844) [Link] (9 responses)

I wonder why Schneier doesn't lobby the EU to implement these regulations that he keeps harping on about. The EU actually cares about consumer protection, and therefore is more likely to mandate such regulations. The EU is also a larger economy than the US, so IoT manufacturers will start conforming to those regulations even for products that they ship to the US (since it's cheaper to not make two versions of everything).

He's a signatory on several open letters to the US government (which I can't find on his blog), but trying to convince the US to pass any sort of consumer protection law seems like a laughable waste of time, no matter who is in power.

Security quote of the week

Posted Jun 7, 2018 13:19 UTC (Thu) by mjthayer (guest, #39183) [Link] (8 responses)

Doesn't that sort of thing work better through the courts in the US than through the government, with class action suits from people who feel that they have been harmed?

Security quote of the week

Posted Jun 7, 2018 13:32 UTC (Thu) by karkhaz (subscriber, #99844) [Link] (5 responses)

1) A lot of what Schneier is complaining about is vulnerabilities that affect IoT and embedded devices worldwide, and where a botnet powered by non-US devices can cripple people and companies in the US. Who are you going to sue for damages in that case, the whole world and all of their CCTV cameras? Better to ensure that the vulnerable devices don't end up in consumers' hands in the first place. I agree with you that this is not something that is likely to be enacted in US law. So my suggestion is to lobby for it to be enacted in EU law, so that US consumers (and everybody else) also end up with safer devices from manufacturers who want to sell in both markets.

2) Does a class action suit actually force a change in the law, or does it merely entitle the damaged party to compensation? I thought it was the latter. This doesn't stop companies from selling their devices, it just gives them an incentive to hire expensive lawyers to demonstrate that it wasn't their fault in court. I realise that taking everything to court so that everybody apart from the lawyers ends up worse off is the American Way, but I'm more concerned with preventing the problem than retroactively seeking damages for its effects.

Security quote of the week

Posted Jun 8, 2018 5:32 UTC (Fri) by marcH (subscriber, #57642) [Link] (3 responses)

> 2) Does a class action suit actually force a change in the law, or does it merely entitle the damaged party to compensation? I thought it was the latter.

I think you're mixing up two unrelated things.

> https://en.wikipedia.org/wiki/Common_law
> Common law (also known as judicial precedent or judge-made law, or case law) is that body of law derived from judicial decisions of courts and similar tribunals. The defining characteristic of "common law" is that it arises as precedent.

Precedent can come indifferently from both class actions and from non-class actions.

Not every court decision is made in a previously grey area, so not every court decision generates new precedent.

Security quote of the week

Posted Jun 8, 2018 15:59 UTC (Fri) by karkhaz (subscriber, #99844) [Link] (2 responses)

Fair enough. But even then, even if a class action suit resulted in a precedent being set, I imagine that the precedent would be something like "it is reasonable to claim compensation from a device manufacturer if their poorly-secured device was used in a botnet that caused you damage"---right? I don't think that the class action suit would result in regulations against such poorly-secured devices being enacted, which is what Schneier keeps arguing for.

Although it might be nice to have that kind of precedent set, what I believe Schneier wants is for such devices to not be sold in the first place. After all, we already have regulations that prohibit devices from being sold if they emit interfering radio waves, or if they pose an unreasonable safety hazard to the consumer, etc. so that we don't even need to wait for the damage to be done before going after the manufacturer. If botnets become a big enough problem to society, then it makes sense to preemptively regulate against them in the same way as any other hazard, rather than playing whack-a-mole with lawsuits.

Security quote of the week

Posted Jun 8, 2018 17:17 UTC (Fri) by pizza (subscriber, #46) [Link] (1 response)

> I don't think that the class action suit would result in regulations against such poorly-secured devices being enacted, which is what Schneier keeps arguing for.

Not _governmental_ regulations, but if the insurance companies that pay those claims out (under the business' general E&O insurance policies) have to pay out too many claims due to class action suits, they will start requiring that their customers secure things properly as a requirement to getting insurance.

(Not unlike how the payment card industry requires point of sale terminals to adhere to certain standards in order to have the vendor not be liable for fraudulent activity...)

The bottom line is that nobody is going to care until there is a real $$$ cost that is borne by those who have poor security practices.

Security quote of the week

Posted Jun 8, 2018 18:01 UTC (Fri) by marcH (subscriber, #57642) [Link]

> The bottom line is that nobody is going to care until there is a real $$$ cost that is borne by those who have poor security practices.

Yes, no solution will ever work without this most basic requirement.
https://en.wikipedia.org/wiki/Externality

Customer (or even worse: consumer) pressure and the "invisible finger" of the market will never be enough with respect to security; security is something that is basically impossible to evaluate before the fact/breach.

Security quote of the week

Posted Jun 8, 2018 12:16 UTC (Fri) by mjthayer (guest, #39183) [Link]

Admittedly not what I originally had in mind (other comments suggest that class actions are no longer current anyway), but I could imagine people affected by DDoS attacks suing the makers of specific insecure IoT devices involved in the attack.

Security quote of the week

Posted Jun 8, 2018 5:25 UTC (Fri) by marcH (subscriber, #57642) [Link] (1 response)

Class actions (and justice) against large corporations are dead in the US; a thing of the past: https://www.nytimes.com/2018/05/21/business/supreme-court...

Security quote of the week

Posted Jun 11, 2018 16:27 UTC (Mon) by ScottMinster (subscriber, #67541) [Link]

Whether or not arbitration is a bad thing, it wouldn't apply in this case. If D-Link (or whoever) makes a consumer router that is vulnerable to being recruited into a botnet that is used against my server and causes me financial harm, I could potentially have a claim against D-Link. There's no previous contract between us, so that arbitration decision wouldn't apply.

Think of it like this: if a company made a toaster with faulty wiring that burned down an apartment building, all the other people in the building (and the building owner) would have a claim against that company, but no prior contract with them. So arbitration wouldn't apply.

Of course, IANAL, so I have no idea if there is even liability in my toaster example. But if there is liability there, then I could see there being liability for vulnerable routers or other IoT devices.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds