LWN: Comments on "Security quotes of the week" https://lwn.net/Articles/929328/
This is a special feed containing comments posted to the individual LWN article titled "Security quotes of the week".
Mon, 10 Nov 2025 02:26:22 +0000

Security quotes of the week https://lwn.net/Articles/930378/ Vipketsh
<div class="FormattedComment"> <span class="QuotedText">&gt; Then, you could require switches and routers to refuse to interconnect with MAC addresses that correspond to devices that are known to be out of service.</span><br> <p> There is little behaviour you could ask for that is more asshole than this. Effectively you are screwing over someone who has no idea what is going on and has actually done exactly nothing wrong to be screwed over. Moreover, I doubt that in the mind of the user the "responsible person" for the non-working situation is going to be the manufacturer of the device in question.<br> <p> This is always a wonderful idea until you get the short end of the stick. A bit like communism...<br> <p> <span class="QuotedText">&gt; Users who install custom firmware [...]</span><br> <p> I truly wonder how long you will be able to do this in general. The trend today is very clear: secure boot on everything with a complete ban on custom firmware.<br> <p> <span class="QuotedText">&gt; Maybe we could instead require that the software receive security updates for at least the natural life of the hardware.</span><br> <p> While it would be great, who would pay for those updates? Because money doesn't materialise just because someone said it must. I think the more sane approach would be to have security &amp; code review part of the certification process.
That way the cost is known, one-off and upfront.<br> <p> <span class="QuotedText">&gt; I suppose this is why the average tech worker has exactly zero smart devices in their home...</span><br> <p> That is, quite frankly, the best advice I give to people.<br> </div>
Thu, 27 Apr 2023 14:06:40 +0000

Security quotes of the week https://lwn.net/Articles/929956/ pabs
<div class="FormattedComment"> We need a right to repair for software.<br> </div>
Mon, 24 Apr 2023 07:29:49 +0000

Security quotes of the week https://lwn.net/Articles/929922/ Wol
<div class="FormattedComment"> <span class="QuotedText">&gt; (The BBC does not have £150/year worth of programmes I want to watch.)</span><br> <p> I got my BA(Hons) through the OU. I paid 6 years' worth of licence fees as a result. I stopped paying because the TV was switched on for less time than I could have bought time in the cinema for the same money.<br> <p> We have a tv licence now, my wife can't live without it, but it's the one bill I refuse to pay. And she has control of the remote - I can never be bothered even to switch it on :-)<br> <p> Cheers,<br> Wol<br> </div>
Sun, 23 Apr 2023 12:51:34 +0000

Security quotes of the week https://lwn.net/Articles/929919/ mpr22
<div class="FormattedComment"> <span class="QuotedText">&gt; The problem is when the devices you want only come in smart versions.
How many tech workers have an (intentionally) dumb tv?</span><br> <p> I have only ever owned a TV for use as a display for a games console.<br> <p> (The BBC does not have £150/year worth of programmes I want to watch.)<br> </div>
Sun, 23 Apr 2023 10:20:37 +0000

Security quotes of the week https://lwn.net/Articles/929915/ Wol
<div class="FormattedComment"> <span class="QuotedText">&gt; I suppose this is why the average tech worker has exactly zero smart devices in their home...</span><br> <p> The problem is when the devices you want only come in smart versions. How many tech workers have an (intentionally) dumb tv?<br> <p> Our second TV broadcaster has just switched its online service over to ITVx. That's broken both our main smart tv devices. The same thing happened a few years back. I couldn't give a monkey's but my wife's well upset. And we just don't want to have to shell out loads of money when the kit is perfectly functional - the other end has simply stopped talking to it.<br> <p> It won't help when the problem is the internet end, but just mandate "open source". If the company stops supporting it, the customer has the right to the source. Tied in with this new EU security law saying companies *have* to keep their internet devices secure, we might actually get somewhere.<br> <p> Cheers,<br> Wol<br> </div>
Sun, 23 Apr 2023 07:54:09 +0000

Security quotes of the week https://lwn.net/Articles/929913/ NYKevin
<div class="FormattedComment"> Unfortunately, there is a basic tension between freedom and security here. It would be relatively straightforward (if politically difficult) to require IoT manufacturers to publish their MAC address ranges, and to publicly announce when they stop releasing firmware updates.
Then, you could require switches and routers to refuse to interconnect with MAC addresses that correspond to devices that are known to be out of service.<br> <p> Users who install custom firmware could easily spoof the MAC address, so they would be unaffected by such a regulation. The real question is whether this impinges on the freedom of the vast majority of users, who don't know how to install custom firmware, and just want their hardware to work as advertised. Is it right for a switch to decide that it knows better than the user, and refuse to connect a device to a network?<br> <p> Perhaps this is tackling the wrong end of the problem. Maybe we could instead require that the software receive security updates for at least the natural life of the hardware. But we've been down this road before with product manufacturers. They will make every excuse to limit the "official" lifespan of their devices, as can be seen from the plethora of Android phones that no longer get updates, but are still perfectly functional. Phones are arguably at the less-bad end of the spectrum, too.<br> <p> I suppose this is why the average tech worker has exactly zero smart devices in their home...<br> </div>
Sun, 23 Apr 2023 06:18:37 +0000

Security quotes of the week https://lwn.net/Articles/929847/ flussence
<div class="FormattedComment"> And it's not just devices at the end of the connection. Most of the infrastructure they talk over is secured by six inches of topsoil, and HMAC-MD5 on the routing address if you're lucky.
We have cheap HTTPS (some still refuse to do even that…) but the rest is still very much a 1980s understanding of computers.<br> </div>
Fri, 21 Apr 2023 16:52:43 +0000

Security quotes of the week https://lwn.net/Articles/929730/ Karellen
<p>More from Geoff Huston's post:</p> <blockquote><p>What makes this scenario even more depressing is the portent of the so-called Internet of Things (IoT).</p> <p>[...]</p> <p>What do we know about the “things” that are already connected to the Internet? Some of them are not very good. In fact, some of them are just plain stupid. And this stupidity is toxic, in that their sometime-inadequate models of operation and security affect others in potentially malicious ways.</p> <p>[...]</p> <p>But what we tend to forget is that all of these devices are built on layers of other people’s software that is assembled into a product at the cheapest possible price point. It may be disconcerting to realise that the web camera you just installed has a security model that can be summarised with the phrase: “no security at all,” and it’s actually offering a view of your house to the entire Internet.</p> <p>[...]</p> <p>The Internet of Things will continue to be a marketplace where the compromises between price and quality will continue to push us on to the side of cheap rather than secure. What’s going to stop us from further polluting our environment with a huge and diverse collection of programmed unmanaged devices with inbuilt vulnerabilities that will be all too readily exploited? What can we do to make this world of these stupid cheap toxic things less stupid and less toxic? So far, we have not found workable answers to this question.</p></blockquote>
Thu, 20 Apr 2023 17:54:08 +0000