[Cryptography] Schneier's Internet Security Agency - bad idea because we don't know what it will do

[Kevin W. Wall]

First, Peter's sentiments reflect a lot of mine, so I'm not going
to repeat those specific points.

On Sat, Feb 25, 2017 at 5:52 PM, Peter Todd <pete at petertodd.org> wrote:
> On Sat, Feb 25, 2017 at 04:26:27PM +0100, Ian G wrote:
>> 2. I think we can agree that the market hasn't solved the problem.  But it
>> is a fallacy that this implies the government has to then step in.  As a
>> matter of objective reality, governments can't solve some problems, and
>> governments can make some problems worse.  Which is why we have bad wars and
>> bad legislation, something that even Schneier admits with DCMA.
>
> Why would the market have solved the problem? There's no way if I'm getting
> attacked by some insecure IoT devices for me to sue the users, distributors,
> manufacturers, and/or developers of those devices.

This certainly will go a long way to addressing a lot of the issues, but
it's not going to be a panacea. There will always be small shady 3rd party
knock-offs who will be in it for the short term profits and once they
get sued, the declare bankruptcy and close up shop. Happens with fake
pharmaceuticals a lot and killing them off is a lot like playing whack-a-mole.

>
> Introduce strict liability for distributors, manufacturers, and/or developers
> and this problem would go away. Of course, so would the IoT industry, but they
> were creating an unsafe product causing harm to others, so there's every reason
> why that industry (and individuals working in that industry) should be sued
> into the ground until they find ways of developing secure IoT devices that
> don't cause harm to others.

For starters, I'd like to see it mandated that any IoT device that is sold
will NOT try to connect to the Internet by default. That alone may help,
especially when you can no longer buy devices that don't have Internet
connectivity. I know that I've had Smart TVs and an Blu-Ray players that
tried to connect to the Internet as soon as I've plugged them in. That's
a pain.  Second thing is that they should not be permitted to be sold unless
they have a mechanism to update their firmware and they should be required
to support it for the expected life of the device (and not just the
warranty period).

However, this is not going to happen overnight. For one thing, there likely
will be a lot of push-back from large software companies, because if IoT
devices are liable for insecure software, that will set a precedent for
all software. Also, unless they work out a way to exclude open source
software, that will pretty much kill off FOSS development. And that would
mean no one to continue to fix all the open source out there when new
vulnerabilities are discovered. And if they do exclude open source,
then IoT manufacturers will just open source their firmware to evade
liabilities.  So I think that strict liability will be some tricky waters
to navigate legally and achieve the right balance. And yet I think that's
a better idea than setting up yet another government regulatory body.
More often than not, they just create more bureaucracy and have little
positive impact. Plus, it seems to me that there's going to be a conflict
of interest here, at least with the USG. Their preference seems to be
increased surveillance, As Schneier wrote, "We don’t want car navigation
systems to be used for mass surveillance, or the microphone for mass
eavesdropping", but I fear that our government has other preferences.
So for that reason, I'd prefer not to put this into the hands of a
regulatory body.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.