[Cryptography] Schneier's Internet Security Agency - bad idea because we don't know what it will do

Ian G iang at iang.org
Sun Feb 26 07:01:37 EST 2017


> On Sat, Feb 25, 2017 at 04:26:27PM +0100, Ian G wrote:
>> 2. I think we can agree that the market hasn't solved the problem.  But it
>> is a fallacy that this implies the government has to then step in.  As a
>> matter of objective reality, governments can't solve some problems, and
>> governments can make some problems worse.  Which is why we have bad wars and
>> bad legislation, something that even Schneier admits with the DMCA.
> Why would the market have solved the problem?

The market hasn't solved the problem because (a) we haven't waited long 
enough and/or (b) the market hasn't found a large enough space to 
justify the extra work.

Consider Apple.  Let's say Apple decides to solve the problem of IoT.  
It collects an A-list of devices, crafts a SOHO security mechanism, and 
launches a suite of stuff.  Bingo, solved.  By the market.

To rephrase, Apple could do this and nobody would blink an eye.  The 
reason they could do it is that Apple has the margins that permit them 
to take the long view and craft a franchise that keeps providing, which 
feeds into their loyal customer base.  But to do that, Apple have to 
find a set of devices that sell in the 100mm+ range.

Which is to say, the market might solve this problem.  All we know right 
now is the market hasn't solved it, yet, today.  Tomorrow?

> There's no way if I'm getting
> attacked by some insecure IoT devices for me to sue the users, distributors,
> manufacturers, and/or developers of those devices.
>
> Introduce strict liability for distributors, manufacturers, and/or developers
> and this problem would go away. Of course, so would the IoT industry, but they
> were creating an unsafe product causing harm to others, so there's every reason
> why that industry (and individuals working in that industry) should be sued
> into the ground until they find ways of developing secure IoT devices that
> don't cause harm to others.

Yes, that is a cure often suggested.  But, not only would it kill the 
existing IoT manufacturers, it would put a wet blanket on the open 
source world, as Kevin mentions, and also impact the licensed software 
world, as Richard suggests.  So it's not really a solution, unless 
killing that patient and the rest of the ward as well is considered a solution.

Maybe we want to have our cake and eat it too.  But also, even if such were to 
be introduced, would it really solve the problem?  Or would we just 
encourage a grey market in non-strictly attachable IoTs which would 
cause the same damage, and add to the mix the cost of trying to make owners 
strictly liable?  It hasn't really worked for the music/film industry.  
Or pharma, as Kevin mentioned.

Also, the legal world is very good at crafting legal arrangements that 
appear to protect the public but don't.  The easy go-to solution here is 
to do white label imports into the country and expect the importer to go 
bust any time the problems happen.  Or, slightly more sophisticated, 
sell the camera raw, with firmware that is only capable of downloading 
some open source software.  Seller is strictly responsible for the 
hardware, buyer is strictly responsible for the open source software...

I'm not saying (forcefully) that liability is a hopeless direction, 
rather that we don't know enough about what works, and we know that's 
obviously got some pretty dramatic downsides.  And putting that in the 
hands of a government agency isn't going to find us the balance.

iang
