[Cryptography] [FORGED] Re: Schneier's Internet Security Agency - bad idea because we don't know what it will do

[Peter Gutmann]

Kevin W. Wall <kevin.w.wall at gmail.com> writes:

>For starters, I'd like to see it mandated that any IoT device that is sold
>will NOT try to connect to the Internet by default.

That'll never fly, it would take any IoS device and reduce it to just a S
device.  It looks like you're thinking of "smart" TVs and the like, but most
IoS devices are "I" so you can monitor and/or control them via your phone, for
which disabling the I bit defeats the whole point of their existence.  Even
something like "must be explicitly enabled by the user" doesn't help, because
no-one's going to not enable it, the whole point of getting it was the I part.

>Second thing is that they should not be permitted to be sold unless they have
>a mechanism to update their firmware and they should be required to support it
>for the expected life of the device (and not just the warranty period).

And then you run into this (scroll down to "Update Mechanism"):

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#IoT_Attack_Surface_Areas

The lack if ability to update is actually a security feature in many devices.

>So for that reason, I'd prefer not to put this into the hands of a regulatory
>body.

I'm not so much worried about the government-surveillance angle, but more the
fact that commercial vendors are very good at co-opting regulatory bodies to
create barriers to entry that lock out anyone but them.

Peter.