[Cryptography] [FORGED] Re: Schneier's Internet Security Agency - bad idea because we don't know what it will do
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Feb 26 19:28:47 EST 2017
Kevin W. Wall <kevin.w.wall at gmail.com> writes:
>For starters, I'd like to see it mandated that any IoT device that is sold
>will NOT try to connect to the Internet by default.
That'll never fly, it would take any IoS device and reduce it to just an S
device. It looks like you're thinking of "smart" TVs and the like, but most
IoS devices are "I" so you can monitor and/or control them via your phone, for
which disabling the I bit defeats the whole point of their existence. Even
something like "must be explicitly enabled by the user" doesn't help, because
no-one's going to not enable it, the whole point of getting it was the I part.
>Second thing is that they should not be permitted to be sold unless they have
>a mechanism to update their firmware and they should be required to support it
>for the expected life of the device (and not just the warranty period).
And then you run into this (scroll down to "Update Mechanism"):
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#IoT_Attack_Surface_Areas
The lack of ability to update is actually a security feature in many devices.
>So for that reason, I'd prefer not to put this into the hands of a regulatory
>body.
I'm not so much worried about the government-surveillance angle, but more the
fact that commercial vendors are very good at co-opting regulatory bodies to
create barriers to entry that lock out anyone but them.
Peter.