[Cryptography] Schneier's Internet Security Agency - bad idea because we don't know what it will do

Mon Feb 27 22:37:08 EST 2017

> Consider Apple.  Let's say Apple decides to solve the problem of IoT.  It collects an A-list of devices, crafts a SOHO security mechanism, and launches a suite of stuff.  Bingo, solved.  By the market.
Actually, Apple *is* trying to do this.  They have a standard for IoT devices - HomeKit - that is designed to be secure.  In fact, various device makers grumble about the costs of doing things Apple's way - too hard, too expensive.  (E.g., they allegedly require 3072-bit keys and use Curve25519.  How these two fit together, I don't know.)

The net result is that HomeKit-certified devices remain pretty rare.

Obviously, don't take this as an endorsement of the details of Apple's approach.  There's probably a published version of the requirements, but I've never looked for it - and I'm unaware of any third-party analyses.  It's certainly *possible* that the HomeKit requirements are all PR hot air.  Then again, given what we've seen about the security of iPhone's, it appears Apple really is taking this stuff seriously, and really does have some very competent people working on it.

But going back to the question of whether this "solves" the market failure:  iPhones appear to be more secure than Android phones - but even our dear leader, er, president, using an Android phone, and more than that, one that is apparently so old it cannot have received any security updates in quite some time.  Apple's (by hypothesis) secure stuff would cost more than some bleeding edge, dirt-cheap internet-connected flea comb - but that flea comb and all its compatriots will be serving in some bot army no matter how secure Apple makes HomeKit thermostats and cameras.

                                                        -- Jerry