fsuk-manchester



From: Chris Hilliard
Subject: Re: [Fsuk-manchester] A powerful argument for software freedom legislation?
Date: Thu, 27 Oct 2016 18:59:24 +0100

Far easier just to use civil courts to pass the costs of a DDoS attack like this onto the manufacturer and deal with this the way we've always dealt with damages stemming from manufacturer negligence. It's not hard, or complicated, and doesn't implement a 'one solution' methodology from on high. Just fix your products or your company will cease to exist, and in UK law negligence can wipe out the protection for directors that a limited company gives as a shield.

A simple legal case through a court for damages stemming from an attack like this would do the job. Not new legislation.

Chris

On Thu, Oct 27, 2016 at 4:04 PM, Bob Mottram <address@hidden> wrote:
On Sun, Oct 23, 2016 at 10:48:31AM +0100, John Rooke wrote:
https://www.theguardian.com/commentisfree/2016/oct/23/internet-of-things-vulnerable-nework-hackers-brian-krebs
From the article:
“Instead of using traditional computers for their botnet, they used CCTV
cameras, digital video recorders, home routers and other embedded
computers attached to the internet as part of the internet of things.”

What this attack demonstrates, Schneier says, is that the economics of
the IoT mean that it will remain insecure unless government steps in to
fix the problem. “This is a market failure,” he writes, “that can’t get
fixed on its own.”

He’s right. Computer companies such as Apple and Microsoft go to great
pains to try and ensure that the desktop and laptop computers they sell
are protected from malware and that vulnerabilities are patched as soon
as possible after they are discovered. But none of that happens with IoT
devices, which are sold at razor-thin profit margins and are usually
built by smallish Chinese and Taiwanese companies that don’t possess the
expertise (or the incentive) to make them secure. What makes it even
worse, though, is that most of the IoT devices currently installed in
homes cannot be patched. As Schneier says: “The only way for you to
update the firmware in your home router is to throw it away and buy a
new one.”


It's a tricky one to deal with, and this has been a problem ever since
internet routers at home became a thing. So it's not a new problem, just
one that's increasing in scale.

What could happen is that the government puts pressure on ISPs to become
the "cyberpolice" for your home network, monitoring and controlling
devices behind the home router. That could be quite convenient for users
but would also have freedom implications.

The other possible approach would be "the Tyrell solution" where
internet connected devices just stop working after a fixed number of
years, perhaps by blowing some diodes as happens with some security
devices.

The effectiveness of DDoS can also be greatly reduced by moving to
peer-to-peer systems rather than client/server. A possible intermediate
solution is to have static content seeding as a feature of browsers,
meaning that they don't always need to go to a web server to get the
content. There would be the beneficial side-effect of also making the
censorship of sites more difficult for any central authority.





--
Shibboleet - for XKCD 806 compliant organisations.
