In message <20161026120634.GA20735@gsp.org>, Rich Kulawiec <rsk@gsp.org> wrote:
> On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote:
>> 2) Second, once elected I will decree that in future all new IoT devices, and also all updates to firmware for existing IoT devices will have, BUILT IN TO THE KERNEL, code/logic which (a) prevents all outbound TCP session initiation and which also (b) strictly rate-limits all other protocols to some modest value.
> I like this idea. But unfortunately, I think it has no chance of succeeding.
> The makers of IoT devices are falling all over themselves to rush products to market as quickly as possible in order to maximize their profits. They have no time for security. They don't concern themselves with privacy...
Well, see, this is why I was clear at the outset that in order for this scheme to work, I'll first need to be elected King of the World.
From that high perch I will be able to decree, by fiat, that no Internet connectable device shall be sold or marketed *unless* it has been certified (i.e. by some reliable entity that knows how to test these things) to be incapable of being converted into a weapon, i.e. incapable of spewing unnecessarily large amounts of garbage at completely arbitrary targets, *even if* an attacker somehow manages to get a shell prompt.
OK, so setting aside all frivolity now, how could this kind of restriction actually be achieved?

Here's the thing: Any solution to these problems is going to come in two parts, technical and political. We here, by and large, are not politicians, but we can influence them and urge them towards solutions that are workable, economically practical, and above all, technically effective. Or alternatively, we can leave them to flounder around on their own, in the dark. (We've all seen *that* movie before, and it isn't pretty. Think Clipper Chip and the recent push for crypto backdoors.) Left to their own devices, politicians routinely screw up technology regulation virtually every time.

So the first order of business is for the industry itself to come up with a rational approach... and virtually immediately, because the window of opportunity is rapidly closing... for solving these IoT problems, and then get widespread agreement... or at least a lack of violent disagreement... within the industry itself. The industry can then speak with one voice to the politicians and regulators, who will then be effectively bound to doing the Right Thing.

Sensible regulations, once enacted in one jurisdiction, tend to be contagious. In my own state of California, state regulation of various things, most notably air pollution, and the production thereof by cars, has eventually affected the entire North American auto market and beyond, in part because it is less economically palatable for manufacturers to design and ship multiple configurations of any one product, i.e. one which conforms to the regulations in jurisdiction X, and another that doesn't. In short, if sensible regulations requiring "safe" designs for IoT products were to come into force in one locale, it is not only possible, but actually quite likely that they would affect the whole market.
If a given Far East manufacturer was required to have safety built into the kernel of its toasters in order to be able to sell said toasters, say, in the United States... or even just in California... would they really go to the trouble to strip out the additional "safety" part of their firmware when manufacturing what is essentially the same product, but destined for other markets? I think not.

(A question for the audience: How has FCC regulation of the maximum power output of WiFi routers affected the worldwide market for such devices, over time? I honestly don't know, but I suspect that there has been a good effect, over time, on the whole worldwide market.)

It may be difficult, even among technologists, to find common ground and agreement about what "IoT" things should and should not be able to do, or even, for that matter, to agree on the definition of "IoT". But after last Friday, and even before, I think that most of us know what we *do not* want them to be able to do, i.e. to send an unlimited percentage of their available bandwidth towards any arbitrary IP address. General purpose computers, and also routers, need to be able to do that, but your bird feeder, your lightbulb, your HDTV, your refrigerator and your home alarm system don't. So maybe that's a starting point.

I proposed something which is at base, really rather simple, even if, in practice, the implementation details could get a bit complex. Basically, the proposal is that the kernels of all IoT devices should impose sensible limits on outbound bandwidth usage, consistent with each specific device's expected operational needs. It seems to me that this is not particularly different from other belt-and-suspenders approaches used in other safety critical systems, ranging from medical radiation treatment devices to nuclear power plants. Actual engineering of the firmware-imposed safety constraints needed in IoT devices will not, in my opinion, be very hard.
In the absence of a King of the World to impose such a requirement on all manufacturers of IoT devices, I believe that it would be equally effective, in the long run, to get (U.S.) state-level regulations on the books, perhaps starting in California, just because we here in my home state have some experience going first with a lot of these kinds of things. A plausible alternative would be to get the FCC on the case. (Obviously, the FCC already has a ton of experience in promulgating regulations whose goal is to prevent individual devices from behaving in ways that muck up the communications of other devices, so from that perspective at least, it seems like a good fit. Not that the FCC could be easily persuaded to take on this tar-baby, but they might.)

So anyway, bottom line, I think this is do-able, both technically and politically, and also absolutely necessary.

After the Krebs, OVH, and Dyn attacks, is anybody in their right mind willing to stand up, at this late date, and say that we can go on, as we have been, ignoring these problems and just constantly racing to build bigger pipes... a strategy which, by now, should be universally accepted as a self-defeating non-solution?

Lincoln said "As our case is new, so we must think anew and act anew."

If you hook up a device to your local telephone or cable company which sends fifty thousand volts down the line, you may fry your local distribution substation, but you're not going to fry the entire Eastern Seaboard or take down the world's largest e-commerce site for two hours.

Even the popular news media, typically devoid of technical sophistication, now knows that the single organism that is the Internet is becoming more vulnerable *to itself* day by day.

The time is ripe for clear-headed action and I do hope that we will see some.

Regards,
rfg
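The two-part device-side policy proposed in the thread above (no outbound TCP session initiation, every other protocol rate-limited to a modest value), written out as an nftables ruleset for a Linux-based device. This is an added illustration, not code from the original post or from any vendor; the interface name eth0 and the update and NTP server addresses are placeholder assumptions, and the allowlist entries show the practical caveat that a device still needs a narrow path to its own vendor's services.

```nft
#!/usr/sbin/nft -f
# Added illustration (not from the original post): egress policy for a
# Linux-based IoT device implementing (a) no outbound TCP session initiation
# and (b) rate limits on all other outbound protocols.
# Assumptions: the uplink is eth0; UPDATE_SERVER and NTP_SERVER are
# placeholders (TEST-NET-3 addresses) for whatever the vendor really uses.

define WAN = eth0
define UPDATE_SERVER = 203.0.113.10    # placeholder
define NTP_SERVER = 203.0.113.123      # placeholder

table inet iot_egress {
    chain output {
        type filter hook output priority 0; policy drop;

        # Loopback and replies to sessions that were initiated inbound
        # (e.g. the device's own local web UI) are unaffected.
        oif lo accept
        ct state established,related accept

        # (a) Outbound TCP SYN is allowed only towards the vendor's update
        #     server on 443; any other session initiation is logged and dropped.
        oif $WAN tcp flags & (syn|ack) == syn ip daddr $UPDATE_SERVER tcp dport 443 accept
        oif $WAN tcp flags & (syn|ack) == syn log prefix "iot-egress tcp-syn: " drop

        # (b) Everything else gets a modest per-second budget with a small
        #     burst; DNS and NTP have their own tight budgets so that a
        #     compromised device cannot use them as a flood vector either.
        oif $WAN udp dport 53 limit rate 5/second burst 10 packets accept
        oif $WAN udp dport 123 ip daddr $NTP_SERVER limit rate 1/second accept
        oif $WAN meta l4proto { udp, icmp, ipv6-icmp } limit rate 20/second burst 40 packets accept

        # Traffic over budget, and anything not listed, is logged and dropped.
        oif $WAN log prefix "iot-egress over-limit: " drop
    }
}
```

Loaded at boot with `nft -f`, the two log prefixes also give the device (or anything collecting its logs) a direct signal that something on it is trying to open connections or push traffic beyond what the product was designed to do.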