Internet of shit
-
EU to introduce strict IoT security regulation - TechCentral.ie
The EU is set to introduce a law that would require smart devices to follow strict cyber security rules, on threat of a device ban. Internet of Things (IoT) devices such as smart home controls or fitness trackers are becoming more ubiquitous, making life more convenient while also increasing the...
-
@Zerosquare I am torn about this. On one hand something clearly should be done about the security, on the other EU is an exercise in government overreach (and everything from Brussels is terrible).
-
@Bulb said in Internet of shit:
@Zerosquare I am torn about this. On one hand something clearly should be done about the security, on the other EU is an exercise in government overreach (and everything from Brussels is terrible).
Yes, yes, government is BAaaaaad. We know it.
Do you know how ridiculous you sound? "Something should be done!" - something is done: "Not that way!"
And who exactly do you think should "do something" if the companies in question don't? That exact case is kind of the reason governments exist: There's a widespread problem and the companies don't care.
Also don't see how this here is "overreach":
Once law, smart device manufacturers will be required to review the risk profiles of their products and fix any discovered vulnerabilities.
In the event of a problem or threat being discovered, the law will also require companies to notify the European Union Agency for Cybersecurity (ENISA) within 24 hours.
-
@Rhywden said in Internet of shit:
@Bulb said in Internet of shit:
@Zerosquare I am torn about this. On one hand something clearly should be done about the security, on the other EU is an exercise in government overreach (and everything from Brussels is terrible).
Yes, yes, government is BAaaaaad. We know it.
We understand. It is impossible for you as a government employee to feel otherwise
-
@Applied-Mediocrity Naw, I'm fine with criticising overreach when it actually happens. In this case? Not seeing it.
I mean, I've seen plenty of those "voluntary self-restrictions" pledges from companies where then either precisely nothing happened or they merely hid away the thing they pledged against.
A very good example would be what's happening to the UK's beaches and rivers right now - no regulations or the repeal thereof (along with a lack of enforcement of what regulations are left) means literally wading through shit.
-
@Rhywden Neither do I, in this case. I just like annoying you.
-
@Rhywden Some exaggeration and shit talking included.
Something should be done, so it's not overreach. I still don't have high hopes it will actually work though.
-
I'm one of the most stauch proponents that the computing industry - in general, not just Internet of Shit - is Wild West so wild, misguided, irresponsible, predatory and chaotic like the real Wild West by far never even was, and full wrath of a fleet of thousands of wizened poker-face technology-averse Vogons is the best thing that can possibly happen to it.
-
@Bulb said in Internet of shit:
Something should be done
The one thing I'd like most to be done is to make producers liable for any damage caused by bad security of their products and then strictly enforcing this.
-
@ixvedeusi said in Internet of shit:
@Bulb said in Internet of shit:
Something should be done
The one thing I'd like most to be done is to make producers liable for any damage caused by bad security of their products and then strictly enforcing this.
This.
Regulations tend to be a whole lot of do this and do that and it a lot of vague verbiage that keeps hordes of lawyers occupied while not doing much to the actual problem, and are usually obsolete a year ago before they are passed. Saying they are responsible to make sure this does not happen would be much better. But nobody wants responsibility these days and politicians tend to be willing to avoid giving it.
-
@ixvedeusi Not that I think that shouldn't be the case. However, the question then is how to determine damages for stuff like leaking personal data. Or if somebody uses a IoT device to snoop on its users (camera or otherwise). Or if customers lose control over the lights in their home. Or any number of stupid things.
That said, the article suggest that the proposal essentially requires
- Vendors to assess the risks (briefly Googled, and some other article mentioned certification)
- Vendors need to fix vulnerabilities when they're discovered
- Vendors need to notify ${EU agency} within 24 hours of "discovering a threat or problem" (I'm guessing the actual proposal defines threat/problem a bit better than the article)
Doesn't exactly seem like overreach to me. Second point seems like the largest change. But, then again, not having large numbers of essentially unpatchable devices out there seems like a good idea.
-
@ixvedeusi said in Internet of shit:
@Bulb said in Internet of shit:
Something should be done
The one thing I'd like most to be done is to make producers liable for any damage caused by bad security of their products and then strictly enforcing this.
Well, with this regulation that's actually possible now. Because now they're required to fix their shit and also to notify the authorities as soon as they become aware of a breach/threat/exploit/.... That, along with the threat assessment, makes it now possible to determine whether it was a genuine accident or neglect.
-
@ixvedeusi said in Internet of shit:
@Bulb said in Internet of shit:
Something should be done
The one thing I'd like most to be done is to make producers liable for any damage caused by bad security of their products and then strictly enforcing this.
Not sure if too political for not being in
, but anyways:While in theory this is absolutely something that should be done, is the right thing to do with the best intentions, it would still only end up hurting companies in the EU, as always.
As seen with any privacy regulations, US companies just get away with either not caring about them, because you can't conclusively prove what everybody knows, or prefer to just pay some fines for the advantage in market dominance it brings them not to follow the rules as intended.
And more on topic for Io
, all this crap comes from China, where they change the company name of the front that sells this like underpants. If you actually try to sue them for anything, they're already gone and sell the same shit under three different names. Good lucking getting any money out of them.
-
@cvi said in Internet of shit:
the question then is how to determine damages for stuff like leaking personal data.
Indeed these kinds of things would have to be defined; but the concept of "damages to one's person, reputation or honor" exist in other contexts so I'd think something similar could apply here.
@cvi said in Internet of shit:
endors to assess the risks (briefly Googled, and some other article mentioned certification)
My main issue with certification (and auditing in general) is the inherent conflict of interest the certifiers face: they are usually paid by the company requiring the certification so they have a strong incentive to please these clients by waving them through.
@Rhywden said in Internet of shit:
Because now they're required to fix their shit and also to notify the authorities as soon as they become aware of a breach/threat/exploit/.... That, along with the threat assessment, makes it now possible to determine whether it was a genuine accident or neglect.
It also basically gives them a free pass for the first time. "Oh we made an oopsie, we'll fix it right away". Being liable from the outset for damages caused by neglect would better motivate them to fix their shit from the outset. I guess the certification requirement is supposed to fix this issue but see above.
-
@ixvedeusi said in Internet of shit:
My main issue with certification (and auditing in general) is the inherent conflict of interest the certifiers face: they are usually paid by the company requiring the certification so they have a strong incentive to please these clients by waving them through.
They also typically want to keep the ability to do certification, which they would loose if anybody finds that out. That needs to be enforced though.
It also basically gives them a free pass for the first time. "Oh we made an oopsie, we'll fix it right away". Being liable from the outset for damages caused by neglect would better motivate them to fix their shit from the outset.
I haven't seen anything that supports this assertion - neither the above article, nor the other one I briefly skimmed, said anything about getting a free pass for doing any of the above (at least not any more than they might already get now).
-
I think NodeBB just shat the bed for a second. My post did not appear where it should have.
-
@Rhywden said in Internet of shit:
I think NodeBB just shat the bed for a second. My post did not appear where it should have.
ï…º Your post is right where you left it
-
@cvi said in Internet of shit:
They also typically want to keep the ability to do certification, which they would loose if anybody finds that out. That needs to be enforced though.
Yeah well, stories I've heard from the auditing world don't make me very confident in that. Don't remember the specifics though so maybe it's just me being my usual cynical self.
@cvi said in Internet of shit:
I haven't seen anything that supports this assertion - [...] about getting a free pass for doing any of the above (at least not any more than they might already get now).
Well yes, now they are getting a free pass every time. I was comparing to the utopian situation where they are actually held liable. I'm not saying that the proposal explicitly states they will get a free pass, just that it fails to state the contrary.
-
@cvi said in Internet of shit:
@ixvedeusi said in Internet of shit:
My main issue with certification (and auditing in general) is the inherent conflict of interest the certifiers face: they are usually paid by the company requiring the certification so they have a strong incentive to please these clients by waving them through.
They also typically want to keep the ability to do certification, which they would loose if anybody finds that out. That needs to be enforced though.
Did you ever hear the tragedy of
Darth Plagueis The WiseErnst & Young and their audits that certified Wirecard isn't cooking the books, pinky promise?
-
@topspin said in Internet of shit:
@ixvedeusi said in Internet of shit:
@Bulb said in Internet of shit:
Something should be done
The one thing I'd like most to be done is to make producers liable for any damage caused by bad security of their products and then strictly enforcing this.
Not sure if too political for not being in
, but anyways:While in theory this is absolutely something that should be done, is the right thing to do with the best intentions, it would still only end up hurting companies in the EU, as always.
As seen with any privacy regulations, US companies just get away with either not caring about them, because you can't conclusively prove what everybody knows, or prefer to just pay some fines for the advantage in market dominance it brings them not to follow the rules as intended.
Yeah, It’s hard to take the EU seriously when all they’re doing is fining people. They issue a fine. The company makes a cost benefit analysis of paying it or paying lawyers to dispute and reduce it. If the fines were forced into escrow while the dispute is in motion they might be taken more seriously. That or jail time for everyone involved.
As it stands, smaller European firms are just folding and the giants just tank it or pay lawyers.
Ireland recently issued a fine for billions against someone. What’s more likely to happen is the state will incur more costs perusing it than they’ll pull out of the company.
-
@DogsB said in Internet of shit:
@topspin said in Internet of shit:
@ixvedeusi said in Internet of shit:
@Bulb said in Internet of shit:
Something should be done
The one thing I'd like most to be done is to make producers liable for any damage caused by bad security of their products and then strictly enforcing this.
Not sure if too political for not being in
, but anyways:While in theory this is absolutely something that should be done, is the right thing to do with the best intentions, it would still only end up hurting companies in the EU, as always.
As seen with any privacy regulations, US companies just get away with either not caring about them, because you can't conclusively prove what everybody knows, or prefer to just pay some fines for the advantage in market dominance it brings them not to follow the rules as intended.
Yeah, It’s hard to take the EU seriously when all they’re doing is fining people. They issue a fine. The company makes a cost benefit analysis of paying it or paying lawyers to dispute and reduce it. If the fines were forced into escrow while the dispute is in motion they might be taken more seriously. That or jail time for everyone involved.
As it stands, smaller European firms are just folding and the giants just tank it or pay lawyers.
Ireland recently issued a fine for billions against someone. What’s more likely to happen is the state will incur more costs perusing it than they’ll pull out of the company.
And how exactly do you think "jail time" would work? Please note that I'm not seeing any other country jailing people over such things - well, apart from countries like China or Russia (but there you can be jailed for practically anything, so...)
And 4 billion Euros against Google or 400 million Euros against Instagram are not exactly peanuts.
-
@Rhywden said in Internet of shit:
@DogsB said in Internet of shit:
@topspin said in Internet of shit:
@ixvedeusi said in Internet of shit:
@Bulb said in Internet of shit:
Something should be done
The one thing I'd like most to be done is to make producers liable for any damage caused by bad security of their products and then strictly enforcing this.
Not sure if too political for not being in
, but anyways:While in theory this is absolutely something that should be done, is the right thing to do with the best intentions, it would still only end up hurting companies in the EU, as always.
As seen with any privacy regulations, US companies just get away with either not caring about them, because you can't conclusively prove what everybody knows, or prefer to just pay some fines for the advantage in market dominance it brings them not to follow the rules as intended.
Yeah, It’s hard to take the EU seriously when all they’re doing is fining people. They issue a fine. The company makes a cost benefit analysis of paying it or paying lawyers to dispute and reduce it. If the fines were forced into escrow while the dispute is in motion they might be taken more seriously. That or jail time for everyone involved.
As it stands, smaller European firms are just folding and the giants just tank it or pay lawyers.
Ireland recently issued a fine for billions against someone. What’s more likely to happen is the state will incur more costs perusing it than they’ll pull out of the company.
And how exactly do you think "jail time" would work? Please note that I'm not seeing any other country jailing people over such things - well, apart from countries like China or Russia (but there you can be jailed for practically anything, so...)
Is fining anyone working? Cost of doing business for most of the bigger companies. Start throwing C level people in a box for a decade and you might see some change. Even if it’s a different face.
And 4 billion Euros against Google or 400 million Euros against Instagram are not exactly peanuts.
First you have to collect it and is it working as a deterrent?
-
@Rhywden said in Internet of shit:
And 4 billion Euros against Google or 400 million Euros against Instagram are not exactly peanuts.
They haggle that down with an army of lawyers or pay up every once in a decade. In the meantime, they made double digit billions by ignoring privacy regulations that would fuck with their do-no-evil-
business, instead of actually stopping what the regulations intend to stop.
-
@DogsB said in Internet of shit:
@Rhywden said in Internet of shit:
@DogsB said in Internet of shit:
@topspin said in Internet of shit:
@ixvedeusi said in Internet of shit:
@Bulb said in Internet of shit:
Something should be done
The one thing I'd like most to be done is to make producers liable for any damage caused by bad security of their products and then strictly enforcing this.
Not sure if too political for not being in
, but anyways:While in theory this is absolutely something that should be done, is the right thing to do with the best intentions, it would still only end up hurting companies in the EU, as always.
As seen with any privacy regulations, US companies just get away with either not caring about them, because you can't conclusively prove what everybody knows, or prefer to just pay some fines for the advantage in market dominance it brings them not to follow the rules as intended.
Yeah, It’s hard to take the EU seriously when all they’re doing is fining people. They issue a fine. The company makes a cost benefit analysis of paying it or paying lawyers to dispute and reduce it. If the fines were forced into escrow while the dispute is in motion they might be taken more seriously. That or jail time for everyone involved.
As it stands, smaller European firms are just folding and the giants just tank it or pay lawyers.
Ireland recently issued a fine for billions against someone. What’s more likely to happen is the state will incur more costs perusing it than they’ll pull out of the company.
And how exactly do you think "jail time" would work? Please note that I'm not seeing any other country jailing people over such things - well, apart from countries like China or Russia (but there you can be jailed for practically anything, so...)
Is fining anyone working? Cost of doing business for most of the bigger companies. Start throwing C level people in a box for a decade and you might see some change. Even if it’s a different face.
Dude, that wasn't what I was asking. I was asking: How exactly do you suppose this to work?
Last time I looked, the US doesn't do extraditions. Even for people strongly suspected of killing someone.
-
@DogsB said in Internet of shit:
@topspin said in Internet of shit:
@ixvedeusi said in Internet of shit:
@Bulb said in Internet of shit:
Something should be done
The one thing I'd like most to be done is to make producers liable for any damage caused by bad security of their products and then strictly enforcing this.
Not sure if too political for not being in
, but anyways:While in theory this is absolutely something that should be done, is the right thing to do with the best intentions, it would still only end up hurting companies in the EU, as always.
As seen with any privacy regulations, US companies just get away with either not caring about them, because you can't conclusively prove what everybody knows, or prefer to just pay some fines for the advantage in market dominance it brings them not to follow the rules as intended.
Yeah, It’s hard to take the EU seriously when all they’re doing is fining people.
Fining people makes sense. Fining companies less so, but is still not completely pointless. States fining their own agencies though, that really takes the cake (the state has to immediately increase the budget of the agency by comparable amount as it still needs to keep it running).
They issue a fine. The company makes a cost benefit analysis of paying it or paying lawyers to dispute and reduce it.
Often the fines end up being too small to really matter to the supernational hegemon companies. The proper way of calculating fees should be from income from related activity—that would at least ensure that the cost/benefit analysis would always come out in favor of not giving them any reason to fine them in the first place.
If the fines were forced into escrow while the dispute is in motion they might be taken more seriously.
A4 couples of years ago they added criminal liability of companies to the law. The problem with it is twofold- Companies can be somewhat easily disbanded and new ones incorporated, which leads to lengthy legal battles on which company should and shouldn't be held liable.
- It usually won't hurt the people who made the illegal decisions. Because last time I checked companies did not have their own brains so any decision boils down to some specific people working at the company.
That or jail time for everyone involved.
I would be in favor of a ‘cover your ass’ rule: everyone who knew about it unless they can show they either objected to their superiors or notified the authorities. That would allow the lowly peons not to risk much, but prevent them from just pretending they don't see it. Obviously the CEO has no superiors to object to, so when it comes to him, he can either scratch it or risk facing jail time.
As it stands, smaller European firms are just folding and the giants just tank it or pay lawyers.
Ireland recently issued a fine for billions against someone. What’s more likely to happen is the state will incur more costs perusing it than they’ll pull out of the company.
Indeed.
It's a wider problem that the supernational hegemon companies grew way over the heads of any and all law enforcement and judicial systems that should oversee them.
-
@Rhywden said in Internet of shit:
@DogsB said in Internet of shit:
@Rhywden said in Internet of shit:
@DogsB said in Internet of shit:
@topspin said in Internet of shit:
@ixvedeusi said in Internet of shit:
@Bulb said in Internet of shit:
Something should be done
The one thing I'd like most to be done is to make producers liable for any damage caused by bad security of their products and then strictly enforcing this.
Not sure if too political for not being in
, but anyways:While in theory this is absolutely something that should be done, is the right thing to do with the best intentions, it would still only end up hurting companies in the EU, as always.
As seen with any privacy regulations, US companies just get away with either not caring about them, because you can't conclusively prove what everybody knows, or prefer to just pay some fines for the advantage in market dominance it brings them not to follow the rules as intended.
Yeah, It’s hard to take the EU seriously when all they’re doing is fining people. They issue a fine. The company makes a cost benefit analysis of paying it or paying lawyers to dispute and reduce it. If the fines were forced into escrow while the dispute is in motion they might be taken more seriously. That or jail time for everyone involved.
As it stands, smaller European firms are just folding and the giants just tank it or pay lawyers.
Ireland recently issued a fine for billions against someone. What’s more likely to happen is the state will incur more costs perusing it than they’ll pull out of the company.
And how exactly do you think "jail time" would work? Please note that I'm not seeing any other country jailing people over such things - well, apart from countries like China or Russia (but there you can be jailed for practically anything, so...)
Is fining anyone working? Cost of doing business for most of the bigger companies. Start throwing C level people in a box for a decade and you might see some change. Even if it’s a different face.
Dude, that wasn't what I was asking. I was asking: How exactly do you suppose this to work?
Last time I looked, the US doesn't do extraditions. Even for people strongly suspected of killing someone.
Then I suppose the EU is to remain toothless then.
-
@Bulb said in Internet of shit:
last time I checked companies did not have their own brains so any decision boils down to some specific people working at the company.
Those people you mention often don't have brains, either.
-
@Rhywden said in Internet of shit:
Last time I looked, the US doesn't do extraditions. Even for people strongly suspected of killing someone.
For people strongly suspected of killing someone US does do extraditions (provided they are shown evidence that the prosecution does indeed have a case and they trust the court that will hear the case).
But of course they won't extradite if it wouldn't be similarly punishable under their own laws.
-
… I mean regarding people suspected of killing, there was a case some years ago where an American guy killed I think four people somewhere near Brno (Czechia) and headed home. Police was on his trail quite fast, but he was already in the airplane flying to America. They called to the USA, he was arrested on landing, then the DA went to the USA to present the case and the guy was extradited for trial in Brno.
-
@Bulb said in Internet of shit:
It's a wider problem that the supernational hegemon companies grew way over the heads of any and all law enforcement and judicial systems that should oversee them.
That basically sums it all up.
-
-
@Atazhaia said in Internet of shit:
@DogsB said in Internet of shit:
EU is to remain toothless
FWIW... If I were at your desk i’d be puzzled and speechless.
-
@Bulb said in Internet of shit:
@Rhywden said in Internet of shit:
Last time I looked, the US doesn't do extraditions. Even for people strongly suspected of killing someone.
For people strongly suspected of killing someone US does do extraditions (provided they are shown evidence that the prosecution does indeed have a case and they trust the court that will hear the case).
Not always.
-
@Rhywden The UK case is further complicated by the dispute whether she had diplomatic immunity and whether it should apply. Or because it was a negligent homicide while the Czech one was a willful murder—USA is more protective of their citizens in cases of negligence.
-
@Bulb said in Internet of shit:
@Rhywden The UK case is further complicated by the dispute whether she had diplomatic immunity and whether it should apply. Or because it was a negligent homicide while the Czech one was a willful murder—USA is more protective of their citizens in cases of negligence.
The US now explicitly states that dependants of staff (i.e. family members) in the UK do not fall under immunity. As such, any barriers to extradition no longer apply. And yet she still isn't.
And funny that you should say this:
USA is more protective of their citizens in cases of negligence.
Because you know what plenty of those company cases we're talking about will be tried as? That's right: Negligence. Because that's what most of those are.
-
This post is deleted!
-
@Rhywden said in Internet of shit:
Because you know what plenty of those company cases we're talking about will be tried as? That's right: Negligence. Because that's what most of those are.
Indeed.
And unless the same deeds become punishable in the USA as well, they won't extradite anybody for them for certain. I am not saying otherwise, I was just saying that for murder they at least sometimes do.
-
@Rhywden said in Internet of shit:
I think NodeBB just shat the bed for a second. My post did not appear where it should have.
Hmm...it did, a few minutes before you posted this but it doesn't appear that you were using that instance (we run multiple independent processes and users get distributed among them for load balancing, with a watchdog process that kills and restarts them when one gets stuck).
-
@boomzilla said in Internet of shit:
we run multiple independent processes and users get distributed among them for load balancing, with a watchdog process that kills and restarts them when one gets stuck
Node.js is the future
-
-
@TimeBandit said in Internet of shit:
@boomzilla said in Internet of shit:
we run multiple independent processes and users get distributed among them for load balancing, with a watchdog process that kills and restarts them when one gets stuck
Node.js is the future
Best we could figure out, some regex was going crazy.
-
@BernieTheBernie looks like it, yes.
-
@TimeBandit said in Internet of shit:
@boomzilla said in Internet of shit:
we run multiple independent processes and users get distributed among them for load balancing, with a watchdog process that kills and restarts them when one gets stuck
Node.js is the future
Duck-tape programming WTF! Does not have to be node.js, everything seems to have that kind of problems.
-
@ixvedeusi said in Internet of shit:
The one thing I'd like most to be done is to make producers liable
The greatest con that the IT industry managed to pull is the whole "as-is" stuff in licences.
We all take it for granted because "OMG it's impossible to avoid bugs!11!" but if a car maker was selling you a car that didn't even start, you wouldn't be saying "oh well, I guess making a perfect car is impossible, I'll just use it as storage space instead." But with software, nah, that's fine.
-
@remi said in Internet of shit:
@ixvedeusi said in Internet of shit:
The one thing I'd like most to be done is to make producers liable
The greatest con that the IT industry managed to pull is the whole "as-is" stuff in licences.
We all take it for granted because "OMG it's impossible to avoid bugs!11!" but if a car maker was selling you a car that didn't even start, you wouldn't be saying "oh well, I guess making a perfect car is impossible, I'll just use it as storage space instead." But with software, nah, that's fine.
This is the most obvious, ridiculous con being pulled. Even astrology is more responsible than that.
If laws were applied equally, 99% of the industry would have to be in line to be tried for wire fraud.
-
@remi said in Internet of shit:
@ixvedeusi said in Internet of shit:
The one thing I'd like most to be done is to make producers liable
The greatest con that the IT industry managed to pull is the whole "as-is" stuff in licences.
We all take it for granted because "OMG it's impossible to avoid bugs!11!" but if a car maker was selling you a car that didn't even start, you wouldn't be saying "oh well, I guess making a perfect car is impossible, I'll just use it as storage space instead." But with software, nah, that's fine.
Some software makers do warrant that their software is suitable for a particular application. That's common in safety-critical situations. It adds a lot to the cost of the software, as it requires both understanding how things are really used and a bunch of liability insurance. The libraries on which that software is built don't carry the liability though. They did not assert that it would work in that situation; it is the engineers who decided "we'll use that" who have that responsibility. Any liability for a component ought to be limited to whether the component does what the documentation/advertising says it does; if it says it sorts strings, it would be bad if it actually does cryptomining and personal data exfiltration.
-
@dkf and depending on the app, you can also get people who are vendors who’ll stick warranties around existing apps. I used to work for a company that specialised in this one open source package, offered hosting solutions for it (because at any scale other than trivial, it needs help) and also could offer warranties around it if desired. Some places signed up for it but it wasn’t that common.
-
@remi you mean like a Tesla?
-
@Applied-Mediocrity said in Internet of shit:
99% of the industry would have to be in line to be tried for wire fraud.
What about wireless stuff?
-
Just discovered that my 4K HDR TV has some kind of issue when it's running for too long (be that active or in standby): It then begins to flicker when you try to play a 4K HDR BluRay.
After testing various things (cable, settings, ...) I finally selected "restart TV" and got flicker-free 4K HDR once again. Before that it was either 4K or HDR.
FlowTex - Wikipedia
