IoT security is RUBBISH says IoT vendor collective

A vendor group whose membership includes Microsoft, Symantec, Verisign, ADT and TRUSTe reckons the Internet of Things (IoT) market is being pushed with no regard to either security or consumer privacy. In what will probably be ignored by the next startup hoping to get absorbed into Google's Alphabet's Nest business, the Online …

  1. Anonymous Coward

    "The framework also includes the following minimum requirements:

    Don't hide the privacy policy – demanding that someone wait until after buying a product before they see the privacy policy is a no-no, and consumers need to know the impact of opt-in or opt-out decisions on a product or service.

    Make the privacy policy readable – the OTA notes that this includes the user interface design presenting the policy. Since a home sensor or a fitness tracker lacks the user interface, vendors should keep in mind that the policy will be read on another device.

    Tell people what you're collecting – or as the framework puts it, “Manufacturers must conspicuously disclose all personally identifiable data types and attributes collected.”

    IoT vendors' promiscuous attitude to data sharing is frowned on – data should only be shared with third parties who agree to keep it confidential, and only for limited purposes.

    Tell consumers how long you're keeping their data."

    Well that would rule out Microsoft's Windows 10 wouldn't it then?

    "Yes," said Arthur, "... It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'."

    1. BillG
      IT Angle

      Re: "The framework also includes the following minimum requirements:

      I'm deep into IoT and I can tell you we ain't seen nothing yet.

      IoT will have a direct impact on people's lives. Hacked IoT will have a devastating impact that will cost lives. Corporations are protected by laws that insulate the individuals responsible for the fiasco. This lets them achieve their personal corporate goals while being totally apathetic as to the destruction they can cause.

      No politician anywhere will change the laws to make corporate officers responsible, but someday there will be an IoT hack so great that a way will be found to haul them off to jail.

  2. Ole Juul

    Forgettaboutit

    In other words, vendors can't simply abandon users either at the end of the warranty, or at some arbitrary end-of-life date.

    Sounds good.

    If a security vulnerability emerges (and the vendor still exists), it should be patched.

    Hey waitaminnit. You mean some company that I probably don't trust and who I'll never know what I need to know about them, is going to have access to my stuff in my house - forever?

    Deal's off.

  3. jake Silver badge

    More succinctly:

    IoT so-called security ... isn't.

    One wonders how many of the engineering staff working on IoT were born before 1990 ... Back in my day (pre so-called IoT, of course), the conversation went something like this:

    Management: MARKETING SEZ WE GOTTA SHIP IT!!!!

    Engineer: Sorry, it's not ready to ship. I'm not signing off on it.

    Marketing: BUT YOU HAVE TO! WE HAVE ADVERTISING READY!!!

    Engineer: Ok, Marketing, YOU sign off on it.

    Marketing: BUT WE'RE NOT QUALIFIED TO DO THAT!!!

    Management: Now, now, Engineer. Be nice to Marketing. They have ADVERTISING!!!

    Engineer: Then you sign off on it, Management. I'm not going to.

    Management: We could FIRE you for this insurrection!!!

    Engineer: Go ahead. Then you'll never have a working product.

    Management: ::sputter::

    Management: OK, WE'LL HIRE NEWLY MINTED ENGINEERS TO SIGN OFF!

    Marketing: Yeah! That's EXACTLY what we'll do! (BTW, what does "sign off" mean?).

    Management: (It's a technical term. I don't really get it either. Don't worry about it.)

    Marketing: (Thank heavens for that. Ignoring technical stuff is easy for me.)

    Engineer: Good luck with that, guys. I'm taking early retirement. Have fun.

    RIP DEC

    1. ben_myers

      Re: More succinctly: Procedure stolen from Microsoft

      The dialog cited above happens in the Microsoft borg before every product release.

  4. Will Godfrey Silver badge
    Unhappy

    Bug Fixing

    Theory: Company puts long term procedures in place.

    Practice: Directors wind up company as soon as profits dip, and start a new (strangely similar) one.

  5. This post has been deleted by its author

  6. VinceH

    Optional

    "In other words, vendors can't simply abandon users either at the end of the warranty, or at some arbitrary end-of-life date. If a security vulnerability emerges (and the vendor still exists), it should be patched."

    That sounds sensible - but, noting that Microsoft is a member of the group, we should consider what the 'T' stands for in IoT.

    A computer is a thing - even one running XP.

    1. Anonymous Coward

      Re: Optional @VinceH

      Yeah, XP - that operating system that is end of life with plenty of advance warning and Microsoft to their credit are doing everything they can to make it go away so all the security issues it has go with it.

      Too bad you were too cheap to move to Windows 7 or later.

      Just HAVE to get your gratuitous digs in on Microsoft, that company that pretty much launched the careers of the majority of IT people today and to whom you owe most of your income to.

      1. Richard Plinston

        Re: Optional @VinceH

        > Microsoft, that company that pretty much launched the careers of the majority of IT people today and to whom you owe most of your income to.

        Maybe, but it wasn't because MS produced such a wonderful product, it was because MS products need a lot of IT people to keep it running and attempting to keep it safe. IT loves Windows and other stuff because it keeps their jobs safe, there is always something more to do, more to retrain users, more to buy, more licences to keep track of.

      2. VinceH

        Re: Optional @VinceH @Anonymous Coward

        Since you were replying to me...

        "Too bad you were too cheap to move to Windows 7 or later."

        Just for the record, while I do have a machine running XP (for a specific purpose) my main computer - the one on which I am typing this - is running 8.1.

        "Just HAVE to get your gratuitous digs in on Microsoft,"

        Yes, yes I do.

        "that company that pretty much launched the careers of the majority of IT people today and to whom you owe most of your income to."

        No, no I don't.

      3. anonymous boring coward Silver badge

        Re: Optional @VinceH

        I tried many times to update XP before MS killed support.

        Unfortunately updates didn't work. It used to work before MS updated the update system.

        Does MS even supply a full update package for XP now that can be installed to bring it up to "last support date"?

        Also: How come MS didn't see fit to fix the exponential time consumption issue in Windows Update that has wasted millions upon millions of users' hours, not to mention gigawatt-hours of energy? I'm sure it would have cost it several 10s of k$, the poor little company.

        What a pathetic excuse of a tech company.

    2. Speltier

      Re: Optional

      Sort of my thinking -- XP should be supported forever (well, for the life of Microsoft) based on the IoT manifesto.

      More realistically, the manufacturer should print on the product the "Trash By" date, sort of like a "Use By" date on food... No one can afford to buy a product supported forever at an initial fixed price. Even auto manufacturers don't have to fix fatally flawed vehicles after some period of time, at least not yet.

      1. VinceH

        Re: Optional

        That is indeed more realistic - but as well as on the product, it should probably be prominently displayed wherever it is sold, including (especially?) through third parties.

  7. Doctor Syntax Silver badge

    "The framework also includes the following minimum requirements:"

    Add one: a vendor should undertake not to change the policies etc to the detriment of the Thing's user after purchase.

  8. ben_myers
    Thumb Up

    Some wisdom

    With reference to the sub-heading of this article, IoT vendors are to IoT security what Donald Trump is to politics.

  9. Anonymous Coward

    IOT bugs

    Sorry, but if a product is EOLed I won't release a patch.

    I won't even look at the problem.

    Time is money, and there is no reason to spend money on things that are no longer sold or under warranty, unless it is understood that reasonable support should be given (laptops, etc).

    As a consumer it pisses me off, but such is life.
