e dot dot dot
a mostly about the Internet blog by

New Open Source Standard Hopes To Cure The Internet Of Broken Things Of Some Awful Security Practices

As we've pretty well documented, the internet of things is a security and privacy shitshow. Millions of poorly-secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your gmail credentials, your kids' Barbie doll can now be used as a surveillance tool, and your "smart" tea kettle can now open your wireless network to attack.

Security analysts like Bruce Schneier have been warning for a while that the check is about to come due for this mammoth dumpster fire, potentially resulting in human fatalities at scale -- especially if these flaws are allowed to impact integral infrastructure systems. But Schneier has also done a good job noting how nobody in the production or consumer cycle has any incentive to take responsibility for what's happening:

"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
There's no quick fix for this problem. And as Schneier notes it's going to take the cooperation of companies, governments, consumers and independent groups to craft a solution, something that was already difficult enough during decidedly more sane times.

Consumer Reports has been one of the few organizations to try and tackle this problem with plans to incorporate some open source security and privacy testing standards into its product reviews, to name and shame companies that turn a blind eye to this problem. Just about a year ago the organization noted it was working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledged was early and requires public and expert assistance.

This week these groups shed a little more detail on the new effort, which it claims is the first step in reinstilling some degree of trust in the internet of very broken things. The standard is still very much under development, and the groups are looking for your help in spreading the word:
"We are focused on ensuring the Standard's maximum impact by working across many constituencies to use and refine this tool as a metric for evaluating consumer software and hardware. Our goals are to educate companies on how they can use the Standard to improve their products, help consumer and digital rights advocates to leverage the Standard in their advocacy, and solicit feedback from the full range of stakeholders on how the Standard can be improved."
The emerging standard would incorporate 35 different security and privacy testing standards into product reviews, with a heavy emphasis on the obvious need for quality encryption, non-default usernames and passwords, transparency as to what data is collected and who it's being sold to, more easily understood terms of service, and better government mechanisms to handle consumer complaints and enforcement against bad actors.

Traditionally, IOT companies have disregarded these issues in both their business models and product design, creating Schneier's unaccountable "invisible pollution" (for example when your cheap ass Chinese security camera gets hacked minutes after being connected online, then contributes to historically massive DDOS attacks without your knowledge or consent). Convincing companies (especially when they're overseas and outside of regulatory authority) that contributing to the greater good benefits everybody in the long run hasn't been easy.

As such, the OTI tries to make the case that over the long term, respecting privacy and embracing security standards should save everybody money, noting that firms like the Ponemon Institute have estimated that the average data breach in 2017 cost "responsible" businesses $3.5 million. Not to mention the costs of downtime from massive DDOS attacks like the one that targeted Dyn last year, or the costs of having to deal with regulatory action because of the lack of common security sense we've seen applied to everything from smart TVs to in-car infotainment systems.

Still, the temptation to disregard security and privacy and just move on to marketing the next IOT product in the pipeline is a siren song that will be hard to compensate for (especially for overseas Chinese vendors), and it's going to take a massive, collective push to avoid some of the doomsday scenarios many security researchers have been warning about.

posted at: 12:00am on 27-Mar-2018
Founder Of Fan-Subtitle Site 'Undertexter' Loses Copyright Infringement Appeal

Just a quick update on the current craziness going on in the Swedish court system. In the middle of 2017, we wrote about the Swedish authorities raiding the offices of Undertexter, a site that provides fan-created subtitles of movies. Many people were confused by this, but the film industry has long branded fan-made subtitles as contributors to piracy, allowing people in foreign countries to download films and append the subtitles to watch them, rather than buying the localized version. The industry also argues that these subtitles are themselves copyright infringement, as they essentially reproduce the film's script in another language.

Founder Eugen Archy was convicted of copyright infringement. Ever the fighter, he appealed, but now we learn that Archy has lost his appeal as well.

On appeal, Archy agreed that he was the person behind Undertexter but disputed that the subtitle files uploaded to his site infringed on the plaintiffs' copyrights, arguing they were creative works in their own right.

While to an extent that may have been the case, the Court found that the translations themselves depended on the rights connected to the original work, which were entirely held by the relevant copyright holders. While paraphrasing and parody might be allowed, pure translations are completely covered by the rights in the original and cannot be seen as new and independent works, the Court found.

The Svea Hovrätt also found that Archy acted intentionally, noting that in addition to administering the site and doing some translating work himself, it was "inconceivable" that he did not know that the subtitles made available related to copyrighted dialog found in movies.
Now, the good news is that losing this appeal only results in his original conviction and punishment of probation and a $26,000 fine. All told, that isn't the craziest punishment we've seen for copyright infringement. Those caveats aside, let's all remember that Undertexter gave away the fan-translations it hosted. The site didn't sell them. They were offered for free. And for the crime of providing free translations in markets that are often underserved by Hollywood, he now has a copyright infringement conviction on his record and a five-figure bill to pay.

posted at: 12:00am on 27-Mar-2018