
California passes nation’s first IoT security bill – too little too late? - m_eiman
https://diginomica.com/2018/09/24/california-passes-nations-first-iot-security-bill-too-little-too-late/
======
ccnafr
This is incorrect. The bill has not been signed into law. It can still get
rejected by Gov. Brown, who has a habit of rejecting bills that come under
criticism, and this one has received some criticism for its vague lingo.

~~~
Bucephalus355
Quick thing on “vague lingo”.

Vague lingo is currently accepted, among white-collar crime academics, as
_absolutely_ the best path forward for reining in corporate behavior.

When you have very specific lingo, it’s extremely easy to circumvent the law.
You want to keep the law vague and open so you have lots of maneuver room to
prosecute. This assumes you trust the government, which when compared with
companies I 97% do. Bruce Schneier’s latest book, “Click Here to Kill”, makes
the same point [1].

[1] [https://www.amazon.com/Click-Here-Kill-Everybody-Hyper-conne...](https://www.amazon.com/Click-Here-Kill-Everybody-Hyper-connected/dp/0393608883)

~~~
PurpleBoxDragon
>When you have very specific lingo, it’s extremely easy to circumvent the law.
You want to keep the law vague and open so you have lots of maneuver room to
prosecute. This assumes you trust the government, which when compared with
companies I 97% do. Bruce Schneier’s latest book, “Click Here to Kill”, makes
the same point [1].

Companies don't have a monopoly on force that the government does. This
greatly changes how you calculate who the law should favor. I much prefer
specific laws instead of laws that are selectively applied to whomever the
government decides to target, because there is a long history of showing a
very evil nature in how they pick targets.

------
olliej
I’m not sure how good this law is. For example, “best practice” is often
interpreted as “includes a virus scanner”, yet as Tavis Ormandy has shown
over and over again, virus scanners add huge attack vectors. Added to that, the
very nature of what virus scanners want to do means that the entire OS must
allow exactly the type of code injection that malicious software wants.

Yet there are places that will only purchase things that can run antivirus
(because there are rules or regulations that require them to run antivirus).

------
crankylinuxuser
You want to fix this?

Get rid of/make void the fact that software and hardware companies disclaim
any and all liability. If they make bad things, they should be liable for
them.

I would provide an exception to this, and that's if they are open sourced,
able to upload firmwares, and able to revert to a safe baseband.

~~~
jarfil
Consumers don't want that.

There is already a kind of hardware and software where companies are liable:
in medical equipment. Now look at what that does to the prices.

Open source and consumer serviceable makes sense, but that's already being
fought for with the "right to repair" movement.

~~~
monocasa
The medical field has all sorts of other market failures going on, so it's
not really fair to compare their prices in that way.

~~~
logfromblammo
Look at the prices for hardware certified for permanent installation into an
aircraft?

~~~
dsfyu404ed
You practically have to have every bolt be traceable back to the ore the iron
for the steel was smelted from (this is only a slight exaggeration). That puts
a huge additional cost on every unit shipped. Software is not subject to that.
You can certify it once and amortize the cost over a million copies sold. The
cost of testing is also much cheaper.

~~~
logfromblammo
It isn't just the cost of testing. The barrier to entry, no matter how modest,
is not what increases the price so much. It's the pricing power acquired from
the lack of competition, as the barrier prevents new entrants.

If three brands of GPS mapping device dominate the consumer market, but only
one of them bothers to certify for aircraft, the exact same hardware in an
aircraft dash-mount will cost many times the amount for a consumer handheld.
Costs only determine prices for commodity suppliers. Everyone else charges
what the market will bear.

------
jiveturkey
good time to be in law school ...

