
Ask HN: Can we solve device security without regulation? - nitrogen
We've seen an awful lot of stories about various IoT and Smart devices being
hacked and used to spread malware, DDoS, and more in the past year.  We also
talk a lot about better languages and tooling to help prevent vulnerabilities.
There has been talk of legislation or regulation to address clear market
failures.

As someone whose own startup's devices took longer to develop and ultimately
failed in the market due in part to my deep concern for security and code
quality (there were lots of other reasons), I welcome some kind of change in
developer and manufacturer culture toward strong and effective security.  But as
we all know, the legal system's past track record is very poor when it comes to
technology, and regulation or legislation can have unintended and burdensome
consequences that might make it impossible for independent developers,
contractors, or startups to enter the market ever again.

So now I have to ask, are there any behind-the-scenes efforts currently underway
to draft and propose regulation or legislation that would address all security
concerns and protect consumers, while keeping our industry as accessible to
newcomers as possible?  How can we make sure that if/when governments finally
react to the security situation, it's done in a developer- as well as
consumer-friendly way?  Is there some kind of industry association alternative
that could produce voluntary compliance with security best practices, without
turning those best practices into a meaningless and ineffective CYA liability
shield?  Is there any way to make sure that attention is focused on the real
issues, instead of placebos meant to appear to be "doing something", or worse,
blanket ban all new classes of technology like IoT, cryptocurrencies, etc.?
======
deftnerd
I would love to see a series of pass-through "device filters" manufactured by
a third party.

When purchased, they can be configured to designate what is attached and then
they would regularly connect to the filter service to get updated definitions.

For instance, the inline filter could be purchased to be placed in between a
router and a smart TV hooked up via ethernet. Then the owner configures the
filter and selects the exact TV manufacturer and model that is attached.

The filter device would then connect to the filter service on a regular basis
to get the rulesets for that specific model of TV. The rulesets could filter
incoming traffic, outgoing traffic, apply whitelists or blacklists, etc.

Basically, inexpensive device-specific firewalls.
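
The per-device inline filter described in the comment above, sketched as an
added Python example (not code from the thread or from any real product). It
assumes a "filter service" that hands out a versioned ruleset keyed by
manufacturer and model; here that service is a constructed in-memory
catalogue, and the hostnames and networks in it are placeholders, not real
vendor endpoints. Flows are matched against the device's ruleset in order and
anything unmatched is denied, so an unknown model, or a model the service has
no ruleset for, gets nothing through.

```python
"""Toy device-specific inline filter (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the remote filter service. Keyed by
# (manufacturer, model); "version" lets the filter box poll for updates.
# The .invalid names and RFC 5737/1918 networks are placeholders.
RULESET_CATALOGUE = {
    ("ExampleTV", "X100"): {
        "version": 3,
        "rules": [
            # outbound firmware/update traffic to the vendor's own domain only
            {"dir": "out", "host_suffix": ".updates.example-tv.invalid",
             "ports": [443], "action": "allow"},
            # outbound to the local LAN (e.g. media streaming), any port
            {"dir": "out", "net": "192.168.0.0/16", "ports": None,
             "action": "allow"},
            # inbound from the LAN on the casting/control ports only
            {"dir": "in", "net": "192.168.0.0/16", "ports": [8008, 8009],
             "action": "allow"},
            # no rule for anything else: falls through to DEFAULT_ACTION
        ],
    },
}

DEFAULT_ACTION = "deny"   # default-deny: the TV talks only where the ruleset says


@dataclass
class Flow:
    direction: str                   # "in" = toward the device, "out" = from it
    remote_ip: str                   # the non-device end of the connection
    port: int                        # remote port
    remote_host: Optional[str] = None  # DNS name the filter saw resolve, if any


def fetch_ruleset(manufacturer: str, model: str,
                  cached_version: Optional[int] = None):
    """Simulate the periodic check-in. Returns a ruleset only when the
    service has one for this model and it is newer than what we cached."""
    entry = RULESET_CATALOGUE.get((manufacturer, model))
    if entry is None:
        return None
    if cached_version is not None and cached_version >= entry["version"]:
        return None
    return entry


def rule_matches(rule: dict, flow: Flow) -> bool:
    """Every criterion present in the rule must match the flow."""
    if rule["dir"] != flow.direction:
        return False
    if rule.get("ports") is not None and flow.port not in rule["ports"]:
        return False
    if "net" in rule:
        if ipaddress.ip_address(flow.remote_ip) not in ipaddress.ip_network(rule["net"]):
            return False
    if "host_suffix" in rule:
        # Name-based rules are only as trustworthy as the resolution the
        # filter observed; a flow with no known name never matches them.
        if flow.remote_host is None or \
                not flow.remote_host.lower().endswith(rule["host_suffix"]):
            return False
    return True


def evaluate(ruleset: Optional[dict], flow: Flow) -> str:
    """First matching rule wins; no ruleset or no match means DEFAULT_ACTION."""
    if ruleset is None:
        return DEFAULT_ACTION
    for rule in ruleset["rules"]:
        if rule_matches(rule, flow):
            return rule["action"]
    return DEFAULT_ACTION


def filter_flows(ruleset: Optional[dict], flows):
    """Apply the ruleset to a batch of flows, returning (flow, verdict) pairs."""
    return [(flow, evaluate(ruleset, flow)) for flow in flows]


if __name__ == "__main__":
    rs = fetch_ruleset("ExampleTV", "X100")
    sample = [  # constructed flows
        Flow("out", "198.51.100.7", 443, "fw.updates.example-tv.invalid"),
        Flow("out", "203.0.113.5", 80),
        Flow("in", "192.168.1.20", 8009),
        Flow("in", "192.168.1.20", 22),
    ]
    for flow, verdict in filter_flows(rs, sample):
        print(f"{verdict:5} {flow.direction:3} {flow.remote_ip}:{flow.port} {flow.remote_host or ''}")
```

The design point worth noticing is that the ruleset is positive (what the
device may do) rather than a blocklist, so a compromised TV that tries to join
a DDoS against an arbitrary address is dropped without the filter needing a
definition for that attack; the periodic version check is what lets the
service add a new vendor endpoint when the TV's legitimate behaviour changes.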

------
nitrogen
Maybe we could create some voluntary logo program, like the old EnergyStar
program, that could show that a device meets basic UI/UX standards and has
adequate security? Like, all UI actions must respond or display a progress bar
within 60ms, device must boot within 5s for dumb display, 10s for smart
features, device must not use UPnP to open ports, device must not have default
passwords, and so on?

------
BuuQu9hu
We can't solve device security, period. Regulation isn't going to help and
effective regulation would be way too costly.

