The main issues I see with this are, rather than just "I don't trust the government":
1. They'll do a scan of all devices then ask the ISPs to provide customer information for the vulnerable IPs found so that the government can contact them. So now you'll end up with a big fat list somewhere with names and addresses next to known vulnerability and that list is bound to leak sooner than later. See "My Number" (Japanese equivalent of social security numbers) leaks recently.
2. This makes for great phishing. All newspapers and TV channels have said you might receive notice from the government about security. Now you just have to send emails or letters claiming to be the government, saying "we have found your network to be vulnerable, please run this program to clean it up" and it's way more likely people will run your malware. FREE Advertisement provided by public funds!
Yeah, people don't trust the government. But most of the conspiracists are convinced the government is already secretly accessing their home devices (or trying to). If that's your belief, then really, nothing has changed!
I feel very differently, especially if it's a government whose "expert" minister doesn't know what a USB drive is:
1) don't do it at all. Vulnerable families remain vulnerable to organised crime and we have systemic weakness to state and/or vandal attack (worms, botnets or whatever else.)
2) Government does it, in public, performed by public servants, with appropriate guidelines that are enforced under pain of criminal prosecution. This has the opportunity to shame and possibly sue ISPs who provide default routers that suck giving indirect systemic benefits.
3) Private enterprise does it. Facebrick and Gogglers being the obvious candidates who one would think would just love to get in there, probably with the same checks and balances they've enjoyed so far.
4) Some Rumsfeld style unknown unknown, beyond my limited imagination - really keen to hear if anyone has an idea here.
I absolutely agree with you that the number of people in positions of power who are completely f&^ing clueless about the domain over which they make decisions is astounding and a huge, massive problem. It still isn't required to have someone who knows what a USB drive is on your board of directors while they sign billion dollar contracts with Oracle, IBM Global Services, Accenture and whoever else has the best con, for example. Same for public service IT consulting contract ripoffs of which ripoffs utterly dominate the space.
So the "expert" minister thing you raise is really bad. Just as you say it is in fact and must be remedied across the board in all countries.
And I'm still going with (2) govt. doing it, with public scrutiny as the best of the available options.
True, and while I understand that high level officials do not necessarily need to be able to write code or explain the difference between public and private key crypto, they should have a base level of understanding to make decisions on the materials prepared by their employees.
I don't think someone who isn't familiar with the concept of a USB drive is at that base level of understanding.
EDIT: but "Gpetrium"'s statement is actually still correct ("a department can still be functional and even successful if their boss listens and applies the ideas offered") - maybe from this perspective it's more a "must" for a successful manager, but, after the "listening" comes the "judging" and that MUST be based on own know-how.
I'd trust any democratic government doing a preventative security scan for vulnerable devices, over some hacker who's only out to exploit them for personal gain.
Most people have never patched their router nor even know how to. Someone needs to proactively inform that group that they're vulnerable, at scale, if we're even going to have a chance to solve a lot of network problems.
It depends on what kind of actions they wish to do with the resulting scan/hack.
If they offer services to secure people/companies free or cheaply, then it's an overall large positive.
If they give it to their equivalent NSA apparatus, that's a major bad.
Vast majority of Internet users are not security savvy. Doing a baseline scan with appropriate remediation guidance will go a long way.
I'm pretty sure security researchers will set up honeypots and monitor what the government probes are doing.
In the United States, I'm inclined to think that the former has already taken place and the latter will only happen after an extensive FOIA battle and enough years to make disclosure useless to the average citizen.
What do you mean? Is it not the case that in some countries encryption, let alone hiding anything from the government is illegal?
I feel the complete opposite way. The government having access to my things is worse than cyber-criminals having access to my stuff.
Cyber-criminals, on the other hand do not have the power to exercise physical violence over you, they can only harm you in non-violent ways.
Practically speaking, you are more likely to be harmed by cyber-criminals than by your country's state, but if tomorrow there's a new law against certain political ideologies (not uncommon in third world countries), or against encryption, or against privacy and they happen to know that you're interested in those things, the consequences could include physical violence.
There is a philosophical point to be made about one's right to willfully violate what are considered best practices (eg toad.com), but we're not debating penalties for running "insecure" devices. The sheer majority of vulnerabilities they find are going to be due to straight cluelessness.
It’s why I don’t worry the medication I take is not genuine, why the water that comes out the tap is safe to drink and why if I get run over I’ll get medical treatment.
It’s why I can walk down the street without unduly fearing I’ll get robbed etc.
Blind distrust is as silly as blind trust is what I’m saying here.
The government taking cyber security seriously is a good thing if you trust that government and the Japanese government is pretty good in that specific area.
Also given that Japan is a regional and major economic competitor to China which along with Russia and the other major powers is currently waging an undeclared series of wars in the global networks it seems like a pretty smart move to me.
"Japan's cyber-security minister has 'never used a computer'"
As for medicine, water and medical treatment... Your government makes the medicine, your government runs the water company and your government runs your hospitals? Seems like a recipe for disaster. Just out of curiosity, what country do you live in?
Yes. Japan is a regional and major economic competitor to China, Russia and Korea and the US. But what's your point? They are also a major trading partner to all those countries.
Sure, blind mistrust is bad as blind trust. But there are plenty of reasons for people to distrust governments. It's why we have rights to protect ourselves from the government. And the last government I'd trust is the Japanese government if I were the Japanese people considering how they were so willing to throw their citizens' lives away on kamikaze missions and endure endless firebombings and nukes.
I trust my government more than Facebook or Huawei. Open source or neutral 3rd parties don't exist for this kind of thing.
I agree with you 100% and upvoted you too. Furthermore people speak of "Government" as if it were a thing--akin to say an apple, as opposed to what it is in reality: a random group of random people with possibly, if not probably, virtually unlimited ideas on the nature of what the citizens under their thumb (or hopefully stewardship) have the right to see, hear, think, say or do.
This seems like the digital version of checking for locked doors. Here in Montreal you can get a ticket for leaving your car door unlocked. This seems like a similar initiative, but one that protects against greater threats while being less punitive.
What is the reasoning behind that law? I know plenty of people who live in areas where they don't lock their house because they believe it's safe enough not to have to lock it. And besides, anyone who really wanted in could bust the door down or break a window.
Same with cars. I've had my car broken into 5 times in LA/SF. They busted the window each time. Not locking would have solved nothing although maybe it would have saved me having to pay to get the window replaced.
Ideally if the law is about preventing crime it seems like they should actually try preventing the crimes rather than tell citizens to change their lives. Here in Japan pull out car stereos are not a thing and they have large car stereos that are not available in the USA. They are not available in the USA because they're too large to carry and would get stolen. I'd prefer to live in a society that protects its people's lifestyles than one which tells them "that's the way the world is, lock your stuff up"
Not sure that made any sense. There's plenty of things you can do in Japan you can't do other places because the crime level is high in those other places. The attitude of those other places is "crime exists, there's nothing to be done about it, so suck it up". Living somewhere where the crime doesn't exist (or is low enough to ignore it) opened my eyes that I was in a bubble of "crime is the way things are". Now I see that no, it's the way we let them be. I'm sure it's more complicated than that.
Tangential story: I know someone who used to have a soft-top convertible. He would purposefully leave it unlocked because he didn't want someone to tear open the top to get in, which they could very easily do. Someone still tore it open one time to get some change out of the center console.
An open door is seen as an invitation even for a thief that normally wouldn’t risk breaking a window. Basically for crimes of opportunity. And this applies to houses, cars, etc. Insurance companies will see it the same way.
In Japan if you go to a coffee shop like Starbucks which might be 3 stories tall (each floor rather small though), the norm is you go first see if there is a seat available. If there is you leave your stuff there. By stuff I mean your $1k-$3k notebook, or your phone, I've even seen people leave their wallet and just take $10 out (equiv). You then go to the floor where you can order and order your stuff, wait for your order, then go back to the place you reserved and your items are still there.
AFAICT you think that's wrong because you live in a world where that stuff would be stolen and it's therefore your responsibility to make sure it's not stolen.
I live in a world where I don't worry about it being stolen. This has lots of advantages. One I can reserve a seat. Another I can use the toilet without giving up my seat and without worrying about my stuff being stolen. I can leave stuff in my car from car stereos to cameras to whatever.
I'd prefer to live in my world. To put it in modern terms, in your world the terrorists have won. They've managed to remove your freedoms and you're so deep in you can't imagine it could be any other way.
I stepped out of that bubble. Now I see the places where I have to guard my stuff as 3rd world (in that particular area, Japan has plenty of other issues).
I don't know how to do it but I want to find a way to encourage people not to let the terrorists/thieves win. I don't want our daily lives where instead of just enjoying our lives with each other we have to be on constant guard for the bad guys and the things they might do. The problem is most places are so used to theft they can't imagine a society without so much of it that they always have to be on guard. So they don't press to make their place better. They just assume it's as good as it gets already. Well, it's not.
> My world [...]
> There's plenty of things you can do in Japan you can't do other places because [...]
That’s you. How about that bubble... I guess in “your world” there are no locks on cars and houses. No need you say, right?
But the OP was talking about Montreal. And my answer applies basically to all western world. It’s literally in the law of most of those countries and it makes sense. You don’t need to agree with it but rejecting my explanation will not make it any less accurate and true to the reality of far more than “my bubble”.
P.S. If you don’t want to let the thieves/terrorists in just lock the doors like I suggested.
On the other hand please refrain from judging others for their choices and opinions, and also stop assuming only you've seen the truth. The same justice and policing system that lowered the crime rate is also responsible for suspects being considered guilty until proven innocent, routinely coerced into confessing even when being innocent, and sometimes investigating crimes only if a conviction is almost guaranteed otherwise treating it as an accident to keep those stats looking good.
I'll just lock my doors, thank you.
 http://articles.latimes.com/2007/nov/09/world/fg-autopsy9 [Not for EU it seems]
If 100 people leave the car unlocked and are robbed and on average the car costs $30,000, this will cost $3,000,000 + insurance resource + customer hassle + police resources + judicial resources. That is a steep cost to all parties.
(Dis)incentives are more successful when they consider all actors.
I would also argue that insurance resources, customer hassle, police resources and judicial resources are also all roughly equal for handling stolen items from a car, versus stolen items from a car + window broken.
Many opportunistic thieves will simply try the door and only go in if it opens.
"As an example, while a simple automobile case may resolve quickly after case initiation and incur less than $10,000 in fees, the total costs of such a case can also exceed $100,000 per side if the case goes to trial." - IAALS.Du.EDU
Here in the US you get robbed when you leave your car door unlocked. Kind of a punitive measure in its own way.
I could imagine a lot of businesses will open a closet to find the source of that infernal beeping, and discover a computer they forgot about.
"The huge question is what happens if, as many experts suspect, the experiment reveals major vulnerability throughout Japan. Even that shock may not do the trick. There is an awful lot of complacency to shake off and while Japan is far from alone in that, all the top-down, Society 5.0 posturing makes it hard to shift. Even with the government’s pro-IoT drumbeating in the background, said Itsuro Nishimoto, the president of Japanese cyber security group LAC, the business of IoT security is not yet growing in Japan. There remain deep, unresolved questions of whether manufacturers of IoT devices or their users should have responsibility for ensuring security and a nagging concern that the government’s mega-hack will not conjure up an answer."
The biggest issue I see with almost all security software is that they have no idea what should or shouldn’t happen and they just punt to the user asking them to be a SME on the right behavior, and with enterprise software that’s so complex there’s no way to know if the millions of settings are what the business really intended, and very little software even allows you to express intentions beyond a low level allow deny rule. Google Docs is a little better in that they talk in terms of what you’d do with a doc, but very little software is even at that basic level.
I think it says something more specific to Japan than that. If you go on Shodan or do your own scans and compare Japan to other technologically advanced nations, you'll find a hell of a lot more random internet-exposed IP cameras, printers, etc. Do a quick search for the Server response header from a Brother printer, and you'll see what I mean. The way that people use computers in Japan is very different from how people use them in the West. I suspect that the way the organizations are structured, and the way that crime works in Japan, are a likely source of this difference.
So I don't really see a problem, if it results in citizens getting informed by someone other than their paranoid neighborhood tech-obsessed geek that their negligence is part of the problem.
I've been that guy in the past, there's a substantial portion (majority?) of the American population that will pay far more attention to a government notice of vulnerability than a fellow citizen they perceive as a paranoid extremist dreaming up invisible threats.
that’s a relief
"The road to hell is paved with good intentions."
Classic example of "what could go wrong"?
Unless someone better at scanning for vulnerabilities finds a hole in their system.
I don't even think it's a case of trusting them, because if they get access to webcam data or something else that they shouldn't, assume someone with less well-meaning intentions can and has also done so.
The problem is that the normal, every day people who run these devices, for the most part, don't understand that not only are they open to the internet, most manufacturers provide Dynamic DNS making it painfully easy to search for them. Further still, these manufacturers set the same default password for every device. Some have been known to leave the "empty" credential slots usable. Due to poor programming, you could simply log in with no credentials at all.
I have to agree, I'd be hard pressed to decide whether I would or wouldn't accept this "survey", but, with notice, like people are being given here, you can mitigate the risks (cover the cameras, remove the data etc) and be told there are weaknesses in your system, or alternatively, not know and have some unknown accessing them at any point they wish, for any reason they wish.
In several countries pen testing tools for plebeians are even illegal.
But, let's be reasonable for a second, Japan is concerned that if people's networks aren't secured before the Olympic games, these vulnerable devices will be used to disrupt systems by outside attackers and potentially costing the country significantly.
It's well known that IoT devices on the market are poorly implemented and poorly secured and rarely-to-never updated by the manufacturer.
It is particularly hairy, and I don't think there's a perfect solution for the average person.
Once the avalanche is in progress, a government plan to add an extra snowflake scarcely matters.