From: "David P. Reed"
To: "Sebastian Moeller"
Cc: "Dave Täht", "cerowrt-devel"
Date: Mon, 26 Nov 2018 19:29:39 -0500 (EST)
Subject: Re: [Cerowrt-devel] security guidelines for home routers

> I would like it very much if my country attempted to get to something
> similar as a requirement for FCC certification or import. Stronger
> yes, would be nice, but there was
> nothing horrible in here that I could see.

Dave T. - You may remember from when I helped get you in contact with the FCC regarding their attempt to rule against software updates of routers. Subsequent to that, I and others were brought into an ex parte discussion with the top policy people in the FCC regarding their role in supporting security reviews of routers and development of secure routers for WiFi. The FCC lawyers have asserted that they have no legal authority whatsoever in regard to assuring security of routers.

They haven't been interested in communications security at all, in all of my work with them over the last 20 years. Personally, I don't see Congress passing laws on router security, or for that matter, "Internet of Things" security. There is some thought that the Federal Trade Commission might have authority under "consumer protection" and "product safety" laws. But FTC is generally weak and uninterested in regulating most technologies.

One of the US's problems (which may have parallels in Europe) is that ALL responsibility for communications security in the USG resides in the NSA, which is in the Department of Defense. Every other part of the USG depends on NSA support. (Even the Federal Information Processing Standards for commercial encryption are vetted officially by NSA, because they are the only agency that has security competencies)

Is it a good thing to bring NSA into regulating the security of home routers or IoT? Technically, they and their contractors are very sharp on this. I've worked with them since I began work in computer security in my research group at MIT in 1973. (we did no classified research, but NSA was part of our support, and the chief scientist of the NSA shared an office with me when he visited us).

Personally, I think it's time to move "security" out of the military sector of government.

But maybe not in the FCC, which is in a weird part of the USG, with no budget for technical expertise at all. (Congress doesn't want them to have technical resources)
