Date: Wed, 28 Nov 2018 14:10:26 -0500 (EST)
From: "David P. Reed" <dpreed@deepplum.com>
To: "Michael Richardson" <mcr@sandelman.ca>
Cc: "Sebastian Moeller" <moeller0@gmx.de>, "cerowrt-devel" <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] security guidelines for home routers
Message-ID: <1543432226.19311133@apps.rackspace.com>
In-Reply-To: <24259.1543396467@dooku.sandelman.ca>

Michael Richardson asked: "So where would it go, if not the FTC?"

I think Congress has to create a function in some organization that has technical and policy capabilities, and the powers to regulate manufacturers.

It could be in the Dept. of Commerce, but it needs things the FTC doesn't have. I know NIST (also in Commerce) has a number of initiatives in non-military security, but not privacy or individual rights. They have the technical capabilities in house, and define standards where appropriate. But NIST doesn't do policy nor have any power to regulate.

Much like the FDA has powers to regulate medical device makers and sellers, because there are important public goods in medical treatment, I think it might be time to begin dealing with *essential* devices like routers in an appropriate way. Doing so while retaining low cost and maximizing innovation is hard, but it need not be done the same way as medical devices are regulated (in fact medical device regulations should probably be rethought after 100 years of progress in technology and medicine).

<rant>
FYI: This whole idea, which seems necessary, makes part of me personally uncomfortable. I don't trust Congress to get it right, given the huge amount of money available to drive them in the wrong direction. FB and Google have run extremely successful propaganda campaigns to convince America that they "serve their users" and it is too hard to do the right thing, so we should admire their tiny amount of concern about their own bad behavior. But the real truth is that they "serve their users to their customers on a platter", where their customers are not their users at all, but a vast advertising and data-brokerage system that lives to maximize surveillance of every behavior of every human on the planet, and then to find new exploits that can "monetize" the observed behavior.

We didn't build the Internet protocols to enable mass surveillance by anybody. We built it for simplifying communications among willing participants. But the latter good is lost, as the Pied Piper solved our communications concerns using the Internet, and then demanded control of our children.
</rant>

-----Original Message-----
From: "Michael Richardson" <mcr@sandelman.ca>
Sent: Wednesday, November 28, 2018 4:14am
To: "David P. Reed" <dpreed@deepplum.com>
Cc: "Sebastian Moeller" <moeller0@gmx.de>, "cerowrt-devel" <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] security guidelines for home routers

David P. Reed <dpreed@deepplum.com> wrote:
> Personally, I think it's time to move "security" out of the military
> sector of government..

+1

> But maybe not in the FCC, which is in a weird part of the USG, with no
> budget for technical expertise at all. (Congress doesn't want them to
> have technical resources)

So where would it go, if not the FTC?
