Re: [NNagain] Internet Education for Non-technorati?

["David Bray, PhD" <david.a.bray@gmail.com>]

[-- Attachment #1.1.1: Type: text/plain, Size: 6897 bytes --]

Here's a label example that is being considered for the "Cyber Trust Mark"
example... it wouldn't just be a boolean mark vs. no mark, it would be
something like this (CMU has helped design it)

[image: cylabs-iot-security-an-1127463569.jpg]

On Wed, Oct 11, 2023 at 2:19 PM David Bray, PhD <david.a.bray@gmail.com>
wrote:

> Are we talking about the one that modelled after the label from CMU (they
> showed some prototypes, there would be about 10-15 pieces of information on
> the label followed by a QR code to get the rest), here's a link - and the
> concerns I have apply to this:
>
>
> https://news.pantheon.cmu.edu/stories/archives/2023/july/cylab-presents-at-white-houses-launch-of-new-iot-cybersecurity-labeling-system
>
>
> https://www.securityindustry.org/2023/09/12/the-fccs-u-s-cyber-trust-mark-proposal-what-it-means-for-the-security-industry/
>
> On Wed, Oct 11, 2023 at 2:06 PM Dave Taht <dave.taht@gmail.com> wrote:
>
>> I think y'all are conflating two different labels here. The nutrition
>> label was one effort, now being deploye, the other is cybersecurity,
>> now being discussed.
>>
>> On the nutrition front...
>> We successfully fought against "packet loss" being included on the
>> nutrition label, but as ghu is my witness, I have no idea if a formal
>> method for declaring "typical latency" was ever formally derived.
>>
>>
>> https://www.fcc.gov/document/fcc-requires-broadband-providers-display-labels-help-consumers
>>
>> On Wed, Oct 11, 2023 at 10:39 AM David Bray, PhD via Nnagain
>> <nnagain@lists.bufferbloat.net> wrote:
>> >
>> > I was at a closed-door event discussing these labels about two weeks
>> ago (right before the potential government shutdown/temporarily averted for
>> now) - and it was non-attribution, so I can only describe my comments:
>> >
>> > (1) the labels risk missing the reality that the Internet and
>> cybersecurity are not steady state, which begs the question how will they
>> be updated
>> > (2) the labels say nothing about how - even if the company promises to
>> keep your data private and secure - how good their security practices are
>> internal to the company? Or what if the company is bought in 5 years?
>> > (3) they use QR-codes to provide additional info, yet we know QR-codes
>> can be sent to bad links so what if someone replaces a label with a bad
>> link such that the label itself becomes an exploit?
>> >
>> > I think the biggest risks is these we be rolled out, some exploit will
>> occur that the label didn't consider, consumers will be angry they weren't
>> "protected" and now we are even in worse shape because the public's trust
>> has gone further down hill, they angry at the government, and the private
>> sector feels like the time and energy they spent on the labels was for
>> naught?
>> >
>> > There's also the concern about how do startups roll-out such a label
>> for their tech in the early iteration phase? How do they afford to do the
>> extra work for the label vs. a big company (does this become a regulatory
>> moat?)
>> >
>> > And let's say we have these labels. Will only consumers with the money
>> to purchase the more expensive equipment that has more privacy and security
>> features buy that one - leaving those who cannot afford privacy and
>> security bad alternatives?
>> >
>> > On Wed, Oct 11, 2023 at 1:31 PM Jack Haverty via Nnagain <
>> nnagain@lists.bufferbloat.net> wrote:
>> >>
>> >> A few days ago I made some comments about the idea of "educating" the
>> >> lawyers, politicians, and other smart, but not necessarily technically
>> >> adept, decision makers.  Today I saw a news story about a recent FCC
>> >> action, to mandate "nutrition labels" on Internet services offered by
>> ISPs:
>> >>
>> >>
>> https://cordcuttersnews.com/fcc-says-comcast-spectrum-att-must-start-displaying-the-true-cost-and-speed-of-their-internet-service-starting-april-2024/
>> >>
>> >> This struck me as anecdotal, but a good example of the need for
>> >> education.  Although it's tempting and natural to look at existing
>> >> infrastructures as models for regulating a new one, IMHO the Internet
>> >> does not work like the Food/Agriculture infrastructure does.
>> >>
>> >> For example, the new mandates require ISPs to "label" their products
>> >> with "nutritional" data including "typical" latency, upload, and
>> >> download speeds.   They have until April 2024 to figure it out. I've
>> >> never encountered an ISP who could answer such questions - even the
>> ones
>> >> I was involved in managing.  Marketing can of course create an answer,
>> >> since "typical" is such a vague term.  Figuring out how to attach the
>> >> physical label to their service product may be a problem.
>> >>
>> >> Such labels may not be very helpful to the end user struggling to find
>> >> an ISP that delivers the service needed for some interactive use (audio
>> >> or video conferencing, gaming, home automation, etc.)
>> >>
>> >> Performance on the Internet depends on where the two endpoints are, the
>> >> physical path to get from one to the other, as well as the hardware,
>> >> software, current load, and other aspects of each endpoint, all outside
>> >> the ISPs' control or vision.   Since the two endpoints can be on
>> >> different ISPs, perhaps requiring one or more additional internediate
>> >> ISPs, specifying a "typical" performance from all Points A to all
>> Points
>> >> B is even more challenging.
>> >>
>> >> Switching to the transportation analogy, one might ask your local bus
>> or
>> >> rail company what their typical time is to get from one city to
>> >> another.   If the two cities involved happen to be on their rail or bus
>> >> network, perhaps you can get an answer, but it will still depend on
>> >> where the two endpoints are.  If one or both cities are not on their
>> >> rail network, the travel time might have to include use of other
>> >> "networks" - bus, rental car, airplane, ship, etc.   How long does it
>> >> typically take for you to get from any city on the planet to any other
>> >> city on the planet?
>> >>
>> >> IMHO, rules and regulations for the Internet need to reflect how the
>> >> Internet actually works.  That's why I suggested a focus on education
>> >> for the decision makers.
>> >>
>> >> Jack Haverty
>> >>
>> >> _______________________________________________
>> >> Nnagain mailing list
>> >> Nnagain@lists.bufferbloat.net
>> >> https://lists.bufferbloat.net/listinfo/nnagain
>> >
>> > _______________________________________________
>> > Nnagain mailing list
>> > Nnagain@lists.bufferbloat.net
>> > https://lists.bufferbloat.net/listinfo/nnagain
>>
>>
>>
>> --
>> Oct 30:
>> https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html
>> Dave Täht CSO, LibreQos
>>
>

[-- Attachment #1.1.2: Type: text/html, Size: 9400 bytes --]

[-- Attachment #1.2: cylabs-iot-security-an-1127463569.jpg --]
[-- Type: image/jpeg, Size: 234287 bytes --]

[-- Attachment #2: cylabs-iot-security-an-1127463569.jpg --]
[-- Type: image/jpeg, Size: 234287 bytes --]