Here's a label example that is being considered for the "Cyber Trust Mark" example... it wouldn't just be a boolean mark vs. no mark, it would be something like this (CMU has helped design it)

[image: cylabs-iot-security-an-1127463569.jpg]

On Wed, Oct 11, 2023 at 2:19 PM David Bray, PhD wrote:
> Are we talking about the one that is modelled after the label from CMU (they showed some prototypes; there would be about 10-15 pieces of information on the label followed by a QR code to get the rest)? Here's a link - and the concerns I have apply to this:
>
> https://news.pantheon.cmu.edu/stories/archives/2023/july/cylab-presents-at-white-houses-launch-of-new-iot-cybersecurity-labeling-system
>
> https://www.securityindustry.org/2023/09/12/the-fccs-u-s-cyber-trust-mark-proposal-what-it-means-for-the-security-industry/
>
> On Wed, Oct 11, 2023 at 2:06 PM Dave Taht wrote:
>> I think y'all are conflating two different labels here. The nutrition label was one effort, now being deployed; the other is cybersecurity, now being discussed.
>>
>> On the nutrition front...
>> We successfully fought against "packet loss" being included on the nutrition label, but as ghu is my witness, I have no idea if a formal method for declaring "typical latency" was ever formally derived.
>>
>> https://www.fcc.gov/document/fcc-requires-broadband-providers-display-labels-help-consumers
>>
>> On Wed, Oct 11, 2023 at 10:39 AM David Bray, PhD via Nnagain wrote:
>> > I was at a closed-door event discussing these labels about two weeks ago (right before the potential government shutdown, temporarily averted for now) - and it was non-attribution, so I can only describe my comments:
>> >
>> > (1) the labels risk missing the reality that the Internet and cybersecurity are not steady state, which begs the question of how they will be updated
>> > (2) the labels say nothing about - even if the company promises to keep your data private and secure - how good their security practices are internal to the company. Or what if the company is bought in 5 years?
>> > (3) they use QR-codes to provide additional info, yet we know QR-codes can be sent to bad links, so what if someone replaces a label with a bad link such that the label itself becomes an exploit?
>> >
>> > I think the biggest risk is these will be rolled out, some exploit will occur that the label didn't consider, consumers will be angry they weren't "protected", and now we are in even worse shape because the public's trust has gone further downhill, they're angry at the government, and the private sector feels like the time and energy they spent on the labels was for naught?
>> >
>> > There's also the concern about how startups roll out such a label for their tech in the early iteration phase. How do they afford to do the extra work for the label vs. a big company (does this become a regulatory moat?)
>> >
>> > And let's say we have these labels. Will only consumers with the money to purchase the more expensive equipment that has more privacy and security features buy that one - leaving those who cannot afford privacy and security with bad alternatives?
>> >
>> > On Wed, Oct 11, 2023 at 1:31 PM Jack Haverty via Nnagain <nnagain@lists.bufferbloat.net> wrote:
>> >> A few days ago I made some comments about the idea of "educating" the lawyers, politicians, and other smart, but not necessarily technically adept, decision makers. Today I saw a news story about a recent FCC action, to mandate "nutrition labels" on Internet services offered by ISPs:
>> >>
>> >> https://cordcuttersnews.com/fcc-says-comcast-spectrum-att-must-start-displaying-the-true-cost-and-speed-of-their-internet-service-starting-april-2024/
>> >>
>> >> This struck me as anecdotal, but a good example of the need for education. Although it's tempting and natural to look at existing infrastructures as models for regulating a new one, IMHO the Internet does not work like the Food/Agriculture infrastructure does.
>> >>
>> >> For example, the new mandates require ISPs to "label" their products with "nutritional" data including "typical" latency, upload, and download speeds. They have until April 2024 to figure it out. I've never encountered an ISP who could answer such questions - even the ones I was involved in managing. Marketing can of course create an answer, since "typical" is such a vague term. Figuring out how to attach the physical label to their service product may be a problem.
>> >>
>> >> Such labels may not be very helpful to the end user struggling to find an ISP that delivers the service needed for some interactive use (audio or video conferencing, gaming, home automation, etc.)
>> >>
>> >> Performance on the Internet depends on where the two endpoints are, the physical path to get from one to the other, as well as the hardware, software, current load, and other aspects of each endpoint, all outside the ISPs' control or vision. Since the two endpoints can be on different ISPs, perhaps requiring one or more additional intermediate ISPs, specifying a "typical" performance from all Points A to all Points B is even more challenging.
>> >>
>> >> Switching to the transportation analogy, one might ask your local bus or rail company what their typical time is to get from one city to another. If the two cities involved happen to be on their rail or bus network, perhaps you can get an answer, but it will still depend on where the two endpoints are. If one or both cities are not on their rail network, the travel time might have to include use of other "networks" - bus, rental car, airplane, ship, etc. How long does it typically take for you to get from any city on the planet to any other city on the planet?
>> >>
>> >> IMHO, rules and regulations for the Internet need to reflect how the Internet actually works. That's why I suggested a focus on education for the decision makers.
>> >>
>> >> Jack Haverty
>> >>
>> >> _______________________________________________
>> >> Nnagain mailing list
>> >> Nnagain@lists.bufferbloat.net
>> >> https://lists.bufferbloat.net/listinfo/nnagain
>>
>> --
>> Oct 30: https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html
>> Dave Täht CSO, LibreQos