<div dir="ltr"><div>Here's a label example that is being considered for the "Cyber Trust Mark" example... it wouldn't just be a boolean mark vs. no mark, it would be something like this (CMU has helped design it) <br></div><div><br></div><div><img src="cid:ii_lnm2wgbs0" alt="cylabs-iot-security-an-1127463569.jpg" width="609" height="786" style="margin-right: 0px;"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Oct 11, 2023 at 2:19 PM David Bray, PhD <<a href="mailto:david.a.bray@gmail.com">david.a.bray@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Are we talking about the one that modelled after the label from CMU (they showed some prototypes, there would be about 10-15 pieces of information on the label followed by a QR code to get the rest), here's a link - and the concerns I have apply to this: <br></div><div><br></div><div><a href="https://news.pantheon.cmu.edu/stories/archives/2023/july/cylab-presents-at-white-houses-launch-of-new-iot-cybersecurity-labeling-system" target="_blank">https://news.pantheon.cmu.edu/stories/archives/2023/july/cylab-presents-at-white-houses-launch-of-new-iot-cybersecurity-labeling-system</a></div><div><br></div><div><a href="https://www.securityindustry.org/2023/09/12/the-fccs-u-s-cyber-trust-mark-proposal-what-it-means-for-the-security-industry/" target="_blank">https://www.securityindustry.org/2023/09/12/the-fccs-u-s-cyber-trust-mark-proposal-what-it-means-for-the-security-industry/</a></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Oct 11, 2023 at 2:06 PM Dave Taht <<a href="mailto:dave.taht@gmail.com" target="_blank">dave.taht@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I think y'all are conflating two different labels here. The nutrition<br>
label was one effort, now being deploye, the other is cybersecurity,<br>
now being discussed.<br>
<br>
On the nutrition front...<br>
We successfully fought against "packet loss" being included on the<br>
nutrition label, but as ghu is my witness, I have no idea if a formal<br>
method for declaring "typical latency" was ever formally derived.<br>
<br>
<a href="https://www.fcc.gov/document/fcc-requires-broadband-providers-display-labels-help-consumers" rel="noreferrer" target="_blank">https://www.fcc.gov/document/fcc-requires-broadband-providers-display-labels-help-consumers</a><br>
<br>
On Wed, Oct 11, 2023 at 10:39 AM David Bray, PhD via Nnagain<br>
<<a href="mailto:nnagain@lists.bufferbloat.net" target="_blank">nnagain@lists.bufferbloat.net</a>> wrote:<br>
><br>
> I was at a closed-door event discussing these labels about two weeks ago (right before the potential government shutdown/temporarily averted for now) - and it was non-attribution, so I can only describe my comments:<br>
><br>
> (1) the labels risk missing the reality that the Internet and cybersecurity are not steady state, which begs the question how will they be updated<br>
> (2) the labels say nothing about how - even if the company promises to keep your data private and secure - how good their security practices are internal to the company? Or what if the company is bought in 5 years?<br>
> (3) they use QR-codes to provide additional info, yet we know QR-codes can be sent to bad links so what if someone replaces a label with a bad link such that the label itself becomes an exploit?<br>
><br>
> I think the biggest risks is these we be rolled out, some exploit will occur that the label didn't consider, consumers will be angry they weren't "protected" and now we are even in worse shape because the public's trust has gone further down hill, they angry at the government, and the private sector feels like the time and energy they spent on the labels was for naught?<br>
><br>
> There's also the concern about how do startups roll-out such a label for their tech in the early iteration phase? How do they afford to do the extra work for the label vs. a big company (does this become a regulatory moat?)<br>
><br>
> And let's say we have these labels. Will only consumers with the money to purchase the more expensive equipment that has more privacy and security features buy that one - leaving those who cannot afford privacy and security bad alternatives?<br>
><br>
> On Wed, Oct 11, 2023 at 1:31 PM Jack Haverty via Nnagain <<a href="mailto:nnagain@lists.bufferbloat.net" target="_blank">nnagain@lists.bufferbloat.net</a>> wrote:<br>
>><br>
>> A few days ago I made some comments about the idea of "educating" the<br>
>> lawyers, politicians, and other smart, but not necessarily technically<br>
>> adept, decision makers. Today I saw a news story about a recent FCC<br>
>> action, to mandate "nutrition labels" on Internet services offered by ISPs:<br>
>><br>
>> <a href="https://cordcuttersnews.com/fcc-says-comcast-spectrum-att-must-start-displaying-the-true-cost-and-speed-of-their-internet-service-starting-april-2024/" rel="noreferrer" target="_blank">https://cordcuttersnews.com/fcc-says-comcast-spectrum-att-must-start-displaying-the-true-cost-and-speed-of-their-internet-service-starting-april-2024/</a><br>
>><br>
>> This struck me as anecdotal, but a good example of the need for<br>
>> education. Although it's tempting and natural to look at existing<br>
>> infrastructures as models for regulating a new one, IMHO the Internet<br>
>> does not work like the Food/Agriculture infrastructure does.<br>
>><br>
>> For example, the new mandates require ISPs to "label" their products<br>
>> with "nutritional" data including "typical" latency, upload, and<br>
>> download speeds. They have until April 2024 to figure it out. I've<br>
>> never encountered an ISP who could answer such questions - even the ones<br>
>> I was involved in managing. Marketing can of course create an answer,<br>
>> since "typical" is such a vague term. Figuring out how to attach the<br>
>> physical label to their service product may be a problem.<br>
>><br>
>> Such labels may not be very helpful to the end user struggling to find<br>
>> an ISP that delivers the service needed for some interactive use (audio<br>
>> or video conferencing, gaming, home automation, etc.)<br>
>><br>
>> Performance on the Internet depends on where the two endpoints are, the<br>
>> physical path to get from one to the other, as well as the hardware,<br>
>> software, current load, and other aspects of each endpoint, all outside<br>
>> the ISPs' control or vision. Since the two endpoints can be on<br>
>> different ISPs, perhaps requiring one or more additional internediate<br>
>> ISPs, specifying a "typical" performance from all Points A to all Points<br>
>> B is even more challenging.<br>
>><br>
>> Switching to the transportation analogy, one might ask your local bus or<br>
>> rail company what their typical time is to get from one city to<br>
>> another. If the two cities involved happen to be on their rail or bus<br>
>> network, perhaps you can get an answer, but it will still depend on<br>
>> where the two endpoints are. If one or both cities are not on their<br>
>> rail network, the travel time might have to include use of other<br>
>> "networks" - bus, rental car, airplane, ship, etc. How long does it<br>
>> typically take for you to get from any city on the planet to any other<br>
>> city on the planet?<br>
>><br>
>> IMHO, rules and regulations for the Internet need to reflect how the<br>
>> Internet actually works. That's why I suggested a focus on education<br>
>> for the decision makers.<br>
>><br>
>> Jack Haverty<br>
>><br>
>> _______________________________________________<br>
>> Nnagain mailing list<br>
>> <a href="mailto:Nnagain@lists.bufferbloat.net" target="_blank">Nnagain@lists.bufferbloat.net</a><br>
>> <a href="https://lists.bufferbloat.net/listinfo/nnagain" rel="noreferrer" target="_blank">https://lists.bufferbloat.net/listinfo/nnagain</a><br>
><br>
> _______________________________________________<br>
> Nnagain mailing list<br>
> <a href="mailto:Nnagain@lists.bufferbloat.net" target="_blank">Nnagain@lists.bufferbloat.net</a><br>
> <a href="https://lists.bufferbloat.net/listinfo/nnagain" rel="noreferrer" target="_blank">https://lists.bufferbloat.net/listinfo/nnagain</a><br>
<br>
<br>
<br>
-- <br>
Oct 30: <a href="https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html" rel="noreferrer" target="_blank">https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html</a><br>
Dave Täht CSO, LibreQos<br>
</blockquote></div></div>
</blockquote></div>