
All right, thank you, thank you, thank you. It is fantastic to see so many people out here today. I just want to appreciate everyone for coming out this morning. Welcome back to another episode of Who Wants to Be a Regulator, the IoT security game show. [applause] Now, our longtime viewers will know that this show is about better understanding the complexity of IoT security and the real truths about solutions. Longtime viewers will also be surprised, since this is the first episode that we've ever done, but we appreciate that you're here for us. To reiterate the reminder: please keep phones in silent mode, please keep arms, legs and any external genitalia inside the vehicle, and

we're good to go. Today's talk is going to be about exploring some of the nuances and complexities inside IoT security. We're going to be voraciously debunking myths and flawed, overly simplistic proposals, and we're going to be trying not to make fun of the game show host too much. Yes, okay. So in this game the points don't mean anything, the jokes are going to be dirty, but the stakes cannot be higher, and we have fantastic participants today. I'm going to introduce the panel now. After we play our game there's going to be a lot of time for you guys to come forward with your own questions and ideas. Remember, there are no dumb questions, but there are lots of

dumb ideas, so let's get them out on the table today. Contestant number one is Jen Ellis. Every game show needs a very sweary, gender-confused Brit. Jen is vice president at Rapid7. She's been trying to bang it through the thick skull of the security community that communications is important. She's also been trying to bang through other things, which is how she gets into further trouble. She works very hard to herd all the cats, and are you bastards grateful for all the work she's done? Hey. Contestant number two is your favorite ex-regulator, Whitney Merrill. Whitney is a lawyer, but that's okay, because some of my best friends also know lawyers, and

she's currently the privacy and consumer protection counsel for EA, but she has ample experience in the Washington policy scene. She's got a background in engineering and she spent some time at the FTC as an actual regulator, so she can tell us how not to do it. And then finally, our final contestant today is Wendy Knox Everett. She's a regulator... she's not a regulator, she is a lawyer, but we're going to forgive her for that one. She used to be a real engineer, and then for some reason she went to law school, realized the error of her ways, and went back into engineering. She's one of the people who's been on the forefront of thinking about how security and the law

absolutely have to work together, sometimes, you know, just smushing them really hard. So you're all ready to play our game today? All right. Now, just a slight program note: we ordered buzzers to be shipped so that the panelists would all have buzzers, like a proper game show. Unfortunately they sent us rubber birds, so we have buzzards instead. We have buzzards. So we're going to be asking our panelists to make strange noises, but Wendy, not that strange. All right, we'll start off with an easy one. A survey of consumers shows that the number one feature people want in a smart home device is... Wendy? Lots and lots and lots of blinky blinky LEDs. We do see it's
true. Shiny lights. We've got some support in the audience. You can come in for the steal: ease of use, cool apps, you know, things that make their old boring devices seem fun and interesting. That is it. Jen? All right, for the record, some of you applauded that one on camera; your names... Very quickly, can we hear Jen's mic? Yes? We cannot. It's the mustache. Given that this is being recorded we may want to check that it's on. Turns out IoT is really hard. I can say that. Question number two. Question number two: why on earth are we connecting things like light bulbs? Anyone have an answer for that one?

You know, I really have no idea, but I'll be honest, I bought my first IoT device while taking a security class. We were talking about threat models of IoT and I thought, wow, that sounds really cool, I really want light bulbs that turn on without me having to do anything, and shut off, and also turn blue. Yes. Well, I don't know, but I have lights, even better than some Alexa-controlled light bulbs: that is a small dumpster, my people. You know, like, trying not to kill all of you. Excellent, six extra points for bringing a prop. So we are seeing this connected technology everywhere. What's driving this rapid pace of adoption? Yes, Wendy?

It's really just like bacon. You want more of it, you want it everywhere, it makes everything, even fridges, even better. It's true, it is delicious. Yes, the dinosaur at the end? You know, I think it's really good marketing. People are driven by consumerism; they want what's cool and new, and they don't care if their old fridge is perfectly good. If their new fridge is connected to the internet and has a pretty screen, they'll be interested in buying it, and so I think people are suckers. Same, dog. Wait, it's more than just consumers, and there's more to it than this. We're not just talking about consumer devices, we're also

talking about industrial control systems. Don't watch the sausage waggling, it's distracting. We're talking about lots of enterprise stuff, and there's lots of really good reasons for doing some of this. There's convenience, there's productivity, there's efficiency, there's safety in some cases, there's health. There's loads of good reasons to have IoT, not just, you know, your fridge telling you when you're out of milk. And we'll do it: bacon. Bluetooth bacon. So I'm convinced, this stuff sounds really useful, we're going to connect everything. Are there any challenges that we should be focused on or concerned about in this, you know, connecting all the things? Anything that we should be worried about? Well, I mean, I am kind of running out of

places to plug things in. That's been a bit of a burden for me. This is a challenge. Keeping all the batteries charged, it's tricky, my electricity bill's going way up. No one else has any? Maybe? Yes, buddy. The hackers get into all the things, you know, places in our home. Right now, you bastards, you bastards, this is why we can't have nice things. It's clearly all your fault. But why is security of these devices something that we should care about? Why is this important? Well, I think... Jen? [Music] Why is it important? Well, there are privacy and security concerns, and ultimately it reveals a lot of
information about ourselves. So I will add to that. I think there are three main reasons why IoT security matters and why it's different from the way that we think about security traditionally. So the first is, I think, that when you're talking about IoT you are bridging the divide between physical and virtual. So instead of just talking about confidentiality, integrity and availability of data, as we have traditionally talked about with security, now we're talking about the potential for physical harm. That's a pretty fundamental shift in terms of the stakes. So that's the first thing. The second thing is that you are looking at just really, really massive, rapid adoption of IoT and connected devices, and that speed

of adoption is massively increasing the opportunity for attackers. There's a much greater attack surface, and now it's penetrating into more areas of our lives. And the third thing is that these devices are being created using a lot of third-party systems, a lot of interconnectivity, and so the complexity of securing them has just massively increased. And so trying to secure after the fact is at best incredibly challenging and at worst just redundant, and that's why we really need to get ahead of it before the fight. I want to know whether the proliferation of really crappy IoT devices is the first stage of the rise of the robots. I mean, I think, well, that's

an excellent question. I, for one, welcome our new robot overlords, which takes us into our first commercial break. If you have a headache that's this big, run straight to your local drug store and just shout, "I can't [ __ ] take it anymore, I've got a headache that's this big." That's right, we are sponsored today by Useless Outrage, for when you don't know what to do and Twitter is down. All right, let's check in with the scores. We've got Jen with 17, Wendy with 93, Whitney with 7 and 3/4 plus... I know, losing. Thank you all. Right, and now it's time to play a children's favorite game, Can You Top This? So we're going to

be asking our panel who can come up with the biggest IoT security fail. Who wants to start the bidding? There are so many bad fails I had to think about it. I think that all of the devices that failed... I wouldn't even say failed, they just failed in crazy ways during the Dyn attack, including one thermostat that just kept raising the temperature of a home and they couldn't shut it off. Yes. I think one concern that is oftentimes unaddressed, except the New York Times recently wrote about it, so kudos to them, is the rise of the use of home automation by abusers and other people who are controlling people who live with them, and sort of

gaslighting them by locking them out, by setting thermostats to do crazy things, the surveillance when there are lots of cameras in your home, people know where you are, the monitors in cars. My husband has more than once texted me like, "hey, I saw you stopped at the grocery store on the way home, can you pick up some milk?" as you can see on the phone with the cars, and, like, he's awesome, he's just trying to help us out, but it's a little weird the first time it happens. I like those great examples and everything, but I think the reality is that we have no clue today how far the fail goes or to what extent.

For example, if you have a car crash, nobody is doing analysis right now to see whether there was any kind of tinkering, any outside involvement through any of the connectivity. That's just not part of the diagnostic process right now, the forensics process, and I think that's probably true in health care, it's probably true in a lot of ways. So people could be using these technologies in nasty, scary ways that we theorize right now, and we wouldn't really know if it's happening in real life. And so we think it sounds kind of sci-fi, but we don't really know. Can anyone really know the IoT fail? I don't know. And you say this stuff could be
happening. How is this stuff really different from what we were seeing, you know, in my home computers? No one patches their home computers, so why should we care about horrible security on connected devices? OK, so firstly, like, that is just blatantly, patently absurd. Like, people should be patching their... sorry, except... and be like, [ __ ] whatever. Secondly, best estimates at the moment are that, like, some ridiculous number, like somewhere between seven and nine homes, have a device that's part of a botnet, right? And if you think about IoT, like, so today let's say that you have, I don't know, five connected devices in your home, and one of them is part of a botnet in some way, and

then let's say in five years' time you have forty connected devices in your home, because, you know, everything's more delicious with sweet, sweet Bluetooth. Then the amazing amount of potential for you to be part of a botnet and for that computing power to be available to the bad guys has just, like, massively increased. And then you get situations where you've got bad guys with supercomputers constantly. My coffee machine is a supercomputer, right? Other confessions? Lockstep. Yes, the buzzer on the end, by the creative Dennis. Right, I think one of the big problems is that IoT is generally so new, and we better understand desktop systems. We have a user interface there;

people have been trained on how to work with them. I mean, it's not even perfect on the desktop system, but there's been time to develop it, and we're in the very early stages of IoT, and I think with the lack of user interface people don't exactly know how to interact. Yes, the buzzard in the middle. So in users' homes we now have all these computers and physical things that can move around our homes, that can interact with us. We've got thermostats, we've got lights, we've got smart fridges. Who wants some food poisoning due to a virus? We have smart robots rolling around. Who wants someone to hack into their robot and trip them when they get up

late at night? This intrusion into the physical really means that a lot more of our private information is exposed. It means that viruses and so forth, or just malicious or negligent, crappy programming, could actually injure us. So we have much more of our stuff in what we consider to be a private, safe environment being captured, tracked, analyzed, marketed at us than is exposed through our desktop computers and our mobile devices, and we all know there's an insane amount of information about us getting tracked through those areas. But it really is this bringing the software into a place where it could physically harm me. Like, Microsoft Office can crash all day and it annoys me, and the only

physical injury I'm going to get is, like, me beating my head against the keyboard. We have robots and we have cars, and we have other things that might start breaking legs and so forth. It becomes slightly different. Excellent. So that sound that you all totally just heard means it's time to play one of my favorite games, which is School the Mansplainer. Now, this is open for everyone, this is open for anyone on the panel; you can pick whatever answer you want to offer in here. Well, actually, if this is so important, why don't we just stop selling these things? If people really cared, they'd stop buying them. If this
is important, why aren't they not buying them? Does anyone want to school the mansplainer? Yes, I will. We have a buzzard for that one. Here's the thing: you might say we're crappy at judging risk, but we're actually all really, really good at judging risk. It's a really small risk for an individual to bring one of these things into their home. Like, yeah, your Roomba might trip you, but it's probably not going to do that. Security is really someone else's problem. All the folks who had their stuff hacked in Dyn, they didn't necessarily have any problems. Maybe they got the same impact everybody else did. Now, the IoT devices, like, it's very rare for a

consumer to be actually targeted. Nonsense, it's [ __ ]. You don't have to be targeted, that's the problem. All of this stuff, there's so many low-level attacks that are just designed to go across the internet and hit any device that's receptive, and we all know that, right? Like, we work on security. And so it's this fallacy that consumers have of, like, "I'm not going to be a target." It's just nonsense; they just don't understand the ecosystem, and that's not on them. We haven't done a really good job of explaining that to them. We've kind of, you know, done this whole, like, "ooh, security's complicated, you have to be as smart as us," and clearly I'm not that

smart. So I think that we have to do a better job of educating consumers on what is relevant to them and how it can impact them. I think one of the problems is IoT is everywhere, and in addition to enticing consumers to purchase, it's very difficult in some markets to actually find non-smart types of devices. Has anyone tried shopping for a non-smart television, or trying to make a consumer choice where you're signaling to them that you don't want this feature, that you don't want something? But they're all competing with one another to get the newest, the best. You know, they love saying it's now connected and smart, but is it really smart? I'm not sure. Well,

I put my Bluetooth water filter on my faucet; like, it's smarter than me, it knows how much water I'm drinking. It's kind of cool. That is actually kind of cool. But surely this only applies to, like, the great unwashed masses. We here in the security community, we wouldn't fall for something like that. We would only buy things that were locked down and secure. There's no product that we would say, yeah, it'll be okay, right? Don't think so? Yes? I don't know. I'm convinced that people continue to buy baby monitors despite the horror stories we read in Ars Technica and Wired etc. explaining and showing actual attacks on innocent individuals. People are still buying smart baby monitors because

ultimately, as a scared parent, you want to see your child 24/7, even if it's just lying there breathing. You want to check and see, is it still alive? And so in that risk model it's baby death, or weird strange man or woman yells things over the baby monitor, and I think people are still purchasing them, and I think it's going to continue to be a big market. Those of you interested in the service, Jen will come and just yell strange things at your house, with a range of accents. I have one word for you: teledildonics. All right, on the count of three everyone say it with me: one, two, three. All right, you guys

have convinced me. Teledildonics notwithstanding, we should just ban this. Why don't we... you know, we're talking about the government up here, why don't we just ban all of this stuff, burn it to the ground? Anyone have a response on the panel? You can just ignore everything I said about the advantages. Well, I like... let's just ban it. I agree, that's a great idea. Yes. What, America? Like, I think people should have the freedom to choose and be able to make smart choices, and I think too, if we start banning devices we're going to lose the good with the bad, and I think there's an idea of freedom of choice. We shouldn't be over-
regulating the space in a way that might hinder competition or hinder innovation. It's really useful. Like, you're prying my Roomba out of my cold dead hands, because I'm a working lady and my place ain't gonna get vacuumed unless I tell Alexa to tell Roomba to vacuum. All right, cheers out for the working ladies in the audience, they like this answer. Fantastic. So if we're not going to ban them, what can we do? Surely the government must be able to do something. We've got this risk from everything from toys to Toyotas; it's everywhere. What's a poor nation state to do with a legitimate monopoly on the use of force? I don't have something... what the government can

do? Yes, Wendy. They can, you know, go establish a Department of IoT. Like, you guys got lots and lots of agencies, let's make one more. It's just totally like when radio was becoming popular, you know, we need a regulator. They had to establish clear roles, set up some ownership rules and so forth. You got the FCC, pretty darn cool. You know, we got the FAA, regulates pilots and stuff like that. Like, let's just go make one more department, because I'm pretty sure you got space somewhere in DC to build another large, large building with extremely long hallways for poor small interns to get lost in and never be seen again for three weeks. I was wondering

what you were doing for those three weeks when you were working for me. Yes, do we have an answer that could beat "build another deathly modernist building in Washington, DC"? One of the problems is, what is IoT, right? It's a very, very diverse term that encompasses a lot of things, and technically a phone and a computer are IoT because they're connected to the internet. So where do you start drawing the lines, and how do you start regulating amongst all of the regulators that have traditionally worked in the space? And so if you have the FDA regulating health devices and you have the FTC doing some area of that for privacy stuff, at what point do they intersect? How do

you start working them together? And so I think there are already quite a large range of agencies that already do this, and we have to establish a better framework to empower the regulators to understand the technologies and how they're changing, because for all these years these regulators have been, "yeah, maybe it's just a refrigerator, right, it's not connected to the internet." Now you're giving a series of regulators who may not be familiar with the internet or security, because they haven't had to deal with it before, the power to make decisions about IoT devices, and so I think there has to be large cross-agency support. But I think adding another regulator would just add to the

headache. I love the idea that having a new regulator is too much bureaucracy, but cross-agency integration, ah, that always happens lately. But it's okay. We've got this notion that we're going to have a little easy use here, something more complex than that, but what is actually the difference between something in the home and something in a different context? Why can't we use the same regulatory model? Well, I mean, see, an enterprise is different when you're talking about this kind of technology and the way that you think about... sorry, I just, let me... I just... my stomach... well, I distracted myself. What do you think about, you know, industrial control systems, and you think about
anything that's really sort of in critical infrastructure, that's a vastly different thing to your fridge or your washing machine or Wendy's Roomba in terms of how you protect them and how you manage them. And it's really critical that at the same time we need to balance this sort of thing of: you need to make sure that you're protecting the greater populace and you're thinking about risk and harm appropriately for that. So critical infrastructure is really important to look at, but you also need to make sure that you're supporting innovation, you're supporting the economy and the ability for entrepreneurship. You know, these projects that get off the ground, they have Kickstarters and all that kind of stuff, it's great, it's great

to think... it's great for society, it drives innovation forward, and we don't want to create a regulatory burden on those kinds of organizations when they don't need it. It's not actually what the public wants or needs, and it just hurts us all. So there's a balance. Yes. I think, you know, security has a cost, and ultimately that cost is passed down to consumers. And so when you start talking about adding security to consumer devices, at what point does the cost of security outweigh the benefits to the consumer? And so it's really a balancing act of risk models and also providing the right set of tools available for consumer-facing devices to

bring down that cost. Because, you know, as much as I love my Hue IoT light bulbs, I'm also thankful that I don't have to use 2FA every time I want to change them, because if I did, I would stop using them, I would use the light switch, and then at that point why buy the light bulbs? And then I don't get this wonderful... honestly, I have it for home security, right? When I'm on vacation here in Las Vegas, like, the lights go on and off, my cat feels like somebody is kind of home, maybe a ghost, but, you know, it's a nice thing. And so if we build in too much cost I'm not sure there's going to be

a ton of benefit. All right, so if we can't have the same regulatory model for everything, surely in the consumer goods space there's one fairly straightforward regulatory model we can just impose on all of that? Yes? I'd like to point out there's a slight difference between, like, dongs versus dryers. Like, your dong is probably, no matter how Bluetooth it is, not going to set your house on fire. I think that really depends on how you use it, or the LiPo, I don't know. All right, so we've talked a lot about balance, the need to appreciate this, but there are some government agencies out there that might be able to do something. For 17 points and a slice of fresh

pineapple, name a government agency that can play a useful role here. Say the FTC. I'm so shocked that you said the FTC; does she get disqualified? And so as a former FTCer myself, I think the FTC is uniquely positioned to deal with privacy and security issues across the board. Generally their position is consumer-facing, so maybe not the industrial side of products, but the consumer-facing products. They can have a really big impact in helping drive standards, helping provide insight into small, actionable items that companies can use or do to move consumer privacy and security in a positive direction. The FTC. Well, is that... can anyone share another government agency that might be
useful? Oh yeah, don't... me, me, me. Yes, bingo. So, yesterday, anyone here from the FDA? Okay. Well, so FDA stands for the Food and Drug Administration, part of HHS, which stands for Health and Human Services. So you get a prize, well done, it's like you work in the government. Okay, does anybody here work in the medical sector at all? Okay, fantastic, a little bit. So then you might be familiar with this. So the FDA, actually, I would say of all of the industry-specific regulators, is ahead of the game. A few years ago they got together a group of pretty knowledgeable security people and they went into a sort of

deep collaborative process with them to come up with a set of both pre-market and post-market guidance around how you think about medical device security. And so the idea is that they want... med manufacturers, am I stuck? Okay, I'm just going to go. They wanted to say to medical device manufacturers that if you receive notification of there being an issue with your product, it's great, it's great that somebody came and gave you notification of it, and you should work with that person and you should figure out how to address this issue. And, like, you're not going to have to go through reauthorization on your product just because you update it; updating the product is good. And so they have this set of

guidance, and there's been actually a pretty big shift in the culture in the medical device manufacturing sector as a result of that. And the DMCA exemption for security research, the two kind of came out at approximately the same time, and they kind of created this combined effect where medical device manufacturers knew that they were going to get inbound from researchers, people, and that they were... because now researchers are legally allowed to take these devices and test them in safe test environments, and they also knew that the FDA had basically said this is a good thing and you should work in these ways. So there's been a shift of medical device manufacturers really trying to embrace this and create

vulnerability disclosure and handling processes. There's definitely, like, you know, a front-running set of companies and a tail on this, but there has been a shift, and now the FTC is looking at how they can expand on this... not FTC, the FDA is looking at how they can expand on this and go further. Conversely, there are other sector organizations, regulators, that are not as far ahead on this. Like, for example, NHTSA came out with some guidance that's... if anyone here is from NHTSA, sir, let's talk and don't hate me too much, but at least they're doing something and they're acknowledging that it's an issue and that they need to look at it, but they're

just further behind in the journey. And I mean the FAA is also further behind in the journey, but recognizes the thing. So, like, they're all trying to start down the path, but, you know, as I think some of my competitors said earlier, you're dealing with sectors where they know their sector really deeply but they don't know our sector, they don't know cybersecurity, and so it's kind of on us to help them with this and figure out how to help them get where they need to go. Fantastic. I'd like to buzz in to some people who might be aware that they're not aware of everything in the cybers. Anybody heard of this small department called, like, Commerce? I hear

that they suck. Yeah, they employ some really sketchy people. Any of my friends at Commerce... oh no, Alan, you're great and we love you. We're just such cool people in gold suits. Yes, Wendy, what kind of role can the Department of Commerce play in this? You know, they're aware that they're not experts in this area, and they like to get lots of people together in a room, and they can be, like, a venue. They think, they talk, their interns take pages and pages and pages and pages of notes, and then, yeah, they get all these cool people together, then they write these reports. It's kind of neat, and then they put on a gold jacket and pretend to do a TV show.
I have no idea what you're talking about. But first, just because of the title, I need to be clear that the Department of Commerce is not a regulator, except for fish. I think we regulate fish, or their

security. Fishing poles. It's true. All right, so we just somehow mentioned the US Department of Commerce. They recently published a report that was in part drafted by a devastatingly handsome young man, and it talked about IoT security baselines, things that might span across this very broad and diverse IoT sector. For three points and a slice of Gouda cheese, can anyone name one of these baselines? Ding dong. Yes? Ah, easy: no default credentials. What's wrong with default credentials? They're just a patently stupid idea, because, like, they're default and people know them and they're in, like, the manuals, and oh, that's just a terrible idea. And they're even worse when they're hard-coded. You need to have

credentials that can be changed, and I'm so irate about this I'm tripping over my own mustache. It's an outrage. Yes, Wendy? They, you know, really need to think about how they're storing their keys securely. Key management is really hard, honestly, but, you know, they hard-code these keys on there, if they're even using them. A lot of these things like to do security updates over, you know, non-TLS connections, so let me just sort of hop on in and be in the middle of your software update, and so now all the feeds from your cameras are going out into all the cybers for folks to intercept. This is kind of

tricky. I mean, I realize the people who make my toaster are probably not super down with how to securely handle keys, but it's a good practice they should start learning about. Yes, there's an answer on the end, for three points, and she's very excited about that. I think creating patching standards and making sure that devices are being made in a way that requires patching is really, really important, because it has to be something that's easy, either for the consumer or done automatically, because otherwise no one's going to patch their device, even if they know it's part of a botnet, because they have to somehow get online, figure out how to patch it, figure it out. And I

think there are a lot of consumers that are a little "screw this, it's not affecting me, I don't really care," and so to have patching as part of the design of the IoT device is really, really vital, and that way we can, you know, patch devices securely, as opposed to... I think it was the FBI who was just begging people to patch their devices, and I'm not sure how well that campaign went. Remember, kids: a patching mechanism is a remote code exploit that you really hope only the vendor can use. It's important. Do you want to talk about encryption backdoors? Well, we're going to take a quick break. When we come back our panel is going to
discover that there are countries outside the United States but first a word from our sponsor is a secure engineering process too hard for you does secure by designs seem like a ridiculous concept then come to the good folks at bolt on security why design a property when you can bolt it on after bolt on security when you've made a mistake and are just too lazy to fix it properly all right it is 100% guaranteed to protect you from everything that threat but tells you about and you should check out that table in the main room get some stickers all right so welcome back it turns out that the United States is not the only country in the world comes a surprise to
some of us, I know. You can't prove it. Others have also suggested some solutions. What are some of the ideas that we've heard from countries around the world that can really weigh in on this IoT security challenge? Yes?

Security by design. There have been a ton of folks that have started sort of rejecting that bolt-on kind of idea, thinking about how you should do this starting from scratch, and sort of not just, you know, tacking it on afterwards, but thinking about how to actually successfully build these things so they're not hack-proof, but, you know, they ain't gonna join a botnet five seconds after you plug them in, because you've built, you know, authentication, built some patching, built all kinds of other stuff into it before you started building the whiz-bang, the other fancy things onto them.

[Ding dong.] Yes? So I may have some reason to talk about the UK government. They are doing some interesting things. They recently brought out a code of practice document. I'm gonna be candid in telling you a lot of it's boring, but within it there is an actual sort of section that is like the actual code of practice, and I think they have like 13 principles that they suggest that are well worth a look at, and they are sort of sensible things, like you have to have a patching mechanism, you should use encryption, you should not have hard-coded default credentials, which we already understood is the thing I hate, I get around. So it's a lot of very logical things. I recommend checking it out. It was by the Ministry of Harry Potter and Giggles. The Ministry of Trade, Culture, Fox Hunting, Waistcoats and Sporting. Right, Harry Potter and Giggles. You should check it out and look at the code of practice.

The other one I'll mention is the Dutch government has done a lot of work around coordinated disclosure, and they are pretty like far ahead on that. There, I think, actually, no, because the UK just brought one out, but the Dutch government was the only government that had like an actual published policy around coordinated disclosure, and it's well worth looking at. It's very good. It is in Dutch. They've translated it. Publicly they're just like, you can have it if you want it. It's true, I should have done the Dutch jokes. A member like that would have gotten you next to a few points.

Crypto? No, no means no. No means cryptography. I think encrypting data at rest and in transit is some big steps that other governments are encouraging. I think the FTC, because they are great, also agrees that these are great things, but America.

So there's some work that's happening with our friends across the Atlantic in Brussels that have said that, no, we're going to have a certification model where devices will be certified as
secure. Panel, what do we think about this?

Um, to me, what you need to understand about this is, firstly, the thing is like 800 pages long or something ridiculous, and secondly, in those 800 pages it largely says nothing. It says we're gonna have certification for IoT devices, but we're not going to tell you which IoT devices or how to certify them, because we're the EU and we have Member States and we want the Member States to figure this out and come up with like ways of working for themselves. So basically it's 800 pages of, like, we should do a thing, but we don't really know what the thing is, but we should definitely do it, and like that just opens us up to this world of confusion. The whole thing is like, hey, if you certify these devices it's gonna improve the ability to sell across borders, and that's a nice idea, but then when you go, eh, but you know, like, nobody can figure out they care about it, France can figure out they care about it. Like, I get it, in this room there's a lot of Americans, you probably don't know this, but like there's more than one country in Europe, and we're quite... It's called France, right? No, really, that's what you would... And we're quite different in how we think about things like privacy. So on the one hand Germany really cares about privacy, and on the other hand the UK is the surveillance state: we will watch you and we will judge you. Sorry, is the UK photo nice about it? Europe, should we do something? Well, it depends on whether it's hard or soft. Sorry.

Ah, my point being that if you're going to let countries figure this out for themselves within this like dynamic, you're gonna get probably a range of ways that they figure it out, and then that whole like, oh, we have transparency and we have alignment and we can have great cross-border flow, that's probably not gonna happen. And on top of that, are we creating new regulation, are we using existing regulation? Like, nobody really knows, but that's the thing that's happening right now and you should check it out.

It sounds like it might be the GDPR for IoT. Nothing could go wrong with that. At least GDPR is like a little bit more prescriptive: we're gonna do this thing. It's cook you grind crack, but it is a little bit more like, oh, we have a thing, it's this thing, it's the same across Europe, it's this thing.

[Beep beep.] Yes? I mean, you're talking about certifying against a standard, but we don't know what the standard is. Like, are we gonna get a standard for the standards? Right, like, that's the problem:
it's standards all the way down. All the way down.

All right, so we've talked a little bit about patching. What makes patching IoT different? Like, we have patching for software; why is this support model somehow different? Variety... Oh, definitely, bro. DJ Dino, DJ Dino, lots.

Patching is hard. How many people here have patched something and then it broke a bunch of [ __ ]? Now imagine doing that with something that can, you know, burn your house down or actually kill someone. And what if that patch isn't secure, and what if it's tampered with in the process? I think patching is very difficult even on the devices we know a lot about. Also, encouraging people to patch is very difficult. One of the things that my company does that I really love, or as a user appreciate, is there is a countdown clock that I get of when my computer is going to restart to apply a bunch of patches. It's 12 hours, and it's like, in 12 hours it's gonna force a hard reset. And the reality is, I'm in security, I know, I care, I want to patch, but, you know, I lose all my browser tabs and I don't want to do X, Y and Z, and I keep forgetting, and then all of a sudden I'm not patching and it's not secure. And so we need a way that basically is forcing patching, but in a secure, good way, and that's a hard problem.

[Buzzer.] Yes, the beeper. You know, it turns out that like most stuff sold on the market these days, you can get, you know, some basic support for like 18 months; if it breaks, they'll swap it out. And so I've got this idea of warranties going on, right? But it's a little different when you've got to software-patch something, because you had the software running in there maybe four, five years down the road, after the company went bankrupt. Who's gonna patch the bug in the open-source library that they stuck in there? Like, who's responsible at that point? That company might be long, long gone. These are much longer time ranges and involve much more effort than, like, hey, you mail me that broken thing and I'm gonna mail a replacement back to you.

Yes? Also, it's not really clear when something is broken when it's a software problem. So, you know, in traditional devices you can tell when your oven doesn't work and when it's being weird, you can tell when your refrigerator no longer keeps things cold and things start to smell, but if the software's slightly off, if it's spying on you a little bit more or sending data in a way that it shouldn't be, how do you know, as the consumer? How does that feedback loop happen? How do you then tell the company it's happening? And this
is a big privacy and security problem generally: most users don't know bad things are happening to them.

Fantastic. So let's take a quick time check on the scores. You see that Jen has won the water-ski, Whitney has won the rotating platform that the water-ski is on, and Wendy's in the lead with a puppy. So these are cool. I got a dinosaur instead. So if we're not going to really push very hard on the regulator side of things, how can we nudge the marketplace? What are some of the incentives that we might be able to use to sort of move towards a more secure space? Yes, Wendy?

I see the invisible hand of the market, and it's out there, it's blooming, it's stretching, it's spreading its doodly appendages to correct all the buffer overflows in all the smart things. Wait, wait, sorry, no, you know, it's just the Flying Spaghetti Monster. That's a common mistake, and it may be perched on your head at the moment.

Yes, the dinosaur alarm clock. I think we have to reward the good actors. I think instead of, you know, starting... I think we have to start thinking about a culture of security. You know, vulnerability programs are really helpful, but if we reward the good actors, the people who are doing security right, who are caring about these devices, as opposed to focusing on punishing the bad actors, we can create an ecosystem that focuses on creating good instead of punishing bad.

[Ding dong.] All right, we have an answer from the massive ding dong I've been sitting here the entire time playing. Okay, so I think that the reality is that consumers have a power, and they don't necessarily appreciate that they have that power, and we may struggle today to really get, like, the average individual consumer to really sort of exercise that power or to think about why they should exercise that power. You know, Whitney trying to find a cheaper TV that doesn't connect to the internet, she's probably in, like, a vast minority. So there's not that much power there, because we're not at that point with education yet, but there is a lot of power behind organizational consumers. So for example, if you have some of the really, really big health care providers, like Mayo Clinic for example, if they were to go to their medical device vendors and say, hey, these are the things that we require if we're gonna continue being a customer, that has a lot of power, and at that point the medical device manufacturers are gonna basically go, well, we should probably do something about this or we're gonna lose business. And the same applies really in any sector; it's not medical-specific. So if you had any of the, like, big-box
vendors who, you know, sell a lot of this stuff get together and turn around to the manufacturers and say the same thing, like, we're not gonna put you in our stores unless you do these three or four or five things, or if they went to their big-box members and said, we're gonna now have in store a new rating system, and it's gonna have, like, little check marks where your product is available, saying, like, that your product is patchable and your product uses encryption or, like, whatever, whatever the standards are they have, and, like, if you don't meet these things, that's gonna be very apparent to consumers when they're buying. Like, these things have power; they will drive behavioral change.

And that same rationale is actually behind a bill that is being discussed at the moment in the Senate. The people behind the bill are Senators Warner and Gardner, and the way that the bill works is trying to get at the issue of IoT, and the way it's doing that is it's looking at government procurement specifically. So rather than trying to regulate IoT manufacturers, it's regulating the way that the government buys technology, and it's saying to the government, hey, when you go to buy, here's some things you should think about and you should require from your vendors. Because the government spends a [ __ ] ton of money, and so if they say, hey, we need these things, that will create behavioral change in people who want to sell to them, and that benefit then trickles down through to everybody else who buys those things.

Fantastic, and certainly an idea that's also raised in the Commerce report on distributed automated attacks. But we are running out of time, but I want to make sure that, since we have lawyers here, we need to talk about how they're ruining America. And so what about liability as an option? Can that help? All right, we've got the scatting dinosaur in the front.

Yes, I think lawsuits are an effective tool to a certain extent. The FTC's, you know, lawsuits that they bring against companies drive policies and procedures and start requiring companies to think about these problems, because the reality is, if you get a letter from the FTC that turns into a full-blown lawsuit, it's a very, very expensive thing to be dealing with, as well as a massive PR problem. And so I think, you know, they serve as a tool to kind of deter other people from making similar mistakes.

At the same time, I'm just gonna hop on in here, like, you can fix everything. This is really hard for consumers. If we look at using product liability on software, like, right now it's not causing physical harm, and so you don't necessarily need to come in. We really do not want to depress innovation in this country. We've got a
lot of really cool Bluetooth bacon to spread out further in the world, and if we have companies finding that they are getting chronic liability lawsuits filed against them any time they patch a bug, they are not going to patch things. It's a really bad set of incentives. So it's not that product liability is not ever going to help us; it's just not the solution in the way that you might be right now.

All right, we are running out of time. The scores are tied at dead even, so before we get to the audience, we have one last question here, which is: what can we as the hacker elite do to help fix these problems? Yes?

We need, you know, we should just all go on Twitter and post a lot of, like, "lol fail." All right.

Oh my, I think I already said it; I'm just gonna repeat and say that I think, you know, everybody in this room has power to help with this problem. You can help by educating the organization you work in, you can help by educating manufacturers, you can help by educating regulators, policy makers, consumers, your family, your friends. It is like, that's really what we need more than anything: it's just a constant level of increased awareness and knowledge around this, and as people who see the Matrix, you can help others.

Hopefully the ghosts of dinosaurs past? Yes, you have open standards. I think open standards, things like OpenSSL. Yes, when there are problems, there are problems that affect us all, but if we start providing open-source standards that are low cost, easy to implement, I think more device manufacturers are gonna be willing to incorporate those, and I think that can make some really, really positive change, because, you know, a lot of these IoT devices, it's like SQL issues; it's just any ways you can defeat a lot of the low-hanging fruit if you start creating standards that people buy into.

Fantastic. So as we look across the scores, I think the audience has not yet scored a single point, so shame on you, but this is a chance to, while we just have a few minutes left, actually have you guys weigh in a little bit on what you think this might look like, and I've got a mic for you here.

So on the labeling in stores and consumer-focused thing, since the lawyers ruin everything, we all know this: isn't that going to be just antitrust immediately? Like, isn't Home Depot almost inevitably going to collude with Philips and make, you know, security-certified Hue light bulbs that only happen to pay us twenty million dollars for the privilege of certification?

I mean, I think that's where the government could come in, in creating a framework that regulates that sort of thing, but I think we've
successfully seen labeling work in other areas. It's not that different to food labeling, and, you know, you work that out, and supermarkets will have a health food section, and that's okay, they can do that, they just, you know, they're not gonna do it with just one group of vendors that make healthy food. So I think it's doable and it's manageable. I think we actually already have examples of how to do this well.

All right, great. First off, love the costumes; it's really hard to keep a straight face when you're actually... This is what I always look like, excuse me. I dressed down. This, you look great too. I'm trying to think of examples where manufacturers have actually put in features in devices and then had to roll them back, and the only thing that I can come to is 3D in TVs, the last time consumers really kind of spoke with their pocketbooks when it comes to really pushing back on a feature they didn't want. So I'm wondering, you know, do you think we can actually have a market for non-smart TVs, or is it inevitable that we're gonna have these chips, these capabilities?

I really... So, my IoT lightbulbs, one of the features I noticed that they implemented that I really liked but also hated was you couldn't use the app unless you updated to the most recent version. They did roll that back at some point. I'm sure they got a lot of complaints, because then you can't quickly turn on your lights, right? And if you have to wait for the patch to go, that can be really difficult if you need your lights immediately. So I saw that as one thing they did implement and then roll back, I don't know, maybe a version or two later. There's also water beds. I mean, other than some of the panelists, was your own one? I, since I punctured it.

All right, we have time for one last question in the back. I heard that Underwriters Laboratories, UL, is thinking about moving into the space, into the cybers. Any thoughts from the panel on could this be successful or not?

They have moved into the space. They are doing things. They have a pretty narrow focus on where they are right now. I think that certification of some kind is inevitable. I think that we're seeing too many moves in that direction for it to, like, randomly stop, and I think there will be lots of people who want to get in on that business, not just UL. UL just has a good position to start from. The challenge with it is always going to be, like, what areas of technology you focus on, how do you develop standards that apply and that people think are reasonable. Again, this is where I think that security experts can help, by advising on the development of these standards. I think that what UL is doing is minimally useful in a very focused area.

All right, I think we might have time for a very quick two-finger question in the back. Yes? Has there been cases where a manufacturer actually has been sued for failing to patch?

Well, off the top of my head, it's always one of the many factors that are in consideration. So when the FTC initiates an investigation against a company, usually failure to patch is one aspect of a parade of horrors. So yes, one that I can think of off the top of my head was a router case. They
knew that it was vulnerable, they knew it was being exploited, not only did they fail to listen to the coordinated disclosure that they were getting, but they were failing to patch in a reasonable time frame, and when they did patch, they then failed to give notice to consumers that they needed to patch, and that was a big central part of... Linksys, that's the name of the case, yeah. That was a big central part of their investigation and ultimately resulted in a consent order. Okay, thanks. I might be wrong about this, but I think there's an ongoing case in the medical sector in the women...

So I think we've learned a lot here today on the game show. I think we've learned that IoT security is both an important but a very nuanced issue. We've learned that easy regulatory fixes may not be the right way, but there are lots of ongoing industry-led opportunities for people to weigh in with real expertise. And I think we've learned that, yes, Jen can even be creepier, which is a must... Oh, trust me, I can always. So with that, I would like you to join me in thanking our brave contestants. Jen, do you want to give a quick plug for the policy thing that's happening?

Right, okay, yes. So people who are interested in public policy, there is, besides a serious delia's to donate, in a room called Public Ground, and people who work in the policy sphere, either in the government or in the private sector in some way, like volunteering their time or actual professional policy people, they'll be hanging out there, and you can just go and talk to them about what's happening in cybersecurity policy, how to get involved; they'll give you advice, all that kind of stuff. So, unfortunately, the Public Ground room is, yet, I believe it's over in Platinum. Anyone in an orange shirt will route you there. I'll be there this afternoon from 2:00 to 4:00, and I know a number of our people who signed up. It's today and tomorrow, so that's the place to go if you're interested in public policy. Think you can poke at a real live government person? Yes, please don't; they are humans, they do have feelings. If you mock me, do we not weep? All right everyone, thank you very much again. [Applause]