I've been trying too. On Reddit I just get downvoted - which I actually don't understand.
I've also been warning governments about how bad things are and how bad things are going to be. I can see some movement, but it is too slow. We need more mandatory, automated penetration testing of all corporations by regulation. We also need cyber army reserves to help bring some of the knowledge that we have in the private sector to our governments without having to work in a shitty beige office downtown Ottawa.
A bunch of Teslas hacked at the same time is a weapon of mass destruction. We need to recognize that we have weapons of mass destruction online and take countermeasures now so we don't wake up one day to the news that 20 million cars accelerated to 200km/h and crashed into gas plants and government buildings all around the country. We need to regulate industry so the "move fast and break things" doesn't actually move fast and break things.
> We need more mandatory, automated penetration testing of all corporations by regulation.
No thank you, there be dragons there. Before you know it that regulation leaks to all software development that includes calls to connect() or bind().
But an Underwriters Laboratory for pen testing? Yes, please. (Or even UL themselves!) I saw an article on HN within the last 12-18 months about a similar concept/security auditing.
UL and similar agencies already check that plugging a device into your electrical system doesn't set something on fire. They have simple, yet strict standards that must be applied.
Likewise the FCC is very particular about radio emissions and will outright reject your product if it's too noisy.
We absolutely need something that can handle obvious problems like this, plus a way of coordinating with the vendors of these products should a vulnerability emerge that requires a patch or a recall.
> Likewise the FCC is very particular about radio emissions and will outright reject your product if it's too noisy.
That's only really recently true--just ask a ham radio guy about the noise floor if you want an earful. The FCC was pretty lax about this until this year when they finally quit accepting cross-certification from emissions labs from countries like China.
That's a slippery slope argument. I know regulating tech is not going to be popular here, and maybe we leave it for corporations that are valued at over a certain amount, but right now foreign governments are hacking our financial services companies, communications companies, phones, laptops, everything. 95% of the time it's an extremely easy hack that would have been discovered by a routine scan.
Maybe IoT manufacturers or even the consumers owning the things should be liable for damages if their products participate in a DDOS. "Underwriters" labs proves you built your product to some standard, and that presumably makes you insurable because you have a first line of defense against a lawsuit.
But as opposed to EMC standards, software vulnerabilities arise periodically and standards need to be continually updated. Would devices need to be audited periodically to maintain certification?