I would love to see frank discussion on the record of consumer-grade vs infrastructure-grade practices and what label(s) would be appropriate for each! It’s not lost on me either that the roots of much high-ticket critical infrastructure are about to rest on web tech and highly evolved descendants of 8-bit micros.
Hi and thanks for commenting. My concern with this topic is motivated in part by the AcidRain family of energy infrastructure attacks and the larger questions they raise about infrastructure security. Teardowns on Chinese-sourced equipment have been somewhat worrying as well -- one report I've read highlighted about two dozen versions of SSH in a single base station. Best wishes and good luck.
The example was "energy infrastructure", so the network groups in those firms use their skills to set it up.
If any government group should be providing guidance and best practices on how to air gap devices, maybe NSA should write the standards. This FCC proposal looks like a ploy to spend the ever-growing pot (reportedly ten billion USD each year) from the regressive USF phone bill tax instead of reducing the USF tax.
As mentioned in another comment, a plug-and-play home device which provides network isolation and filtering for IoT devices may have a market. I would likely be a buyer at home.
"The bigger culprit is the FCC’s spending on USF, which is close to $10 billion per year, practically doubling in size since 2001."
> If any government group should be providing guidance and best practices on how to air gap devices, maybe NSA should write the standards.
I guess this is a bad joke? It's hard to tell w/ the internet.
> This FCC proposal looks like a ploy to spend the ever-growing pot (reportedly ten billion USD each year) from the regressive USF phone bill tax instead of reducing the USF tax.
I can agree this is what it is under the hood [0].
> As mentioned in another comment, a plug-and-play home device which provides network isolation and filtering for IoT devices may have a market. I would likely be a buyer at home.
Here's the key - there isn't a market. Otherwise there would already be one (you are unique). That's the crux of the problem. IoT is a race to the bottom when it comes to consumers. Consumers compare "smart devices" to what they already have - a light switch, a light bulb - commodities - they don't think about security until it's too late.
So, that leads to:
> If any government group should be providing guidance and best practices on how to air gap devices
You can't have "guidance" and actually get anything done in the consumer devices space. Standards and certifications - rejection of devices that don't meet them.
When it comes to dealing with communications FCC is the 3-letter-agency, and there's no changing that.
I guess the question boils down to - mass spying on Americans with un-secured devices sending data to China or let the FCC handle the problem by potentially expanding the USF?
UL tests and certifies electrical devices voluntarily. I would like to see improvement on an industry basis without more government regulation. Apparently people voluntarily purchase carbon offsets when purchasing airline tickets, so people do pay for non-tangibles.
Open standards of TCP/IP allowed for tremendous innovation, unlike the old Bell System, which regulated through monopoly what could be attached to the network.
Thank you so much everyone for the interesting, high-quality discussion so far. My team and I are looking forward to continuing to engage with you for at least a few more hours.
Just a reminder: As fun as discussing this in here with you is, the best way to influence what the FCC ends up doing is to file an official comment by September 25th at https://www.fcc.gov/ecfs/search/docket-detail/23-239 . Click to file either an ‘express’ comment (type into a textbox) or a ‘standard’ comment (upload a PDF). The FCC is required to address your arguments when it issues its final rules. All options are on the table, so don’t hold back, but do make your arguments as clear as possible so even lawyers can understand them. If you have a qualification (line of work, special degree, years of experience, etc.) that would bolster the credibility of your official comment, be sure to mention that, but the only necessary qualification is being an interested member of the public.
Finally, I'd like to extend a special thanks to dang and the rest of the HN team for their help putting this together. They have been a pleasure to work with.
Thanks! Sorry for any lack of clarity. My initial draft was way over the character limit and I had to cut a lot prior to posting. Thanks for highlighting the relevant language and clearing things up.
Comments against push updates and highlighting industrial applications would be a very important part of record development. I would expect industrial buyers to have very different needs from commodity consumer hardware buyers and it would be great if they (and their vendors) were represented on the record!
Really appreciate your kind words and the effort required in getting your arms around so much material so quickly.
It would be really useful if there were a TL;DR version.
I agree; I'm hoping that the tech press takes up this topic, but an "official" one would make engagement much faster.
I think the labeling should be simple - like a small discrete set of classes for compliance that can be extended over time with further rules. So 20 years security updates is “platinum” 10 years is “gold” 5 is “silver” or something. Then the classes of label can accrete meaning over time as you enhance your proposals.
This is how I'm thinking about it too -- not just for support term, but for all kinds of things, FOSS firmware in escrow, bankruptcy transition plan, responsibility to publish and implement fixes from public databases -- there's so much that might go into each tier, and while I have my own ideas, it would be great to see the tech community take up these questions.
In some ways, the best way to work is right here in the HN comments, then lifting material up into your direct work via the proposal and statement.
Also true, and my team will be doing a detailed after-action on this thread once it winds down.
To that end, maybe reaching out earlier in the process to get feedback would work.
That's one to grow on for next time. The good news is that the final rule (I'd expect end of Q2 2024) will also be subject to notice-and-comment.
Seriously, a huge thank you for your close engagement. I'm really excited about what the tech world can bring to this high-level proposal.
Thanks for your response! This would be an excellent comment on the record, and implanted devices are a particularly compelling example considering cases such as Second Sight.
It might help to explain how that works - how do public comments influence things?
The FCC conducts notice-and-comment rulemaking and is accountable to a public interest standard. Obviously the public interest can be hard to define, but at minimum, if reasonable comments on the record raise issues that we are clearly ignoring, this is likely to emerge in item debate, dissenting statements, and the press. In fact, the courts can go as far as overturning a rule if the FCC failed to adequately address arguments made on the record during the rulemaking process. A lot of our rulemaking is technical and not of general interest, but the public has the right to comment on all of it.
In this particular case, I think much of the relevant experience and expertise resides with the public more than the federal government. A lot of tech workers are very upset with the current state of IoT security and with the US Government's actions or lack thereof, so if we get a lot of comments on the record about specifics, those will be hard to brush off.