Just this morning I read a story about a family that got woken up at night by a voice of a man screaming in their newborn baby’s room.
It was a sick man that had hacked into the wifi surveillance camera used by the parents to watch over their baby and was screaming at the baby trying to wake her up. When the parents arrived in the room, they saw the camera following their path and the man screaming obscenities at them.
This is just an example of what can happen if proper security practices are not enforced.
With a storm of connected objects entering all our spaces, it becomes necessary to have a Global certificate of security and quality that labels any programmable device.
This certificate has to define the principles, based on free standards, the tests to guarantee the maximum security, the update procedures that must be simple and easily feasible by any person amongst other rules to be defined.
My call is to coordinate and centralize efforts to define such a security label the ethics and the standards associated, and diffuse as widely as possible the fundamental importance of such practices.
This has to be seen in a global effort of re-empowering people joint with a true independent and free internet and connected tools that adhere to the manifesto.
The adhesion to the chart should be in a participative matter, and the principles of security taught in schools.
For a safe and connected future we need to guarantee secure connected objects from phones, to glasses, fridges, dongles or any other programmable connected device.
All input is welcome and needed.
Wow, now that’s a scary story… You should really post a link to it in order to source it.
The response to this issue is not an easy one. How did this family end up with this problem? Was it a security exploit in the camera system? If so, was it known to the manufacturer? Was a patch available? If so, why has the patch not been applied to the system? Was is too complicated? And how do we define “too complicated”?
Or maybe the Wifi password was too weak and was easy to attack. Or it was known by too many people. Or there was just no password…
So many questions… I am sure that in many cases, we need the manufacturer to do better in order to secure such systems. But another major issue is education of the users. This is an issue in itself since the manufacturers will probably avoid to tell their potential customers how things could go wrong if they don’t apply security updates or pick easy to guess passwords. But software could be the answer to many of these issues: automatic updates could be easy to be installed (even completely transparent to the users), the installation assistant would require a secure password, etc.
These are just early responses to some of the issues. We should go further than this and establish more general principles.
–Tristan
I updated the post with a link to the news thanks 😉
The main issue is to define and centralise a global certificate that ensures that each connected object responds to a set of defined standards and ethics, including simple update procedures, and maybe a warning light indicating the presence of a known vulnerability and why not maybe blocking usage until the system is updated.
This is why I am making this call. In the next few days I will set up a gitlab account with the manifesto in order to allow for the discussions to go further and establish the general principles
Je suis partagé, Matteo, car avec un tel certificat, qui part d’une intention louable, on peut arriver à un véritable enfer pour les nouveaux entrants: les petites entreprises, les projet indépendants (genre logiciel libre…), qui pourraient être : soit découragés, soit limités faute de moyens si on pense à une certification donnée par un organisme agréé…
En plus, tu pars d’un exemple qui se base sur le Wifi, qui est très standardisé et déployé, et dont la sécurité est déjà encadrée: des normes et des bonnes pratiques… que souligne Tristan.
Une fois de plus, au lieu d’ajouter une énième norme, je pense que c’est un travail d’éducation qui est prioritaire!
Merci Raphael, je comprends tes inquiétudes et le but n’est sûrement pas de limiter ou décourager toute initiative. L’education est primordiale sans doute. Je constate que encore certains comportements basiques tel que les sauvegardes périodiques des disques durs ne sont pas faites et cela même par des personnes qui travaillent (et donc connaissent les risques) dans l’informatique, c’est pourquoi je cherche une voie alternative à la seule education. La question n’est pas facile, peut être une fondation financé de façon indépendante…