Traffic bouncer Cloudflare has outlined what it claims is the solution to the perennial internet-of-things security problem: pay it. The company points out what most security experts have been saying for some time: IoT devices are a security disaster, they are going to grow exponentially, and when people can’t even be relied on to update their browsers, having billions of unpatched internet-connected devices is a disaster waiting to happen. And so Cloudflare has come up with its solution: route everything through us.
This does not come as a huge surprise. The company does tend to offer the same solution to every online problem: Distributed denial of service (DDoS) attack? Route your traffic through us. Man-in-the-middle attack? Pay us to deal with your data. Too many spam comments? We have a paid service for that. Need encryption? Guess what? But that doesn’t mean that the company’s new Orbit service is a bad idea. In fact, it may very well be a good or even great idea given the state of the current system for securing online devices. The basic idea is quite simple: in the same way website owners pay Cloudflare to sit in between them and their visitors, IoT manufacturers will pay for the Orbit service to sit between their devices and the public internet.
The manufacturers will configure their devices to only go through Orbit, which gives them (or, more accurately, Cloudflare) the ability to not only shield tech-ignorant consumers from hacking efforts, but also apply virtual security patches across all of its devices at once.
Although this is far from ideal since it introduces a proprietary layer to the open internet, the reality is that it could be a lifesaver for IoT companies, which have persistently shown themselves incapable of carrying out decent security audits on their products and continue to make basic errors, like hard-coding passwords. And, to be fair to Cloudflare, the company has shown itself to be very capable of handling huge amounts of traffic without lag or collapse. The million-dollar-question of course is: how much does it cost? Cloudflare told us that the fee was based on the number of devices and the bandwidth required but wouldn’t provide an exact figure.
If the cost is $10 a year per device and an IoT company can offer the extra security as part of a premium package alongside cloud recording or similar then it is probably a great deal. But if the idea is that it will be supplied for free to customers who buy the product and don’t sign up to an ongoing service fee, then the price is going to have to be much, much lower for there to be any kind of significant take-up. Of course, the biggest security risk comes from companies offering low-price IoT items that don’t require ongoing fees. So while Cloudflare’s new service may help improve mid- to high-end IoT products’ security, the huge risks from the low-end are unlikely to go away. So expect plenty more DDoS attacks from zombie webcams.
And then there is the fact that if lots of IoT manufacturers chose to use this service, it would make Cloudflare a single point-of-failure and hence a huge target for hackers. And Cloudflare, like any company using software, is not immune to bugs. Bugs that can provide an enormous wealth of information.
Oh please god no, not another one
One thing we do have to pick on Cloudflare for, however: in the official notice of the new service, the company notes that it is “introducing the industry’s first IoT alliance made up of a group of IoT companies and experts in the field that will be committed to forming best practices and standards for protecting connected devices and ensuring the resilience of the Internet of Things.”
Far from this being the “industry’s first IoT alliance,” this effort will only add yet more overhead and confusion to a massively overpopulated world of internet-of-things alliances, consortiums, organizations, groups, working groups, feuding government departments, security experts pushing for laws, legislators and consumer agencies pretending not to hear, and god knows what else.
Below is a partial list of the people working on IoT security and best practices. We wonder why on earth Cloudflare thinks it’s a good idea to add yet another one to the list.
That barren landscape of Internet of Things standards bodies
WASHINGTON, D.C. (WTNH)- On Wednesday, U.S. Senator Richard Blumenthal (D-CT) and U.S. Representative Jim Himes (D-CT) introduced the Cruise Passenger Protection Act (CPPA) to strengthen passenger safety on cruise ships. The bicameral legislation was led by Blumenthal and U.S. Senator Edward J. Markey (D-MA) in the Senate and U.S. Representatives Doris Matsui (D-CA), Ted Poe (R-TX) and Himes in the House of Representatives. The CPPA would build on the passenger safety measures signed into law in the 2010 Cruise Vessel Security and Safety Act (CVSSA). The bill strengthens crime reporting and video surveillance requirements, improves medical standards, and holds cruise lines responsible for deaths at sea.
“Many cruise ships are the size of small towns but with few emergency services and no law enforcement, these vessels are more Wild West than Atlantis,” said Blumenthal. “And when something goes wrong on a cruise ship, a dream vacation can quickly turn into a nightmare. Our legislation will ensure that consumers know the risks associated with cruise ship travel before they buy a ticket; and if their rights are violated, this bill will help ensure that they have a place to seek recourse.”
“Cruise ship safety strikes close to home in Connecticut’s Fourth District,” said Himes. “In 2005, a young man from Greenwich, George Smith IV, went missing while on his honeymoon cruise in the Mediterranean Sea. Since George disappeared, his family has fought tirelessly to improve safety on cruise ships and to protect cruise ship passengers. The fight continues today with the Cruise Passenger Protection Act. This bill bolsters current law with tighter crime reporting, expanded video surveillance equipment and record-keeping requirements, and streamlined tracking and public reporting of alleged crimes on cruise ships. Safety improvements like these will help prevent more avoidable tragedies.”
Blumenthal has introduced the Cruise Passenger Protection Act in the previous two Congresses. Since the legislation was first introduced, he has also led efforts to ensure the public reporting of cruise line crime statistics and results of safety checks. In 2015, Blumenthal successfully amended the Coast Guard Reauthorization Bill to require the Coast Guard to issue a report on the implementation of man-overboard technology by cruise lines. Despite its life-saving potential, cruise lines have been slow to implement the technology and secretive about their plans for doing so.
“With serious safety and health incidents continuing to occur on cruise ships every year, we need to put measures in place to protect passengers who need medical services or become victims of crime,” said Markey. “I am proud to join my colleagues in supporting federal legislation that puts in place basic protections for the millions of Americans who take cruises.”
“Standards for victims’ rights should be strong whether on land or at sea,” said Matsui. “The Cruise Vessel Security and Safety Act made important progress in strengthening protections for passengers, but we have much more work to do. This legislation strengthens existing reporting laws and raises consumer protection standards, so families have the peace of mind they deserve when they board a cruise ship. I am grateful to the victims and their families who have come forward and continue to be essential voices in our work to improve cruise safety through legislative reform.”
“When American citizens board a cruise ship, they expect a peaceful escape,” said Poe. “But the reality is that crime does not disappear simply because people are on vacation. Unfortunately, American passengers sometimes go missing or become victims of sexual and physical assault while sailing the high seas. The passage of the 2010 Cruise Vessel Security and Safety Act took the first step in protecting the safety and security of passengers. The Cruise Passenger Protection Act builds upon this important law by implementing stronger requirements to protect victims of crime and to hold their perpetrators accountable.”
Specifically, the CPPA would:
- Ensure a cruise vessel owner notifies the FBI within four hours of an alleged incident.
- Ensure that if an alleged incident occurs while the vessel is still in a U.S. port, the FBI is notified before that vessel leaves the port.
- Require vessel owners to also report an alleged offense to the U.S. Consulate in the next port of call, if the alleged offense is by or against a U.S. national.
- Clarify that vessels must have video surveillance equipment in all passenger common areas, and other areas, where there is no expectation of privacy.
- Allow individuals access to video surveillance records for civil action purposes.
- Mandate that all video records are kept for 30 days after completion of the voyage.
- Direct the Coast Guard to promulgate final standards within one year detailing requirements for the retention of video surveillance records.
- Require that the internet website of alleged crimes on cruise ships indicate whether the reported crimes were committed against minors.
- Direct the Department of Transportation to conduct a study determining the feasibility of having an individual charged with victim support services on board each passenger vessel.
- Require integration of technology that can both capture images and detect when a passenger has fallen overboard.
- Create medical standards requiring that a qualified physician and sufficient medical staff be present and available for passengers, crew members receive basic life support training, automated defibrillators are accessible throughout the ship, and the initial safety briefing includes important emergency medical and safety information.
- Ensure that should a U.S. passenger die aboard a vessel, his or her next of kin could request the vessel to return the deceased back to the United States.
- Hold cruise lines responsible for deaths at sea by ensuring families of victims are able to pursue fair compensation. This gives cruise passengers the same rights as airline passengers.
The man charged in the 2009 disappearance and slaying of Pamela Butler told a friend that it was easy to get rid of a body, a D.C. homicide detective said Tuesday. The friend, who is a witness in the case against 51-year-old Jose Rodriguez-Cruz, told detectives that Rodriguez-Cruz had once said “if you dig a hole deep enough, no one will find it,” D.C. homicide detective Michael Fulton testified in D.C. Superior Court. Rodriguez-Cruz made similar comments about his ability to hide a body to two other people, according to authorities. Rodriguez-Cruz was charged this month with first-degree, premeditated murder in the death of Butler, his onetime girlfriend. She was 47 years old when she went missing Valentine’s Day weekend eight years ago. Her body has not been found.
During Tuesday’s preliminary hearing, homicide prosecutor Deborah Sines argued that Rodriguez-Cruz had a pattern of abusing women and may also be responsible for the disappearance of his first wife, Marta Rodriguez. She went missing in 1989. Sines said Rodriguez-Cruz told his second wife that he knew how to make sure no one ever found a body. During the nearly five-hour hearing, prosecutors also said they had identified another woman who recounted abuse by Rodriguez-Cruz. They said the woman told detectives that Rodriguez-Cruz duct-taped her wrists, held a gun to her head and repeatedly sexually assaulted her during a 2004 incident in Fairfax County. The woman said he also threatened to sexually assault her 3-year-old daughter, authorities said in court.
“This man doesn’t impulsively kill. He abducts women, duct-tapes them, sexually assaults them and then holds them captive,” said Sines’s co-counsel, Assistant U.S. Attorney Glenn Kirschner. “Duct tape and a gun are his weapon of choice.”
Without Butler’s body, and no clear crime scene, authorities have built a case that relies in part on Rodriguez-Cruz’s history of violence. Rodriguez-Cruz, wearing an orange D.C. jail jumpsuit, sat next to his public defender and watched as the detective and prosecutors outlined their evidence against him. Butler’s family, including her mother and brother, sat in the audience in the courtroom. Fulton testified that authorities are working to bolster their case against Rodriguez-Cruz. On Friday, he said, police searched Rodriguez-Cruz’s Northern Virginia home in connection with his first wife’s disappearance and found a Ruger semiautomatic pistol.
In addition, Fulton said, D.C. authorities are testing items found in Butler’s home for possible DNA evidence. Fulton described the Fairfax County attack in court, testifying that the woman involved was a security guard at a federal office who also ran a stand at Eastern Market with Rodriguez-Cruz on weekends. The woman said that on the morning of Jan. 9, 2004, she went to Rodriguez-Cruz’s home to talk about their work. Fulton said the woman told detectives that when she arrived at the apartment, Rodriguez-Cruz put a gun to her head and a pillow over her face and said: “I could kill you tomorrow and no one would ever find your body. I can make your body disappear.” The woman told detectives that Rodriguez-Cruz sexually assaulted her as her young daughter was in the apartment, Fulton said. When Rodriguez-Cruz later fell asleep, she told police, she grabbed a knife with one hand and her daughter with the other and tried to run out of the apartment. Rodriguez-Cruz woke, pulled out his gun and grabbed her, the woman said. She then stabbed him multiple times.
Fulton said the woman, who at the time spoke little English, was unable to give a full account of what happened and was arrested and charged with assault. The case never went to trial after Rodriguez-Cruz stopped cooperating with Fairfax authorities, Fulton testified. Rodriguez-Cruz’s public defender, Judith Pipe, argued that her client’s past relationships were not relevant to the Butler case. Pipe noted that in Butler’s otherwise immaculate home, there was evidence that someone had riffled through files in her home office and strewn them across the floor. There was also a box of floppy disks on the floor, a latex glove and some duct tape. “This looks like a burglary at the house,” Pipe said.
Judge Hiram E. Puig-Lugo said he found enough evidence to hold Rodriguez-Cruz in jail until trial. Puig-Lugo cited evidence such as video surveillance footage that showed Rodriguez-Cruz going in and out of Butler’s house about the time of her disappearance. At one point, he is seen carrying five large bags out of the house and a white bucket holding what appears to be cleaning supplies. Puig-Lugo also noted that although there was no evidence of a crime scene in the home, cadaver dogs detected signs of a decaying body in the rear passenger seat and trunk of his vehicle. Puig-Lugo determined that Rodriguez-Cruz would be a danger if he were released and set his next hearing for July 28.