Senators introduce bill to secure Internet of Things devices; provide some protection for researchers
Zack Whittaker reports:
A bipartisan group of senators have introduced legislation aimed at securing internet-connected smart devices, which were at the center of a massive cyberattack that brought down large swathes of the internet last year.
The distributed denial-of-service in October lasted for less than a day, but it further fueled concerns about threats posed by insecure and easily hijacked so-called Internet of Things (IoT) devices, thanks to an industry-wide apathy toward supplying devices with even the most basic security.
Read more on ZDNet.
Keep in mind that the bill would prohibit the type of thing that researcher Justin Shafer kept trying to increase awareness about – hard-coded credentials. Shafer is currently in jail, awaiting trial on charges of cyberstalking a federal agent and the agent’s family.
Shafer’s problems with law enforcement began when he exposed the fact that numerous health-related entities were exposing protected health information (PHI) on public FTP servers. It is believed that one of the companies he exposed, Patterson Dental, tried to make it seem that he hacked them.
The new bill, if it passes, would have more protections for researchers. As Whittaker reports:
The senators also added a caveat to the bill that would expand legal protections for security researchers working in the Internet of Things space to exempt “good faith” vulnerability hunting activities from federal hacking laws.
The hope is that the exemption would draw more security experts to the field, encouraging researchers to report vulnerabilities to ensure security flaws are fixed sooner.
It would also expand legal protections for cyber researchers working in “good faith” to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws.
Why is Shafer still in jail? Does anyone in the FBI have the integrity to come forward and tell us what really happened and why Shafer got raided THREE times and arrested when all he was doing was pursuing trying to get entities to be more responsible about securing PHI and disclosing when they failed to do so? Why has he been persecuted this way – because entities were embarrassed that he exposed their security failures? Is that what this has been all about? If so, shame on any company that tried to portray him as a cirminal hacker, and shame on the FBI for pursuing this. Seriously. It’s disgusting.