translated

sources/tech/20171018 IoT Cybersecurity what is plan b.md

@@ -1,44 +0,0 @@
-translating---geekpi
-
-# IoT Cybersecurity: What's Plan B?
-
-In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn't regulate the IoT market. It doesn't single out any industries for particular attention, or force any companies to do anything. It doesn't even modify the liability laws for embedded software. Companies can continue to sell IoT devices with whatever lousy security they want.
-
-What the bill does do is leverage the government's buying power to nudge the market: any IoT product that the government buys must meet minimum security standards. It requires vendors to ensure that devices can not only be patched, but are patched in an authenticated and timely manner; don't have unchangeable default passwords; and are free from known vulnerabilities. It's about as low a security bar as you can set, and that it will considerably improve security speaks volumes about the current state of IoT security. (Full disclosure: I helped draft some of the bill's security requirements.)
-
-The bill would also modify the Computer Fraud and Abuse and the Digital Millennium Copyright Acts to allow security researchers to study the security of IoT devices purchased by the government. It's a far narrower exemption than our industry needs. But it's a good first step, which is probably the best thing you can say about this legislation.
-
-However, it's unlikely this first step will even be taken. I am writing this column in August, and have no doubt that the bill will have gone nowhere by the time you read it in October or later. If hearings are held, they won't matter. The bill won't have been voted on by any committee, and it won't be on any legislative calendar. The odds of this bill becoming law are zero. And that's not just because of current politics -- I'd be equally pessimistic under the Obama administration.
-
-But the situation is critical. The Internet is dangerous -- and the IoT gives it not just eyes and ears, but also hands and feet. Security vulnerabilities, exploits, and attacks that once affected only bits and bytes now affect flesh and blood.
-
-Markets, as we've repeatedly learned over the past century, are terrible mechanisms for improving the safety of products and services. It was true for automobile, food, restaurant, airplane, fire, and financial-instrument safety. The reasons are complicated, but basically, sellers don't compete on safety features because buyers can't efficiently differentiate products based on safety considerations. The race-to-the-bottom mechanism that markets use to minimize prices also minimizes quality. Without government intervention, the IoT remains dangerously insecure.
-
-The US government has no appetite for intervention, so we won't see serious safety and security regulations, a new federal agency, or better liability laws. We might have a better chance in the EU. Depending on how the General Data Protection Regulation on data privacy pans out, the EU might pass a similar security law in 5 years. No other country has a large enough market share to make a difference.
-
-Sometimes we can opt out of the IoT, but that option is becoming increasingly rare. Last year, I tried and failed to purchase a new car without an Internet connection. In a few years, it's going to be nearly impossible to not be multiply connected to the IoT. And our biggest IoT security risks will stem not from devices we have a market relationship with, but from everyone else's cars, cameras, routers, drones, and so on.
-
-We can try to shop our ideals and demand more security, but companies don't compete on IoT safety -- and we security experts aren't a large enough market force to make a difference.
-
-We need a Plan B, although I'm not sure what that is. Comment if you have any ideas.
-
-This essay previously appeared in the September/October issue of  _IEEE Security & Privacy_ .
-
---------------------------------------------------------------------------------
-
-作者简介：
-
-I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I write books, articles, and academic papers. Currently, I'm the Chief Technology Officer of IBM Resilient, a fellow at Harvard's Berkman Center, and a board member of EFF.
-
-------------------
-
-
-via: https://www.schneier.com/blog/archives/2017/10/iot_cybersecuri.html
-
-作者：[Bruce Schneier][a]
-译者：[译者ID](https://github.com/译者ID)
-校对：[校对者ID](https://github.com/校对者ID)
-
-本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
-
-[a]:https://www.schneier.com/blog/about/

translated/tech/20171018 IoT Cybersecurity what is plan b.md

@@ -0,0 +1,42 @@
+# IoT 网络安全：后备计划是什么？
+
+八月份，四名美国参议员提出了一项旨在改善物联网 （IoT） 安全性的法案。2017 年的“ 物联网网络安全改进法” 是一项小幅的立法。它没有规范物联网市场。它没有任何特别关注的行业，或强制任何公司做任何事情。甚至不修改嵌入式软件的法律责任。无论安全多么糟糕，公司可以继续销售物联网设备。
+
+法案的做法是利用政府的购买力推动市场：政府购买的任何物联网产品都必须符合最低安全标准。它要求供应商确保设备不仅可以打补丁，而且可以通过认证和及时的方式进行修补，没有不可更改的默认密码，并且没有已知的漏洞。这是一个你可以设置的低安全值，并且将大大提高安全性可以说明关于物联网安全性的当前状态。（全面披露：我帮助起草了一些法案的安全性要求。）
+
+该法案还将修改“计算机欺诈和滥用”和“数字千年版权”法案，以便安全研究人员研究政府购买的物联网设备的安全性。这比我们的行业需求要窄得多。但这是一个很好的第一步，这可能是对这个立法最好的事。
+
+不过，这一步甚至不可能采取。我在八月份写这个专栏，毫无疑问，这个法案你在十月份或以后读的时候会没有了。如果听证会举行，它们无关紧要。该法案不会被任何委员会投票，不会在任何立法日程上。这个法案成为法律的可能性是零。这不仅仅是因为目前的政治 - 我在奥巴马政府下同样悲观。
+
+但情况很严重。互联网是危险的 - 物联网不仅给了眼睛和耳朵，而且还给手脚。一旦有影响到位和字节的安全漏洞、利用和攻击现在会影响血肉和血肉。
+
+正如我们在过去一个世纪一再学到的那样，市场是改善产品和服务安全的可怕机制。汽车、食品、餐厅、飞机、火灾和金融仪器安全都是如此。原因很复杂，但基本上卖家不会在安全方面进行竞争，因为买方无法根据安全考虑有效区分产品。市场使用的竞相降低门槛的机制价格降到最低的同时也将质量降至最低。没有政府干预，物联网仍然会很不安全。
+
+美国政府对干预没有兴趣，所以我们不会看到严肃的安全和保障法规、新的联邦机构或更好的责任法。我们可能在欧盟有更好的机会。根据“通用数据保护条例”在数据隐私的规定，欧盟可能会在 5 年内通过类似的安全法。没有其他国家有足够的市场份额来做改变。
+
+有时我们可以选择不使用物联网，但是这个选择变得越来越少见了。去年，我试着不连接网络购买新车但是失败了。再过几年, 就几乎不可能不连接到物联网。我们最大的安全风险将不会来自我们与之有市场关系的设备，而是来自其他人的汽车、照相机、路由器、无人机等等。
+
+我们可以尝试为理想买单，并要求更多的安全性，但企业不会在物联网安全方面进行竞争 - 而且我们的安全专家不是一个足够大的市场力量来产生影响。
+
+我们需要一个后备计划，虽然我不知道是什么。如果你有任何想法请评论。
+
+这篇文章以前出现在_ 9/10 月的 IEEE安全与隐私_上。
+
+--------------------------------------------------------------------------------
+
+作者简介：
+
+自从 2004 年以来，我一直在博客上写关于安全的文章，以及从 1998 年以来我的每月订阅中也有。我写书、文章和学术论文。目前我是 IBM Resilient 的首席技术官，哈佛伯克曼中心的研究员，EFF 的董事会成员。
+
+------------------
+
+
+via: https://www.schneier.com/blog/archives/2017/10/iot_cybersecuri.html
+
+作者：[Bruce Schneier][a]
+译者：[geekpi](https://github.com/geekpi)
+校对：[校对者ID](https://github.com/校对者ID)
+
+本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
+
+[a]:https://www.schneier.com/blog/about/