cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

New IoT standard

OK, the headline on this reads, "First international smart home standard ensures secure connectivity between devices."  Read that fairly carefully.  The "standard" doesn't ensure that people won't make and sell devices that have stupid default passwords, or any of a number of other security vulnerabilities.  And, if you read the article itself, you will see that the standard only supports link (not end-to-end) encryption between compliant devices.  In other words, if everyone buys into this standard (which is by no means certain) we have (potentially) solved one part of a huge problem.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
4 Replies
AppDefects
Community Champion


@rslade wrote:

OK, the headline on this reads, "First international smart home standard ensures secure connectivity between devices."  Read that fairly carefully.  The "standard" doesn't ensure that people won't make and sell devices that have stupid default passwords, or any of a number of other security vulnerabilities.  And, if you read the article itself, you will see that the standard only supports link (not end-to-end) encryption between compliant devices.  In other words, if everyone buys into this standard (which is by no means certain) we have (potentially) solved one part of a huge problem.


Open Connectivity Foundation (OCF), well that's a new one... give them a few years and maybe, just maybe, they'll catch on...

dcontesti
Community Champion


@rslade wrote:

OK, the headline on this reads, "First international smart home standard ensures secure connectivity between devices."  Read that fairly carefully.  The "standard" doesn't ensure that people won't make and sell devices that have stupid default passwords, or any of a number of other security vulnerabilities.  And, if you read the article itself, you will see that the standard only supports link (not end-to-end) encryption between compliant devices.  In other words, if everyone buys into this standard (which is by no means certain) we have (potentially) solved one part of a huge problem.


The problem with Standards and Guidelines is once management determine there is an extra cost or money out the door to implement, we get told "it's only a standard or guideline, so we do NOT have to comply.

 

I wish them luck

 

d

 

CraginS
Defender I


@dcontesti wrote:

@rslade wrote:

OK, the headline on this reads, "First international smart home standard ensures secure connectivity between devices."  Read that fairly carefully.  The "standard" doesn't ensure that people won't make and sell devices that have stupid default passwords, or any of a number of other security vulnerabilities.  ...


The problem with Standards and Guidelines is once management determine there is an extra cost or money out the door to implement, we get told "it's only a standard or guideline, so we do NOT have to comply.

 


There is another more significant aspect of the cost-to-act decision than simply direct cost of implementation. That is the effort by each company to maintain a market dominance by offering unique features or customer-capture lock-in technology. We saw the reality of this process when Micro$oft pretended to support the move from proprietary word processing file types to an open standard. M$ reps to the standard s group ensured that there was a hole in the logic for the new open file standard to allow continued use of proprietary typeface families. Thus, the decades old baseline standard of Times New Roman for serif and Arial for sans serif typefaces in documents became, in the new M$ Word file type docx as Cambria and Calibri, both new proprietary M$ typeface families.

 

I believe that Cisco has done similar lock-in actions with their router family.

 

Craig

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
Caute_cautim
Community Champion

@rsladeHow will it comply with CCPA SB-327 Connected Devices and has OCF been formally recognised by the IEEE or by RFI processes?  Or is OCF one of those non-compliant standards or is home grown?

 

So I went hunting for answers:  https://openconnectivity.org/foundation/membership-list/ 

 

It is fully supported by a lot of members as an open source standard with certification: 

 

https://openconnectivity.org/certified-products/

 

And you have to be a member to access the certification standard, so Joe public cannot tell whether it actually complies and this is supposed to be an "Open Standard" - pay you US$2,000 and find out.....

 

It appears to be a secret, hardly open to scrutiny at all unless you are a member.

 

Hmmm  sounds like another club to me.

 

Regards

 

Caute_cautim