Hi Tantek, On the very serious issues of security and privacy on the Internet of Things, I agree with you.
On your proposed solution to those problems of somehow trying to slow down the worldwide deployment of IoT devices (currently forecast to reach tens of billions by 2020) and prevent any efforts towards standardisation and the defining of best practices, I couldn't disagree with you more. We have a whole department at Mozilla dedicated to exploring this space and it is an organisational goal to attempt to influence standards in this area in order to embody Mozilla's values into the design and architecture of IoT. Let's try to make our feedback to the W3C a little more constructive, if we can. Ben On 29 November 2016 at 19:38, Tantek Γelik <tan...@cs.stanford.edu> wrote: > To add to this thread, I think there are still fundamental security > issues, which have only gotten worse, that the charter does not > address, nor has the incubation to date come even close to > understanding, much less prototyping / stress-testing. > > > 1. The rapid deployment of WoT/IoT devices poses an existential threat > to the open internet (something we, Mozilla, are particularly focused > on protecting more than other orgs are) due to their fundamentally > worse security. > > Since the DDoS attack on krebsonsecurity which motivated our initial > formal objection based on lack of security considerations in the > charter and incubation, there was the subsequent DYN DDoS attack which > took down major sites (Twitter, Github, Reddit, etc.), and that's only > with the current deployment of insecure IoT devices, by rogue groups > using open source malware. Basically it proved the security point of > our formal objection. > > WoT/IoT devices are both known to already have worse security, and > expected to in the future, both in initial design / development, and > with the lack of incentive to do security software updates due to such > devices being so low margin, often built by small companies that have > low life expectancy themselves, then whitelabel bundled into larger > devices, with no way of updating the embedded software, e.g. the IoT > cameras used in the DDoS attacks. > > The proposed charter (nor anyone's incubation efforts) does/do not > address these low cost, low margin, low life expectancy company, > whitelabel embedding issues. All of which have been shown to be real > problems. > > This threat is so bad, that it's not clear that any increased > deployment of WoT/IoT is "good" for the open internet. > > That regardless of tech stack, it is in the interest of maintaining an > open internet to do what we can to actually *slow down* the deployment > of of anything WoT/IoT, up to and including opposing standardization > efforts which seek to *accelerate* the deployment of such devices. > This is not an "absolute" situation, where we might as well give up > because it's going to happen anyway like somewhere other than W3C, but > rather a set of race conditions, where slowing things down anywhere at > all may still be incrementally helpful (make the internet as a whole > less vulnerable - it's a spectrum). > > > 2. Increased invasive surveillance. > > The above IoT security threat scenarios that we've experienced were > from small groups or individuals using malware they didn't even write. > There is an even worse potential threat from insecure WoT/IoT devices, > and that is state-level actors using those very same existing and > expected security flaws to turn WoT/IoT devices into the largest mass > surveillance and data gathering effort in history. > > Every sensor on every such device a user puts in their home becomes a > potential surveillance data gathering node. Note that most the > above-noted insecure devices used in the attacks were IoT *cameras*. > > Nothing from the proposed WoT charter, nor experiments/incubations > shows any semblance of any of the participants taking this threat > scenario seriously, nor did any of them raise or document any concerns > like what happened to Krebs. > > (The only person in the W3C context who did provide warnings of the > kinds of attacks occuring that eventually did happen was Bruce > Schneier during his talk at the May W3C AC meeting at MIT. But he's > not involved in W3C WoT/IoT efforts himself.). > > > I don't see any evidence to show that W3C should pursue > standardization of anything WoT/IoT, and quite the opposite, that > we're at a point of WoT/IoT industry immaturity where product > development and deployment is both hurting the internet, and > presenting a potentially even larger threat to users of such products > being transparently, illegally*, invasively surveilled by their > governments hacking the devices in their own homes (*but recently > approved in the UK[1]), and thus should be opposed. > > > If anything, we (Mozilla) should be reaching out to EFF and any other > W3C Members who value an open internet and respecting users privacy > more than profit (perhaps university members of W3C) and asking them > to join our formal objection to anything WoT/IoT at W3C. > > > Tantek > > [1] http://www.wired.co.uk/article/ip-bill-law-details-passed > > > On Tue, Nov 29, 2016 at 7:23 AM, Benjamin Francis <bfran...@mozilla.com> > wrote: > > Hi David, > > > > Have you had any more correspondence with the W3C on Mozilla's behalf > > regarding this charter? > > > > From the Web of Things Interest Group mailing list > > <https://lists.w3.org/Archives/Public/public-wot-ig/> it appears that > the > > group is happy to remove the dependency on RDF as suggested in our > feedback > > (although they claim this wasn't intended as a dependency in the first > > place). Instead I understand they would like to include an extension > point > > in the Thing Description such that semantic annotations could be added > > externally to the Thing Description specification if desired. This seems > > reasonable to me. > > > > On the point of the charter being too broad I don't think much has been > > done to address this. The group still seems intent on including a > > language-agnostic "scripting API" in the charter, despite Google's > feedback > > that the Thing Description should be the central focus of the charter and > > that the scripting API should be moved to a supporting research themed > > status. > > > > I'd like to share a recommendation from the IoT platform team in > Connected > > Devices that the charter should include only a *Web Thing Description* > with > > a default JSON encoding and a *Web Thing API* which is a REST API that > can > > be implemented using HTTP (or HTTP/2 or CoAP). We have started to draft a > > potential member submission <https://moziot.github.io/wot/> to > illustrate > > this proposal (this is just a skeleton at the moment, contributions > welcome > > on GitHub <https://github.com/moziot/wot/issues>). > > > > With this reduced scope no scripting API should be necessary (most > > programming languages already have the capability to call a REST API via > > HTTP and anyone can create a helper library to call the WoT REST API). It > > should also simplify the security and privacy requirements considerably > > given this is a well established and well understood technology stack on > > the web. > > > > This kind of RESTful approach is already becoming a de-facto standard in > > IoT (e.g. Google Weave, Apple HomeKit, Samsung SmartThings, EVRYTHNG, AWS > > IoT, Azure IoT, IoTivity, AllJoyn). What's missing is a standard data > model > > and common API using this pattern. This is also the direction the Open > > Connectivity Foundation <https://openconnectivity.org> is taking with > CoAP > > and their OIC specification, and the direction we expect the Mozilla IoT > > Framework to take. > > > > We'd very much like to collaborate on this specification via the W3C but > > currently the charter still seems too broad and I would argue not in line > > with the direction of the wider industry. > > > > Ben > > > > > > > > On 17 October 2016 at 19:15, L. David Baron <dba...@dbaron.org> wrote: > > > >> The comments I submitted on the WoT charter are archived at: > >> https://lists.w3.org/Archives/Public/www-archive/2016Oct/0004.html > >> > >> -David > >> > >> On Friday 2016-10-14 15:03 +0100, Benjamin Francis wrote: > >> > Hi David, > >> > > >> > We collected some feedback in a document > >> > <https://docs.google.com/document/d/1jbZUgqFiJa_ > >> R5E3OxPduFSiVsmOYGSWw66VVLij9FyA/edit?usp=sharing> > >> > and I'm going to try to summarise it here. Please let me know if you > feel > >> > this feedback is appropriate and feel free to edit it before sending. > I > >> > also welcome further feedback from this list if it can be provided in > >> time. > >> > > >> > > >> > > >> > There were some concerns expressed around the clarity of the goals set > >> out > >> > in the charter and whether there has been sufficient research and > >> > incubation in order to proceed with the drafting of specifications > via a > >> > Working Group. > >> > > >> > We propose the charter could benefit from a reduced scope, a more > >> > lightweight approach and a simplified set of deliverables. This might > >> > include a simpler initial data model with a reduced set of metadata > and a > >> > default encoding without a dependency on RDF (e.g. plain JSON), the > >> > specification of a single REST/WebSockets API and a reduced scope > around > >> > methods for device discovery. We propose that the deliverables could > be > >> > reduced down to a single specification describing a Web of Things > >> > architecture, data model and API and separate notes documenting > bindings > >> to > >> > non-web protocols and a set of test cases. > >> > > >> > It is suggested that the WoT Current Practices > >> > <http://w3c.github.io/wot/current-practices/wot-practices.html> and > WoT > >> > Architecture <https://w3c.github.io/wot/architecture/wot-architecture > . > >> html> > >> > documents referenced in the charter are not currently a good basis on > >> which > >> > to build a specification and that the member submission > >> > <http://model.webofthings.io/> from EVRYTHNG and the Barcelona > >> > Supercomputing Center could provide a better starting point. > >> > > >> > Mozilla welcomes the activity in this area but the charter as > currently > >> > proposed may need some work. > >> > > >> > > >> > > >> > > >> > Let me know what you think > >> > > >> > Ben > >> > > >> > On 11 October 2016 at 02:52, L. David Baron <dba...@dbaron.org> > wrote: > >> > > >> > > The W3C is proposing a new charter for: > >> > > > >> > > Web of Things Working Group > >> > > https://lists.w3.org/Archives/Public/public-new-work/ > >> 2016Sep/0005.html > >> > > https://www.w3.org/2016/09/wot-wg-charter.html > >> > > > >> > > Mozilla has the opportunity to send comments or objections through > >> > > this Friday, October 14. > >> > > > >> > > Please reply to this thread if you think there's something we should > >> > > say as part of this charter review, or if you think we should > >> > > support or oppose it. > >> > > > >> > > My initial reaction would be to worry about whether there's > >> > > properly-incubated material here that's appropriate to charter a > >> > > working group for, or whether this is more of a (set of?) research > >> > > projects. W3C has an existing Interest Group (not a Working Group, > >> > > so not designed to write Recommendation-track specifications) in > >> > > this area: https://www.w3.org/WoT/IG/ . > >> > > > >> > > -David > >> > > > >> > > -- > >> > > π L. David Baron http://dbaron.org/ π > >> > > π’ Mozilla https://www.mozilla.org/ π > >> > > Before I built a wall I'd ask to know > >> > > What I was walling in or walling out, > >> > > And to whom I was like to give offense. > >> > > - Robert Frost, Mending Wall (1914) > >> > > > >> > > _______________________________________________ > >> > > dev-platform mailing list > >> > > dev-platform@lists.mozilla.org > >> > > https://lists.mozilla.org/listinfo/dev-platform > >> > > > >> > > > >> > >> -- > >> π L. David Baron http://dbaron.org/ π > >> π’ Mozilla https://www.mozilla.org/ π > >> Before I built a wall I'd ask to know > >> What I was walling in or walling out, > >> And to whom I was like to give offense. > >> - Robert Frost, Mending Wall (1914) > >> > > _______________________________________________ > > dev-platform mailing list > > dev-platform@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-platform > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
