Hackers Remotely Kill a Jeep on the Highway

[Cathal Garvey]

Without getting into the issue of whether patents encourage innovation.. 
I do think that medical devices are a special case. If you have a heart 
implant, that thing needs to be "unhackable", but also totally 
verifiably safe. So there should be firmware signing, no mutable state, 
verifiable memory safety...but the code should be open source, and if 
need be the firmware signing key for each device (needs to be different 
for each device!) should be accessible by a legitimate owner.

So, no more remote-hackable heart implants, but doctors and cardiac 
technicians can still apply critical patches and inspect the source for 
sanity.

On 24/07/15 21:26, Lodewijk andré de la porte wrote:
> Anyone care for a law that will:
>
> 1. Ban unhackable vehicles and other life-critical devices (meaning:
> life-critical software must be rewritable)
> 2. Require all life-critical software to be released in source format,
> for the purpose of public auditing, improving it's safety features and
> employing the software on the devices it is intended for.
> 3. Any tools used to translate the source to writable code must also be
> provided in the manner of 2.
>
> These laws should still allow manufacturers to:
> 1. Spy on their users without that being changed
> 2. Lock down their code so competitors may not use it (proprietary open
> source)
> 3. Have software in the machines that is not opened; so long as it is
> properly (verifiably) isolated from essential systems
> 4. Legally own the entire machine
> 5. Drop guarantees when non-security-related modifications have been made
> etc
>
> This law should be as precise and immutable as possible. This is not a
> matter of "I want to hack things" or "competition would be better if it
> were open" or "I want to own what I have/use", etc, etc. Being precise
> with the law allows it to pass more readily.
>
> Personally I think if everything were required open source and
> self-compiled; that would objectively be better for humanity as a whole.
> For protecting innovation there's patents, closing the source is excess.
> Etc. etc.
>
> But this is not about fun. This is about extremely basic safety. It is
> about national security; if 500,000 cars go haywire at the same time a
> lot of deaths, directly and indirectly, can be expected. And it's not
> just the cars; it's also the industrial machines, medical equipment, the
> metro's and trains, the automated cars and busses and trucks and
> aircraft, medium sized hobbyist drones, heaters, stoves and ovens,
> automated doors, elevators, fire, smoke and other emergency alarms, etc.
>
> Should a foreign country cyberattack whilst doing any other kind of
> large scale attack; the effects could be devastating. Should a person be
> marked for assassination, no one would be the wiser.
>
> I'd argue for similar protection for fridges, televisions, smartphones,
> etc, etc, as more and more items are expected to become networked and
> essential for upholding basic freedoms and ways of life. And I'd argue
> to have it for privacy; not just essential safety.
>
>
> Simply put; the simple version of the law above is imperative for
> personal and national security. And it doesn't exist.
>
> (note: all countries should be more worried about cybersecurity. I
> cannot trust my government to act as it should if every public servant
> can be blackmailed or thoroughly spied upon. It's not hard to improve
> security; but it's much harder now that nobody's doing it, and now that
> it's given no priority)

-- 
Scientific Director, IndieBio EU Programme
  Now running in Cork, Ireland May->July
  Learn more at indie.bio and follow along!
Twitter:  @onetruecathal
Phone: +353876363185
miniLock: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM
peerio.com: cathalgarvey