UK: The Product Security and Telecommunications Infrastructure (PSTI) Bill

This might warrant some discussion?
It includes 'smart home assistants' & 'Internet of Things base stations and hubs to which multiple devices connect'

Admittedly it's only the UK - but may need to be addressed, i.e. forcing security for Node Red based on region?

Oh dear.
They did such a good job protecting us from cookies too. Even www.gov.uk seems to break that law.

Curious that home routers are not in the list.

They will have a hard job deciding who to gaol for my network of Chinese ESP32s and smart sockets with reflashed firmware, Raspberry Pies running Linux, programmed in Node-Red (with contributed nodes), Python, Bash, C, OldUncleTomCobbley and Awk.

The regs are still not up, so will have to wait for the finer detail.

The way I read it is: any system that exposes consumer electronics or data must be protected.
For this, I think these systems fall under it:

  • Node Red
  • IO-Broker
  • Home Assistant
  • Open Hab
  • etc etc.

i.e. 'smart home assistants' & 'Internet of Things base stations'

Obviously there are other categories also.

Nodes, or plug-ins, for these systems are providing functionality, and not directly exposing data outside of their platform; the platform itself has the ability to, or can, expose data/devices.

I might have this wrong - but it's how I read it.

Maybe another Bill would be justified, simply & efficiently forbidding all kinds of viruses, including recent mutations.

2 Likes

I'd like to point out that the regulations only apply to commercial devices. It doesn't impact Node-RED in any way with one exception.

If you are using Node-RED in a commercial application, then you must adhere to the rules. Node-RED itself does not fall under the legislation as free, open source software. Nor does any other free, open source software.

Of course, the parts of the legislation we are talking about (there are other parts that are controversial) are common sense anyway. No fixed id/passwords, keep things updated, etc. But even should there be nobody to keep updating Node-RED, it still wouldn't be subject to this legislation.

What it does mean is that you should no longer be able to accidentally purchase networking hardware that has a hidden id/password or a default one that can't be changed.

The bill should also help curb the tendency for vendors to have hidden data feeds from your devices (smart TVs being one of the worst offenders).

Devices such as ESP8266/ESP32 would not be impacted since they don't contain anything that the bill is especially worried about. However, again, if you are creating commercial products from those devices, you will need to look at the bill in more detail to see if you are impacted.

?? It has a cookie warning and is GDPR compliant. If you think otherwise, please let me know via PM and I will talk to my colleagues in the Government Digital Service (GDS) who are responsible for it. :wink:

2 Likes

Yup,

To be honest, I was already on the assumption this will apply to a commercial context; I have seen Node Red in that context many times, so wanted to run it past the community.

I suppose if Node Red is being distributed in/with a commercial product, then it must be secured.

1 Like

Julian, I don't know if the law has been amended, but when it was originally enacted it required permission before setting any cookie. www.gov.uk sets a cookie "cookies_policy" immediately the page loads.

Whether or not it's legal, I hate to imagine that the GDS would be unaware of the site's behaviour.
Besides, the whole thing is a chocolate fireguard, doing nothing to protect the public from intrusive website activity.

It's also irrelevant to this topic except for wondering if Whitehall and its industry advisors are capable of enacting a law to protect users of the internet.

Trust me, GDS have gone through the whole thing again and again. I very much doubt there is a problem. Or if there is, it has been deemed tiny enough for nobody to worry about. After all, the framework they use is also used by much/most central government and associated organisations. The NHS framework is similar. I know some of the GDS approvers and they can be very pedantic :grinning:

Haha, maybe I'd better not give too many of my own opinions here :grinning:

All I'll say is that much of this legislation - as most sensible people have come to expect from the current government - is (in my and many other people's opinion) outright political warfare. Both overseas and at home. The parts referenced here seem fine though.