Wait, is this April Fools? The way to make device manufacturers tighten up their security holes is to stick them on the public Internet? That's a hoot. On Jun 20, 2016 6:57 PM, "Mark Andrews" <ma...@isc.org> wrote:
> In message <28657bed-e262-452d-b218-7b39b17f3...@delong.com>, Owen DeLong writes:
> >
> > > On Jun 20, 2016, at 13:45 , Mark Andrews <ma...@isc.org> wrote:
> > >
> > > In message <e67d028d-2a66-453c-9d8b-0ac8fea88...@delong.com>, Owen DeLong writes:
> > >>
> > >>> On Jun 17, 2016, at 10:10 , Mark Milhollan <m...@pixelgate.net> wrote:
> > >>>
> > >>> On Tue, 14 Jun 2016, Owen DeLong wrote:
> > >>>> On Jun 14, 2016, at 11:57 , Ricky Beam <jfb...@gmail.com> wrote:
> > >>>
> > >>>>> I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic.
> > >>>>
> > >>>> Those are by definition poorly designed CPE.
> > >>>
> > >>> This (open by default vs closed) has been discussed before, with
> > >>> plenty of people on either side.
> > >>>
> > >>> /mark
> > >>
> > >> I’m unaware of anyone advocating open inbound by default residential CPE.
> > >>
> > >> I’m not saying they don’t exist, but I can’t imagine how anyone could
> > >> possibly defend that position rationally.
> > >>
> > >> I’m pretty much in favor of open by default in most things, but for
> > >> inbound traffic to residential CPE? Even I find that hard to rationalize.
> > >>
> > >> Owen
> > >
> > > For a lot of homes it actually makes sense. Your laptops are safe
> > > as they are designed to be connected directly to the Internet. We
> > > do this all the time. Similarly phones and tablets are designed to
> > > be directly connected to the Internet. I know that lots of us do
> > > this all the time. Think about what happens at conferences. There
> > > is no firewall there to save you but we all regularly connect our
> > > devices to the conference networks.
> > >
> > > Lots of other stuff is also designed to be directly connected to
> > > the Internet.
> > >
> > > Finding ways to successfully attack a machine from outside is
> > > actually hard and has been for many years now.
> > >
> > > There is lots of FUD being thrown around about IoT. Some machines
> > > will be compromised but as a class of devices there is no reason
> > > to assume that manufacturers haven't learned from what happened to
> > > other Internet connected products.
> >
> > I dare you to purchase a Yamaha amplifier with an ethernet interface,
> > connect it to a good set of speakers within range to make it loud in
> > your bedroom and provide me with your timezone and the IP address
> > of the Yamaha in its default configuration.
>
> I don't want a Yamaha amplifier. If you have one and if it is not
> FIT FOR PURPOSE send it back and demand your money back. You should
> be able to connect any equipment to a network and not have it be
> owned.
>
> > You can call it FUD all you want, but the average ethernet-connected
> > printer is quite vulnerable. So are many of the smart media devices
> > floating around out there.
>
> The internet printers I have contain access controls. They don't need
> a CPE firewall.
>
> > Same with many of the network-connected thermostats I have experimented
> > with.
>
> Well send them back and demand your money back saying why you are sending
> them back.
>
> > For anyone who knows enough to understand the risk they are or are not
> > taking by opening things up, it’s trivial to program in the desired
> > exceptions or turn off the default deny.
> >
> > For everyone else, we should protect the internet from letting them
> > shoot themselves in the head in such a way that we get hit with the
> > back splatter.
>
> And that comes with a significant future cost. Every piece of
> software that wants to accept connections from outside now needs
> to be able to not only update the device's configuration but also
> the firewall's configuration.
>
> > > The thing you need from all manufacturers is a commitment to release
> > > fixes (not necessarily feature upgrades) for the devices they ship
> > > for the real life of the product and for users to upgrade the products.
> >
> > Certainly that helps, but it’s a fantasy in too many cases to act like
> > it is a foregone conclusion or fait accompli.
>
> Actually if we ship CPE devices with firewalls off, IoT manufacturers
> will tighten the security of their devices. It will lead to better
> products overall.
>
> > > Software doesn't wear out. Bugs just get found and design flaws
> > > discovered. The existing warranty policies are designed around
> > > products that physically wear out.
> >
> > Sure, but until that is actually changed, a default permit policy on a
> > home gateway remains one of the worst ideas I can imagine.
>
> Actually it is one of the best things we can do. Yes, there will
> be a short term cost but it comes with benefits of a less complicated
> network where everything works.
>
> Firewalls should be filtering out spoofed traffic (both ways) and
> that is about all they should be doing.
>
> > Owen
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
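As an added illustration, not part of the thread, here is what the two positions look like as an nftables ruleset on an IPv6 home gateway: the anti-spoofing chain that Mark says is all a firewall should do, and the default-deny inbound chain (the RFC 6092 "simple security" model) that Owen wants, with a user-programmed exception. Interface names, the delegated prefix and the printer address are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Assumed placeholders (not from the thread):
#   $wan / $lan      = the CPE's Internet-facing and home-facing interfaces
#   $home_prefix     = the prefix the ISP delegated to this home
define wan = eth0
define lan = br0
define home_prefix = 2001:db8:1234::/48

table ip6 cpe {
    # Anti-spoofing in both directions (Mark's minimum). Runs first.
    # Inbound traffic claiming a source inside our own prefix is forged;
    # outbound traffic sourced outside our prefix would leak spoofed
    # packets to the Internet (BCP 38 egress filtering).
    chain antispoof {
        type filter hook forward priority -10; policy accept;
        iifname $wan ip6 saddr $home_prefix counter drop
        oifname $wan ip6 saddr != $home_prefix counter drop
    }

    # Default-deny unsolicited inbound (Owen's position, RFC 6092 style).
    # Deleting this chain, or setting its policy to accept, yields the
    # open-by-default gateway Mark argues for; the antispoof chain above
    # keeps working either way.
    chain inbound_policy {
        type filter hook forward priority 0; policy drop;
        iifname $lan accept                     # anything the home originates
        ct state established,related accept     # replies to those flows
        meta l4proto icmpv6 accept              # PMTUD and error reporting
        # A deliberately programmed exception: one LAN host the owner
        # chose to expose (placeholder address and port).
        ip6 daddr 2001:db8:1234:1::20 tcp dport 631 accept
    }
}
```

Load with `nft -f` on the gateway; the `counter` statements make it easy to see how much forged traffic each direction actually drops.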