So the device is certified, and a bug is found 2 years later. How does this help? The info to date is that last week's issue was patched by the vendor in Sept 2015, I believe is what I read. We know bugs will creep in (source: anyone that has worked with code forever). Also, certification, assuming it would work, in what country? Would I need one per country I sell into? These are not the solutions you are looking for (Jedi word play on purpose).
On Wed, Oct 26, 2016 at 3:53 PM, JORDI PALET MARTINEZ <[email protected]> wrote:
> Exactly, I was arguing exactly the same with some folks this week during
> the RIPE meeting.
>
> The same way that certifications are needed to avoid radio interference,
> etc., and if you don't pass those certifications, you can't sell the
> products in some countries (or regions, in the case of the EU for example),
> authorities should make sure that those certifications have a broader
> scope, including security and probably some other features to ensure that
> in case something is discovered in the future, they can be updated.
>
> Yes, that means cost, but a few thousand dollars of certification price
> increase, among thousands of millions of devices of the same model being
> manufactured, means a few cents for each unit.
>
> Even if we speak about 1 dollar per each product being sold, it is much
> cheaper than the cost of not doing it and paying for damages, human
> resources, etc., when there is a security breach.
>
> Regards,
> Jordi
>
>
> -----Original message-----
> From: NANOG <[email protected]> on behalf of Leo Bicknell <[email protected]>
> Organization: United Federation of Planets
> Reply to: <[email protected]>
> Date: Wednesday, 26 October 2016, 19:19
> To: <[email protected]>
> Subject: Re: Spitballing IoT Security
>
> In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich
> Kulawiec wrote:
> > The makers of IoT devices are falling all over themselves to rush products
> > to market as quickly as possible in order to maximize their profits. They
> > have no time for security. They don't concern themselves with privacy
> > implications. They don't run networks so they don't care about the impact
> > their devices may have on them. They don't care about liability: many of
> > them are effectively immune because suing them would mean trans-national
> > litigation, which is tedious and expensive. (And even if they lost:
> > they'd dissolve and reconstitute as another company the next day.)
> > They don't even care about each other -- I'm pretty sure we're rapidly
> > approaching the point where toasters will be used to attack garage door
> > openers and washing machines.
>
> You are correct.
>
> I believe the answer is to have some sort of test scheme (UL
> Laboratories?) for basic security and updateability. Then federal
> legislation is passed requiring any product being imported into the
> country to be certified, or it is refused.
>
> Now when they rush to market and don't get certified they get $0
> and go out of business. Products are stopped at the border, every
> shipment is reviewed by authorities, and there is no cross-border
> suing issue.
>
> Really it's product safety 101. UL, the CPSC, NHTSA, DOT and a
> host of others have regulations that if you want to import a product
> for sale it must be safe. It's not a new or novel concept, pretty
> much every country has some scheme like it.
>
> --
> Leo Bicknell - [email protected]
> PGP keys at http://www.ufp.org/~bicknell/
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.consulintel.es
> The IPv6 Company

