Rich,
Thanks for the nice confirmation.
My dabbling in internet governance topics has taught me (I guess) that
the real challenge is to eschew easy approaches such as shutting off
sites as a remedy.
The hard work is trying to come up with effective measures which are
anything but take downs / b
>> It helps solve the bad (including manufacturer's default) password
>> problem which was one of the attack vectors.
That problem has been addressed pretty well by giving each device a
random password and printing the password on the device. Another hack
that works pretty well is a button you p
On Sun, Oct 09, 2016 at 04:47:30PM -0400, b...@theworld.com wrote:
> But I well remember proposed spam mitigations back in 2000 being just
> as forcefully shot down because IT WOULD TAKE A DECADE TO IMPLEMENT
> THAT!!!
I remember that. I also remember the dire predictions that it would
take a dec
On October 9, 2016 at 20:24 m...@beckman.org (Mel Beckman) wrote:
> You might as well wish for fingerprint readers. It's not going to happen,
> and thus can't be remedied. But there are already acceptable COTS solutions
> that need no special hardware. IoT vendors simply have to use them.
You might as well wish for fingerprint readers. It's not going to happen, and
thus can't be remedied. But there are already acceptable COTS solutions that
need no special hardware. IoT vendors simply have to use them.
-mel beckman
> On Oct 9, 2016, at 1:20 PM, "b...@theworld.com" wrote:
>
On October 9, 2016 at 20:07 m...@beckman.org (Mel Beckman) wrote:
> Barry,
>
> The problem isn't authentication during initial installation, since that can
> be done using SSL and a web login to the cloud service. The problem is that
> vendors aren't even using minimal security protections
Barry,
The problem isn't authentication during initial installation, since that can be
done using SSL and a web login to the cloud service. The problem is that
vendors aren't even using minimal security protections, such as SSL, and then
leaving devices open to inbound connections, which is bad
Elsewhere, for decades, I've bemoaned the fact that keyboards (etc)
don't have credit card swipes (perhaps today "and chip readers") so
with some care on the part of the software someone could prove they
likely have physical access to the card.
But it would be very useful in this IoT problem.
Yo
On 2016-10-09 08:33 AM, Stephen Satchell wrote:
On 10/09/2016 07:31 AM, Mel Beckman wrote:
remote RF temperature sensor hub for home, the GW-1000U.
...
The device accepts TCP connections on 22, 80, and 443. Theoretically
I can't see why it ever needs ongoing inbound connections, so this
seems
* John R. Levine:
> On Sun, 9 Oct 2016, Florian Weimer wrote:
>
>> If we want to make consumers to make informed decisions, they need to
>> learn how things work up to a certain level. And then current
>> technology already works.
>
> I think it's fair to say that security through consumer educat
The idea behind IoT is that devices collect data, but the power to process that
data, and archive it, is in the cloud.
-mel beckman
> On Oct 9, 2016, at 11:30 AM, "valdis.kletni...@vt.edu"
> wrote:
>
> On Sun, 09 Oct 2016 18:05:20 -, Mel Beckman said:
>> I don't know why it's "sub optim
On 10/9/16 11:30 AM, valdis.kletni...@vt.edu wrote:
On Sun, 09 Oct 2016 18:05:20 -, Mel Beckman said:
I don't know why it's "sub optimal" to use the cloud from an isolated network.
Can you elaborate?
Why should something out in the cloud have any part of the communication,
other than perha
On Sun, 09 Oct 2016 18:05:20 -, Mel Beckman said:
> I don't know why it's "sub optimal" to use the cloud from an isolated
> network. Can you elaborate?
Why should something out in the cloud have any part of the communication,
other than perhaps telling your cellphone the current address of yo
I don't know why it's "sub optimal" to use the cloud from an isolated network.
Can you elaborate?
-mel beckman
> On Oct 9, 2016, at 10:28 AM, "valdis.kletni...@vt.edu"
> wrote:
>
> On Sun, 09 Oct 2016 14:31:54 -, Mel Beckman said:
>
>> I just bought a $20 Lacrosse remote RF temperature
On Sun, 09 Oct 2016 14:31:54 -, Mel Beckman said:
> I just bought a $20 Lacrosse remote RF temperature sensor hub for home, the
> GW-1000U. It does the usual IoT things: after you plug it in, it gets a DHCP
> address and phones home, then you register it using a smartphone on the same
> LAN, w
Stephen,
But they don’t, in fact, allow such a console. And I don’t think such a thing
is even a good idea on IoT devices, because permitting inbound connections is a
pathway to exploitation.
As I noted in my post, I’ve put it on its own VLAN, which is better than a DMZ:
no inbound access at
On 10/09/2016 07:31 AM, Mel Beckman wrote:
> remote RF temperature sensor hub for home, the GW-1000U.
> ...
> The device accepts TCP connections on 22, 80, and 443. Theoretically
> I can't see why it ever needs ongoing inbound connections, so this
> seems to be a security concession made by the ma
I just bought a $20 Lacrosse remote RF temperature sensor hub for home, the
GW-1000U. It does the usual IoT things: after you plug it in, it gets a DHCP
address and phones home, then you register it using a smartphone on the same
LAN, which I'm guessing finds the device via a broadcast and then
On Sun, 9 Oct 2016, Florian Weimer wrote:
If we want to make consumers to make informed decisions, they need to
learn how things work up to a certain level. And then current
technology already works.
I think it's fair to say that security through consumer education has been
a failure every t