Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-10 Thread bzs
Rich, Thanks for the nice confirmation. My dabbling in internet governance topics has taught me (I guess) that the real challenge is to eschew easy approaches such as shutting off sites as a remedy. The hard work is trying to come up with effective measures which are anything but take downs /

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-10 Thread John Levine
>> It helps solve the bad (including manufacturer's default) password >> problem which was one of the attack vectors. That problem has been addressed pretty well by giving each device a random password and printing the password on the device. Another hack that works pretty well is a button you

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-10 Thread Rich Kulawiec
On Sun, Oct 09, 2016 at 04:47:30PM -0400, b...@theworld.com wrote: > But I well remember proposed spam mitigations back in 2000 being just > as forcefully shot down because IT WOULD TAKE A DECADE TO IMPLEMENT > THAT!!! I remember that. I also remember the dire predictions that it would take a

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread bzs
On October 9, 2016 at 20:24 m...@beckman.org (Mel Beckman) wrote: > You might as well wish for fingerprint readers. It's not going to happen, > and thus can't be remedied. But there are already acceptable COTS solutions > that need no special hardware. IoT vendors simply have to use them.

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Mel Beckman
You might as well wish for fingerprint readers. It's not going to happen, and thus can't be remedied. But there are already acceptable COTS solutions that need no special hardware. IoT vendors simply have to use them. -mel beckman > On Oct 9, 2016, at 1:20 PM, "b...@theworld.com"

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread bzs
On October 9, 2016 at 20:07 m...@beckman.org (Mel Beckman) wrote: > Barry, > > The problem isn't authentication during initial installation, since that can > be done using SSL and a web login to the cloud service. The problem is that > vendors aren't even using minimal security

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Mel Beckman
Barry, The problem isn't authentication during initial installation, since that can be done using SSL and a web login to the cloud service. The problem is that vendors aren't even using minimal security protections, such as SSL, and then leaving devices open to inbound connections, which is

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread bzs
Elsewhere, for decades, I've bemoaned the fact that keyboards (etc) don't have credit card swipes (perhaps today "and chip readers") so with some care on the part of the software someone could prove they likely have physical access to the card. But it would be very useful in this IoT problem.

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Large Hadron Collider
On 2016-10-09 08:33 AM, Stephen Satchell wrote: On 10/09/2016 07:31 AM, Mel Beckman wrote: remote RF temperature sensor hub for home, the GW-1000U. ... The device accepts TCP connections on 22, 80, and 443. Theoretically I can't see why it ever needs ongoing inbound connections, so this

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Florian Weimer
* John R. Levine: > On Sun, 9 Oct 2016, Florian Weimer wrote: > >> If we want consumers to make informed decisions, they need to >> learn how things work up to a certain level. And then current >> technology already works. > > I think it's fair to say that security through consumer

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Mel Beckman
The idea behind IoT is that devices collect data, but the power to process that data, and archive it, is in the cloud. -mel beckman > On Oct 9, 2016, at 11:30 AM, "valdis.kletni...@vt.edu" > wrote: > > On Sun, 09 Oct 2016 18:05:20 -, Mel Beckman said: >> I

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Jim Shankland
On 10/9/16 11:30 AM, valdis.kletni...@vt.edu wrote: On Sun, 09 Oct 2016 18:05:20 -, Mel Beckman said: I don't know why it's "sub optimal" to use the cloud from an isolated network. Can you elaborate? Why should something out in the cloud have any part of the communication, other than

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Valdis . Kletnieks
On Sun, 09 Oct 2016 18:05:20 -, Mel Beckman said: > I don't know why it's "sub optimal" to use the cloud from an isolated > network. Can you elaborate? Why should something out in the cloud have any part of the communication, other than perhaps telling your cellphone the current address of

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Mel Beckman
I don't know why it's "sub optimal" to use the cloud from an isolated network. Can you elaborate? -mel beckman > On Oct 9, 2016, at 10:28 AM, "valdis.kletni...@vt.edu" > wrote: > > On Sun, 09 Oct 2016 14:31:54 -, Mel Beckman said: > >> I just bought a $20

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Valdis . Kletnieks
On Sun, 09 Oct 2016 14:31:54 -, Mel Beckman said: > I just bought a $20 Lacrosse remote RF temperature sensor hub for home, the > GW-1000U. It does the usual IoT things: after you plug it in, it gets a DHCP > address and phones home, then you register it using a smartphone on the same > LAN,

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Mel Beckman
Stephen, But they don’t, in fact, allow such a console. And I don’t think such a thing is even a good idea on IoT devices, because permitting inbound connections is a pathway to exploitation. As I noted in my post, I’ve put it on its own VLAN, which is better than a DMZ: no inbound access at

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Stephen Satchell
On 10/09/2016 07:31 AM, Mel Beckman wrote: > remote RF temperature sensor hub for home, the GW-1000U. > ... > The device accepts TCP connections on 22, 80, and 443. Theoretically > I can't see why it ever needs ongoing inbound connections, so this > seems to be a security concession made by the

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Mel Beckman
I just bought a $20 Lacrosse remote RF temperature sensor hub for home, the GW-1000U. It does the usual IoT things: after you plug it in, it gets a DHCP address and phones home, then you register it using a smartphone on the same LAN, which I'm guessing finds the device via a broadcast and then

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread John R. Levine
On Sun, 9 Oct 2016, Florian Weimer wrote: If we want consumers to make informed decisions, they need to learn how things work up to a certain level. And then current technology already works. I think it's fair to say that security through consumer education has been a failure every