Re: Spitballing IoT Security

2016-12-02 Thread Roland Dobbins
On 30 Oct 2016, at 7:32, Ronald F. Guilmette wrote: you don't need to be either an ominous "state actor" or even SPECTER to assemble a truly massive packet weapon. I agree: ;> Two kids

Re: Spitballing IoT Security

2016-11-11 Thread Eliot Lear
Moving offlist on this. For those who are interested, send ping. On 11/11/16 4:42 PM, Marcel Plug wrote: > On Fri, Nov 11, 2016 at 1:55 AM, Eliot Lear > wrote: > > It is worth asking what protections are necessary for a device that

Re: Spitballing IoT Security

2016-11-11 Thread Marcel Plug
On Fri, Nov 11, 2016 at 1:55 AM, Eliot Lear wrote: > It is worth asking what protections are necessary for a device that > regulates insulin. Insulin pumps are an example of devices that have been over-regulated to the point where any and all innovation has been

Re: Spitballing IoT Security

2016-11-10 Thread Eliot Lear
This is, amongst other things, an epidemiological problem. We've known through practical experience since 1989 that worms can spread at the speed of light. And so neither an auto-update process nor BCP 38 filtering alone will stop infection. There may be ways like MUD to slow an infection, but

Re: Spitballing IoT Security

2016-11-07 Thread Ronald F. Guilmette
In message <20161108035148.2904b5970...@rock.dv.isc.org>, Mark Andrews wrote: >* Deploying regulation in one country means that it is less likely > to be a source of bad traffic. Manufacturers are lazy. With > sensible regulation in single country everyone else benefits as >

Re: Spitballing IoT Security

2016-11-07 Thread Mark Andrews
In message , Pierre Lamy writes: > On 30/10/2016 12:43 AM, Eric S. Raymond wrote: > > Ronald F. Guilmette : > >> Two kids with a modest amount of knowledge > >> and a lot of time on their hands can

Re: Spitballing IoT Security

2016-10-31 Thread Pierre Lamy
On 30/10/2016 12:43 AM, Eric S. Raymond wrote: > Ronald F. Guilmette : >> Two kids with a modest amount of knowledge >> and a lot of time on their hands can do it from their mom's basement. > > I in turn have to call BS on this. If it were really

Re: Spitballing IoT Security

2016-10-30 Thread Doug Barton
On 10/29/2016 05:32 PM, Ronald F. Guilmette wrote: you don't need to be either an ominous "state actor" or even SPECTER to assemble a truly massive packet weapon. Please, it's SPECTRE, show some respect

Re: Spitballing IoT Security

2016-10-30 Thread bzs
Is this report reliable? I don't know off-hand: http://www.csoonline.com/article/3134721/security/amateurs-were-behind-the-dyn-inc-ddos-attack-report-says.html or: http://tinyurl.com/zb9mpy5 Amateurs were behind the Dyn Inc. DDoS attack, report says Flashpoint says that despite

Re: Spitballing IoT Security

2016-10-30 Thread Jim Hickstein
On 10/30/16 06:35, Rich Kulawiec wrote: On Fri, Oct 28, 2016 at 12:07:17AM -0500, Jim Hickstein wrote: A virus that kills its host (too much of the time) is not successful. True. On the other hand: "Some men aren't looking for anything logical, like money. They can't be

Re: Spitballing IoT Security

2016-10-30 Thread Rich Kulawiec
On Fri, Oct 28, 2016 at 12:07:17AM -0500, Jim Hickstein wrote: > A virus that kills its host (too much of the time) is not successful. True. On the other hand: "Some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned, or negotiated with.

Re: Spitballing IoT Security

2016-10-30 Thread John Weekes
On 10/29/2016 9:43 PM, Eric S. Raymond wrote: I in turn have to call BS on this. If it were really that easy, we'd be inundated by Mirais -- we'd have several attacks a *day*. Some of us are seeing many significant attacks a day. That's because botnets are frequently used to hit game servers

Re: Spitballing IoT Security

2016-10-30 Thread Eric S. Raymond
Ronald F. Guilmette : > > In message <20161030044342.ga18...@thyrsus.com>, > "Eric S. Raymond" wrote: > > >Ronald F. Guilmette : > >> Two kids with a modest amount of knowledge > >> and a lot of time on

Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette
In message <20161030044342.ga18...@thyrsus.com>, "Eric S. Raymond" wrote: >Ronald F. Guilmette : >> Two kids with a modest amount of knowledge >> and a lot of time on their hands can do it from their mom's basement. > >I in turn

Re: Spitballing IoT Security

2016-10-29 Thread Eric S. Raymond
Ronald F. Guilmette : > Two kids with a modest amount of knowledge > and a lot of time on their hands can do it from their mom's basement. I in turn have to call BS on this. If it were really that easy, we'd be inundated by Mirais -- we'd have

Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette
In message <20161029180730.ga10...@thyrsus.com>, "Eric S. Raymond" wrote: >You don't build or hire a botnet on Mirai's scale with pocket change. Proof please? Sorry, but I am compelled to call B.S. on the above statement. This is a really important point that I, Krebs, and

Re: Spitballing IoT Security

2016-10-29 Thread Alan Buxey
Hi, Hi, >Put it another way: you bring home a NEST and the first thing you the >expert might do is read the net to figure out which ports to open. Are >you really going to not open those ports? Put onto its own isolated vlan with only internet access. Unfortunately no basic routers that are

Re: Spitballing IoT Security

2016-10-29 Thread bzs
On October 29, 2016 at 15:35 beec...@beecher.cc (Tom Beecher) wrote: > "That means the motive was prep for terrorism or cyberwar by a > state-level actor. " > > Or, quite possibly (I would argue probably) it was marketing. Show off the > capabilities of the botnet to garner more interest

Re: Spitballing IoT Security

2016-10-29 Thread Tom Beecher
"That means the motive was prep for terrorism or cyberwar by a state-level actor." Or, quite possibly (I would argue probably) it was marketing. Show off the capabilities of the botnet to garner more interest amongst those who pay for use of such things. On Sat, Oct 29, 2016 at 2:07 PM, Eric

Re: Spitballing IoT Security

2016-10-29 Thread Jean-Francois Mezei
On 2016-10-29 14:07, Eric S. Raymond wrote: > You don't build or hire a botnet on Mirai's scale with pocket change. > And the M.O. doesn't fit a criminal organization - no ransom demand, > no attempt to steal data. it is wrong to underestimate script kiddies and open source code. It is wrong to

Re: Spitballing IoT Security

2016-10-29 Thread bzs
On October 29, 2016 at 14:07 e...@thyrsus.com (Eric S. Raymond) wrote: > b...@theworld.com : > > > > On October 28, 2016 at 22:27 l...@satchell.net (Stephen Satchell) wrote: > > > On 10/28/2016 10:14 PM, b...@theworld.com wrote: > > > > Thus far the goal just seems to

Re: Spitballing IoT Security

2016-10-29 Thread Eric S. Raymond
b...@theworld.com : > > On October 28, 2016 at 22:27 l...@satchell.net (Stephen Satchell) wrote: > > On 10/28/2016 10:14 PM, b...@theworld.com wrote: > > > Thus far the goal just seems to be mayhem. > > > > Thus far, the goal on the part of the botnet operators is to make

Re: Spitballing IoT Security

2016-10-29 Thread bzs
On October 28, 2016 at 22:27 l...@satchell.net (Stephen Satchell) wrote: > On 10/28/2016 10:14 PM, b...@theworld.com wrote: > > Thus far the goal just seems to be mayhem. > > Thus far, the goal on the part of the botnet operators is to make > money. The goal of the CUSTOMERS of the botnet

Re: Spitballing IoT Security

2016-10-29 Thread Eliot Lear
Hi Chris, On 10/25/16 1:51 PM, Chris Boyd wrote: >> On Oct 25, 2016, at 3:10 AM, Ronald F. Guilmette >> wrote: >> >> An IoT is -not- a general purpose computer. In the latter case, it is >> assumed that the owner will "pop the hood" when it comes to the software >>

Re: Spitballing IoT Security

2016-10-29 Thread Eliot Lear
Hi Mike, On 10/27/16 11:04 AM, Mike Meredith wrote: > On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear > may have written: >> Well yes. uPnP is a problem precisely because it is some random device >> asserting on its own that it can be trusted to do what it wants. Had

Re: Spitballing IoT Security

2016-10-28 Thread Stephen Satchell
On 10/28/2016 10:14 PM, b...@theworld.com wrote: > Thus far the goal just seems to be mayhem. Thus far, the goal on the part of the botnet operators is to make money. The goal of the CUSTOMERS of the botnet operators? Who knows?

Re: Spitballing IoT Security

2016-10-28 Thread bzs
On October 28, 2016 at 00:07 j...@jxh.com (Jim Hickstein) wrote: > On 10/27/16 22:59, b...@theworld.com wrote: > > What would the manufacturers' response be if this virus had instead > > just shut down, possibly in some cases physically damaged the devices > > or otherwise caused them to

Re: Spitballing IoT Security

2016-10-28 Thread Jim Hickstein
On 10/27/16 22:59, b...@theworld.com wrote: What would the manufacturers' response be if this virus had instead just shut down, possibly in some cases physically damaged the devices or otherwise caused them to cease functioning ever again (wiped all their software or broke their bootability),

Re: Spitballing IoT Security

2016-10-28 Thread Rich Kulawiec
On Thu, Oct 27, 2016 at 05:13:31PM -0400, Jon Lewis wrote: > This is one of my bigger concerns every time I buy something that's "cloud > controlled". Not so much that the manufacturer will force its retirement, > but "what happens if they go belly up, or just kill the division that > supports

RE: Spitballing IoT Security

2016-10-28 Thread Keith Medcalf
On Thursday, 27 October, 2016 22:09, Eliot Lear said: > On 10/28/16 1:55 AM, Keith Medcalf wrote: > >>> The problem is in allowing inbound connections and going as far as > doing > >>> UPnP to tell the CPE router to open an inbound door to let hackers > log in > >>> to

Re: Spitballing IoT Security

2016-10-27 Thread Eliot Lear
Hi Keith, On 10/28/16 1:55 AM, Keith Medcalf wrote: >>> The problem is in allowing inbound connections and going as far as doing >>> UPnP to tell the CPE router to open an inbound door to let hackers log in >>> to that IoT pet feeder to turn it into an aggressive DNS destroyer. >> Well yes. uPnP

RE: Spitballing IoT Security

2016-10-27 Thread bzs
I suppose someone could modify this Mirai virus to instead inject antivirus software. I know, illegal. What would the manufacturers' response be if this virus had instead just shut down, possibly in some cases physically damaged the devices or otherwise caused them to cease functioning ever

Re: Spitballing IoT Security

2016-10-27 Thread Laszlo Hanyecz
On 2016-10-27 23:24, Ronald F. Guilmette wrote: I put forward what I think is a reasonably modest scheme to try to get IoT things to place hard limits on their "unsolicited" packet output at the kernel level, and I'm going to go off now and try to find and then engage some Linux embedded kernel

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027204258.cd18057d5...@rock.dv.isc.org>, Mark Andrews wrote: >> The problem is, as I have said, this device is now the Apple equivalent >> of Windows XP. There could be a horrendous collection of a dozen or >> more known critical security bugs in the thing by

RE: Spitballing IoT Security

2016-10-27 Thread Keith Medcalf
> > The problem is in allowing inbound connections and going as far as doing > > UPnP to tell the CPE router to open an inbound door to let hackers log in > > to that IoT pet feeder to turn it into an aggressive DNS destroyer. > Well yes. uPnP is a problem precisely because it is some random

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message Ken Matlock wrote: >Fixing the current wave of 'IoT' devices and phones and Tv's etc is only >putting a bandaid on a broken arm. It gives the illusion of progress... >Until we accept that it's

Re: Spitballing IoT Security -- Dancing around a solution

2016-10-27 Thread Stephen Satchell
I've been following the discussion with quite a bit of interest. What has become crystal clear to me is that nobody here has been looking at the problem from the perspective of the manufacturer, particularly how they actually get product to market. A la "Dilbert". The engineer's credo: "Why

RE: Spitballing IoT Security

2016-10-27 Thread Emille Blanc
>On Thu, 27 Oct 2016, Ronald F. Guilmette wrote: > >> My iPhone 3GS still works just fine, > >I still have a "functional" iPhone 3G (no S). I don't think AT&T will >activate service on it at this point, and it's been relegated to iPod >service when I do yard work. > >> You can't *force* people to

Re: Spitballing IoT Security

2016-10-27 Thread Edward Dore
> On 27 Oct 2016, at 21:25, Alan Buxey wrote: > > Hi, > > >> At which point the 3GS was almost 5 years old (having originally been >> released in June 2009) and had been already superseded by the iPhone 4, >> 4S, 5 and 5S/5C. > > But the release of and presence of

RE: Spitballing IoT Security

2016-10-27 Thread Emille Blanc
(deleted for ambiguity) > > Which is the point. These things stay out there...like those winXP > > boxes. There are 2 choices > > > > 1) manufacturers are responsible for the devices. No longer caring for > >them? Recall them. Compensate the users. > > > > 2) stronger obsolescence. eg

Re: Spitballing IoT Security

2016-10-27 Thread Ca By
On Thursday, October 27, 2016, Mark Andrews wrote: > > In message <16193.1477594...@segfault.tristatelogic.com >, > "Ronald F. Guilmette" writes: > > > > In message <20161027112940.gb17...@ussenterprise.ufp.org > >, > > Leo Bicknell

Re: Spitballing IoT Security

2016-10-27 Thread Jon Lewis
On Thu, 27 Oct 2016, Ronald F. Guilmette wrote: My iPhone 3GS still works just fine, I still have a "functional" iPhone 3G (no S). I don't think AT&T will activate service on it at this point, and it's been relegated to iPod service when I do yard work. You can't *force* people to throw

Re: Spitballing IoT Security

2016-10-27 Thread Mark Andrews
In message <56b9abd3-6911-42cb-9c9d-81fb33ca5...@lboro.ac.uk>, Alan Buxey writes: > Hi, > > > >At which point the 3GS was almost 5 years old (having originally been > >released in June 2009) and had been already superseded by the iPhone 4, > >4S, 5 and 5S/5C. > > But the release of and

Re: Spitballing IoT Security

2016-10-27 Thread Mark Andrews
In message <16193.1477594...@segfault.tristatelogic.com>, "Ronald F. Guilmette" writes: > > In message <20161027112940.gb17...@ussenterprise.ufp.org>, > Leo Bicknell wrote: > > >Actually, they encourage you to trade {your old iPhone} in... > >... > >If your device is too

Re: Spitballing IoT Security

2016-10-27 Thread Alan Buxey
Hi, >At which point the 3GS was almost 5 years old (having originally been >released in June 2009) and had been already superseded by the iPhone 4, >4S, 5 and 5S/5C. But the release of and presence of those phones does not make the older phone suddenly stop working. As noted, the phone might

Re: Spitballing IoT Security

2016-10-27 Thread bzs
Perhaps something which is needed is analogous to Maritime Law's "Law of Salvage". If a manufacturer abandons all support of a technical product then they lose various intellectual property rights which might prevent a third-party from providing support. Including reasonable assistance such as

Re: Spitballing IoT Security

2016-10-27 Thread Ken Matlock
And I contend that the device manufacturer is only one part in this. Yes, the manufacturers need to get better in securing their devices (that's never been in question). *But* the end users need to have better CPE that can do NetFlow/Sflow/etc in a near real-time fashion. This would allow the

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027112940.gb17...@ussenterprise.ufp.org>, Leo Bicknell wrote: >Actually, they encourage you to trade {your old iPhone} in... >... >If your device is too old for that program, they will still take >it for free and recycle it in an environmentally friendly

Re: Spitballing IoT Security

2016-10-27 Thread Edward Dore
On 27 Oct 2016, at 19:02, Ronald F. Guilmette wrote: > > > In message <20161027084939.5bdf457d0...@rock.dv.isc.org>, > Mark Andrews wrote: > >> Well the last update for the 3GS was iOS 6.1.6 in Feb 2014. > > Bingo! > > Less than a year and a half after

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027112601.ga17...@ussenterprise.ufp.org>, Leo Bicknell wrote: >Problems I think consumer safety legislation can solve: > >* SSH and Telnet were enabled, but there was no notification in the UI > that they were enabled and no way to turn them off.

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <1477558411.730528...@apps.rackspace.com>, "t...@pelican.org" wrote: >...I back up to the cloud... Yes, I confess that this reasonable use case had not occurred to me, and yes, it utterly negates what I was saying. (I myself am the paranoid type, so I -do not-

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027084939.5bdf457d0...@rock.dv.isc.org>, Mark Andrews wrote: >Well the last update for the 3GS was iOS 6.1.6 in Feb 2014. Bingo! Less than a year and a half after they stopped selling it, they effectively stopped supporting it.

Re: Spitballing IoT Security

2016-10-27 Thread Leo Bicknell
In a message written on Tue, Oct 25, 2016 at 04:52:58AM -, John Levine wrote: > My nearest Apple stores are 50 miles away. I'm not sure 100 miles in > the car is a good tradeoff for one phone. Scroll down a bit further: "Tell us which device you have, and we’ll email you a prepaid mailing

Re: Spitballing IoT Security

2016-10-27 Thread John Levine
>Please don't, bring it to your nearest Apple Store instead where it >will be properly recycled, . My nearest Apple stores are 50 miles away. I'm not sure 100 miles in the car is a good tradeoff for one phone.

Re: Spitballing IoT Security

2016-10-27 Thread Mel Beckman
Requiring manual approval is an excellent idea for the ThingSafe RFC! -mel > On Oct 27, 2016, at 2:10 AM, Mike Meredith wrote: > > On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear > may have written: >> Well yes. uPnP is a problem precisely

Re: Spitballing IoT Security

2016-10-27 Thread knack via NANOG
deration of Planets Responder a: <bickn...@ufp.org> Fecha: miércoles, 26 de octubre de 2016, 19:19 Para: <nanog@nanog.org> Asunto: Re: Spitballing IoT Security In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kulawiec wrote: > The makers of IoT devi

Re: Spitballing IoT Security

2016-10-27 Thread Geoffrey Keating
"Ronald F. Guilmette" writes: > My iPhone 3GS "goes on the Internet". > > Through no fault of my own, it is also, apparently, destined in short order > to "go onto" a landfill, if not here, then in China or India, where a > pitiful plethora of shoeless and sad-eyed

Re: Spitballing IoT Security

2016-10-27 Thread Leo Bicknell
In a message written on Wed, Oct 26, 2016 at 05:27:08PM -0700, Ronald F. Guilmette wrote: > do let me know how I can obtain this month's security patches for my iPhone > 3GS. > > (Note that Wikipedia says that this device was only formally discontinued > by the manufacturer as of September 12,

Re: Spitballing IoT Security

2016-10-27 Thread Leo Bicknell
In a message written on Wed, Oct 26, 2016 at 04:40:57PM -0300, jim deleskie wrote: > So device is certified, bug is found 2 years later. How does this help. > The info to date is last week's issue was patched by the vendor in Sept > 2015, I believe is what I read. We know bugs will creep in,

Re: Spitballing IoT Security

2016-10-27 Thread Mike Meredith
On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear may have written: > Well yes. uPnP is a problem precisely because it is some random device > asserting on its own that it can be trusted to do what it wants. Had From my own personal use (and I'm aware that this isn't a

Re: Spitballing IoT Security

2016-10-27 Thread t...@pelican.org
On Thursday, 27 October, 2016 00:40, "Ronald F. Guilmette" said: > Point: I have a DSL line which is limited to 6Mbps down and 756Kbps up. > My guess is that if any typical/average user is seen to be using more > than, say, 1/10 of that amount of "up" bandwidth in any

Re: Spitballing IoT Security

2016-10-27 Thread Mark Andrews
In message <12439.1477528...@segfault.tristatelogic.com>, "Ronald F. Guilmette" writes: > > In message <20161026205800.7188d57b2...@rock.dv.isc.org>, > Mark Andrews wrote: > > >Actually things have changed a lot in a positive direction. > >... > >* Microsoft, Apple, Linux and

Re: Spitballing IoT Security

2016-10-27 Thread Eliot Lear
Hi Jean-Francois, On 10/25/16 10:37 AM, Jean-Francois Mezei wrote: > On 2016-10-25 04:10, Ronald F. Guilmette wrote: > >> If all of the *&^%$# damn stupid vacation pet feeders had originally shipped >> with outbound rate limits hard-coded in the kernel, maybe this could have >> been avoided. > >

Re: Spitballing IoT Security

2016-10-26 Thread Randy Bush
actually, the one technical hack i liked the most so far was the suggestion to put throttling into openwrt/lede, as they are used for the base in much cpe. randy

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <58112f9f.6060...@vaxination.ca>, Jean-Francois Mezei wrote: >A camera showing the baby in 4K resolution along with sounds of him >crying on dolby surround to the mother who is at work would likely >saturate upload just as much as the virus sending DNS

Re: Spitballing IoT Security

2016-10-26 Thread Josh Reynolds
i think this would be the most effective route proposed so far. May the force be with you :) On Wed, Oct 26, 2016 at 12:19 PM, Leo Bicknell wrote: > In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kulawiec > wrote: >> The makers of IoT devices are falling

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <89795.1477520...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu wrote: >> Given that, and given that "OpenWRT and kin" often provide the end-user >> with readily accessible dials and knobs via which the user can force the >> device to *exceed* legal/FCC limits on power output, I

Re: Spitballing IoT Security

2016-10-26 Thread Mel Beckman
People underappreciate the power of a million-strong IoT botnet. Just a few K per second from each bot becomes gigabits per second at the target. -mel > On Oct 26, 2016, at 4:41 PM, Ronald F. Guilmette > wrote: > > > In message >

Re: Spitballing IoT Security

2016-10-26 Thread Mark Andrews
In message <12573.1477530...@segfault.tristatelogic.com>, "Ronald F. Guilmette" writes: > > In message <58111bd4.80...@vaxination.ca>, > Jean-Francois Mezei wrote: > > >My smart TV not only hasn't gotten updates in years, but Sharp has > >stopped selling TVs in

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <58111bd4.80...@vaxination.ca>, Jean-Francois Mezei wrote: >My smart TV not only hasn't gotten updates in years, but Sharp has >stopped selling TVs in Canada. (not sure if they still sell TVs elsewhere). A little more than 2 years ago, I bought a

Re: Spitballing IoT Security

2016-10-26 Thread Brandon Butterworth
On Wed Oct 26, 2016 at 05:10:44PM -0400, Jean-Francois Mezei wrote: > My smart TV not only hasn't gotten updates in years, but Sharp has > stopped selling TVs in Canada. (not sure if they still sell TVs elsewhere). > > When manufacturers provide a 2 year support on a device that will last > 10

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026205800.7188d57b2...@rock.dv.isc.org>, Mark Andrews wrote: >Actually things have changed a lot in a positive direction. >... >* Microsoft, Apple, Linux and *BSD issue regular fixes for their > products and users do install them. At the risk of repeating a

Re: Spitballing IoT Security

2016-10-26 Thread Mark Andrews
In message <12301.1477525...@segfault.tristatelogic.com>, "Ronald F. Guilmette" writes: > > In message m> > Ken Matlock wrote: > > >- End users need to have ways to easily see what's going on over their

Re: Spitballing IoT Security

2016-10-26 Thread Chris Boyd
> On Oct 26, 2016, at 6:40 PM, Ronald F. Guilmette > wrote: > > Point: I have a DSL line which is limited to 6Mbps down and 756Kbps up. > My guess is that if any typical/average user is seen to be using more > than, say, 1/10 of that amount of "up" bandwidth in any one

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message Ken Matlock wrote: >- End users need to have ways to easily see what's going on over their >local networks, to see botnet-like activity and DDoS participation (among >other things) in a more

Re: Spitballing IoT Security

2016-10-26 Thread Jean-Francois Mezei
On 2016-10-26 18:02, Ronald F. Guilmette wrote: > http://p.globalsources.com/IMAGES/PDT/BIG/053/B1088622053.jpg > > i.e. a multitude of wall plates in every room, each one bristling with a > multitude of RJ11 sockets into which all manner of shiny new IoT things > will be directly plugged,

Re: Spitballing IoT Security

2016-10-26 Thread Valdis . Kletnieks
On Wed, 26 Oct 2016 15:02:46 -0700, "Ronald F. Guilmette" said: > i.e. a multitude of wall plates in every room, each one bristling with a > multitude of RJ11 sockets into which all manner of shiny new IoT things > will be directly plugged, thence to be issued their own IPv6 addresses > directly

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026123043.ga10...@thyrsus.com>, "Eric S. Raymond" wrote: >There is, however, a chokepoint we have more hope of getting decent software >deployed to. I refer to home and small-business routers. OpenWRT and kin >are already minor but significant players here.

Re: Spitballing IoT Security

2016-10-26 Thread Valdis . Kletnieks
On Wed, 26 Oct 2016 20:53:51 +0200, JORDI PALET MARTINEZ said: > Even if we speak about 1 dollar per each product being sold, it is much > cheaper than the cost of not doing it and paying for damages, human resources, > etc., when there is a security breach. This only works if the company

Re: Spitballing IoT Security

2016-10-26 Thread Mark Andrews
In message <11718.1477517...@segfault.tristatelogic.com>, "Ronald F. Guilmette" writes: > In short, if sensible regulations requiring "safe" designs for IoT products > were to come into force in one locale, it is not only possible, but > actually quite likely that they would affect the whole

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026120634.ga20...@gsp.org>, Rich Kulawiec wrote: >On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote: >>2) Second, once elected I will decree that in future all new IoT devices, >> and also all updates to firmware for existing IoT

Re: Spitballing IoT Security

2016-10-26 Thread Jean-Francois Mezei
On 2016-10-26 16:58, Mark Andrews wrote: > > Actually things have changed a lot in a positive direction. > > * Router manufacturers are using device specific passwords. > * Microsoft, Apple, Linux and *BSD issue regular fixes for their > products and users do install them. > * My smart TV has

Re: Spitballing IoT Security

2016-10-26 Thread Mark Andrews
r damages, human > > > resources, etc., when there is a security breach. > > > > > > Regards, > > > Jordi > > > > > > > > > -Mensaje original- > > > De: NANOG <nanog-boun...@nanog.org> en nombre de Leo Bicknell

Re: Spitballing IoT Security

2016-10-26 Thread bzs
Re: certification of IoT devices analogous to UL etc Another potentially useful channel to give this idea legs is insurance companies; get them involved if possible. They underwrite the risks, particularly liability risks, for manufacturers. That's why "Underwriters Laboratory" is called that,

Re: Spitballing IoT Security

2016-10-26 Thread Ken Matlock
De: NANOG <nanog-boun...@nanog.org> en nombre de Leo Bicknell < > > bickn...@ufp.org> > > Organización: United Federation of Planets > > Responder a: <bickn...@ufp.org> > > Fecha: miércoles, 26 de octubre de 2016, 19:19 > > Para: <nanog@nanog.org>

Re: Spitballing IoT Security

2016-10-26 Thread Mel Beckman
Why does everyone think the Master Plan for World Domination has to be Evil? :) -mel beckman > On Oct 26, 2016, at 12:40 PM, Eric S. Raymond wrote: > > Mel Beckman : >> I also really like the idea of offering open source options to vendors, many >> of whom

Re: Spitballing IoT Security

2016-10-26 Thread Jean-Francois Mezei
re: having gadgets certified (aka UL/CSA for electric stuff). Devil is in the details. Who would certify it? And who would set the standards for certification? How fast would those standards change? Updated with each new attack? Would standards update require agreement of multiple parties who

Re: Spitballing IoT Security

2016-10-26 Thread jim deleskie
security breach. > > Regards, > Jordi > > > -Mensaje original- > De: NANOG <nanog-boun...@nanog.org> en nombre de Leo Bicknell < > bickn...@ufp.org> > Organización: United Federation of Planets > Responder a: <bickn...@ufp.org> > Fec

Re: Spitballing IoT Security

2016-10-26 Thread Eric S. Raymond
Mel Beckman : > I also really like the idea of offering open source options to vendors, many > of whom seem to illegally take that privilege anyway. A key fast-path > component, though, is in my opinion a new RFC for IoT security best > practices, and probably some revisions

Re: Spitballing IoT Security

2016-10-26 Thread JORDI PALET MARTINEZ
nanog.org> Asunto: Re: Spitballing IoT Security In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kulawiec wrote: > The makers of IoT devices are falling all over themselves to rush products > to market as quickly as possible in order to maximize their pro

Re: Spitballing IoT Security

2016-10-26 Thread Jean-Francois Mezei
While I agree that fixing home routers is the best approach, something bugs me. If an IoT vendor doesn't even know that its devices have telnet or ssh enabled by default (and hence, no management interface to change passwords) and only focuses on the web interface it has added, then how come

Re: Spitballing IoT Security

2016-10-26 Thread Leo Bicknell
In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kulawiec wrote: > The makers of IoT devices are falling all over themselves to rush products > to market as quickly as possible in order to maximize their profits. They > have no time for security. They don't concern themselves

Re: Spitballing IoT Security

2016-10-26 Thread Mel Beckman
Eric, I agree that the home router is a viable choke point, and even though we can’t quickly roll out new firmware, if we had started this ten years ago we’d be done by now! So this is the ten-year plan, but still worth doing. I also really like the idea of offering open source options to

Re: Spitballing IoT Security

2016-10-26 Thread Eric S. Raymond
Rich Kulawiec : > I think our working assumption should be that there will be zero cooperation > from the IoT vendors. (Yeah, once in a while one might actually step up, > but that will merely be a happy anomaly.) I agree. There is, however, a chokepoint we have more hope of

Re: Spitballing IoT Security

2016-10-26 Thread Rich Kulawiec
On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote: >2) Second, once elected I will decree that in future all new IoT devices, > and also all updates to firmware for existing IoT devices will have, > BUILT IN TO THE KERNEL, code/logic which (a) prevents all

Re: Spitballing IoT Security

2016-10-25 Thread bzs
On October 25, 2016 at 01:10 r...@tristatelogic.com (Ronald F. Guilmette) wrote: > > In message , > Jared Mauch wrote: > > >Top posting to provide some clarity: > > That's funny. Personally, I have always

Re: Spitballing IoT Security

2016-10-25 Thread Bruce Curtis
> On Oct 25, 2016, at 3:49 AM, Aled Morris wrote: > > On 25 October 2016 at 09:37, Jean-Francois Mezei < > jfmezei_na...@vaxination.ca> wrote: >> >> One way around this is for the pet feeder to initiate outbound >> connection to a central server, and have the pet owner connect

Re: Spitballing IoT Security

2016-10-25 Thread Jared Mauch
On Tue, Oct 25, 2016 at 12:09:26AM +0200, Matthias Waehlisch wrote: > IoT is not a well-defined term. Agreed. This is why I call it Internet of Trash. > IoT implementations depend on system constraints. Of course, this is how you see LoWPAN pop up as a possible solution. >

Re: Spitballing IoT Security

2016-10-25 Thread Chris Boyd
> On Oct 25, 2016, at 3:10 AM, Ronald F. Guilmette > wrote: > > An IoT is -not- a general purpose computer. In the latter case, it is > assumed that the owner will "pop the hood" when it comes to the software > configuration. Ah, but they are. In many cases you can

Re: Spitballing IoT Security

2016-10-25 Thread Ronald F. Guilmette
In message <580f19bf.2070...@vaxination.ca>, Jean-Francois Mezei wrote: >One way around this is for the pet feeder to initiate outbound >connection to a central server, and have the pet owner connect to that >server to ask the server to send command to his pet
