nanog mailing list archives
Re: Spitballing IoT Security
From: Marcel Plug <marcelplug () gmail com>
Date: Fri, 11 Nov 2016 10:42:33 -0500
On Fri, Nov 11, 2016 at 1:55 AM, Eliot Lear <lear () ofcourseimright com> wrote:
It is worth asking what protections are necessary for a device that regulates insulin.
Insulin pumps are an example of devices that have been over-regulated to the point where any and all innovation has been stifled. There have been hardly any changes in the last 10+ years, during a time when all other technology has advanced quite a bit. It's off-topic for Nanog, but I promise you this is a very frustrating and annoying topic that hits me close to home. There has to be a middle ground. I guarantee we do not want home firewalls, and all the IoT devices to be regulated like insulin pumps and other medical devices. I think I'm starting to agree with those that want to keep government regulation out of this arena...

Marcel
Eliot

On 11/8/16 6:05 AM, Ronald F. Guilmette wrote:

In message <20161108035148.2904B5970CF1 () rock dv isc org>, Mark Andrews <marka () isc org> wrote:

* Deploying regulation in one country means that it is less likely to be a source of bad traffic. Manufacturers are lazy. With sensible regulation in single country everyone else benefits as manufacturers will use a single code base when they can.

I said that too, although not as concisely.

* Automated updates do reduce the numbers of vulnerable machines to known issues. There are risks but they are nowhere as bad as not doing automated updating.

I still maintain, based upon the abundant evidence, that generalized hopes that timely and effective updates for all manner of devices will be available throughout the practical lifetime of any such IoT thingies are a mirage. We will just never be there, in practice. And thus, manufacturers should be encouraged, by force of law if necessary, to design software with a belt-and-suspenders margin of safety built in from the first day of shipping.

You don't send out a spacecraft, or a medical radiation machine, without such additional constraints built in from day one. You don't send out such things and say "Oh, we can always send out a firmware update later on if there is an issue."

From a software perspective, building extra layers of constraints is not that hard to do, and people have been doing this kind of thing already for decades. It's called engineering. The problem isn't in anybody's ability or inability to do safety engineering in the firmware of IoT things. The only problem is providing the proper motivation to cause it to happen.

Regards,
rfg