nanog mailing list archives
Re: Spitballing IoT Security
From: jim deleskie <deleskie () gmail com>
Date: Wed, 26 Oct 2016 16:40:57 -0300
So device is certified, bug is found 2 years later. How does this help. The info to date is last week's issue was patched by the vendor in Sept 2015, I believe is what I read. We know bugs will creep in, (source anyone that has worked with code forever) Also certification assuming it would work, in what country, would I need one, per country I sell into? These are not the solutions you are looking for ( Jedi word play on purpose) On Wed, Oct 26, 2016 at 3:53 PM, JORDI PALET MARTINEZ < jordi.palet () consulintel es> wrote:
Exactly, I was arguing exactly the same with some folks this week during the RIPE meeting. The same way that certifications are needed to avoid radio interferences, etc., and if you don’t pass those certifications, you can’t sell the products in some countries (or regions in case of EU for example), authorities should make sure that those certifications have a broader scope, including security and probably some other features to ensure that in case something is discovered in the future, they can be updated. Yes, that means cost, but a few thousand dollars of certification price increase, among thousands of millions of devices of the same model being manufactured, means a few cents for each unit. Even if we speak about 1 dollar per each product being sold, it is much cheaper than the cost of not doing it and paying for damages, human resources, etc., when there is a security breach. Regards, Jordi -----Mensaje original----- De: NANOG <nanog-bounces () nanog org> en nombre de Leo Bicknell < bicknell () ufp org> Organización: United Federation of Planets Responder a: <bicknell () ufp org> Fecha: miércoles, 26 de octubre de 2016, 19:19 Para: <nanog () nanog org> Asunto: Re: Spitballing IoT Security In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kulawiec wrote: > The makers of IoT devices are falling all over themselves to rush products > to market as quickly as possible in order to maximize their profits. They > have no time for security. They don't concern themselves with privacy > implications. They don't run networks so they don't care about the impact > their devices may have on them. They don't care about liability: many of > them are effectively immune because suing them would mean trans-national > litigation, which is tedious and expensive. (And even if they lost: > they'd dissolve and reconstitute as another company the next day.) > They don't even care about each other -- I'm pretty sure we're rapidly > approaching the point where toasters will be used to attack garage door > openers and washing machines. You are correct. I believe the answer is to have some sort of test scheme (UL Labratories?) for basic security and updateability. Then federal legislation is passed requiring any product being imported into the country to be certified, or it is refused. Now when they rush to market and don't get certified they get $0 and go out of business. Products are stopped at the boader, every shipment is reviewed by authorities, and there is no cross boarder suing issue. Really it's product safety 101. UL, the CPSC, NHTSA, DOT and a host of others have regulations that if you want to import a product for sale it must be safe. It's not a new or novel concept, pretty much every country has some scheme like it. -- Leo Bicknell - bicknell () ufp org PGP keys at http://www.ufp.org/~bicknell/ ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.consulintel.es The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.
Current thread:
- Re: Spitballing IoT Security, (continued)
- Re: Spitballing IoT Security Eric S. Raymond (Oct 26)
- Re: Spitballing IoT Security Mel Beckman (Oct 26)
- Re: Spitballing IoT Security Ronald F. Guilmette (Oct 26)
- Re: Spitballing IoT Security Valdis . Kletnieks (Oct 26)
- Re: Spitballing IoT Security Ronald F. Guilmette (Oct 26)
- Re: Spitballing IoT Security Jean-Francois Mezei (Oct 26)
- Re: Spitballing IoT Security Ronald F. Guilmette (Oct 26)
- Re: Spitballing IoT Security Leo Bicknell (Oct 26)
- Re: Spitballing IoT Security Jean-Francois Mezei (Oct 26)
- Re: Spitballing IoT Security JORDI PALET MARTINEZ (Oct 26)
- Re: Spitballing IoT Security jim deleskie (Oct 26)
- Re: Spitballing IoT Security Jean-Francois Mezei (Oct 26)
- Re: Spitballing IoT Security Ken Matlock (Oct 26)
- Re: Spitballing IoT Security Mark Andrews (Oct 26)
- Re: Spitballing IoT Security Jean-Francois Mezei (Oct 26)
- Re: Spitballing IoT Security Brandon Butterworth (Oct 26)
- Re: Spitballing IoT Security Ronald F. Guilmette (Oct 26)
- Re: Spitballing IoT Security Mark Andrews (Oct 26)
- Re: Spitballing IoT Security bzs (Oct 27)
- Re: Spitballing IoT Security Ronald F. Guilmette (Oct 26)
- Re: Spitballing IoT Security Mark Andrews (Oct 27)