IoT security, was Krebs on Security booted off Akamai network

Florian Weimer fw at
Sun Oct 9 19:01:47 UTC 2016

* John R. Levine:

> On Sun, 9 Oct 2016, Florian Weimer wrote:
>> If we want consumers to make informed decisions, they need to
>> learn how things work up to a certain level.  And then current
>> technology already works.
> I think it's fair to say that security through consumer education has
> been a failure every time anyone has tried it.  Why do you think this
> would be any different?

People start to care once they have to.  Currently, there is not much
reason to worry about which devices you connect to your home network.
Even the interaction with Internet banking appears to be benign these

If your Internet connection goes down because something starts spewing
packets, you can probably find it by disconnecting everything until
you have found the culprit.  It's probably not much different from how
you find which device triggers the breaker.

Anything that's more proactive requires some level of knowledge, and
if we assume that it cannot be dispersed to consumers, then it means
someone else gets to manage their home networks.  And I'm not sure if
the ISPs should be doing this (or if they want any part in this, maybe
except if it enables them to charge per connected device and

>> There is little interest in this, however.  There's a comparable
>> business case for providing managed PCs to consumers, and I'm not sure
>> if any such companies are still left.
> There's at least two large ones: Microsoft and Apple.  Try installing
> Windows 10 without letting Microsoft update and reconfigure the
> software any time they want, any way they want.

I don't think I can phone Microsoft if something goes wrong.  In most
countries, they even disclaim responsibility for breakage introduced by
updates and point to the PC makers instead (from whom most consumers
bought their OEM version).

Apple may be different.

> Expecting consumers to evaluate the security behavior of their
> lightbulbs and their refrigerator is absurd.  We need to figure out
> how to have the devices and routers configure themselves so the
> devices can do what they need to do without doing what we really don't
> want them to do.

We already have UPnP.  Clearly, it does not work, but it's not obvious
to me why any different solution would end up as being just as
