Spitballing IoT Security
Eric S. Raymond
esr at thyrsus.com
Wed Oct 26 12:30:43 UTC 2016
Rich Kulawiec <rsk at gsp.org>:
> I think our working assumption should be that there will be zero cooperation
> from the IoT vendors. (Yeah, once in a while one might actually step up,
> but that will merely be a happy anomaly.)
There is, however, a chokepoint we have more hope of getting decent software
deployed to. I refer to home and small-business routers. OpenWRT and kin
are already minor but significant players here. And there's an NRE-minimization
aregument we can make for router manufacturers to use rebranded versions
rather than rolling their own crappy firmware.
I think the anti-IoT-flood strategy that makes the most sense is:
1. Push open-source firmware that doesn't suck to the vendors with a
cost- and risk-minimization pitch.
2. Ship it with egress filters. (And telnet blocked.)
It wouldn't be technically very difficult to make the firmware
rate-limit outbound connections. Cute trick: if we unlimit any
local IP address that is a port-forwarding target, most users
will never notice because their browser sessions won't be effected.
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
More information about the NANOG