Spitballing IoT Security
jim deleskie
deleskie at gmail.com
Wed Oct 26 19:40:57 UTC 2016
So a device is certified, and a bug is found 2 years later. How does this help?
The info to date is that last week's issue was patched by the vendor in Sept
2015, I believe is what I read. We know bugs will creep in (source: anyone
that has worked with code forever). Also, certification, assuming it would
work, in what country? Would I need one per country I sell into? These
are not the solutions you are looking for (Jedi word play on purpose).
On Wed, Oct 26, 2016 at 3:53 PM, JORDI PALET MARTINEZ <jordi.palet at consulintel.es> wrote:
> Exactly, I was arguing exactly the same with some folks this week during
> the RIPE meeting.
>
> The same way that certifications are needed to avoid radio interference,
> etc., and if you don't pass those certifications, you can't sell the
> products in some countries (or regions, in the case of the EU for example),
> authorities should make sure that those certifications have a broader
> scope, including security and probably some other features to ensure that,
> in case something is discovered in the future, they can be updated.
>
> Yes, that means cost, but a few thousand dollars of certification price
> increase, among thousands of millions of devices of the same model being
> manufactured, means a few cents for each unit.
>
> Even if we speak about 1 dollar per each product being sold, it is much
> cheaper than the cost of not doing it and paying for damages, human
> resources, etc., when there is a security breach.
>
> Regards,
> Jordi
>
>
> -----Original Message-----
> From: NANOG <nanog-bounces at nanog.org> on behalf of Leo Bicknell <bicknell at ufp.org>
> Organization: United Federation of Planets
> Reply to: <bicknell at ufp.org>
> Date: Wednesday, October 26, 2016, 19:19
> To: <nanog at nanog.org>
> Subject: Re: Spitballing IoT Security
>
> In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich
> Kulawiec wrote:
> > The makers of IoT devices are falling all over themselves to rush products
> > to market as quickly as possible in order to maximize their profits. They
> > have no time for security. They don't concern themselves with privacy
> > implications. They don't run networks so they don't care about the impact
> > their devices may have on them. They don't care about liability: many of
> > them are effectively immune because suing them would mean trans-national
> > litigation, which is tedious and expensive. (And even if they lost:
> > they'd dissolve and reconstitute as another company the next day.)
> > They don't even care about each other -- I'm pretty sure we're rapidly
> > approaching the point where toasters will be used to attack garage door
> > openers and washing machines.
>
> You are correct.
>
> I believe the answer is to have some sort of test scheme (UL
> Laboratories?) for basic security and updateability. Then federal
> legislation is passed requiring any product being imported into the
> country to be certified, or it is refused.
>
> Now when they rush to market and don't get certified they get $0
> and go out of business. Products are stopped at the border, every
> shipment is reviewed by authorities, and there is no cross-border
> suing issue.
>
> Really it's product safety 101. UL, the CPSC, NHTSA, DOT and a
> host of others have regulations that if you want to import a product
> for sale it must be safe. It's not a new or novel concept, pretty
> much every country has some scheme like it.
>
> --
> Leo Bicknell - bicknell at ufp.org
> PGP keys at http://www.ufp.org/~bicknell/