Spitballing IoT Security

bzs at TheWorld.com
Wed Oct 26 20:18:30 UTC 2016

Re: certification of IoT devices analogous to UL etc

Another potentially useful channel to give this idea legs is
insurance companies; get them involved if possible.

They underwrite the risks, particularly liability risks, for
manufacturers. That's why "Underwriters Laboratory" is called that;
ultimately it's an arm of the insurance industry.

If the insurance companies tell a manufacturer they won't cover risk
for any non-certified device, the device will almost certainly be

Similar repercussions for wholesale and retail outlets who could
decide to just not offer non-certified devices, for insurance reasons
and otherwise.

As to those who would try maneuvers such as bankrupting or using shell
companies which are dissolved when liabilities occur, such willful acts
often allow "piercing of the corporate veil".

That is, those individuals involved can be sued or held criminally
liable personally and any such indemnification made worthless as a
protection or defense.

In the US, at least, if there's a pattern of such behavior, such as
serially setting up shell corps and bankrupting them when trouble
arises, the fearsome RICO statutes can be invoked. Basically they
provide the added felonies of racketeering and engaging in a
conspiracy to commit criminal acts.

Not being located in the US may not be sufficient for evasion of
prosecution; merely doing business in the US (e.g., selling one's
products, establishing a "nexus") can make one a valid target for US
(and other) law enforcement.

The fly I see in all this ointment is that getting there could be a
lot of honest work, so who would do that and champion this idea?

        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
