Spitballing IoT Security

Ronald F. Guilmette rfg at tristatelogic.com
Thu Oct 27 03:44:35 UTC 2016

In message <89795.1477520656 at turing-police.cc.vt.edu>, 
Valdis.Kletnieks at vt.edu wrote:

>> Given that, and given that "OpenWRT and kin" often provide the end-user
>> with readily accessible dials and knobs via which the user can force the
>> device to *exceed* legal/FCC limits on power output, I am not persuaded
>> that open source WiFi router firmware actually represents a shining
>> example of a methodology to prevent inexpensive devices from behaving badly.
>Given that out of the box, the default config is in bounds, and it requires
>actual user interaction to exceed the limits, and that we don't see a very
>large problem out in the wild, I think we have prior art for the concept
>that "shipped with default and clued user can reconfigure" is a workable design.

You're right, of course, and I didn't mean to be picking on DD-WRT or
OpenWRT, both of which I have used and have great admiration and respect

It's just that if it comes down to a choice between putting a big sign on
something which says "Please keep your arms and legs inside the vehicle
at all times" or actually building somewhat difficult-to-remove barriers
which physically prevent people from dangling their arms and legs out,
given what we now know about typical end-luser behaviour (e.g. not even
changing default passwords), the latter seems probably preferable to the

But perhaps this is all just a matter to be sorted out in the UI.

DD-WRT and OpenWRT assume that users are adults and non-stupid, and I,
for one, certainly prefer to be treated that way.  But for garden
variety consumers it might not be such a bad idea to first ask them
to provide the cube root of 27, or the airspeed velocity of an unladen
swallow, or the answer to Life, The Universe and Everything before
allowing them to increase their WiFi transmit power above FCC legal
limits, or before allowing them to disengage the handbrake on their
Roomba outbound bandwidth limit.

(Note to self:  Patent idea:  Intellectual CAPTCHAs... you must be at
least this non-stupid in order to proceed past this point.  HEADLINE:
Sixty Eight Percent of American Adults Flunk Turing Test, Cannot Be
Reliably Distinguished From Mindless Automatons --  Ninety Seven Percent
For First-Line Tech Support Professionals :-)


More information about the NANOG mailing list