Spitballing IoT Security

knack nanog at deltasly.com
Thu Oct 27 03:46:36 UTC 2016

I agree wholeheartedly.


Yes, BCP (any relevant to your business), filtering, active tit-for-tat 
with abuse teams, calling out manufacturers, ISPs doing /anything/ (most 
already block 25 and 80, not that they give you the upload to bother 
with the latter and it's not necessarily for the good of the 'net as a 
whole) - they're all things we absolutely should be doing.  That doesn't 
change the fact that all of those are just*ambulances in the valley*. 
If we're going to solve this, we need to be better as a species - we're 
about to the place where we can't progress much farther (without some 
sort of caste system nightmare - /The Diamond Age/ comes to mind) *until 
basic computing and good practice are as pervasive as the ability to 
read and write.*  Hint:  I don't mean 'can do an app on the smartphone' 
- real understanding and appreciation.

I'm not saying everyone needs to be a savant, but a basic understanding 
of the technology you*^1 use *every.single.day* for almost 
*every.single.function* of your life isn't asking much, I don't think.  
The ability to think logically and problem solve is something that I see 
declining in even the brighter of the youths I've encountered in the 
past few years.

This "it just works/should work" willfully (almost maliciously 
sometimes) ignorant mentality - pushed by vendors and craved by the 
overworked - is stunting our potential.  Christ, the people who are *in 
charge of the world* (not necessarily those who /run/ it...but I'd be a 
good portion still) don't even understand the basics of how these 
machines, and this thing that facilitates the global economy, work.  The 
root problem is much, much more significant than DoS attacks and spam.

Maybe we need to start younger - I can't speak for all schools, but my 
'computer course' was "here's Mavis Beacon - play games and...whatever" 
- I hope it's not [really | still] like that.  Maybe we, the community, 
create and sponsor course material, maybe there's a push for more than 
Cisco Academy - at this point this knowledge a public safety issue and 
should be a respected part of the general education syllabus (too bad 
we're all too busy with standardized tests to care).  Something so 
inherently part of everyday life cannot be just for the 'nerds' or even 
the especially interested, anymore.

I don't know what to do about manufacturers - it's been a global race to 
bottom for years now.  Someone mentioned a device certification 
earlier.  It's something and a start at least, so I'm on board and 
willing to devote some time.  I'm not sure this is something the 
community alone will be able to drive, silently, from the shadows.  The 
cynic in me wants to throw in to buy a politician or two.

The usual trick is to hit them where it hurts - in the wallet. Their 
wallets are so large these days (and constantly consolidating, lessening 
the chance of real change and competition) that I'm at a loss as to how.

Maybe a slow increase in user-required configurations, decisions, and 
interaction...complete with logical explanations to help with said 
decisions?  I don't know...that could affect profits this quarter 
(because who looks farther ahead than that...long term effects and 
progress aren't important anymore, right?).  Pavlovian training?  Seems 
a bit totalitarian.

The /last/ thing I want is government (on the country or global scale) 
intervention..the 2nd to last is to use this upcoming metaphor (but I 
haven't a better one).

Look at cars - in more places then not, it's damn near impossible to be 
a functional and contributory adult without a car; some might even call 
it a 'right' in the 1st world.  Does that stop us from driver's ed 
courses**^2 in school?  Do we not teach the basics of safe operation, 
maintenance, and even a bit about how it works under the hood (my school 
did)?  Does the ubiquity of the automobile stop the removal of that 
(legal) ability for those who *endanger others* or otherwise abuse the 
driving privilege?  No...no it doesn't.  Granted, there are still those 
who are going to do what they're going to do - but that number is 
lessened (and some even come around to see the harm).

That does *not* mean I think there should be a 'compu-tar license' - not 
at all.  But it *does* mean that everyone should be taught responsible 
computing, the harms of carelessness, and the fun in knowing how these 
things work.

Anyway - thanks for the rant (been bothering me for a while now)...I do 
believe we should address and minimize the symptoms as they appear, but 
without surgical attacks directed at the dark heart of the beast (be 
that people, intrinsically, or just our social norms) we're going to end 
up with either a horribly censored, totalitarian internet "app" regime, 
or burnt to the ground in chaos - too distracted by inane, emotionally 
infused, bullshit pumped forth day-to-day at an ADD inducing pace (meant 
to give us the ol' numb & dumb - I'll admit I succumb more often than 
I'd like - not trying to high-horse here), to notice the fires until 
it's too late to stomp them out.  I never imagined we***^3 could become 
so dichotomous-ly obsessed yet ignorant.

Yes, there will always be malicious people but, in the same way we 
convinced most of the world that sacrificing humans is murder and kinda 
wrong (and engaged them in at least a few active prevention tactics), we 
need to stigmatize -- really */really/* stigmatize (to the core of the 
soul) this bullshit.  On a side note: giving 10 years to the guy who 
just wanted to tinker with "his own" (because we don't /own/ anything 
anymore, in a hyperbolic way) equipment isn't the way to do it.

Everything seems overly fatalistic and over-dramatized until the moment 
it's not - how many disasters could have been prevented if people just 
listened to the engineers (ask the Challenger)?  Of course, we're still 
prescribing antibiotics for virii in the face of MRSA and worse - hell 
Pompeii partied until they were literally dying in the streets...so 
let's drink up, add a little duct tape, and worry about it in a few 
years (/s).  Or, we keep pushing, wherever possible, and maybe something 
will pop.

Seldom do I wish to be proven incorrect - here I do.  Contrary to what 
it may seem, I think we***^3 still have a chance.

*1: That's /you, the generalization I'm referring to/, and not /you, the 
specific people reading this./
**2: Though, unfortunately due to that government intervention, we spent 
more time memorizing the specific BAC to age ratio to determine your 
fine and loss of license than honing basic knowledge and skills.
***3: Again, that's /we, as a society of 7 billion - call it a median or 
mode/ rather than /we, individuals in a set/.


(Disclaimer: I don't like speaking publicly, especially at this length 
(though I've cut out a good 60%, as I admit I have a rambling problem).  
I've spent the last week writing and re-writing versions of this; I 
still don't like it (both overly idealistic and fatalistic at the same 
time, and the "voice" is much harsher than I would have liked - the 
tradeoff of curtailing the rambling I suppose), but I had a strong 
reaction to this subject.  ...And yes I even debated the disclaimer, as 
it's hokey as all getout...best I could muster was to move it to the 
end.  My apologies if I've overlooked points below being covered 
previously in the thread - /thank you for the ear & I'm sorry/™).


On 10/26/2016 3:12 PM, Ken Matlock wrote:
> As a relative 'outsider' I see a lot of finger-pointing and phrasing this
> as (effectively) someone else's fault.
> To me this is a failing on a number of levels all contributing to the
> problem.
> 1) The manufacturer - Backdoors, hidden accounts, remote access
> capabilities, no proper security testing. No enforcing of security updates.
> 2) The end-user - No initiative on the end-user's perspective to gain even
> a basic understanding of how the device works, connects, etc. Also no tools
> or understanding of how to recognize *which* of their many devices on the
> network might be compromised and participating in the botnet. (Only
> indication they get is maybe their internet is slow)
> 3) The service providers - No effective monitoring of outgoing traffic from
> the end users to identify botnets and DDoS in a real-time fashion
> I contend that all 3 levels have failed in this, and nothing has
> fundamentally changed (today it's IoT, before it was unpatched windows
> boxes, etc) in decades. We keep talking about the problem but very little
> actual action has occurred to *fix* the underlying issues.
> - Manufacturers need to be held accountable for devices that go on the
> internet (that includes *anything* that's connected. PCs, servers, routers,
> IoT devices, etc)
> - End users need to have ways to easily see what's going on over their
> local networks, to see botnet-like activity and DDoS participation (among
> other things) in a more real-time fashion
> - Service providers need to be much more proactive in watching for threats
> and identifying/blocking them at the source, not allowing the traffic to
> flow to your peers and making it someone else's problem. Right now there's
> a financial disincentive to doing this, in both real costs (standing up
> monitoring gear/etc), and imagined (my ISP is SPYING on me!).
> Until we fix all 3 of these main issues we're just going to keep going in
> the same set of circles we do every time a 'new' threat/vector comes in.
> Now, are these issues *easy*? Oh, heck no!  Are they *cheap*? Once again,
> heck no! But to 'fix' this issue it will take all 3 levels being fixed.
> If we continue to keep pointing fingers at "the other guy" as the root of
> the problem we're inviting external forces (Legislation) to step in and
> 'fix' the problem for us (and it will just make it worse).
> My 2 cents (adjust for inflation)
> Ken
> On Wed, Oct 26, 2016 at 1:40 PM, jim deleskie <deleskie at gmail.com> wrote:
>> So device is certified,  bug is found 2 years later.  How does this help.
>> The info to date is last week's issue was patched by the vendor in Sept
>> 2015, I believe is what I read. We know bugs will creep in, (source anyone
>> that has worked with code forever) Also certification assuming it would
>> work, in what country, would I need one, per country I sell into?  These
>> are not the solutions you are looking for ( Jedi word play on purpose)
>> On Wed, Oct 26, 2016 at 3:53 PM, JORDI PALET MARTINEZ <
>> jordi.palet at consulintel.es> wrote:
>>> Exactly, I was arguing exactly the same with some folks this week during
>>> the RIPE meeting.
>>> The same way that certifications are needed to avoid radio interferences,
>>> etc., and if you don’t pass those certifications, you can’t sell the
>>> products in some countries (or regions in case of EU for example),
>>> authorities should make sure that those certifications have a broader
>>> scope, including security and probably some other features to ensure that
>>> in case something is discovered in the future, they can be updated.
>>> Yes, that means cost, but a few thousand dollars of certification price
>>> increase, among thousands of millions of devices of the same model being
>>> manufactured, means a few cents for each unit.
>>> Even if we speak about 1 dollar per each product being sold, it is much
>>> cheaper than the cost of not doing it and paying for damages, human
>>> resources, etc., when there is a security breach.
>>> Regards,
>>> Jordi
>>> -----Mensaje original-----
>>> De: NANOG <nanog-bounces at nanog.org> en nombre de Leo Bicknell <
>>> bicknell at ufp.org>
>>> Organización: United Federation of Planets
>>> Responder a: <bicknell at ufp.org>
>>> Fecha: miércoles, 26 de octubre de 2016, 19:19
>>> Para: <nanog at nanog.org>
>>> Asunto: Re: Spitballing IoT Security
>>>      In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich
>>> Kulawiec wrote:
>>>      > The makers of IoT devices are falling all over themselves to rush
>>> products
>>>      > to market as quickly as possible in order to maximize their
>>> profits.  They
>>>      > have no time for security.  They don't concern themselves with
>>> privacy
>>>      > implications.  They don't run networks so they don't care about the
>>> impact
>>>      > their devices may have on them.  They don't care about liability:
>>> many of
>>>      > them are effectively immune because suing them would mean
>>> trans-national
>>>      > litigation, which is tedious and expensive.  (And even if they
>> lost:
>>>      > they'd dissolve and reconstitute as another company the next day.)
>>>      > They don't even care about each other -- I'm pretty sure we're
>>> rapidly
>>>      > approaching the point where toasters will be used to attack garage
>>> door
>>>      > openers and washing machines.
>>>      You are correct.
>>>      I believe the answer is to have some sort of test scheme (UL
>>>      Labratories?) for basic security and updateability.  Then federal
>>>      legislation is passed requiring any product being imported into the
>>>      country to be certified, or it is refused.
>>>      Now when they rush to market and don't get certified they get $0
>>>      and go out of business.  Products are stopped at the boader, every
>>>      shipment is reviewed by authorities, and there is no cross boarder
>>>      suing issue.
>>>      Really it's product safety 101.  UL, the CPSC, NHTSA, DOT and a
>>>      host of others have regulations that if you want to import a product
>>>      for sale it must be safe.  It's not a new or novel concept, pretty
>>>      much every country has some scheme like it.
>>>      --
>>>      Leo Bicknell - bicknell at ufp.org
>>>      PGP keys at http://www.ufp.org/~bicknell/
>>> **********************************************
>>> IPv4 is over
>>> Are you ready for the new Internet ?
>>> http://www.consulintel.es
>>> The IPv6 Company
>>> This electronic message contains information which may be privileged or
>>> confidential. The information is intended to be for the use of the
>>> individual(s) named above. If you are not the intended recipient be aware
>>> that any disclosure, copying, distribution or use of the contents of this
>>> information, including attached files, is prohibited.

More information about the NANOG mailing list