Krebs on Security booted off Akamai network after DDoS attack proves pricey

Wed Sep 28 12:30:08 UTC 2016

On 09/28/2016 12:33 AM, Eliot Lear wrote:
> It's not just consumers that need to understand this.  Manufacturers of
> Things are right now on a steep learning curve.  Consider that
> thermostat, for just a moment.  In The Gold Old Days, before it had a
> network interface, the manufacturer cared about a handful of things like
> at what temperature to turn the heat or A/C on maybe with some
> adjustments for time of day or day or week.  And that was it.  That is
> their domain of expertise.  Not security.
>
> Now the Internet looks like a new shiny object that promises to provide
> some cool new world capabilities, like letting people adjust the temp
> while they're away, or using weather forecasts to manage hysteresis
> effects.  And so, the manufacturer initially thinks, we'll add an
> interface to the product, and a little bit of code, and we're done.  Now
> the manufacturer has stepped outside their domain of expertise, and
> doesn't have a full understanding of the risks that need to be
> addressed.  We as experts in this domain can help by informing
> manufacturers of those risks.

Many manufacturers will outsource the Internet portion of their product 
to a software provider, not build from scratch "in house".  The people 
we really need to get to are the ones that *provide* those packages the 
manufacturers use.

In the case of embedded Linux solutions, the discussion need only be 
about what knobs to turn, and how far.