IoT security

Rich Kulawiec rsk at gsp.org
Wed Feb 8 15:12:54 UTC 2017


On Tue, Feb 07, 2017 at 10:01:29PM +0000, Ed Lopez quoted Bruce Schneier:
> There is no market solution, because the insecurity is what economists
> call an externality: It's an effect of the purchasing decision that
> affects other people.

This is precisely correct.  The only way to change this is to make
*our* problem *their* problem.   Let me remind everyone of one of the
very best things ever said on this mailing list:

	If you give people the means to hurt you, and they do it, and
	you take no action except to continue giving them the means to
	hurt you, and they take no action except to keep hurting you,
	then one of the ways you can describe the situation is "it isn't
	scaling well".
		--- Paul Vixie

This movie has been playing here 24x7 for the last few decades with
the spam problem (among others): most operations which emit it will
take absolutely no action of any kind until/unless it stops being *our*
problem and starts being *their* problem.  Having observed and studied
that particular issue since it existed to be observed and studied,
I've concluded that the only thing that has ever worked effectively is
blacklisting: that is, the revocation of access/service privileges.

And that's because it makes *our* problem *their* problem.  Everything
else is just avoidance and evasion.  It's feel-good stuff that might,
on a good day, deal with the symptoms of the problem -- but that's
all it is.  And dealing with symptoms isn't bad, per se: it makes the
patient feel better.  But it should never be accepted as a substitute
for dealing with the underlying problem.

Now we can either spend another couple more decades trying to tapdance
around this or we can learn the lesson that's been taught to us thousands
of times over many years and just cut to the chase.

So how about if we save some time?

If IOT-driven attacks and abuse are coming from X, then that needs to be
made X's problem.  Because right now X has no idea that this is happening,
and even if told, will take no action because it's not X's problem.

So make it X's problem.

And I don't just mean "X", the person who bought some badly-designed
poorly-engineered rushed-to-market never-tested piece of shiny
new cruft that was pre-compromised at the factory and hijacked by
attackers the moment it went live: I mean "X" the vendor who pulled that
stunt in order to make a quick buck and then dumped it on us.

We, for many values of "we", are not obligated to provide services to that
vendor.  (I do recognize that some are, due to contractual agreements.)
We should cut them off until/unless they recall all those devices,
get them removed from service, and solve what is now *their* problem
to *our* satisfaction.  I strongly suspect that it'll only take a
few pointed lessons in order for the message that this conduct is
unacceptable to be communicated in a language they understand.

I don't like this.   In a better world, vendors would be far more
responsible, professional, and ethical.  But we don't live in that
world.  We live in one where they will happily dump toxic waste on
the Internet as fast as they can shovel it -- as long as it's not
their problem.

We need to make it their problem.

---rsk
