nanog mailing list archives
Re: Spitballing IoT Security
From: "Ronald F. Guilmette" <rfg () tristatelogic com>
Date: Mon, 07 Nov 2016 21:05:32 -0800
In message <20161108035148.2904B5970CF1 () rock dv isc org>, Mark Andrews <marka () isc org> wrote:
* Deploying regulation in one country means that it is less likely to be a source of bad traffic. Manufactures are lazy. With sensible regulation in single country everyone else benefits as manufactures will use a single code base when they can.
I said that too, although not as concisely.
* Automated updates do reduce the numbers of vulnerable machines to known issues. There are risks but they are nowhere as bad as not doing automated updating.
I still maintain, based upon the abundant evidence, that generallized hopes that timely and effective updates for all manner of devices will be available throughout the practical lifetime of any such IoT thingies is a mirage. We will just never be there, in practice. And thus, manufacturers should be encouraged, by force of law if necessary, to design software with a belt-and-suspenders margin of safety built in from the first day of shipping. You don't send out a spacecraft, or a medical radiation machine, without such addtional constraints built in from day one. You don't send out such things and say "Oh, we can always send out of firmware update later on if there is an issue."
From a software perspective, building extra layers of constraints is not
that hard to do, and people have been doing this kind of thing already for decades. It's called engineering. The problem isn't in anybody's ability or inability to do safety engineering in the firmware of IoT things. The only problem is providing the proper motivation to cause it to happen. Regards, rfg
Current thread:
- Re: Spitballing IoT Security Mark Andrews (Nov 07)
- Re: Spitballing IoT Security Ronald F. Guilmette (Nov 07)
- Re: Spitballing IoT Security Eliot Lear (Nov 10)
- Re: Spitballing IoT Security Marcel Plug (Nov 11)
- Re: Spitballing IoT Security Eliot Lear (Nov 11)
- Re: Spitballing IoT Security Eliot Lear (Nov 10)
- Re: Spitballing IoT Security Ronald F. Guilmette (Nov 07)