Re: Spitballing IoT Security

[Eliot Lear <lear () ofcourseimright com>]

Moving offlist on this. For those who are interested, send ping.


On 11/11/16 4:42 PM, Marcel Plug wrote:
> On Fri, Nov 11, 2016 at 1:55 AM, Eliot Lear <lear () ofcourseimright com
> <mailto:lear () ofcourseimright com>> wrote:
>
>     It is worth asking what protections are necessary for a device that
>     regulates insulin.  
>
>
> Insulin pumps are an example of devices that have been over-regulated
> to the point where any and all innovation has been stifled.  There
> have been hardly any changes in the last 10+ years, during a time when
> all other technology has advanced quite a bit.  Its off-topic for
> Nanog, but i promise you this is very frustrating and annoying topic
> that hits me close to home.
>
> There has to be a middle ground.  I guarantee we do not want home
> firewalls, and all the IoT devices to be regulated like insulin pumps
> and other medical devices.  I think I'm starting to agree with those
> that want to keep government regulation out of this arena...
>
> Marcel
>  
>
>     Eliot
>
>
>     On 11/8/16 6:05 AM, Ronald F. Guilmette wrote:
>     > In message <20161108035148.2904B5970CF1 () rock dv isc org
>     <mailto:20161108035148.2904B5970CF1 () rock dv isc org>>,
>     > Mark Andrews <marka () isc org <mailto:marka () isc org>> wrote:
>     >
>     >> * Deploying regulation in one country means that it is less likely
>     >>  to be a source of bad traffic.  Manufactures are lazy.  With
>     >>  sensible regulation in single country everyone else benefits as
>     >>  manufactures will use a single code base when they can.
>     > I said that too, although not as concisely.
>     >
>     >> * Automated updates do reduce the numbers of vulnerable machines
>     >>  to known issues.  There are risks but they are nowhere as bad as
>     >>  not doing automated updating.
>     > I still maintain, based upon the abundant evidence, that
>     generallized
>     > hopes that timely and effective updates for all manner of
>     devices will
>     > be available throughout the practical lifetime of any such IoT
>     thingies
>     > is a mirage.  We will just never be there, in practice.  And thus,
>     > manufacturers should be encouraged, by force of law if necessary, to
>     > design software with a belt-and-suspenders margin of safety built in
>     > from the first day of shipping.
>     >
>     > You don't send out a spacecraft, or a medical radiation machine,
>     without
>     > such addtional constraints built in from day one.  You don't
>     send out
>     > such things and say "Oh, we can always send out of firmware
>     update later
>     > on if there is an issue."
>     >
>     > From a software perspective, building extra layers of
>     constraints is not
>     > that hard to do, and people have been doing this kind of thing
>     already
>     > for decades.  It's called engineering.  The problem isn't in
>     anybody's
>     > ability or inability to do safety engineering in the firmware of IoT
>     > things.  The only problem is providing the proper motivation to
>     cause
>     > it to happen.
>     >
>     >
>     > Regards,
>     > rfg
>     >

Attachment: signature.asc
Description: OpenPGP digital signature