nanog mailing list archives

Re: Spitballing IoT Security


From: "Eric S. Raymond" <esr () thyrsus com>
Date: Wed, 26 Oct 2016 08:30:43 -0400

Rich Kulawiec <rsk () gsp org>:
> I think our working assumption should be that there will be zero cooperation
> from the IoT vendors.  (Yeah, once in a while one might actually step up,
> but that will merely be a happy anomaly.)

I agree.

There is, however, a chokepoint we have more hope of getting decent software
deployed to.  I refer to home and small-business routers.  OpenWRT and kin
are already minor but significant players here. And there's an NRE-minimization
argument we can make for router manufacturers to use rebranded versions
rather than rolling their own crappy firmware.

I think the anti-IoT-flood strategy that makes the most sense is:

1. Push open-source firmware that doesn't suck to the vendors with a
   cost- and risk-minimization pitch.

2. Ship it with egress filters.  (And telnet blocked.)

It wouldn't be technically very difficult to make the firmware
rate-limit outbound connections.  Cute trick: if we unlimit any
local IP address that is a port-forwarding target, most users
will never notice because their browser sessions won't be affected.
-- 
                Eric S. Raymond <http://www.catb.org/~esr/>
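As an added illustration (not part of the post above, and not OpenWrt's or ESR's code), the following POSIX shell script generates an nftables ruleset that implements the two router-side measures the message proposes: egress filtering with telnet blocked, and a per-host rate limit on new outbound connections from which port-forwarding targets are exempt. Interface names "br-lan" and "wan", the 30 new flows per second threshold, the table, set and chain names, and the choice to block telnet in both directions (LAN to WAN as well as WAN to LAN) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: emit an nft(8) ruleset for a home/small-business router.
# Assumptions: OpenWrt-style interface names, table/chain/set names chosen
# here, and a rate of 30 new outbound flows per second per LAN host.
LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-wan}"
NEW_FLOW_RATE="${NEW_FLOW_RATE:-30/second}"

# join_ips A B C -> "A, B, C" (nft set element syntax)
join_ips() {
    _out=""
    for _ip in "$@"; do
        if [ -z "$_out" ]; then _out="$_ip"; else _out="$_out, $_ip"; fi
    done
    printf '%s' "$_out"
}

# gen_egress_ruleset [PORT_FORWARD_TARGET_IP ...]
# Prints a ruleset that:
#   - rejects telnet (tcp/23) from LAN to WAN and drops it from WAN to LAN,
#   - drops telnet aimed at the router itself on the WAN side,
#   - exempts port-forwarding targets from the outbound rate limit,
#   - drops new LAN->WAN flows from any other host above NEW_FLOW_RATE.
# The telnet rules come before the exemption so that exempt hosts still
# cannot telnet out.  With no arguments the set is emitted empty, which
# nft accepts.
gen_egress_ruleset() {
    _elements=""
    if [ "$#" -gt 0 ]; then
        _elements="        elements = { $(join_ips "$@") }"
    fi
    cat <<EOF
table inet egress {
    set pf_targets {
        type ipv4_addr
${_elements}
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$WAN_IF" tcp dport 23 counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$LAN_IF" oifname "$WAN_IF" tcp dport 23 counter reject with tcp reset
        iifname "$WAN_IF" oifname "$LAN_IF" tcp dport 23 counter drop
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr @pf_targets counter accept
        iifname "$LAN_IF" oifname "$WAN_IF" ct state new meter egress_src { ip saddr limit rate over $NEW_FLOW_RATE } counter drop
    }
}
EOF
}

# Usage (sample addresses are constructed):
#   gen_egress_ruleset 192.168.1.10 192.168.1.20 > /tmp/egress.nft
#   nft -c -f /tmp/egress.nft   # syntax check only
#   nft -f /tmp/egress.nft      # load
```

The meter keys the limit on the LAN source address, so one chatty or compromised device is throttled without affecting its neighbours; the exemption rule for hosts in the pf_targets set is the "cute trick" from the message, since a host someone deliberately exposed is one they expect to see heavy traffic from. Load the generated file with nft -f after checking it with nft -c -f.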
