Re: Spitballing IoT Security

[jim deleskie <deleskie () gmail com>]

So device is certified,  bug is found 2 years later.  How does this help.
The info to date is last week's issue was patched by the vendor in Sept
2015, I believe is what I read. We know bugs will creep in, (source anyone
that has worked with code forever) Also certification assuming it would
work, in what country, would I need one, per country I sell into?  These
are not the solutions you are looking for ( Jedi word play on purpose)

On Wed, Oct 26, 2016 at 3:53 PM, JORDI PALET MARTINEZ <
jordi.palet () consulintel es> wrote:

> Exactly, I was arguing exactly the same with some folks this week during
> the RIPE meeting.
>
> The same way that certifications are needed to avoid radio interferences,
> etc., and if you don’t pass those certifications, you can’t sell the
> products in some countries (or regions in case of EU for example),
> authorities should make sure that those certifications have a broader
> scope, including security and probably some other features to ensure that
> in case something is discovered in the future, they can be updated.
>
> Yes, that means cost, but a few thousand dollars of certification price
> increase, among thousands of millions of devices of the same model being
> manufactured, means a few cents for each unit.
>
> Even if we speak about 1 dollar per each product being sold, it is much
> cheaper than the cost of not doing it and paying for damages, human
> resources, etc., when there is a security breach.
>
> Regards,
> Jordi
>
>
> -----Mensaje original-----
> De: NANOG <nanog-bounces () nanog org> en nombre de Leo Bicknell <
> bicknell () ufp org>
> Organización: United Federation of Planets
> Responder a: <bicknell () ufp org>
> Fecha: miércoles, 26 de octubre de 2016, 19:19
> Para: <nanog () nanog org>
> Asunto: Re: Spitballing IoT Security
>
>     In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich
> Kulawiec wrote:
>     > The makers of IoT devices are falling all over themselves to rush
> products
>     > to market as quickly as possible in order to maximize their
> profits.  They
>     > have no time for security.  They don't concern themselves with
> privacy
>     > implications.  They don't run networks so they don't care about the
> impact
>     > their devices may have on them.  They don't care about liability:
> many of
>     > them are effectively immune because suing them would mean
> trans-national
>     > litigation, which is tedious and expensive.  (And even if they lost:
>     > they'd dissolve and reconstitute as another company the next day.)
>     > They don't even care about each other -- I'm pretty sure we're
> rapidly
>     > approaching the point where toasters will be used to attack garage
> door
>     > openers and washing machines.
>
>     You are correct.
>
>     I believe the answer is to have some sort of test scheme (UL
>     Labratories?) for basic security and updateability.  Then federal
>     legislation is passed requiring any product being imported into the
>     country to be certified, or it is refused.
>
>     Now when they rush to market and don't get certified they get $0
>     and go out of business.  Products are stopped at the boader, every
>     shipment is reviewed by authorities, and there is no cross boarder
>     suing issue.
>
>     Really it's product safety 101.  UL, the CPSC, NHTSA, DOT and a
>     host of others have regulations that if you want to import a product
>     for sale it must be safe.  It's not a new or novel concept, pretty
>     much every country has some scheme like it.
>
>     --
>     Leo Bicknell - bicknell () ufp org
>     PGP keys at http://www.ufp.org/~bicknell/
>
>
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.consulintel.es
> The IPv6 Company
>
> This electronic message contains information which may be privileged or
> confidential. The information is intended to be for the use of the
> individual(s) named above. If you are not the intended recipient be aware
> that any disclosure, copying, distribution or use of the contents of this
> information, including attached files, is prohibited.