nanog mailing list archives
Re: Spitballing IoT Security
From: Leo Bicknell <bicknell () ufp org>
Date: Thu, 27 Oct 2016 04:26:01 -0700
In a message written on Wed, Oct 26, 2016 at 04:40:57PM -0300, jim deleskie wrote:
So device is certified, bug is found 2 years later. How does this help? The info to date is last week's issue was patched by the vendor in Sept 2015, I believe is what I read. We know bugs will creep in (source: anyone that has worked with code forever). Also certification, assuming it would work, in what country, would I need one per country I sell into? These are not the solutions you are looking for (Jedi word play on purpose).
You're referencing a wider problem set than I am trying to solve.

Problems I think consumer safety legislation can solve:

* SSH and Telnet were enabled, but there was no notification in the UI that they were enabled and no way to turn them off. Requirements could be set to show all services in the UI and if they are on or off.

* There was a hard coded user + pass that the consumer COULD NOT CHANGE, and did not display. Requirements could be set to never hard code an account.

* That the system has a user-friendly way to update. "Click here to check for update." "Click here to install update."

What consumer safety legislation can't do is insure a patch is made available at some point in the future.

As for certification, I will point out minimally all of these products are already getting CE, UL, and FCC (if Wireless). They also have to meet other regulations (e.g. RoHS) to be imported. To really minimize burden, these security items could be added to one of the existing schemes so there is no additional org. But the idea that a certification per country is difficult is pretty much debunked by the fact that it is that way already, multiple times over in most cases.

--
Leo Bicknell - bicknell () ufp org
PGP keys at http://www.ufp.org/~bicknell/