nanog mailing list archives

Re: Spitballing IoT Security


From: "Ronald F. Guilmette" <rfg () tristatelogic com>
Date: Thu, 27 Oct 2016 11:26:57 -0700


In message <20161027112601.GA17170 () ussenterprise ufp org>, 
Leo Bicknell <bicknell () ufp org> wrote:

> Problems I think consumer safety legislation can solve:
>
> * SSH and Telnet were enabled, but there was no notification in the UI
>   that they were enabled and no way to turn them off.  Requirements
>   could be set to show all services in the UI and if they are on or
>   off.
>
> * There was a hard coded user + pass that the consumer COULD NOT CHANGE,
>   and did not display.  Requirements could be set to never hard code an
>   account.
>
> * That the system has a user-friendly way to update.  "Click here to
>   check for update."  "Click here to install update."


I say again, #3 is useless, unless and until you also have legislation
that:

     *)  Forces tech companies to never go bankrupt.

     *)  Forces tech companies to -timely- issue security patches for all
         "critical" security issues (and good luck legally defining THAT).

     *)  Forces tech companies to continue to issue security patches for
         as long as any "significant" number of the relevant devices
         remain actively in use, even if that turns out to be 20 years
         or more.

You can force a company to implement a "user-friendly way to update",
but what's the point of doing that if the company never issues any
updates?

I say again, the only way to solve these problems is if the devices
are fundamentally secure by design, on the day they first ship to
customers.  Post-sale patching is an ad hoc and haphazard
catch-as-catch-can solution at best, and it's not something that most manufacturers
have -any- financial incentive to even do.  They already got their
money, on the day when the consumer bought the device.  The rest is
just an afterthought.

Regards,
rfg
