nanog mailing list archives

RE: Spitballing IoT Security


From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Fri, 28 Oct 2016 07:13:26 -0600


On Thursday, 27 October, 2016 22:09, Eliot Lear <lear () ofcourseimright com> said:

On 10/28/16 1:55 AM, Keith Medcalf wrote:

The problem is in allowing inbound connections and going as far as doing UPnP to tell the CPE router to open an inbound door to let hackers log in to that IoT pet feeder to turn it into an aggressive DNS destroyer.
Well yes.  uPnP is a problem precisely because it is some random device
asserting on its own that it can be trusted to do what it wants.  Had
that assertion come from the manufacturer, at least you would know that
the device was designed to require that sort of access.**

And why would anyone in their right mind trust the manufacturer to make
this decision?  <Shudder>

Because the manufacturer designed the device and knows best as to what
sort of access it will require.

Manufacturers of devices and Operating Systems (particularly Microsoft Windows) have proven over and over and over again that they cannot be trusted to make that decision.  One of the worst offenders, any version of Windows subsequent to Windows XP, insists on dropping its knickers (opening the firewall) so that anything that wants to can fuck about with (connect to, unrestricted, from the internet) all the myriad of ever-growing piles of shit included by Microsoft.  Even if you close the firewall, the Manufacturer believes it knows better and changes your settings, without your permission.  If you are stupid enough to run UPnP on your network, then all the drivel flarn filth is directly accessible from the internet (and beyond) without restriction.

Preventing the manufacturer from doing that takes a *LOT* of *DEEP* surgery.

I wish that Ballmer fellow would just up and die, and that damn Indian too, even more so.  If they got some help along those lines the world would be a much better place.  They are both total asshats and enemies of security and functionality everywhere.

However, it is not just a Microsoft thing -- ALL of them think they know better and they should all fuck off and die.

Consider that today most devices have
unfettered outbound access, and many can arrange for unfettered inbound
access.  That's Not Good®.

Yes, because that is what the device manufacturers have programmed the device to do and to have, and to go to inordinate lengths to ignore any directions from the OWNER to the contrary.  They should all be strung up by their balls and dropped with dull rusty pinking shears!

That doesn't mean that network
administrators shouldn't be the kings and queens of their castles, but
as I'm sure you well know, home users don't really know how to rule, and
so they need some good defaults.

What is wrong with OFF?  That is a good default.

Put it another way: you bring home a NEST and the first thing you the
expert might do is read the net to figure out which ports to open.  Are
you really going to not open those ports?

First of all, I would NEVER bring home a NEST, nor would I ever allow a NEST or anything like it to be connected to my network.  It is an evil device that does nothing of any use to me whatsoever.  It is also dangerous and malicious and will not permit me to control the damn thing, nor to retrieve data from it.  It is a hunk of useless shit.

And no.  Under no circumstances whatsoever do I open ports unless I know what they are for.  And inbound port openings require proof of paid-up indemnity insurance in the millions per incident (trillions in total).  Therefore, no inbound ports get opened, since no one has ever been able to satisfy this requirement.

End of Line.
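The thread's technical complaint is that a LAN device can use UPnP IGD to have the CPE router forward an external port to itself, and the owner usually never sees that it happened. The check a practitioner wants is to ask the gateway what mappings it currently holds. The script below is an added example written for this archive page, not code from any poster; it builds the standard IGD GetGenericPortMappingEntry request for the WANIPConnection:1 service, walks the mapping table until the gateway returns UPnP error 713 (SpecifiedArrayIndexInvalid, the end-of-list signal), and flags entries that any Internet host can reach or that never expire. The control URL, the host 192.168.1.42, the description "PetFeeder" and the replies in SAMPLE_REPLIES are all constructed for the demo; discovering the real control URL from the gateway's device description via SSDP is assumed to be done separately.

```python
"""Audit the port mappings a UPnP IGD gateway currently holds.

Added example, not from the NANOG thread: builds the IGD
GetGenericPortMappingEntry request, parses each reply and reports
mappings that expose a LAN host to the whole Internet.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
END_OF_LIST = "713"  # SpecifiedArrayIndexInvalid: index is past the last mapping


def build_request(index: int) -> str:
    """SOAP body asking the gateway for mapping number `index`."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    )


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ("{ns}Name" -> "Name")."""
    return tag.rsplit("}", 1)[-1]


def parse_response(xml_text: str):
    """Return one mapping as a dict, or None when the reply is the 713 fault."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "errorCode":
            if (el.text or "").strip() == END_OF_LIST:
                return None
            raise RuntimeError(f"UPnP error {el.text}")
    for el in root.iter():
        if _local(el.tag) == f"{ACTION}Response":
            return {_local(c.tag): (c.text or "").strip() for c in el}
    raise ValueError(f"no {ACTION}Response in reply")


def audit(mapping: dict) -> list:
    """Findings for one enabled mapping: wildcard source and permanent lease."""
    if mapping.get("NewEnabled") != "1":
        return []  # a disabled entry forwards nothing
    target = (f'{mapping["NewInternalClient"]}:{mapping["NewInternalPort"]}'
              f'/{mapping["NewProtocol"]}')
    findings = []
    if mapping.get("NewRemoteHost", "") == "":
        findings.append(f'any Internet host can reach {target} via external '
                        f'port {mapping["NewExternalPort"]}')
    if mapping.get("NewLeaseDuration") == "0":
        findings.append("permanent lease: mapping survives until explicitly deleted")
    return findings


def soap_post(control_url: str, body: str, timeout: float = 5.0) -> str:
    """POST a SOAP body to the WANIPConnection control URL. Faults arrive as
    HTTP 500 with a SOAP body, so those are returned rather than raised."""
    req = urllib.request.Request(
        control_url, data=body.encode(),
        headers={"Content-Type": 'text/xml; charset="utf-8"',
                 "SOAPAction": f'"{SERVICE}#{ACTION}"'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()


def enumerate_mappings(control_url: str, post=soap_post, limit: int = 1000) -> list:
    """Walk indexes 0.. until the gateway answers with error 713."""
    mappings = []
    for index in range(limit):
        mapping = parse_response(post(control_url, build_request(index)))
        if mapping is None:
            break
        mappings.append(mapping)
    return mappings


def _reply(remote, ext, proto, iport, client, enabled, desc, lease) -> str:
    """Constructed gateway reply (not captured from a real device)."""
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:{ACTION}Response xmlns:u="{SERVICE}">'
            f'<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>{lease}</NewLeaseDuration>'
            f'</u:{ACTION}Response></s:Body></s:Envelope>')


SAMPLE_REPLIES = [  # constructed: a self-opened device, a scoped rule, then end of list
    _reply("", 8080, "TCP", 80, "192.168.1.42", 1, "PetFeeder", 0),
    _reply("203.0.113.7", 2222, "TCP", 22, "192.168.1.10", 1, "admin-ssh", 3600),
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
    '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
    '</detail></s:Fault></s:Body></s:Envelope>',
]


def fake_post(control_url: str, body: str) -> str:
    """Stand-in for soap_post that serves SAMPLE_REPLIES by requested index."""
    index = int(body.split("<NewPortMappingIndex>")[1].split("<")[0])
    return SAMPLE_REPLIES[min(index, len(SAMPLE_REPLIES) - 1)]


def demo() -> list:
    """(description, findings) for every mapping in the constructed table."""
    mappings = enumerate_mappings("http://gateway.invalid/ctl/IPConn", post=fake_post)
    return [(m["NewPortMappingDescription"], audit(m)) for m in mappings]


if __name__ == "__main__":
    for desc, findings in demo():
        print(desc, *(findings or ["no findings"]), sep="\n  ")
```

Against a real gateway, replace fake_post with the default soap_post and pass the WANIPConnection control URL taken from the gateway's device description; the "PetFeeder" entry in the sample table is exactly the kind of self-asserted mapping the thread is complaining about, and the two findings it produces (any source, no expiry) are what to look for.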
