Re: Spitballing IoT Security

2016-10-24 Thread Jared Mauch
Top posting to provide some clarity: 1) Many IoT devices are connected via some cloud service, think Nest (for example) 2) Many IoT devices have cloud management, think of Ruckus, UBNT UniFi, etc that phone out to a site via DHCP option or otherwise. 3) Many IoT devices are something like a se

RE: Spitballing IoT Security

2016-10-24 Thread Steve Mikulasik
May as well throw in my idea here too. Can ISPs just block their clients from being reached by CNC servers? If we could get a service like Spamhaus for botnets and have service providers automatically blackhole those CNC IPs. Having this done at the tier 1 level would probably cause some pain to

Re: Spitballing IoT Security

2016-10-24 Thread J. Oquendo
On Mon, 24 Oct 2016, Steve Mikulasik wrote: > if we automatically blackholed those IPs as they get updated it could put a > big dent in the effectiveness of Zeus. > That would involve someone lifting a finger and implementing a config change. Much easier to implement BCP38 or was it RFC 4732? Woul

Re: Spitballing IoT Security

2016-10-24 Thread Matthias Waehlisch
IoT is not a well-defined term. IoT implementations depend on system constraints. These constraints may relate to security (problems/solutions). It would be helpful to be more specific. See https://tools.ietf.org/html/rfc7228, for example. Cheers matthias On Mon, 24 Oct 2016, Jared Mauch wrote

Re: Spitballing IoT Security

2016-10-24 Thread Mike Hammett
- Original Message - From: "J. Oquendo" To: "Steve Mikulasik" Cc: nanog@nanog.org Sent: Monday, October 24, 2016 3:53:25 PM Subject: Re: Spitballing IoT Security On Mon, 24 Oct 2016, Steve Mikulasik wrote: > if we automatically blackholed those IPs as they get u

Re: Spitballing IoT Security

2016-10-24 Thread Hugo Slabbert
com Midwest-IX http://www.midwest-ix.com - Original Message - From: "J. Oquendo" To: "Steve Mikulasik" Cc: nanog@nanog.org Sent: Monday, October 24, 2016 3:53:25 PM Subject: Re: Spitballing IoT Security On Mon, 24 Oct 2016, Steve Mikulasik wrote: if we automatical

Re: Spitballing IoT Security

2016-10-24 Thread Mike Hammett
" To: "Mike Hammett" Cc: nanog@nanog.org Sent: Monday, October 24, 2016 5:21:48 PM Subject: Re: Spitballing IoT Security It's possible you might have wanted to read the link for the context that pointed this out as sarcastic hyperbole, though the text as-is could (unfortu

Re: Spitballing IoT Security

2016-10-24 Thread bzs
On October 24, 2016 at 13:24 r...@tristatelogic.com (Ronald F. Guilmette) wrote: >1) First, I will successfully complete my campaign to be elected King >of the World. (Given the current political climate, worldwide, this >should not be a problem, because I lie a lot.) Too

Re: Spitballing IoT Security

2016-10-25 Thread Ronald F. Guilmette
In message , Jared Mauch wrote: >Top posting to provide some clarity: That's funny. Personally, I have always felt that top posting -destroys- clarity. But as Chaplain Tappman said in Catch-22 "I'm not here to judge you." >1) Many IoT devices are connected via some cloud service, think Nest

Re: Spitballing IoT Security

2016-10-25 Thread Jean-Francois Mezei
On 2016-10-25 04:10, Ronald F. Guilmette wrote: > If all of the *&^%$# damn stupid vacation pet feeders had originally shipped > with outbound rate limits hard-coded in the kernel, maybe this could have > been avoided. I view this differently. The problem is in allowing inbound connections and

Re: Spitballing IoT Security

2016-10-25 Thread Aled Morris
On 25 October 2016 at 09:37, Jean-Francois Mezei < jfmezei_na...@vaxination.ca> wrote: > > One way around this is for the pet feeder to initiate outbound > connection to a central server, and have the pet owner connect to that > server to ask the server to send command to his pet feeder to feed the

Re: Spitballing IoT Security

2016-10-25 Thread Ronald F. Guilmette
In message <580f19bf.2070...@vaxination.ca>, Jean-Francois Mezei wrote: >One way around this is for the pet feeder to initiate outbound >connection to a central server, and have the pet owner connect to that >server to ask the server to send command to his pet feeder to feed the dog. > >This wa

Re: Spitballing IoT Security

2016-10-25 Thread Chris Boyd
> On Oct 25, 2016, at 3:10 AM, Ronald F. Guilmette > wrote: > > An IoT is -not- a general purpose computer. In the latter case, it is > assumed that the owner will "pop the hood" when it comes to the software > configuration. Ah, but they are. In many cases you can ship a product faster and

Re: Spitballing IoT Security

2016-10-25 Thread Jared Mauch
On Tue, Oct 25, 2016 at 12:09:26AM +0200, Matthias Waehlisch wrote: > IoT is not a well-defined term. Agreed. This is why I call it Internet of Trash. > IoT implementations depend on system constraints. Of course, this is how you see LoWPAN pop up as a possible solution. > Thes

Re: Spitballing IoT Security

2016-10-25 Thread Bruce Curtis
> On Oct 25, 2016, at 3:49 AM, Aled Morris wrote: > > On 25 October 2016 at 09:37, Jean-Francois Mezei < > jfmezei_na...@vaxination.ca> wrote: >> >> One way around this is for the pet feeder to initiate outbound >> connection to a central server, and have the pet owner connect to that >> server

Re: Spitballing IoT Security

2016-10-25 Thread bzs
On October 25, 2016 at 01:10 r...@tristatelogic.com (Ronald F. Guilmette) wrote: > > In message , > Jared Mauch wrote: > > >Top posting to provide some clarity: > > That's funny. Personally, I have always felt that top posting -destroys- > clarity. But as Chaplain Tappman said in Catc

Re: Spitballing IoT Security

2016-10-26 Thread Rich Kulawiec
On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote: >2) Second, once elected I will decree that in future all new IoT devices, > and also all updates to firmware for existing IoT devices will have, > BUILT IN TO THE KERNEL, code/logic which (a) prevents all outbound

Re: Spitballing IoT Security

2016-10-26 Thread Eric S. Raymond
Rich Kulawiec : > I think our working assumption should be that there will be zero cooperation > from the IoT vendors. (Yeah, once in a while one might actually step up, > but that will merely be a happy anomaly.) I agree. There is, however, a chokepoint we have more hope of getting decent softw

Re: Spitballing IoT Security

2016-10-26 Thread Mel Beckman
Eric, I agree that the home router is a viable choke point, and even though we can’t quickly roll out new firmware, if we had started this ten years ago we’d be done by now! So this is the ten-year plan, but still worth doing. I also really like the idea of offering open source options to vendo

Re: Spitballing IoT Security

2016-10-26 Thread Leo Bicknell
In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kulawiec wrote: > The makers of IoT devices are falling all over themselves to rush products > to market as quickly as possible in order to maximize their profits. They > have no time for security. They don't concern themselves

Re: Spitballing IoT Security

2016-10-26 Thread Jean-Francois Mezei
While I agree that fixing home routers is the best approach, something bugs me. If an IoT vendor doesn't even know that its devices have telnet or ssh enabled by default (and hence, no management interface to change passwords) and only focuses on the web interface it has added, then how come the

Re: Spitballing IoT Security

2016-10-26 Thread JORDI PALET MARTINEZ
security breach. Regards, Jordi -Original Message- From: NANOG on behalf of Leo Bicknell Organization: United Federation of Planets Reply to: Date: Wednesday, 26 October 2016, 19:19 To: Subject: Re: Spitballing IoT Security In a message written on Wed, Oct 26, 2016 at 08:06

Re: Spitballing IoT Security

2016-10-26 Thread Eric S. Raymond
Mel Beckman : > I also really like the idea of offering open source options to vendors, many > of whom seem to illegally take that privilege anyway. A key fast-path > component, though, is in my opinion a new RFC for IoT security best > practices, and probably some revisions to UPNP. > > The I

Re: Spitballing IoT Security

2016-10-26 Thread jim deleskie
is a security breach. > > Regards, > Jordi > > > -Original Message- > From: NANOG on behalf of Leo Bicknell < > bickn...@ufp.org> > Organization: United Federation of Planets > Reply to: > Date: Wednesday, 26 October 2016, 19:19 > To:

Re: Spitballing IoT Security

2016-10-26 Thread Jean-Francois Mezei
re: having gadgets certified (aka UL/CSA for electric stuff). Devil is in the details. Who would certify it? And who would set the standards for certification? How fast would those standards change? Updated with each new attack? Would standards update require agreement of multiple parties who ra

Re: Spitballing IoT Security

2016-10-26 Thread Mel Beckman
Why does everyone think the Master Plan for World Domination has to be Evil? :) -mel beckman > On Oct 26, 2016, at 12:40 PM, Eric S. Raymond wrote: > > Mel Beckman : >> I also really like the idea of offering open source options to vendors, many >> of whom seem to illegally take that privileg

Re: Spitballing IoT Security

2016-10-26 Thread Ken Matlock
few cents for each unit. > > > > Even if we speak about 1 dollar per each product being sold, it is much > > cheaper than the cost of not doing it and paying for damages, human > > resources, etc., when there is a security breach. > > > > Regards, > > Jordi > &

Re: Spitballing IoT Security

2016-10-26 Thread bzs
Re: certification of IoT devices analogous to UL etc Another potentially useful channel to give this idea legs are insurance companies, get them involved if possible. They underwrite the risks particularly liability risks for manufacturers. That's why "Underwriters Laboratory" is called that, ul

Re: Spitballing IoT Security

2016-10-26 Thread Mark Andrews
se, among thousands of millions of devices of the same model being > > > manufactured, means a few cents for each unit. > > > > > > Even if we speak about 1 dollar per each product being sold, it is much > > > cheaper than the cost of not doing it and payi

Re: Spitballing IoT Security

2016-10-26 Thread Jean-Francois Mezei
On 2016-10-26 16:58, Mark Andrews wrote: > > Actually things have changed a lot in a positive direction. > > * Router manufactures are using device specific passwords. > * Microsoft, Apple, Linux and *BSD issue regular fixes for their > products and users do install them. > * My smart TV has auto

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026120634.ga20...@gsp.org>, Rich Kulawiec wrote: >On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote: >>2) Second, once elected I will decree that in future all new IoT devices, >> and also all updates to firmware for existing IoT devices will have, >

Re: Spitballing IoT Security

2016-10-26 Thread Mark Andrews
In message <11718.1477517...@segfault.tristatelogic.com>, "Ronald F. Guilmette" writes: > In short, if sensible regulations requiring "safe" designs for IoT products > were to come into force in one locale, it is not only possible, but > actually quite likely that they would affect the whole mark

Re: Spitballing IoT Security

2016-10-26 Thread Valdis . Kletnieks
On Wed, 26 Oct 2016 20:53:51 +0200, JORDI PALET MARTINEZ said: > Even if we speak about 1 dollar per each product being sold, it is much > cheaper than the cost of not doing it and paying for damages, human resources, > etc., when there is a security breach. This only works if the company perceiv

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026123043.ga10...@thyrsus.com>, "Eric S. Raymond" wrote: >There is, however, a chokepoint we have more hope of getting decent software >deployed to. I refer to home and small-business routers. OpenWRT and kin >are already minor but significant players here. And there's an NRE

Re: Spitballing IoT Security

2016-10-26 Thread Valdis . Kletnieks
On Wed, 26 Oct 2016 15:02:46 -0700, "Ronald F. Guilmette" said: > i.e. a multitude of wall plates in every room, each one bristling with a > multitude of RJ11 sockets into which all manner of shiny new IoT things > will be directly plugged, thence to be issued their own IPv6 addresses > directly v

Re: Spitballing IoT Security

2016-10-26 Thread Jean-Francois Mezei
On 2016-10-26 18:02, Ronald F. Guilmette wrote: > http://p.globalsources.com/IMAGES/PDT/BIG/053/B1088622053.jpg > > i.e. a multitude of wall plates in every room, each one bristling with a > multitude of RJ11 sockets into which all manner of shiny new IoT things > will be directly plugged, th

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message Ken Matlock wrote: >- End users need to have ways to easily see what's going on over their >local networks, to see botnet-like activity and DDoS participation (among >other things) in a more real-time fashion This is an interesting point. I'm not actually an ISP guy, although I do

Re: Spitballing IoT Security

2016-10-26 Thread Chris Boyd
> On Oct 26, 2016, at 6:40 PM, Ronald F. Guilmette > wrote: > > Point: I have a DSL line which is limited to 6Mbps down and 756Kbps up. > My guess is that if any typical/average user is seen to be using more > than, say, 1/10 of that amount of "up" bandwidth in any one given 10 > minute time p

Re: Spitballing IoT Security

2016-10-26 Thread Mark Andrews
In message <12301.1477525...@segfault.tristatelogic.com>, "Ronald F. Guilmette" writes: > > In message m> > Ken Matlock wrote: > > >- End users need to have ways to easily see what's going on over their > >local networks, to see botnet-like activity and DDoS participation (among > >other thin

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <20161026205800.7188d57b2...@rock.dv.isc.org>, Mark Andrews wrote: >Actually things have changed a lot in a positive direction. >... >* Microsoft, Apple, Linux and *BSD issue regular fixes for their > products and users do install them. At the risk of repeating a point I have alread

Re: Spitballing IoT Security

2016-10-26 Thread Brandon Butterworth
On Wed Oct 26, 2016 at 05:10:44PM -0400, Jean-Francois Mezei wrote: > My smart TV not only hasn't gotten updates in years, but Sharp has > stopped selling TVs in Canada. (not sure if they still sell TVs elsewhere). > > When manufacturers provide a 2 year support on a device that will last > 10 yea

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <58111bd4.80...@vaxination.ca>, Jean-Francois Mezei wrote: >My smart TV not only hasn't gotten updates in years, but Sharp has >stopped selling TVs in Canada. (not sure if they still sell TVs elsewhere). A little more than 2 years ago, I bought a last-of-its-kind demo model of a 50

Re: Spitballing IoT Security

2016-10-26 Thread Mark Andrews
In message <12573.1477530...@segfault.tristatelogic.com>, "Ronald F. Guilmette" writes: > > In message <58111bd4.80...@vaxination.ca>, > Jean-Francois Mezei wrote: > > >My smart TV not only hasn't gotten updates in years, but Sharp has > >stopped selling TVs in Canada. (not sure if they still

Re: Spitballing IoT Security

2016-10-26 Thread Mel Beckman
People underappreciate the power of a million-strong IoT botnet. Just a few K per second from each bot becomes gigabits per second at the target. -mel > On Oct 26, 2016, at 4:41 PM, Ronald F. Guilmette > wrote: > > > In message > > Ken Matlock wrote: > >> - End users need to have wa

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <89795.1477520...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu wrote: >> Given that, and given that "OpenWRT and kin" often provide the end-user >> with readily accessible dials and knobs via which the user can force the >> device to *exceed* legal/FCC limits on power output, I a

Re: Spitballing IoT Security

2016-10-26 Thread Josh Reynolds
I think this would be the most effective route proposed so far. May the force be with you :) On Wed, Oct 26, 2016 at 12:19 PM, Leo Bicknell wrote: > In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kulawiec > wrote: >> The makers of IoT devices are falling all over themselves

Re: Spitballing IoT Security

2016-10-26 Thread Ronald F. Guilmette
In message <58112f9f.6060...@vaxination.ca>, Jean-Francois Mezei wrote: >A camera showing the baby in 4K resolution along with sounds of him >crying on dolby surround to the mother who is at work would likely >saturate upload just as much as the virus sending DNS requests. This >falls into the

Re: Spitballing IoT Security

2016-10-26 Thread Randy Bush
actually, the one technical hack i liked the most so far was the suggestion to put throttling into openwrt/lede, as they are used for the base in much cpe. randy

Re: Spitballing IoT Security

2016-10-26 Thread Eliot Lear
Hi Jean-Francois, On 10/25/16 10:37 AM, Jean-Francois Mezei wrote: > On 2016-10-25 04:10, Ronald F. Guilmette wrote: > >> If all of the *&^%$# damn stupid vacation pet feeders had originally shipped >> with outbound rate limits hard-coded in the kernel, maybe this could have >> been avoided. > >

Re: Spitballing IoT Security

2016-10-27 Thread Mark Andrews
In message <12439.1477528...@segfault.tristatelogic.com>, "Ronald F. Guilmette" writes: > > In message <20161026205800.7188d57b2...@rock.dv.isc.org>, > Mark Andrews wrote: > > >Actually things have changed a lot in a positive direction. > >... > >* Microsoft, Apple, Linux and *BSD issue regul

Re: Spitballing IoT Security

2016-10-27 Thread t...@pelican.org
On Thursday, 27 October, 2016 00:40, "Ronald F. Guilmette" said: > Point: I have a DSL line which is limited to 6Mbps down and 756Kbps up. > My guess is that if any typical/average user is seen to be using more > than, say, 1/10 of that amount of "up" bandwidth in any one given 10 > minute time

Re: Spitballing IoT Security

2016-10-27 Thread Mike Meredith
On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear may have written: > Well yes. uPnP is a problem precisely because it is some random device > asserting on its own that it can be trusted to do what it wants. Had From my own personal use (and I'm aware that this isn't a general solution), I'd like

Re: Spitballing IoT Security

2016-10-27 Thread Leo Bicknell
In a message written on Wed, Oct 26, 2016 at 04:40:57PM -0300, jim deleskie wrote: > So device is certified, bug is found 2 years later. How does this help. > The info to date is last week's issue was patched by the vendor in Sept > 2015, I believe is what I read. We know bugs will creep in, (so

Re: Spitballing IoT Security

2016-10-27 Thread Leo Bicknell
In a message written on Wed, Oct 26, 2016 at 05:27:08PM -0700, Ronald F. Guilmette wrote: > do let me know how I can obtain this month's security patches for my iPhone > 3GS. > > (Note that Wikipedia says that this device was only formally discontinued > by the manufacturer as of September 12, 20

Re: Spitballing IoT Security

2016-10-27 Thread Geoffrey Keating
"Ronald F. Guilmette" writes: > My iPhone 3GS "goes on the Internet". > > Through no fault of my own, it is also, apparently, destined in short order > to "go onto" a landfill, if not here, then in China or India, where a > pitiful plethora of shoeless and sad-eyed third-world waifs will spend >

Re: Spitballing IoT Security

2016-10-27 Thread knack via NANOG
security and probably some other features to ensure that in case something is discovered in the future, they can be updated. Yes, that means cost, but a few thousand dollars of certification price increase, among thousands of millions of devices of the same model being manufactured, means a few

Re: Spitballing IoT Security

2016-10-27 Thread Mel Beckman
Requiring manual approval is an excellent idea for the ThingSafe RFC! -mel > On Oct 27, 2016, at 2:10 AM, Mike Meredith wrote: > > On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear > may have written: >> Well yes. uPnP is a problem precisely because it is some random device >> asserting on its

Re: Spitballing IoT Security

2016-10-27 Thread John Levine
>Please don't, bring it to your nearest Apple Store instead where it >will be properly recycled, . My nearest Apple stores are 50 miles away. I'm not sure 100 miles in the car is a good tradeoff for one phone.

Re: Spitballing IoT Security

2016-10-27 Thread Leo Bicknell
In a message written on Tue, Oct 25, 2016 at 04:52:58AM -, John Levine wrote: > My nearest Apple stores are 50 miles away. I'm not sure 100 miles in > the car is a good tradeoff for one phone. Scroll down a bit further: "Tell us which device you have, and we’ll email you a prepaid mailing l

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027084939.5bdf457d0...@rock.dv.isc.org>, Mark Andrews wrote: >Well the last update for the 3GS was iOS 6.1.6 in Feb 2014. Bingo! Less than a year and a half after they stopped selling it, they effectively stopped supporting it.

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <1477558411.730528...@apps.rackspace.com>, "t...@pelican.org" wrote: >...I back up to the cloud... Yes, I confess that this reasonable use case had not occurred to me, and yes, it utterly negates what I was saying. (I myself am the paranoid type, so I -do not- back up -any- of my st

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027112601.ga17...@ussenterprise.ufp.org>, Leo Bicknell wrote: >Problems I think consumer safety legislation can solve: > >* SSH and Telnet were enabled, but there was no notification in the UI > that they were enabled and no way to turn them off. Requirements > could be set

Re: Spitballing IoT Security

2016-10-27 Thread Edward Dore
On 27 Oct 2016, at 19:02, Ronald F. Guilmette wrote: > > > In message <20161027084939.5bdf457d0...@rock.dv.isc.org>, > Mark Andrews wrote: > >> Well the last update for the 3GS was iOS 6.1.6 in Feb 2014. > > Bingo! > > Less than a year and a half after they stopped selling it, they > effecti

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027112940.gb17...@ussenterprise.ufp.org>, Leo Bicknell wrote: >Actually, they encourage you to trade {your old iPhone} in... >... >If your device is too old for that program, they will still take >it for free and recycle it in an environmentally friendly way... OK, so good on

Re: Spitballing IoT Security

2016-10-27 Thread Ken Matlock
And I contend that the device manufacturer is only one part in this. Yes, the manufacturers need to get better in securing their devices (that's never been in question). *But* the end users need to have better CPE that can do NetFlow/Sflow/etc in a near real-time fashion. This would allow the end

Re: Spitballing IoT Security

2016-10-27 Thread bzs
Perhaps something which is needed is analogous to Maritime Law's "Law of Salvage". If a manufacturer abandons all support of a technical product then they lose various intellectual property rights which might prevent a third-party from providing support. Including reasonable assistance such as p

Re: Spitballing IoT Security

2016-10-27 Thread Alan Buxey
Hi, >At which point the 3GS was almost 5 years old (having originally been >released in June 2009) and had been already superseded by the iPhone 4, >4S, 5 and 5S/5C. But the release of and presence of those phones does not make the older phone suddenly stop working. As noted, the phone might

Re: Spitballing IoT Security

2016-10-27 Thread Mark Andrews
In message <16193.1477594...@segfault.tristatelogic.com>, "Ronald F. Guilmette" writes: > > In message <20161027112940.gb17...@ussenterprise.ufp.org>, > Leo Bicknell wrote: > > >Actually, they encourage you to trade {your old iPhone} in... > >... > >If your device is too old for that program,

Re: Spitballing IoT Security

2016-10-27 Thread Mark Andrews
In message <56b9abd3-6911-42cb-9c9d-81fb33ca5...@lboro.ac.uk>, Alan Buxey writes: > Hi, > > > >At which point the 3GS was almost 5 years old (having originally been > >released in June 2009) and had been already superseded by the iPhone 4, > >4S, 5 and 5S/5C. > > But the release of and presence

Re: Spitballing IoT Security

2016-10-27 Thread Jon Lewis
On Thu, 27 Oct 2016, Ronald F. Guilmette wrote: My iPhone 3GS still works just fine, I still have a "functional" iPhone 3G (no S). I don't think AT&T will activate service on it at this point, and it's been relegated to iPod service when I do yard work. You can't *force* people to throw

Re: Spitballing IoT Security

2016-10-27 Thread Ca By
On Thursday, October 27, 2016, Mark Andrews wrote: > > In message <16193.1477594...@segfault.tristatelogic.com >, > "Ronald F. Guilmette" writes: > > > > In message <20161027112940.gb17...@ussenterprise.ufp.org > >, > > Leo Bicknell > wrote: > > > > >Actually, they encourage you to trade {your o

RE: Spitballing IoT Security

2016-10-27 Thread Emille Blanc
(deleted for ambiguity) > > Which is the point. These things stay out there...like those winXP > > boxes. There are 2 choices > > > > 1) manufacturers are responsible for the devices. No longer caring for > >them? Recall them. Compensate the users. > > > > 2) stronger obsolescence. eg kil

Re: Spitballing IoT Security

2016-10-27 Thread Edward Dore
> On 27 Oct 2016, at 21:25, Alan Buxey wrote: > > Hi, > > >> At which point the 3GS was almost 5 years old (having originally been >> released in June 2009) and had been already superseded by the iPhone 4, >> 4S, 5 and 5S/5C. > > But the release of and presence of those phones does not make t

RE: Spitballing IoT Security

2016-10-27 Thread Emille Blanc
>On Thu, 27 Oct 2016, Ronald F. Guilmette wrote: > >> My iPhone 3GS still works just fine, > >I still have a "functional" iPhone 3G (no S). I don't think AT&T will >activate service on it at this point, and it's been relegated to iPod >service when I do yard work. > >> You can't *force* people t

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message Ken Matlock wrote: >Fixing the current wave of 'IoT' devices and phones and TVs etc is only >putting a bandaid on a broken arm. It gives the illusion of progress... >Until we accept that it's *everyone's* problem and work to fix the things >under our control and work as an advocate

RE: Spitballing IoT Security

2016-10-27 Thread Keith Medcalf
> > The problem is in allowing inbound connections and going as far as doing > > UPnP to tell the CPE router to open an inbound door to let hackers log in > > to that IoT pet feeder to turn it into an aggressive DNS destroyer. > Well yes. uPnP is a problem precisely because it is some random devic

Re: Spitballing IoT Security

2016-10-27 Thread Ronald F. Guilmette
In message <20161027204258.cd18057d5...@rock.dv.isc.org>, Mark Andrews wrote: >> The problem is, as I have said, this device is now the Apple equivalent >> of Windows XP. There could be a horrendous collection of a dozen or >> more known critical security bugs in the thing by now, but as someo

Re: Spitballing IoT Security

2016-10-27 Thread Laszlo Hanyecz
On 2016-10-27 23:24, Ronald F. Guilmette wrote: I put forward what I think is a reasonably modest scheme to try to get IoT things to place hard limits on their "unsolicited" packet output at the kernel level, and I'm going to go off now and try to find and then engage some Linux embedded kernel pe

RE: Spitballing IoT Security

2016-10-27 Thread bzs
I suppose someone could modify this Mirai virus to instead inject antivirus software. I know, illegal. What would the manufacturers' response be if this virus had instead just shut down, possibly in some cases physically damaged the devices or otherwise caused them to cease functioning ever again

Re: Spitballing IoT Security

2016-10-27 Thread Eliot Lear
Hi Keith, On 10/28/16 1:55 AM, Keith Medcalf wrote: >>> The problem is in allowing inbound connections and going as far as doing >>> UPnP to tell the CPE router to open an inbound door to let hackers log in >>> to that IoT pet feeder to turn it into an aggressive DNS destroyer. >> Well yes. uPnP

RE: Spitballing IoT Security

2016-10-28 Thread Keith Medcalf
On Thursday, 27 October, 2016 22:09, Eliot Lear said: > On 10/28/16 1:55 AM, Keith Medcalf wrote: > >>> The problem is in allowing inbound connections and going as far as > doing > >>> UPnP to tell the CPE router to open an inbound door to let hackers > log in > >>> to that IoT pet feeder to tu

Re: Spitballing IoT Security

2016-10-28 Thread Rich Kulawiec
On Thu, Oct 27, 2016 at 05:13:31PM -0400, Jon Lewis wrote: > This is one of my bigger concerns every time I buy something that's "cloud > controlled". Not so much that the manufacturer will force its retirement, > but "what happens if they go belly up, or just kill the division that > supports my

Re: Spitballing IoT Security

2016-10-28 Thread Jim Hickstein
On 10/27/16 22:59, b...@theworld.com wrote: What would the manufacturers' response be if this virus had instead just shut down, possibly in some cases physically damaged the devices or otherwise caused them to cease functioning ever again (wiped all their software or broke their bootability), rat

Re: Spitballing IoT Security

2016-10-28 Thread bzs
On October 28, 2016 at 00:07 j...@jxh.com (Jim Hickstein) wrote: > On 10/27/16 22:59, b...@theworld.com wrote: > > What would the manufacturers' response be if this virus had instead > > just shut down, possibly in some cases physically damaged the devices > > or otherwise caused them to cease

Re: Spitballing IoT Security

2016-10-28 Thread Stephen Satchell
On 10/28/2016 10:14 PM, b...@theworld.com wrote: > Thus far the goal just seems to be mayhem. Thus far, the goal on the part of the botnet operators is to make money. The goal of the CUSTOMERS of the botnet operators? Who knows?

Re: Spitballing IoT Security

2016-10-28 Thread Eliot Lear
Hi Mike, On 10/27/16 11:04 AM, Mike Meredith wrote: > On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear > may have written: >> Well yes. uPnP is a problem precisely because it is some random device >> asserting on its own that it can be trusted to do what it wants. Had > From my own personal use

Re: Spitballing IoT Security

2016-10-28 Thread Eliot Lear
Hi Chris, On 10/25/16 1:51 PM, Chris Boyd wrote: >> On Oct 25, 2016, at 3:10 AM, Ronald F. Guilmette >> wrote: >> >> An IoT is -not- a general purpose computer. In the latter case, it is >> assumed that the owner will "pop the hood" when it comes to the software >> configuration. > Ah, but the

Re: Spitballing IoT Security

2016-10-29 Thread bzs
On October 28, 2016 at 22:27 l...@satchell.net (Stephen Satchell) wrote: > On 10/28/2016 10:14 PM, b...@theworld.com wrote: > > Thus far the goal just seems to be mayhem. > > Thus far, the goal on the part of the botnet operators is to make > money. The goal of the CUSTOMERS of the botnet

Re: Spitballing IoT Security

2016-10-29 Thread Eric S. Raymond
b...@theworld.com : > > On October 28, 2016 at 22:27 l...@satchell.net (Stephen Satchell) wrote: > > On 10/28/2016 10:14 PM, b...@theworld.com wrote: > > > Thus far the goal just seems to be mayhem. > > > > Thus far, the goal on the part of the botnet operators is to make > > money. The go

Re: Spitballing IoT Security

2016-10-29 Thread bzs
On October 29, 2016 at 14:07 e...@thyrsus.com (Eric S. Raymond) wrote: > b...@theworld.com : > > > > On October 28, 2016 at 22:27 l...@satchell.net (Stephen Satchell) wrote: > > > On 10/28/2016 10:14 PM, b...@theworld.com wrote: > > > > Thus far the goal just seems to be mayhem. > > >

Re: Spitballing IoT Security

2016-10-29 Thread Jean-Francois Mezei
On 2016-10-29 14:07, Eric S. Raymond wrote: > You don't build or hire a botnet on Mirai's scale with pocket change. > And the M.O. doesn't fit a criminal organization - no ransom demand, > no attempt to steal data. It is wrong to underestimate script kiddies and open source code. It is wrong to u

Re: Spitballing IoT Security

2016-10-29 Thread Tom Beecher
"That means the motive was prep for terrorism or cyberwar by a state-level actor. " Or, quite possibly ( I would argue probably) it was marketing. Show off the capabilities of the botnet to garner more interest amongst those who pay for use of such things. On Sat, Oct 29, 2016 at 2:07 PM, Eric S.

Re: Spitballing IoT Security

2016-10-29 Thread bzs
On October 29, 2016 at 15:35 beec...@beecher.cc (Tom Beecher) wrote: > "That means the motive was prep for terrorism or cyberwar by a > state-level actor. " > > Or, quite possibly ( I would argue probably) it was marketing. Show off the > capabilities of the botnet to garner more interest am

Re: Spitballing IoT Security

2016-10-29 Thread Alan Buxey
Hi, Hi, >Put it another way: you bring home a NEST and the first thing you the >expert might do is read the net to figure out which ports to open. Are >you really going to not open those ports? Put onto its own isolated vlan with only internet access. Unfortunately no basic routers that are f

Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette
In message <20161029180730.ga10...@thyrsus.com>, "Eric S. Raymond" wrote: >You don't build or hire a botnet on Mirai's scale with pocket change. Proof please? Sorry, but I am compelled to call B.S. on the above statement. This is a really important point that I, Krebs, and others have been t

Re: Spitballing IoT Security

2016-10-29 Thread Eric S. Raymond
Ronald F. Guilmette : > Two kids with a modest amount of knowledge > and a lot of time on their hands can do it from their mom's basement. I in turn have to call BS on this. If it were really that easy, we'd be inundated by Mirais -- we'd have several attacks a *day*. --

Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette
In message <20161030044342.ga18...@thyrsus.com>, "Eric S. Raymond" wrote: >Ronald F. Guilmette : >> Two kids with a modest amount of knowledge >> and a lot of time on their hands can do it from their mom's basement. > >I in turn have to call BS on this. If it were reall

Re: Spitballing IoT Security

2016-10-29 Thread Eric S. Raymond
Ronald F. Guilmette : > > In message <20161030044342.ga18...@thyrsus.com>, > "Eric S. Raymond" wrote: > > >Ronald F. Guilmette : > >> Two kids with a modest amount of knowledge > >> and a lot of time on their hands can do it from their mom's basement. > > > >I in turn ha

Re: Spitballing IoT Security

2016-10-29 Thread John Weekes
On 10/29/2016 9:43 PM, Eric S. Raymond wrote: I in turn have to call BS on this. If it were really that easy, we'd be inundated by Mirais -- we'd have several attacks a *day*. Some of us are seeing many significant attacks a day. That's because botnets are frequently used to hit game servers a

Re: Spitballing IoT Security

2016-10-30 Thread Rich Kulawiec
On Fri, Oct 28, 2016 at 12:07:17AM -0500, Jim Hickstein wrote: > A virus that kills its host (too much of the time) is not successful. True. On the other hand: "Some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned, or negotiated with.
