On Thu, Feb 9, 2017 at 12:04 PM, Rich Kulawiec <rsk@gsp.org> wrote:
> On Wed, Feb 08, 2017 at 08:30:15AM -0800, Damian Menscher wrote:
>> The devices are trivially compromised (just log in with the default root password). So here's a modest proposal: log in as root and brick the device.
>
> No. It's never a good idea to respond to abuse with abuse.
Hi Rich,

On that we agree. Vigilantism is a non-starter.

> [regarding the tattler kill switch] 2. This will allow ISPs to build a database of which customers have which IOT devices. This is an appalling invasion of privacy.

Is there some way an industry association could overcome this? Perhaps have some trivial way to assign each model of IoT device some kind of integer and have the device report the integer instead of its plain text manufacturer and hardware model number, where the assigned integer is intentionally not published by the industry association, though of course trivially determinable by anyone who owns one of the devices. It wouldn't especially impair building a database of vulnerable devices, but it would raise the bar for trying to turn the self-reporting into business intelligence, particularly if industry association rules forbid retaining a record of device self-reports on pain of whatever.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>