On Tue, Feb 07, 2017 at 06:56:40AM -0500, William Herrin wrote:
Immaterial. The point is to catch vulnerable devices before they're hacked. That can't always happen (even with customers and vendors engaged in best practice patching), but it need only happen often enough to limit the size of the resulting botnets.
This won't work on the majority of devices: they're pre-compromised at the factory. By the time you see the first packet from them, IF you see the first packet from them, it will already be too late. And a lot of them are deliberately designed and built to conduct attacks, e.g.: Vizio tracked and sold your TV viewing habits without consent https://www.engadget.com/2017/02/06/vizio-smart-tv-viewing-history-settlemen... What a nice favor to do for attackers: Vizio spent its time and money putting this in place for them, so they didn't have to. This is going to get worse -- MUCH worse -- as the few flimsy consumer protections in place are systematically dismantled and the agencies charged with enforcing them defunded.
As I envision it, it's an opt-out system.
No. In fact, HELL NO. Too many ISPs have already put absolutely clinching proof on the table that they will silently opt-in customers to all manner of tracking, surveillance, and security/privacy attacks. (I'm looking at you, Verizon, at the moment.) Opt-out is inherently abusive.
Possible, though an ISP which retains the data opens itself to a class action lawsuit if it can't keep control of it.
First, that's a meaningless remedy. Even if someone has the financial resources to sue an ISP, they're going to wind up quietly settling years later, the lawyers will get rich(er), the settlement will be sealed, and they'll just keep right on doing it. See the Vizio case above. Did anybody go to prison? No. Did it cost them anything? Not really: the fine is just chump change. Will Vizio do it again? OF COURSE they will, they'd be crazy not to. All they have to do is wait a little while, rename it, shuffle things around a bit, and they'll be fine. Second, the most likely outcome here is that the ISP will use this data to spy on its users and market to them. The next outcome is that someone inside the ISP will figure out that this is a potential revenue source and start selling it, under the argument that consumers didn't opt-out, therefore they WANT their private data sold. So let's not pretend that the delusional fiction of a successful class-action lawsuit is a deterrent. It's just a belly laugh for the executives and a windfall for the attorneys.
If the ISP can't keep control of its security head-end then sure, at least until the ISP regains control.
I think you're severely underestimating the threat. And note that even though you're just thinking about the problem from the perspective of ISPs, they're not the only ones affected. There are a lot of attack vectors available to anyone who's already on the inside.
Regardless, I encourage you to suggest alternate solutions which don't run afoul of the problems you mention. The problem isn't going away.
I'm aware of that. But this is not the way. I've seen this movie WAY too many times: 1. We must do something 2. This is something. 3. Let's do this. 4. We have done something. 5. Congrats and awards all around, everybody. ---rsk