On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote:
> 2) Second, once elected I will decree that in future all new IoT devices, and also all updates to firmware for existing IoT devices will have, BUILT IN TO THE KERNEL, code/logic which (a) prevents all outbound TCP session initiation and which also (b) strictly rate-limits all other protocols to some modest value.
I like this idea. But unfortunately, I think it has no chance of succeeding.

The makers of IoT devices are falling all over themselves to rush products to market as quickly as possible in order to maximize their profits. They have no time for security. They don't concern themselves with privacy implications. They don't run networks so they don't care about the impact their devices may have on them. They don't care about liability: many of them are effectively immune because suing them would mean trans-national litigation, which is tedious and expensive. (And even if they lost: they'd dissolve and reconstitute as another company the next day.) They don't even care about each other -- I'm pretty sure we're rapidly approaching the point where toasters will be used to attack garage door openers and washing machines.

I think our working assumption should be that there will be zero cooperation from the IoT vendors. (Yeah, once in a while one might actually step up, but that will merely be a happy anomaly.)

After all, why should they care? It doesn't impact their profits, and profits are all they care about. They're not the ones fielding support calls or frantically trying to stop a DoS or trying to work out a mitigation strategy or participating in this discussion thread. So they don't care. They don't have to.

---rsk
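For readers who want to see what the quoted proposal, (a) no outbound TCP session initiation and (b) a modest rate limit on everything else, looks like as an actual egress policy, here is an nftables ruleset written for this page as an added example. It is not from either poster and not from any vendor's firmware; the table name, the 50 packets/second figure and the burst size are constructed placeholders, chosen only to make the rule shape concrete.

```nft
# Added example: device-side egress policy in the spirit of the quoted proposal.
# Load with: nft -f this-file.nft   (names and rate values are constructed placeholders)
table inet iot_egress {
    chain output {
        type filter hook output priority 0; policy accept;

        # Replies belonging to sessions that already exist (including the device
        # answering inbound connections as a server) are allowed through.
        ct state established,related accept

        # (a) A bare SYN is the first packet of a TCP handshake the device itself
        #     is starting; dropping it prevents all outbound TCP session initiation.
        tcp flags & (syn|ack) == syn counter drop

        # (b) Everything else (UDP, ICMP, ...) is capped at a modest aggregate rate;
        #     packets over the limit are counted and dropped.
        meta l4proto { udp, icmp, ipv6-icmp } limit rate over 50/second burst 100 packets counter drop
        limit rate over 50/second counter drop
    }
}
```

Two practical notes. The `counter` on each drop rule is the detection hook: `nft list table inet iot_egress` shows how many packets the device tried to originate, so a compromised unit that starts spraying SYNs or UDP is visible even though nothing leaves the box. And the policy is exactly as strict as the proposal: it also blocks any update check the device initiates over TCP, so a real deployment would add an allowlist for the vendor's update endpoint ahead of the SYN-drop rule rather than relax the rule itself.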