Hi Keith, On 10/28/16 1:55 AM, Keith Medcalf wrote:
The problem is in allowing inbound connections and going as far as doing UPnP to tell the CPE router to open a inbound door to let hackers loging to that IoT pet feeder to turn it into an agressive DNS destroyer. Well yes. uPnP is a problem precisely because it is some random device asserting on its own that it can be trusted to do what it wants. Had that assertion come from the manufacturer, at least you would know that the device was designed to require that sort of access.** And why would anyone in their right mind trust the manufacturer to make this decision? <Shudder>
Because the manufacturer designed the device and knows best as to what sort of access it will require. Consider that today most devices have unfettered outbound access, and many can arrange for unfettered inbound access. That's Not Good®. That doesn't mean that network administrators shouldn't be the kings and queens of their castles, but as I'm sure you well know, home users don't really know how to rule, and so they need some good defaults. Put it another way: you bring home a NEST and the first thing you the expert might do is read the net to figure out which ports to open. Are you really going to not open those ports? Eliot