* John R. Levine:
On Sun, 9 Oct 2016, Florian Weimer wrote:
If we want consumers to make informed decisions, they need to learn how things work up to a certain level. And then current technology already works.
I think it's fair to say that security through consumer education has been a failure every time anyone has tried it. Why do you think this would be any different?
People start to care once they have to. Currently, there is not much reason to worry about which devices you connect to your home network. Even the interaction with Internet banking appears to be benign these days. If your Internet connection goes down because something starts spewing packets, you can probably find it by disconnecting everything until you have found the culprit. It's probably not much different from how you find which device triggers the breaker. Anything that's more proactive requires some level of knowledge, and if we assume that it cannot be dispersed to consumers, then it means someone else gets to manage their home networks. And I'm not sure if the ISPs should be doing this (or if they want any part in this, maybe except if it enables them to charge per connected device and function).
There is little interest in this, however. There's a comparable business case for providing managed PCs to consumers, and I'm not sure if any such companies are still left.
There are at least two large ones: Microsoft and Apple. Try installing Windows 10 without letting Microsoft update and reconfigure the software any time they want, any way they want.
I don't think I can phone Microsoft if something goes wrong. In most countries, they even disclaim responsibility for breakage introduced by updates and point to the PC makers instead (from whom most consumers bought their OEM version). Apple may be different.
Expecting consumers to evaluate the security behavior of their lightbulbs and their refrigerator is absurd. We need to figure out how to have the devices and routers configure themselves so the devices can do what they need to do without doing what we really don't want them to do.
We already have UPnP. Clearly, it does not work, but it's not obvious to me why any different solution would end up as being just as ineffective.