Krebs <3's The IoT
-
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@zuphzuph said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
wow, how much of the internet as a whole is affected by these attacks? The potential to bring it all down seems pretty high.
It's sad how the IoT never thought of true security and many companies still probably aren't...
It's not that IoT makers don't think of it, it's that their customers won't pay for it. Customers drive demand.
Bullshit. Customer consume. Consumers are not supposed to have technical knowledge to even be able to make this kind of informed decision, let alone the technical knowledge to test it.
That's not how it works. That's why car makers advertise safety features - because consumers make decisions on how much safety matters to them. It's why people install their own door locks. It's why you select and buy a security system. It's why you install your own security cameras.
Consumers just consuming are still accountable for the ramifications of their decisions. Are there secure IoT products on the market? Yes. Are people buying cheaper stuff because they don't care? Yes.
It is never the manufacturer's fault for making what customers demand, unless what they make is illegal. If security was a value-add, manufacturers would be all over it to make more money. But security cost money to include and customers aren't willing to pay more. The result is a forced situation where makers cutting corners win the market.
Unless you change consumers, manufacturers really have no choice. The cheaper to make product will command the market.
-
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@zuphzuph said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
wow, how much of the internet as a whole is affected by these attacks? The potential to bring it all down seems pretty high.
It's sad how the IoT never thought of true security and many companies still probably aren't...
It's not that IoT makers don't think of it, it's that their customers won't pay for it. Customers drive demand.
Bullshit. Customer consume. Consumers are not supposed to have technical knowledge to even be able to make this kind of informed decision, let alone the technical knowledge to test it.
That's not how it works. That's why car makers advertise safety features - because consumers make decisions on how much safety matters to them. It's why people install their own door locks. It's why you select and buy a security system. It's why you install your own security cameras.
This reinforces my point. Consumers cannot make this decision. This is not comparable to a simply to understand thing like a security system. Consumers have to be able to understand to make the decision. At this point in the knowledge level of consumers regarding IoT, there is no ability to know anything. This means it was all simply the manufacturers choice to create a shit product because it was cheaper. Not because it is what the consumers demanded.
Your examples of auto safety features is a good reinforcement also. People did not buy for safety features until the government started mandating safety safety features and causing the consumers to get educated on the subject.
-
-
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@zuphzuph said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
wow, how much of the internet as a whole is affected by these attacks? The potential to bring it all down seems pretty high.
It's sad how the IoT never thought of true security and many companies still probably aren't...
It's not that IoT makers don't think of it, it's that their customers won't pay for it. Customers drive demand.
Bullshit. Customer consume. Consumers are not supposed to have technical knowledge to even be able to make this kind of informed decision, let alone the technical knowledge to test it.
That's not how it works. That's why car makers advertise safety features - because consumers make decisions on how much safety matters to them. It's why people install their own door locks. It's why you select and buy a security system. It's why you install your own security cameras.
This reinforces my point. Consumers cannot make this decision. This is not comparable to a simply to understand thing like a security system. Consumers have to be able to understand to make the decision. At this point in the knowledge level of consumers regarding IoT, there is no ability to know anything. This means it was all simply the manufacturers choice to create a shit product because it was cheaper. Not because it is what the consumers demanded.
Your examples of auto safety features is a good reinforcement also. People did not buy for safety features until the government started mandating safety safety features and causing the consumers to get educated on the subject.
But they do, car makers advertised that stuff and high end ones like Volvo made their market based on that.
If consumers won't do what is necessary, the government has to step in and mandate it because the manufactures can't do it because all it takes is one cutting corners to kill the market for those that do not. It's fine to say that consumers are too negligent or ignorant or uncaring to do what is right here.... but that doesn't shit blame to the makers, it shifts it to the government.
-
@scottalanmiller said in Krebs <3's The IoT:
. but that doesn't shit blame to the makers, it shifts it to the government.
Whoops
-
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
With regards to IOT things now, we're definitely in a 'for the betterment of man' situation. I guess it's time for Uncle SAM to step up and mandate better security. Of course, that just brings it's own issues.
-
@Dashrender said in Krebs <3's The IoT:
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
It was probably health insurers.
-
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
It was probably health insurers.
Exactly my point @scottalanmiller. It was never the consumers until something else forced it.
Volvo super markets safety now. They did not always.
-
@Dashrender said in Krebs <3's The IoT:
With regards to IOT things now, we're definitely in a 'for the betterment of man' situation. I guess it's time for Uncle SAM to step up and mandate better security. Of course, that just brings it's own issues.
Yes, LOTS of issues. Like determining what is IoT and what is not. Determining when a device should be regulated. Determining what security regulation looks like. How do you make a regulation that actually makes things secure without accidentally making them insecure, etc.
Realistically, the best option might just be holding people accountable for breaches caused by lax security.
-
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
It was probably health insurers.
Exactly my point @scottalanmiller. It was never the consumers until something else forced it.
Volvo super markets safety now. They did not always.
THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.
-
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
It was probably health insurers.
Exactly my point @scottalanmiller. It was never the consumers until something else forced it.
Volvo super markets safety now. They did not always.
THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.
Yes, but you were
brainwashedtold that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important. -
@scottalanmiller said in Krebs <3's The IoT:
Realistically, the best option might just be holding people accountable for breaches caused by lax security.
OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.
I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.
-
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
It was probably health insurers.
Exactly my point @scottalanmiller. It was never the consumers until something else forced it.
Volvo super markets safety now. They did not always.
THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.
Yes, but you were
brainwashedtold that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.Scott's younger than I am, I don't recall such brain washing. I don't have kids, so safety ratings on cars aren't something I consider, other than the guillotine 9000 (I think it was the Montero Sport where in a front end crash, the hood wouldn't buckle, instead it came straight through the windshield and well, you can figure it out) that I know about so I avoid them.
-
@Dashrender said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
Realistically, the best option might just be holding people accountable for breaches caused by lax security.
OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.
I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.
They do at a minor level but only because it cost them money. Many residential ISPs block outbound port 25 to prevent basic spam bots. It was pretty useless, but they did it.
-
@JaredBusch said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
Realistically, the best option might just be holding people accountable for breaches caused by lax security.
OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.
I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.
They do at a minor level but only because it cost them money. Many residential ISPs block outbound port 25 to prevent basic spam bots. It was pretty useless, but they did it.
I recall they cut this off long before spam bots were a real problem. I saw them doing this because they wanted businesses to use business priced connections instead of consumer ones. Sure still comes down to a money reason though.
-
Now the question is, will they see an better cost savings in shutting down connections that have bad traffic spewing on it? Probably not. They probably don't actually monitor much of that traffic directly, so they themselves don't know what it is, so they would have to start monitoring that - and that would cost money. And then they would have a HUGE uptick in customer service calls - massive cost increases.
Yeah it's unlikely they would ever voluntarily do this.
-
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
It was probably health insurers.
Exactly my point @scottalanmiller. It was never the consumers until something else forced it.
Volvo super markets safety now. They did not always.
THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.
Yes, but you were
brainwashedtold that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.I can't dispute that. I have no conscious memory of that happening, but I suppose it likely did. But safety education across the board is important and everyone should have it. But like anything, consumers should demand that from the government
-
@Dashrender said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
Realistically, the best option might just be holding people accountable for breaches caused by lax security.
OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.
I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.
If that was going to happen, it should be government mandated, again. ISPs should not be in a position of making "judgment calls" on those sorts of things. That's the wrong way to go. That paves the way for ISPs to make some pretty broad claims about what is and isn't malicious traffic.
-
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
It was probably health insurers.
Exactly my point @scottalanmiller. It was never the consumers until something else forced it.
Volvo super markets safety now. They did not always.
THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.
Yes, but you were
brainwashedtold that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.I can't dispute that. I have no conscious memory of that happening, but I suppose it likely did. But safety education across the board is important and everyone should have it. But like anything, consumers should demand that from the government
Safety education across the board is important. However, those that ignore what they are taught about safety should be naturally selected for removal from the gene pool.
I'm not sure that safety education from the government is a great idea when you look at the public education system these days. Sadly, I don't have a better idea for how to teach safety, aside from involvement in the lives of the people you care about.
-
ISPs are the wrong place to look. Think about this... if an ISP cuts off malicious traffic correctly, they mostly just help someone that isn't likely their customer with no benefit to themselves. If they cut something off as a false positive, they take on liability and risk and hurt their real customers.
There is effectively no incentive for an ISP to block bad traffic and a bit of incentive for them to allow whatever people decide to put on the wire.