[191835] in North American Network Operators' Group
Re: Krebs on Security booted off Akamai network after DDoS attack
daemon@ATHENA.MIT.EDU (Eliot Lear)
Wed Sep 28 03:33:14 2016
X-Original-To: nanog@nanog.org
To: "Patrick W. Gilmore" <patrick@ianai.net>, NANOG list <nanog@nanog.org>
From: Eliot Lear <lear@cisco.com>
Date: Wed, 28 Sep 2016 09:33:07 +0200
In-Reply-To: <3DAC3247-AC1E-43E7-830E-E21E24C3849C@ianai.net>
Errors-To: nanog-bounces@nanog.org
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--2gUeJNCx9CvlGn6hl2sh4jOV4RJE2Ffva
From: Eliot Lear <lear@cisco.com>
To: "Patrick W. Gilmore" <patrick@ianai.net>, NANOG list <nanog@nanog.org>
Message-ID: <a475a678-ec92-16e7-2385-2ab8b998df45@cisco.com>
Subject: Re: Krebs on Security booted off Akamai network after DDoS attack
proves pricey
References: <20160926155649.14061.qmail@ary.lan>
<20160926230946.685605514EDF@rock.dv.isc.org>
<03DC1038-024A-4D9F-AC5B-3E88CDF56246@cable.comcast.com>
<20160926234142.6E7705515473@rock.dv.isc.org>
<20160926234939.B1961551553A@rock.dv.isc.org>
<CAL9jLaZNBP9GWFzHnB1AGG8MRnK3dH=qeQb_KeigKc198zDaJw@mail.gmail.com>
<B796C128-AFDF-45A1-B5AF-C29BFF06E54B@arbor.net>
<30d73fd7-e183-2a43-9929-67e039684023@2mbit.com>
<B0920A66-295C-462B-A393-2D7FD675BED1@arbor.net>
<E86D45CB-8396-404A-8DC9-E2ACE19D4419@ianai.net>
<9FCA63C8-3011-4391-B4C6-055EB0B75792@arbor.net>
<3DAC3247-AC1E-43E7-830E-E21E24C3849C@ianai.net>
In-Reply-To: <3DAC3247-AC1E-43E7-830E-E21E24C3849C@ianai.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
It's not just consumers that need to understand this. Manufacturers of
Things are right now on a steep learning curve. Consider that
thermostat, for just a moment. In The Gold Old Days, before it had a
network interface, the manufacturer cared about a handful of things like
at what temperature to turn the heat or A/C on maybe with some
adjustments for time of day or day or week. And that was it. That is
their domain of expertise. Not security.
Now the Internet looks like a new shiny object that promises to provide
some cool new world capabilities, like letting people adjust the temp
while they're away, or using weather forecasts to manage hysteresis
effects. And so, the manufacturer initially thinks, we'll add an
interface to the product, and a little bit of code, and we're done. Now
the manufacturer has stepped outside their domain of expertise, and
doesn't have a full understanding of the risks that need to be
addressed. We as experts in this domain can help by informing
manufacturers of those risks.
Eliot
On 9/27/16 6:05 PM, Patrick W. Gilmore wrote:
> On Sep 27, 2016, at 11:49 AM, Roland Dobbins <rdobbins@arbor.net> wrote=
:
>> =08On 27 Sep 2016, at 22:37, Patrick W. Gilmore wrote:
>>> All the more reason to educate people TODAY on why having vulnerable =
devices is a Very Bad Idea.
>> Yes, but how do they determine that a given device is vulnerable?
> Easy: Can you ping it? It=E2=80=99s vulnerable.
>
> :-)
>
> Hey, I said we would have to educate them. I did not say how that would=
happen.
>
--2gUeJNCx9CvlGn6hl2sh4jOV4RJE2Ffva
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
iQEcBAEBCAAGBQJX63I0AAoJEIe2a0bZ0nozQWoH/1VyQKO8iGDmqye3jIaQUcbq
A/bqw41zxZp/4BB7CQpGIuwMmRBT4WU0zcsyZXqhoaqGM7p8EjYFdLCgrXIFdQs9
m5pwU0Nr6TCVgzFRoUFYT68ynH5VWq69ZS5DqT/SJbz1GGgllbGyNd+DhM3skZpD
Rb/YhjpLLdrROTbVvjLuWt87axDDLdkRuoWJFa7wQkNSUzv1T08K/06BonAaokCI
rnC05LsFoaMIRvWne2YVTTAwZI7NxZ6tWUZJZqVplAuM/+rc8K1/rY2NgdXwUwxO
BbMcKckJPpCFcYVkwCjk9iIlgacsIc8wNHbOKz0ckRlW4AFqU6svL9wa0S4rhT4=
=1vPZ
-----END PGP SIGNATURE-----
--2gUeJNCx9CvlGn6hl2sh4jOV4RJE2Ffva--
