[191837] in North American Network Operators' Group
Re: Krebs on Security booted off Akamai network after DDoS attack
daemon@ATHENA.MIT.EDU (Stephen Satchell)
Wed Sep 28 08:30:12 2016
To: NANOG list <nanog@nanog.org>
From: Stephen Satchell <list@satchell.net>
Date: Wed, 28 Sep 2016 05:30:08 -0700
In-Reply-To: <a475a678-ec92-16e7-2385-2ab8b998df45@cisco.com>
On 09/28/2016 12:33 AM, Eliot Lear wrote:
> It's not just consumers that need to understand this. Manufacturers of
> Things are right now on a steep learning curve. Consider that
> thermostat, for just a moment. In The Good Old Days, before it had a
> network interface, the manufacturer cared about a handful of things like
> at what temperature to turn the heat or A/C on maybe with some
> adjustments for time of day or day of week. And that was it. That is
> their domain of expertise. Not security.
>
> Now the Internet looks like a new shiny object that promises to provide
> some cool new world capabilities, like letting people adjust the temp
> while they're away, or using weather forecasts to manage hysteresis
> effects. And so, the manufacturer initially thinks, we'll add an
> interface to the product, and a little bit of code, and we're done. Now
> the manufacturer has stepped outside their domain of expertise, and
> doesn't have a full understanding of the risks that need to be
> addressed. We as experts in this domain can help by informing
> manufacturers of those risks.

Many manufacturers will outsource the Internet portion of their product
to a software provider, not build from scratch "in house". The people
we really need to get to are the ones that *provide* those packages the
manufacturers use.

In the case of embedded Linux solutions, the discussion need only be
about what knobs to turn, and how far.