[192349] in North American Network Operators' Group
Re: Spitballing IoT Security
daemon@ATHENA.MIT.EDU (Eric S. Raymond)
Wed Oct 26 15:40:46 2016
X-Original-To: nanog@nanog.org
Date: Wed, 26 Oct 2016 15:40:40 -0400
From: "Eric S. Raymond" <esr@thyrsus.com>
To: Mel Beckman <mel@beckman.org>
In-Reply-To: <EB31DFCA-CA9D-4D44-B2A0-9E0BD6CC209B@beckman.org>
Reply-To: esr@thyrsus.com
Cc: "nanog@nanog.org" <nanog@nanog.org>, Rich Kulawiec <rsk@gsp.org>
Errors-To: nanog-bounces@nanog.org
Mel Beckman <mel@beckman.org>:
> I also really like the idea of offering open source options to vendors, many of whom seem to illegally take that privilege anyway. A key fast-path component, though, is in my opinion a new RFC for IoT security best practices, and probably some revisions to UPnP.
>
> The IoT RFC would spell out basic rules for safe devices: no back doors, no default passwords, no gratuitous inbound connections, etc. It would also make encryption a requirement, and limit how existing UPnP is deployed to prevent unnecessarily exposing vulnerable TCP/UDP ports to the wild. With this RFC in hand, and an appropriate splashy icon for vendor packaging (“RFC 9999 ThingSafe!”), vendors will have a competitive reason for compliance as a market differentiator, whether they deploy with open-source or proprietary code.
That is a good idea and I am officially adopting it as part of the Evil
Master Plan for World Domination. :-)
I may recruit you to help draft the RFC.
--
Eric S. Raymond <http://www.catb.org/~esr/>
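The UPnP point in Mel's proposal, limiting how IGD port mappings expose TCP/UDP ports to the wild, is the one piece an operator can audit on a gateway today rather than wait for an RFC. What follows is an added example, not code from this thread or from either author: it builds the standard WANIPConnection GetGenericPortMappingEntry request, parses the gateway's SOAP reply, and flags mappings that are reachable from any remote host, never expire, or forward to a port a consumer device should not be serving to the Internet. The sample replies are constructed, and SENSITIVE_PORTS and the choice of which conditions count as findings are assumptions of the example, not anything the thread specifies.

```python
"""Audit UPnP IGD port mappings that expose internal hosts to the Internet.

Added example for the thread above, not code from it. It builds the standard
WANIPConnection GetGenericPortMappingEntry request, parses the gateway's SOAP
reply and flags mappings that open a port to the wild. The sample replies are
constructed and SENSITIVE_PORTS is an assumed policy, not something the thread
specifies.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Internal ports whose Internet exposure is rarely justified (assumed policy).
SENSITIVE_PORTS = {21, 22, 23, 80, 443, 554, 1900, 5000, 8080}


@dataclass(frozen=True)
class PortMapping:
    remote_host: str      # "" means any remote address may use the mapping
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str
    lease_duration: int   # seconds; 0 means the mapping never expires


def build_request(index: int) -> str:
    """SOAP body asking the gateway for mapping number `index` (0-based).
    POST it to the WANIPConnection control URL with SOAPAction set to
    "urn:schemas-upnp-org:service:WANIPConnection:1#GetGenericPortMappingEntry"
    and raise `index` until the gateway returns a SOAP fault."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{IGD_SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    )


def parse_response(xml_text: str) -> PortMapping:
    """Parse one GetGenericPortMappingEntryResponse into a PortMapping."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    resp = None if body is None else body.find(
        f"{{{IGD_SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")

    def field(name: str) -> str:
        el = resp.find(name)  # response arguments carry no namespace
        return (el.text or "").strip() if el is not None else ""

    return PortMapping(
        remote_host=field("NewRemoteHost"),
        external_port=int(field("NewExternalPort")),
        protocol=field("NewProtocol").upper(),
        internal_port=int(field("NewInternalPort")),
        internal_client=field("NewInternalClient"),
        enabled=field("NewEnabled") == "1",
        description=field("NewPortMappingDescription"),
        lease_duration=int(field("NewLeaseDuration") or "0"),
    )


def findings(m: PortMapping) -> list[str]:
    """Reasons a mapping counts as exposed; an empty list means acceptable."""
    out = []
    if not m.enabled:
        return out
    if m.remote_host == "":
        out.append("reachable from any remote host")
    if m.lease_duration == 0:
        out.append("permanent lease, never expires")
    if m.internal_port in SENSITIVE_PORTS:
        out.append(f"forwards to sensitive port {m.internal_port}/{m.protocol}")
    return out


def audit(responses: list[str]) -> list[tuple[PortMapping, list[str]]]:
    """Parse each reply and keep only the mappings with at least one finding."""
    parsed = [parse_response(x) for x in responses]
    return [(m, f) for m in parsed if (f := findings(m))]


def _reply(remote, ext, proto, internal, client, enabled, desc, lease) -> str:
    """Constructed gateway reply for the demo; not captured from a real device."""
    args = [("NewRemoteHost", remote), ("NewExternalPort", ext),
            ("NewProtocol", proto), ("NewInternalPort", internal),
            ("NewInternalClient", client), ("NewEnabled", enabled),
            ("NewPortMappingDescription", desc), ("NewLeaseDuration", lease)]
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args)
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SERVICE}">'
            f'{inner}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


SAMPLE_REPLIES = [
    # IP camera that opened its own telnet port to the whole Internet.
    _reply("", 23, "TCP", 23, "192.168.1.20", 1, "IPcam telnet", 0),
    # Mapping restricted to one peer with a one-hour lease: acceptable.
    _reply("203.0.113.5", 6881, "UDP", 6881, "192.168.1.30", 1, "p2p", 3600),
    # Disabled leftover mapping: ignored.
    _reply("", 8080, "TCP", 8080, "192.168.1.40", 0, "old NAS", 0),
]

if __name__ == "__main__":
    for m, reasons in audit(SAMPLE_REPLIES):
        print(f"{m.internal_client}:{m.internal_port}/{m.protocol} "
              f"<- *:{m.external_port} ({m.description}): {'; '.join(reasons)}")
```

To run it against a real gateway, find the control URL via SSDP (M-SEARCH for urn:schemas-upnp-org:device:InternetGatewayDevice:1, then the device description XML), POST build_request(i) for i = 0, 1, 2, ... and stop at the first SOAP fault (error 713, SpecifiedArrayIndexInvalid, marks the end of the table). The example assumes WANIPConnection:1; gateways that expose WANPPPConnection:1 use the same action with that service name in the namespace, and the reply format is otherwise identical.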