[192383] in North American Network Operators' Group


Re: Spitballing IoT Security

daemon@ATHENA.MIT.EDU (knack via NANOG)
Thu Oct 27 09:39:36 2016

X-Original-To: nanog@nanog.org
Date: Wed, 26 Oct 2016 22:46:36 -0500
To: nanog@nanog.org
In-Reply-To: <CAF-Wqd5sO0x5muw6uPDxMXd+h1ebCCtL9Ke9uMEc7k364OfHLA@mail.gmail.com>
From: knack via NANOG <nanog@nanog.org>
Reply-To: knack <nanog@deltasly.com>
Errors-To: nanog-bounces@nanog.org

I agree wholeheartedly.

----

Yes, BCP (any relevant to your business), filtering, active tit-for-tat with abuse teams, calling out manufacturers, ISPs doing /anything/ (most already block 25 and 80, not that they give you the upload to bother with the latter and it's not necessarily for the good of the 'net as a whole) - they're all things we absolutely should be doing.  That doesn't change the fact that all of those are just *ambulances in the valley*. <http://www.tonycooke.org/stories-and-illustrations/ambulance_valley/>  If we're going to solve this, we need to be better as a species - we're about at the place where we can't progress much farther (without some sort of caste system nightmare - /The Diamond Age/ comes to mind) *until basic computing and good practice are as pervasive as the ability to read and write.*  Hint:  I don't mean 'can do an app on the smartphone' - real understanding and appreciation.

I'm not saying everyone needs to be a savant, but a basic understanding of the technology you*^1 use *every.single.day* for almost *every.single.function* of your life isn't asking much, I don't think.  The ability to think logically and problem solve is something that I see declining in even the brighter of the youths I've encountered in the past few years.

This "it just works/should work" willfully (almost maliciously sometimes) ignorant mentality - pushed by vendors and craved by the overworked - is stunting our potential.  Christ, the people who are *in charge of the world* (not necessarily those who /run/ it...but I'd bet a good portion still) don't even understand the basics of how these machines, and this thing that facilitates the global economy, work.  The root problem is much, much more significant than DoS attacks and spam.

Maybe we need to start younger - I can't speak for all schools, but my 'computer course' was "here's Mavis Beacon - play games and...whatever" - I hope it's not [really | still] like that.  Maybe we, the community, create and sponsor course material, maybe there's a push for more than Cisco Academy - at this point this knowledge is a public safety issue and should be a respected part of the general education syllabus (too bad we're all too busy with standardized tests to care).  Something so inherently part of everyday life cannot be just for the 'nerds' or even the especially interested, anymore.

I don't know what to do about manufacturers - it's been a global race to the bottom for years now.  Someone mentioned a device certification earlier.  It's something and a start at least, so I'm on board and willing to devote some time.  I'm not sure this is something the community alone will be able to drive, silently, from the shadows.  The cynic in me wants to throw in to buy a politician or two.

The usual trick is to hit them where it hurts - in the wallet. Their wallets are so large these days (and constantly consolidating, lessening the chance of real change and competition) that I'm at a loss as to how.

Maybe a slow increase in user-required configurations, decisions, and interaction...complete with logical explanations to help with said decisions?  I don't know...that could affect profits this quarter (because who looks farther ahead than that...long term effects and progress aren't important anymore, right?).  Pavlovian training?  Seems a bit totalitarian.

The /last/ thing I want is government (on the country or global scale) intervention...the 2nd to last is to use this upcoming metaphor (but I haven't a better one).

Look at cars - in more places than not, it's damn near impossible to be a functional and contributory adult without a car; some might even call it a 'right' in the 1st world.  Does that stop us from driver's ed courses**^2 in school?  Do we not teach the basics of safe operation, maintenance, and even a bit about how it works under the hood (my school did)?  Does the ubiquity of the automobile stop the removal of that (legal) ability for those who *endanger others* or otherwise abuse the driving privilege?  No...no it doesn't.  Granted, there are still those who are going to do what they're going to do - but that number is lessened (and some even come around to see the harm).

That does *not* mean I think there should be a 'compu-tar license' - not at all.  But it *does* mean that everyone should be taught responsible computing, the harms of carelessness, and the fun in knowing how these things work.

Anyway - thanks for the rant (been bothering me for a while now)...I do believe we should address and minimize the symptoms as they appear, but without surgical attacks directed at the dark heart of the beast (be that people, intrinsically, or just our social norms) we're going to end up with either a horribly censored, totalitarian internet "app" regime, or burnt to the ground in chaos - too distracted by inane, emotionally infused, bullshit pumped forth day-to-day at an ADD inducing pace (meant to give us the ol' numb & dumb - I'll admit I succumb more often than I'd like - not trying to high-horse here), to notice the fires until it's too late to stomp them out.  I never imagined we***^3 could become so dichotomous-ly obsessed yet ignorant.

Yes, there will always be malicious people but, in the same way we convinced most of the world that sacrificing humans is murder and kinda wrong (and engaged them in at least a few active prevention tactics), we need to stigmatize -- really */really/* stigmatize (to the core of the soul) this bullshit.  On a side note: giving 10 years to the guy who just wanted to tinker with "his own" (because we don't /own/ anything anymore, in a hyperbolic way) equipment isn't the way to do it.

Everything seems overly fatalistic and over-dramatized until the moment it's not - how many disasters could have been prevented if people just listened to the engineers (ask the Challenger)?  Of course, we're still prescribing antibiotics for virii in the face of MRSA and worse - hell, Pompeii partied until they were literally dying in the streets...so let's drink up, add a little duct tape, and worry about it in a few years (/s).  Or, we keep pushing, wherever possible, and maybe something will pop.

Seldom do I wish to be proven incorrect - here I do.  Contrary to what it may seem, I think we***^3 still have a chance.

*1: That's /you, the generalization I'm referring to/, and not /you, the specific people reading this./
**2: Though, unfortunately due to that government intervention, we spent more time memorizing the specific BAC to age ratio to determine your fine and loss of license than honing basic knowledge and skills.
***3: Again, that's /we, as a society of 7 billion - call it a median or mode/ rather than /we, individuals in a set/.

----

(Disclaimer: I don't like speaking publicly, especially at this length (though I've cut out a good 60%, as I admit I have a rambling problem).  I've spent the last week writing and re-writing versions of this; I still don't like it (both overly idealistic and fatalistic at the same time, and the "voice" is much harsher than I would have liked - the tradeoff of curtailing the rambling I suppose), but I had a strong reaction to this subject.  ...And yes I even debated the disclaimer, as it's hokey as all getout...best I could muster was to move it to the end.  My apologies if I've overlooked points below being covered previously in the thread - /thank you for the ear & I'm sorry/™).

~knack


On 10/26/2016 3:12 PM, Ken Matlock wrote:
> As a relative 'outsider' I see a lot of finger-pointing and phrasing this
> as (effectively) someone else's fault.
>
> To me this is a failing on a number of levels all contributing to the
> problem.
>
> 1) The manufacturer - Backdoors, hidden accounts, remote access
> capabilities, no proper security testing. No enforcing of security updates.
> 2) The end-user - No initiative on the end-user's perspective to gain even
> a basic understanding of how the device works, connects, etc. Also no tools
> or understanding of how to recognize *which* of their many devices on the
> network might be compromised and participating in the botnet. (Only
> indication they get is maybe their internet is slow)
> 3) The service providers - No effective monitoring of outgoing traffic from
> the end users to identify botnets and DDoS in a real-time fashion
>
> I contend that all 3 levels have failed in this, and nothing has
> fundamentally changed (today it's IoT, before it was unpatched windows
> boxes, etc) in decades. We keep talking about the problem but very little
> actual action has occurred to *fix* the underlying issues.
>
> - Manufacturers need to be held accountable for devices that go on the
> internet (that includes *anything* that's connected. PCs, servers, routers,
> IoT devices, etc)
> - End users need to have ways to easily see what's going on over their
> local networks, to see botnet-like activity and DDoS participation (among
> other things) in a more real-time fashion
> - Service providers need to be much more proactive in watching for threats
> and identifying/blocking them at the source, not allowing the traffic to
> flow to your peers and making it someone else's problem. Right now there's
> a financial disincentive to doing this, in both real costs (standing up
> monitoring gear/etc), and imagined (my ISP is SPYING on me!).
>
> Until we fix all 3 of these main issues we're just going to keep going in
> the same set of circles we do every time a 'new' threat/vector comes in.
>
> Now, are these issues *easy*? Oh, heck no!  Are they *cheap*? Once again,
> heck no! But to 'fix' this issue it will take all 3 levels being fixed.
>
> If we continue to keep pointing fingers at "the other guy" as the root of
> the problem we're inviting external forces (Legislation) to step in and
> 'fix' the problem for us (and it will just make it worse).
>
> My 2 cents (adjust for inflation)
> Ken
>
> On Wed, Oct 26, 2016 at 1:40 PM, jim deleskie <deleskie@gmail.com> wrote:
>
>> So device is certified,  bug is found 2 years later.  How does this help.
>> The info to date is last week's issue was patched by the vendor in Sept
>> 2015, I believe is what I read. We know bugs will creep in, (source anyone
>> that has worked with code forever) Also certification assuming it would
>> work, in what country, would I need one, per country I sell into?  These
>> are not the solutions you are looking for ( Jedi word play on purpose)
>>
>> On Wed, Oct 26, 2016 at 3:53 PM, JORDI PALET MARTINEZ <
>> jordi.palet@consulintel.es> wrote:
>>
>>> Exactly, I was arguing exactly the same with some folks this week during
>>> the RIPE meeting.
>>>
>>> The same way that certifications are needed to avoid radio interferences,
>>> etc., and if you don't pass those certifications, you can't sell the
>>> products in some countries (or regions in case of EU for example),
>>> authorities should make sure that those certifications have a broader
>>> scope, including security and probably some other features to ensure that
>>> in case something is discovered in the future, they can be updated.
>>>
>>> Yes, that means cost, but a few thousand dollars of certification price
>>> increase, among thousands of millions of devices of the same model being
>>> manufactured, means a few cents for each unit.
>>>
>>> Even if we speak about 1 dollar per each product being sold, it is much
>>> cheaper than the cost of not doing it and paying for damages, human
>>> resources, etc., when there is a security breach.
>>>
>>> Regards,
>>> Jordi
>>>
>>>
>>> -----Original Message-----
>>> From: NANOG <nanog-bounces@nanog.org> on behalf of Leo Bicknell <
>>> bicknell@ufp.org>
>>> Organization: United Federation of Planets
>>> Reply to: <bicknell@ufp.org>
>>> Date: Wednesday, 26 October 2016, 19:19
>>> To: <nanog@nanog.org>
>>> Subject: Re: Spitballing IoT Security
>>>
>>>      In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kulawiec wrote:
>>>      > The makers of IoT devices are falling all over themselves to rush products
>>>      > to market as quickly as possible in order to maximize their profits.  They
>>>      > have no time for security.  They don't concern themselves with privacy
>>>      > implications.  They don't run networks so they don't care about the impact
>>>      > their devices may have on them.  They don't care about liability: many of
>>>      > them are effectively immune because suing them would mean trans-national
>>>      > litigation, which is tedious and expensive.  (And even if they lost:
>>>      > they'd dissolve and reconstitute as another company the next day.)
>>>      > They don't even care about each other -- I'm pretty sure we're rapidly
>>>      > approaching the point where toasters will be used to attack garage door
>>>      > openers and washing machines.
>>>
>>>      You are correct.
>>>
>>>      I believe the answer is to have some sort of test scheme (UL
>>>      Laboratories?) for basic security and updateability.  Then federal
>>>      legislation is passed requiring any product being imported into the
>>>      country to be certified, or it is refused.
>>>
>>>      Now when they rush to market and don't get certified they get $0
>>>      and go out of business.  Products are stopped at the border, every
>>>      shipment is reviewed by authorities, and there is no cross border
>>>      suing issue.
>>>
>>>      Really it's product safety 101.  UL, the CPSC, NHTSA, DOT and a
>>>      host of others have regulations that if you want to import a product
>>>      for sale it must be safe.  It's not a new or novel concept, pretty
>>>      much every country has some scheme like it.
>>>
>>>      --
>>>      Leo Bicknell - bicknell@ufp.org
>>>      PGP keys at http://www.ufp.org/~bicknell/