[193654] in North American Network Operators' Group
Re: IoT security
daemon@ATHENA.MIT.EDU (bzs@theworld.com)
Fri Feb 10 03:49:20 2017
X-Original-To: nanog@nanog.org
Date: Thu, 9 Feb 2017 18:22:20 -0500
From: bzs@theworld.com
To: Rich Kulawiec <rsk@gsp.org>
In-Reply-To: <20170209170440.GA25494@gsp.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On February 9, 2017 at 12:04 rsk@gsp.org (Rich Kulawiec) wrote:
 > On Wed, Feb 08, 2017 at 08:30:15AM -0800, Damian Menscher wrote:
 > > The devices are trivially compromised (just log in with the default root
 > > password).  So here's a modest proposal: log in as root and brick the
 > > device.
 > 
 > No.  It's never a good idea to respond to abuse with abuse.  Not only
 > is it unethical and probably illegal (IANAL, this is not legal advice)
 > but it won't take more than a day for someone to figure out that this
 > is happening and use some variety of misdirection to cause third parties
 > to target devices that aren't actually part of the problem.
OK, but what if you broke in and fixed their security w/o breaking the
user experience? Would a vendor, presented with a good demo, sign off
on that? If so, isn't it just a mandatory patch?
-- 
        -Barry Shein
Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*