undefined | Better HN

0 pointsandrewmitchell9y ago0 comments

There's a very strong argument to be made that regulation is the only way to improve this situation. A negative externality like this is unlikely to correct itself. Cheap manufacturers will continue to save money by cutting security features, and unaware or price-driven consumers will reinforce that behavior. What else can we do?

Note: this isn't something the US can solve. A lot of this traffic came from overseas. It's needs a coordinated response.

0 comments

6 comments · 2 top-level

dogma11389y ago· 4 in thread

The problem with most regulation is that it tends to be quite a bit behind the current trends.

You also need to acount for the fact that these devices are going to be alive for years maybe even decades which means that their security measures would become obsolete.

DDoS needs to be solved on the infrastructure level at this point, securing endpoint nodes is a game you are going to constantly lose.

cariaso9y ago

The same backdoors that owned the devices as a botnet, should be used to brick the devices. And the courts should support that purchasers are entitled to refunds and damages. Your IoT refrigerator got bricked? You can sue for $500 worth of spoiled food. Encourage class action lawsuits and watch how fast this is fixed.

https://github.com/jgamblin/Mirai-Source-Code

WildUtah9y ago

You can build secure devices. All it takes is putting quality engineers in charge.

But paying quality engineers isn't fun and they won't work for idiot management. So as long as management doesn't have to pay for the cost of disasters they cause, nothing will be secure.

It's the same thing that happened at Hillary's State Department.

So I agree: Brick those refrigerators.

idlewords9y ago

There are some basic "timeless" regulations that would make sense over an entire device lifespan. For example, requiring unique admin passwords, or an internet off switch.

Nor would this regulation have to come from government. The details could be delegated to a UL-like industry group.

dogma11389y ago

Until some one figures out that the admin PW is some hash of the MAC address or the serial number of the device or until some authbypass vulnerability affects 500,000 wifi enabled lava lamps.

Also while this attack did involve a botnet which used default credentials there will be attacks that infect via RCE or any other unauthenticated vector or simply don't require a botnet at all like say adding a multicast IP address to some wificamera or telemetry device that would cause it to send its traffic to a victim of your choice.

At the end you want to make sure your network and services are resilient to DDoS attacks, securing the endpoint source of choice everytime isn't that good of a strategy.

2 more replies

roel_v9y ago

Regulation, yes, like making someone responsible for these devices (owners, network operators, manufacturers, anyone would do, really). The 'internet of corporate things that the user is locked out of' aspect of the GP's comment is a red herring.

j / k navigate · click thread line to collapse