Re: Someone at Amazon fix this NOW

On Sun, Aug 13, 2017 at 10:39 AM, Michael Richardson <mcr+ietf@xxxxxxxxxxxx> wrote:

> The seller knew s system. When I made the order, they shipped a box of
> baking maps s address in Gilberts, Illinois, and then used the tracking
> number for my order.to S

So, to put this into something that IETFers can deal with, this would have
been detectable automatically if USPS had sent a signed artifact to Amazon
(or if such a thing was retrievable via the tracking order) that Amazon could
have compared with the correct destination address.

Is this IETF's direct problem?  Not entirely; we have 20yr old protocols for
signing various objects, although PHB knows better than any how unsuccessful
we have been at getting them used.

If anything it outlines the gap between publishing an RFC and getting it
meaningfully deployed.  There is a gap in there for motivated early adopters
(such as governments, via procurement) and industry and government to adopt.

I think we are sleepwalking into a similar disaster with IoT. Right now, the message Congress is getting is that the biggest priority in IoT is to force devices to accept software updates.

Well no it is not. Software updates are only going to make things worse if you don't do it securely. The update mechanism provides the attacker with a vector to own the machine entirely unless you authenticate. Do you think the IoT folk do that right?

I can't use my Sonos device in one room because every time I try, it is updating. Same with one of the 'smart' TVs.

There is a real empathy gap in the industry. It's not just an inability to see things from the user's point of view, it is a refusal to accept that it even matters.
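
The signed-artifact check suggested in the quoted message above, sketched as an added example that is not part of the original thread: the carrier signs a record of where a tracking number was actually delivered, and the marketplace verifies that signature and compares the record with the order. The use of Ed25519, the JSON record layout, all names, and the sample tracking number and addresses are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// DeliveryRecord is a hypothetical artifact the carrier signs per tracking number.
type DeliveryRecord struct {
	Tracking    string `json:"tracking"`
	Destination string `json:"destination"`
}

var ErrBadSignature = errors.New("carrier signature does not verify")
var ErrMismatch = errors.New("signed record does not match the order")

// normalize makes the address comparison insensitive to case and spacing.
func normalize(a string) string { return strings.Join(strings.Fields(strings.ToUpper(a)), " ") }

// CheckShipment (marketplace side) verifies the signature, then compares record and order.
func CheckShipment(pub ed25519.PublicKey, msg, sig []byte, tracking, orderAddr string) error {
	if !ed25519.Verify(pub, msg, sig) {
		return ErrBadSignature
	}
	var r DeliveryRecord
	if err := json.Unmarshal(msg, &r); err != nil {
		return err
	}
	if r.Tracking != tracking || normalize(r.Destination) != normalize(orderAddr) {
		return ErrMismatch
	}
	return nil
}

// Demo runs constructed cases: honest delivery, parcel sent elsewhere, swapped signature.
func Demo() (honest, rerouted, forged error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // carrier key pair; nil selects crypto/rand
	okMsg, _ := json.Marshal(DeliveryRecord{"TRK-0001", "12 example st,  springfield, il"})
	badMsg, _ := json.Marshal(DeliveryRecord{"TRK-0001", "99 Sample Rd, Gilberts, IL"})
	okSig, badSig := ed25519.Sign(priv, okMsg), ed25519.Sign(priv, badMsg)
	check := func(m, s []byte) error {
		return CheckShipment(pub, m, s, "TRK-0001", "12 Example St, Springfield, IL")
	}
	return check(okMsg, okSig), check(badMsg, badSig), check(okMsg, badSig)
}

func main() { fmt.Println(Demo()) }
```

The check only helps if the marketplace obtains the carrier's public key and the signed record from the carrier, not from the seller.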
