Re: Someone at Amazon fix this NOW


 



IMHO, it is not the problem of the IETF or other standards, because standards can just say what to do but do not enforce it and also do not say how to do it.

It is a problem of training and knowledge of customers and, as a result, of industries.

The enforcement cannot happen unless the industries feel the need for that or there is a kind of competition between industries to have it. This is not easy, as at the moment the IoT industries are just thinking about adding nice features rather than security or privacy. One possibility is that the customers are the ones who ask for that, because if the customers ask for it, then industries will follow the needs of the customers. For that, there needs to be wide understanding and training for customers to understand the problem. 80% of people just buy IoT without having any knowledge of security and enjoy its features.

If there are common criteria and customers ask for that, then industries will follow that goal. Otherwise, if security causes additional cost for industries and customers also do not understand this advantage, then they prefer to buy what they can have at a lower price!

Open source or other activities might help, but they still cannot force big companies to take care of their security. Otherwise, in the world there are whitehat hackers that start activities to show the problems! But unfortunately, based on many countries' regulations, even whitehat hackers can be arrested if the industries did not ask for that....






On Sun, Aug 13, 2017 at 10:39 AM, Michael Richardson <mcr+ietf@xxxxxxxxxxxx> wrote:

> The seller knew s system. When I made the order, they shipped a box of
> baking maps s address in Gilberts, Illinois, and then used the tracking
> number for my order.to S

So, to put this into something that IETFers can deal with, this would have
been detectable automatically if USPS had sent a signed artifact to Amazon
(or if such a thing was retrievable via the tracking order) that Amazon could
have compared with the correct destination address.

Is this the IETF's direct problem?  Not entirely; we have 20yr old protocols for
signing various objects, although PHB knows better than any how unsuccessful
we have been at getting them used.

If anything it outlines the gap between publishing an RFC and getting it
meaningfully deployed.  There is a gap in there for motivated early adopters
(such as governments, via procurement) and industry and government to adopt.

I think we are sleepwalking into a similar disaster with IoT. Right now, the message Congress is getting is that the biggest priority in IoT is to force devices to accept software updates.

Well no it is not. Software updates are only going to make things worse if you don't do it securely. The update mechanism provides the attacker with a vector to own the machine entirely unless you authenticate. Do you think the IoT folk do that right?

I can't use my Sonos device in one room because every time I try, it is updating. Same with one of the 'smart' TVs.

There is a real empathy gap in the industry. It's not just an inability to see things from the user's point of view, it is a refusal to accept that it even matters.
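The check Michael Richardson sketches above (a carrier-signed delivery artifact that the seller compares with the order's destination address) and the point PHB makes about update mechanisms (verify the signature before trusting the payload) are the same two-step pattern: authenticate the artifact, then compare its contents with what you expected. The following Go program is an added example written for this page; it is not code from the thread, from USPS or from Amazon. The attestation layout, its field names, the use of Ed25519 and the address normalisation are all this example's own assumptions, and every address and tracking number in it is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// DeliveryAttestation is a hypothetical artifact a carrier would sign for each
// delivery. The field names and layout are this example's assumption, not a real format.
type DeliveryAttestation struct {
	TrackingNumber string `json:"tracking_number"`
	Destination    string `json:"destination"`
	DeliveredAt    string `json:"delivered_at"`
}

var (
	ErrBadSignature    = errors.New("attestation: carrier signature does not verify")
	ErrAddressMismatch = errors.New("attestation: delivered address differs from order address")
)

// encode produces the bytes that are signed and later verified. encoding/json emits
// struct fields in declaration order, so both sides derive identical bytes.
func (a DeliveryAttestation) encode() ([]byte, error) {
	return json.Marshal(a)
}

// SignAttestation is the carrier side: sign the encoded attestation with the carrier's key.
func SignAttestation(carrierPriv ed25519.PrivateKey, a DeliveryAttestation) ([]byte, error) {
	msg, err := a.encode()
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(carrierPriv, msg), nil
}

// normalizeAddress tolerates case and whitespace differences only; postal
// standardisation of addresses is out of scope for this example.
func normalizeAddress(s string) string {
	return strings.ToUpper(strings.Join(strings.Fields(s), " "))
}

// VerifyDelivery is the seller side. The signature is checked before any field of the
// attestation is trusted; only then is the delivered address compared with the order.
// carrierPub must have been obtained out of band, not from the attestation itself.
func VerifyDelivery(carrierPub ed25519.PublicKey, a DeliveryAttestation, sig []byte, orderAddress string) error {
	msg, err := a.encode()
	if err != nil {
		return err
	}
	if !ed25519.Verify(carrierPub, msg, sig) {
		return ErrBadSignature
	}
	if normalizeAddress(a.Destination) != normalizeAddress(orderAddress) {
		return fmt.Errorf("%w: delivered to %q, order says %q", ErrAddressMismatch, a.Destination, orderAddress)
	}
	return nil
}

// RunScenario plays out three constructed cases and returns each verification result:
// an honest delivery, a parcel the carrier genuinely delivered to some other address
// whose tracking number was then attached to this order (the thread's case), and an
// attestation signed by a key that is not the carrier's.
func RunScenario() (honest, redirected, forged error) {
	carrierPub, carrierPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	orderAddress := "1 Example Way, Springfield, IL 62701" // constructed order address

	good := DeliveryAttestation{"EX0000000001", "1 example way,  Springfield, IL 62701", "2017-08-10T14:02:00Z"}
	sigGood, _ := SignAttestation(carrierPriv, good)
	honest = VerifyDelivery(carrierPub, good, sigGood, orderAddress)

	elsewhere := DeliveryAttestation{"EX0000000002", "99 Other Rd, Elsewhere, IL 60136", "2017-08-10T14:02:00Z"}
	sigElsewhere, _ := SignAttestation(carrierPriv, elsewhere)
	redirected = VerifyDelivery(carrierPub, elsewhere, sigElsewhere, orderAddress)

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // not the carrier's key
	sigForged, _ := SignAttestation(otherPriv, good)
	forged = VerifyDelivery(carrierPub, good, sigForged, orderAddress)
	return honest, redirected, forged
}

func main() {
	h, r, f := RunScenario()
	fmt.Println("honest delivery:    ", h)
	fmt.Println("other-address parcel:", r)
	fmt.Println("forged attestation: ", f)
}
```

The order of the two checks matters: comparing addresses before verifying the signature would let anyone who can write JSON claim a delivery to the right address, which is exactly the gap the thread describes for unauthenticated IoT updates.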

