Dear Internet,
Through this beacon it was discovered that a vendor was squatting on BGP
Path Attribute value 30. And another vendor sat on 31.
So, a twisted turn of events, the Large BGP Communities effort has ended up
with BGP Path Attribute value 32 - very befitting if you look at the very
prob
Hi Jean-Francois,
On 10/25/16 10:37 AM, Jean-Francois Mezei wrote:
> On 2016-10-25 04:10, Ronald F. Guilmette wrote:
>
>> If all of the *&^%$# damn stupid vacation pet feeders had originally shipped
>> with outbound rate limits hard-coded in the kernel, maybe this could have
>> been avoided.
>
>
actually, the one technical hack i liked the most so far was the
suggestion to put throttling into openwrt/lede, as they are used
for the base in much cpe.
randy
In message <58112f9f.6060...@vaxination.ca>,
Jean-Francois Mezei wrote:
>A camera showing the baby in 4K resolution along with sounds of him
>crying on dolby surround to the mother who is at work would likely
>saturate upload just as much as the virus sending DNS requests. This
>falls into the
i think this would be the most effective route proposed so far.
May the force be with you :)
On Wed, Oct 26, 2016 at 12:19 PM, Leo Bicknell wrote:
> In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kulawiec
> wrote:
>> The makers of IoT devices are falling all over themselves
In message <89795.1477520...@turing-police.cc.vt.edu>,
valdis.kletni...@vt.edu wrote:
>> Given that, and given that "OpenWRT and kin" often provide the end-user
>> with readily accessible dials and knobs via which the user can force the
>> device to *exceed* legal/FCC limits on power output, I a
People underappreciate the power of a million-strong IoT bot net. Just a few K
per second from each bot becomes gigabits per second at the target.
-mel
> On Oct 26, 2016, at 4:41 PM, Ronald F. Guilmette
> wrote:
>
>
> In message
>
> Ken Matlock wrote:
>
>> - End users need to have wa
In message <12573.1477530...@segfault.tristatelogic.com>, "Ronald F. Guilmette"
writes:
>
> In message <58111bd4.80...@vaxination.ca>,
> Jean-Francois Mezei wrote:
>
> >My smart TV not only hasn't gotten updates in years, but Sharp has
> >stopped selling TVs in Canada. (not sure if they still
In message <58111bd4.80...@vaxination.ca>,
Jean-Francois Mezei wrote:
>My smart TV not only hasn't gotten updates in years, but Sharp has
>stopped selling TVs in Canada. (not sure if they still sell TVs elsewhere).
A little more than 2 years ago, I bought a last-of-its-kind demo
model of a 50
On Wed Oct 26, 2016 at 05:10:44PM -0400, Jean-Francois Mezei wrote:
> My smart TV not only hasn't gotten updates in years, but Sharp has
> stopped selling TVs in Canada. (not sure if they still sell TVs elsewhere).
>
> When manufacturers provide a 2 year support on a device that will last
> 10 yea
In message <20161026205800.7188d57b2...@rock.dv.isc.org>,
Mark Andrews wrote:
>Actually things have changed a lot in a positive direction.
>...
>* Microsoft, Apple, Linux and *BSD issue regular fixes for their
> products and users do install them.
At the risk of repeating a point I have alread
In message <12301.1477525...@segfault.tristatelogic.com>, "Ronald F. Guilmette"
writes:
>
> In message m>
> Ken Matlock wrote:
>
> >- End users need to have ways to easily see what's going on over their
> >local networks, to see botnet-like activity and DDoS participation (among
> >other thin
> On Oct 26, 2016, at 6:40 PM, Ronald F. Guilmette
> wrote:
>
> Point: I have a DSL line which is limited to 6Mbps down and 756Kbps up.
> My guess is that if any typical/average user is seen to be using more
> than, say, 1/10 of that amount of "up" bandwidth in any one given 10
> minute time p
In message
Ken Matlock wrote:
>- End users need to have ways to easily see what's going on over their
>local networks, to see botnet-like activity and DDoS participation (among
>other things) in a more real-time fashion
This is an interesting point.
I'm not actually an ISP guy, although I do
On 2016-10-26 18:02, Ronald F. Guilmette wrote:
> http://p.globalsources.com/IMAGES/PDT/BIG/053/B1088622053.jpg
>
> i.e. a multitude of wall plates in every room, each one bristling with a
> multitude of RJ11 sockets into which all manner of shiny new IoT things
> will be directly plugged, th
On Wed, 26 Oct 2016 15:02:46 -0700, "Ronald F. Guilmette" said:
> i.e. a multitude of wall plates in every room, each one bristling with a
> multitude of RJ11 sockets into which all manner of shiny new IoT things
> will be directly plugged, thence to be issued their own IPv6 addresses
> directly v
In message <20161026123043.ga10...@thyrsus.com>,
"Eric S. Raymond" wrote:
>There is, however, a chokepoint we have more hope of getting decent software
>deployed to. I refer to home and small-business routers. OpenWRT and kin
>are already minor but significant players here. And there's an NRE
On Wed, 26 Oct 2016 20:53:51 +0200, JORDI PALET MARTINEZ said:
> Even if we speak about 1 dollar per each product being sold, it is much
> cheaper than the cost of not doing it and paying for damages, human resources,
> etc., when there is a security breach.
This only works if the company perceiv
In message <11718.1477517...@segfault.tristatelogic.com>, "Ronald F. Guilmette"
writes:
> In short, if sensible regulations requiring "safe" designs for IoT products
> were to come into force in one locale, it is not only possible, but
> actually quite likely that they would affect the whole mark
In message <20161026120634.ga20...@gsp.org>,
Rich Kulawiec wrote:
>On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote:
>>2) Second, once elected I will decree that in future all new IoT devices,
>> and also all updates to firmware for existing IoT devices will have,
>
On 2016-10-26 16:58, Mark Andrews wrote:
>
> Actually things have changed a lot in a positive direction.
>
> * Router manufacturers are using device specific passwords.
> * Microsoft, Apple, Linux and *BSD issue regular fixes for their
> products and users do install them.
> * My smart TV has auto
In message
, Ken
Matlock writes:
> As a relative 'outsider' I see a lot of finger-pointing and phrasing this
> as (effectively) someone else's fault.
>
> To me this is a failing on a number of levels all contributing to the
> problem.
>
> 1) The manufacturer - Backdoors, hidden accounts, remot
Re: certification of IoT devices analogous to UL etc
Another potentially useful channel to give this idea legs are
insurance companies, get them involved if possible.
They underwrite the risks particularly liability risks for
manufacturers. That's why "Underwriters Laboratory" is called that,
ul
As a relative 'outsider' I see a lot of finger-pointing and phrasing this
as (effectively) someone else's fault.
To me this is a failing on a number of levels all contributing to the
problem.
1) The manufacturer - Backdoors, hidden accounts, remote access
capabilities, no proper security testing.
Why does everyone think the Master Plan for World Domination has to be Evil? :)
-mel beckman
> On Oct 26, 2016, at 12:40 PM, Eric S. Raymond wrote:
>
> Mel Beckman :
>> I also really like the idea of offering open source options to vendors, many
>> of whom seem to illegally take that privileg
re: having gadgets certified (aka UL/CSA for electric stuff).
Devil is in the details. Who would certify it ? And who would set the
standards for certification?
How fast would those standards change? updated with each new attack?
Would standards update require agreement of multiple parties who ra
So device is certified, bug is found 2 years later. How does this help.
The info to date is last week's issue was patched by the vendor in Sept
2015, I believe is what I read. We know bugs will creep in, (source anyone
that has worked with code forever) Also certification assuming it would
work,
Mel Beckman :
> I also really like the idea of offering open source options to vendors, many
> of whom seem to illegally take that privilege anyway. A key fast-path
> component, though, is in my opinion a new RFC for IoT security best
> practices, and probably some revisions to UPNP.
>
> The I
Exactly, I was arguing exactly the same with some folks this week during the
RIPE meeting.
The same way that certifications are needed to avoid radio interferences, etc.,
and if you don’t pass those certifications, you can’t sell the products in some
countries (or regions in case of EU for exam
While I agree that fixing home routers is the best approach, something
bugs me.
If an IoT vendor doesn't even know that its devices have telnet or ssh
enabled by default (and hence, no management interface to change
passwords) and only focuses on the web interface it has added, then
how come the
In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kulawiec
wrote:
> The makers of IoT devices are falling all over themselves to rush products
> to market as quickly as possible in order to maximize their profits. They
> have no time for security. They don't concern themselves
Eric,
I agree that the home router is a viable choke point, and even though we can’t
quickly roll out new firmware, if we had started this ten years ago we’d be
done by now! So this is the ten-year plan, but still worth doing.
I also really like the idea of offering open source options to vendo
Rich Kulawiec :
> I think our working assumption should be that there will be zero cooperation
> from the IoT vendors. (Yeah, once in a while one might actually step up,
> but that will merely be a happy anomaly.)
I agree.
There is, however, a chokepoint we have more hope of getting decent softw
On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote:
>2) Second, once elected I will decree that in future all new IoT devices,
> and also all updates to firmware for existing IoT devices will have,
> BUILT IN TO THE KERNEL, code/logic which (a) prevents all outbound