Krebs <3's The IoT

scottalanmiller

@Dashrender said in Krebs <3's The IoT:

Interesting - The challenge is making people care.

Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?

It was probably health insurers.

JaredBusch

@scottalanmiller said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

Interesting - The challenge is making people care.

Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?

It was probably health insurers.

Exactly my point @scottalanmiller. It was never the consumers until something else forced it.

Volvo super markets safety now. They did not always.

scottalanmiller

@Dashrender said in Krebs <3's The IoT:

With regards to IOT things now, we're definitely in a 'for the betterment of man' situation. I guess it's time for Uncle SAM to step up and mandate better security. Of course, that just brings it's own issues.

Yes, LOTS of issues. Like determining what is IoT and what is not. Determining when a device should be regulated. Determining what security regulation looks like. How do you make a regulation that actually makes things secure without accidentally making them insecure, etc.

Realistically, the best option might just be holding people accountable for breaches caused by lax security.

scottalanmiller

@JaredBusch said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

Interesting - The challenge is making people care.

Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?

It was probably health insurers.

Exactly my point @scottalanmiller. It was never the consumers until something else forced it.

Volvo super markets safety now. They did not always.

THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.

JaredBusch

@scottalanmiller said in Krebs <3's The IoT:

@JaredBusch said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

Interesting - The challenge is making people care.

Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?

It was probably health insurers.

Exactly my point @scottalanmiller. It was never the consumers until something else forced it.

Volvo super markets safety now. They did not always.

THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.

Yes, but you were brainwashed told that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.

Dashrender

@scottalanmiller said in Krebs <3's The IoT:

Realistically, the best option might just be holding people accountable for breaches caused by lax security.

OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.

I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.

Dashrender

@JaredBusch said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

@JaredBusch said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

Interesting - The challenge is making people care.

Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?

It was probably health insurers.

Exactly my point @scottalanmiller. It was never the consumers until something else forced it.

Volvo super markets safety now. They did not always.

THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.

Yes, but you were brainwashed told that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.

Scott's younger than I am, I don't recall such brain washing. I don't have kids, so safety ratings on cars aren't something I consider, other than the guillotine 9000 (I think it was the Montero Sport where in a front end crash, the hood wouldn't buckle, instead it came straight through the windshield and well, you can figure it out) that I know about so I avoid them.

JaredBusch

@Dashrender said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

Realistically, the best option might just be holding people accountable for breaches caused by lax security.

OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.

I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.

They do at a minor level but only because it cost them money. Many residential ISPs block outbound port 25 to prevent basic spam bots. It was pretty useless, but they did it.

Dashrender

@JaredBusch said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

Realistically, the best option might just be holding people accountable for breaches caused by lax security.

OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.

I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.

They do at a minor level but only because it cost them money. Many residential ISPs block outbound port 25 to prevent basic spam bots. It was pretty useless, but they did it.

I recall they cut this off long before spam bots were a real problem. I saw them doing this because they wanted businesses to use business priced connections instead of consumer ones. Sure still comes down to a money reason though.

Dashrender

Now the question is, will they see an better cost savings in shutting down connections that have bad traffic spewing on it? Probably not. They probably don't actually monitor much of that traffic directly, so they themselves don't know what it is, so they would have to start monitoring that - and that would cost money. And then they would have a HUGE uptick in customer service calls - massive cost increases.

Yeah it's unlikely they would ever voluntarily do this.

scottalanmiller

@JaredBusch said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

@JaredBusch said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

Interesting - The challenge is making people care.

Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?

It was probably health insurers.

Exactly my point @scottalanmiller. It was never the consumers until something else forced it.

Volvo super markets safety now. They did not always.

THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.

Yes, but you were brainwashed told that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.

I can't dispute that. I have no conscious memory of that happening, but I suppose it likely did. But safety education across the board is important and everyone should have it. But like anything, consumers should demand that from the government

scottalanmiller

@Dashrender said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

Realistically, the best option might just be holding people accountable for breaches caused by lax security.

OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.

I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.

If that was going to happen, it should be government mandated, again. ISPs should not be in a position of making "judgment calls" on those sorts of things. That's the wrong way to go. That paves the way for ISPs to make some pretty broad claims about what is and isn't malicious traffic.

dafyre

@scottalanmiller said in Krebs <3's The IoT:

@JaredBusch said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

@JaredBusch said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

Interesting - The challenge is making people care.

Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?

It was probably health insurers.

Exactly my point @scottalanmiller. It was never the consumers until something else forced it.

Volvo super markets safety now. They did not always.

THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.

Yes, but you were brainwashed told that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.

I can't dispute that. I have no conscious memory of that happening, but I suppose it likely did. But safety education across the board is important and everyone should have it. But like anything, consumers should demand that from the government

Safety education across the board is important. However, those that ignore what they are taught about safety should be naturally selected for removal from the gene pool.

I'm not sure that safety education from the government is a great idea when you look at the public education system these days. Sadly, I don't have a better idea for how to teach safety, aside from involvement in the lives of the people you care about.

scottalanmiller

ISPs are the wrong place to look. Think about this... if an ISP cuts off malicious traffic correctly, they mostly just help someone that isn't likely their customer with no benefit to themselves. If they cut something off as a false positive, they take on liability and risk and hurt their real customers.

There is effectively no incentive for an ISP to block bad traffic and a bit of incentive for them to allow whatever people decide to put on the wire.

Dashrender

@scottalanmiller said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

Realistically, the best option might just be holding people accountable for breaches caused by lax security.

OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.

I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.

If that was going to happen, it should be government mandated, again. ISPs should not be in a position of making "judgment calls" on those sorts of things. That's the wrong way to go. That paves the way for ISPs to make some pretty broad claims about what is and isn't malicious traffic.

of course, like Comcast basically killing most if not all Torrent traffic.

scottalanmiller

@JaredBusch said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

Realistically, the best option might just be holding people accountable for breaches caused by lax security.

OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.

I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.

They do at a minor level but only because it cost them money. Many residential ISPs block outbound port 25 to prevent basic spam bots. It was pretty useless, but they did it.

That's one that they mostly did to reduce their traffic loads. I don't believe that it was actually about SPAM bots but trying to encourage lock in to ISP based email services.

scottalanmiller

@Dashrender said in Krebs <3's The IoT:

@JaredBusch said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

Realistically, the best option might just be holding people accountable for breaches caused by lax security.

OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.

I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.

They do at a minor level but only because it cost them money. Many residential ISPs block outbound port 25 to prevent basic spam bots. It was pretty useless, but they did it.

I recall they cut this off long before spam bots were a real problem. I saw them doing this because they wanted businesses to use business priced connections instead of consumer ones. Sure still comes down to a money reason though.

Exactly. It predated the spam bots.

Dashrender

@dafyre said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

@JaredBusch said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

@JaredBusch said in Krebs <3's The IoT:

@scottalanmiller said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

Interesting - The challenge is making people care.

Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?

It was probably health insurers.

Exactly my point @scottalanmiller. It was never the consumers until something else forced it.

Volvo super markets safety now. They did not always.

THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.

Yes, but you were brainwashed told that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.

I can't dispute that. I have no conscious memory of that happening, but I suppose it likely did. But safety education across the board is important and everyone should have it. But like anything, consumers should demand that from the government

Safety education across the board is important. However, those that ignore what they are taught about safety should be naturally selected for removal from the gene pool.

I'm not sure that safety education from the government is a great idea when you look at the public education system these days. Sadly, I don't have a better idea for how to teach safety, aside from involvement in the lives of the people you care about.

Do we really want to teach safety though? Do we want/need more people in the gene pool? I know this is pragmatic to consider that we need a culling, but...

scottalanmiller

@Dashrender said in Krebs <3's The IoT:

Now the question is, will they see an better cost savings in shutting down connections that have bad traffic spewing on it? Probably not. They probably don't actually monitor much of that traffic directly, so they themselves don't know what it is, so they would have to start monitoring that - and that would cost money. And then they would have a HUGE uptick in customer service calls - massive cost increases.

Yeah it's unlikely they would ever voluntarily do this.

And unlikely that they should do it, it's just not their place to determine what is and is not malicious. And IoT end points are impossible to identify. How would an ISP know that something is a source of malicious traffic versus just sending out normal data?

Dashrender

@scottalanmiller said in Krebs <3's The IoT:

@Dashrender said in Krebs <3's The IoT:

Now the question is, will they see an better cost savings in shutting down connections that have bad traffic spewing on it? Probably not. They probably don't actually monitor much of that traffic directly, so they themselves don't know what it is, so they would have to start monitoring that - and that would cost money. And then they would have a HUGE uptick in customer service calls - massive cost increases.

Yeah it's unlikely they would ever voluntarily do this.

And unlikely that they should do it, it's just not their place to determine what is and is not malicious. And IoT end points are impossible to identify. How would an ISP know that something is a source of malicious traffic versus just sending out normal data?

It's definitely a slippery slope. But really - things like thousands or more pings or Syn flood, etc, these things are pretty obvious, but perhaps they're less used these days.