Re: Security Considerations, IoT and Everything
Rich Kulawiec <rsk@gsp.org> Fri, 02 December 2016 00:45 UTC
Return-Path: <rsk@gsp.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA340129A16 for <ietf@ietfa.amsl.com>; Thu, 1 Dec 2016 16:45:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id othsPqk8RlzD for <ietf@ietfa.amsl.com>; Thu, 1 Dec 2016 16:45:07 -0800 (PST)
Received: from taos.firemountain.net (taos.firemountain.net [207.114.3.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0C08129A15 for <ietf@ietf.org>; Thu, 1 Dec 2016 16:45:06 -0800 (PST)
Received: from gsp.org (localhost [127.0.0.1]) by taos.firemountain.net (8.15.1/8.14.9) with SMTP id uB20j4kx021109 for <ietf@ietf.org>; Thu, 1 Dec 2016 19:45:05 -0500 (EST)
Date: Thu, 01 Dec 2016 19:45:04 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: ietf@ietf.org
Subject: Re: Security Considerations, IoT and Everything
Message-ID: <20161202004504.GC21681@gsp.org>
References: <734ef353-487f-4f64-6cfe-f7909e705a41@comcast.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <734ef353-487f-4f64-6cfe-f7909e705a41@comcast.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/fhs62_j0OSPbLQa00sxpq6RxDDw>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2016 00:45:08 -0000
On Tue, Nov 22, 2016 at 03:25:36PM -0500, Michael StJohns wrote: > In the early days of the internet, connected devices were mostly big iron - > main frames and mini-computers. Next came the wave of PCs. Next the smart > phones and tablets. All of these had one thing mostly in common - there was > generally a Human in the loop somewhere watching the device. True, although one consequence of the rise of the bots 15-ish years ago, and their subsequent evolution, is that even if a human IS watching the device, they may not be aware of (all of) its activities. Reviewing that history: by 2007, we'd arrived here: Vint Cerf: one quarter of all computers part of a botnet http://arstechnica.com/news.ars/post/20070125-8707.html I thought the 150M estimate was a bit high: based on my own research and on conversations with others about theirs, I thought 100M was closer. But it's important to note that the number was (and is) not only unknown, but unknowable, since a bot which does nothing to make its presence known to detector will remain invisible indefinitely. Still: with the benefit of nearly a decade of hindsight, I think I was wrong: I now think 150M was probably a better estimate. But whether it was 100M or 150M or 200M: that's an alarming number. The security posture of all those systems was somewhat better than most of the devices now being deployed as part of the IoT. I think it's not unreasonable to expect the IoT ecosystem to be compromised far more quickly and to a much higher degree. "In a relatively short time we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters." --- Jeff Jarmoc, October 21, 2016 ---rsk
- Security Considerations, IoT and Everything Michael StJohns
- Re: Security Considerations, IoT and Everything Kathleen Moriarty
- Re: Security Considerations, IoT and Everything Stephen Farrell
- Re: Security Considerations, IoT and Everything Carsten Bormann
- Re: Security Considerations, IoT and Everything Michael StJohns
- Re: Security Considerations, IoT and Everything Stephen Farrell
- Re: Security Considerations, IoT and Everything Michael StJohns
- Re: Security Considerations, IoT and Everything Kathleen Moriarty
- Re: Security Considerations, IoT and Everything Yoav Nir
- Re: Security Considerations, IoT and Everything Dave Taht
- Re: Security Considerations, IoT and Everything Rich Kulawiec