Probably these attacks would not be possible if all the money put into governmental surveillance activities would have been invested in building a secure and resilient internet.
This attack is the logical answer to the governmental attacks on all networked infrastructure.
The root cause for these problems is a primitive way of thinking that is a wrong recipe for the path humanity has to take to not destroy itself.
Competition, dominance, control, surveillance, fear vs. cooperation, consistency, trust, freedom, love.
This is not about ethics or morality. It is about the fact that this way of primitive thinking just does not work - it is a stupid recipe for complicated problems and just fails.
Neanderthalers that like to imprison themselves into hierarchies and dominate the whole world should be put into mental hospitals, but never into governmental institutions or positions.
We must stop the domination and hierarchy adoring primitives with their non-working and self-destroying ideas to find an appropriate way to prepare for the future and its challenges.
An important first step is to put the military dog back on the chain and show it the place where it belongs to and never ever allow it to infiltrate politics.
Military solutions must only be the last step of self-defense that we need to use when all politics failed.
A society that allows military thinking to penetrate or even dominate political ideas will be destroyed in the long run, as destruction is the only solution that militarism knows.
Again this is not about ethics or morality, it is about logic. If you throw a stone into water, it will make waves.
First off, putting a negative spin to competition already tells me you have either a very narrow view or see something I dont. When iojs forked from nodejs, it was a competitor. Linux is a competitive landscape. Browsers are a competitive landscape. The idea that cooperation and consistancy leads to the best possible product is only as accurate as who is trusted to be the leader. There are some pretty dumb leaders out there but convincing enough to be trusted with millions of dollars.
Second off, the government didnt force all devices to be vulnerable. "Agile" development practices which we trust so much are what led us here. Build first, worry about security later. The fact that a persons information is valuable to the creator of these devices and they provide a direct gateway so they could be accessed by a third party. And the fact that consumers ignore any possible issues that may arise because they see the benefits.
You talk about logic, well logically we wouldnt have computers or any of this if it wasnt for competition abd the desire to evolve. And logically trust and freedom allowed these vulnerabilities to ho unchecked because the software is not open source and companies are free to do whatever they want since its up to the consumer to judge whether its worth it or not.
I understand why you want to make this political and pro-love because arguably any problem can be answered by pro-love. But logically, you should think before you dpeak and attempt to frame your argument with a consistant locigal tree than start blaring out hatred for the capitalist system
> "Agile" development practices which we trust so much are what led us here. Build first, worry about security later
Hardly. It's not like everyone stopped caring about security once they moved to Agile flows. The industry never cared about security.
This last attack on Dyn appears to be Mirai again, so devices with unchangeable default username/password combinations. The same poor practices that have existed since there were engineering practices at all.
It's not just Agile, it's competitive enterprises at work.
Ship a product now (before your competitor), get EMA; or spend many extra months pentesting and laboriously auditing your code OpenBSD-style.
It's much easier to win the market first and then go on PR damage control the next time there's a security incident, pointing the blame on those "evil hackers" while your software has more holes than Swiss cheese.
Meanwhile, as an engineer, it's much easier to appease upper management and meet your deadlines (set artificially close by people who don't understand the development process) by writing unsecure code, shipping, and then if something happens, talking your way out of said responsibility.
Meanwhile, you're stressed out because of how impossibly unrealistic the deadlines are, and so you're making more mistakes; maybe you're also running off solely caffeine and three hours of sleep the night before while on the trajectory towards burn-out because you're putting in so many hours.
I think their first point was the massive amount of money NSA uses is to make weaknesses in the internet infrastructure. While this likely isn't an example of a specific NSA hack being exploited, with all that time, money, and expertise it's likely one they could have fixed.
We've had some pretty nasty hacks in recent years, and with the National Security Agency that takes the public's money and actively makes our systems less secure, they're sure not helping our problems...
> An important first step is to put the military dog back on the chain and show it the place where it belongs to and never ever allow it to infiltrate politics.
You seem to be under the impression that military largely controls the politics and that's why there are wars. It's not true, at least not in western democracies. Most wars start when they are popular (and they are made popular by career politicians and not military) and end very soon after becoming unpopular (and the military can't do anything about it).
> Military solutions must only be the last step of self-defense that we need to use when all politics failed.
That's a nice thing to say but politics fails all the time. In fact, politics fails way more often than military is used - in most cases, the solution for politics failing is just sigh and wait until maybe something changes, military is used in rare occasion where it's politically feasible and seems to be achievable by military.
- If you don't have a very well defined need for a short DNS time to live, set your time to live to a large value, perhaps a day. Then, as long as someone can get at least one DNS request through, they can reach your site all day. (Ycombinator.com, why do you have a TTL of 12 seconds?.)
- Get multiple DNS services now. Not just two. Get four or five, some of which are not widely used.
Those two things will probably get you through future DNS attacks.
> Ycombinator.com, why do you have a TTL of 12 seconds?
You either meant to say 60 seconds, or forgot to factor your local caching DNS resolver in. Here:
$ dig +short soa ycombinator.com
ns-225.awsdns-28.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
$ dig a ycombinator.com @ns-225.awsdns-28.com. | grep -A3 'ANSWER SECTION'
;; ANSWER SECTION:
ycombinator.com. 60 IN A 54.240.184.14
ycombinator.com. 60 IN A 54.240.184.154
ycombinator.com. 60 IN A 54.240.184.206
It doesn't help if the DNS provider has multiple servers, and they're being attacked. You need unrelated DNS providers, and not the same unrelated DNS servers others are using.
I've always thought about expanding on this and just keeping a constantly-updating cache of any DNS requests I make (Where the system keeps them and serves them even after expiry if not updateable).
The only problem is this seems be a tough one to get right config-wise and I just haven't had time to figure it out.
Anybody know of any good tutorials for this specific use case? I've googled it a few times and they never seem too easy.
Sorry to chime in late, a day after this comment was added.
If you set a long DNS TTL, then you will not be able to move your IP addresses quick enough. In the DDoS world, you may need to nullroute an HTTP server IP. If you do that, you assume you can point the DNS to another, not-nulled IP. For this reason, keeping the DNS TTL to low values will make you more resilient.
Multiple DNS providers is probably a good advice, although hard to do in practice. The api's of different vendors don't always match. (cname flattening? geo-routing?). Also a real big attack will just likely take down all your providers. Using multiple providers may well _decrease_ the stability of the internet at large.
DDoS against DNS is not trivial problem. As sad as it may be, I'd say we must just assume DNS infrastructure in the world works. If it stops, then, many users will be affected.
Can anyone comment on the best way to run multiple DNS services?
Is this as simple as setting up the same records on multiple providers and updating your nameservers to point to the different providers? Or is there more involved?
Are there any providers which will replicate records from your 'master' provider, or is this going to be manual?
We use BuddyNS (https://www.buddyns.com/) as our secondary DNS provider. They use AXFR to automatically sync their servers with your primary DNS servers.
You just need a primary DNS vendor which supports AXFR, such as DNS Park (https://www.dnspark.com/).
To put it simply, yes. You have multiple NS records, and each points to a server that can act as an authoritative name server for your zone. When clients query for your zone from parent zones, they'll get all your name servers. The hard part is how you keep those name servers synchronised.
IIRC, bind has multiple built-in methods of keeping zone files synchronised between boxes.
Ignorant thinking out loud here. Is it feasible for certain infrastructure providers to team up and collect the ip addresses of the requests. This gives us a list of IPs with bots. THEN google, Facebook, Twitter, etc (major web properties) use this list to notify any of its users that one or more of their devices have been compromised and point them to a how to guide for securing it. Or more simple a script to patch it.
My thinking is that the only way to stop this is to get users to lock down their insecure devices.
A constant banner would annoy most people to action. Especially if it was really easy to issue a fix. Download and run. Script determines the actual device causing the harm and patches it. Possibly asking for a new password from user. I guess this assumes that a script could be written to issue a patch for the majority of cases. If not, then how is this device connected? Script could detect router and apply fix at that point.
So we need:
1. IP addresses for the sources of the attack load.
2. A way to distribute patches for those IP addresses.
I propose:
1. Those suffering the attacks can provide this.
2. Notify users via websites coordinating on displaying an alert with tools to patch.
Alternative solution to #2:
Can some part of the ISPs that connect these IPs be patched to detect and block malicious attacks?
This is an attack over UDP. The source address is likely spoofed. Simply blocking an IP will do nothing but banning somebody not related to the attack at all.
I don't think you understand how spoofing works. And no, this attack was not spoofed. It was just hundreds of thousands of IoT devices each pushing a small amount of traffic (0.5-1mbps).
Back in the day, the Internet was far simpler, with far less bullshit. If your IP was spewing crap, you would hear about it. And you either resolved the problem, or got null-routed.
The Internet is far^N larger and more complex, for sure. But accountability still has a place, I think.
I wonder if Dyn will at least release a heat map of source IPs.
Or, ISPs could simply block all service to offending IP addresses. The customer would see a notice: "The following IP address delivered N Gb of traffic over our network as part of a malicious DDOS attack. Please patch or isolate the offending device and contact customer service at 123-456-7890 to restore service."
I guess that wouldn't make your customers super happy, but it would probably be effective.
I think there's might be a significant legal issue to an ISP patching customers devices. Also a spoofed IP renders the source meaningless.
">THEN google, Facebook, Twitter, etc (major web properties) use this list to notify any of its users that one or more of their devices have been compromised and point them to a how to guide for securing it."
I am not sure I want FB and Google policing the internet. They have enough power as it is. This would set a bad precedent.
Imagine if all those IP cameras, routers, NAT boxes and what-have-you had been designed with one simple policy: the internet port doesn't work until the user sets a password.
Even very lame passwords might be expected to reduce the effectiveness of this attack approach by an order of magnitude or two.
Most modem/routers that ISPs give you come with a password that is defaulted to something random - different for every device - and a sticker with that password somewhere on the physical device.
That seems like the best solution. Now we just need to enforce that as a standard with internet connected devices.
Haha, yes. Except when the password isn't random. The biggest ISP in Norway delivered multimodems with seemingly random SSID and password. That worked fine, until someone figured out that the password were derived from the SSID with an algorithm (Or something along those tracks, I can't remember the specifics). Now we had thousands upon thousands of basically free wifi hotspots!
After a period of time of coming out of the box and set to open, followed by predictable passwords, followed by a lack of rate limiting on WPS and vulnerable TR-06 setups and the always present mistakes in router firmware allowing remote exploits.
Now if only we could get a standard router manufactures to stick to :-P
Sadly I can see IoT having to go though the same slow learning curve.
I was just saying to a friend yesterday that this would be a great policy. I think it would go a long way.
But the problem remains that these devices, more often than not just don't get updated. So in a year or two, there will probably be a handful of exploitable issues that won't ever get patched...
How many Windows users are using a pirated version of their operating system that gets no updates? How many of those using the genuine version ignore/disabled it? How many update their anti-virus? Custom ROM users? How many Ubuntu users ignore the updates? ...
Or ship every new device with a different randomly generated 10+ character password and writing it on the device's label just like the MAC address. I agree you would need physical access to the device to gain access to it but you can always change the password to avoid this. There are vendors that already do this with the WiFi key.
If routers weren't such a crapshot security wise as well, they'd be a great integration point.
Most better routers nowadays can already isolate devices from the internet/whitelist specific domains (family filter functions) and offer VPNs from the outside. From a technology perspective that's most of the pieces you need. Make a better UPnP implementation with user confirmation, make it easier to configure and everybody can get their devices nicely isolated-but-accessible.
This would be a nice improvement, but as others point out, more flaws will exist and be exploited.
Really this is about incentives: manufactures and users have little incentive to worry about security if the losers are third-party the targets of a DDOS.
Things will only improve when there is liability: either the manufacturers or the users get fined when their stuff becomes an attack vector. Fining users will probably never be politically possible, but I suspect it would be the better option.
It's understood that the recent DDOS attack on Dyn via the Mirai bonet was entirely made of up IoT devices with just 62 default passwords https://news.ycombinator.com/item?id=12766950
You can imagine why that's a non-starter. You'd be locking millions of people out of their Internet access with no workable way for them to get it back.
Just imagine how many scammers would pop up to 'secure' things for people locked offline.
What's most concerning to me is that as hackers get more sophisticated with regards to tech, the US judicial system isn't and this is providing a lot of low hanging fruit for said hackers to use draconian laws like the Computer Fraud Act against innocent Americans by pwning their PC's and utilizing torrenting against them.
I have a friend that is pretty much being persecuted by the state of Oklahoma for this very thing right now because the DA, OSBI (oklahoma state bureau of investigations.) and defense attorneys didn't understand how somebody can coincidentally be innocent of the illegal torrenting that appears to being going on from their IP, albeit said activity being totally unbeknownst to them.
My experience from talking with non-techies suggests that they'll never understand the problem is the lack of security in their devices & network. All they do is act victim and get enraged about hackers. The thought that they should demand security from the companies who sold them the vulnerable devices doesn't cross their mind, and if try to sell them such an idea, they will protest and call for justice on the principle that it is the hackers who are being criminal and it's not the victim's or his devices' responsibility to keep themselves safe. Just as they don't expect to have to live in a bunker with inpenetrable locks to stay reasonably safe from burglary.
Many locks in real life are symbolic. Interior doors for instance are hollow and can be breached with no trouble. They serve mostly to keep the law-abiding from snooping casually, and to provide evidence of theft (forced entry).
A pity we can't have digital locks that 'break' when used, leaving some fingerprint from the perpretrator.
Stretching a bit the burglary analogy you could put it like: "imagine a guy selling you a door lock that can be opened by anyone and then you use it to lock a shootgun, can you shift all the blame to the guy who just took it an shoot your neighbor?"
It's kinda silly to make a dry run like that, because people in charge of the attacked systems will harden them and the attack is much less likely to work next time.
Not at all the case with IoT. See Bruce Schneier's recent article on the matter, where he makes the case that government regulation is the only feasible remedy at this point, as "The market can't fix this because neither the buyer nor the seller cares." [1].
I meant the servers being attacked. The owners of them definitely care.
As for the IoT, the appliances could have their firmware in ROM instead of flash. Then, the malmare would not survive a reboot. Many customers are large scale enough (Microsoft, Google, governments, etc.) that they can demand it of vendors and vendors will deliver. Really, how often do you desire to update the firmware on your hard drive, your USB stick, etc.?
(Another way to do it is to have the write-enable line controlled by a physical switch or jumper.)
The only thing I can figure is everyone has forgotten what ROM is.
Why? The rest of your comment doesn't address that.
>See Bruce Schneier's recent article on the matter, where he makes the case that government regulation is the only feasible remedy at this point
He also doesn't explain why. He literally writes:
>>In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.
Why does it demonstrate that? "Neither the seller nor the buyer care" can also be applied to traditional botnets using computers - if the botnet is clever enough to not make any noise. He "justifies" the "sellers don't care" part with:
>>they're now selling newer and better models, and the original buyers only cared about price and features.
... again the same for smartphones or laptops. And furthermore, what regulation he proposes to solve this? I mean, he presents the issue as being:
>>The security of our computers and phones also comes from the fact that we replace them regularly. We buy new laptops every few years. We get new phones even more frequently. This isn't true for all of the embedded IoT systems. They last for years, even decades. We might buy a new DVR every five or ten years. We replace our refrigerator every 25 years. We replace our thermostat approximately never.
Would he suggest that the companies selling these devices be obliged to push security patches? The same companies that he wrote could not even afford testing?:
>>Companies like Microsoft, Apple, and Google spend a lot of time testing their code before it's released, and quickly patch vulnerabilities when they're discovered. Those companies can support such teams because those companies make a huge amount of money, either directly or indirectly, from their software -- and, in part, compete on its security. This isn't true of embedded systems like digital video recorders or home routers.
...
I have read "government is the only solution" at least 6 times in that short article, without exaggeration. Looks a lot like fearmongering and propaganda to me.
Readit News
Probably these attacks would not be possible if all the money put into governmental surveillance activities would have been invested in building a secure and resilient internet.
This attack is the logical answer to the governmental attacks on all networked infrastructure.
The root cause for these problems is a primitive way of thinking that is a wrong recipe for the path humanity has to take to not destroy itself.
Competition, dominance, control, surveillance, fear vs. cooperation, consistency, trust, freedom, love.
This is not about ethics or morality. It is about the fact that this way of primitive thinking just does not work - it is a stupid recipe for complicated problems and just fails.
Neanderthalers that like to imprison themselves into hierarchies and dominate the whole world should be put into mental hospitals, but never into governmental institutions or positions.
We must stop the domination and hierarchy adoring primitives with their non-working and self-destroying ideas to find an appropriate way to prepare for the future and its challenges.
An important first step is to put the military dog back on the chain and show it the place where it belongs to and never ever allow it to infiltrate politics.
Military solutions must only be the last step of self-defense that we need to use when all politics failed.
A society that allows military thinking to penetrate or even dominate political ideas will be destroyed in the long run, as destruction is the only solution that militarism knows.
Again this is not about ethics or morality, it is about logic. If you throw a stone into water, it will make waves.
Second off, the government didnt force all devices to be vulnerable. "Agile" development practices which we trust so much are what led us here. Build first, worry about security later. The fact that a persons information is valuable to the creator of these devices and they provide a direct gateway so they could be accessed by a third party. And the fact that consumers ignore any possible issues that may arise because they see the benefits.
You talk about logic, well logically we wouldnt have computers or any of this if it wasnt for competition abd the desire to evolve. And logically trust and freedom allowed these vulnerabilities to ho unchecked because the software is not open source and companies are free to do whatever they want since its up to the consumer to judge whether its worth it or not.
I understand why you want to make this political and pro-love because arguably any problem can be answered by pro-love. But logically, you should think before you dpeak and attempt to frame your argument with a consistant locigal tree than start blaring out hatred for the capitalist system
Hardly. It's not like everyone stopped caring about security once they moved to Agile flows. The industry never cared about security.
This last attack on Dyn appears to be Mirai again, so devices with unchangeable default username/password combinations. The same poor practices that have existed since there were engineering practices at all.
Ship a product now (before your competitor), get EMA; or spend many extra months pentesting and laboriously auditing your code OpenBSD-style.
It's much easier to win the market first and then go on PR damage control the next time there's a security incident, pointing the blame on those "evil hackers" while your software has more holes than Swiss cheese.
Meanwhile, as an engineer, it's much easier to appease upper management and meet your deadlines (set artificially close by people who don't understand the development process) by writing unsecure code, shipping, and then if something happens, talking your way out of said responsibility.
Meanwhile, you're stressed out because of how impossibly unrealistic the deadlines are, and so you're making more mistakes; maybe you're also running off solely caffeine and three hours of sleep the night before while on the trajectory towards burn-out because you're putting in so many hours.
We've had some pretty nasty hacks in recent years, and with the National Security Agency that takes the public's money and actively makes our systems less secure, they're sure not helping our problems...
You seem to be under the impression that military largely controls the politics and that's why there are wars. It's not true, at least not in western democracies. Most wars start when they are popular (and they are made popular by career politicians and not military) and end very soon after becoming unpopular (and the military can't do anything about it).
> Military solutions must only be the last step of self-defense that we need to use when all politics failed.
That's a nice thing to say but politics fails all the time. In fact, politics fails way more often than military is used - in most cases, the solution for politics failing is just sigh and wait until maybe something changes, military is used in rare occasion where it's politically feasible and seems to be achievable by military.
Deleted Comment
- If you don't have a very well defined need for a short DNS time to live, set your time to live to a large value, perhaps a day. Then, as long as someone can get at least one DNS request through, they can reach your site all day. (Ycombinator.com, why do you have a TTL of 12 seconds?.)
- Get multiple DNS services now. Not just two. Get four or five, some of which are not widely used.
Those two things will probably get you through future DNS attacks.
You either meant to say 60 seconds, or forgot to factor your local caching DNS resolver in. Here:
That said, 60 seconds is still ridiculously low.Why is this not a default feature by DNS providers themselves?
I always assumed they act as slave copies for each other to avoid this kind of situations
The only problem is this seems be a tough one to get right config-wise and I just haven't had time to figure it out.
Anybody know of any good tutorials for this specific use case? I've googled it a few times and they never seem too easy.
If you set a long DNS TTL, then you will not be able to move your IP addresses quick enough. In the DDoS world, you may need to nullroute an HTTP server IP. If you do that, you assume you can point the DNS to another, not-nulled IP. For this reason, keeping the DNS TTL to low values will make you more resilient.
Multiple DNS providers is probably a good advice, although hard to do in practice. The api's of different vendors don't always match. (cname flattening? geo-routing?). Also a real big attack will just likely take down all your providers. Using multiple providers may well _decrease_ the stability of the internet at large.
DDoS against DNS is not trivial problem. As sad as it may be, I'd say we must just assume DNS infrastructure in the world works. If it stops, then, many users will be affected.
Is this as simple as setting up the same records on multiple providers and updating your nameservers to point to the different providers? Or is there more involved?
Are there any providers which will replicate records from your 'master' provider, or is this going to be manual?
But I guess this excludes many of the popular DNS services that are used today.
You just need a primary DNS vendor which supports AXFR, such as DNS Park (https://www.dnspark.com/).
IIRC, bind has multiple built-in methods of keeping zone files synchronised between boxes.
- Put up a caching DNS server on your local network to keep your regular sites functioning.
My thinking is that the only way to stop this is to get users to lock down their insecure devices.
A constant banner would annoy most people to action. Especially if it was really easy to issue a fix. Download and run. Script determines the actual device causing the harm and patches it. Possibly asking for a new password from user. I guess this assumes that a script could be written to issue a patch for the majority of cases. If not, then how is this device connected? Script could detect router and apply fix at that point.
So we need:
1. IP addresses for the sources of the attack load.
2. A way to distribute patches for those IP addresses.
I propose:
1. Those suffering the attacks can provide this.
2. Notify users via websites coordinating on displaying an alert with tools to patch.
Alternative solution to #2:
Can some part of the ISPs that connect these IPs be patched to detect and block malicious attacks?
Back in the day, the Internet was far simpler, with far less bullshit. If your IP was spewing crap, you would hear about it. And you either resolved the problem, or got null-routed.
The Internet is far^N larger and more complex, for sure. But accountability still has a place, I think.
I wonder if Dyn will at least release a heat map of source IPs.
I guess that wouldn't make your customers super happy, but it would probably be effective.
">THEN google, Facebook, Twitter, etc (major web properties) use this list to notify any of its users that one or more of their devices have been compromised and point them to a how to guide for securing it."
I am not sure I want FB and Google policing the internet. They have enough power as it is. This would set a bad precedent.
Even very lame passwords might be expected to reduce the effectiveness of this attack approach by an order of magnitude or two.
That seems like the best solution. Now we just need to enforce that as a standard with internet connected devices.
Now if only we could get a standard router manufactures to stick to :-P
Sadly I can see IoT having to go though the same slow learning curve.
But the problem remains that these devices, more often than not just don't get updated. So in a year or two, there will probably be a handful of exploitable issues that won't ever get patched...
Deleted Comment
Most better routers nowadays can already isolate devices from the internet/whitelist specific domains (family filter functions) and offer VPNs from the outside. From a technology perspective that's most of the pieces you need. Make a better UPnP implementation with user confirmation, make it easier to configure and everybody can get their devices nicely isolated-but-accessible.
Really this is about incentives: manufactures and users have little incentive to worry about security if the losers are third-party the targets of a DDOS.
Things will only improve when there is liability: either the manufacturers or the users get fined when their stuff becomes an attack vector. Fining users will probably never be politically possible, but I suspect it would be the better option.
Just imagine how many scammers would pop up to 'secure' things for people locked offline.
Hacking a webcam would no longer lead to the ability to ddos websites, it would be a direct and total shutdown of the domestic internet supply.
There is already https://twitter.com/internetofshit of course. But that is more whimsy and fun "Oh look my toaster is tweeting, that's silly".
This attack is more like "Oh-oh, my toaster killed Twitter".
So even though as a thing IoT is here to stay, I think the phrase itself will sound negative and will be avoided.
I have a friend that is pretty much being persecuted by the state of Oklahoma for this very thing right now because the DA, OSBI (oklahoma state bureau of investigations.) and defense attorneys didn't understand how somebody can coincidentally be innocent of the illegal torrenting that appears to being going on from their IP, albeit said activity being totally unbeknownst to them.
A pity we can't have digital locks that 'break' when used, leaving some fingerprint from the perpretrator.
EDIT: this is the only realistic way of securing the devices.
[1] https://www.schneier.com/blog/archives/2016/10/security_econ...
As for the IoT, the appliances could have their firmware in ROM instead of flash. Then, the malmare would not survive a reboot. Many customers are large scale enough (Microsoft, Google, governments, etc.) that they can demand it of vendors and vendors will deliver. Really, how often do you desire to update the firmware on your hard drive, your USB stick, etc.?
(Another way to do it is to have the write-enable line controlled by a physical switch or jumper.)
The only thing I can figure is everyone has forgotten what ROM is.
Deleted Comment
Why? The rest of your comment doesn't address that.
>See Bruce Schneier's recent article on the matter, where he makes the case that government regulation is the only feasible remedy at this point
He also doesn't explain why. He literally writes:
>>In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.
Why does it demonstrate that? "Neither the seller nor the buyer care" can also be applied to traditional botnets using computers - if the botnet is clever enough to not make any noise. He "justifies" the "sellers don't care" part with:
>>they're now selling newer and better models, and the original buyers only cared about price and features.
... again the same for smartphones or laptops. And furthermore, what regulation he proposes to solve this? I mean, he presents the issue as being:
>>The security of our computers and phones also comes from the fact that we replace them regularly. We buy new laptops every few years. We get new phones even more frequently. This isn't true for all of the embedded IoT systems. They last for years, even decades. We might buy a new DVR every five or ten years. We replace our refrigerator every 25 years. We replace our thermostat approximately never.
Would he suggest that the companies selling these devices be obliged to push security patches? The same companies that he wrote could not even afford testing?:
>>Companies like Microsoft, Apple, and Google spend a lot of time testing their code before it's released, and quickly patch vulnerabilities when they're discovered. Those companies can support such teams because those companies make a huge amount of money, either directly or indirectly, from their software -- and, in part, compete on its security. This isn't true of embedded systems like digital video recorders or home routers.
...
I have read "government is the only solution" at least 6 times in that short article, without exaggeration. Looks a lot like fearmongering and propaganda to me.
Deleted Comment