On Sun, Sep 25, 2016 at 12:11 AM, Steve Kinney <admin@pilobilus.net> wrote:
Maybe I'm going all Chicken Little here, maybe not. But I think this development may be the closest thing to an Internet Armageddon we are likely to see in our lifetimes.
http://arstechnica.com/security/2016/09/why-the-silencing-of-krebsonsecu rity-opens-a-troubling-chapter-for-the-net/
=or=
How does thee patch that which is Unpatchable? DDOS now includes the death of a million ankle biters: Not just unpatchable, but massively distributed, with a continuing profit motive and no liability for the manufacturers, paid for and plugged in by hundreds of millions of "regular folks" throughout the so-called Developed Nations.
So far every mitigation strategy relevant to "normal" users and use cases that occurs to me would be worse than the original problem.
The problem is that there's too much money to be made off of exploiting these holes TODAY, so it's very unlikely this huge vulnerability is going to be silently and slowly deployed and then suddenly mass-exploited, leading to some IoT-ageddon. There will almost certainly be some large happenings along the way, but those will in turn lead to the development of mitigation strategies, improvements in security, etc. Ironically, this is an advantage of Internet-dependent devices like Nest, Echo, etc: they get updated directly, so the patch problem is solved, though that just moves the problem around a bit. We need to not be deploying devices that can't be patched except in very special cases.