"I don't really see in this case how they (or mostly anyone) is unable to improve IoT (or general) security through other means"

Really? How about you show me the evidence that people are... through "other means"... improving IOT security of these devices enough that DDOS isn't a big problem any more. I'd love to hear what you've done to convince all the vendors to focus on secure devices instead of profit when targeting markets that will deliver profit regardless of security. Most of us in INFOSEC haven't been able to convince much past a subset of software and hardware developers to focus on improving security.

The only time vendors ever delivered secure or safe solutions was when sound regulations were forced on them with a requirement they were followed before a purchase was made. That was TCSEC and DO-178B respectively.



That's true.

Although I wonder: why didn't someone with deep security expertise, maybe ARM with its mbed, create something developers can't harm, and on the other hand, issue a product label saying: "this is protected by our stack..."?

I could see that being attractive to some b2b buyers, attracting devs, further strengthening the value of said label, increasing marketshare and reducing costs, and creating a positive feedback.


They did. It's mostly bs, though, since they cut corners too or can't impact the software lifecycle enough. Few people trust those labels. It could still be done, though, in a way along the lines of Underwriters Laboratories and Consumer Reports with private evaluations.


Shouldn't the vigilantes try to DDOS the IoT vendor websites with their own devices (poetic justice) instead of what the bricker guy is doing? That way it seems the message he's sending would be as direct and unambiguous as it gets.


Attacks on the vendors are another good option if there's a low number of vendors. The DDOS idea has a weakness where they might barely be effective if sold through 3rd-party stores and ads.


[flagged]


"I've made my argument."

You didn't make an argument. You made a false claim that there were other methods that work and/or an implication that there wasn't much effort on doing that. All kinds of people have spent decades doing that. They get ignored.

"Why is it at all relevant what I've done and especially since when you don't say what you've done?"

"I haven't seen much convincing being done."

Programmers, support people, architects, tech managers, security experts, and so on have failed to do what you suggested because of greed and apathy of manufacturers. They write about it all the time on blogs, esp basic QA. They write about it here, too. I asked what you had done since you might have seen people successful at convincing greedy hardware manufacturers to do security at a loss. We obviously haven't.

""INFOSEC" (all caps of course because we want to be cool like the military)"

People in the military invented computer security. They taught me. Don't get excited because they called it "COMPUSEC" to differentiate between it and "COMSEC." CompSci and business called it information security w/ INFOSEC being a short-hand. Later, many in business started calling it IT Security or ITSEC. It's a business term that people from high-security, regulated backgrounds, some civilians, and military all use these days. We speak differently to laypersons in management or policy-making vs how we talk to HN techies. Nice try at trolling, red herring, though.

"Yes, you're still not making an argument why these actions would in any way be an effective way to regulation."

I just told you regulations on information security were passed that worked and led to secure devices hitting the market. It happened twice at least. Obviously, that means there's a good chance regulating in a similar way with modern knowledge would do the same thing again. Meanwhile, nobody is doing anything at any level, you can't convince businesses to do anything in the general case, and so a vigilante breaching defective, damaging stuff might be the only progress we can get in the meantime. Reduces risk and decreases demand for garbage products. Vendors might get the message like Microsoft did leading to their 180 in security.


> You didn't make an argument.

I did make an argument, you just missed it. In most subcultures the thing you're doing is the goal, therefore the actions themselves are meaningful (at least according to the participant). Since this isn't the case here, but more of a "the ends justify the means" situation, you have to argue that it actually does. The point isn't that there are other ways, which you incorrectly chose to focus on, but that you have to justify how these actions are appropriate both in themselves and relative to other actions.

> You made a false claim that there were other methods that work and/or an implication that there wasn't much effort on doing that.

As far as I know there isn't much effort going on. This is of course subjective, yet you haven't provided a real example of what you think is a substantial effort that should have led to results.

> Programmers, support people, architects, tech managers, security experts, and so on have failed to do what you suggested because of greed and apathy of manufacturers.

Plenty of manufacturers make secure or at least not obviously insecure devices.

> They write about it all the time on blogs, esp basic QA. They write about it here, too.

The embedded ecosystem, especially in other countries, isn't going to see those blogs nor be able to act on them. They aren't ignored so much as not considered.

> People in the military invented computer security. They taught me.

I bet I have more military experience than you. The military operates in a different environment with different considerations than civilian infrastructure or products. Most civilian security researchers don't have formal training, yet frequently use terms like OPSEC without actually having an understanding of what it means. Because if they did they would know that it to a large degree isn't transferable.

> Meanwhile, nobody is doing anything at any level, you can't convince businesses to do anything in general case, and so a vigilante breaching defective, damaging stuff might be only progress we can get in meanwhile. Reduces risk and decreases demand for garbage products. Vendors might get message like Microsoft did leading to their 180 in security.

This is just your opinion. If this is how you do security work I'm not surprised you feel ignored.

The thing is I do have a number of suggestions on "other ways" to improve and/or promote IoT security. I see no point whatsoever mentioning them here though.
