You didn't make an argument. You made a false claim that there were other methods that work and/or an implication that there wasn't much effort on doing that. All kinds of people have spent decades doing that. They get ignored.
"Why is it at all relevant what I've done and especially since when you don't say what you've done?"
"I haven't seen much convincing being done."
Programmers, support people, architects, tech managers, security experts, and so on have failed to do what you suggested because of greed and apathy of manufacturers. They write about it all the time on blogs, esp basic QA. They write about it here, too. I asked what you had done since you might have seen people successful at convincing greedy, hardware manufacturers at doing security at a loss. We obviously haven't.
""INFOSEC" (all caps of course because we want to be cool like the military)"
People in the military invented computer security. They taught me. Don't get excited because they called it "COMPUSEC" to differentiate between it and "COMSEC." CompSci and business called it information security w/ INFOSEC being a short-hand. Later, many in business started calling it IT Security or ITSEC. It's a business term that people from high-security, regulated backgrounds, some civilians, and military all use these days. We speak differently to laypersons in management or policy-making vs how we talk to HN techies. Nice try at trolling, red herring, though.
"Yes, you're still not making an argument why these actions would in any way would be a effective way to regulation."
I just told you regulations on information security were passed that worked and led to secure devices hitting the market. It happened twice at least. Obviously, that means there's a good chance regulating in a similar way with modern knowledge would do the same thing again. Meanwhile, nobody is doing anything at any level, you can't convince businesses to do anything in general case, and so a vigilante breaching defective, damaging stuff might be only progress we can get in meanwhile. Reduces risk and decreases demand for garbage products. Vendors might get message like Microsoft did leading to their 180 in security.
I did make an argument, you just missed it. In most subcultures the thing you're doing is the goal, therefore the actions themselves are meaningful (at least according to the participant). Since this isn't the case here, but more of a "the ends justify the means" situation, you have to argue that it actually does. The point isn't that there are other ways, which you incorrectly choose to focus on, but that you have to justify how these actions are appropriate both in themselves and relative to other actions.
> You made a false claim that there were other methods that work and/or an implication that there wasn't much effort on doing that.
As far as I know there isn't much effort going on. This is of course subjective, yet you haven't provided a real example of what you think is a substantial effort that should have led to results.
> Programmers, support people, architects, tech managers, security experts, and so on have failed to do what you suggested because of greed and apathy of manufacturers.
Plenty of manufacturers make secure or at least not obviously insecure devices.
> They write about it all the time on blogs, esp basic QA. They write about it here, too.
The embedded ecosystem, especially in other countries, isn't going to see those blogs nor be able to act on it. They aren't ignored so much as not considered.
> People in the military invented computer security. They taught me.
I bet I have more military experience than you. The military operates in a different environment and with different considerations than civilian infrastructure or products. Most civilian security researchers don't have formal training, yet frequently use terms like OPSEC without actually having an understanding of what it means. Because if they did they would know that it to a large degree isn't transferable.
> Meanwhile, nobody is doing anything at any level, you can't convince businesses to do anything in general case, and so a vigilante breaching defective, damaging stuff might be only progress we can get in meanwhile. Reduces risk and decreases demand for garbage products. Vendors might get message like Microsoft did leading to their 180 in security.
This is just your opinion. If this is how you do security work I'm not surprised you feel ignored.
The thing is I do have a number of suggestions on "other ways" to improve and/or promote IoT security. I see no point whatsoever mentioning them here though.