I did make an argument, you just missed it. In most subcultures the thing your doing is the goal, therefor the actions themselves are meaningful (at least according to the participant). Since this isn't the case here, but more of a "the ends justify the means" situation, you have to argue that it actually does. The point isn't that there are other ways, which you incorrectly choose to focus on, but that you have to justify how these actions are appropriate both in themselves and relative to other actions.
> You made a false claim that there were other methods that work and/or an implication that there wasn't much effort on doing that.
As far as I know there isn't much effort going on. This is of course subjective, yet you haven't provided a real example of what you think is a substantial effort that should have lead to results.
> Programmers, support people, architects, tech managers, security experts, and so on have failed to do what you suggested because of greed and apathy of manufacturers.
Plenty of manufacturers make secure or at least not obviously insecure devices.
> They write about it all the time on blogs, esp basic QA. They write about it here, too.
The embedded ecosystem, especially in other countries, aren't going to see those blogs nor be able to act on it. They aren't ignored so much as not considered.
> People in the military invented computer security. They taught me.
I bet I have more military experience than you. The military operates in a different environment and different considerations than civilian infrastructure or products. Most civilian security researcher don't have formal training, yet frequently use terms like OPSEC without actually having an understanding what it means. Because if they did they would know that it to a large degree isn't transferable.
> Meanwhile, nobody is doing anything at any level, you can't convince businesses to do anything in general case, and so a vigilante breaching defective, damaging stuff might be only progress we can get in meanwhile. Reduces risk and decreases demand for garbage products. Vendors might get message like Microsoft did leading to their 180 in security.
This is just your opinion. If this how you do security work I'm not surprised you feel ignored.
The thing is I do have a number of suggestions on "other ways" to improve and/or promote IoT security. I see no point whatsoever mentioning them here though.
I did make an argument, you just missed it. In most subcultures the thing your doing is the goal, therefor the actions themselves are meaningful (at least according to the participant). Since this isn't the case here, but more of a "the ends justify the means" situation, you have to argue that it actually does. The point isn't that there are other ways, which you incorrectly choose to focus on, but that you have to justify how these actions are appropriate both in themselves and relative to other actions.
> You made a false claim that there were other methods that work and/or an implication that there wasn't much effort on doing that.
As far as I know there isn't much effort going on. This is of course subjective, yet you haven't provided a real example of what you think is a substantial effort that should have lead to results.
> Programmers, support people, architects, tech managers, security experts, and so on have failed to do what you suggested because of greed and apathy of manufacturers.
Plenty of manufacturers make secure or at least not obviously insecure devices.
> They write about it all the time on blogs, esp basic QA. They write about it here, too.
The embedded ecosystem, especially in other countries, aren't going to see those blogs nor be able to act on it. They aren't ignored so much as not considered.
> People in the military invented computer security. They taught me.
I bet I have more military experience than you. The military operates in a different environment and different considerations than civilian infrastructure or products. Most civilian security researcher don't have formal training, yet frequently use terms like OPSEC without actually having an understanding what it means. Because if they did they would know that it to a large degree isn't transferable.
> Meanwhile, nobody is doing anything at any level, you can't convince businesses to do anything in general case, and so a vigilante breaching defective, damaging stuff might be only progress we can get in meanwhile. Reduces risk and decreases demand for garbage products. Vendors might get message like Microsoft did leading to their 180 in security.
This is just your opinion. If this how you do security work I'm not surprised you feel ignored.
The thing is I do have a number of suggestions on "other ways" to improve and/or promote IoT security. I see no point whatsoever mentioning them here though.