Krebs <3's The IoT
-
Now the question is, will they see an better cost savings in shutting down connections that have bad traffic spewing on it? Probably not. They probably don't actually monitor much of that traffic directly, so they themselves don't know what it is, so they would have to start monitoring that - and that would cost money. And then they would have a HUGE uptick in customer service calls - massive cost increases.
Yeah it's unlikely they would ever voluntarily do this.
-
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
It was probably health insurers.
Exactly my point @scottalanmiller. It was never the consumers until something else forced it.
Volvo super markets safety now. They did not always.
THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.
Yes, but you were
brainwashedtold that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.I can't dispute that. I have no conscious memory of that happening, but I suppose it likely did. But safety education across the board is important and everyone should have it. But like anything, consumers should demand that from the government
-
@Dashrender said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
Realistically, the best option might just be holding people accountable for breaches caused by lax security.
OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.
I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.
If that was going to happen, it should be government mandated, again. ISPs should not be in a position of making "judgment calls" on those sorts of things. That's the wrong way to go. That paves the way for ISPs to make some pretty broad claims about what is and isn't malicious traffic.
-
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
It was probably health insurers.
Exactly my point @scottalanmiller. It was never the consumers until something else forced it.
Volvo super markets safety now. They did not always.
THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.
Yes, but you were
brainwashedtold that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.I can't dispute that. I have no conscious memory of that happening, but I suppose it likely did. But safety education across the board is important and everyone should have it. But like anything, consumers should demand that from the government
Safety education across the board is important. However, those that ignore what they are taught about safety should be naturally selected for removal from the gene pool.
I'm not sure that safety education from the government is a great idea when you look at the public education system these days. Sadly, I don't have a better idea for how to teach safety, aside from involvement in the lives of the people you care about.
-
ISPs are the wrong place to look. Think about this... if an ISP cuts off malicious traffic correctly, they mostly just help someone that isn't likely their customer with no benefit to themselves. If they cut something off as a false positive, they take on liability and risk and hurt their real customers.
There is effectively no incentive for an ISP to block bad traffic and a bit of incentive for them to allow whatever people decide to put on the wire.
-
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
Realistically, the best option might just be holding people accountable for breaches caused by lax security.
OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.
I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.
If that was going to happen, it should be government mandated, again. ISPs should not be in a position of making "judgment calls" on those sorts of things. That's the wrong way to go. That paves the way for ISPs to make some pretty broad claims about what is and isn't malicious traffic.
of course, like Comcast basically killing most if not all Torrent traffic.
-
@JaredBusch said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
Realistically, the best option might just be holding people accountable for breaches caused by lax security.
OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.
I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.
They do at a minor level but only because it cost them money. Many residential ISPs block outbound port 25 to prevent basic spam bots. It was pretty useless, but they did it.
That's one that they mostly did to reduce their traffic loads. I don't believe that it was actually about SPAM bots but trying to encourage lock in to ISP based email services.
-
@Dashrender said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
Realistically, the best option might just be holding people accountable for breaches caused by lax security.
OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.
I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.
They do at a minor level but only because it cost them money. Many residential ISPs block outbound port 25 to prevent basic spam bots. It was pretty useless, but they did it.
I recall they cut this off long before spam bots were a real problem. I saw them doing this because they wanted businesses to use business priced connections instead of consumer ones. Sure still comes down to a money reason though.
Exactly. It predated the spam bots.
-
@dafyre said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
It was probably health insurers.
Exactly my point @scottalanmiller. It was never the consumers until something else forced it.
Volvo super markets safety now. They did not always.
THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.
Yes, but you were
brainwashedtold that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.I can't dispute that. I have no conscious memory of that happening, but I suppose it likely did. But safety education across the board is important and everyone should have it. But like anything, consumers should demand that from the government
Safety education across the board is important. However, those that ignore what they are taught about safety should be naturally selected for removal from the gene pool.
I'm not sure that safety education from the government is a great idea when you look at the public education system these days. Sadly, I don't have a better idea for how to teach safety, aside from involvement in the lives of the people you care about.
Do we really want to teach safety though? Do we want/need more people in the gene pool? I know this is pragmatic to consider that we need a culling, but...
-
@Dashrender said in Krebs <3's The IoT:
Now the question is, will they see an better cost savings in shutting down connections that have bad traffic spewing on it? Probably not. They probably don't actually monitor much of that traffic directly, so they themselves don't know what it is, so they would have to start monitoring that - and that would cost money. And then they would have a HUGE uptick in customer service calls - massive cost increases.
Yeah it's unlikely they would ever voluntarily do this.
And unlikely that they should do it, it's just not their place to determine what is and is not malicious. And IoT end points are impossible to identify. How would an ISP know that something is a source of malicious traffic versus just sending out normal data?
-
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
Now the question is, will they see an better cost savings in shutting down connections that have bad traffic spewing on it? Probably not. They probably don't actually monitor much of that traffic directly, so they themselves don't know what it is, so they would have to start monitoring that - and that would cost money. And then they would have a HUGE uptick in customer service calls - massive cost increases.
Yeah it's unlikely they would ever voluntarily do this.
And unlikely that they should do it, it's just not their place to determine what is and is not malicious. And IoT end points are impossible to identify. How would an ISP know that something is a source of malicious traffic versus just sending out normal data?
It's definitely a slippery slope. But really - things like thousands or more pings or Syn flood, etc, these things are pretty obvious, but perhaps they're less used these days.
-
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
Interesting - The challenge is making people care.
Frankly I don't understand why the government got involved in forcing auto makers to make safer cars? Was it advocacy groups putting pressure on the government to make laws because the people clearly didn't care enough to demand it themselves?
It was probably health insurers.
Exactly my point @scottalanmiller. It was never the consumers until something else forced it.
Volvo super markets safety now. They did not always.
THere is some from the consumer side. We look at safety differences when buying cars. Mostly because we have kids, I didnt care much when it was just me. But safer cars get more attention from some part of the market.
Yes, but you were
brainwashedtold that car safety is important while growing up. It became part of your normal thanks to government forced education that car safety was important.I can't dispute that. I have no conscious memory of that happening, but I suppose it likely did. But safety education across the board is important and everyone should have it. But like anything, consumers should demand that from the government
Definitely not saying safety is not important. But in consumer products it was never a big thing until the government started pushing it for whatever reason.
In today's world, it is now ingrained in the 1st world human psyche and that is a good thing.
-
@scottalanmiller said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
@scottalanmiller said in Krebs <3's The IoT:
Realistically, the best option might just be holding people accountable for breaches caused by lax security.
OK I like that, but really that holding should be little more than your ISP will cut you off until you call them, they rescan your network (that they can see)/sample outbound traffic and make sure you've solve whatever reason they shut you off in the first place.
I don't understand why ISPs don't to that already? Is it because they too don't care about anything but the all mighty dollar? It's not like most consumers have a choice in what ISP they can use from home anyway.
They do at a minor level but only because it cost them money. Many residential ISPs block outbound port 25 to prevent basic spam bots. It was pretty useless, but they did it.
I recall they cut this off long before spam bots were a real problem. I saw them doing this because they wanted businesses to use business priced connections instead of consumer ones. Sure still comes down to a money reason though.
Exactly. It predated the spam bots.
Maybe some providers did it prior to spam bots, but I know for a fact (because I was on the helpdesk for AT&T when it was added) that AT&T added it as a standard block long after spam bots were common. They also added it on business grade services. Businesses had to call in and get the port block lifted to use their internal mail servers.
-
@JaredBusch said in Krebs <3's The IoT:
In today's world, it is now ingrained in the 1st world human psyche and that is a good thing.
It is? what makes you say that?
I'd say that when people see it stated somewhere they consider it good, even though they will put almost zero effort into confirming the stated facts. But if it's not in their face, people generally don't care.
Look at all the hacks around z wave and zigbee, yet vendors are still selling tons of those things. The only way you MIGHT stop people from buying them is if you put a label on them saying - these devices are not technically secure. hackers can easily hack into them and destroy your network/life/world, etc. But even then, would they really care? probably not, just look at cigarettes.
-
-
@Dashrender said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
In today's world, it is now ingrained in the 1st world human psyche and that is a good thing.
It is? what makes you say that?
I'd say that when people see it stated somewhere they consider it good, even though they will put almost zero effort into confirming the stated facts. But if it's not in their face, people generally don't care.
Look at all the hacks around z wave and zigbee, yet vendors are still selling tons of those things. The only way you MIGHT stop people from buying them is if you put a label on them saying - these devices are not technically secure. hackers can easily hack into them and destroy your network/life/world, etc. But even then, would they really care? probably not, just look at cigarettes.
Car safety as important is most certainly ingrained now. It took generations though.
Cigarettes are supported by the government. or they would be gone.
-
Well JB and I are having an offline conversation - he says that some ISPs (AT&T for sure he worked there and saw this problem first hand) were/are blocking outbound port 25.
Cox has blocked (and I believe still does) inbound port 25 on consumer lines for ages, but they've never blocked port 25 in my service areas that I'm aware of.
As mentioned, when we say inbound blocking happening, it was to prevent consumers from hosting their own email server.
Mass blocking of outbound port 25 would break to much stuff to see it in mass use. I'm amazed customers didn't freak out on AT&T over that.
-
@JaredBusch said in Krebs <3's The IoT:
@Dashrender said in Krebs <3's The IoT:
@JaredBusch said in Krebs <3's The IoT:
In today's world, it is now ingrained in the 1st world human psyche and that is a good thing.
It is? what makes you say that?
I'd say that when people see it stated somewhere they consider it good, even though they will put almost zero effort into confirming the stated facts. But if it's not in their face, people generally don't care.
Look at all the hacks around z wave and zigbee, yet vendors are still selling tons of those things. The only way you MIGHT stop people from buying them is if you put a label on them saying - these devices are not technically secure. hackers can easily hack into them and destroy your network/life/world, etc. But even then, would they really care? probably not, just look at cigarettes.
Car safety as important is most certainly ingrained now. It took generations though.
Cigarettes are supported by the government. or they would be gone.
Right, one is about "preventing accidents." There is no product causing danger with cars, it's just stopping people from killing themselves and, keeping people alive and healthy on its own benefits the government.
Cigarettes are big business, it's a product that generates tons and tons of revenue. So not comparable to just "bad things happening."
The government would love to just stop shark attacks, bathtub electrocutions, falling down stairs, etc.
-
@Dashrender said in Krebs <3's The IoT:
Well JB and I are having an offline conversation - he says that some ISPs (AT&T for sure he worked there and saw this problem first hand) were/are blocking outbound port 25.
Cox has blocked (and I believe still does) inbound port 25 on consumer lines for ages, but they've never blocked port 25 in my service areas that I'm aware of.
As mentioned, when we say inbound blocking happening, it was to prevent consumers from hosting their own email server.
Mass blocking of outbound port 25 would break to much stuff to see it in mass use. I'm amazed customers didn't freak out on AT&T over that.
It's something like half of all carriers. I work around the country and port 25 blocking is super common. Not at all universal, but very common.
-
I don't know how many things blocking port 25 would break for consumers. No consumer device made for the last two decades has been able to assume working port 25, so what device would require that?