On 10 Oct 2018, at 13:21, Peter Steinhäuser <ps@embedd.com> wrote:
Naming & Shaming can raise awareness but is unlikely to help a lot in solving the issue in general. I think we have to live with the fact that there are many vendors that don’t care about security as long as it does not affect their revenue stream.

Think it is partially a question of who you shame them to and which name you use. Reputation could be made into one of the drivers for consumers, but I fear that the real problematic space is with the low cost generic OEM items that get branded and sold in a million different varieties. Industry itself might be easier, but also probably far less of a problem area to begin with. Also because there appears to be a bit more awareness growing with regard to risk and compliance with (existing) regulations.

And then of course there is the risk of naming & shaming itself. Things might backfire in that you actually trigger policy measures that also have an impact on “the good ones” or, given the stakes are quite high and lots of money gets put in these “solutions”, there will be legal pressure on the messenger. Especially if you aim to address end users and the retail market places. How hard would you need to push to get a product out of the market this way? And what if you succeed?

Also not sure how RIPE would fit in this picture. You could of course position the community as a place to collect issues and verify them by means of discussion, but would that be something this Working Group would be willing to engage in?

MarcoH
(RIPE NCC, but in this case just thinking out loud)