Hi Marco,

I don’t think it’s RIPE’s and this working group’s purpose to get into the name & shame game. In my opinion we should define technical solutions that can be applied to address the security issues introduced by insecure devices. Ideally such solutions would affect the device operations in a way (i.e. initially limiting & denying cloud access) that forces vendors to react - I’m not very enthusiastic about this but it’s a possibility… and would require wide adoption of the related technologies.

- Peter
On 10.10.2018 at 13:35, Marco Hogewoning <marcoh@ripe.net> wrote:
On 10 Oct 2018, at 13:21, Peter Steinhäuser <ps@embedd.com> wrote:
Naming & Shaming can raise awareness but is unlikely to help a lot in solving the issue in general. I think we have to live with the fact that there are many vendors that don’t care about security as long as it does not affect their revenue stream.
Think is partially a question on who you shame them to and which name you use.
Reputation could be made into one of the drivers for consumers, but I fear that the real problematic space is with the low cost generic OEM items that get branded and sold in a million different varieties.
Industry itself might be easier, but also probably far less of a problem area to begin with. Also because there appears to be a bit more awareness growing with regards to risk and compliance with (existing) regulations.
And then of course there is the risk of naming & shaming itself. Things might backfire in that you actually trigger policy measures that also have impact on “the good ones” or, given the stakes are quite high and lots of money gets put in these “solutions”, there will be legal pressure on the messenger. Especially if you aim to address end users and the retail market places.
How hard would you need to push to get a product out of the market this way? And what if you succeed?
Also not sure how RIPE would fit in this picture. You could of course position the community as a place to collect issues and verify them by means of discussion, but would that be something this Working Group would be willing to engage in?
MarcoH (RIPE NCC, but in this case just thinking out loud)

_______________________________________________
iot-wg mailing list
iot-wg@ripe.net
https://lists.ripe.net/mailman/listinfo/iot-wg
Peter Steinhäuser, CEO embeDD GmbH · Alter Postplatz 2 · 6370 Stans · Switzerland Phone: +41 (41) 784 95 85 · Fax: +41 (41) 784 95 64