On 21 Oct 2018, at 11:40, Peter Steinhäuser <ps@embedd.com> wrote:
The question here to me seems what we want to achieve. I’m totally on your page in terms of data collection and privacy. But that’s to a large part the end user’s choice - even if I have to admit most of them simply don’t care, just look at the amount of data people share via Facebook: Happy social engineering!
Yes and no. I’d like to think that most people would be *far* more careful about their use of social media if they knew how their data were being exploited and/or thought about the long term consequences of that. Then again, users of social media are mostly idiots IMO. And that’s before we get to making the cost/benefit analysis of supposedly “free” services in exchange for reduced privacy and 24x7 surveillance by our corporate overlords.
My concern is more the integrity of the network infrastructure and how to reduce the impact of hacked IoT devices used by DDOS attacks.
That’s a big and scary problem, Peter. But it’s not the only one. I’m also concerned about these home assistants^W^Wspyware people install with little or no consideration: “Hey Alexa/Siri/whatever, turn on the webcams in my neighbour’s house”. Then there's the damage that can be done by tampering with weakly secured door entry systems, so-called smart meters and allegedly smart thermostats. Imagine a 21st century version of the Internet worm that borks smart meters and leaves people without power or water.
MUD files can help to identify what’s a device’s purpose and monitoring if the device is doing what it’s supposed to do. I agree that we should not have much hope that the device makers will do their job.
Indeed. However at least MUD files should (in principle anyway) give people an idea of what their latest IoT toy will do once it’s plugged in. Though just saying it phones home to Google/Amazon/Facebook every so often isn’t much help if you don’t know what it's sending and receiving. Or why it’s doing that. MUD files are a small step in the right direction. Hopefully we’ll one day see this information printed on the IoT device itself and the box it comes in.

BTW, Jelte spoke about the SPIN project at the WG meeting in Marseille. It was a revelation to see how much data was being sent outside his home network from its IoT devices. [And on a related note, why does my DVD player call the mothership and what data are being exchanged?] Michael’s idea of an IoT firewall would mean we can see what’s going on. This sort of thing will be essential if the concept of informed consent means anything.