[Chapter-delegates] DDOS attacks, IoT, and best practices
Richard Hill
rhill at hill-a.ch
Sun Nov 20 08:56:24 PST 2016
Nadira has asked participants on this list to comment on the existing ISOC
Policy Briefs, which are at:

http://www.internetsociety.org/policybriefs

I presume that everybody on this list is aware of the fact that low-end IP
devices, such as IP cameras, have apparently been used recently to
perpetrate distributed denial of service attacks (DDOS). Such attacks are
facilitated by the fact that such devices ship with default admin passwords,
and that many users don't change the default password.

The security issues raised by the inevitable proliferation of devices
connected to the Internet (the Internet of Things) are gathering increasing
attention, see for example:

http://www.dailydot.com/layer8/bruce-schneier-internet-of-things/

Our Policy Brief "Internet Invariants" states that one of the invariants
is:

"Innovation without requiring permission: ... Any person or organization can
set up a new service that abides by the existing standards and best
practices and make it available to the rest of the Internet - without asking
permission. ..."

That Policy Brief is at:

http://www.internetsociety.org/policybriefs/internetinvariants

I wonder whether we should add a footnote, or something, to make it clear
that "abiding by the existing standards and best practices" must include
adequate consideration of normal security standards, which might include
schemes that force users to change default passwords when they connect IoT
devices to the public Internet.

Best,
Richard