
Re: "Secure Introduction of Internet-Connected Things" (was Re: [webappsec] Agenda for MONDAY Teleconference 2014-10-20, 12:00 PDT)

From: Jeffrey Walton <noloader@gmail.com>
Date: Tue, 21 Oct 2014 21:06:38 -0400
Message-ID: <CAH8yC8kYe1J4JEW6bJoA_fxCOOzOuCQZTFTZ2wjPQiSh1F7xQw@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
>>> if a device is only marketable if its price point is so low that it
>>> cannot be secure, perhaps it should disable itself after some
>>> reasonable life-time
>> -1
>> Users will perceive it as planned obsolescence for business reasons, and
>> I wouldn't be surprised if producers treated it like that, too.
> Otherwise it's planned unsafety.
> Perhaps vendors could open source their abandonware.

Dan Geer posits the code should be seized and placed into open source.
From http://www.lawfareblog.com/2014/04/heartbleed-as-metaphor/:

Suppliers that refuse both field upgradability and open source access
to their products should be said to be in a kind of default by
abandonment.  Abandonment of anything else of value in our world has a
regime wrapped around it that eventually allocates the abandoned car,
house, bank account, or child to someone new.  All of the technical
and procedural fixes to the monoculture problem need that kind of
backstop, viz., if you abandon a code base in common use, it will be
seized.  That requires a kind of escrow we’ve never had in software
and digital gizmos, but if we are to recover from the fragility we are
building into our “digital life,” it is time...
Received on Wednesday, 22 October 2014 01:07:09 UTC