
Re: Food for thought (resurfacing)

From: Alex Russell <slightlyoff@google.com>
Date: Tue, 29 Jul 2014 22:48:22 -0700
Message-ID: <CANr5HFVjP2YbhzMtT11fmeUjqEedvfn6uJg-0tJdZW02ViL7eQ@mail.gmail.com>
To: Larry Masinter <masinter@adobe.com>
Cc: Noah Mendelsohn <nrm@arcanedomain.com>, Marc Fawzi <marc.fawzi@gmail.com>, Marcos Caceres <w3c@marcosc.com>, "www-tag@w3.org List" <www-tag@w3.org>
On Tue, Jul 29, 2014 at 10:44 PM, Larry Masinter <masinter@adobe.com> wrote:

>  I know the Nest does auto-update. But it’s also $249.
>
> How much would a non-auto-update one cost?
>
> What if I want a 3rd-party security scan of my company’s thermostat code?
>
> The thermostats of a building can become critical infrastructure.
>
> Imagine a thermostat where all the web part does is show weather warnings.
>
> Is auto-update really important here?
>

If it's critical infrastructure, then auto-update really is really
important.


> You don’t want to support a web
> thermostat where the browser is in ROM and optional?
>
>
>
> I have lots of devices on my home network – printers, pcs, mobiles, pads,
> receiver, remote, thermostat, tv, Blu-ray, roku, cable box, routers,
> personal peripheral (Fitbit).
>
> Most of them could logically use the web. And most aren’t auto-update,
> don’t need it, don’t need updates, the web is just a piece of what they
> do. I’m spending way too much time babying updates. This is a good
> architecture for whom?
>

For everyone else connected to the web. Once these devices reach out and
touch someone, they can do so in inappropriate ways when subverted. I
recommend checking out one of HD Moore's talks to get a sense for the scale
of the problem and the worst offenders:

    https://www.youtube.com/watch?v=VuYi7gVy3dI

Hint: it's old, unupdated, unloved software. Don't be That Guy (TM).


>
>
> Yes, and if you have a Nest, you'll understand that it DOES auto-update.
>
>
>
> Rather than, say, sandboxing the display module? Auto-update isn't a
> security panacea.
>
> Doesn't it cost more to build auto-updating thermostats; are non-updating
> ones out of scope for the web?
>
>
>
>
Received on Wednesday, 30 July 2014 05:49:19 UTC
