[Jtsummers]

Similarly, a single bad device on my network would block the whole of my network from the internet. It's another sort of denial of service attack.

We need IPv6 and have devices either access the internet with their own IP address or not access it at all. This solution, then, would only impact bad actor devices, not your other (non-compromised) devices. Still, not easy.

[cpncrunch]

I think it's fair to block the entire network. It is then up to the network administrator to fix the problematic device.

[Jtsummers]

While technically accurate to describe them as such, the vast majority of consumers (and internet service subscribers) lack the actual technical expertise to be network administrators.

Where these devices are being attacked inside, ostensibly, professional organizations (companies, schools, government buildings), I agree. But there you have, again ostensibly, an actual network administrator capable of dealing with the issue (and paid to do so).

[matthewmacleod]

I think that's okay.

We don't expect all homeowners to be, say, experts in electrical wiring, or gas supply, plumbing, drainage, or waste management. But all of these things—if they are poorly modified, managed, or maintained—can cause impacts on third parties. In the case of networked devices, the possible impact on third parties is even greater. We also enforce strong regulation on these systems – defining what may and may not be legally connected to public utility networks, for example.

We would probably expect a homeowner to hire a tradesperson to maintain these services, and in some cases it's legally mandated that only a qualified person may install or modify these systems. Is it then unreasonable to kick consumers off of the Internet when they install poorly-maintained devices, and require them to resolve the problem – perhaps by hiring the networking equivalent of a qualified plumber?

[Jtsummers]

Then we need to regulate the installation and maintenance of home networks like we do plumbing and electric. This is not a small requirement, and given the current ubiquity of home networks and networked devices it will be an incredible challenge to implement.

Probably a startup idea or two would come out of that sort of regulation. Now that, to install that Nanny Cam, I have to hire a certified network administrator.

[jessaustin]

If the ISP were held responsible by contract, the ISP could either transfer that responsibility as described above or they could just filter their outbound a little harder. The latter solution seems more practical.

[pavel_lishin]

Or they could go the cheap route, and have a whitelist of devices you're allowed to use on your network.

Huh, weird, this whitelist seems to mostly consist of devices the ISP would be glad to rent out to you on a monthly basis...

[nradov]

What sort of regulation are you referring to? I'm not a plumber or electrician but I replace broken faucets and light switches. No certification required.

[Jtsummers]

I was more referring to requiring homes be up to code. You're right that individual projects don't really require anything special, more important when building new buildings.

[twic]

It's oscillation all over again:

http://airminded.org/2015/09/30/the-oscillation-of-r33/

[empath75]

I feel like Amazon, Best Buy and new egg could get together and create a standard for IoT devices, no? Though I guess they'd get hit with antitrust.

[grzm]

I'm not all that familiar with standards bodies, but is it common for retailers to create standards? Isn't it often the case that industry does this?

[guelo]

That's fine, if you connect some cheap webcam and it causes you to be knocked off the internet you're going to be mad, leave a bad review for the camera, and not buy from them again. Market forces would then incentivize better security to be built into these devices.

[Jtsummers]

But the average consumer won't realize, especially when the installation and network failure aren't temporally adjacent, that the camera is the cause of the problem.

The solutions available (and there are more, just enumerating some):

IPv6 so everything is directly on the internet or not hidden behind a common router like they are now. This allows direct blocking of bad actors.

Security certifications for all software and hardware that ever connects to the internet. Well, guess I won't be doing as much programming at home anymore. And good luck getting that open source project of yours certified without getting some Patreon supporters with deep pockets.

Arbitrarily, from the consumers perspective, block their access to the internet when they "did nothing wrong".

Hold the creators of the devices accountable for making shitty, exploitable systems. Sue them directly for the financial harm they've permitted (millions of dollars today alone). But good luck suing them, they're in a foreign and will cease to exist tomorrow (under that corporate entity).

[cpncrunch]

>But the average consumer won't realize, especially when the installation and network failure aren't temporally adjacent, that the camera is the cause of the problem.

In theory the user could be presented with a "here is why you've been blocked" explanation when they try to browse any site. They could then (probably) figure out what is the offending device, take it off the network, then click "please let me back on the internet, the bad device has been removed". (Somewhat similar to how the MX blacklists work at present).

[notatoad]

"the vast majority of consumers (and internet service subscribers) lack the actual technical expertise to be network administrators."

that's true, but the vast majority of internet service subscribers aren't their own network administrators. If you're using an ISP-supplied modem/router combo, i'd say that your ISP is your network administrator. If my ISP wants that kind of access into my local network (and they don't give me any other option) then they should be doing some actual administration.

[Jtsummers]

Under this concept, they'd be able to specify precisely what kinds of computers and IoT devices you'd be allowed to use on your home network. This would be a net-negative for the world.