by lifeisstillgood 3529 days ago
We seem to be needing more concerted action on what is a consumer minimum standard for an internet connected device.

Consumer devices have to be more secure because of the low user skill level - and interest.

I am always reluctant to say "there should be a law against it" but frankly if we cannot mandate minimum standards of upgradability and security for devices we will just keep handing over our devices to the first person to scan them.

6 comments

Or you need to make it easier for the 'black hole' solution to be pushed further and further back to the sources of the bad traffic.

A remote site shouldn't be able to get you banned from the Internet (by itself); but it MUST be able to say, "This host is being abusive, restrain them from sending me data". ISPs SHOULD use that information to evaluate if a host from their network might be compromised or otherwise a negative player. ISPs SHOULD also take steps to inform, and link to educational resources, customers which are being bad citizens of the Internet. ISPs SHOULD also be financially motivated (punishments to them) for allowing too many uncivil customers online; this might take the form of instead banning that ISP from the Internet as a whole.

So, as your ISP, I'm going to be held responsible for the actions of you, my customer/user?

Okay, if I'm going to be liable, financially or otherwise, well, then we're gonna have to make some changes around here.

First off, I'm going to have to heavily filter and restrict what traffic you can send out to the Internet. What isn't filtered or restricted is going to have to be inspected, logged, and retained for a period of time.

Next, because I can't be certain that you're RFC3514 compliant and that at least some of the bits you're sending aren't malicious, I'm going to have to prevent you from sending out any encrypted traffic. Instead of allowing you to use any DNS servers you want, you're going to have to use mine (DNS is heavily abused for DDoS attacks). Outgoing e-mail will be automatically redirected to my internal smart host (STARTTLS will be blocked, by the way) and I'm gonna have to log, read, and retain it all. HTTP traffic will be transparently proxied and all requests and responses will be logged and retained.

That's just the beginning. Are you sure this is what you prefer as your "solution"?

As a network operator, I believe that your ISP should be nothing more than a dumb pipe and allow the bits that you send to pass through freely. As an ISP customer, that's how I want my ISP to act. (If something gets reported or I "notice" you for some reason then, sure, I'll look into it. Otherwise, I try to fuck with my customer's traffic as little as possible.)

I'll agree that there is certainly a problem, but it is not because of ISPs.

> this might take the form of instead banning that ISP from the Internet as a whole.

I agree with some of your points, but fracturing the internet is not a viable option. It might make sense if it were a healthy, competitive market instead of the near monopolies that exist today. Imagine banning Comcast, or AT&T.

It's controversial, but I kind of agree. You need FCC approval to broadcast a radio signal due to the risk of interfering with other traffic, and you should have FCC approval that your IOT device meets minimum security standards before being sold.

It may be controversial, but I think there ought to be a law. Some ideas: http://www.dwheeler.com/essays/law-security.html

Why rely on end devices? The infrastructure itself should be designed so that it cannot be broken that easily. Maybe we should return to metered connections, maybe we should implement a protocol to control routing.

The Internet has grown without proper planning using a lot of "quick and dirty" hacks (for example NATs, peering agreements) and today we just see the result. It reminds me of poorly designed email protocols that resulted in spam being the biggest part of email traffic.

I'd say the Internet has grown using a lot of "quick and dirty" hacks

If the internet should wait until all use cases were created, it wouldn't exist. Its power was exactly that people could think on how to create things on top of what was available. Many RFCs came afterwards.

If only there were an app for consumers to securely scan their own network for unspoken traffic in these connected devices.

The amount of consumer IoT currently connected with default and often outdated device settings is beyond belief.

The standards don't need to be raised much. Banning the sale of internet-connected devices with non-random default passwords doesn't seem too intrusive for the benefits it will bring.

As noted below, you need FCC or similar licences for wifi radio, why not something similar for the packets emitted?

Downside is that radio leakage licensing is fairly simple scientifically. Proving something is unhackable is harder ...