by Animats 3534 days ago
It's time to apply some serious pain to the junk IoT manufacturers, retailers, distributors, and importers. A nice big billion-dollar lawsuit against Amazon for gross negligence would be a good way to start. US consumer law allows suing everybody in the supply chain. (They can then sue each other and try to sort out who pays, but that's not the victim's problem.)

We also need some big recalls. If Homeland Security tells the Consumer Product Safety Commission this is a national safety issue, the CPSC can order a recall. Something like this worked with those exploding "hoverboards". CPSC ordered recalls, Amazon took the junk back, and Amazon refused to pay manufacturers in Shenzhen. The manufacturers were furious, but hoverboards with crap batteries disappeared from the market very fast.

8 comments

I think the more realistic solution would be a vigilante group of hackers that continuously scans and takes over vulnerable IoT boxes with the intention of bricking them and/or disabling their network access.
The problem with this idea is that it is illegal, and federal agents are much better at tracking people down on the Internet than they were even 5 years ago. So while I think a lot of us would cheer the vigilantes on, they would be taking a serious personal risk.
If they were so good at that then this wouldn't be a problem in the first place. The hackers can be in the same country as the DDOSers.
But then wouldn't they be better off doing DDOSing for hire? Just a thought
There is shodan.io which is pretty good.

The vigilante hackers idea is for comic books IMHO. I would trust a 3-letter gov org. Maybe the NSA would be a lot more useful if, instead of breaking the internet, it tried to fix it.

> US consumer law allows suing everybody in the supply chain

IIRC, US consumer law requires the consumer to be the victim. (IAAL/NY, but not practicing) This restriction is called privity – the exceptions to privity are narrow, and no exception comes to mind here.

In this case the primary victims, the online services, are third parties, with any consumer recourse blocked by privity.

These third parties arguably have a couple options, though. The first and perhaps most theoretically interesting is the "class defence", the procedural complement of a "class action", where a few people (the third party online services) can sue multitudes (owner-operators responsible for malicious devices on the Internet) in a single process. Were such a case brought forward, these consumers could sue the manufacturers for indemnity. While as a litigator this makes the most theoretical sense, and this procedure exists in at least one jurisdiction I know of, I have never seen it tested.

Arguably a better option would be for the third parties to sue the manufacturers for negligence, based on the obligation that the manufacturers have to the public.

Any litigation is fraught with uncertainty though, not least of which is having a member of the judicial bench who is capable of properly evaluating the facts (which is not to say they are not out there, but they remain rare).

Like most externalized costs, the recourses of affected individuals are slim and ineffective.

> If Homeland Security tells the Consumer Product Safety Commission this is a national safety issue, the CPSC can order a recall

Proper regulation is a better choice, IMHO, though I don't know what the best process might be.

> "A nice big billion-dollar lawsuit against Amazon for gross negligence would be a good way to start."

Wait why is Amazon responsible? Why should they be sued?

They sell lots of the garbage, and have a track record of ignoring supply chain issues.
It sounds pretty harsh but I agree. Companies aren't going to take this stuff seriously until it really starts to hurt the bottom line. Now that politicians are starting to wake up to "the cyber" there may finally be the public will to take security seriously.
Feels wrong to blame this on Amazon of all parties.
That's a game of whack a mole, and even if you whack them down, the devices are already out there and are going to stay online for years.

The only thing that will make a dent in the problem quickly is wholesale filtering, by all network providers, of all Internet traffic originating from the IP addresses identified as being part of these botnets.

Unfortunately, unless either you can get that sort of result across a substantial part of the developed world or it happens that most of the insecure devices used here were sold to US-based customers, the US legal system alone isn't necessarily going to help much.
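The source-address filtering proposed in the comment above, as an added example that is not part of the original thread: a provider receives a feed of addresses reported as botnet members, collapses it into the smallest prefix list that covers them, drops matching flows, and emits an nftables-style blocklist. The reported addresses and the flow records are constructed sample data, not real botnet intelligence; the rule text is illustrative and should be checked against the nft version in use before deployment.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample feed of addresses reported as botnet members (documentation
# ranges, not real intelligence). Single hosts and CIDR blocks are both accepted.
REPORTED_BOTNET_SOURCES = [
    "203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.4",
    "198.51.100.0/26", "198.51.100.64/26",
    "192.0.2.77",
    "2001:db8:bad::1",
]

# Constructed sample flow records as (source_ip, destination_ip, destination_port).
SAMPLE_FLOWS = [
    ("203.0.113.6", "192.0.2.10", 53),
    ("198.51.100.90", "192.0.2.10", 53),
    ("192.0.2.77", "192.0.2.10", 80),
    ("203.0.113.200", "192.0.2.10", 443),
    ("10.0.0.9", "192.0.2.10", 443),
]


def aggregate_prefixes(sources: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Collapse reported hosts and blocks into the minimal covering prefix list.

    Adjacent hosts become one prefix (203.0.113.4-7 -> 203.0.113.4/30) and
    adjacent blocks merge (198.51.100.0/26 + 198.51.100.64/26 -> /25), which
    keeps the resulting ACL small. IPv4 and IPv6 are collapsed separately
    because ipaddress.collapse_addresses refuses mixed versions.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in sources]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(src: str, prefixes: Iterable[ipaddress._BaseNetwork]) -> bool:
    """Linear scan is fine for a demo; a real ingress filter would use a radix tree."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == p.version and addr in p for p in prefixes)


def filter_flows(flows, prefixes) -> Tuple[list, list]:
    """Split flows into (passed, dropped) by source address against the blocklist."""
    passed, dropped = [], []
    for flow in flows:
        (dropped if is_blocked(flow[0], prefixes) else passed).append(flow)
    return passed, dropped


def nft_blocklist(prefixes) -> str:
    """Render an nftables-style ruleset dropping forwarded traffic from the prefixes.

    Assumption: table/set/chain names are hypothetical and chosen for this example.
    Interval sets let one element cover a whole CIDR block.
    """
    v4 = ", ".join(str(p) for p in prefixes if p.version == 4)
    v6 = ", ".join(str(p) for p in prefixes if p.version == 6)
    return (
        "table inet botnet_filter {\n"
        f"  set botnet_v4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}\n"
        f"  set botnet_v6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        "    ip saddr @botnet_v4 drop\n"
        "    ip6 saddr @botnet_v6 drop\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    prefixes = aggregate_prefixes(REPORTED_BOTNET_SOURCES)
    print("collapsed prefixes:", [str(p) for p in prefixes])
    passed, dropped = filter_flows(SAMPLE_FLOWS, prefixes)
    print("dropped:", dropped)
    print("passed:", passed)
    print(nft_blocklist(prefixes))
```

Two caveats a provider would weigh before deploying this: the blocklist only catches traffic that really carries the listed source address, so spoofed-source floods need BCP 38 ingress filtering rather than a blocklist, and a single listed address behind carrier-grade NAT can cut off many innocent customers, so entries need an expiry and a removal path once the device behind them is cleaned up.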
You can't litigate your way to a fix. Lots of those devices will be in parts of the world where your lawsuit can't reach. Asia, Eastern Europe, Africa. We must engineer better solutions.