by nickpsecurity 3346 days ago
"I don't really see in this case how they (or mostly anyone) is unable to improve IoT (or general) security through other means"

Really? How about you show me the evidence that people are... through "other means"... improving IOT security of these devices enough that DDOS isn't a big problem any more. I'd love to hear what you've done to convince all the vendors to focus on secure devices instead of profit when targeting markets that will deliver profit regardless of security. Most of us in INFOSEC haven't been able to convince much past a subset of software and hardware developers to focus on improving security.

The only time vendors ever delivered secure or safe solutions was when sound regulations were forced on them with a requirement they were followed before a purchase was made. That was TCSEC and DO-178B respectively.


That's true.

Although I wonder: why didn't someone with deep security expertise, maybe ARM with its mbed, create something developers can't harm, and on the other hand, issue a product label saying: "this is protected by our stack..."?

I could see that being attractive to some B2B buyers, attracting devs, further strengthening the value of said label, increasing market share and reducing costs, and creating a positive feedback loop.

They did. It's mostly BS, though, since they cut corners too or can't impact the software lifecycle enough. Few people trust those labels. It could still be done, though, in a way along the lines of Underwriters Laboratories and Consumer Reports with private evaluations.
Shouldn't the vigilantes try to DDoS the IoT vendor websites with their own devices (poetic justice) instead of what the bricker guy is doing? That way it seems the message he's sending would be as direct and unambiguous as it gets.
Attacks on the vendors are another good option if there's a low number of vendors. The DDoS idea has a weakness where they might barely be effective if the devices are sold through 3rd-party stores and ads.