[Cryptography] Schneier's Internet Security Agency - bad idea because we don't know what it will do

John Levine johnl at iecc.com
Sun Feb 26 23:19:43 EST 2017


In article <1488075708.5907.2.camel at virginia.edu> you write:
>In this case, strict liability for security failures seems like a
>reasonable approach.  IoT vendors are free to try different things, but
>if their devices are hacked, they have to pay the device owners. 

That wouldn't help.  The Mirai botnet consists largely of hacked CCTV
cameras.  The cameras still work, but have an extra feature of sending
DDoS traffic.  The people who bought the cameras have no idea that
their devices have been hacked, and usually wouldn't care even if they
did, since they're not suffering.

Even without strict liability there are ways to push the pain back on
the owners of the hacked devices to give them an incentive to fix
them.  At a recent conference we talked about ways of codifying
industry practice so ISPs can cut off or firewall customers who are
sending malicious traffic from hacked IoT devices.

R's,
John

