
This is why people fear the Internet of Things - wtbob
http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/
======
bane
What concerns me, as somebody who has absolutely zero interest in internet
connected thermostats or fridges or whatever, is that as IoT devices become
more and more ubiquitous, I'll probably still end up with some kind of quasi-
surveillance garbage in my house. Either because I didn't mean to purchase it,
or because there was no alternative because in the future every under-sink
garbage disposal requires a wi-fi connection or some nonsense.

Due to smart phones, computers and tablets, I already have all my internet
habits being recorded, and half a dozen cameras and microphones all over the
house.

What's just as concerning is how many quasi-legitimate service providers, for
reasons of people desperately trying to secure themselves from bad actors, end
up finding technical solutions that are indistinguishable from malware and
other kinds of network attacks/exfil techniques.

Argh, this is a stupid future, I want to go back and try again.

~~~
imglorp
I look forward to the future where I can come home and my space will welcome
me individually, turning on lights, media, and climate to my personal
preferences, and respond to "tea, earl gray, hot" at any time. My groceries
and other expendables will replenish as they run low; menu planning will stock
more. I'll get a chime when my kids arrive home, and another if their love
interest shows up after hours. Etc etc. All this information will be held
strictly per my privacy settings and is fully encrypted when offsite.

Now, the real question is, how do we get there, integrated and private,
without selling out the whole stack to 100 different vendors with different
APIs, without one of them hacking the rest of your network, and without your
government either hacking you, hacking one of those vendors, or just
pressuring them for your data?

I don't have an answer.

~~~
vlunkr
I honestly don't think that future is worth the cost. Some of those things
would be great, but controlling lights with IoT? Why? Aren't we solving a
problem that doesn't need to be solved? I currently spend roughly 0% of my
time thinking about and managing light switches, the system works great as is.
Same goes for turning on media and setting the temperature. These things just
work and they are bug free. I can only see them getting worse by adding
networking and software.

Of course, it's a different argument when your house starts making food for
you, but I think I'll still lean towards maintaining my current system.

~~~
maxerickson
Media devices don't really work that well.

For example, my cable box comes with a remote that has a 'turn everything on'
macro button. Except there's no integration, it just blasts the power toggle
IR for the TV. Does it work? Yeah. Does it work well? No.

Buying a single brand and carefully selecting devices can help with that sort
of thing, but it's BS you have to be careful to get any integration, it should
just work.

~~~
joncrocks
A good number of newer devices ship with
[https://en.wikipedia.org/wiki/HDMI#CEC](https://en.wikipedia.org/wiki/HDMI#CEC)
which is meant to help with this type of thing.

I'd agree that a lot of the time it still doesn't work 'well' though.

~~~
maxerickson
I vaguely remembered that HDMI had something and had looked it up and checked
if the cable box supported it before I posted; it doesn't (unsurprisingly).

The sad thing is that it is so easy to imagine so much more. If the cable box
provided the available programming as data, I could use whatever interface I
wanted to access it. Instead, I'm stuck with their customer hostile crap (no
way to hide channels, etc.).

------
tjohns
Between IoT and the deployment of IPv6 (meaning no more automatic NAT
firewalling), I feel like we need to take a fresh look at how home routers are
designed.

I'd love to see products that provide a user-friendly way to help me audit
what my network is doing, and create firewall rules for different classes of
devices. For example, if you're running a DVR server, the camera mentioned in
this article probably shouldn't have been granted Internet access.

While some routers have basic firewall support, it's really rudimentary and
nowhere near sufficient when you have several dozen (or more) relatively
unknown devices on your network. And definitely not user-friendly enough for
most home users.

~~~
pdkl95
> no more automatic NAT firewalling

NAT != firewall

IPv6 doesn't take away your stateful firewall, and NAT isn't providing _ANY_
security. Your private IP addresses are betrayed all the time by your browser
(and TCP option headers). NAT has done an incredible amount of damage to the
internet; it prevented the development of true peer-to-peer software and
forced everything to centralize.

The solution - even for IoT in the few places IoT isn't a surveillance scam -
is to _remove NAT_ by using IPv6.

~~~
nly
> IPv6 doesn't take away your stateful firewall, and NAT isn't providing ANY
> security.

That's not really true. By its nature, stateful/dynamic NAT, which is what the
majority of the consumer world is using, means internal services aren't
exposed to the Internet. Short of layer 7 stateful packet inspection, or some
other IDSy type thing, a consumer-focused 'firewall' isn't going to do any
better... they have to be generic and fuss-free. Just go back to the early 00s
or mid-90s to see the ramifications that exposing ports from Windows machines
to the Internet had, then tell me NAT hasn't had a positive security impact.

~~~
simoncion
> Just go back to the early 00s or mid-90s to see the ramifications that
> exposing ports from Windows machines to the Internet had, then tell me NAT
> hasn't had a positive security impact.

NAT has had the same _security_ impact that a default REJECT ingress firewall
policy would have. (Coincidentally, this is the default firewall policy for
non-Enterprise Windows Firewall configurations.)

If you combine default REJECT with a port opening protocol like UPnP, you have
a really nice, reasonably secure, self-maintaining border firewall.
(Hyperventilation about security issues with particular implementations of
UPnP notwithstanding.)

~~~
nly
I'm not saying we need NAT, just that without prior _need for NAT_,
perpetuated by ISPs only giving us one IP, I doubt anybody would have _any_
ingress filtering at the border. It's a lot easier just to block ingress to
the whole house than it is to ensure a dozen devices are secure against
unwanted incoming connections... this problem will present itself with the IoT
sooner or later.

~~~
simoncion
> ...just that without the _need for NAT_, perpetuated by ISPs only giving us
> one IP, I doubt anybody would have any ingress filtering at the border.

I disagree. Defaults are a powerful thing. If one's router ships with a
default REJECT ingress firewall, a non-technical user is not likely to change
it.

------
acomjean
I worked in a company that provided remote power monitoring. We put a box in
your circuit breaker panel and monitor your power use. It's kinda neat, but way
more intrusive than I imagined.

It didn't occur to me how much you can learn until looking at power
consumption home page of our demo house when the owner was on vacation (owner
= boss). All the circuits are flat. A manager at the company who installed it
too, came home and told his wife "I see you came home at 3". He knew because
he could watch the power come on. We could count loads of laundry done and
watch the sun rise from solar panel output. Then there are the awkward
conversations when you know the dog walker didn't walk as long as they said
they did.

I was glad the company transitioned to monitoring businesses, but I left after
a few years for unrelated reasons.

~~~
JoeAltmaier
Trust, but verify. I like the idea of knowing when the teenager actually got
home, or how much the dog walker is stiffing me.

~~~
dangerlibrary
Do you like the idea of service providers being able to monitor those things
about you? How about the fact that by providing the data to a third party
you've abandoned your expectation of privacy re: when and what you do within
your own home?

------
AdmiralAsshat
I think the bigger problem is that not _enough_ people fear the Internet of
Things.

------
fixermark
The zen of the Internet is this: it minimizes the significance of physical
location from the interaction equation. This seems small, but is in fact huge:
as any high school social studies student can tell you, most of human history
is a story of "Location, location, location."

This is the huge feature that the Internet of Things is built upon, but sadly,
far too few players in this market have yet accepted the full ramifications of
the feature---while all the devices you own are now functionally within
speaking distance of each other, every criminal on the planet is _also_ now
within speaking distance of them.

Hopefully, more manufacturers will wise up to this concern. Until then, I'm
rolling my own IoT solutions.

------
trm42
Maybe there should be some kind of IoT security standards or maybe some
Security Company testing and handling "Secure IoT device" rubber stamps to
every tested and compliant device?

This is because every company that has been making "Things" for the last 5-100
years is now thinking about making IoT devices without understanding anything
about Internet or Security. The Nissan Leaf or that toy maker Vtech cases are
good examples of this.

A quick starter for the rubber stamp list:

1. Authenticate every request
2. Use encryption in every phase (transport, passwords etc)
3. Really, handle basic Web security
4. Be really, really protective about your customers' data in every way
5. Don't sell the data without consent from the customer

~~~
CaptSpify
Although I agree with your premise, I don't know if it would work out. Look at
PCI compliance nowadays: it's all bullshit. PCI is really there for the bank
to pass the buck when something goes wrong. It pretends that it's making
things more secure, but IME, it does not.

I don't know the answer to this problem though

~~~
trm42
Don't have any experience with PCI compliance but I assume this kind of stuff
_should_ remove the most idiotic security holes.

~~~
CaptSpify
You'd think so, and it's supposed to. IME: As long as you're not audited, nobody
cares. I know of a place that was PCI approved for over 3 years that was doing
_every single_ item on the "do not do list". Since they weren't audited,
nobody cared.

------
pencilcode
The IoT startups are trying to get market share right now so they don't care
at all about security. About a year ago I went to an IoT startup interview and
asked if they used ssl when transferring data to and from the devices. Answer:
at this stage it doesn't justify the investment, we're on vc money now and we
need to get clients first.. It's going to get crazy when this becomes a real
fad..

------
EA
My coffee pot and your water heater are touching each other via strips of
metal.

~~~
paulsutter
Why was this down voted? Yes he could have made a far better post, but it is
an interesting point.

~~~
CPLX
It's about as interesting as noticing that my house and your house are on the
same street, if you think about it.

~~~
c22
Whenever people ask me if I'm lost I just remind them that all streets are
connected and if we just keep trying novel turns we're bound to reach our
destination at some point.

------
jjuhl
Related: "I bought some awful light bulbs so you don't have to" -
[https://news.ycombinator.com/item?id=11171839](https://news.ycombinator.com/item?id=11171839)

------
IshKebab
I'm surprised he's surprised about this. What they claim to be doing is
totally reasonable, and pretty much every IoT device works like this. There's
simply no good way to get out-of-the-home communication to work reliably
without having the device connect to the cloud. At least they (claim to) use
NAT punching when possible.

I guarantee Nest, Canary, Ring, etc. all do the same thing. HomeKit and Weave
do too (although they use Apple/Google's servers which you probably trust
more).

~~~
phkahler
>> What they claim to be doing is totally reasonable, and pretty much every
>> IoT device works like this. There's simply no good way to get out-of-the-home
>> communication to work reliably without having the device connect to the cloud.

None of these devices need out-of-the-home communication for the user's
benefit. Not even Nest.

~~~
zaroth
To change the temp on my Nest when I'm away from home there are 4 options I
can see:

- central control via the manufacturer (thermostat talks to nest server, my
app talks to nest server)

- dyndns with NAT hole punching or upnp (a way for my app to know what IP the
nest is listening on and connect directly to it)

- a vpn from my phone to my home and the app discovers the nest as a local
network device. You still need a way to make the VPN connection to your
router, bringing us back to dyndns or some way to discover your IP or hope it
is static

- a P2P overlay network, such as what Krebs is complaining about, or more
securely, a Tor hidden service.

------
hackuser
As we increase the mass surveillance of our citizens, consider what a certain
U.S. Presidential candidate - who advocates religious and ethnic
discrimination, torture, reduction of press freedoms etc. - would do with that
power. Consider what it would be like to be Muslim, constantly under threat of
official and unofficial discrimination in many Western countries, and have
this surveillance everywhere around you, in your home, on your phone, etc.

------
zaroth
This is a perfect use case for Tor hidden services. They punch the NAT, they
encrypt, there's a robust discovery network, and the entire setup could be
either scanning a QR code from the app on the phone or delivered over
Bluetooth or local LAN or hypersonically or even clicking a link in an email
the device sends you directly via SMTP (prepare to check your Spam folder).

I believe the latest gen hidden service descriptors also effectively
_authenticate_ as well because the unique domain is kept secret and has enough
entropy. I'm not sure if it's quite as simple as hash(domain) is public and
the preimage is used as a key, but something like that.

I thought this article was going to be about the camera emailing snapshots
back to China we talked about a few weeks back. A bit disappointed that it's
mostly FUD over simple IP discovery with perhaps some STUN/TURN added in. So,
in that regard using Tor instead may not help.

However IMO anything that makes .onion become mainstream is a very good thing.

------
quadrangle
[https://twitter.com/internetofshit](https://twitter.com/internetofshit)

------
hackuser
The typical end user has no hope of sniffing their network traffic, analyzing
it, and configuring their firewall to block undesired transmissions. I don't
have the time to do it myself.

We need a hosted VPN service that provides a user-friendly firewall that
defaults to deny all and offers a whitelist. Does that exist?

------
mark_l_watson
I am losing my enthusiasm for IoT because of concerns over how strong the
security and privacy will be. It is not just concern over governments' desire
to backdoor and monitor: I think there are valid concerns that organized crime
will also exploit weak security in IoT devices.

------
dominotw
People don't 'fear' IOT, they just don't care about it.

I am yet to see a single IOT device which would compel a non-techy-nerd to buy
it.

IOT is stupid as it stands now.

------
exodust
Not an expert but I like my IP cameras.

Most people won't want to set up DDNS through their router with a service such
as DynDNS (expensive at $40 per year). So the IP camera manufacturers offer
DDNS as part of the product. Register the device, and you're up and running
with the live camera feed appearing on your phone.

Increasingly the cameras have 2-way mic capability, so it's actually very cool
to access it from your phone.

It's possible some of the fear is coming from not understanding the
connections taking place as part of the DDNS. The actual video stream does not
need to be uploaded to the manufacturer, unless they offer media management,
backup etc and you've opted in. I prefer saving the video triggered from
motion sensors etc to a local NAS.

------
iofj
There are many features that a P2P network would enable for this sort of
hardware that would require large central infrastructure if done any other
way.

Probably, it's either something like this or paying a subscription fee for
these devices, as having them use other local hardware infrastructure is a
non-starter.

I'd love a device like this that does P2P and lets me build meeting rooms
across the different P2P devices. Just something that looks like a webcam, or
like this, plug into the TV, and maybe have a button to start a meeting. That
it gives access to my home network, oh well. I let anyone who visits more than
once on my home network anyway, and also devices by a dozen manufacturers that
I know aren't secure.

------
rufugee
Anyone know how the cameras specifically punch through the firewall? I have a
number of Apexis cameras which I believe are essentially rebranded Foscams. I
set them up with static DHCP leases, placed them in a DMZ, and specifically
blocked all outbound communication from those cameras to the outside world.
Now I'm curious whether this would be enough if they had this p2p feature. In
my case, all they seem to do is register with a Chinese based dynamic DNS
service. Still, I don't need them to communicate with the outside world and
would prefer to prevent it.

~~~
dimman
Hole punching is nothing spectacular, let me explain simply:

You're on your computer connected to a regular home router. You hit google.com
in your browser. What happens is that you create an outgoing request towards
google.com port 443 (TLS/HTTPS). The router opens up a temporary firewall rule
allowing responses from google.com port 443. (Without it you wouldn't get any
response)

Holepunching is simply using that fact: your devices A and B share their
external IP:port with each other (outside of STUN/TURN scope) and then do a
simple connect() to each other's external ip:port. When A does
connect(B_IP:B_port) it opens up for B to respond to that channel, and since B
is doing connect(A_IP:A_PORT) his request will be let through and they can
connect to each other. A direct connection, a P2P (peer to peer) connection
between those two clients, no one else.
between those two clients, no one else.

Imagine it as a temporary port forwarding that's most importantly limited to
one specific IP and PORT that can use it: the other device.

(There are some technical limitations to this like the type of NAT/firewall you
have, but for the simple home router the above usually works.)

~~~
rufugee
I'm still not sure I follow you regarding how the above applies to my
situation. I believe in your case, you mean to say that A is a local machine
and B is a remote machine, and if they're complicit together, allowing A to
connect outbound to B then allows B to communicate back to A, which could
allow the two of them to do things you really don't want.

However, if I have the cameras on a completely separate subnet and network
interface on the firewall and block communication from this subnet to my
regular lan _and_ to the outside world, I should be immune to this, correct? A
is in my DMZ, and can't communicate with the outside world based on my
firewall rules, so A would never reach B.

~~~
dimman
If the device can't communicate outbound then no, you're completely safe.
There's no magic to this; hole punching is just a silly name for a simple
technique.

Hole punching works when both A and B are behind NAT. It also allows B to
contact A if A is behind a NAT (no matter if B is behind one or not). If both
A and B have public IPs then the hole punching is "already done"; they can
already connect to each other.
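
Added example, not part of any comment in this thread: a toy model of the router state table behind the hole punching described above, showing why the opened path is limited to one remote IP:port, why blocking all outbound traffic from the camera subnet (rufugee's DMZ setup) prevents it, and why it fails behind symmetric NAT. All addresses, ports and the rendezvous server are constructed for illustration.

```python
"""Toy model of the connection tracking in a home router (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

RENDEZVOUS = ("198.51.100.10", 3478)   # hypothetical server both peers can reach
CAMERA = ("192.168.50.20", 5000)       # constructed: camera on its own subnet
PHONE = ("10.0.0.7", 6000)             # constructed: viewer app behind another router


@dataclass
class Router:
    public_ip: str
    egress_blocked: tuple = ()          # internal subnets denied all outbound traffic
    symmetric: bool = False             # symmetric NAT: new external port per destination
    state: dict = field(default_factory=dict)      # (ext_port, remote) -> internal host
    port_map: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, src, dst):
        """Internal src sends to dst. Returns the external (ip, port) that dst
        sees, or None if the egress rule drops the packet."""
        addr = ipaddress.ip_address(src[0])
        if any(addr in ipaddress.ip_network(net) for net in self.egress_blocked):
            return None
        key = (src, dst) if self.symmetric else src
        if key not in self.port_map:
            self.port_map[key] = self.next_port
            self.next_port += 1
        ext_port = self.port_map[key]
        # The "temporary rule": replies are accepted only from this exact dst.
        self.state[(ext_port, dst)] = src
        return (self.public_ip, ext_port)

    def inbound(self, remote, ext_port):
        """Default-deny ingress: deliver only if remote matches existing state."""
        return self.state.get((ext_port, remote))


def punch(router_a, host_a, router_b, host_b):
    """Return True if A and B end up with a working two-way direct path."""
    # Each side contacts the rendezvous server, which learns its external address.
    ext_a = router_a.outbound(host_a, RENDEZVOUS)
    ext_b = router_b.outbound(host_b, RENDEZVOUS)
    if ext_a is None or ext_b is None:
        return False                    # a host with no egress is never advertised
    # Both sides send to the address advertised for the other peer.
    seen_a = router_a.outbound(host_a, ext_b)   # source address B's router sees
    seen_b = router_b.outbound(host_b, ext_a)   # source address A's router sees
    a_to_b = router_b.inbound(seen_a, ext_b[1]) == host_b
    b_to_a = router_a.inbound(seen_b, ext_a[1]) == host_a
    return a_to_b and b_to_a


def scenario(egress_blocked=(), symmetric=False):
    """Camera behind the home router, phone behind an ordinary remote router."""
    home = Router("203.0.113.5", egress_blocked=egress_blocked, symmetric=symmetric)
    remote = Router("203.0.113.77")
    return punch(home, CAMERA, remote, PHONE), home


if __name__ == "__main__":
    ok, home = scenario()
    print("ordinary home router, punch works:", ok)
    # A third party hitting the same external port has no matching state.
    print("unrelated host delivered to:", home.inbound(("192.0.2.66", 4444), 40000))
    ok, home = scenario(egress_blocked=("192.168.50.0/24",))
    print("camera subnet egress blocked, punch works:", ok, "state:", home.state)
    ok, _ = scenario(symmetric=True)
    print("symmetric NAT, punch works:", ok)
```
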

------
njharman
Network webcams aren't even close to what iot will be. They are 1990s gopher
servers compared to today's WWW.

And the fear mongering (ooh Chinese, be scared! Must be worse than all American
company/gov soon same.) scenario presented is by far not one of the scary
scenarios that ubiquitous, constant, and networked sensors of all types make
possible.

------
nibs
I know this is in the context of "consumers", but is that how most people see
Internet of Things? I thought IoT was more of a name for business
applications, or the trend in general, rather than the category of device. I
thought that "smart (appliance)" was how the devices are sold to "consumers",
and that Internet of Things referred to a trend that mostly means businesses
using internet-connected devices to simplify IT and get information about
assets. In that context, it doesn't seem like people are afraid as they are
just skeptical and curious about what value it could provide. It is a strange
future indeed if fridges that enforce thought crime fall into the same
category of technology as a plant floor weight sensor. At that point, they
just become "things" again.

------
dchmiel
For those trying to build privacy and security into their products, are there
some resources for what should be done before putting a product out?

I have seen a list from Brian Knopf for some preliminary criteria in an
article.(1) I am always looking for more standards or advice on how to create
a useful product that doesn't expose the user especially marginal gain
products. I mean why give up all the privacy and security just to control our
lights? The gain is small but the harm is very large.

1. [http://arstechnica.com/security/2016/01/how-to-search-the-in...](http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/2/)

EDIT: Grammar

------
gloves
There was a talk at an event I work for (that's the full disclosure done) on
building security into the IoT. It was made by a Hardware Manager of the
original iPhone, a patent holder for NEST and is now CEO at Electric Imp. In
short, he argued that security has to be layered into every stage of the
design process. The current paradigm is to make something and try to retrofit
security features into it.

[http://iot.thebln.com/2016/02/building-security-into-iot-int...](http://iot.thebln.com/2016/02/building-security-into-iot-internet-of-things-forum-electric-imp/)

------
gardano
Question borne of ignorance: Have any of these vendors opened themselves up
for any legal liability for these shenanigans?

Also, if some small developer wrote a mobile app to control such devices,
would they also see themselves liable?

------
xg15
Meanwhile, if the same camera would only phone home to <manufacturer>.com and
all the peer-to-peer stuff would be handled at the manufacturer's servers,
there would probably be no outrage at all...

~~~
frandroid
By definition, if it phones home, it defeats the purpose of a P2P network.

~~~
xg15
Well, that was kinda the point.

I agree with the stance of this post that this demonstrates the dangers of the
internet of things. But I think it's misleading (and a little funny) that it's
the p2p aspect that causes all the outrage.

You could move all the p2p stuff from the device to a central, manufacturer-
controlled proxy, relabel the p2p connections "3rd party APIs" and suddenly
your former security nightmare has transformed into an ordinary, industry-
standard IoT product, even though the data that gets transmitted is exactly
the same...

Instead the focus should be on what data is transmitted at all, but that is an
old, well-known problem of course...

------
gloves
It's only when companies take security in IoT devices seriously that we are likely
to see any meaningful progress in the sector. Security is an afterthought
right now for companies who design products, but don't necessarily have the
expertise in security to counter those who wish to hack their products. The
reality is security today is as important a part of the initial design in IoT
products as the look and functions of the product are.

------
guelo
This would be a good place to mention Silk Labs' Sense. They're an ex-Mozilla
team designing an IoT platform with privacy baked in from the ground up. They
recently launched a successful Kickstarter,
[https://www.kickstarter.com/projects/gal/sense-personalized-...](https://www.kickstarter.com/projects/gal/sense-personalized-intelligence-for-your-connected)

------
brbsix
Every time I read a headline like this, I can just picture a raving Alex Jones
"They want to spy on you through your dishwasher! They want to look at your
naked daughter! Ahhhhhhh it makes me so sick!".

Unfortunately this is one of those issues that he is right about.[0]

[0]: [http://www.wired.com/2012/03/petraeus-tv-remote/](http://www.wired.com/2012/03/petraeus-tv-remote/)

------
fblp
Open source software like [https://kerberos.io/](https://kerberos.io/) enables
many standard USB cameras to become wifi cameras. It'd be great to see things
like this become a consumer product, there's no reason surveillance software
should be proprietary.

------
dimman
This sounds basically like a STUN/TURN + P2P solution which in itself _does
not_ mean it's unsafe! It can be unsafe just as anything else out there if
it's made unsafe.

As explained by the company representative (including my own added
explanations) the devices, when behind NAT, can not receive any incoming
requests without setting up port forwarding in the router (this is done
automatically and temporarily for outgoing requests to allow incoming
responses, but that's another story). Setting up port forwarding is not a good
solution so what I presume they are doing is that they are connecting to a
TURN/STUN server from the camera outwards to be able to communicate. When the
application wants to connect that one also connects to this server to have the
camera create a p2p link (that means direct connection between camera and the
device the app is running on). If that one fails then they are relaying the
data through their servers.

Now there are some caveats for the above solution. If one relies solely on
encrypted channels and certificate security it should be as safe as the
encryption is strong or the strength of the certificates. If not done
properly, say client/peer verification is missing or the encryption chain
isn't complete, then it's most likely bad. However:

The single most important thing is that the _functionality itself_ and the
technique used is not unsafe per se.

The author makes it sound like it's a giant P2P-pool of camera devices,
however this does not seem to be the case. Rather it seems to be a big network
of relay servers to reduce latency for the connected devices. Big big
difference there.

(Then one may question the inability to turn it off or that it's enabled by
default, but that's another question)

~~~
wmt
Maybe you should read the story again. The core focus of the criticism is
directed at punching holes through firewalls by default, and in this case you
cannot even disable it.

"This is a concern because the P2P function built into Foscam P2P cameras is
designed to punch through firewalls and can’t be switched off without applying
a firmware update plus an additional patch that the company only released
after repeated pleas from users on its support forum."

Later he quotes Nicholas Weaver from ICSI:

"Given the seemingly cavalier attitude and the almost certain lack of
automatic updates, it is almost certain that these devices are remotely
exploitable."

~~~
dimman
I do fully understand how the technology works. Let me explain:

"punching holes through firewalls" <-- This _simply_ means that the device
does a connect() call towards the client's IP:port while the client does a
connect() towards the device:port at roughly the same time. You simply use the
fact that a simple home router opens up a temporary rule allowing the
destination:port to respond to your outgoing request. This won't work on
symmetric NATs for instance.

It's basically a completely safe method and does not open up for anyone else
to connect ...

(The enabled by default is, as I wrote in my original post, another question.
The way I read the article it seems like the core focus of the post is to say
that the solution used is bad or unsafe, which with given information cannot
be said).

~~~
wmt
There you go again, misunderstanding what was actually said. I never
questioned your understanding of the technology, but your understanding of
what Krebs says.

Krebs also understands the technology, and quotes David Qu from Foscam about
how their P2P technically works.

~~~
dimman
Yeah I noticed that it sounded like I misunderstood you, however I did not.
Let's just get it straight:

I agree with you and him that it would be a lot nicer to let the user choose
to enable this, and definitely not make it impossible to disable.

With that said, I'm still not sure that the author actually understands the
technology behind or how it works.

Reading David Qu's answers they just align with what I'm saying about the
technical part though. No matter what the author says, I think it's easy to
misunderstand the text and make it sound like the manufacturer is doing
something unsafe...

------
noonespecial
_> Now imagine that the geek gear you bought doesn’t actually let you block
this P2P communication without some serious networking expertise or hardware
surgery that few users would attempt._

They forgot the part where my government keeps trying to make it illegal to
fix it even if I know how.

------
clock_tower
With all the talk of phoning home to particular manufacturer networks in this
thread, does anyone know what happens when an IoT manufacturer goes bankrupt?
Are their devices left as useless bricks?

------
compactmani
I know IoT sounds scary and privacy invasive (it is), but in reality, most of
the IoT devices are not dependent on the internet. For example, my toaster,
refrigerator, washing machine, dish washer, coffee machine, TV would never
benefit at all from using the internet, so I would never connect them.

The only device that actually benefits from the internet is a computer, and
maybe a mobile phone (because there is this app craze). The rest I predict
will fade when consumers discover the devices were fine the way they were.

~~~
bigfudge
You're right but you won't have a choice. Many devices will require connection
to the internet to be configured, and you won't always know ahead of time what
they are because most people won't care enough to put it in a review. For
example it drives me crazy that my washing machine beeps for over an hour when
it's done... I don't care - just stop making that noise... However, it's
impossible to search for "doesn't beep like crazy" when buying a new product
on amazon.

~~~
compactmani
I can't see how any appliance would be required to be online for use or
configuration. Even every laptop off the shelf doesn't have such a
requirement. The only device I know that does is a smart phone (maybe?).

~~~
tremon
Just as an example: the Logitech Harmony range of remotes. The only way to
program those remotes is to go through Logitech's application portal.

I'm not saying it has to be done that way; I'm just saying that it is.

------
giancarlostoro
On the other hand DIY IoT doesn't sound as scary so long as your Raspberry Pi
or Arduino board don't phone home.

------
djhn
So apparently everyone on HN agrees IoT is bad. Who can make/ or has made a
reasonable argument defending this progress? Why is this progress happening?

------
elorant
What we really need is a universal IoT OS. Something like Android for devices.
Then we can enforce the same set of safety rules that apply for smartphones
and have some relative ease of mind. Otherwise it's gonna be hell because on
top of everything we'd have to deal with manufacturer's incompetence to build
decent software.

~~~
roymurdock
The IoT encompasses a huge number of heterogeneous devices - for consumer
electronics you have webcams, smart TVs, wearables, smart white goods,
thermostats, etc. - all with vastly different hardware that requires varying
levels of complexity at the OS level.

On top of that, the space is very immature and a huge nascent market, so you
have all the big players trying to beat each other out for a large slice of
the pie - Alphabet, Apple, Amazon, Intel+Qualcomm+Microsoft+Samsung (OCF
Alliance), etc.

What you really need is a strong vendor with a compelling security story who
you can credibly trust to create good devices with a lot of thought on end-to-
end security...any guesses who that might be?

