Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
no subject
Date: 2016-11-04 03:18 pm (UTC)

I'm the executive editor over at The Wirecutter; I responded to your comment over on our site but came over here after another commenter mentioned that you'd had more to say via your own social accounts (and then I figured I'd come read your full argument here).
I think one issue we have at WC when dealing with these kinds of issues is framing them in a way that speaks to readers who aren't always very tech-savvy, so often we are looking, as you mention here, at recommending things like "Going with brand names is probably a good proxy for many of these requirements." We tend to take a "most people" perspective. Grant's argument in that piece is coming from a statistical perspective, rather than one that attempts to encompass all possible situations — and those situations do include real threats to real people.
We don't want to give up on the idea of IoT security in any way, and we do understand that there are cases where this is going to be insufficient, and I do think we caution our readers in that post that there is always a risk, and that any device out there is exploitable.
The case you mention (a threat from someone known to the user) is one we didn't address in particular, and it's a good point. I'd love to see more data about the frequency of this sort of attack if you can link me to some resources.
As I'd mentioned over on our site, I'd love to be in touch further as we work on developing a protocol for testing the variety of random IoT objects we're coming across in increasing numbers.
Thanks much, and keep up the good work,
Mike