So apparently I am the only one who thinks that device manufacturers shipping insecure devices is not an excuse for an unrelated third party to damage them?
The same as the fact that I did not lock my door does not allow anyone to rob my home, that I did not replace my fire detector batteries is no excuse for anyone to set it alight, etc.
To me, good security starts by catching this guy and, if he has done the damage he claims he has, then making him pay for it.
Only when one has been held accountable for what he has done should we go after companies for negligence, no?
"I discovered this security hole then proceeded to exploit it and damage some random system/workflow for the sake of demonstration" should not be acceptable.
> The same as the fact that I did not lock my door does not allow anyone to rob my home, that I did not replace my fire detector batteries is no excuse for anyone to set it alight, etc.
First, let's fix your analogy:
If you don't lock your door, this is generally not an issue for the general public, i.e. it doesn't impact anyone else negatively, just you in case you get robbed.
A better analogy for this case here would be that you leave your door unlocked every day on purpose AND have a huge arsenal of guns, rifles, etc. right in your entrance room, all loaded up ready to be used.
If I encountered that, the least I'd do is call the cops; the only problem here is that if I call the police telling them my neighbor Bob is running an insecure IoT device that can be used for DDoS attacks against anyone on this planet, they won't do shit. So if the police told me they don't care about your publicly accessible arsenal of weaponry, then yes, I think it would be a good idea to try and prevent anyone from accessing it.
> Only when one has been held accountable for what he has done should we go after companies for negligence, no?
That would mean we shouldn't punish anyone for putting individual people or the general public in danger unless something bad actually happens. This is not true in other areas either; there are a lot of things you can get fined/arrested for that don't actually hurt anyone but just have the potential to.
> "I discovered this security hole then proceeded to exploit it and damage some random system/workflow for the sake of demonstration" should not be acceptable.
My take on this: "I discovered this security hole that others were exploiting to DDoS other parties on the Internet, so I proceeded to exploit it too and damage some random system/workflow to prevent this abuse from continuing."
OK, my analogy was not great, but yours is also a bit exaggerated I think, for two reasons:
Firstly, an IoT device is not obviously a weapon, and secondly, not only compromised devices were targeted; arguably not an easy task, since once it's compromised it is likely to be "locked".
Still, I want to reiterate that the society I want to live in is not one where we are protected by perfect bulletproof fences but one where vandalism is not a cause of fame.
I don't have a final opinion of who's right in this debate, but I can come up with a counter-argument.
Your "lock my door" analogy is not complete. Imagine if you not only don't lock your door, but also abandon your home, so criminals squat in there - and they end up terrorizing the whole neighborhood. Wouldn't it be logical for the police to at least barricade the place somehow? Maybe even fill the doors and windows with cement, or take other measures to prevent squatting.
It would still make it unusable for you, and you'd have to renovate if you ever return - but many would argue that it's a reasonable way of preventing the damage to the whole community around you.
I want to add that I am not sure yet what my position on this is. But I think your analogy is not correct - and please feel free to correct me if I am wrong!
Imagine the following scenario:
Manufacturers sell weapons cabinets to people. Only these weapons cabinets are not hidden in your home; instead they are put out on the street. And now comes the dangerous part: these weapons cabinets do not lock. Because the manufacturer decided that locks are not necessary.
If someone comes along, should he just ignore this or should he make the weapons unusable?
Because that is what these devices will be used as: weapons.
I think a big problem here is that people are discussing points like "manufacturers should be blamed/fined" or "the owners of the devices should be responsible", etc., but no one is addressing what seems to be the real issue: most owners of these devices don't understand them enough to actually know these issues potentially exist.
In your analogy, I would say it's not that people are leaving these weapons cabinets on the street unlocked, but that they don't know it's possible to lock or hide them.
Another good example would be cars. If you went to the showroom and someone showed you two cars, one with no locks on the doors that was easy to start without the keys, and one that had proper security, the choice would be easy and you could understand what you're seeing.
If you go to a shop and someone shows you two IoT devices that do the same thing and look identical, you can't really see anything that helps you learn about the security features. And as an average person, if you're told one has certain "tech speak" security words you don't understand, are you really going to make the choice to spend more money to protect against something you don't fully understand, and that you don't see any effect from?
Yes, manufacturers should be made to release products that are secure and respond to security issues in a timely manner, but we also need to educate people that computers aren't some magical box beyond their understanding. Blaming owners in these cases would, I think, make the issue worse.
If you consider that the majority of people who have the internet get their ISP to set up their router, and only have a basic understanding of what that device does, how can we expect people to understand what the potential issues of open ports or vulnerable firmware are? And then could these people even be educated to the level we would need for them to be responsible for securing their own devices?
Forgetting to lock the house or letting the batteries in the detector run out is an accident. Not providing secure and up-to-date firmware for devices which are known to be easy targets is a company policy, which comes out of incentives (the cost of security is huge compared to the cost of a breach to IoT manufacturers). While we cannot/should not legislate against accidents, we sure can and must legislate against harmful policies. Shifting blame from companies to hackers simply is not as productive as making companies responsible for the quality of their product.
Your unlocked door affects only you; buggy IoT devices affected thousands of devices and networks.
It's more like discovering a remote-controlled car can be hacked and allow terrorists to drive it into crowds of people, and you have an option to brick such cars. I'd brick them all.