
> Electrical components, for example, aren't made safe by liability but by standards.

The NFPA and NEC were created by insurance companies; the standards exist because of the liability. UL stands for Underwriters Laboratory, underwriters being the people who write insurance policies (to transfer risk, aka liability).



Insurers of the properties that were burnt down, not the tort liability of the manufacturers of the electronics that caught on fire.


> to transfer risk aka liability

I.e., just liability isn't sufficient. Regulations were created to avoid a situation of liability because "raw liability" doesn't work.

The thing is, electrical regulations are not regulations merely on manufacturers; indeed, they only require particular, simple components. They are mainly for the users of electrical components: builders and the electricians they employ.

The constant whine here at HN is that software companies are held liable for their insecure applications. The problem is that the security isn't primarily about buying secure components. It's about having secure practices in place.

For "critical infrastructure", things like "don't connect shit that doesn't need connecting" and "build from source, don't download anonymous binary blobs" are standards that should be on the end-user, just for example.


Why do you believe component and product quality and liability doesn’t involve ongoing manufacturing process best practices and recalls?

IoT and software isn’t special. It’s just getting a free pass because the vendors and solution providers want to dodge the responsibility for as long as they can.

To everyone else’s detriment.


> Why do you believe component and product quality and liability doesn’t involve ongoing manufacturing process best practices and recalls?

-- Maybe I'm not saying it well. But my point is that until someone defines an overall use context, calling a given thing "unsafe" is futile. In an intranet not connected to the outside, an IP camera with no security at all is fine.

Without "customer classes" defined, without security use cases defined, and so forth, of course manufacturers will produce anything they want, and why shouldn't they? The implicit standards of security now are the wild, wild west.

The original situation is IP cameras and other devices sold with pathetic security. Sure, it seems intuitively obvious that "these people were doing it wrong and ought to pay". But you can't really do that, because there are reasonable situations where these devices are reasonable.

I.e., manufacturer responsibility can't exist, can't be pinned down, until standards exist.



