One Article Review

Source: Errata Security
Identifier: 286648
Publication date: 2017-01-06 01:48:02 (seen: 2017-01-06 01:48:02)
Title: Notes about the FTC action against D-Link
Text: Today, the FTC filed a lawsuit against D-Link for security problems, such as backdoor passwords. I thought I'd write up some notes.

The suit is not "product liability", but "unfair and deceptive" business practices for promising "security". In addition, they interpret "security" differently from the cybersecurity community.

This needs to be stressed because right now in our industry there is a big discussion of product liability, insisting that everything attached to the Internet needs to be secured. People will therefore assume the FTC action is based on "liability".

Instead, all six counts are based upon the fact that D-Link offers its products for securing networks, and claims they are secure. Because the products have backdoor passwords, clear-text passwords, command-injection bugs, and publicly exposed private keys, the FTC feels the claims of security to be untrue.

The key point I'm trying to make is that D-Link can resolve the suit (in theory) by simply removing all claims of "security". Sure, it can claim it supports stateful-inspection firewalls and WPA2, but not things like "WPA2 security". (Sure, the FTC may come back with a new lawsuit, but it would solve the points raised in this one.)

On the other hand, while "deception" is the law the FTC uses, their obvious real intent is to improve security. They intend for D-Link to remove its security weaknesses, not to change its claims. The lawsuit is also intended to scare all IoT makers into securing their products, not to remove claims of security.

We see this intent in other posts on the FTC website. They've long been talking about IoT security. Recently, they announced a contest giving out $25,000 to the best solution for patching out-of-date IoT devices [*]. It's a silly contest, but it shows what their real intent is.

Thus, the language of the lawsuit is very much about improving security, while the actual counts are about unfair/deceptive practices.

This is unfair for a number of reasons.

Among their claims is that D-Link lied to its customers by saying "you need to change the default password to secure the device", because the device still had a command-injection bug. That's a shocking departure from common sense. We in the cybersecurity community repeatedly advise people to change passwords to make devices more secure, ignoring any other insecurity that might exist. It means I'm just as deceptive as D-Link is.

The FTC's action is a clear violation of "due process". They didn't create, ahead of time, a standard listing the bugs that would make a product "insecure", but instead arbitrarily punished D-Link for not meeting an unknown standard of "secure". They never published a document saying "you can't advertise your product as being 'secure' if it contains this list of problems".

More to the point, their idea of "secure" is at odds with the cybersecurity community's. We would indeed describe WPA2 as secure, regardless of some other feature of the device that makes it insecure. Most IoT devices are intended to be used behind a firewall anyway, so the only attack surface is the WiFi network. In such cases, the device can have backdoor passwords up the ying-yang, and we in the cybersecurity community will still call it "secure".

This is important because no product will ever be perfectly secure. Ten years from now, hackers will still dis


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier article.