Slashdot Mirror
Why Companies Knowingly Ship Insecure Devices
wiredmikey writes "A recent survey which included responses from 800 engineers and developers that work on embedded devices revealed that 24% of respondents knew of security problems in their company's products that had not been disclosed to the public before the devices were shipped. But just what that means in terms of attitudes towards security may be more complex than it seems. Additionally, just 41% said their company has 'allocated sufficient time and money to secure' its device products against hacks and attacks. Despite this, 64 percent felt that when engineers call attention to potential security problems, 'those problems are addressed before the device is released.' So, what exactly does this illustrate about the state of security in the development process? The answer, some say, is a jumbled collage of business pressures, bug prioritization and varying attention to security."
Security isn’t important enough or visible enough to the end user, and insecurity doesn’t cost companies enough money.
If company A spends 100,020 extra on securing their product, whereas company B spends $1,020 extra .. and neither product “gets hacked” .. there is no perceived value increase. If company A has to sell their product at a higher cost .. most consumers will go with company B’s product.. _even if_ company A can somehow demonstrate that their product is more secure (and aside from a clean track record, this is hard).
If Company B’s product gets hacked, 99% of users don’t know or don’t care.. and company A gets exactly 3 new customers (always 3.. regardless of scale) who are concerned with company B’s security track record and assume company A makes a more secure product.
More importantly, if legislation went through saying that companies were liable for insecurity and the damage that is caused, everything would triple in cost and the masses with piss soup in rage
Nah, the author and submitter made a valiant attempt but the real reason is that we are "satisfied" to just release stuff and let the general public be un/underpaid debug labor.
If all that debug was properly full-costed these companies would lose years of profits.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Hmm cant tell if trolling or just stupid.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Engineers are saying their products are being rushed to market, and that they're not being given enough time to come out with a perfect product?
What's the world coming to?
Next thing you'll be seeing teachers complain about being underpaid and under-appreciated and the president saying that partisan bickering is preventing him from getting anything accomplished.
Just because it's true doesn't make it news.
Remember that sales people typically make percentages based on sales. You don't get that percentage until you ship. So you get a lot of pressure to deliver quickly. And you can't do security in a rush. Typically your engineering head will do a security assessment and sales will go over it (usually in a series of small hops and jumps) and then ship anyways, because that's how they get paid. They'll have engineering bang out patches later on. If anyone complains.
Bottom line is that engineers don't get to make these kinds of decisions usually.
Weaselmancer
rediculous.
This is pretty funny considering that all laptops are manufactured by the same company, including Apple's laptops. As for security, they just demonstrated a total kernel pwn for ios recently, so I'd be willing to go on record that all the companies suck at security. When it comes down to it, if you want to break into something you can find a way. These companies would get a lot farther if they realized that nothing is really secure and instead they decided to give people what they want out of the box instead of collectively dismissing our rights to purchase real property.
The dangers of knowledge trigger emotional distress in human beings.
GM engineers discovered a safety problem in a vehicle they were designing, and designed an extra part to fix it. But management decided to save $5 per vehicle and skip it. GM ended up getting their cabooses sued off for that decision after the legal "discovery" process found out about the intentional shortcut. They Jury handed them their ass.
Perhaps a similar situation has to happen with software in gizmos before companies "care".
Table-ized A.I.
Being manufactured by Foxconn does not mean that Foxconn does the hardware design and writes the bios and OS code too.
I hesitate to believe that the screwing, and and glueing that Foxconn does affects the security in any significant way.
there is a huge fucking difference inbetween "oops we left the programming interface exposed so some hacker can rewrite the firmware in his xbox controller" and "oops we just gave all your personal data to the Chinese, dont enter any credit cards"
And please drop this magic cloud of "embedded devices" just for the sake of clarity? Cause for fucks sake that could mean anything from the intellegent disk controllers in a C-64 to a ipad to a army rifle
Quite frankly, and in a nutshell: Why should a company spend time and money on securing a device if the customer does not honor it?
Take two companies, A and B. A spends engineering time on working out and ironing out all the security bugs and flaws, ending up with a more expensive product than company B who doesn't. Net result? Customer goes and buys the insecure product from company B.
Then there's that part where insecurity actually works in the customer's benefit. For reference, see DRM and how it gets circumvented ("softmodding" pretty much means "using a security bug to gain root access" nearly every time).
Companies will not spend time and money on securing a product if the customer does not care, or even prefers an insecure product. It's that simple.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Because its cheaper
Here's a refreshing WHOOSH for you!
Don't feel bad, judging by the modding so far, you're not the only one...
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
can be approached from a standard of practicality. Those of us who have spent time working in computing and technology will readily concede security as an illusion and that devices can and will always manifest some element of insecurity. The question the author is trying to ask i suspect is 'are manufacturers doing enough to ensure the security of their devices.'
harkening back to the days of manufacturing before the CPSC, Americans basked in the glory of such products as stainless steel lawn darts and carcinogenic drink additives. the common board game 'operation' was unquestionably fed from a 120 volt AC source. In short it took a federal regulatory agency to ensure customers were protected against the ruthless profiteering of conglomerates willing to drive their product, in the case of lawn darts quite literally, into their market without so much as a second thought.
I cant propose a government agency because these days even the most controversial items to be regulated, for example hydraulic fracturing, are met with "cautious optimism" and nothing less. Our relentless pursuit of the golden calf called the free market has made us incapable of asking questions like 'why does my favorite company ship something insecure?' Because there are no penalties on their part for the insecurity of their product, theres no incentive. Because customers are barely capable of understanding the products controls in most cases, let alone the repercussions of misuse, the customer is complacent. And thanks to hardworking patrio-tastic lobbyists and ideological politicians, no regulatory body on the planet can approach the manufacturer with anything less than 'cautious optimism.'
the solution is death. more customers with more insecure products must exist and a tipping point must be reached before a digital CPSC is created to ensure your internet-capable refridgerator cant be hacked to burn down your house, or your pacemaker doesnt allow a malevolent 14 year old to use it as a midi controlled device. You arent a lobbyist, and you hold no corporate or political power beyond "voting" and "buying" dis-respectively.
Good people go to bed earlier.
Most people here on Slashdot understand very well the "engineering" perspective of product development. We tend to believe that a better product will sell better and that, conversely, products that sell better are presumed to be better products.
MBAs know better. What they know is that marketing, public relations and public image/perception is far more critical to "success" than quality.
So is it any wonder that quality takes a back seat to marketing and releasing a product?
Acer, for one, would not find that funny at all. They seem to think they manufacture laptops also.
There are more than three laptop manufacturers, even if you limit yourself to mainstream brands.
deleting the extra space after periods so i can stay relevant, yeah.
Whoosh much?
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
MBAs know better. What they know is that marketing, public relations and public image/perception is far more critical to "success" than quality.
No, that's what they believe... and in the short term they're correct. In the long term, however, it's hard to keep selling people crap when they've had too many bad experiences with your earlier products.
Look at Sony, for example. My first two Sony camcorders lasted a decade each; in fact, I'm still using the DV camcorder I bought in 1996 because of the design flaw in the HD camera I bought in 2004 where if you remove the battery before the hardware has completely shut down it fries the logic board and costs more to fix than the camera is worth.
Suffice it to say, my next camcorder probably won't be Sony, no matter how good their marketing and PR may be.
At my company, we code in Java. Memory leaks never happen either.
"First they came for the slanderers and i said nothing."
And doesn't necessarily increase revenue. Besides that, in my history anyway, managers do not want to spend another $5k because a product is "More Secure". They would much rather put the $5k into a product with a dead-simple API than put it into some hypothetical circumstance which they have no direct experience with.
Security is one of those things you can only truly understand by getting burned by it.
Join the Slashcott! Feb 10 thru Feb 17!
> Hmm cant tell if trolling or just stupid.
The choices are not mutually exclusive. Think checkboxes, not option buttons.
Which?
(*) Trolling
(_) Stupid
Which?
[x] Trolling
[x] Stupid
I'll see your senator, and I'll raise you two judges.
Security is only one element of a quality product. Adding a new feature or improving ease can increase a products quality at the expense of security.
Good for you, Mr. Engineer. You display logic and wisdom that few people display.
For example, people continue to vote for Democrats and Republicans and completely exclude alternatives despite the fact that the two leading "brand names" continually fail them. And Sony's continued success despite their quality issues is an important indicator that you are an anomaly and not a mainstream consumer. Mainstream consumers keep buying Sony because they believe Sony is cool technology.
You are presuming they are always mutually exclusive. While it is often the case, it is not ALWAYS the case.
But you are right in that people tend to favor convenience at the expense of security for consumer products. However, this is best coupled with consumer ignorance because once they discover there is something about their product that makes them or their information vulnerable to attack, they won't care that it was so they could have a more convenient user experience. They will just be pissed off.... and then they will buy "version 2" of the same thing from the same company.
Do the devices have a low self-esteem?
Or do you mean UNSECURED?
Yes they are.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I don't buy from Sony either, for the same reasons. However, I seen more than enough people walking home with a sony product under their arm to realize most people really don't care enough to do their research before buying. Heck, look at all the PS3s being sold, and the rabid fanboy community that exists around it.
So now I just sit back and laugh when someone gets all indignant that their Sony product either failed or somehow abused the purchaser.
The more secure you make an embedded device or appliance against information leakage and harvesting-type vulnerabilities, the more likely it is to end up getting returned to stores by frustrated consumers who can't get it to work.
Just look at WPA-2 -- it's unquestionably more secure than WEP. It's also rarely used in public settings because statistically, it never fucking works. You can take any access point, and any device that supposedly supports WPA-2, and know beyond doubt that there's about a 50-50 chance it won't work on the first try, and only slightly better odds that it'll eventually work after an hour or more of work (likely victims include anything with Vista or newer, or an Android phone that hasn't been rooted & reflashed to AOSP or Cyanogen.
If you ask me if a product I've worked on is 'secure', my immediate thought is 'what is your criteria?'. There are 'degrees' of secure and the line where someone says 'it's secure' shifts according to whose making the call. Some may say they 'secured' their unattended installer data because they base64 encoded the administrator password (looking at you, microsoft). They would argue they did enough to protect from over the shoulder (visual exposure only, with no opportunity to transcribe it to paper). The attacker couldn't remember the base64 string long enough to put it into a base64 decode. In theory they could have taken it a step farther (like kickstart and autoyast for example), and stored the NTLMv2 hash in the file instead of password. More would say 'secure', but then some would say 'NTLMv2 hashes are trivially broken by rainbow table, so it's not appreciably better'. Let's say they even went so far as to redo their local account store to use something as well salted as modern /etc/shadow entries. Some would still say it's insecure because even with the cipher text pretty well protected against practical rainbow tables, GPUs can crunch through the problem space too quickly.
Then when faced with the continuum between 'wide open' and 'uselessly secure', there are tradeoffs. For example, ssh keys are widely used for convenience (and frequently can be fairly considered 'more' secure). When used for convenience, they are often stored without a passphrase. This means some will say it's less secure because they fear an offline attack or other attack that compromises the key. So you slap a passphrase on and have to type it everytime. You are back to the same level of inconvenience of password every time. ssh-agent mitigates this and things like gnome-keyring mitigate it further, but I'm sure some would call the 'attack surface' larger and therefore less secure somehow.
Some tasks can be rendered impossible by 'perfect' security. Like auto-deploy of new equipment being enabled by well-known default credentials being very convenient, but we all know how 'default credentials' can be considered very very bad if a piece of equipment is popular and installers are lazy.
XML is like violence. If it doesn't solve the problem, use more.
I have worked long and hard in my profession to get devs to fix security bugs. The reaction mostly falls in one of these categories:
1. I do not understand the issue (read, I am just copying code of the interwebs and have no clue about my job).
2. I understand the issue but we are under the gun to release the product.
3. I understand the issue but the vulnerability is theoretical (read, I don't understand anything about large scale production infrastructure)
Bottom-line: Unless a security big breaks functionality, a dev doesn't care.
Sorry to devs who care but after a decade of trying devs to release secure code, my opinion maybe a bit biased.
"Companies will not pack up and leave"
I respectfully disagree. Why are most air ambulance / life flight helicopters in the US manufactured by Eurocopter (French) and Agusta Westland (Anglo/Italian), rather than Bell (US) these days, even though there are a few Bell helicopter models that are CAMTS certified?
when was the last time you even saw an air ambulance that didn't use a ducted fan tail rotor, i.e. one that wasn't an EC-135 (Eurocopter)?
-- Terry
So what if my cell phone can access voicemail without a 15 character minimum password.
So what if my Wii or Xbox can let people chat with me.
So what if my GPS could theoretically be told to trick me into turning into a lake.
For 99% of of devices I buy, security "features" are an annoyance end user's don't want.
When I buy a post card - it's OK someone who theoretically intercepts the mail can read it. I understand that and won't write my credit card number on the back of it. The last thing I want is some legislation saying that postcards must be wrapped in tinfoil with a tamper-proof seal.
Same should be true for hardware.
They surveyed engineers. Engineers *never* think they have enough time or resources for a project.