Slashdot Mirror


Why Companies Knowingly Ship Insecure Devices

wiredmikey writes "A recent survey which included responses from 800 engineers and developers that work on embedded devices revealed that 24% of respondents knew of security problems in their company's products that had not been disclosed to the public before the devices were shipped. But just what that means in terms of attitudes towards security may be more complex than it seems. Additionally, just 41% said their company has 'allocated sufficient time and money to secure' its device products against hacks and attacks. Despite this, 64 percent felt that when engineers call attention to potential security problems, 'those problems are addressed before the device is released.' So, what exactly does this illustrate about the state of security in the development process? The answer, some say, is a jumbled collage of business pressures, bug prioritization and varying attention to security."

6 of 123 comments

  1. Not important enough by Anrego · Score: 4, Informative

    Security isn’t important enough or visible enough to the end user, and insecurity doesn’t cost companies enough money.

    If company A spends $100,020 extra on securing their product, whereas company B spends $1,020 extra .. and neither product “gets hacked” .. there is no perceived value increase. If company A has to sell their product at a higher cost .. most consumers will go with company B’s product.. _even if_ company A can somehow demonstrate that their product is more secure (and aside from a clean track record, this is hard).

    If Company B’s product gets hacked, 99% of users don’t know or don’t care.. and company A gets exactly 3 new customers (always 3.. regardless of scale) who are concerned with company B’s security track record and assume company A makes a more secure product.

    More importantly, if legislation went through saying that companies were liable for insecurity and the damage that is caused, everything would triple in cost and the masses will piss soup in rage.

    1. Re:Not important enough by shadowfaxcrx · Score: 2

      Done in 1. (I don't count the troll above you)

      Start fining the hell out of companies for knowingly exposing their customers to risk (any risk, whether security or e-coli) and companies will clean up their acts.

      Yes, regulating companies makes (sometimes) the end product cost more. That was true when airlines were regulated. We also didn't have incidents like ValuJet when airlines were regulated. Safety/security costs more up front, but costs less in the long term.

      --
      "I disagree with you" does not equal "flamebait."
    2. Re:Not important enough by 0123456 · Score: 2

      Start fining the hell out of companies for knowingly exposing their customers to risk (any risk, whether security or e-coli) and companies will clean up their acts.

      No, they'll stop making stuff because unlimited liability for 'any risk' is simply insane. If they can't get insurance then there'd be no point being in business if you could be bankrupted at any time (e.g. Joe Loser sues Dell for selling a PC with Windows installed, which clearly exposes them to serious risks).

    3. Re:Not important enough by Runaway1956 · Score: 2

      Open source is distributed for free, as-is, with no warranty, and plenty of disclaimers that the product may not be suitable for your purposes, or any other purposes.

      Unlike the other side of the road, where the code is a closely held secret, you pay for the privilege of using it, and there are generally at least implied warranties that the product is fit for consumer use.

      In short - if the company is willing to rape the consumer for huge profits, while supplying shoddy products, then they DESERVE to be sued. Open source, not so much. "Yeah, you can mess with my code, if you like, but be warned, it's a mishmash of ideas that may or may not work, so you're on your own. Call me if you have problems, and MAYBE we can work things out!"

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    4. Re:Not important enough by Hadlock · Score: 2

      Yep. Your job as a product manager is to
       
      1. Ship the product
      2. Ship the product on time and
      3. Do it under budget
       
      Pick any two. #1 is not optional. As long as conditions 1 and 2 or 3 are met you get to keep your job, and possibly a project completion bonus (if you're lucky). As long as security flaws aren't getting in the way of two of those three objectives, you can ignore them and patch them in a later firmware/software update.
       
      Complaining to your manager that you need to delay the product and that you're going to have to exceed your budget to address security concerns that a junior engineer mentioned in a memo is probably not going to net you that fully paid team building exercise that involves playing golf in the Cayman Islands for a week next month. The fact that you blew your project over something like "security" isn't helping matters with the wife; that $3000 bonus you decided to eschew in favor of security isn't helping pay for the pair of diamond earrings, the new 47" plasma TV, new PS3 for junior who made a 3.8 last semester, or the 15th wedding anniversary trip to Hawaii.

      --
      moox. for a new generation.
  2. Re:Only Apple does security by Hognoxious · Score: 2

    Hmm, can't tell if trolling or just stupid.

    The choices are not mutually exclusive.

    Yes they are.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."