Slashdot Mirror


FTC Forces Asus To Improve Router Security (helpnetsecurity.com)

An anonymous reader writes: The FTC is actively trying to make sure that companies secure the software and devices that they provide to consumers, and a settlement with Taiwan-based hardware maker ASUSTeK Computer is one step towards that goal. The complaint was raised after well-meaning hackers exploited a weakness on Asus routers and left a note on victims' drives notifying them of the matter. Later, a researcher discovered an exploit campaign that abused vulnerabilities to change vulnerable routers' DNS servers. According to the settlement, the company will have to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

4 of 74 comments

  1. Re:Overreach much? by LichtSpektren · · Score: 4, Interesting

    OK, is Microsoft next?

    I was about to post the exact same thing. I'm glad the foreign company was censured for its bad security practices, but when does our home-grown American company get the same?

  2. Re:Overreach much? by Aaden42 · · Score: 4, Interesting

    Caveat Emptor is limited by sanity in areas where the state of the art is well beyond what you could reasonably expect the average consumer to know or be able to appraise for themselves.

    Car analogy: It's unlikely that most readers could look at a vehicle they desire to purchase and determine whether its brakes work properly or are likely to fail under normal driving conditions, whether its airbag might be badly designed and not deploy (or deploy at inappropriate times), etc. So we trust government regulators to establish certain minimal safety standards and enforce car manufacturers' compliance with them.

    Many readers here might be able to evaluate a router we have in our hands for obvious security issues. Few of our parents or grandparents could do so. Likewise, none of us could evaluate such things before purchase for a device we've never powered on. Given the importance and ubiquity of consumer network routers, it seems reasonable to hold manufacturers to a higher standard than, "Oops... Sorry we left your entire home network open to the Internet and anyone driving by. Here's a patch (maybe)."

  3. sadly, Asus is one of the better ones by Voyager529 · · Score: 4, Interesting

    I've generally preferred Asus routers to its peers for quite some time. They've been great with providing firmware updates four years after release (d-link, I'm looking at you), doing simultaneous dual-band as advertised (netgear, I'm looking at you), their firmware is responsive and generally very stable (Belkin, I'm looking at you). Their mid-range units support multi-wan and make excellent print servers, and they've been very supportive of the modding community - most of their gear supports merlin, padavan, ddwrt, openwrt, and tomato, and their recovery mode is near-brickproof.
    Yes, it's obnoxious that they had security issues, and yes, I replaced my N56U with a linksys ea6900 (and regretted it until tomato was installed), but they're definitely better than most in my experience.
    More to the topic, I wonder if this will yield some case precedent for these requirements industry wide. I can dream...

  4. Re:Overreach much? by LichtSpektren · · Score: 4, Interesting

    Microsoft actively patches their software. Perhaps we should look at penalties for the glibc devs though.

    You are tragically misinformed. glibc has been patched. On the other hand, MS has decided not to support Windows Vista in its totality up to its contractual EOL date.