FTC Forces Asus To Improve Router Security (helpnetsecurity.com)
An anonymous reader writes: The FTC is actively trying to make sure that companies secure the software and devices that they provide to consumers, and a settlement with Taiwan-based hardware maker ASUSTeK Computer is one step towards that goal. The complaint was raised after well-meaning hackers exploited a weakness on Asus routers and left a note on victims' drives notifying them of the matter. Later, a researcher discovered an exploit campaign that abused vulnerabilities to change vulnerable routers' DNS servers. According to the settlement, the company will have to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.
We don't want caveat emptor for this shit, we want companies who are accountable for the security of the products they make.
Do you want to live in a world where security boils down to "too bad, suckers"?
This bullshit of caveat emptor is why we have such shit security on the web in the first place.
More companies need to get their knuckles rapped and have penalties when they do an incompetent job at securing such stuff.
Lost at C:>. Found at C.
OK, is Microsoft next?
I was about to post the exact same thing. I'm glad the foreign company was censured for its bad security practices, but when does our home-grown American company get the same?
Did anyone else read the headline as:
FTC Forces Anus To Improve Router Security
?
"FTC has hand in Asus plugging hole in exploited router firmware." Better?
While we are at it, let's make seatbelts and airbags manufacturer-optional as well. Oh, and no oversight of drug and vaccine manufacturers.
Lead paint and toxic chemicals in your kids' toys? Caveat emptor, mother fucker, you should have known. Go check all the factories for all the parts in their toys and make an informed decision.
Oh, the chemical waste dump in your backyard? Caveat emptor again... you should never have invited that company into town.
There is no question that regulations can overreach. There is no question that they introduce bureaucracy and potential for corruption and graft. On the whole though we are better for many of them.
Silence is a state of mime.
Caveat Emptor is limited by sanity in areas where the state of the art is well beyond what you could reasonably expect the average consumer to know or be able to appraise for themselves.
Car analogy: It's unlikely that most readers could look at a vehicle they desire to purchase and determine whether its brakes work properly or are likely to fail under normal driving conditions, whether its airbag might be badly designed and not deploy (or deploy at inappropriate times), etc. So we trust government regulators to establish certain minimal safety standards and enforce car manufacturers' compliance with them.
Many readers here might be able to evaluate a router we have in our hands for obvious security issues. Few of our parents or grandparents could do so. Likewise, none of us could evaluate such things before purchase for a device we've never powered on. Given the importance and ubiquity of consumer network routers, it seems reasonable to hold manufacturers to a higher standard than, "Oops... Sorry we left your entire home network open to the Internet and anyone driving by. Here's a patch (maybe)."
I've generally preferred Asus routers to its peers for quite some time. They've been great with providing firmware updates four years after release (d-link, I'm looking at you), doing simultaneous dual-band as advertised (netgear, I'm looking at you), their firmware is responsive and generally very stable (Belkin, I'm looking at you). Their mid-range units support multi-wan and make excellent print servers, and they've been very supportive of the modding community - most of their gear supports merlin, padavan, ddwrt, openwrt, and tomato, and their recovery mode is near-brickproof.
Yes, it's obnoxious that they had security issues, and yes, I replaced my N56U with a Linksys EA6900 (and regretted it until Tomato was installed), but they're definitely better than most in my experience.
More to the topic, I wonder if this will yield some case precedent for these requirements industry wide. I can dream...
Caveat Emptor is fine with things that a consumer should be reasonably expected to notice or be aware of, and/or that aren't inherently life threatening. If I buy used furniture on eBay or Craigslist, I should know that I'm taking a risk. On the other hand, things like tainted food? Yes, I want the government regulating that. What about things like lead paint on children's toys? I sure wouldn't be able to tell the difference at a glance, so yes, absolutely.
Things like computer security? I don't expect that the government is necessarily going to be the one testing everything, but I'm perfectly happy with the government instituting penalties for companies that sell a supposedly "secure" product that turns out to be complete bullsh*t full of more holes than swiss cheese, because penalties are pretty much the only thing that's going to really get companies to take things seriously, at least in the SOHO market.
Apple, you have TOO MUCH security!
ASUS, you have TOO LITTLE security!
Make up your friggin' mind, Uncle Sam... Security is either good for everyone, or bad.
Microsoft actively patches their software. Perhaps we should look at penalties for the glibc devs though.
You are tragically misinformed. glibc has been patched. On the other hand, MS has decided not to support Windows Vista in its totality up to its contractual EOL date.
All the while the FCC and the EU are working on preventing users from protecting themselves by modifying the routers' firmware:
http://tech.slashdot.org/story...
> We don't want caveat emptor for this shit, we want companies who are accountable for the security of the products they make.
> Do you want to live in a world where security boils down to "too bad, suckers"?
> This bullshit of caveat emptor is why we have such shit security on the web in the first place.
> More companies need to get their knuckles rapped and have penalties when they do an incompetent job at securing such stuff.
OK, if "Caveat Emptor" is an unacceptable solution for routers, what about phones? Verizon is notoriously slow at getting modern updates to its customers. Operating systems? Other IoT devices like lightbulbs and their respective controllers? Other software that's not completely self-contained/network-unaware?
Are we going to lease hardware from everyone just to make sure we're all secure, so that the manufacturer will patch it for us, at least until they want to sell a newer model?
If we aren't going to lease hardware from everyone, does said hardware have to go away because we can't patch it (FTC rules say "no third party firmware on routers") and are we expected to replace something that works otherwise?
Is modern life so arcane and difficult that an average person can't have a remote possibility of actually being secure?
The middle ground has been "Caveat Emptor". While it's not great, I don't know that there is a good solution that doesn't drive up the price of a commodity device/product to "investment".
> We don't want caveat emptor for this shit, we want companies who are accountable for the security of the products they make.
> Do you want to live in a world where security boils down to "too bad, suckers"?
Sounds like North America. Coming from the UK to North America is a bit of a shock from a consumer protection point of view. In the UK a product must be, among other things, fit for the specific purpose it was bought for. So if I go to a shop and pick up some widget and ask the shop person "Can I use this widget for this specific job (explaining the purpose)?" and he says "Yes," and I buy it and find that it doesn't work for that specific job, then I get to go back and get a refund. No bullshitting me with "You can buy another thing from our shop and we'll give you credit"; an actual REFUND. That's just one example.
You have to be SO careful shopping in North America. It's totally a 'caveat emptor' kind of place.
In the free world the media isn't government run; the government is media run.
> OK, is Microsoft next?
> I was about to post the exact same thing. I'm glad the foreign company was censured for its bad security practices, but when does our home-grown American company get the same?
This hasn't been true of MS for some time. They are actually pretty good now.
This post is about to be modded to oblivion as a troll, but I'll say it anyway. Last year OSX and iOS each had more security vulnerabilities than any Microsoft product. They had more vulnerabilities than FLASH.
(Yes, on /. a factual statement is a troll if it casts Apple in a bad light)