Consumer Reports To Consider Cyber Security in Product Reviews (reuters.com)
Consumer Reports, an influential U.S. non-profit group that conducts extensive reviews of electronic products, cars, kitchen appliances and other goods, is gearing up to start considering cyber security and privacy safeguards when scoring products. From a report: The group, which issues scores that rank products it reviews, said on Monday it had collaborated with several outside organizations to develop methodologies for studying how easily a product can be hacked and how well customer data is secured. Consumer Reports will gradually implement the new methodologies, starting with test projects that evaluate small numbers of products, Maria Rerecich, the organization's director of electronics testing, said in a phone interview. "This is a complicated area. There is going to be a lot of refinement to get this right," Rerecich said. The effort follows a surge in cyber attacks leveraging easy-to-exploit vulnerabilities in webcams, routers, digital video recorders and other connected devices, which are sometimes collectively referred to as the internet of things.
...and really, most products should get terrible marks to start with.
This is in many ways what IIHS did, that compelled the auto industry to make ever safer cars. The NHTSA crash testing is so hobbled by laws designed to make it ineffective that it took the insurance companies, tired of paying out claims for AD&D, to embarrass car makers into making safer cars.
I have a feeling that if Consumer Reports isn't successful, increasing payouts by insurance companies when breaches occur might be.
The fact is, people don't care, and can't be bothered to care until the machines rise up and terminate us all.
This is great. I've been promoting the idea that independent test labs such as UL, or standards such as the CE mark, should include product security as well. Having consumer ratings include them could significantly increase awareness of security. We, as technologists and consumers, really need to hit hard against companies selling inherently insecure products. With the rise of botnets, insecure products are no longer just a threat to our own networks, but to national security as well.
I applaud the effort, but are they really qualified to be doing this, or are they going to limit it to basic "best practices?" I can see picking up that there is an open port, but backdoor accounts, phoning home, etc are equally important.
It's a nice concept, but Americans are too cheap to bother with security.
"Oh lookie, this one is insecure, but $5 cheaper. I'll buy the cheap Chinese garbage and then I'll have an extra five-spot to spend on today's supersized lunch."
One of the first things I thought of when I read this is how would they rate a Windows 10 PC, Mac or a Chromebook? What about a smartphone or tablet? Even many PCs with Linux already installed would be suspect with different packages that come with the system.
It's great that they'll rate connected appliances, cars and streaming boxes but that's leaving out the classes of devices which are the biggest risk to consumers data - the systems they handle almost literally 24 hours a day.
Ironically, CR doing this is a great way of making the great unwashed more aware and concerned about their cyber-security.
...that manages to give the VW Golf and VW Jetta distinctly different ratings for what is effectively the same car.
Say "cyber" one more time...
manufacturers to consider cyber security and privacy we'll be good to go.
I mean, rampant incompetence of course matters. However you qualified that with '...are they going to limit it to basic "best practices?" '.
And if they can do just that, already it's a major win. Let's face it, most of these IoT devices suck, they Absolutely Suck Big Time when it comes to security. They don't even measure up to basic best practices.
If we could get conformance just to that, basic best practices, then the entire IoT field might have a chance. Without that IoT is going to faceplant big time on the reality of malware, bad actors and hacking on the Internet by LOLs, Lu2ers and Haxors.
Consumer Reports has shown REPEATEDLY that they don't know shit about computing, and I'd bet they don't know shit about cyber security either.
Their articles will contain shit like "use complex passwords", "use an anti-virus program", and "don't click on pop-up ads".
Fucking ninnies. They're good at hardware testing (usually) for cars and appliances but in the realm of computing they've proved to be dunderheads more times than I can count. Plus, computing is a moving target- the shit they test or advise on will be obsolete before the magazine gets to your mailbox.
A copy of the two job descriptions:
https://jobs-consumers.icims.com/jobs/2778/product-testing---cybersecurity/job?mode=job&iis=Indeed&iisn=Indeed.com&mobile=false&width=1170&height=500&bga=true&needsRedirect=false&jan1offset=-300&jun1offset=-240
And also an Intern position in IS:
https://jobs-consumers.icims.com/jobs/2786/2017-summer-intern%2c-information-security/job?mode=job&iis=Indeed&iisn=Indeed.com
Key Responsibilities:
Within Privacy, manages complex programs, ensuring appropriate planning, coordination and oversight of test projects related to data privacy and internet security while monitoring timelines and costs.
Oversees, and approves elements of assigned programs from inception to completion. Responsible for program tactics, proposal development, product testing design, assessment of product and service evaluation methodologies, evaluation of outcomes and ratings as well as documenting reports of results.
Ensures that data meet established standards for accuracy, repeatability, reproducibility, and dependability.
Keeps abreast of industry testing standards and market trends, evaluating and providing recommendations to improve existing testing procedures.
Develops and maintains ratings and model descriptions based on product evaluations.
Reviews content to ensure the information is technically accurate, defensible, and current.
Ensures a holistic view of consumer needs is developed, understood and central to the product and services evaluation programs.
Develops, maintains relationships and coordinates activities with internal and external experts in related fields. Determines how best to utilize relevant internal and external resources.
Identifies and contracts with appropriate external resources to complete projects as necessary. Responsible for the Request for Proposal (RFP) process to engage resources and negotiates details of various vendor contracts and deliverables. Monitors and tracks work of external vendors to ensure strict adherence to negotiated contracts and protocols.
Partners with Content Development staff to ensure technical accuracy.
Drafts test protocols including identifying, updating and iterating methodologies as necessary.
Oversees the work of assigned project staff; scheduling and monitoring work. Trains and coaches project staff, providing feedback on performance as needed.
Coordinates with functional manager to enable appropriate availability of resources.
Performs other related duties as necessary.
Maybe they should start doing ratings on cyber security?
But around 2008 they switched to pay-for-ratings and it was VERY OBVIOUS. Models that one month rated at the bottom of the list started showing up at the top of the list. Also, you can see models that have very public recorded issues still show up at the top of the list.
Sorry, but CR is no longer a reliable source for honest, non-biased reviews of products.
Demand EOL Dates!
I don't plan to buy any google hardware again, because that company and I have very different ideas about when End of Life happens.
Should a $650 device EOL be 3 yrs? NO! 10 yrs is more like it.
To combat my issues with this in all electronics, if it doesn't run a user-installable version of an OS that is freely available and actively maintained, I don't want it. Basically, that comes down to either Linux or BSD. This mainly applies to:
* routers
* smartphones
* tiny IoT devices
* Video players
* Computers
If the vendor makes it hard to put in a F/LOSS OS, I don't want it. Been burned a few times. It is the only way that I know to get reasonable value for my money.
Don't know what non-technical people are to do. I have enough issues of my own.
All that I want from Consumer Reports is their statistical data. I've never had much respect for their opinion. They don't have the same priorities as I do. For example, my number one concern for a car is reliability. If the car's not reliable, then it's unacceptable. I don't care if it's got some new gimmick or even if it's fun to drive. First, it has to get me there. Then, we can consider fun.
Consumer Reports' approach to this massively complex problem has been a kluster-kludge from the get-go. Their first assumption (that all software systems written for IoT devices will be new) speaks to just how naive and ill-informed they really are.
An in-depth discussion (very well worth the read for anyone interested in cyber-security) of the issues with Consumer Reports' entry into ratings is available for free at the Certitude Digital website. From their main page on that site, go to the footer links at the bottom of the page and select the link labeled "Blog (from our CTO)". Near the top of the blog is an article entitled "Should Consumer Reports Set Cybersecurity Standards?" (https://certitudedigital.com/reference/public_docs/ShouldConsumerReportsSetTheRules/ShouldConsumerReportsSetTheRules.pdf)
Alternatively, you can go to F. Scott Deaver's LinkedIn page and look for the "Should Consumer Reports Set Cybersecurity Standards?" topic among his other articles (https://www.linkedin.com/pulse/should-consumer-reports-set-cybersecurity-standards-f-scott-deaver).