Consumer Reports To Consider Cyber Security in Product Reviews (reuters.com)
Consumer Reports, an influential U.S. non-profit group that conducts extensive reviews of electronic products, cars, kitchen appliances and other goods, is gearing up to start considering cyber security and privacy safeguards when scoring products. From a report: The group, which issues scores that rank products it reviews, said on Monday it had collaborated with several outside organizations to develop methodologies for studying how easily a product can be hacked and how well customer data is secured. Consumer Reports will gradually implement the new methodologies, starting with test projects that evaluate small numbers of products, Maria Rerecich, the organization's director of electronics testing, said in a phone interview. "This is a complicated area. There is going to be a lot of refinement to get this right," Rerecich said. The effort follows a surge in cyber attacks leveraging easy-to-exploit vulnerabilities in webcams, routers, digital video recorders and other connected devices, which are sometimes collectively referred to as the internet of things.
...and really, most products should get terrible marks to start with.
This is in many ways what IIHS did, that compelled the auto industry to make ever safer cars. The NHTSA crash testing is so hobbled by laws designed to make it ineffective that it took the insurance companies, tired of paying out claims for AD&D, to embarrass car makers into making safer cars.
I have a feeling that if Consumer Reports isn't successful, increasing payouts by insurance companies when breaches occur might be.
Do not look into laser with remaining eye.
This is great. I've been promoting the idea that independent test labs such as UL, or standards such as the CE mark, should include product security as well. Having consumer ratings include them could significantly increase awareness of security. We, as technologists and consumers, really need to hit hard against companies selling inherently insecure products. With the rise of botnets, insecure products are no longer just a threat to our own networks, but to national security as well.
I applaud the effort, but are they really qualified to be doing this, or are they going to limit it to basic "best practices?" I can see picking up that there is an open port, but backdoor accounts, phoning home, etc are equally important.
There's a difference between not caring and not being informed. Most people do not know what the risks are. When someone can hack your thermostat, you are going to care!
When someone can hack your thermostat, you are going to care!
When somebody hacks your thermostat, you are (probably) going to care. Nobody gives a rat's ass until the consequences are tangible.
He's getting rather old, but he's a good mouse.
One of the first things I thought of when I read this is how would they rate a Windows 10 PC, Mac or a Chromebook? What about a smartphone or tablet? Even many PCs with Linux already installed would be suspect with different packages that come with the system.
It's great that they'll rate connected appliances, cars and streaming boxes, but that's leaving out the classes of devices which are the biggest risk to consumers' data - the systems they handle almost literally 24 hours a day.
Ironically, CR doing this is a great way of making the great unwashed more aware and concerned about their cyber-security.
And that's assuming that they change the settings. If somebody hacks your thermostat, leaves the settings alone, and uses it as part of a DDOS attack, there will still likely be zero cares given.
-gnick
nice stereotype there.
Anonymous Cowards are all trolls living in their mom's basement.
If you're scared of your govt then you need to further restrict its powers
Vote 3rd Party in 2016 and beyond
Say "cyber" one more time...
If someone hacks it to make it rise 1 degree a week, it'll be a minor annoyance. If they set it to +100 for 20 seconds then -100 for 20 seconds (or 2 ms each), alternating until your system catches fire and burns down your house, you'll care.
Learn to love Alaska
manufacturers to consider cyber security and privacy we'll be good to go.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
I live where water freezes at outside temperatures and I very definitely care if someone can hack my thermostat. Having the pipes all freeze while away for a few days is an insurance claim.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
I guess I was too general when I said "nobody gives a rat's ass". I should have said, "A typical user will not give a rat's ass until after there are tangible consequences." Unless there were widespread reports of systems being hacked and damage being done, most users will not bother to secure anything nor care about how easy they are to hack.
So, nobody will give a rat's ass until they hear about it on the news? That's a much lower standard, because if 3 non-typical users are hacked, and make a big stink, it may end up on the news before any typical users are even hacked.
Same standard - I may have phrased things badly. When I said "tangible consequences," I didn't mean necessarily directly to the user. Just evidence that there have, indeed, been consequences. Right now, nobody's successfully blamed a fire or freeze on hackers to my knowledge, so "nobody's" doing anything to secure against it.
Consumer Reports has shown REPEATEDLY that they don't know shit about computing, and I'd bet they don't know shit about cyber security either.
Their articles will contain shit like "use complex passwords", "use an anti-virus program", and "don't click on pop-up ads".
Fucking ninnies. They're good at hardware testing (usually) for cars and appliances, but in the realm of computing they've proved to be dunderheads more times than I can count. Plus, computing is a moving target - the shit they test or advise on will be obsolete before the magazine gets to your mailbox.
Just cruising through this digital world at 33 1/3 rpm...
A copy of the two job descriptions:
https://jobs-consumers.icims.com/jobs/2778/product-testing---cybersecurity/job?mode=job&iis=Indeed&iisn=Indeed.com&mobile=false&width=1170&height=500&bga=true&needsRedirect=false&jan1offset=-300&jun1offset=-240
And also an Intern position in IS:
https://jobs-consumers.icims.com/jobs/2786/2017-summer-intern%2c-information-security/job?mode=job&iis=Indeed&iisn=Indeed.com
Key Responsibilities:
Within Privacy, manages complex programs, ensuring appropriate planning, coordination and oversight of test projects related to data privacy and internet security while monitoring timelines and costs.
Oversees, and approves elements of assigned programs from inception to completion. Responsible for program tactics, proposal development, product testing design, assessment of product and service evaluation methodologies, evaluation of outcomes and ratings as well as documenting reports of results.
Ensures that data meet established standards for accuracy, repeatability, reproducibility, and dependability.
Keeps abreast of industry testing standards and market trends, evaluating and providing recommendations to improve existing testing procedures.
Develops and maintains ratings and model descriptions based on product evaluations.
Reviews content to ensure the information is technically accurate, defensible, and current.
Ensures a holistic view of consumer needs is developed, understood and central to the product and services evaluation programs.
Develops, maintains relationships and coordinates activities with internal and external experts in related fields. Determines how best to utilize relevant internal and external resources.
Identifies and contracts with appropriate external resources to complete projects as necessary. Responsible for the Request for Proposal (RFP) process to engage resources and negotiates details of various vendor contracts and deliverables. Monitors and tracks work of external vendors to ensure strict adherence to negotiated contracts and protocols.
Partners with Content Development staff to ensure technical accuracy.
Drafts test protocols including identifying, updating and iterating methodologies as necessary.
Oversees the work of assigned project staff; scheduling and monitoring work. Trains and coaches project staff, providing feedback on performance as needed.
Coordinates with functional manager to enable appropriate availability of resources.
Performs other related duties as necessary.
Maybe they should start doing ratings on cyber security?
As if fire damage wasn't bad enough. I totally forgot about water damage! Easily done in cold weather by hacking the thermostat to minimum for a few days then putting it on max the next.
But around 2008 they switched to pay-for-ratings, and it was VERY OBVIOUS. Models that one month were rated at the bottom of the list started showing up at the top of the list. Also, you can see models that have very public recorded issues still show up at the top of the list.
Sorry, but CR is no longer a reliable source for honest, unbiased reviews of products.