Slashdot Mirror
Judge Kills FTC Lawsuit Against D-Link for Flimsy Security (dslreports.com)
Earlier this year, the Federal Trade Commission filed a complaint against network equipment vendor D-Link saying inadequate security in the company's wireless routers and internet cameras left consumers open to hackers and privacy violations. The FTC, in a complaint filed in the Northern District of California charged that "D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras." For its part, D-Link Systems said it "is aware of the complaint filed by the FTC." Fast forward nine months, a judge has dismissed the FTC's case, claiming that the FTC failed to provide enough specific examples of harm done to consumers, or specific instances when the routers in question were breached. From a report: "The FTC does not identify a single incident where a consumer's financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the [D-Link] devices," wrote the Judge. "The absence of any concrete facts makes it just as possible that [D-Link]'s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor."
Could be viewed as a failure on the FTCs part I guess, but does anyone have any examples of consumers being harmed by D_Link being cheap POS hardware with poor security?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
D-Link PR material consistently claimed the highest security standards.
Seems like they should have gone after them for fraud and false advertising, given the abysmal lack of security in the systems that were sold for the purpose of making networks secure.
Check your premises.
The government is never going to treat privacy as something important, much less protected or enforcible by law. And that makes sense: from a government PoV, privacy is a bad thing and we need laws to force there to be less of it. You and the government are never going to be on the same page, on this issue. Stop looking to the courts. They're The Peoples' prime adversary in this conflict.
That means security is up to you, not a vendor. Caveat emptor.
If you have no reason to believe the software has been inspected, then it's unsafe to use. If someone sells you hardware with pre-installed software instead of something that YOU first select (from many competing Free Software makers) or create yourself, and then you deploy, then that is a bad product and you shouldn't buy it.
Yes, this is hard to do. I don't know who sells a trustworthy wifi AP.
Since the Judge doesn't believe that the blatant existence of shitty default security can and often will lead to data breaches, I suggest we force the Judge to install the hardware inside every room of their personal home.
If the Judge thinks it's so fucking secure, then put your privacy where your ruling is.
The Judge made the right call. No evidence means no proof. No proof means they're innocent, even if they're guilty as hell.
There was plenty of evidence to show that the default security was absolute shit.
What was lacking here was common fucking sense that confirms when default security is absolute shit, data breaches are usually the end result.
Validation of that fact is likely strewn across decades of case law, so it was hiding about as well as an elephant herd in the room.
So now the legal standard is, "as long as no one ever got hurt, it's fine?" What if I build a cheap, shoddy bridge using unsafe practises? So long as it doesn't fall apart before the lawsuit, I'm not at fault? What a shitty country this is. I hope this gets appealed and overruled.
So.. You can now sue for negligence without having to prove any harm was actually done?
How on earth do you establish damages if you don't have evidence you where damaged in some way?
The judge did the right thing. The FTC dropped the ball and didn't have their ducks in a row. Sorry, go try again people...
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
I guess they just need to try again and hopefully find a judge that doesn't have his head completely up his a$$.
If D-Link had included statements that their products were secure, then the FTC would have probably had a stronger case. But because there was probably no security guarantee then no case. "Let the buyer beware."
There was plenty of evidence to show that the default security was absolute shit.
What was lacking here was common fucking sense that confirms when default security is absolute shit, data breaches are usually the end result.
Validation of that fact is likely strewn across decades of case law, so it was hiding about as well as an elephant herd in the room.
You and I see lots of evidence of poor security, but that is not the same thing as evidence of harm to the consumer. Schlage locks are very easy to pick, but I doubt that factors into most home burglaries.
The Daddy casts sleep on the Baby. The Baby resists!
For most homes a normal door lock is sufficient even in semi tough neighborhoods.
Sure nearly anyone can get in using a credit card or just some force. But most wont bother, so the basic lock is good enough for these people. If they are a storefront then they will normally have better locks.
So D-Link targeting consumers may have crap security but it may be good enough for average joe who is using it behind their cable modem router. Thus no one being harmed.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
So FTC can not ban any device till it can demonstrate at least one instance of actual harm? At least one baby must die before a choking hazard toy must be banned?
Technology changes and advances must faster than the rate at which we retire and replace our judges.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
From TFA:
According to the original FTC complaint, an agency inquiry found that while D-Link PR material consistently claimed the highest security standards, little to nothing was done by the company to eliminate a number of "well-known and easily preventable security flaws" that potentially put millions of residential consumers at risk.
Check your premises.
Under civil tort law, one must be able to demonstrate actual damages in order to bring successful suit. The FTC was unable to provide a single instance where someone was actually harmed due to the lax security in D-Link products.
But, that was already said. The point that I want to bring up is that there is a disease epidemic surrounding Internet security - and that is this assumption that perfect security is not just theoretically possible, but trivially achievable.
Look at your house. You can take all reasonable measures to secure your home: locks on the windows, dead bolts on your doors, etc... but none of them will stop a determined burglar. You could have a house that was fully encased in 6-inch thick steel with no windows and no doors, and you might have very good security, but your house would be utterly unusable. You want windows to see out of and doors so that you can come and go. These are necessary functions of a house but also necessarily introduce security "flaws" that can be exploited by determined actors.
Computers are no different. You want to be able to use your computer for actual, productive things. In order to do that, you must connect to the Internet. Sure you have doors with locks, but locks can be picked. The FTC hasn't gone around suing lock makers because their locks get broken or picked. Nor should they be going around suing router/firewall makers because their security can be broken.
There is absolutely NO level of security that can't be broken, short of unplugging your computer and encasing it in concrete at the bottom of the ocean. Even then, a determined actor could retrieve it.
We really have to stop allowing this disease to spread because it is getting in the way of doing things that are actually productive for security. We spend so much time excoriating security vendors when their stuff breaks that there are no man-months left to spend actually improving security, a process which includes indirect actions like education, best practices and processes, and other things that aren't "making a better firewall."
Well, good luck to you, when yor identity is stolen. Remember what you said here today.
How on earth do you establish damages if you don't have evidence you where damaged in some way?
The judge did the right thing. The FTC dropped the ball and didn't have their ducks in a row. Sorry, go try again people...
The poor security (lack of auditing, not protecting logs against deletion) is to blame for the lack of evidence.
Sometimes proof of negligence by itself is, or should be, enough. Actual damages should be based on actual harm, but an injunction (you cannot sell these products until you fix their security) and/or punitive damages (you harmed someone's privacy, which can't be easily measured in dollars and cents) are different.
The judge only dismissed 3 of the 6 counts made by the FTC with leave to amend and refile. The FTC has until Oct. 20 to do so. The lawsuit is still in progress.
"PR material" is different from claims on the product or packaging or the warranty. And the
Well, good luck to you, when yor identity is stolen.
Now that would be actual damage. See, you really do understand what words mean (when it suits you).
This sounds like a remarkably testable theory. I wonder if the NSA has ever tried such an experiment, and which mis(sing)feature of the networks prevented them from easily discovering the identity of the perp. As humanitarian a travesty as the Great Firewall of China was/is, if geo-firewalling away foreign countries is all it takes to secure against that class of uncatchable-perp cybercrime, I think it might sell well as an opt-in for many people.
I think it's far less easy to get away with such botnet criminal activity than this common perception leads most to believe. Such widespread misunderstanding of cyber threat models is perhaps an even bigger problem than these crapware devices.
Maybe users should reconsider D-link purchases...
> Most of the harm is to the people in aggregate.
> botnets that attack systems in a distributed fashion, which harms the companies being attacked and the users that get locked out of their accounts.
> The harm to the owners is negligible, because they lose just a tiny bit of bandwidth. But the harm to society is huge.
That's what the judge said. The FTC argued otherwise/
The judge wrote:
--
would likely be in the
ballpark of a âoesubstantial injury,â particularly when aggregated across a large group of consumers.
See Neovi, 604 F.3d at 1157 (âoeAn act or practice can cause substantial injury by doing a small
harm to a large number of peopleâ). But the FTC pursued a different and ultimately untenable track.
--
The FTC, in their complaint, could have, and probably should have, pursued an action on the basis of likelihood of "substantial injury by doing a small
harm to a large number of peopleâ. The FTC rejected that option because the relevant law is that D-Link would be liable if they KNOWINGLY made false statements which ended up causing the harm. Apparently the commission didn't think they could show that D-Link management or marketing people knew about the security problems.
Instead, the FTC sought damages based on unfair competition, which requires a more specific showing of damages.
Stupid. Stupid. Stupid.
You just converted all the white hackers into black.
It would be actual damage, but you enabled it.
So we shouldn't do anything to fix the problem until after it causes irreparable harm? Are you really this stupid?
So.. You can now sue for negligence without having to prove any harm was actually done?
How on earth do you establish damages if you don't have evidence you where damaged in some way?
The judge did the right thing. The FTC dropped the ball and didn't have their ducks in a row. Sorry, go try again people...
I think I'll go start an automotive company, and look to cut corners by removing all forms of safety restraints. No air bags. No seat belts. And I'll stand confident that I would never be found negligent until one of my customers is harmed or killed. I'll just make more profit and not care until some actual evidence of negligence manifests itself.
Yes, I'm well aware of the fact that such stupidity would never pass DOT regulation, ironically for the same fucking reason that blatantly shitty security practices that have been proven to cause considerable damage should be taken into consideration when looking for "evidence".
Then you are advocating that there should be a law or regulation to protect consumers from such stupidity, like the DOT's regulations keep you from selling vehicles which don't meet their safety standards.... Call your representatives and get that started.
However, in this case, the judge did the right thing in dismissing the case.
"You have no evidence of damages?"
"No sir."
"Then there is nothing to decide here, no damages to collect from D-Link.... Case Dismissed! Come back when you have evidence."
Understand?
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Yes, I do understand how historical evidence related to security breaches and common sense were all legally dismissed well before the judges gavel came down in this case. You are correct in that regulation and mandate are the only way you will ever get a manufacturer to pay attention to security.
Not sure even regulation or mandate will truly be effective. As we've seen in the financial sector, damn near any violation is well worth the fine, giving further evidence to show how fucked our legal system truly is.