Judge Kills FTC Lawsuit Against D-Link for Flimsy Security (dslreports.com)
Earlier this year, the Federal Trade Commission filed a complaint against network equipment vendor D-Link saying inadequate security in the company's wireless routers and internet cameras left consumers open to hackers and privacy violations. The FTC, in a complaint filed in the Northern District of California charged that "D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras." For its part, D-Link Systems said it "is aware of the complaint filed by the FTC." Fast forward nine months, a judge has dismissed the FTC's case, claiming that the FTC failed to provide enough specific examples of harm done to consumers, or specific instances when the routers in question were breached. From a report: "The FTC does not identify a single incident where a consumer's financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the [D-Link] devices," wrote the Judge. "The absence of any concrete facts makes it just as possible that [D-Link]'s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor."
Could be viewed as a failure on the FTC's part I guess, but does anyone have any examples of consumers being harmed by D-Link being cheap POS hardware with poor security?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
DACA...is CACA.
D-Link PR material consistently claimed the highest security standards.
Seems like they should have gone after them for fraud and false advertising, given the abysmal lack of security in the systems that were sold for the purpose of making networks secure.
Check your premises.
The Judge made the right call.
No evidence means no proof.
No proof means they're innocent, even if they're guilty as hell.
The government is never going to treat privacy as something important, much less protected or enforceable by law. And that makes sense: from a government PoV, privacy is a bad thing and we need laws to force there to be less of it. You and the government are never going to be on the same page, on this issue. Stop looking to the courts. They're The People's prime adversary in this conflict.
That means security is up to you, not a vendor. Caveat emptor.
If you have no reason to believe the software has been inspected, then it's unsafe to use. If someone sells you hardware with pre-installed software instead of something that YOU first select (from many competing Free Software makers) or create yourself, and then you deploy, then that is a bad product and you shouldn't buy it.
Yes, this is hard to do. I don't know who sells a trustworthy wifi AP.
Since the Judge doesn't believe that the blatant existence of shitty default security can and often will lead to data breaches, I suggest we force the Judge to install the hardware inside every room of their personal home.
If the Judge thinks it's so fucking secure, then put your privacy where your ruling is.
So now the legal standard is, "as long as no one ever got hurt, it's fine?" What if I build a cheap, shoddy bridge using unsafe practises? So long as it doesn't fall apart before the lawsuit, I'm not at fault? What a shitty country this is. I hope this gets appealed and overruled.
I guess they just need to try again and hopefully find a judge that doesn't have his head completely up his a$$.
If D-Link had included statements that their products were secure, then the FTC would have probably had a stronger case. But because there was probably no security guarantee then no case. "Let the buyer beware."
So FTC can not ban any device till it can demonstrate at least one instance of actual harm? At least one baby must die before a choking hazard toy must be banned?
Technology changes and advances much faster than the rate at which we retire and replace our judges.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
From TFA:
According to the original FTC complaint, an agency inquiry found that while D-Link PR material consistently claimed the highest security standards, little to nothing was done by the company to eliminate a number of "well-known and easily preventable security flaws" that potentially put millions of residential consumers at risk.
Check your premises.
Under civil tort law, one must be able to demonstrate actual damages in order to bring successful suit. The FTC was unable to provide a single instance where someone was actually harmed due to the lax security in D-Link products.
But, that was already said. The point that I want to bring up is that there is a disease epidemic surrounding Internet security - and that is this assumption that perfect security is not just theoretically possible, but trivially achievable.
Look at your house. You can take all reasonable measures to secure your home: locks on the windows, dead bolts on your doors, etc... but none of them will stop a determined burglar. You could have a house that was fully encased in 6-inch thick steel with no windows and no doors, and you might have very good security, but your house would be utterly unusable. You want windows to see out of and doors so that you can come and go. These are necessary functions of a house but also necessarily introduce security "flaws" that can be exploited by determined actors.
Computers are no different. You want to be able to use your computer for actual, productive things. In order to do that, you must connect to the Internet. Sure you have doors with locks, but locks can be picked. The FTC hasn't gone around suing lock makers because their locks get broken or picked. Nor should they be going around suing router/firewall makers because their security can be broken.
There is absolutely NO level of security that can't be broken, short of unplugging your computer and encasing it in concrete at the bottom of the ocean. Even then, a determined actor could retrieve it.
We really have to stop allowing this disease to spread because it is getting in the way of doing things that are actually productive for security. We spend so much time excoriating security vendors when their stuff breaks that there are no man-months left to spend actually improving security, a process which includes indirect actions like education, best practices and processes, and other things that aren't "making a better firewall."
The judge only dismissed 3 of the 6 counts made by the FTC with leave to amend and refile. The FTC has until Oct. 20 to do so. The lawsuit is still in progress.
"PR material" is different from claims on the product or packaging or the warranty. And the
This sounds like a remarkably testable theory. I wonder if the NSA has ever tried such an experiment, and which mis(sing)feature of the networks prevented them from easily discovering the identity of the perp. As humanitarian a travesty as the Great Firewall of China was/is, if geo-firewalling away foreign countries is all it takes to secure against that class of uncatchable-perp cybercrime, I think it might sell well as an opt-in for many people.
I think it's far less easy to get away with such botnet criminal activity than this common perception leads most to believe. Such widespread misunderstanding of cyber threat models is perhaps an even bigger problem than these crapware devices.
Maybe users should reconsider D-link purchases...
> Most of the harm is to the people in aggregate.
> botnets that attack systems in a distributed fashion, which harms the companies being attacked and the users that get locked out of their accounts.
> The harm to the owners is negligible, because they lose just a tiny bit of bandwidth. But the harm to society is huge.
That's what the judge said. The FTC argued otherwise.
The judge wrote:
--
would likely be in the ballpark of a "substantial injury," particularly when aggregated across a large group of consumers. See Neovi, 604 F.3d at 1157 ("An act or practice can cause substantial injury by doing a small harm to a large number of people"). But the FTC pursued a different and ultimately untenable track.
--
The FTC, in their complaint, could have, and probably should have, pursued an action on the basis of likelihood of "substantial injury by doing a small harm to a large number of people". The FTC rejected that option because the relevant law is that D-Link would be liable if they KNOWINGLY made false statements which ended up causing the harm. Apparently the commission didn't think they could show that D-Link management or marketing people knew about the security problems.
Instead, the FTC sought damages based on unfair competition, which requires a more specific showing of damages.
Stupid. Stupid. Stupid.
You just converted all the white hackers into black.