Judge Kills FTC Lawsuit Against D-Link for Flimsy Security (dslreports.com)

← Back to Stories (view on slashdot.org)

Judge Kills FTC Lawsuit Against D-Link for Flimsy Security (dslreports.com)

Posted by msmash on Thursday September 21, 2017 @06:05AM from the rubbishing-it dept.

Earlier this year, the Federal Trade Commission filed a complaint against network equipment vendor D-Link saying inadequate security in the company's wireless routers and internet cameras left consumers open to hackers and privacy violations. The FTC, in a complaint filed in the Northern District of California charged that "D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras." For its part, D-Link Systems said it "is aware of the complaint filed by the FTC." Fast forward nine months, a judge has dismissed the FTC's case, claiming that the FTC failed to provide enough specific examples of harm done to consumers, or specific instances when the routers in question were breached. From a report: "The FTC does not identify a single incident where a consumer's financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the [D-Link] devices," wrote the Judge. "The absence of any concrete facts makes it just as possible that [D-Link]'s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor."

60 of 100 comments (clear)

Min score:

Reason:

Sort:

Sounds about right... by Kenja · 2017-09-21 06:09 · Score: 1

Could be viewed as a failure on the FTCs part I guess, but does anyone have any examples of consumers being harmed by D_Link being cheap POS hardware with poor security?

--

"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
1. Re: Sounds about right... by Anonymous Coward · 2017-09-21 06:16 · Score: 5, Funny
  
  Excellent precedent to cite should I ever get pulled for dangerous driving...
2. Re:Sounds about right... by Mr+D+from+63 · 2017-09-21 06:16 · Score: 2, Insightful
  
  Could be viewed as a failure on the FTCs part I guess, but does anyone have any examples of consumers being harmed by D_Link being cheap POS hardware with poor security?
  Possibly a failure to realize that they had a difficult case to make. While it is clear the there were deficiencies, this type of lawsuit requires harm to be shown. If a person was knowingly harmed due to this security lapse, I think we would have heard about it.
3. Re:Sounds about right... by Anonymous Coward · 2017-09-21 06:16 · Score: 1
  
  Windows seems to fit that description.
4. Re: Sounds about right... by Mr+D+from+63 · 2017-09-21 06:19 · Score: 2, Insightful
  
  Excellent precedent to cite should I ever get pulled for dangerous driving...
  If you ever get sued for dangerous driving, even though you didn't actually harm someone, it might help. But it has nothing to do with breaking the law.
5. Re:Sounds about right... by dgatwood · 2017-09-21 06:29 · Score: 5, Insightful
  
  IMO, the judge is wrong in this case. This sort of action shouldn't require showing harm to individuals, because the harm isn't necessarily to the individual device owners. Most of the harm is to the people in aggregate.
  Devices with security holes on the public Internet invariably eventually turn into botnets that attack systems in a distributed fashion, which harms the companies being attacked and the users that get locked out of their accounts. The harm to the owners is negligible, because they lose just a tiny bit of bandwidth. But the harm to society is huge.
  And even in cases where the harm is to the individual owner, the harm could be impossible to prove, because you could never realistically be certain whether a password shared by several websites got stolen from one of those websites or from the unencrypted copy of the password on the user's router. But that doesn't mean that users weren't harmed. In effect, if this judge's opinion is allowed to stand, the government will be unable to prosecute the vast majority of cases in which consumers are harmed en masse by security-related negligence, and that's a bad thing.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
6. Re:Sounds about right... by Mr+D+from+63 · 2017-09-21 06:41 · Score: 2
  
  IMO, the judge is wrong in this case. This sort of action shouldn't require showing harm to individuals, because the harm isn't necessarily to the individual device owners. Most of the harm is to the people in aggregate.
  The harm to the owners is negligible, because they lose just a tiny bit of bandwidth. But the harm to society is huge.
  Why is he wrong if the burden is on the plaintiff to show actual harm, and the plaintiff could not show actual harm? Would the judge have been right to not require evidence?
7. Re:Sounds about right... by bws111 · 2017-09-21 06:49 · Score: 3, Insightful
  
  Lawsuits are for righting wrongs. If you can't show anyone was wronged, then there is nothing to right.
  Protecting people in aggregate is what statutes are for, and neither the FTC nor the judge can create a statute.
  The judge ruled correctly.
8. Re:Sounds about right... by SeaFox · 2017-09-21 06:52 · Score: 1
  
  The easiest evidence would be to provide URLs to those sites that aggregate various unsecured cameras for voyeuristic viewing.
  The problem is they would have to prove the makers of those cameras to show they aren't all shady Chinese junk (the kind that doesn't have D-Link's name on it, I mean), and it could be argued the whole site is staged and the people in the feeds aware of the camera being publicly available.
9. Re:Sounds about right... by phantomfive · 2017-09-21 06:55 · Score: 1
  
  One route would be to find that those cameras were hacked, and were being used as parts of DDOS attacks.
  
  --
  "First they came for the slanderers and i said nothing."
10. Re:Sounds about right... by bws111 · 2017-09-21 07:02 · Score: 3, Informative
  
  Pretty much the first test of any civil lawsuit is whether there was any harm. If you can't demonstrate that, there is no case.
11. Re: Sounds about right... by alvinrod · 2017-09-21 07:15 · Score: 1
  
  That's poor comparison. Reckless driving is a citable offense in many places. A better example would be if the cop wouldn't even let you get into your car at all because you might drive recklessly. Typically they would have to show some cause for that such as you being inebriated, but most of them would probably just wait for you to get in the vehicle so they can actually bust you.
12. Re: Sounds about right... by jellomizer · 2017-09-21 07:17 · Score: 2
  
  Had people been injured from others who were doing dangerous driving. The FTC if showed harm from similar products from similar vulnerabilities then they may had a case.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
13. Re:Sounds about right... by jellomizer · 2017-09-21 07:25 · Score: 1
  
  After customers report harm the case can be opened again. The Fact that the FTC had raised caution in the past can be extra evidence.
  The law requiring to say your Coffee is hot on the cup only happens after someone burns themselves with it. For the Coffee case it would be trying to sue McDonnalds for brewing really hot coffee, where no one actually hurt themselves. Most people know pouring hot coffee can injure people. But it is legal to brew hot Coffee. However after proof the Coffee was too hot, then the case can be made.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
14. Re:Sounds about right... by dgatwood · 2017-09-21 07:49 · Score: 2, Insightful
  
  Why is he wrong if the burden is on the plaintiff to show actual harm, and the plaintiff could not show actual harm?
  But there was actual harm. The Mirai botnet attacked other computers on the Internet, and as a part of that botnet, D-Link's routers probably did tens of millions of dollars of economic damage to the Internet as a whole. So there was very clearly harm. It just wasn't directed specifically at the owners of the devices. Rather, the owners of the devices were unknowingly being complicit in that harm to others.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
15. Re:Sounds about right... by dgatwood · 2017-09-21 07:52 · Score: 4, Insightful
  
  Lawsuits are for righting wrongs. If you can't show anyone was wronged, then there is nothing to right.
  But there's ample proof that people were harmed by the Mirai botnet, and much of that harm was the direct result of D-Link routers getting p0wn3d. What they lacked was proof that the owners of the devices were harmed, and the judge incorrectly jumped from "the owners weren't harmed" to "no one was harmed", when in fact that is clearly not the case.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
16. Re:Sounds about right... by Mr+D+from+63 · 2017-09-21 08:01 · Score: 1
  
  probably did tens of millions of dollars
  Probably isn't good enough in court, and the malware you spoke of was not limited to D-Link.
17. Re:Sounds about right... by dgatwood · 2017-09-21 08:02 · Score: 1
  
  This isn't really like the coffee case. In that case, the product harmed the actual user of the product. This is more like a home safety system that watches for unknown home invaders, and because of a bug, occasionally shoots random strangers that walk by on the street, incorrectly believing that they are inside the house. The owner of the home safety system is never harmed directly, but the product still causes harm, even when used as intended, even without any negligence on the part of the user.
  Additionally, the ruling ignores that the harm caused by false advertising can be indirect. Users were told that these products were more secure than the competition when they were less so. That false advertising harms the free market by unjustly encouraging people to buy one product over another. This unfair competition presumptively causes indirect consumer harm by reducing competition. The onus should be on the false advertiser to prove that their false advertising does not constitute unfair competition, not on the government to prove that consumers were somehow directly harmed.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
18. Re:Sounds about right... by BlueStrat · 2017-09-21 08:05 · Score: 3, Insightful
  
  Why is he wrong if the burden is on the plaintiff to show actual harm, and the plaintiff could not show actual harm?
  
  But there was actual harm [wikipedia.org]. The Mirai botnet attacked other computers on the Internet, and as a part of that botnet, D-Link's routers probably did tens of millions of dollars of economic damage to the Internet as a whole. So there was very clearly harm. It just wasn't directed specifically at the owners of the devices. Rather, the owners of the devices were unknowingly being complicit in that harm to others.
  What seems 'off' about this case is that the FTC legal department's lawyers surely understood basic civil law, but yet did not prepare their case with the requisite evidence of harm any such case has to demonstrate.
  It makes me think maybe the FTC just wanted to *look like* they were "taking serious action" here when in reality they wanted the problem to quietly go away because of regulatory-capture/crony-capitalism.
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
19. Re:Sounds about right... by dgatwood · 2017-09-21 08:17 · Score: 1
  
  Unfortunately, that's quite possible, particularly given the current political climate in Washington.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
20. Re:Sounds about right... by omnichad · 2017-09-21 08:55 · Score: 1
  
  Or, put another way - If it wasn't the fault of D-Link's negligence, then anyone harmed by the botnet has a claim against each individual owner of a compromised router.
21. Re:Sounds about right... by techno-vampire · 2017-09-21 09:01 · Score: 2
  
  "Probably" isn't good enough in a criminal case, where the standard is "beyond a reasonable doubt." This is, or was, a civil case where the standard is "the preponderance of evidence." That means that if the plaintiff can persuade the jury that there's a 51% chance that they're right, they win.
  
  --
  Good, inexpensive web hosting
22. Re:Sounds about right... by BlueStrat · 2017-09-21 09:03 · Score: 1
  
  Unfortunately, that's quite possible, particularly given the current political climate in Washington.
  And by "the current political climate in Washington" you mean the last several decades if not more, right? It's not like this sort of corruption just suddenly became a problem.
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
23. Re:Sounds about right... by dgatwood · 2017-09-21 09:54 · Score: 1
  
  What I meant was that consumer protection in general tends to be a lower priority for Republicans, which compounds the problems caused by the corruption.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
24. Re: Sounds about right... by Impy+the+Impiuos+Imp · 2017-09-21 09:56 · Score: 1
  
  There are craploads of examples of dangerous driving harming people.
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
25. Re:Sounds about right... by Mr+D+from+63 · 2017-09-21 10:02 · Score: 1
  
  Actually the legal definition of "reasonable doubt" is where you are less than 51% certain that a thing occurred.
  reasonable doubt has no place in a lawsuit. That is for criminal prosecution.
26. Re:Sounds about right... by BlueStrat · 2017-09-21 10:08 · Score: 1
  
  What I meant was that consumer protection in general tends to be a lower priority for Republicans, which compounds the problems caused by the corruption.
  I am unconvinced that (D)isney is any better in that regard.
  A pox on both their houses, I say.
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
27. Re: Sounds about right... by Mr+D+from+63 · 2017-09-21 10:14 · Score: 2
  
  There are craploads of examples of dangerous driving harming people.
  OK. I agree. So what difference does that make? How many people have been sued for dangerous driving when nobody was harmed?
28. Re:Sounds about right... by techno-vampire · 2017-09-21 10:59 · Score: 1
  
  If that were true, the standard for criminal and civil cases would be the same, and there'd be no reason to describe them in two different ways. In a civil case, the jury finds for the side that's most likely right, but in a criminal case, they must acquit unless they're sure the defendant's guilty.
  
  --
  Good, inexpensive web hosting
29. Re:Sounds about right... by wonkavader · 2017-09-21 11:39 · Score: 1
  
  So as soon as someone is sued because their crappy camera was part of the botnet, there will be grounds against D-Link by the defendant of that lawsuit.
  Seems a little weird. If I run over someone because my car is poorly designed and spontaneously backs up without warning, does the victim sue me or the car company?
30. Re:Sounds about right... by jabuzz · 2017-09-22 01:10 · Score: 1
  
  The coffee didn't actually harm the "user" of the coffee as I am quite sure that putting coffee between your legs, then spilling it all over yourself and then not immediately removing the clothes is not how you are supposed to use coffee. Oh and I say that having just drunk a cup of coffee that was *hotter* than the one in question and I have not need admitting to hospital.
31. Re: Sounds about right... by fedos · 2017-09-22 05:04 · Score: 1
  
  But do you have any specific examples of the AC's reckless driving harming people?
Perhaps the FTC's approach was off. by forkfail · 2017-09-21 06:35 · Score: 3, Insightful

D-Link PR material consistently claimed the highest security standards.
Seems like they should have gone after them for fraud and false advertising, given the abysmal lack of security in the systems that were sold for the purpose of making networks secure.

--
Check your premises.
1. Re:Perhaps the FTC's approach was off. by ctilsie242 · 2017-09-21 07:13 · Score: 2
  
  With security standards as they stand today, claiming the highest can be just as easy as not falling off the floor.
  What is really needed is for an open standards body to function like UL, and have a set of security certifications for devices. Perhaps with a Sold Secure type of gold/silver/bronze level as well, where with the higher levels, the device is on more secure OS, there is auditing, the CPU is secure, and so on. Something where Joe Sixpack who wants something secure can buy something decent, or spend the bucks for something certified as more secure.
  We have a powerful tool for security on almost all recent CPUs -- virtualization. Done right, this can immensely improve security, even on embedded devices. Even the el cheapo ARM CPUs have this built in.
2. Re:Perhaps the FTC's approach was off. by wonkavader · 2017-09-21 12:23 · Score: 1
  
  Nah, that's just puffery.
Judge, PROVE your ruling. by geekmux · 2017-09-21 06:51 · Score: 2, Insightful

Since the Judge doesn't believe that the blatant existence of shitty default security can and often will lead to data breaches, I suggest we force the Judge to install the hardware inside every room of their personal home.
If the Judge thinks it's so fucking secure, then put your privacy where your ruling is.
1. Re:Judge, PROVE your ruling. by ShanghaiBill · 2017-09-21 07:02 · Score: 3
  
  Since the Judge doesn't believe that the blatant existence of shitty default security can and often will lead to data breaches
  The judge didn't believe that because the plaintiffs didn't provide any evidence that it is true.
  
  I suggest we force the Judge to install the hardware
  I suggest we require plaintiffs to provide evidence to support their claims.
2. Re:Judge, PROVE your ruling. by chispito · 2017-09-21 07:13 · Score: 3
  
  Since the Judge doesn't believe that the blatant existence of shitty default security can and often will lead to data breaches, I suggest we force the Judge to install the hardware inside every room of their personal home.
  If the Judge thinks it's so fucking secure, then put your privacy where your ruling is.
  Your comment makes my head hurt. If insufficient evidence of harm was provided, then it's not the judge's job to prove anything.
  
  --
  The Daddy casts sleep on the Baby. The Baby resists!
3. Re:Judge, PROVE your ruling. by Anonymous Coward · 2017-09-21 07:41 · Score: 1
  
  The judge didn't rule that D-Link security was good. The judge ruled that the FTC did not have standing to sue, and did not bring a meritorious case, which was the correct ruling to make.
4. Re:Judge, PROVE your ruling. by stephanruby · 2017-09-21 09:18 · Score: 1
  
  I'm not sure what this would accomplish.
  The judge already knows to change the default password. Or if he didn't already know, after this lawsuit, he certainly knows to not to keep the default password.
5. Re:Judge, PROVE your ruling. by jezwel · 2017-09-21 14:30 · Score: 1
  
  Even if nobody realizes they've been hacked due to that in particular, it was shown that their hardware is not secure.
  And yet your FTC could cite no specific cases where unsecure hardware has caused harm. Your legal system lets D-Link get away with this. Is this how capitalism is meant to work? You get to do whatever you want until you're sued or charged and found guilty?
Re:Innocent Until Proven Guilty by geekmux · 2017-09-21 06:57 · Score: 3, Insightful

The Judge made the right call. No evidence means no proof. No proof means they're innocent, even if they're guilty as hell.
There was plenty of evidence to show that the default security was absolute shit.
What was lacking here was common fucking sense that confirms when default security is absolute shit, data breaches are usually the end result.
Validation of that fact is likely strewn across decades of case law, so it was hiding about as well as an elephant herd in the room.
What? by hackel · 2017-09-21 07:10 · Score: 1

So now the legal standard is, "as long as no one ever got hurt, it's fine?" What if I build a cheap, shoddy bridge using unsafe practises? So long as it doesn't fall apart before the lawsuit, I'm not at fault? What a shitty country this is. I hope this gets appealed and overruled.
1. Re:What? by supremebob · 2017-09-21 07:25 · Score: 1
  
  So, basically what we need a law punishing developers and system administrators for gross negligence in regards to security.
  While I like the idea in theory, I don't like the idea of personally getting fined because I forgot to install a security patch or put a tough password on a system service account.
2. Re:What? by Registered+Coward+v2 · 2017-09-21 08:07 · Score: 2
  
  So now the legal standard is, "as long as no one ever got hurt, it's fine?" What if I build a cheap, shoddy bridge using unsafe practises? So long as it doesn't fall apart before the lawsuit, I'm not at fault? What a shitty country this is. I hope this gets appealed and overruled.
  You bring up an interesting point. If you build a bridge using unsafe practices you would violate close and be subject to enforcement actions. Absent a law definingbminimum standards for routers then building one with poor security doesn't open you up to lawsuits until someone can prove actual damages. That's been part of the law for a long time, hypothetical future harms are not reason enough to be able to sue. To build on your bridge example, if you paint the entrance to look wider then it is someone can't sue you simply because they may hit a post if the drive over it. An interesting question is if you know dLink makes poor products but continue to use them how much liability do you assume when a breach does occur?
  
  --
  I'm a consultant - I convert gibberish into cash-flow.
Re:Innocent Until Proven Guilty by bobbied · 2017-09-21 07:16 · Score: 2

So.. You can now sue for negligence without having to prove any harm was actually done?
How on earth do you establish damages if you don't have evidence you where damaged in some way?
The judge did the right thing. The FTC dropped the ball and didn't have their ducks in a row. Sorry, go try again people...

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
I doubt D-Link claimed their products were secure by billrp · 2017-09-21 07:23 · Score: 1

If D-Link had included statements that their products were secure, then the FTC would have probably had a stronger case. But because there was probably no security guarantee then no case. "Let the buyer beware."
Re:Innocent Until Proven Guilty by chispito · 2017-09-21 07:24 · Score: 1

There was plenty of evidence to show that the default security was absolute shit.
What was lacking here was common fucking sense that confirms when default security is absolute shit, data breaches are usually the end result.
Validation of that fact is likely strewn across decades of case law, so it was hiding about as well as an elephant herd in the room.
You and I see lots of evidence of poor security, but that is not the same thing as evidence of harm to the consumer. Schlage locks are very easy to pick, but I doubt that factors into most home burglaries.

--
The Daddy casts sleep on the Baby. The Baby resists!
Re:Innocent Until Proven Guilty by jellomizer · 2017-09-21 07:33 · Score: 1

For most homes a normal door lock is sufficient even in semi tough neighborhoods.
Sure nearly anyone can get in using a credit card or just some force. But most wont bother, so the basic lock is good enough for these people. If they are a storefront then they will normally have better locks.
So D-Link targeting consumers may have crap security but it may be good enough for average joe who is using it behind their cable modem router. Thus no one being harmed.

--
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
The judge is a bigger threat to our security by 140Mandak262Jamuna · 2017-09-21 07:35 · Score: 1

Probably some old judge not familiar with the reach and extent of the internet and how inane dumb and dangerous the hard coded credentials are.
So FTC can not ban any device till it can demonstrate at least one instance of actual harm? At least one baby must die before a choking hazard toy must be banned?
Technology changes and advances must faster than the rate at which we retire and replace our judges.

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
1. Re:The judge is a bigger threat to our security by tomhath · 2017-09-21 08:46 · Score: 2
  
  More likely he's an experienced judge who understands the law.
  Suppose I walk past your house and see that one of the front steps is loose. Can I sue you for potentially harming me if I had tripped on that step (but didn't)?
  The law doesn't change because it's on the internet.
Re:I doubt D-Link claimed their products were secu by forkfail · 2017-09-21 07:36 · Score: 1

From TFA:

According to the original FTC complaint, an agency inquiry found that while D-Link PR material consistently claimed the highest security standards, little to nothing was done by the company to eliminate a number of "well-known and easily preventable security flaws" that potentially put millions of residential consumers at risk.

--
Check your premises.
Re:It's up to you/us by jellomizer · 2017-09-21 07:40 · Score: 1

The government normally reflects the will of the people. Most people don’t realize risking 0.1% of your security from attacks from bad guys your privacy and personal freedom can double.
Right now we as a world are afraid of the mean old other guy who may have a few random attacks a year which in theory can be preventable. So we cry out “why didn’t we stop this before it happened, we have the technology to do this!” So the government implements the technology and may or may not catch the bad guy from it. However this implementation in place now infringes more on our privacy and way of life.

--
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Re:Innocent Until Proven Guilty by Anonymous Coward · 2017-09-21 08:00 · Score: 1

How on earth do you establish damages if you don't have evidence you where damaged in some way?
The judge did the right thing. The FTC dropped the ball and didn't have their ducks in a row. Sorry, go try again people...
The poor security (lack of auditing, not protecting logs against deletion) is to blame for the lack of evidence.
Sometimes proof of negligence by itself is, or should be, enough. Actual damages should be based on actual harm, but an injunction (you cannot sell these products until you fix their security) and/or punitive damages (you harmed someone's privacy, which can't be easily measured in dollars and cents) are different.
Re:I doubt D-Link claimed their products were secu by billrp · 2017-09-21 08:22 · Score: 1

"PR material" is different from claims on the product or packaging or the warranty. And the
The judge agrees with you, FTC doesn't by raymorris · 2017-09-21 12:20 · Score: 1

> Most of the harm is to the people in aggregate.
> botnets that attack systems in a distributed fashion, which harms the companies being attacked and the users that get locked out of their accounts.
> The harm to the owners is negligible, because they lose just a tiny bit of bandwidth. But the harm to society is huge.
That's what the judge said. The FTC argued otherwise/
The judge wrote:
--
would likely be in the
ballpark of a âoesubstantial injury,â particularly when aggregated across a large group of consumers.
See Neovi, 604 F.3d at 1157 (âoeAn act or practice can cause substantial injury by doing a small
harm to a large number of peopleâ). But the FTC pursued a different and ultimately untenable track.
--
The FTC, in their complaint, could have, and probably should have, pursued an action on the basis of likelihood of "substantial injury by doing a small
harm to a large number of peopleâ. The FTC rejected that option because the relevant law is that D-Link would be liable if they KNOWINGLY made false statements which ended up causing the harm. Apparently the commission didn't think they could show that D-Link management or marketing people knew about the security problems.
Instead, the FTC sought damages based on unfair competition, which requires a more specific showing of damages.
A request for domumented crimes? by BlueCoder · 2017-09-21 12:54 · Score: 1

Stupid. Stupid. Stupid.
You just converted all the white hackers into black.
Re:Innocent Until Proven Guilty by geekmux · 2017-09-25 09:58 · Score: 1

So.. You can now sue for negligence without having to prove any harm was actually done?
How on earth do you establish damages if you don't have evidence you where damaged in some way?
The judge did the right thing. The FTC dropped the ball and didn't have their ducks in a row. Sorry, go try again people...
I think I'll go start an automotive company, and look to cut corners by removing all forms of safety restraints. No air bags. No seat belts. And I'll stand confident that I would never be found negligent until one of my customers is harmed or killed. I'll just make more profit and not care until some actual evidence of negligence manifests itself.
Yes, I'm well aware of the fact that such stupidity would never pass DOT regulation, ironically for the same fucking reason that blatantly shitty security practices that have been proven to cause considerable damage should be taken into consideration when looking for "evidence".
Re:Innocent Until Proven Guilty by bobbied · 2017-09-25 10:15 · Score: 1

Then you are advocating that there should be a law or regulation to protect consumers from such stupidity, like the DOT's regulations keep you from selling vehicles which don't meet their safety standards.... Call your representatives and get that started.
However, in this case, the judge did the right thing in dismissing the case.
"You have no evidence of damages?"
"No sir."
"Then there is nothing to decide here, no damages to collect from D-Link.... Case Dismissed! Come back when you have evidence."
Understand?

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Re:Innocent Until Proven Guilty by geekmux · 2017-09-25 21:29 · Score: 1

Yes, I do understand how historical evidence related to security breaches and common sense were all legally dismissed well before the judges gavel came down in this case. You are correct in that regulation and mandate are the only way you will ever get a manufacturer to pay attention to security.
Not sure even regulation or mandate will truly be effective. As we've seen in the financial sector, damn near any violation is well worth the fine, giving further evidence to show how fucked our legal system truly is.