Slashdot Mirror


New Tech Industry Lobbying Group Argues 'Right to Repair' Laws Endanger Consumers (securityledger.com)

chicksdaddy brings this report from Security Ledger: The Security Innovation Center, with backing of powerful tech industry groups, is arguing that letting consumers fix their own devices will empower hackers. The group released a survey last week warning of possible privacy and security risks should consumers have the right to repair their own devices. It counts powerful electronics and software industry organizations like CompTIA, CTIA, TechNet and the Consumer Technology Association as members... In an interview with The Security Ledger, Josh Zecher, the Executive Director of The Security Innovation Center, acknowledged that Security Innovation Center's main purpose is to push back on efforts to pass right to repair laws in the states.

He said the group thinks such measures are dangerous, citing the "power of connected products and devices" and the fact that they are often connected to each other and to the Internet via wireless networks. Zecher said that allowing device owners or independent repair professionals to service smart home devices and connected appliances could expose consumer data to hackers or identity thieves... Asked whether Security Innovation Center was opposed to consumers having the right to repair devices they purchased and owned, Zecher said the group did oppose that right on the grounds of security, privacy and safety... "People say 'It's just my washing machine. Why can't I fix it on my own?' But we saw the Mirai botnet attack last year... Those kinds of products in the wrong hands can be used to do bad things."

29 of 146 comments

  1. AKA Security Through Obscurity by Zamphatta · · Score: 5, Insightful

    & history's shown that isn't a good idea. Unfortunately, I'm guessing the not-so-tech-savvy politicians will fall for that argument, especially since they'll get a lot of money to do so.

    1. Re:AKA Security Through Obscurity by PolygamousRanchKid+ · · Score: 3, Insightful

      I'm guessing the not-so-tech-savvy politicians will fall for that argument, especially since they'll get a lot of money to do so.

      I'm guessing that the NSA is afraid that if we are allowed to open up the devices we own, we might find the "friend" that the NSA has planted in there.

      Like an Intel Management Engine, for instance.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  2. YEAH! They endanger customers! by Zurkeyon3733 · · Score: 3, Insightful

    They are in danger of NOT completely emptying their wallets to the fat-cats and the CEOs' "Bonus" programs and Beer Funds.... Gotta fix that!

  3. Let's let the consumers decide by alvinrod · · Score: 4, Insightful

    Let's let the consumers be the judge of what's a danger to themselves. People who try to go around making laws and rules for someone else's good tend to do a spectacularly poor job of it and generally cause just as much harm as good, even in the case where they're well-meaning instead of clearly under some ulterior motives as is the case here.

    If people want to accept some increased risk (which I don't believe exists) by using third party repair services, that's on them. If a company wants to warn their customers about the possibility of danger, that's as far as they should go.

    1. Re:Let's let the consumers decide by careysub · · Score: 5, Informative

      I don't think you are following along with this subject (though mysteriously you are currently rated "Score:4 Insightful").

      It sounds like you think that there is a movement afoot to pass laws to ban people from repairing their own property. That is the opposite of what is happening here. Businesses are trying to take away the ability to repair products through purchase contracts, designing products that can only be repaired by the manufacturer (there are various ways of doing this), and restricting access to spare parts. People are trying to get legislation passed to preserve the ability to repair products, which has up to now been assumed to exist.

      The whole point is that corporations are trying to take away the ability of letting consumers decide.

      --
      Starships were meant to fly, Hands up and touch the sky - Nicki Minaj
    2. Re:Let's let the consumers decide by El Cubano · · Score: 3, Interesting

      Let's let the consumers be the judge of what's a danger to themselves. People who try to go around making laws and rules for someone else's good tend to do a spectacularly poor job of it and generally cause just as much harm as good, even in the case where they're well-meaning instead of clearly under some ulterior motives as is the case here.

      I totally 100% agree with you. However, I feel it necessary to point out that the logic being used by these industry trade groups boils down to "these are dangerous things which must be kept out of the wrong hands."

      Coincidentally, or not coincidentally depending on how conspiracy-minded you are, that is the same argument used by gun control advocates.

      Now the merits of the position can certainly be argued as to how they pertain to both smart electronics and also firearms. However, I would consider anyone that supports right-to-repair and gun control, or who opposes both, to be engaging in some sort of cognitive dissonance. People can either choose for themselves or they cannot.

    3. Re:Let's let the consumers decide by burtosis · · Score: 2, Insightful

      "Which has up to now been assumed to exist" assumed by who? Because I clearly remember Apple trying to claim and also fight in court that jailbreaking is illegal. Also that fixing your home button is illegal - they bricked phones over it before the backlash of stupid forced them to recant (FFS just disable the print reader not the phone). Tell this to farmers who can't repair their own tractors because it's illegal, it goes on and on. We wouldn't need right to repair laws if it was always assumed.

    4. Re:Let's let the consumers decide by fido_dogstoyevsky · · Score: 2

      Sounds standard for mission critical systems where hundreds or thousands of lives could be at stake. Don't like Boeing's exorbitant maintenance fees? Come to Bob's discount 787 repair.

      Provided Bob is licenced (ie they've proved they really understand how to fix stuff properly) - there really isn't a problem.

      --
      It's NOT a conspiracy... it's a plot.
    5. Re:Let's let the consumers decide by William Baric · · Score: 5, Insightful

      You just repeated the nonsensical argument of the industry. I do think the "overrated" mod was appropriate.

      Is it possible that a repair shop would install a Trojan horse on one of their customers' devices? I guess. Is it probable? No. Believe it or not, but not every technician is a criminal who wants to empty your bank account and then flee the country.

      Do you also believe companies should forbid people to change their hard drive and to reinstall the OS on their computer because they would end up being "controlled like a puppet?"

    6. Re: Let's let the consumers decide by Puls4r · · Score: 5, Insightful

      By your reasoning, we'd be finding GPS trackers installed in our cars so independent repairmen can sell our location data. Plumbers would install remote shutoffs so we had to call them back. By your logic, no repair would ever be a safe repair if done by a third party. You are an idiot.

    7. Re:Let's let the consumers decide by clovis · · Score: 2

      If, as these industry leaders say, these products are so dangerous, then liability for errors in their design needs to be written into law.
      And especially for well known bad design errors such as common admin passwords, backdoors, and ports open by default to incoming connections.

      At first I agreed with letting the consumers be the judge of what's a danger. There's no way a consumer can know about the internal design of these products, and it's probably illegal to try to find out anything if the manufacturer chooses not to publish.
      It's not always the purchaser that gets harmed. Buying a device that becomes part of a botnet may cause much more harm to third parties than the purchaser. Who is liable for that harm? Right now, pretty much no one. I can't support making the consumer responsible for making a poor choice of a device that has an obfuscated design and interface.

      They claim these are dangerous products. So, let's take their word for it, and make these dangerous products have lawfully required minimum standards in the same way that cars, airplanes, household electric devices, and plumbing do. And make the manufacturer liable for civil and criminal charges if they fail.

    8. Re:Let's let the consumers decide by CrashNBrn · · Score: 3, Insightful

      However, I feel it necessary to point out that the logic being used by these industry trade groups boils down to

      This is a "Lobbying Group." And much like most such groups,
      1) Claims to represent companies|people that it doesn't,
      2) Chooses a name, "Security Innovation Center," that is the polar opposite of its actual intent,
      3) And like most Lobbying Groups exists solely to bring about specialist protectionist legislation that will screw over the most people for the least amount of money.

    9. Re:Let's let the consumers decide by JaredOfEuropa · · Score: 3, Insightful

      Neither of these are black and white issues, unless you believe in an absolute right to bear arms or repair stuff. There's always a trade-off, and usually there are multiple options between the 2 extremes. Someone may want the right to repair because the upside (cheaper repairs because of no monopoly, more devices being repaired instead of thrown out) outweighs the downside (a very very very farfetched scenario where a rogue repairman called Harry Tuttle installs an illegal little bypass in your aircon). There's no contradiction in that same person weighing the upside of owning guns for self defense against the fact that with guns we invariably end up with a bunch of dead kids from time to time, and deciding that a ban on guns is better. Or maybe to push for gun control and registration, if that means we can have guns but no dead kids. It's not about whether or not people can choose for themselves or not, but what the potential consequences of their choices are.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  4. Security, privacy and safety? by quonset · · Score: 4, Insightful

    WTF? These "smart" devices already aren't secure, send your data to someone at a distant location, and don't always work as the manufacturer says they should. And these same people are worried someone might hack them?

    What next? Making computers where the bits and pieces are welded on so one can't upgrade it?

    1. Re:Security, privacy and safety? by LinuxIsGarbage · · Score: 2

      What next? Making computers where the bits and pieces are welded on so one can't upgrade it?

      Isn't that basically what Apple has been doing for years?

  5. stop putting crap on the internet by Anonymous Coward · · Score: 5, Insightful

    "People say 'It's just my washing machine. Why can't I fix it on my own?' But we saw the Mirai botnet attack last year... Those kinds of products in the wrong hands can be used to do bad things."

    Problem number 1 is you stupid fucks decided to put Wifi in a washing machine. I have an older washing machine with a clockwork type timer control mechanism. I had to replace the timer about 6 months ago, took all of 15 minutes to repair. My washing machine doesn't need to be internet connected.

    1. Re:stop putting crap on the internet by Bing Tsher E · · Score: 3, Interesting

      Sadly, I used to work for one of the companies that made the clockwork timers in white goods. The big appliance companies have transitioned away from electromechanical. That's part of the reason I no longer work for that company. Their business dried up.

      Now I am working as a repair tech on stuff that includes John Deere products....

    2. Re:stop putting crap on the internet by b0s0z0ku · · Score: 2

      For what it's worth, quite a few low-end and commercial appliances (e.g. Speed Queen washer/dryers) still have clockwork timers. I'm not sure if they're better than digital. Digital control panels are sealed and have no moving parts -- a well-designed system should last decades and be immune to entry of dirt or liquids.

    3. Re:stop putting crap on the internet by Mashiki · · Score: 5, Interesting

      Well that's because electromechanical devices have a low failure rate. If they can't charge out the ass by forcing the customer to buy an entire new front-end array for half the cost of the washing machine it's really bad for the bottom line.

      Now I am working as a repair tech on stuff that includes John Deere products....

      Bet that's fun, most farmers around here dumped their Deere stuff a few years ago when they decided to be pricks over the farmers' ability to control their equipment. You can pick up a 2yr old Deere tractor loaded to the gills for $20k but no-one is buying. On the other side of that, the price for Fendt and Deutz-Fahr have gone up around 30% and there's parts shortages.

      --
      Om, nomnomnom...
    4. Re:stop putting crap on the internet by b0s0z0ku · · Score: 2

      Electromechanical devices (with moving parts) fail more than a properly designed all-electronic control panel. Key phrase: properly designed.

    5. Re:stop putting crap on the internet by Mashiki · · Score: 3, Insightful

      Electromechanical devices (with moving parts) fail more than a properly designed all-electronic control panel. Key phrase: properly designed.

      Except for those millions of cases where they don't, right? Ask yourself how many times you've heard from someone saying that their brand new electronic whatever has already failed in warranty, but their parents' 30 year old whatever is still chugging along and hasn't stopped. Or you have some asshat of a company like Samsung that built their fridges to fail just outside of the warranty phase (all electronic bits fyi). Here's the thing, we're really good at making electromechanical devices that last long, and have low rates of failure. The relays and emr-switches that our company uses have a failure rate of 1:900k over 10 years. They have to handle wet, dry, humid, extreme heat/cold and keep going day in and day out.

      I'll agree that some stuff has a higher failure rate, cars for example with non-electronic ignition had multiple points of failure and were prone for the simplest no-start problems mostly relating to the rotor. On the other side, for every $1k central console in car that fails and takes out the: radio, navigation, heater, signals, and so on. That 20 year old clunker next to you with all mechanical relays, wires, and switches is still going strong.

      --
      Om, nomnomnom...
  6. Annoys me that they used the word "security" by raymorris · · Score: 5, Insightful

    It bugs me that they called themselves the "Security Innovation Center". Those of us in security have consistently advocated for the need to be able to work on devices in order to secure them. Most recently the Obama administration tried to push through regulations requiring manufacturers to "prevent the installation of OpenWRT and similar third-party firmware" on routers. We successfully argued that preventing firmware upgrades often prevents security fixes.

    These jack asses do NOT represent security anything.

    1. Re:Annoys me that they used the word "security" by burtosis · · Score: 4, Insightful

      Just run it through the BS inverter:
      "Security Innovation Center" - Illegal Corporate Lock In Center
      "Right to work" - Divide and Conquer
      "Patriot Act" - Unconstitutional Removal of Privacy Act
      etc...

  7. Leave barn door open, blame cows for results by rgriff59 · · Score: 4, Insightful

    So the very tech industry actors that created the stage for the Mirai botnet think letting consumers take any control of those same actors' faulty devices will create significant new dangers? I think allowing those manufacturers any more unsupervised commercial activity is far more dangerous.

  8. Okay by c · · Score: 5, Insightful

    If you're arguing that consumers shouldn't be able to fix stuff "because security", then we presume that you're promising the stuff you sell actually is secure and that you're willing to accept 100% liability when things get hacked?

    * crickets *

    Well then, fuck you too.

    --
    Log in or piss off.
  9. Re:Paging Richard Stallman... by LinuxIsGarbage · · Score: 2

    The IT world needs your commentary, Mr. Stallman.

    Give him some time. He needs to wait for his cron job to finish. He surfs the internet as follows:

    "I usually fetch web pages from other sites by sending mail to a program (see https://git.savannah.gnu.org/g...) that fetches them, much like wget, and then mails them back to me. Then I look at them using a web browser, unless it is easy to see the text in the HTML page directly. I usually try lynx first, then a graphical browser if the page needs it (using konqueror, which won't fetch from other sites in such a situation)."

  10. Then why do they churn out abandonhardware? by anon mouse-cow-aard · · Score: 2

    I have never walked into a house that had a router less than five years old. I keep mine for 10 years at least, it's a natural lifetime. Do any manufacturers provide software updates for hardware > 2 years old? No. I have two Google Nexus 5 phones, no software support at all. I'm sure if appliance companies said, "sorry your washer is two years old, we don't stock those parts," they wouldn't stay in business very long. I don't understand why making objects smart suddenly makes their useful lives shorter than a gerbil's.

  11. Re:Points for chutzpah anyway by PolygamousRanchKid+ · · Score: 2

    If your washing machine is even capable of identity fraud, you're doing something wrong.

    My robot has its own Facebook page and plans to hack the next election in the US.

    It is also apparently fluent in Russian, because it chats in Russian late at night.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  12. They should be held responsible for security by 140Mandak262Jamuna · · Score: 2

    Now that the industry has admitted how dangerous these products could be, they should be held 100% responsible for securing them. Any breach, especially on a locked down device that the consumer did not or could not mess with, would be their liability.

    Since the devices might outlive the companies that sold them, all such devices must carry insurance, premium paid by the manufacturer, to make good on any damage they might cause.

    Only when there is an actual cost that affects their bottom line will these guys take security seriously. Forcing them to buy liability insurance will make someone look at the devices and assess the security.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact