Slashdot Mirror
California May Ban Terrible Default Passwords On Connected Devices (engadget.com)
According to Engadget, the California Senate has sent Governor Jerry Brown draft legislation that would require manufacturers to either have to use unique preprogrammed passwords or make you change the credentials the first time you use it. "Companies will also have to 'equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device,'" reports Engadget. From the report: If Brown signs the bill into law, it will take effect at the beginning of 2020. But critics claim the wording is vague and doesn't go far enough in ensuring manufacturers don't include unsecured features. "It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Robert Graham of Errata Security said in a blog post. "The key to dieting is not eating more but eating less." Given the huge number of connected devices available, it's also not clear how the state plans to enforce and regulate the rules.
About time, its a good start. But devices should also have a 'BACKDOOR INSTALLED" sticker if that is the case.
And another sticker 'Device will be unsupported after 1 2 or n years. This way consumers will discriminate against throw away trash
And a fine if string length overflows happen because of lazy coding and lazy compiles.
You would have thought the FCC or similar would have demanded this decades ago, or a list where you can scan your device and find out if defective with no firmware upgrades available.
aren't most of these account compromises due to stuff like an incompetent company leaving its database in plaintext or some kid phishing it from or fooling an employee somehow instead of some master hacker bruteforcing individual passwords that don't follow silly rules like having upper case and symbols?
According to Engadget, the California Senate has sent Governor Jerry Brown draft legislation...
Looking at the actual bill, it has already passed in both the CA Senate and Assembly.
That makes it more than a draft. That's a bill ready to be signed into law, or possibly vetoed.
Maybe it means something else to other people, but when I send someone a draft, it's to solicit comments.
https://www.senate.ca.gov/legislativeprocess
Now instead of a default router password, users will be prompted to change it, thus setting it to 'Password1'.
Progress!
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
As so many people who are talking about "dieting" they are both wrong, and have a very short-sighted view.
"Eating less" seems to be the answer, but results in hunger pangs, leading to the person not being able to think about anything else than food, and thus stress himself out. And guess what that tends to lead to ...
So, start with eathing three good, full meals. That definitily helps to quench the snack attacks.
But foremost, try to figure out why you are eating all that stuff (did I already mention stress ? I think I did), and try to get it clear in your mind.
Being aware of what makes you eat definitly helps in breaking the habit. Ofcourse, as you now aware of what bothers you you also have a chance to eliminate the cause of that stress.
Go figure a somewhat reasonable default is replaced by a consumer who decides they cannot remember the password so they change it to 12345.
You think "security" is something that can be "built in." Security in software development is a mindset. How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords.
While having the source code available is helpful to see if there are security issues, that doesn't mean they will be found. Open source doesn't provide for greater security though. Open source == licensing model, not a security process.
With many software projects, open source or closed, there are often only a few people who understand the software well enough to even notice those bugs.
I don't think forcing a particular operating system down vendors throat is the solution. My idea is, everytime a vendor has a security issue on their device, I want a refund. They sold me a defective device with defective software. We need to stop calling software buggy and call it what it really is, DEFECTIVE.
sure, as with any law it will be incomplete, contain loopholes and be vague in certain areas, but at least it is better then nothing.
default passwords are a big part of security issues of IoT devices, so if we can already scrap that of the list of things to worry about, that can only be a good thing.
On a long enough timeline, the survival rate for everyone drops to zero.
I've also heard there are new laws in the planning that will require everyone in California be happy and rich.
Can't wait to see how those are enforced.
OK. I drop my toothbrush and it breaks. So I go to the store and find all six of the toothbrushes I can choose from are internet connected. I pick one, go home, plug it in. Now I enter a new password. How do I do that? It's a toothbrush.
------
My (conceptual and imaginary) grandmother buys a new "smart" TV. (Seriously, "They" apparently don't make dumb TVs any more). She plugs it in getting many of the connections right. It asks (in colloquial Latvian because it's a bit confused about where it is) for a new password. She at least has an input device-- the remote. She pushes random buttons until the weird prompt(s) go away. Congratulations grandma, you've set an unknown password and effectively bricked your new TV. Who is going to unbrick it? How?
-----
I'm not sure the world needs politicians "solving" problems nobody understands. Quite likely a case of "Now you have two Problems"
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
If you keep actual personal information in your honeypot, then i guess yes, but this bill does not seem to be about that.
It's about manufacturer putting some sort of ID or serial based password for each manufactured device instead of "password" by default or making sure user changes it on first start. If you manufacture honeypot devices, then user just changes the password to something easy to guess.
Does everyone in the tech industry have to use vegan references in an analogy that is completely preposterous?
The better analogy would be like classifying all driver's licenses as aviation licenses. Then you'll have millions of untrained, and uneducated pilots flying airplanes.
The moral of the story; A vast majority of people who use a network, should probably not be allowed to use the network or internet without a personal administrator. If you are going to allow all people to use the internet without IT supervision, than deal with the consequences of delinquency on the internet. You can't fix it. No sense in bitching about it.
Dieting is keeping check on what you eat. If you want to gain weight you eat more if you want to lose weight you eat less (than you burn).
If people are going to use analogies they should be sure that they understand the thing they use as an analogy.
The problem is that fat people have a massive Leptin resistance. Meaning they are numb to their body's signal that they are full.
Which is caused by certain gut bacteria flooding the body with it.
Which, itself, is caused by there being so damn many of those bacteria.
And those are there, because they feed on pure carbs. Not whole natural cells, like any plant, but extracted, processed, and condensed carbs, without the required accompanying ingredients, that keep the bacteria from causing an inflammation.
(So carbs are not bad per se. It's the imbalance and denaturation. Any other imbalance [like pure salt] or denaturation [like denatured dairy] would be just as bad.)
When you eat an actually balanced and natural diet, all that happens with high-energy food like fat, is that you are full much quicker. And you can still stuff yourself with low-energy food to the max, and not get fat.
So you simply cannot eat too much, since you will not want to.
The will to eat more than you need, is the illness. And no amount of "willpower" (read: harmful ignorance of the body's signals to freakin change!) is going to fix that. You will only become a stupid ignorant masochist. Only banning those highly purified things, that are essentially drugs, from your life, can.
I'm not sure this is going to cause anything other than a bunch of insecure devices disappearing off store shelves in California specifically. Don't get me wrong, this is progress, but it's not the kind of really fast progress that is actually needed seeing how really badly secured devices being sold today are going to be causing us issues decades from now.
The fundamental issue is that most IOT gear is really just really cheaply made and designed white box devices from obscure Chinese vendors consumers have never heard of and which the companies under whose name the devices are sold to consumers just order them from the vendor with their name and logos slapped on at the vendor's factory. Until you can force the white box vendors to properly secure their cheaply made and designed hardware, we're just not going to be able to make a dent in the problem.
"Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."
typical non-thinking government. create abstract rules/laws, that actually do nothing or more harm
You can't "law" stupid away. Some things you just have to let them work themselves out. If you have a brand of devices that are constantly getting compromised. People will stop buying them. i
How about internet connected devices are required to have a built-in (and network assisted, since by definition the network is available when this matters) password cracking subsystem. When the subsystem guesses your password, you are required to change your password.
And, for good measure, when a password is reset due to a self-breaking, the broken password is added to the networked repository of passwords-to-check-first.
a unique password made by a password generator at the time of programming or when they load the software/firmware on it, and a label printed on a card or tag tied or taped on to the device included with that password during packaging
Politics is Treachery, Religion is Brainwashing
Instead of doing dumb laws that no one could implement realistically, how about you put a ban on routers who allow NAT/port forward?!? This way, all those IoT devices would work in LAN and if you so damn want to , i don't know, control your lights from your workplace to feel good about yourself, just use a VPN (OpenVPN is a decent free alternative), connect to your local network and do w/e the fuck you wanted to do in the first place. This way your devices will never be exposed to outside threads. There, boom, problem solved.
The actual issue is that it's way too easy to open router ports. And a lot of people abuse this right.
Even if you are on a dynamic IP you can use stuff like DynDNS to have a single endpoint to your home network.
Once that's done, your bloody IoT password could be randomized 4 zeroes or some shit.
You can't "law" stupid away. Some things you just have to let them work themselves out. If you have a brand of devices that are constantly getting compromised. People will stop buying them. i
"Voting with your dollars" doesn't always work.
(IMO it rarely works. But that's another debate)
You think "security" is something that can be "built in." Security in software development is a mindset.
A mindset in a software developers head is a useless thing to an end user. It might start there but it has to actually become something more than that. Ultimately security has to manifest itself in products (software and hardware) and processes to use those products. A developer's mindset will not keep a network or device or data safe any more than and engineer thinking about how to stop a car will actually cause one to halt. So yes, security ultimately has to be built into whatever device(s) and software you are using.
My idea is, everytime a vendor has a security issue on their device, I want a refund.
Then you would have no devices because it's impossible to prove that non trivial devices and software have no security issues. Nobody could ship a product and be sure there was no security issue they missed. It is arguably reasonable however to apply strict product liability laws to software and to hold companies financially accountable for damages. Current application of product liability laws routinely provide software makers too much wiggle room to avoid responsibility for their failures, particularly with regard to security.
Unfortunate the California doesn't ban California. That would be progress.
So, start with eathing three good, full meals. That definitily helps to quench the snack attacks.
I'm guessing you've never really actually tried to lose weight. That is definitively NOT the advice you will receive from experts on the subject. The three squares a day idea does not derive from any actual evidence about its utility for weight maintenance or health. In fact if most people tried just eating three meals a day and not snacking with an eye towards weight control then they will very likely fail to maintain that regimen for any significant length of time. This has been demonstrated time and again in research on the topic.
Also while they are working at that, why not ban also stupid users, who don't change their default password.
Oh damn, he got hacked in the beginning of a sentense. Stupid default router admin password.
Is this the most pressing need? CA is a state full of idealists that "fix" things, then move on to the next shiny issue. Five years later, they fix the "fix" that never worked. All the while bleeding money.
You can't "law" stupid away.
No but you can make penalties for it for companies that do stupid things. Companies are supposed to be able to hire smart people to figure this stuff out and if they fail to do that there should be consequences with teeth.
Some things you just have to let them work themselves out.
Product liability isn't one of them. Neither is negligence.
If you have a brand of devices that are constantly getting compromised. People will stop buying them.
HAHAHAHAHAHAAAA!!!! I refer you to Microsoft Windows, Adobe Flash, and Microsoft Office. Not to mention countless shitty routers and IOT devices that get pnwned every day. People buy things all the time with vast security problems that are well known about prior to purchase. Your argument is not supported by facts.
Like requiring unlimited full purchase price refunds wouldnâ(TM)t be a nuclear strike on any industry.
Modern systems already contain functionality to allow any too obvious passwords. It would not be hard, to grab one of those "most popular passwords" lists, and block any passwords in there. Frankly, I'm surprised that isn't already built into modern GNU.
California Government: I need to see your password in order to determine if it's secure. (facepalm)
In general, legislating one particular best practice does not fix an industry. And there are better ways than writing laws. Some ideas:
Any of the above would mean that, for example, California government would no longer buy Western Digital hard drives. These suggestions intentionally do not state what the specific best practices is, and other than the last one they don't require laws, which are slow to change. The specific practices can be defined by some of the many organizations that already do that. Ex: OWASP top 10, static analysis, pen testing, etc. This is similar to what the FDA did with medical devices, to make manufacturers stop doing idiotic things like using unauthenticated Wifi on insulin pumps so hackers could remotely kill people.
I would upvote you. But you're a coward.
How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords.
Well the IoT manufacturer also has to do their job in building whatever web interface they build, but it certainly helps to start from a secure OS.
While having the source code available is helpful to see if there are security issues, that doesn't mean they will be found. Open source doesn't provide for greater security though.
Well it doesn't inherently completely make for better security. It does have some advantages, though. There's the obvious fact that there are generally more eyes on an open source project, so security problems may be more likely to be noticed. Also, frankly, security is hard to do well, and having a bunch of random developers coming up with their own solution will result in a lot of those developers doing it wrong. If you can create a coherent security standard that everyone can work from, then a lot of people have a vested interest in doing it well, and it'll probably be done well.
Obviously there are also downsides. The fact that there are a lot of eyes on the source also might make it easier for someone malicious to find an opening. Also, everyone standardizing on one security standard (or one OS) makes a monoculture. It means there's one big target to exploit, and if you can exploit it, you can get access to pretty much everything.
On the whole, I think it is smart for IoT manufacturers to use an established open source OS, both to save themselves money and to start from a point of relative security... but I think they already do that. AFAIK, a lot of those things are somehow built on Linux or a BSD. I don't think we need a singe OS, but I do think we need to figure out some security standards that establish what constitutes an acceptable level of security for an internet connected device.
I also think that, for consumer protection reasons, there should be some kind of push to open source the software computerized devices and appliances. Manufacturers can too easily stop updating things and drop support, leaving the people who owned it with no options but to replace the device.
You think "security" is something that can be "built in." Security in software development is a mindset. How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords.
Security in everything is a mindset... However a good mindset on it's own is useless. You need to give the user the tools as well.
What we have needed for years in connected home appliances is for the first configuration screen to be "Change this default password before the device becomes usable". Laws here in the UK have meant that ISP's aren't permitted to hand out devices with generic or default passwords, so every router you get has a sticker on it with your individual password.
Calling someone a "hater" only means you can not rationally rebut their argument.
So the details are vague? Morons. If they had any sense, we'd know already if "bad passwords" were defined by a lack of entropy (smart) or a lack of uppercase letters, numbers and symbols (dumb). The lack of any further information suggests California will see the latter, not the former, become law -- especially if the intel community has anything to do with it. Forcing people to adopt the illusion of a strong password would be much more effective than proper password education.
Meanwhile, I'll continue turning my friends and family onto Diceware. It's worked very well so far, most people find it fun.
I'm told that the big drug dealers are already pushing doctors so hard to sell them, that half the US students pop them like candy. (And the other half either soon will, or already takes others that are basically the same thing but illegal for "some reason".)
And given that the US does not have a government, but a council by the corporate oligarchy, which writes all of their laws... as soon as it becomes necessary for profit reasons, it will become a law.
My idea is, everytime a vendor has a security issue on their device, I want a refund. They sold me a defective device with defective software. We need to stop calling software buggy and call it what it really is, DEFECTIVE.
Everything internet connected should be sold with a lifespan and support for X number of years (and labeled as such on the package). They do this with carbon monoxide detectors. After 7 years, they turn off and won't work anymore and just beep constantly. This is safety feature. IOT devices should probably come with the same thing. After they stop receiving patches, they should stop connecting to the internet. This would be a safety feature not only for the purchaser but to protect the rest of the internet too. (On a somewhat unrelated note, DRM "purchases" should also be clearly labeled with an expiration date thru which the company guarantees your ability to play that song/movie)
As far as a bug being a defect, bug free software doesn't exist. For that matter, defect free anything doesn't really exist. We already have a system in place for unknown problems that are discovered after the fact. The products are either recalled and repaired or recalled and replaced depending on what the defect is and how hard it is to fix it. Software shouldn't be treated any different than car seats, airbags, or anything else where defects are sometimes discovered after the fact. With software, it should be easier as in most cases it can be remotely fixed without actually having to send the devices in to be repaired.
California is really becoming a nanny-state now. Laws shouldn't be passed to protect people from stupidity. The only protection against stupidity is education. People should take time to learn a thing or two.
main software developers all building a single OS for IoT with security built in
A software monoculture is great for security. Much more efficient to take down the entire globe at once when a flaw is discovered.
The governor and state legislature in California are doing their best to advance the nanny state to protect all of us. Just recently, they passed a state law that schools could not open before 8:30 am so that the students would get enough sleep. And, of course, the plastic bag and plastic straw bans are spreading across California like a fungus. Now they are passing a law to force us to lock up our wireless routers properly. Next will be a law prescribing a particular method of shoe-tying so that none of us will trip on our laces and get a boo-boo.
SO I a guess all the important issues in California are fix they can now worry about my NEST password.
My idea is, everytime a vendor has a security issue on their device, I want a refund. They sold me a defective device with defective software. We need to stop calling software buggy and call it what it really is, DEFECTIVE.
Do you happen to own a buggy whip factory? Cause your proposal would result in a complete backslide in technology. Humans err. If they did not intentionally create a defect and are willing to help you get it fixed, why do you think you ought to get a refund? Did you get zero utility out of the software before a defect was found?
Provide funding to startup a commercial product security certification organization, similar to what underwriters laboratory (UL) [wikipedia.org] does for safety.
You know what underwriters do? They back insurance risks. Fires are very expensive. There is no financial incentive behind consumer electronics security like there is for insurance agencies to prevent fires.
How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords.
You give that front-end dev a API which is easier to use than rolling their own system (laziness always wins), that is secure (handles salting, peppering, etc. for them).
So I want to set up a honeypot to trap intruders, with 1234 as password.
The state of California is telling me that I can't do that?
No, but apparently actually reading (TFA or even just TFS) is illegal in your state. This is talking about DEFAULT passwords...you know, the one that comes on the device when you first get it. The proposed law says absolutely nothing about the strength of passwords you can set on your own.
LOL stop.
It should require every device that has is connected to have a unique default password, and that password should be printed on a sticker that is afixed to the device in a location that is consumer-accessible, but does not affect functionality or aesthetic appeal (ie, on the bottom or back of the device) if possible, or if and only if the device has no such convenient location, on a similarly sized piece of paper that is packaged with the device.
File under 'M' for 'Manic ranting'
This is how Idiocracy becomes real.
By preventing the stupid from hurting themselves.
My cameras are on an isolated LAN that is air gapped. Since all IP cameras require credentials I use the same username and password for each one. That's only one thing to remember 18 months from now when I might need to mess with one. I don't want a different password that I have to keep track of for each camera. There are many layers to security and user credentials are only one. We don't need legislatures making things more complicated. KISS is the best security.
Stuff like this sounds great in practice, and even makes a good amount of sense - why not use capitalism itself to promote desired behavior? But these kind of restrictions on government purchasing are why government pays twice as much to make what should be easy purchases. "Approved vendors", "preferred suppliers", and "government rates" because it takes so much paperwork. This also excludes small companies who don't have staff dedicated to filling out government paperwork.
The California Government doesn't do this, they should start with themselves first, and all the county and city governments also.
Call the DMV and they only verify you with common, public information.
Isn't it freedom of speech for all my passwords to be 'password'?
Did you forget what the word "serial" means?
Because we want to be sure that we know what person the surveillance devices are watching.
The real question is why we need so many miscelaneous devices connected to the internet with with anything more than a one-way data link.
Just make the default password some ugly long gibberish and the users are likely to change it to their dog's name just because they don't want to type that monstrosity again.
I refuse to sign
Did the driver get use from the vehicle before it burst into flame and killed all of the occupants? I guess the owner has no room to complain. Bugs and security issues will arise. It's how the manufacture deals with the flaws, not if there are flaws. Perfect is the enemy of good, but much software is down right bad. Lets have internal services listen on the WAN with a static password with root access and NEVER gets fixed.
The obvious, but difficult to define, solution is to require the manufacturers to fix security issues in a practical "timely" fashion.
Ivory tower theory is disconnected from reality. Uninformed people looking for the cheapest product will not stop buying. We don't need laws making things illegal, we need lemon laws allowing customers monetary recourse.
You think "security" is something that can be "built in." Security in software development is a mindset.
You mean I can't just order my embedded software from a Chinese menu and check the box for "Yes, security please" ?
My crash course in security paired down to what I could reasonably fit into a post:
The process of threat modeling is a formal analysis of the security of a system. One easy to remember process is to use the mnemonic STRIDE - Spoofing, Tampering, Repudiation (sharing of access tokens or accounts between users, man-in-the-middle, social engineering, phishing scams, etc), Information disclosure, Denial of service, Elevation of privilege.
You can begin to build a picture of your threat models with a tool like SeaMonster. That's only one example there are many other tools available of course, such as Microsoft's SDL Threat Modeling Tool.
A formal process is pretty important, even if it's as basic as a spreadsheet that lists the threats you came up with. Reviewing the list, prioritizing it, and determining a schedule for addressing threats is better than an ad hoc hand waive to developers a week before release. ("Guys, ya, um I'm going to need you to make it secure."). An iterative process for security that begins the same day you start architectural talks is the better way to approach the problem.
“Common sense is not so common.” — Voltaire
that sounds suspiciously like the windows 10 update mindset, and it's a fiasco.
If you buy hardware, it is yours, and you should retain ultimate control over it.
If i'm a dummy and don't update my webcam's password, or refuse to heed the warnings that its security has been compromised -- well guess what? That's my fault, and no on elses.
You know what underwriters do? They back insurance risks. Fires are very expensive.
That's what UL was for back in the 1800s. Things do a lot more than fire safety these days.
There is no financial incentive behind consumer electronics security like there is for insurance agencies to prevent fires.
That's why all of my options included making security a liability for those companies. My last bullet point was explicit financial liability. The other options involved liability of the form "This is a liability because a large organization won't buy my product."
...pays twice as much...
Yes, security costs money. And auditing companies to make sure they comply costs money. Today people demand the cheapest parts possible, so companies don't bother with proper security. If we want security, we have to pay for it. If I had the choice between a Western Digital Passport drive (regarding the story earlier today), and another vendor that had real security but cost twice as much, I would take the one with security. And if California wants secure devices, they should too. Hopefully, we can make a security mindset infectious and it is just the default behavior.
"Approved vendors", "preferred suppliers", and "government rates" because it takes so much paperwork.
Those things already exist so California is already paying for it. No new costs here.
This also excludes small companies who don't have staff dedicated to filling out government paperwork.
It definitely does not. I personally know several 1 to 10-person companies who have gone through that paperwork. Going back to your first point about government contracts being more expensive, this is why it is worth it for a small company to go through that paperwork.
When those security holes are exploited to create botnets that then attack a 3rd party it's not a personal freedom to be stupid issue. Antivaxxers threatening herd immunity is a rather direct analogy.
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
Fuck California and the socialist hell hole it is. I'm pro-security- but it's not up to the government to tell us how to design shit. If customers want security let them speak with there pocket book. If people actually care about security they will seek out our products over the shit most companies put on offer. We probably aren't compliant actually with one of our security-conscious products- but anybody following the directions isn't at risk of anything. The device itself is well designed from a security perspective and changing the design would have significant consequences to the price- needlessly.
Another bull shit socialist law my company refuses to comply with. Fuck the UK. Fuck California. It's not that I think this is a bad practice. It's just that such laws are an abuse of power. Governments should not be doing shit like this in violation of fundamental freedoms. I support free markets and governments tend to cause markets that would otherwise be free markets to get really fucked up. If people want security like me they can purchase the products that don't suck and help fund the projects that lead to products that don't suck. I've funded to the tune of $60,000 of a single critical free software project over the past couple years. Freedom and security don't require government. All it requires is people caring. If you don't care about your security you have no right to bitch or to demand others pay [via government violence] the costs of investigating those who hurt you.
A single OS for IoT is ridiculous. IoT is not like a PC or smartphone where one size fits almost everyone. Every IoT device is unique with unique goals and purposes. What is appropriate for a sensor device that runs unattended for twenty years in the field on a single battery should not have to have the same OS as a consumer IoT device that tells you if your refrigerator is on or not.
This depends upon what the security is for. Validating passwords sounds like an application front end, most IoT devices usually only talk to other devices. So you need to make sure your networking security is good so that you can't be spoofed, and you can verify certificates from neighboring devices or a back office (pre-shared keys is a recipe for disaster). Then you want security so that your device can't be cloned more cheaply by someone else, so lock down the firmware and encrypt it, etc.
Then there are the generic security issues, not related to crypto or authentication. Such as buffer overflows, allowing a drive-by attacker to reboot your device by exploiting known crashes, etc.
Is the web interface on the actual device, or in the back office? I've worked on devices that don't have room to fit even the simplest web interface and with no convenient way to talk to them without specialized equipment. From the devices I've worked on, the security doesn't start in the OS, most small operating systems don't come with security built in and when they do they're inappropriate for your product (ie, you'll rarely find a PKI solution). The OS has no idea what you need as security, what protocols you will be using, how your hardware crypto worksm etc.
Maybe people need to stop thinking of Linux as a "tiny" OS that can be a starting point, when it is gargantuan compared to most small embedded systems. Or maybe people are thinking like "iOS" which has more application framework than actual operating system.
This is fine if a person's freedoms don't interfere with other people's freedoms. Often there's a collision; once two people meet the freedoms they had as isolated individuals are now diminished (either through physical intimidation by one party or a set of rules and guidelines set up by a government). This is not socialism except by the distorted rewriting of the dictionary by the alt-right. Even many rabid libertarians I know agree that government has a responsibility here.
A government clearly has a vested interest in protecting customers from badly built products, including wifi routers. Not every customer should be required to be a guru or to fully educate yourself. The end customer is freely allowed to ignore safety features if they want (but beware of lawsuits if someone else gets hurt).
I say this because I would love incentives for companies to not make gadgets network connected. Some do not need to be. This goes back to how frustrated I get that my microwave insists I enter a date after a power outage. Time is fine. Its a convenient area for a clock to be. There is no reason it needs to know the date and even less of a reason it ever needs to connect to a network.
There's a new breed of libertarian that thinks freedom is about letting a corporation do whatever it wants to do. Apparently even citizens believe that corporations are people too.
If i'm a dummy and don't update my webcam's password, or refuse to heed the warnings that its security has been compromised -- well guess what? That's my fault, and no on elses.
That's fine but ISPs should also start terminating connections of people whose devices are unknowing participants of botnets.
The other problem is that you're assuming there are updates. What happens when that webcam has a security flaw and the company doesn't fix its firmware (or even has the ability to do so). Changing the default password isn't the only problem, it is the idea that the manufacturer's responsibility ends as soon as money is exchanged. There should probably some sort of contract with all but the cheapest devices that the device will get security updates for X number of years. Many cell phones never get a single update after they are sold and cheaper consumer devices get even fewer updates if any.
in the streets of their big cities, used needles too, and the resulting Hep-A debacles. They have taken the "golden state" and made it the state with the highest poverty rates, highest income inequality, and with nearly the worst K through 12 education system - but HEY! they want to write laws about the features of software produced by private companies and sold to free individuals.
[sigh]
These people have no priorities and no common sense, and they despise the free markets.
Many cell phones never get a single update after they are sold and cheaper consumer devices get even fewer updates if any.
How does a cheaper device get fewer than zero updates? Do they revert to an earlier version?
The intent of the law is to make your device more secure, and the initial password change (or any p/w change) is an ideal time to enforce strong p/w security rules.
How long before that happens?
User name: SLIPPERY
Password: SLOPE
Update from the future: The law passed