California May Ban Terrible Default Passwords On Connected Devices (engadget.com)
According to Engadget, the California Senate has sent Governor Jerry Brown draft legislation that would require manufacturers either to use unique preprogrammed passwords or to make you change the credentials the first time you use the device. "Companies will also have to 'equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device,'" reports Engadget. From the report: If Brown signs the bill into law, it will take effect at the beginning of 2020. But critics claim the wording is vague and doesn't go far enough in ensuring manufacturers don't include unsecured features. "It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Robert Graham of Errata Security said in a blog post. "The key to dieting is not eating more but eating less." Given the huge number of connected devices available, it's also not clear how the state plans to enforce and regulate the rules.
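The two paths the bill allows (a unique per-device factory credential, or a forced change on first use) are easy to get wrong if the factory credential keeps working after setup. This added example, not from the bill, Engadget or any vendor, sketches a first-boot credential gate: the factory password is generated per unit, opens only the password-change flow, cannot be reused as the new password, and stops working once a new one is set. The KNOWN_DEFAULTS list is a constructed sample, and the 12-character minimum is an assumed policy.

```python
import hashlib
import hmac
import secrets

# Constructed sample of well-known factory defaults the device must never accept.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "default", "root"}


def generate_unique_default() -> str:
    """Per-unit factory credential from a CSPRNG, never shared across devices."""
    return secrets.token_urlsafe(12)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAuth:
    """Minimal first-boot credential gate (assumed design, not from the bill)."""

    def __init__(self, factory_password: str):
        self.factory_salt = secrets.token_bytes(16)
        self.factory_hash = _hash(factory_password, self.factory_salt)
        self.salt, self.pw_hash = self.factory_salt, self.factory_hash
        self.must_change = True  # factory credential is for provisioning only

    def login(self, password: str) -> str:
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return "denied"
        # Until the owner sets a password, the only permitted action is changing it.
        return "change_required" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> bool:
        if self.login(current) == "denied":
            return False
        if new in KNOWN_DEFAULTS or len(new) < 12:  # assumed minimum length policy
            return False
        if hmac.compare_digest(_hash(new, self.factory_salt), self.factory_hash):
            return False  # the factory credential cannot be kept as the new one
        self.salt = secrets.token_bytes(16)  # fresh salt for the owner's password
        self.pw_hash = _hash(new, self.salt)
        self.must_change = False
        return True
```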
Like so many people who talk about "dieting", they are both wrong and have a very short-sighted view.
"Eating less" seems to be the answer, but it results in hunger pangs, leading to the person not being able to think about anything other than food, and thus stressing himself out. And guess what that tends to lead to ...
So, start with eating three good, full meals. That definitely helps to quench the snack attacks.
But foremost, try to figure out why you are eating all that stuff (did I already mention stress? I think I did), and try to get it clear in your mind.
Being aware of what makes you eat definitely helps in breaking the habit. Of course, as you are now aware of what bothers you, you also have a chance to eliminate the cause of that stress.
You think "security" is something that can be "built in." Security in software development is a mindset. How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords?
While having the source code available is helpful to see if there are security issues, that doesn't mean they will be found. Open source doesn't provide for greater security though. Open source == licensing model, not a security process.
With many software projects, open source or closed, there are often only a few people who understand the software well enough to even notice those bugs.
I don't think forcing a particular operating system down vendors' throats is the solution. My idea is, every time a vendor has a security issue on their device, I want a refund. They sold me a defective device with defective software. We need to stop calling software buggy and call it what it really is, DEFECTIVE.
I'm not sure this is going to cause anything other than a bunch of insecure devices disappearing off store shelves in California specifically. Don't get me wrong, this is progress, but it's not the kind of really fast progress that is actually needed seeing how really badly secured devices being sold today are going to be causing us issues decades from now.
The fundamental issue is that most IoT gear is really just cheaply made and designed white box devices from obscure Chinese vendors consumers have never heard of, which the companies under whose name the devices are sold just order from the vendor with their name and logos slapped on at the vendor's factory. Until you can force the white box vendors to properly secure their cheaply made and designed hardware, we're just not going to be able to make a dent in the problem.
"Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."