California May Ban Terrible Default Passwords On Connected Devices (engadget.com)
According to Engadget, the California Senate has sent Governor Jerry Brown draft legislation that would require manufacturers either to use unique preprogrammed passwords or to make you change the credentials the first time you use the device. "Companies will also have to 'equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device,'" reports Engadget. From the report: If Brown signs the bill into law, it will take effect at the beginning of 2020. But critics claim the wording is vague and doesn't go far enough in ensuring manufacturers don't include unsecured features. "It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Robert Graham of Errata Security said in a blog post. "The key to dieting is not eating more but eating less." Given the huge number of connected devices available, it's also not clear how the state plans to enforce and regulate the rules.
It should be a worldwide concerted effort with the main software developers all building a single OS for IoT with security built in and updated every time a change happens, and then have this open sourced to provide greater security and code verification. Currently any old bit of software is dumped on devices with little regard for security etc.
on california government shitsites!! also first
It is called private enforcement. Same way I got a rebate on my DVD player, a replacement Bluetooth speaker when Sony dropped Dash support and that thing with RamBUS.
Yay libertarianism.
About time, it's a good start. But devices should also have a 'BACKDOOR INSTALLED' sticker if that is the case.
And another sticker: 'Device will be unsupported after 1, 2 or n years'. This way consumers will discriminate against throw-away trash.
And a fine if string length overflows happen because of lazy coding and lazy compiles.
You would have thought the FCC or similar would have demanded this decades ago, or a list where you can scan your device and find out if defective with no firmware upgrades available.
Aren't most of these account compromises due to stuff like an incompetent company leaving its database in plaintext or some kid phishing it from or fooling an employee somehow, instead of some master hacker bruteforcing individual passwords that don't follow silly rules like having upper case and symbols?
According to Engadget, the California Senate has sent Governor Jerry Brown draft legislation...
Looking at the actual bill, it has already passed in both the CA Senate and Assembly.
That makes it more than a draft. That's a bill ready to be signed into law, or possibly vetoed.
Maybe it means something else to other people, but when I send someone a draft, it's to solicit comments.
https://www.senate.ca.gov/legislativeprocess
Now instead of a default router password, users will be prompted to change it, thus setting it to 'Password1'.
Progress!
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
So I want to set up a honeypot to trap intruders, with 1234 as password.
The state of California is telling me that I can't do that?
Like so many people who are talking about "dieting", they are both wrong, and have a very short-sighted view.
"Eating less" seems to be the answer, but results in hunger pangs, leading to the person not being able to think about anything else than food, and thus stressing himself out. And guess what that tends to lead to ...
So, start with eating three good, full meals. That definitely helps to quench the snack attacks.
But foremost, try to figure out why you are eating all that stuff (did I already mention stress? I think I did), and try to get it clear in your mind.
Being aware of what makes you eat definitely helps in breaking the habit. Of course, as you are now aware of what bothers you, you also have a chance to eliminate the cause of that stress.
Go figure a somewhat reasonable default is replaced by a consumer who decides they cannot remember the password so they change it to 12345.
Sure, as with any law it will be incomplete, contain loopholes and be vague in certain areas, but at least it is better than nothing.
Default passwords are a big part of the security issues of IoT devices, so if we can already scrap that off the list of things to worry about, that can only be a good thing.
On a long enough timeline, the survival rate for everyone drops to zero.
I've also heard there are new laws in the planning that will require everyone in California be happy and rich.
Can't wait to see how those are enforced.
OK. I drop my toothbrush and it breaks. So I go to the store and find all six of the toothbrushes I can choose from are internet connected. I pick one, go home, plug it in. Now I enter a new password. How do I do that? It's a toothbrush.
------
My (conceptual and imaginary) grandmother buys a new "smart" TV. (Seriously, "They" apparently don't make dumb TVs any more). She plugs it in getting many of the connections right. It asks (in colloquial Latvian because it's a bit confused about where it is) for a new password. She at least has an input device-- the remote. She pushes random buttons until the weird prompt(s) go away. Congratulations grandma, you've set an unknown password and effectively bricked your new TV. Who is going to unbrick it? How?
-----
I'm not sure the world needs politicians "solving" problems nobody understands. Quite likely a case of "Now you have two Problems"
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Does everyone in the tech industry have to use vegan references in an analogy that is completely preposterous?
The better analogy would be like classifying all driver's licenses as aviation licenses. Then you'll have millions of untrained and uneducated pilots flying airplanes.
The moral of the story: a vast majority of people who use a network should probably not be allowed to use the network or internet without a personal administrator. If you are going to allow all people to use the internet without IT supervision, then deal with the consequences of delinquency on the internet. You can't fix it. No sense in bitching about it.
Dieting is keeping check on what you eat. If you want to gain weight you eat more; if you want to lose weight you eat less (than you burn).
If people are going to use analogies they should be sure that they understand the thing they use as an analogy.
The problem is that fat people have a massive Leptin resistance. Meaning they are numb to their body's signal that they are full.
Which is caused by certain gut bacteria flooding the body with it.
Which, itself, is caused by there being so damn many of those bacteria.
And those are there, because they feed on pure carbs. Not whole natural cells, like any plant, but extracted, processed, and condensed carbs, without the required accompanying ingredients, that keep the bacteria from causing an inflammation.
(So carbs are not bad per se. It's the imbalance and denaturation. Any other imbalance [like pure salt] or denaturation [like denatured dairy] would be just as bad.)
When you eat an actually balanced and natural diet, all that happens with high-energy food like fat, is that you are full much quicker. And you can still stuff yourself with low-energy food to the max, and not get fat.
So you simply cannot eat too much, since you will not want to.
The will to eat more than you need, is the illness. And no amount of "willpower" (read: harmful ignorance of the body's signals to freakin change!) is going to fix that. You will only become a stupid ignorant masochist. Only banning those highly purified things, that are essentially drugs, from your life, can.
I'm not sure this is going to cause anything other than a bunch of insecure devices disappearing off store shelves in California specifically. Don't get me wrong, this is progress, but it's not the kind of really fast progress that is actually needed seeing how really badly secured devices being sold today are going to be causing us issues decades from now.
The fundamental issue is that most IOT gear is really just really cheaply made and designed white box devices from obscure Chinese vendors consumers have never heard of and which the companies under whose name the devices are sold to consumers just order them from the vendor with their name and logos slapped on at the vendor's factory. Until you can force the white box vendors to properly secure their cheaply made and designed hardware, we're just not going to be able to make a dent in the problem.
"Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."
Typical non-thinking government. Create abstract rules/laws that actually do nothing or more harm.
You can't "law" stupid away. Some things you just have to let them work themselves out. If you have a brand of devices that are constantly getting compromised, people will stop buying them.
How about internet connected devices are required to have a built-in (and network assisted, since by definition the network is available when this matters) password cracking subsystem. When the subsystem guesses your password, you are required to change your password.
And, for good measure, when a password is reset due to a self-breaking, the broken password is added to the networked repository of passwords-to-check-first.
A unique password made by a password generator at the time of programming or when they load the software/firmware on it, and a label printed on a card or tag tied or taped on to the device, included with that password during packaging.
Politics is Treachery, Religion is Brainwashing
Instead of doing dumb laws that no one could implement realistically, how about you put a ban on routers that allow NAT/port forward?!? This way, all those IoT devices would work in the LAN, and if you so damn want to, I don't know, control your lights from your workplace to feel good about yourself, just use a VPN (OpenVPN is a decent free alternative), connect to your local network and do w/e the fuck you wanted to do in the first place. This way your devices will never be exposed to outside threats. There, boom, problem solved.
The actual issue is that it's way too easy to open router ports. And a lot of people abuse this right.
Even if you are on a dynamic IP you can use stuff like DynDNS to have a single endpoint to your home network.
Once that's done, your bloody IoT password could be randomized 4 zeroes or some shit.
You can't "law" stupid away. Some things you just have to let them work themselves out. If you have a brand of devices that are constantly getting compromised, people will stop buying them.
"Voting with your dollars" doesn't always work.
(IMO it rarely works. But that's another debate)
You think "security" is something that can be "built in." Security in software development is a mindset.
A mindset in a software developer's head is a useless thing to an end user. It might start there but it has to actually become something more than that. Ultimately security has to manifest itself in products (software and hardware) and processes to use those products. A developer's mindset will not keep a network or device or data safe any more than an engineer thinking about how to stop a car will actually cause one to halt. So yes, security ultimately has to be built into whatever device(s) and software you are using.
My idea is, every time a vendor has a security issue on their device, I want a refund.
Then you would have no devices because it's impossible to prove that non trivial devices and software have no security issues. Nobody could ship a product and be sure there was no security issue they missed. It is arguably reasonable however to apply strict product liability laws to software and to hold companies financially accountable for damages. Current application of product liability laws routinely provide software makers too much wiggle room to avoid responsibility for their failures, particularly with regard to security.
Unfortunately California doesn't ban California. That would be progress.
So, start with eating three good, full meals. That definitely helps to quench the snack attacks.
I'm guessing you've never really actually tried to lose weight. That is definitively NOT the advice you will receive from experts on the subject. The three squares a day idea does not derive from any actual evidence about its utility for weight maintenance or health. In fact if most people tried just eating three meals a day and not snacking with an eye towards weight control then they will very likely fail to maintain that regimen for any significant length of time. This has been demonstrated time and again in research on the topic.
Also while they are working at that, why not ban also stupid users, who don't change their default password.
Oh damn, he got hacked in the beginning of a sentence. Stupid default router admin password.
Is this the most pressing need? CA is a state full of idealists that "fix" things, then move on to the next shiny issue. Five years later, they fix the "fix" that never worked. All the while bleeding money.
You can't "law" stupid away.
No but you can make penalties for it for companies that do stupid things. Companies are supposed to be able to hire smart people to figure this stuff out and if they fail to do that there should be consequences with teeth.
Some things you just have to let them work themselves out.
Product liability isn't one of them. Neither is negligence.
If you have a brand of devices that are constantly getting compromised. People will stop buying them.
HAHAHAHAHAHAAAA!!!! I refer you to Microsoft Windows, Adobe Flash, and Microsoft Office. Not to mention countless shitty routers and IOT devices that get pwned every day. People buy things all the time with vast security problems that are well known about prior to purchase. Your argument is not supported by facts.
Modern systems already contain functionality to disallow any too obvious passwords. It would not be hard to grab one of those "most popular passwords" lists, and block any passwords in there. Frankly, I'm surprised that isn't already built into modern GNU.
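An added illustration of the blocklist check this comment describes (example code, not from the page or from any OS vendor). The ten-entry list is a constructed sample standing in for a published "most common passwords" list, and the normalization step that folds leet-speak and trailing digits back to the base word is an assumption of the example, added so trivial variants of a blocked password are caught too.

```python
"""Reject passwords that appear on a 'most common passwords' list.

Added example; not code from the page or from any operating system.
"""
import string

# Constructed sample of a "most common passwords" list. A real deployment
# would load a published list (tens of thousands of entries) from a file.
SAMPLE_BLOCKLIST = {
    "123456", "password", "12345678", "qwerty", "admin", "letmein",
    "welcome", "iloveyou", "password1", "abc123",
}

# Single-character substitutions users apply to dodge a naive blocklist
# ("P@ssw0rd" -> "password"). The table is an assumption of this example.
_LEET = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "!": "i", "4": "a", "5": "s", "7": "t",
})


def normalize(password: str) -> str:
    """Lower-case, strip trailing digits/symbols, then undo leet substitutions,
    so 'P@ssw0rd1!' and 'Admin123' collapse to 'password' and 'admin'."""
    p = password.lower().rstrip(string.digits + string.punctuation)
    return p.translate(_LEET)


def is_blocked(password: str, blocklist=SAMPLE_BLOCKLIST) -> bool:
    """True if the password, or its normalized form, is on the blocklist.
    The raw lower-cased value is checked too, so all-digit entries such as
    '123456' (which normalize to the empty string) are still caught."""
    candidates = {password.lower(), normalize(password)}
    return any(c in blocklist for c in candidates)


def check_password(password: str) -> tuple[bool, str]:
    """Policy entry point: returns (accepted, reason)."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if is_blocked(password):
        return False, "matches a commonly used password"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd1!", "Admin123", "correct horse battery staple"]:
        print(f"{pw!r:34} -> {check_password(pw)}")
```

The blocklist lookup is a set membership test, so a list of a few hundred thousand entries costs nothing per check; the normalization is what turns a literal list into one that also catches the "Password1" outcome several commenters predict.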
California Government: I need to see your password in order to determine if it's secure. (facepalm)
In general, legislating one particular best practice does not fix an industry. And there are better ways than writing laws. Some ideas:
Any of the above would mean that, for example, California government would no longer buy Western Digital hard drives. These suggestions intentionally do not state what the specific best practices are, and other than the last one they don't require laws, which are slow to change. The specific practices can be defined by some of the many organizations that already do that. Ex: OWASP top 10, static analysis, pen testing, etc. This is similar to what the FDA did with medical devices, to make manufacturers stop doing idiotic things like using unauthenticated Wifi on insulin pumps so hackers could remotely kill people.
I would upvote you. But you're a coward.
So the details are vague? Morons. If they had any sense, we'd know already if "bad passwords" were defined by a lack of entropy (smart) or a lack of uppercase letters, numbers and symbols (dumb). The lack of any further information suggests California will see the latter, not the former, become law -- especially if the intel community has anything to do with it. Forcing people to adopt the illusion of a strong password would be much more effective than proper password education.
Meanwhile, I'll continue turning my friends and family onto Diceware. It's worked very well so far, most people find it fun.
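An added example for the two points in this comment, entropy versus character-class rules and Diceware (example code, not from the page or from the Diceware project). It shows a composition rule accepting "P@ssw0rd1!" while rejecting a four-word passphrase, and computes passphrase entropy from the generation process rather than from the characters present. The eight-word list is a constructed stand-in for the real 7776-word Diceware list; the composition rule is a typical one, assumed here.

```python
"""Entropy of generated passphrases versus 'upper, digit, symbol' rules.

Added example; not code from the page or from the Diceware project.
"""
import math
import secrets

# Constructed stand-in wordlist. A real Diceware list has 6**5 == 7776
# words, one per five-dice roll.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple",
                   "kale", "chips", "router", "toothbrush"]
DICEWARE_LIST_SIZE = 6 ** 5


def passes_composition_rules(pw: str) -> bool:
    """The 'must contain upper case, digit and symbol' rule the comment calls dumb."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def passphrase_entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase whose words are drawn uniformly and independently:
    each word contributes log2(list_size) bits, whatever the word looks like."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count reaching the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def rolls_to_index(rolls: str) -> int:
    """Map a physical five-dice roll such as '31415' to a 0-based index
    into a 7776-word list ('11111' -> 0, '66666' -> 7775)."""
    if len(rolls) != 5 or any(d not in "123456" for d in rolls):
        raise ValueError("need exactly five dice values 1-6")
    return sum((int(d) - 1) * 6 ** (4 - i) for i, d in enumerate(rolls))


def diceware_passphrase(n_words: int, wordlist=SAMPLE_WORDLIST) -> str:
    """Software version: pick words with the OS CSPRNG (secrets), never random.random()."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "correct horse battery staple"]:
        print(f"{pw!r:34} composition rule: {passes_composition_rules(pw)}")
    print("6 Diceware words:", round(passphrase_entropy_bits(6), 1), "bits")
    print("words for 80 bits:", words_needed(80))
    print("sample phrase from constructed list:", diceware_passphrase(5))
```

The composition rule has no way to tell that "P@ssw0rd1!" is a dictionary word with substitutions, which is exactly the "illusion of a strong password" the comment objects to; the passphrase entropy figure, by contrast, is exact because it is a property of how the phrase was generated, not of which words came out.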
I'm told that the big drug dealers are already pushing doctors so hard to sell them, that half the US students pop them like candy. (And the other half either soon will, or already takes others that are basically the same thing but illegal for "some reason".)
And given that the US does not have a government, but a council by the corporate oligarchy, which writes all of their laws... as soon as it becomes necessary for profit reasons, it will become a law.
California is really becoming a nanny-state now. Laws shouldn't be passed to protect people from stupidity. The only protection against stupidity is education. People should take time to learn a thing or two.
The governor and state legislature in California are doing their best to advance the nanny state to protect all of us. Just recently, they passed a state law that schools could not open before 8:30 am so that the students would get enough sleep. And, of course, the plastic bag and plastic straw bans are spreading across California like a fungus. Now they are passing a law to force us to lock up our wireless routers properly. Next will be a law prescribing a particular method of shoe-tying so that none of us will trip on our laces and get a boo-boo.
So I guess all the important issues in California are fixed; they can now worry about my NEST password.
Provide funding to start up a commercial product security certification organization, similar to what Underwriters Laboratories (UL) [wikipedia.org] does for safety.
You know what underwriters do? They back insurance risks. Fires are very expensive. There is no financial incentive behind consumer electronics security like there is for insurance agencies to prevent fires.
It should require every device that is connected to have a unique default password, and that password should be printed on a sticker that is affixed to the device in a location that is consumer-accessible, but does not affect functionality or aesthetic appeal (i.e., on the bottom or back of the device) if possible, or if and only if the device has no such convenient location, on a similarly sized piece of paper that is packaged with the device.
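An added example of the scheme this comment and an earlier one propose: a unique password generated per unit at programming time, printed on the label shipped with the device, with only a salted hash kept on the device (example code, not from the page or from any vendor). It also covers the bill's alternative path, a forced change on first login. The serial numbers, label format and record layout are constructed for the example, and the PBKDF2 round count is an assumption.

```python
"""Per-device unique factory credentials: CSPRNG generation, hashed storage,
and forced rotation on first use.

Added example; not code from the page or from any device vendor.
"""
import hashlib
import hmac
import secrets

# Characters that read unambiguously off a sticker (no 0/O or 1/l/I).
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 100_000  # assumption; tune to the device's CPU budget


def generate_factory_password(length: int = 12) -> str:
    """Each character comes from the OS CSPRNG; ~5.8 bits each, ~70 bits at 12."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_device(serial: str, force_change: bool = False) -> tuple[dict, str]:
    """Factory step: generate the unit's password, keep only salt+hash in the
    device record, and return the label text to print. The plaintext is never
    stored; the printed label is the only copy."""
    password = generate_factory_password()
    salt = secrets.token_bytes(16)
    record = {
        "serial": serial,
        "salt": salt,
        "digest": _hash(password, salt),
        "must_change": force_change,  # the bill's alternative: change on first use
    }
    label = f"{serial}  default password: {password}"
    return record, label


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    return hmac.compare_digest(_hash(password, record["salt"]), record["digest"])


def login(record: dict, password: str) -> str:
    """Returns 'denied', 'change_required' or 'ok'."""
    if not verify(record, password):
        return "denied"
    return "change_required" if record["must_change"] else "ok"


def change_password(record: dict, current: str, new: str) -> bool:
    """Rotate the credential: requires the current one, re-salts, clears the flag."""
    if not verify(record, current) or len(new) < 8:
        return False
    record["salt"] = secrets.token_bytes(16)
    record["digest"] = _hash(new, record["salt"])
    record["must_change"] = False
    return True


def password_from_label(label: str) -> str:
    """What the consumer reads off the sticker (used by the demo below)."""
    return label.rsplit(": ", 1)[1]


if __name__ == "__main__":
    # Constructed serial number for the demo.
    record, label = provision_device("SN-EXAMPLE-0001", force_change=True)
    print("label to print:", label)
    pw = password_from_label(label)
    print("first login:", login(record, pw))
    print("rotate:", change_password(record, pw, "CorrectHorseBattery"))
    print("old password now:", login(record, pw))
```

Because the plaintext exists only on the label, a leak of the device's firmware image or of the vendor's provisioning database exposes salted hashes rather than the passwords themselves, and two units from the same production run never share a credential.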
File under 'M' for 'Manic ranting'
This is how Idiocracy becomes real.
By preventing the stupid from hurting themselves.
My cameras are on an isolated LAN that is air gapped. Since all IP cameras require credentials I use the same username and password for each one. That's only one thing to remember 18 months from now when I might need to mess with one. I don't want a different password that I have to keep track of for each camera. There are many layers to security and user credentials are only one. We don't need legislatures making things more complicated. KISS is the best security.
Stuff like this sounds great in practice, and even makes a good amount of sense - why not use capitalism itself to promote desired behavior? But these kinds of restrictions on government purchasing are why government pays twice as much to make what should be easy purchases. "Approved vendors", "preferred suppliers", and "government rates" because it takes so much paperwork. This also excludes small companies who don't have staff dedicated to filling out government paperwork.
The California Government doesn't do this, they should start with themselves first, and all the county and city governments also.
Call the DMV and they only verify you with common, public information.
Isn't it freedom of speech for all my passwords to be 'password'?
Did you forget what the word "serial" means?
Because we want to be sure that we know what person the surveillance devices are watching.
The real question is why we need so many miscellaneous devices connected to the internet with anything more than a one-way data link.
Just make the default password some ugly long gibberish and the users are likely to change it to their dog's name just because they don't want to type that monstrosity again.
I refuse to sign
Ivory tower theory is disconnected from reality. Uninformed people looking for the cheapest product will not stop buying. We don't need laws making things illegal, we need lemon laws allowing customers monetary recourse.
You know what underwriters do? They back insurance risks. Fires are very expensive.
That's what UL was for back in the 1800s. Things do a lot more than fire safety these days.
There is no financial incentive behind consumer electronics security like there is for insurance agencies to prevent fires.
That's why all of my options included making security a liability for those companies. My last bullet point was explicit financial liability. The other options involved liability of the form "This is a liability because a large organization won't buy my product."
...pays twice as much...
Yes, security costs money. And auditing companies to make sure they comply costs money. Today people demand the cheapest parts possible, so companies don't bother with proper security. If we want security, we have to pay for it. If I had the choice between a Western Digital Passport drive (regarding the story earlier today), and another vendor that had real security but cost twice as much, I would take the one with security. And if California wants secure devices, they should too. Hopefully, we can make a security mindset infectious and it is just the default behavior.
"Approved vendors", "preferred suppliers", and "government rates" because it takes so much paperwork.
Those things already exist so California is already paying for it. No new costs here.
This also excludes small companies who don't have staff dedicated to filling out government paperwork.
It definitely does not. I personally know several 1 to 10-person companies who have gone through that paperwork. Going back to your first point about government contracts being more expensive, this is why it is worth it for a small company to go through that paperwork.
When those security holes are exploited to create botnets that then attack a 3rd party it's not a personal freedom to be stupid issue. Antivaxxers threatening herd immunity is a rather direct analogy.
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
Fuck California and the socialist hell hole it is. I'm pro-security- but it's not up to the government to tell us how to design shit. If customers want security let them speak with their pocketbook. If people actually care about security they will seek out our products over the shit most companies put on offer. We probably aren't compliant actually with one of our security-conscious products- but anybody following the directions isn't at risk of anything. The device itself is well designed from a security perspective and changing the design would have significant consequences to the price- needlessly.
I say this because I would love incentives for companies to not make gadgets network connected. Some do not need to be. This goes back to how frustrated I get that my microwave insists I enter a date after a power outage. Time is fine. It's a convenient area for a clock to be. There is no reason it needs to know the date and even less of a reason it ever needs to connect to a network.
in the streets of their big cities, used needles too, and the resulting Hep-A debacles. They have taken the "golden state" and made it the state with the highest poverty rates, highest income inequality, and with nearly the worst K through 12 education system - but HEY! they want to write laws about the features of software produced by private companies and sold to free individuals.
[sigh]
These people have no priorities and no common sense, and they despise the free markets.
Update from the future: The law passed