Slashdot Mirror
California May Ban Terrible Default Passwords On Connected Devices (engadget.com)
According to Engadget, the California Senate has sent Governor Jerry Brown draft legislation that would require manufacturers to either have to use unique preprogrammed passwords or make you change the credentials the first time you use it. "Companies will also have to 'equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device,'" reports Engadget. From the report: If Brown signs the bill into law, it will take effect at the beginning of 2020. But critics claim the wording is vague and doesn't go far enough in ensuring manufacturers don't include unsecured features. "It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Robert Graham of Errata Security said in a blog post. "The key to dieting is not eating more but eating less." Given the huge number of connected devices available, it's also not clear how the state plans to enforce and regulate the rules.
About time, its a good start. But devices should also have a 'BACKDOOR INSTALLED" sticker if that is the case.
And another sticker 'Device will be unsupported after 1 2 or n years. This way consumers will discriminate against throw away trash
And a fine if string length overflows happen because of lazy coding and lazy compiles.
You would have thought the FCC or similar would have demanded this decades ago, or a list where you can scan your device and find out if defective with no firmware upgrades available.
aren't most of these account compromises due to stuff like an incompetent company leaving its database in plaintext or some kid phishing it from or fooling an employee somehow instead of some master hacker bruteforcing individual passwords that don't follow silly rules like having upper case and symbols?
Now instead of a default router password, users will be prompted to change it, thus setting it to 'Password1'.
Progress!
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Go figure a somewhat reasonable default is replaced by a consumer who decides they cannot remember the password so they change it to 12345.
You think "security" is something that can be "built in." Security in software development is a mindset. How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords.
While having the source code available is helpful to see if there are security issues, that doesn't mean they will be found. Open source doesn't provide for greater security though. Open source == licensing model, not a security process.
With many software projects, open source or closed, there are often only a few people who understand the software well enough to even notice those bugs.
I don't think forcing a particular operating system down vendors throat is the solution. My idea is, everytime a vendor has a security issue on their device, I want a refund. They sold me a defective device with defective software. We need to stop calling software buggy and call it what it really is, DEFECTIVE.
I've also heard there are new laws in the planning that will require everyone in California be happy and rich.
Can't wait to see how those are enforced.
OK. I drop my toothbrush and it breaks. So I go to the store and find all six of the toothbrushes I can choose from are internet connected. I pick one, go home, plug it in. Now I enter a new password. How do I do that? It's a toothbrush.
------
My (conceptual and imaginary) grandmother buys a new "smart" TV. (Seriously, "They" apparently don't make dumb TVs any more). She plugs it in getting many of the connections right. It asks (in colloquial Latvian because it's a bit confused about where it is) for a new password. She at least has an input device-- the remote. She pushes random buttons until the weird prompt(s) go away. Congratulations grandma, you've set an unknown password and effectively bricked your new TV. Who is going to unbrick it? How?
-----
I'm not sure the world needs politicians "solving" problems nobody understands. Quite likely a case of "Now you have two Problems"
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Does everyone in the tech industry have to use vegan references in an analogy that is completely preposterous?
The better analogy would be like classifying all driver's licenses as aviation licenses. Then you'll have millions of untrained, and uneducated pilots flying airplanes.
The moral of the story; A vast majority of people who use a network, should probably not be allowed to use the network or internet without a personal administrator. If you are going to allow all people to use the internet without IT supervision, than deal with the consequences of delinquency on the internet. You can't fix it. No sense in bitching about it.
I'm not sure this is going to cause anything other than a bunch of insecure devices disappearing off store shelves in California specifically. Don't get me wrong, this is progress, but it's not the kind of really fast progress that is actually needed seeing how really badly secured devices being sold today are going to be causing us issues decades from now.
The fundamental issue is that most IOT gear is really just really cheaply made and designed white box devices from obscure Chinese vendors consumers have never heard of and which the companies under whose name the devices are sold to consumers just order them from the vendor with their name and logos slapped on at the vendor's factory. Until you can force the white box vendors to properly secure their cheaply made and designed hardware, we're just not going to be able to make a dent in the problem.
"Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."
typical non-thinking government. create abstract rules/laws, that actually do nothing or more harm
You can't "law" stupid away. Some things you just have to let them work themselves out. If you have a brand of devices that are constantly getting compromised. People will stop buying them. i
a unique password made by a password generator at the time of programming or when they load the software/firmware on it, and a label printed on a card or tag tied or taped on to the device included with that password during packaging
Politics is Treachery, Religion is Brainwashing
You think "security" is something that can be "built in." Security in software development is a mindset.
A mindset in a software developers head is a useless thing to an end user. It might start there but it has to actually become something more than that. Ultimately security has to manifest itself in products (software and hardware) and processes to use those products. A developer's mindset will not keep a network or device or data safe any more than and engineer thinking about how to stop a car will actually cause one to halt. So yes, security ultimately has to be built into whatever device(s) and software you are using.
My idea is, everytime a vendor has a security issue on their device, I want a refund.
Then you would have no devices because it's impossible to prove that non trivial devices and software have no security issues. Nobody could ship a product and be sure there was no security issue they missed. It is arguably reasonable however to apply strict product liability laws to software and to hold companies financially accountable for damages. Current application of product liability laws routinely provide software makers too much wiggle room to avoid responsibility for their failures, particularly with regard to security.
Is this the most pressing need? CA is a state full of idealists that "fix" things, then move on to the next shiny issue. Five years later, they fix the "fix" that never worked. All the while bleeding money.
You can't "law" stupid away.
No but you can make penalties for it for companies that do stupid things. Companies are supposed to be able to hire smart people to figure this stuff out and if they fail to do that there should be consequences with teeth.
Some things you just have to let them work themselves out.
Product liability isn't one of them. Neither is negligence.
If you have a brand of devices that are constantly getting compromised. People will stop buying them.
HAHAHAHAHAHAAAA!!!! I refer you to Microsoft Windows, Adobe Flash, and Microsoft Office. Not to mention countless shitty routers and IOT devices that get pnwned every day. People buy things all the time with vast security problems that are well known about prior to purchase. Your argument is not supported by facts.
California Government: I need to see your password in order to determine if it's secure. (facepalm)
In general, legislating one particular best practice does not fix an industry. And there are better ways than writing laws. Some ideas:
Any of the above would mean that, for example, California government would no longer buy Western Digital hard drives. These suggestions intentionally do not state what the specific best practices is, and other than the last one they don't require laws, which are slow to change. The specific practices can be defined by some of the many organizations that already do that. Ex: OWASP top 10, static analysis, pen testing, etc. This is similar to what the FDA did with medical devices, to make manufacturers stop doing idiotic things like using unauthenticated Wifi on insulin pumps so hackers could remotely kill people.
I would upvote you. But you're a coward.
How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords.
Well the IoT manufacturer also has to do their job in building whatever web interface they build, but it certainly helps to start from a secure OS.
While having the source code available is helpful to see if there are security issues, that doesn't mean they will be found. Open source doesn't provide for greater security though.
Well it doesn't inherently completely make for better security. It does have some advantages, though. There's the obvious fact that there are generally more eyes on an open source project, so security problems may be more likely to be noticed. Also, frankly, security is hard to do well, and having a bunch of random developers coming up with their own solution will result in a lot of those developers doing it wrong. If you can create a coherent security standard that everyone can work from, then a lot of people have a vested interest in doing it well, and it'll probably be done well.
Obviously there are also downsides. The fact that there are a lot of eyes on the source also might make it easier for someone malicious to find an opening. Also, everyone standardizing on one security standard (or one OS) makes a monoculture. It means there's one big target to exploit, and if you can exploit it, you can get access to pretty much everything.
On the whole, I think it is smart for IoT manufacturers to use an established open source OS, both to save themselves money and to start from a point of relative security... but I think they already do that. AFAIK, a lot of those things are somehow built on Linux or a BSD. I don't think we need a singe OS, but I do think we need to figure out some security standards that establish what constitutes an acceptable level of security for an internet connected device.
I also think that, for consumer protection reasons, there should be some kind of push to open source the software computerized devices and appliances. Manufacturers can too easily stop updating things and drop support, leaving the people who owned it with no options but to replace the device.
If you lookup low carb high fat (LCHF), ketogenic, and carnivore proponents and experimenters, they're the ones getting the long lasting results.
I call myself "semi-keto". Greatly reduced carbs (was eating rice probably 3-4 times a week and potatoes 2-3 times a week), but also trying to stay away from really high fat (cook mostly with olive oil, not butter). Pretty sure I haven't gone into ketosis but still down about 15 lbs since Aug 1 and it's still a pretty filling diet.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
You think "security" is something that can be "built in." Security in software development is a mindset. How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords.
Security in everything is a mindset... However a good mindset on it's own is useless. You need to give the user the tools as well.
What we have needed for years in connected home appliances is for the first configuration screen to be "Change this default password before the device becomes usable". Laws here in the UK have meant that ISP's aren't permitted to hand out devices with generic or default passwords, so every router you get has a sticker on it with your individual password.
Calling someone a "hater" only means you can not rationally rebut their argument.
My idea is, everytime a vendor has a security issue on their device, I want a refund. They sold me a defective device with defective software. We need to stop calling software buggy and call it what it really is, DEFECTIVE.
Everything internet connected should be sold with a lifespan and support for X number of years (and labeled as such on the package). They do this with carbon monoxide detectors. After 7 years, they turn off and won't work anymore and just beep constantly. This is safety feature. IOT devices should probably come with the same thing. After they stop receiving patches, they should stop connecting to the internet. This would be a safety feature not only for the purchaser but to protect the rest of the internet too. (On a somewhat unrelated note, DRM "purchases" should also be clearly labeled with an expiration date thru which the company guarantees your ability to play that song/movie)
As far as a bug being a defect, bug free software doesn't exist. For that matter, defect free anything doesn't really exist. We already have a system in place for unknown problems that are discovered after the fact. The products are either recalled and repaired or recalled and replaced depending on what the defect is and how hard it is to fix it. Software shouldn't be treated any different than car seats, airbags, or anything else where defects are sometimes discovered after the fact. With software, it should be easier as in most cases it can be remotely fixed without actually having to send the devices in to be repaired.
California is really becoming a nanny-state now. Laws shouldn't be passed to protect people from stupidity. The only protection against stupidity is education. People should take time to learn a thing or two.
main software developers all building a single OS for IoT with security built in
A software monoculture is great for security. Much more efficient to take down the entire globe at once when a flaw is discovered.
The governor and state legislature in California are doing their best to advance the nanny state to protect all of us. Just recently, they passed a state law that schools could not open before 8:30 am so that the students would get enough sleep. And, of course, the plastic bag and plastic straw bans are spreading across California like a fungus. Now they are passing a law to force us to lock up our wireless routers properly. Next will be a law prescribing a particular method of shoe-tying so that none of us will trip on our laces and get a boo-boo.
My idea is, everytime a vendor has a security issue on their device, I want a refund. They sold me a defective device with defective software. We need to stop calling software buggy and call it what it really is, DEFECTIVE.
Do you happen to own a buggy whip factory? Cause your proposal would result in a complete backslide in technology. Humans err. If they did not intentionally create a defect and are willing to help you get it fixed, why do you think you ought to get a refund? Did you get zero utility out of the software before a defect was found?
Provide funding to startup a commercial product security certification organization, similar to what underwriters laboratory (UL) [wikipedia.org] does for safety.
You know what underwriters do? They back insurance risks. Fires are very expensive. There is no financial incentive behind consumer electronics security like there is for insurance agencies to prevent fires.
Nothing would be better compared to a law that is incomplete, full of loopholes, vague, with little enforcement possible, and used selectively as a political tool.
But as usual you proved why Democrats and Republicans keep getting elected.
Yup, you are correct. Then on top of that we can add Civil Asset Forfeiture. Govt: We are keeping your iPhone X because it was used during a violation of the password law.
Then there will be the #1234 movement. In the future, a conservative Supreme Court nominee will get borked because of a weak password used on a device 35 years ago was in violation of the law. Some ideologically driven IT person will rat the nominee out with a letter sent to 120 year old Senator Feinstein.
I call myself "semi-keto". [...] Pretty sure I haven't gone into ketosis
That's not even vaguely semi-keto, then. Keto is short for ketogenic, not for low-carb. And it isn't low fat, either. All you're doing is calorie reduction, which has no relation to the ketogenic diet whatsoever.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If you lookup low carb high fat (LCHF), ketogenic, and carnivore proponents and experimenters, they're the ones getting the long lasting results.
I call myself "semi-keto". Greatly reduced carbs (was eating rice probably 3-4 times a week and potatoes 2-3 times a week), but also trying to stay away from really high fat (cook mostly with olive oil, not butter). Pretty sure I haven't gone into ketosis but still down about 15 lbs since Aug 1 and it's still a pretty filling diet.
Yes, I gather the point at which people go into ketosis will be different for different people. As the other person said, that's not what keto looks like on paper, but then, if you are eating few enough carbs that you can manage to go into a fasting state overnight, whilst asleep, you might find you are in ketosis by the time you wake up, especially if it has been over 12 or maybe 16 hours since last eating.
Unfortunately the testing strips are expensive, but they're interesting to use. I do full fat, lots of fat, and fat fat fat, and pretty much almost no carb most days, and whenever I try testing my blood, I'm in ketosis. But I slid into that over many years.
It should require every device that has is connected to have a unique default password, and that password should be printed on a sticker that is afixed to the device in a location that is consumer-accessible, but does not affect functionality or aesthetic appeal (ie, on the bottom or back of the device) if possible, or if and only if the device has no such convenient location, on a similarly sized piece of paper that is packaged with the device.
File under 'M' for 'Manic ranting'
This is how Idiocracy becomes real.
By preventing the stupid from hurting themselves.
My cameras are on an isolated LAN that is air gapped. Since all IP cameras require credentials I use the same username and password for each one. That's only one thing to remember 18 months from now when I might need to mess with one. I don't want a different password that I have to keep track of for each camera. There are many layers to security and user credentials are only one. We don't need legislatures making things more complicated. KISS is the best security.
Stuff like this sounds great in practice, and even makes a good amount of sense - why not use capitalism itself to promote desired behavior? But these kind of restrictions on government purchasing are why government pays twice as much to make what should be easy purchases. "Approved vendors", "preferred suppliers", and "government rates" because it takes so much paperwork. This also excludes small companies who don't have staff dedicated to filling out government paperwork.
Did you forget what the word "serial" means?
Because we want to be sure that we know what person the surveillance devices are watching.
The real question is why we need so many miscelaneous devices connected to the internet with with anything more than a one-way data link.
Just make the default password some ugly long gibberish and the users are likely to change it to their dog's name just because they don't want to type that monstrosity again.
I refuse to sign
You think "security" is something that can be "built in." Security in software development is a mindset.
You mean I can't just order my embedded software from a Chinese menu and check the box for "Yes, security please" ?
My crash course in security paired down to what I could reasonably fit into a post:
The process of threat modeling is a formal analysis of the security of a system. One easy to remember process is to use the mnemonic STRIDE - Spoofing, Tampering, Repudiation (sharing of access tokens or accounts between users, man-in-the-middle, social engineering, phishing scams, etc), Information disclosure, Denial of service, Elevation of privilege.
You can begin to build a picture of your threat models with a tool like SeaMonster. That's only one example there are many other tools available of course, such as Microsoft's SDL Threat Modeling Tool.
A formal process is pretty important, even if it's as basic as a spreadsheet that lists the threats you came up with. Reviewing the list, prioritizing it, and determining a schedule for addressing threats is better than an ad hoc hand waive to developers a week before release. ("Guys, ya, um I'm going to need you to make it secure."). An iterative process for security that begins the same day you start architectural talks is the better way to approach the problem.
“Common sense is not so common.” — Voltaire
that sounds suspiciously like the windows 10 update mindset, and it's a fiasco.
If you buy hardware, it is yours, and you should retain ultimate control over it.
If i'm a dummy and don't update my webcam's password, or refuse to heed the warnings that its security has been compromised -- well guess what? That's my fault, and no on elses.
You know what underwriters do? They back insurance risks. Fires are very expensive.
That's what UL was for back in the 1800s. Things do a lot more than fire safety these days.
There is no financial incentive behind consumer electronics security like there is for insurance agencies to prevent fires.
That's why all of my options included making security a liability for those companies. My last bullet point was explicit financial liability. The other options involved liability of the form "This is a liability because a large organization won't buy my product."
...pays twice as much...
Yes, security costs money. And auditing companies to make sure they comply costs money. Today people demand the cheapest parts possible, so companies don't bother with proper security. If we want security, we have to pay for it. If I had the choice between a Western Digital Passport drive (regarding the story earlier today), and another vendor that had real security but cost twice as much, I would take the one with security. And if California wants secure devices, they should too. Hopefully, we can make a security mindset infectious and it is just the default behavior.
"Approved vendors", "preferred suppliers", and "government rates" because it takes so much paperwork.
Those things already exist so California is already paying for it. No new costs here.
This also excludes small companies who don't have staff dedicated to filling out government paperwork.
It definitely does not. I personally know several 1 to 10-person companies who have gone through that paperwork. Going back to your first point about government contracts being more expensive, this is why it is worth it for a small company to go through that paperwork.
When those security holes are exploited to create botnets that then attack a 3rd party it's not a personal freedom to be stupid issue. Antivaxxers threatening herd immunity is a rather direct analogy.
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
A single OS for IoT is ridiculous. IoT is not like a PC or smartphone where one size fits almost everyone. Every IoT device is unique with unique goals and purposes. What is appropriate for a sensor device that runs unattended for twenty years in the field on a single battery should not have to have the same OS as a consumer IoT device that tells you if your refrigerator is on or not.
This depends upon what the security is for. Validating passwords sounds like an application front end, most IoT devices usually only talk to other devices. So you need to make sure your networking security is good so that you can't be spoofed, and you can verify certificates from neighboring devices or a back office (pre-shared keys is a recipe for disaster). Then you want security so that your device can't be cloned more cheaply by someone else, so lock down the firmware and encrypt it, etc.
Then there are the generic security issues, not related to crypto or authentication. Such as buffer overflows, allowing a drive-by attacker to reboot your device by exploiting known crashes, etc.
Is the web interface on the actual device, or in the back office? I've worked on devices that don't have room to fit even the simplest web interface and with no convenient way to talk to them without specialized equipment. From the devices I've worked on, the security doesn't start in the OS, most small operating systems don't come with security built in and when they do they're inappropriate for your product (ie, you'll rarely find a PKI solution). The OS has no idea what you need as security, what protocols you will be using, how your hardware crypto worksm etc.
Maybe people need to stop thinking of Linux as a "tiny" OS that can be a starting point, when it is gargantuan compared to most small embedded systems. Or maybe people are thinking like "iOS" which has more application framework than actual operating system.
This is fine if a person's freedoms don't interfere with other people's freedoms. Often there's a collision; once two people meet the freedoms they had as isolated individuals are now diminished (either through physical intimidation by one party or a set of rules and guidelines set up by a government). This is not socialism except by the distorted rewriting of the dictionary by the alt-right. Even many rabid libertarians I know agree that government has a responsibility here.
A government clearly has a vested interest in protecting customers from badly built products, including wifi routers. Not every customer should be required to be a guru or to fully educate yourself. The end customer is freely allowed to ignore safety features if they want (but beware of lawsuits if someone else gets hurt).
There's a new breed of libertarian that thinks freedom is about letting a corporation do whatever it wants to do. Apparently even citizens believe that corporations are people too.
If i'm a dummy and don't update my webcam's password, or refuse to heed the warnings that its security has been compromised -- well guess what? That's my fault, and no on elses.
That's fine but ISPs should also start terminating connections of people whose devices are unknowing participants of botnets.
The other problem is that you're assuming there are updates. What happens when that webcam has a security flaw and the company doesn't fix its firmware (or even has the ability to do so). Changing the default password isn't the only problem, it is the idea that the manufacturer's responsibility ends as soon as money is exchanged. There should probably some sort of contract with all but the cheapest devices that the device will get security updates for X number of years. Many cell phones never get a single update after they are sold and cheaper consumer devices get even fewer updates if any.
Many cell phones never get a single update after they are sold and cheaper consumer devices get even fewer updates if any.
How does a cheaper device get fewer than zero updates? Do they revert to an earlier version?
The intent of the law is to make your device more secure, and the initial password change (or any p/w change) is an ideal time to enforce strong p/w security rules.
How long before that happens?
User name: SLIPPERY
Password: SLOPE
Let me guess. You're under 40.
Update from the future: The law passed