In message <20161027112601.GA17170@ussenterprise.ufp.org>, Leo Bicknell <bicknell@ufp.org> wrote:
Problems I think consumer safety legislation can solve:
* SSH and Telnet were enabled, but there was no notification in the UI that they were enabled and no way to turn them off. Requirements could be set to show all services in the UI and if they are on or off.
* There was a hard coded user + pass that the consumer COULD NOT CHANGE, and did not display. Requirements could be set to never hard code an account.
* That the system has a user-friendly way to update. "Click here to check for update." "Click here to install update."
I say again, #3 is useless, unless and until you also have legislation that:

*) Forces tech companies to never go bankrupt.
*) Forces tech companies to -timely- issue security patches for all "critical" security issues (and good luck legally defining THAT).
*) Forces tech companies to continue to issue security patches for as long as any "significant" number of the relevant devices remain actively in use, even if that turns out to be 20 years or more.

You can force a company to implement a "user-friendly way to update", but what's the point of doing that if the company never issues any updates?

I say again, the only way to solve these problems is if the devices are fundamentally secure by design, on the day they first ship to customers. Post-sale patching is an ad hoc and haphazard catch-as-catch-can solution at best, and it's not something that most manufacturers have -any- financial incentive to even do. They already got their money, on the day when the consumer bought the device. The rest is just an afterthought.

Regards,
rfg