The difference between involvement and commitment is like ham and eggs. The chicken is involved; the pig is committed.
- any Internet-connected device,
- "powned" by cybercriminals,
- that cause significant harm,
- the manufacturer receiving notice of the defect, and
- did not, or can not, provide a timely, zero-cost update
THEREFORE the Consumer Product Safety Commission shall require that the manufacturer provide a security update to the device within 30 days of first notice; or failing that, to issue a complete recall of the defective devices.
I don't care if it's a television, camera, refrigerator, light bulb, thermostat, washing machine, wireless access router, smart phone, desktop computer, server, you-name-it...if it's broke, and can't (or won't) be fixed, it gets recalled.
That's the only way manufacturers will take Internet security seriously. If they have to upgrade the stuff they sell, without exception, the manufacturers will find a method that will keep their expense for upgrades down. Upgrades should not be charged to the customer — the manufacturer screwed up, they should fix the problem, at their expense. I further suggest that security testing should be specifically permitted under law, not be considered part of "reverse engineering", or other shrink-wrap or copyright restriction.
The CPSC should develop guidelines for products with embedded computers that connect to the Internet at large, either directly or indirectly.
There are a number of things to consider, when building such a regulation, that come into play that complicate things
This is an off-the-top-of-my-head idea. I think it's worth considering over other "solutions" I've seen proposed.
I have a Lenovo laptop with Windows 7 Professional on it. Sometime in the last nine months, Windows has forgotten how to talk with much of the hardware in the laptop. This includes the finger reader and all networking devices. I called both Microsoft and Lenovo, and both refused to help.
So I never see the nags!
The hardware works fine, as proven by the copy of Fedora 20 I have running on the thing -- when I need to network, I just boot into Linux and have at it. RJ-45 port. Wifi. All happy. (I haven't tried installing the finger reading software yet, because I don't have much use for it.)
When I need to copy software across, USB sticks and Blu-Ray drive work just swell. That's how I keep the DVD/BR reader up to date on the laptop that runs in the Windows side.
So, no problem. That doesn't help the folks in hospitals or out in the field...
I've been worrying about the ability for wireless routers to withstand any significant attack, particularly given the responsiveness of the manufacturers of the things (like, none at all) to exploits. So I made a decision to put my wireless router behind a firewall that keeps bad people in the cloud from playing.
Yes, the firewall would cost money ($70 for the computer, $0 for the firewall software -- I'm using CentOS and IPTABLES) and it's another box, but that box protects my inside network, so that I abide by the rule "Never expose Microsoft gear to the bare Internet." As a bonus, I run the router in bridge mode, so that my firewall gets to answer DHCP requests instead of the router. Makes packages like Dropbox work properly even for wireless devices.
I use LANsync quite a bit, because the repository at work has some DVD ISO images, and an update or addition causes quite a bit of network traffic without LANsync. With LANsync, the traffic is between my fileserver and the wireless device, and the uplink carries only the administrative traffic.
What I'm looking for is a wireless card I can put into a CentOS 7 box, so that I don't have to have the lashup I have now. It also means my resulting wireless router/server would be considerably more future-proof than my no-longer-supported Cisco branded router is. (Rebranded Linksys, I think.)
It is very easy to whip up a systemd script to manage the software no matter what quirks the software has about running as a daemon.
I've been looking for a concise, complete HOWTO on how to take an existing daemon program running in the old init-script environment and make minimal changes to have it run in the systemd environment. Can you point me to a URL?
This is the greatest thing to happen to the libre firmware movement.
Mr. Cerf and Mr. Taht have used the VW issue in their response to the FCC in ET Docket No. 15-170, the wireless-router lockdown issue. From the contribution: "Requiring all manufacturers of Wi-Fi devices to make their source code publicly available and regularly maintained, levels the playing field as no one can behave badly. The recent Volkswagen scandal with uninspected computer code that cheated emissions testing demonstrates that this is a real concern."
I don't understand why we're seeing all these gasoline hybrids instead of diesel ones. Aren't diesels running in their optimum range much more efficient? And with all these emissions issues turning up, isn't it feasible to set up diesel hybrids to basically always run in a narrow range with the best emissions and efficiency possible?
I wonder about this, in the context of long-haul semis. I've wondered what it would be like if someone, say Peterbilt, would make a truck tractor with a fixed-speed diesel driving a generator, and the output driving motors on the wheels of the tractor and perhaps even the trailer? This would make it *exactly* like a long-haul train locomotive.
Or perhaps a turbine driving a generator.
You don't have the same limitations about size with a truck tractor.
I've also read in the last day or two that VW is (predictably) trying to claim that management knew nothing about the emissions and that "a handful" of engineers were responsible. While there were obviously engineers responsible I have NO doubt whatsoever that management requested and signed off on this. They're just trying to throw a few peons under the bus to save their own skin.
Have you ever worked in a larger corporation? There are quite a few layers of managers and worker bees, so the upper layers don't necessarily know what the lower layers are doing. I saw this at Motorola and Rockwell in my career. So the managers may well have been in the dark about the "defeat device", because the managers are not engineers, and would not have seen that level of report. All they would see is a single bullet item on a PowerPoint slide: "meets EPA limits for emissions."
Or, as the old saying goes, "Never attribute to conspiracy that which is adequately explained by stupidity."
Is there some compelling reason why these tests aren't being conducted in realistic conditions in the first place?
Repeatability. If you can't repeat the measurement, then the result can result in a "he said"/"she said" fight in the courts or in administrative hearings. That said, the testing you do on the dynamometer should bear some relation to what actually happens in the field. Engineers will tune their products to the tests. Some engineers will also test "in real life", but only if they have time and budget. And, when all else fails, they will fall back on what works in the tests. Or worse, if you can't pass the tests without a "tweak".
While Warner/Chappell says they are not considering an appeal, they say "we are reading the long opinion to see what our options are." [paraphrase] So they may decide to appeal after all. Then there is the other issue: repayment of royalties already received, going back decades. That may indeed trigger an appeal of the ruling, to hold off that fiscal event. At two million a year for decades, the cost of the appeal starts to look cheap...
First, in NoScript I whitelist those sites that appear to take responsibility for their content. That leaves lots of unrecognized domain names in the list of forbidden-to-script. Ghostery has perhaps three out of the thousands of trackers enabled, and Facebook isn't one of them.
I also use
"What a wonder is USENET; such wholesale production of conjecture from such a trifling investment in fact." -- Carl S. Gutekunst