SoylentNews is people

posted by janrinok on Saturday January 07 2017, @06:27AM
from the something-desperately-needed dept.

The Federal Trade Commission announces:

The Federal Trade Commission (FTC) is hosting a prize competition that challenges the public to create a technical solution ("tool") that consumers can use to guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.

The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.

The prize for the competition is up to $25,000, with $3,000 available for each [of three] honorable mention winner(s).

However, not only do the gov't workers not put ALL of the details on ONE page like people with normal intelligence, you also can't see the part of the page that contains the Registration and Submission link unless you have JavaScript enabled.

In their coverage, El Reg notes:

Anyone who gets a genuinely good solution to this stuff won't need the $25,000 for long: they'll be scooped up by Silicon Valley in less time than it takes to say "elevator pitch".

Submissions for the [FTC] contest open on March 1, 2017 and close on May 22, 2017. Winners will be announced on July 27, 2017.

They also have a not-exactly-short list of IoT stuff that has already been pwned or has shipped with insecure configurations.

We can probably all agree that the current situation with insecure devices that can be hijacked and used as bots is unsatisfactory, but has anyone got any suggestions that would still enable a company to market secure devices while keeping the costs at a reasonable level?

  • (Score: 0) by Anonymous Coward on Saturday January 07 2017, @07:52AM (#450648)

    Yeah, see here's the thing. A lot of people never change the default password, and a lot of people are bad at inputting random junk, so if you make it too long, people will call support and complain that their default password doesn't work, every time they try to use it. Have fun with those support calls, especially when your company is paying for them.

  • (Score: 2) by MostCynical (2589) on Saturday January 07 2017, @09:00AM (#450671)

    And there you have the thing that will win the money - come up with a way to make users *work* for security.

    2000 volts to the private parts every time a password is no good?

    200,000 volts to the QA or designer who made a password validator that forces bad passwords, and won't allow good ones?

    Or a device that takes every insecure IoT device (tautology?) and shoves it back where it came from?

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 2) by maxwell demon (1608) on Saturday January 07 2017, @09:42AM (#450672)

    Integrate a password manager into the app that comes with the device. Indeed, you could even use a Bluetooth connection to transfer that password once during initialization, so you never have to enter it manually, requiring a physical button press to initiate the password transfer.

    Yes, this is still vulnerable to physical access, but then, physical access is always a vulnerability, and physically securing your home is a problem that you have to solve anyway (and breaking into every home is certainly not a practical method of building a botnet).

    --
    The Tao of math: The numbers you can count are not the real numbers.
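
The button-gated, one-time password transfer suggested in the last comment, sketched as an added example that is not part of the original discussion or any product's firmware. The `Device` and `PasswordManagerApp` classes, the 30-second window, the direction of transfer (app to device) and the in-memory stand-in for the Bluetooth link are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PAIRING_WINDOW_S = 30  # assumed: how long one button press stays valid


class Device:
    """Constructed model of the IoT device side (hypothetical, not real firmware)."""

    def __init__(self):
        self._salt = None
        self._hash = None          # no factory default password exists
        self._window_ends = None

    def press_button(self, now):
        # Physical presence opens a short window, and only while unprovisioned.
        if self._hash is None:
            self._window_ends = now + PAIRING_WINDOW_S

    def receive_password(self, password, now):
        """Accept the password exactly once over the (simulated) Bluetooth link."""
        if self._hash is not None:
            return "already-provisioned"
        if self._window_ends is None or now > self._window_ends:
            return "button-not-pressed"
        self._salt = secrets.token_bytes(16)
        self._hash = self._kdf(password)   # store a salted hash, not the password
        self._window_ends = None
        return "ok"

    def login(self, password):
        if self._hash is None:
            return False                   # nothing to guess before provisioning
        return hmac.compare_digest(self._kdf(password), self._hash)

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)


class PasswordManagerApp:
    """Constructed model of the companion app's built-in password manager."""

    def __init__(self):
        self.vault = {}

    def provision(self, name, device, now):
        password = secrets.token_urlsafe(24)   # 192 random bits, never typed by hand
        status = device.receive_password(password, now)
        if status == "ok":
            self.vault[name] = password
        return status
```

Because the user never types the password, its length stops being a support problem, and a remote attacker cannot trigger provisioning without the button press.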