
posted by on Monday January 09 2017, @04:11PM
from the theoretical-harm dept.

A Federal Trade Commission attempt to rein in a poorly secured IoT device is raising questions over whether the U.S. regulator has the power to crack down on vendors suspected of shoddy practices.

On Thursday, the FTC filed a complaint against Taiwanese manufacturer D-Link Systems that charged the company's internet routers and web cameras can easily be hacked, putting consumers at risk.

But the FTC's complaint doesn't cite evidence that the products have been breached, only the potential for harm to consumers.

That's among the reasons D-Link is contesting the complaint. "Notably, the complaint does not allege any breach of a D-Link Systems device," it said in a statement.

"Instead, the FTC speculates that consumers were placed 'at risk' to be hacked, but fails to allege, as it must, that actual consumers suffered," the company said.

-- submitted from IRC

  • (Score: 0) by Anonymous Coward on Monday January 09 2017, @04:41PM

    by Anonymous Coward on Monday January 09 2017, @04:41PM (#451496)

    When is it not a test power? The losers who have never done anything of use just see yet another moment to exert some sense of power over those who actually produce something useful for society. Don't let these Harvard Schmucks get any break; they are the true fools.

  • (Score: 3, Interesting) by DannyB on Monday January 09 2017, @04:48PM

    by DannyB (5839) Subscriber Badge on Monday January 09 2017, @04:48PM (#451498) Journal

    Should the FTC be able to take action against the vendor of a toaster that is known to burn down people's homes?

    I tend to think of IoT vulnerabilities in the same category as that toaster. When I buy an appliance device (eg, smart tv, router, light bulb) I don't expect it to get hacked and participate in a botnet.

    If not the FTC then what government agency would deal with the toaster that burns down homes? Maybe that is the same agency that should deal with defective IoT devices.

    The damage caused by defective IoT devices is no less real, and possibly just as much or more costly than the house-burning toaster. It's just that the damage from IoT devices is far away and possibly dispersed where the IoT owner doesn't see it.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 0, Flamebait) by Anonymous Coward on Monday January 09 2017, @04:56PM

      by Anonymous Coward on Monday January 09 2017, @04:56PM (#451504)

      People should take responsibility for their own choices; if your house burns down, then FUCK YOU; wrong choice.

      • (Score: 1, Insightful) by Anonymous Coward on Monday January 09 2017, @05:04PM

        by Anonymous Coward on Monday January 09 2017, @05:04PM (#451508)

        Why should the manufacturer be allowed to continue to produce house-burning toasters without some kind of penalty? If that's a known defect in their product and they continue to make it anyway, shouldn't they be liable for some of the damages that their product causes? They chose to continue making it, which is also a "wrong choice."

        • (Score: 4, Funny) by Anonymous Coward on Monday January 09 2017, @05:06PM

          by Anonymous Coward on Monday January 09 2017, @05:06PM (#451512)

          The Invisible Hand will take care of it, comrade. About twenty years down the road or so, word will get out that Burn Your House Down Toasters might cause a house fire, and consumers will buy from a competitor instead.

        • (Score: 1, Flamebait) by Grishnakh on Monday January 09 2017, @07:06PM

          by Grishnakh (2831) on Monday January 09 2017, @07:06PM (#451573)

          No, they shouldn't be liable at all. This is bad for business. Consumers should have the complete responsibility to research their purchases, and if they die due to their mistakes, or the entire subdivision burns down because of them, then too bad. When Trump takes over with his libertarian advisors, I fully expect all this unnecessary government regulation to be repealed or at least not enforced, and also for new laws to be passed which prevent consumers from suing manufacturers, which will greatly improve our economy so that it resembles economic powers like Somalia. I can't wait!

      • (Score: 5, Interesting) by MrGuy on Monday January 09 2017, @05:14PM

        by MrGuy (1007) on Monday January 09 2017, @05:14PM (#451516)

        If the plane you are in crashes, then you should have done more research on the airline and their maintenance practices. FUCK YOU; wrong choice.

        If you did do your homework, and it turns out the airline was lying about its maintenance practices to cover up their shoddy work, then you should have demanded independent certification of all their records before relying on them. FUCK YOU; wrong choice

        If the independent certification authority was in cahoots with the airline to deceive customers, you should have demanded a second independent certification of the process. FUCK YOU; wrong choice

        At some point, in my view, there's some responsibility of a provider of a product or service to provide something that's of a reasonable fitness for use, as opposed to putting the burden of discovering fitness for use exclusively on the consumer.

        Whether an IoT device being reasonably robust against being rooted and used in a botnet (or for surveillance of the owner) falls within that definition of "reasonable fitness" is, to me, a reasonable question to ask.

        • (Score: 0) by Anonymous Coward on Monday January 09 2017, @08:42PM

          by Anonymous Coward on Monday January 09 2017, @08:42PM (#451612)

          If that airline declares bankruptcy after the crash and fails to pay your family for killing you, you should have demanded a surety bond for your flight. FUCK YOU; wrong choice.

          Yeah, I know, it's a little off-topic. I'm just not happy about IoT companies seeding homes with millions of vulnerable doodads and then going out of business but leaving all their customers vulnerable without any way to get a security update or a refund. Too many of these companies are fly-by-night operations (pun intended).

    • (Score: 0) by Anonymous Coward on Monday January 09 2017, @05:04PM

      by Anonymous Coward on Monday January 09 2017, @05:04PM (#451509)

      This isn't my idea, but it made an incredible amount of sense to me. There should be an organization like Underwriter's Laboratories that can certify devices.

      If you buy an uncertified toaster, it might burn your house down. Neither homeowners nor insurance companies want houses burning down, so it's in the mutual best interest of both parties to look for UL certification. Insurers created a body to certify electric devices (UL), and consumers want to buy devices that have been certified by UL.

      Now, I'm sure this part is where I'm going to give Ancaps an aneurysm. Because the consequences of a device joining a botnet are small per device and far away, there should be some kind of authority to ticket people whose devices are found to be participating in a botnet. Nothing too grand, something more like a parking ticket. The IT industry has already shown interest in not having servers be DDoSed. It would behoove them to create a body to certify information devices. If consumers might get a ticket for having an insecure device, that would give them an incentive to want to buy certified devices.

      I'm sure an Ancap will helpfully point out how this can also be done through billions of contracts, which it can in theory. Having government issue the ticket seems more practical.

      • (Score: 0) by Anonymous Coward on Monday January 09 2017, @05:29PM

        by Anonymous Coward on Monday January 09 2017, @05:29PM (#451525)

        Yep, at some point the volunteer posse ran out of steam. The sheriff was funded to police the town, as a job.

      • (Score: 5, Insightful) by Uncle_Al on Monday January 09 2017, @05:43PM

        by Uncle_Al (1108) on Monday January 09 2017, @05:43PM (#451532)

        Think about that name for a second. UNDERWRITER'S laboratories, as in INSURANCE UNDERWRITERS

        There is a strong motivation for people paying out claims to NOT have toasters burn down houses.

        Until there is some strong financial reason for botnets and pwning etc. etc. not to exist, nothing real will happen.

      • (Score: 3, Interesting) by nobu_the_bard on Monday January 09 2017, @05:55PM

        by nobu_the_bard (6373) on Monday January 09 2017, @05:55PM (#451536)

        The companies involved should create their own independent organization to do this. The video game industry in the US did something like this in the 90s, starting up the ESRB, to mitigate the problem of content control (censorship, etc). The more sensible/lucky companies in other nations did this too, where they could. The idea was, by having an independent (but industry-friendly) organization to vet everything, the video game industry could decide among themselves what the standards should be without the government getting directly involved.

        Now, you could argue about the ESRB's effectiveness, implementation, and whether the problem it solves was even an actual problem, as all kinds of complexities, compromises, and inefficiencies have resulted from it, but it's probably still a smoother sailing ship than government oversight would be. If they let the government decide this stuff, you can be sure it'll be a total mess, and they'll have to spend more time learning to work around its arcane standards than anything.

        • (Score: 3, Interesting) by DannyB on Monday January 09 2017, @06:50PM

          by DannyB (5839) Subscriber Badge on Monday January 09 2017, @06:50PM (#451562) Journal

          The companies involved should create their own independent organization to [certify and test similar to Underwriters Laboratories]

          Let's get corporations to police themselves. Foxes should be put in charge of hen houses.

          I think the policing must be done by the government. There must be a penalty for selling an easily hackable device. I think the FTC is doing the right thing here. Now if the companies want to work together to form a testing laboratory that rates and/or certifies IoT devices, I don't see a problem. However that certification doesn't get them off the hook for liability of damages by their devices getting hacked and causing massive damage. That certification merely serves as a consumer guide on which toasters you want to avoid because they might burn your house down. Even better is if IoT companies work together to pool effort in making things more secure. Some IoT base distributions designed for different levels of IoT devices. Some IoT Best Practices, etc.

          Also imagine this: companies offer rewards for being the first to privately disclose to them a vulnerability in their IoT product. They would have an incentive to offer such bounties on bugs if they had financial liability for damages by their IoT devices getting hacked and participating in a cyber pearl harbor attack.

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 1) by nitehawk214 on Monday January 09 2017, @07:07PM

          by nitehawk214 (1304) on Monday January 09 2017, @07:07PM (#451575)

          I think there is a slight difference in magnitude between an organization that rates "this game might show boobies" and "this device might participate in a botnet that wrecks the internet" and "this device might burn down your house".

          --
          "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
      • (Score: 4, Insightful) by bob_super on Monday January 09 2017, @06:35PM

        by bob_super (1357) on Monday January 09 2017, @06:35PM (#451556)

        The problem is that a properly-designed oven, properly maintained by the user, is certifiable by UL to be safe for an extended lifespan. Build it right, with enough padding, and you can sell it with limited worries.

        ANY Internet-connected device using a standard software package (i.e. all of them), can be found to have a security flaw in less time than it takes to print the UL label, let alone ship or install it.
        A label would give people a false perception of safety.
        They might think it's safe right now, which could be correct, but without a commitment from manufacturers to provide quick reliable painless updates for well over a decade, it's only a lie to be parted with money. Wanna guess how many manufacturers will want to provide the support to match the label?

        • (Score: 5, Insightful) by DannyB on Monday January 09 2017, @06:55PM

          by DannyB (5839) Subscriber Badge on Monday January 09 2017, @06:55PM (#451564) Journal

          An ideal, of course, is to make IoT devices need as few updates as possible. Ideally zero over their lifespan.

          If companies had liability for damages caused by their IoT devices, they would invest in security. They would reduce attack surface area. Eliminate default credentials. No back doors intended for the manufacturer's use. Compartmentalize processes better. Tighten up permissions. Etc.

          It may be impossible to have absolute security, but it is possible to come way closer to it than IoT devices do today. Consider the hoops you have to jump through to get PCI compliance for a web site that processes credit cards. If you've ever looked at that you see that there is a LOT more that could be done. If manufacturers had an incentive, they would work together to make it easier for all of them to be secure.

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 0) by Anonymous Coward on Monday January 09 2017, @09:30PM

      by Anonymous Coward on Monday January 09 2017, @09:30PM (#451656)

      > Should the FTC be able to take action against the vendor of a toaster that is known to burn down people's homes?

      No, but if the item is FCC marked then the consumer should be able to sue.

      > When I buy an appliance device (eg, smart tv, router, light bulb) I don't expect it to get hacked and participate in a botnet.

      If it's FCC stamped it shouldn't burn your house down. But FCC tests vs electrical faults and noise and drop-ability.

      The issue is that there's no FCC-like group for software/firmware/hardware security. And there can't really be; the FCC tests against eg. overvoltage. How are you going to standardize a test set for appliances with digital inputs and outputs?

      • (Score: 0) by Anonymous Coward on Monday January 09 2017, @11:14PM

        by Anonymous Coward on Monday January 09 2017, @11:14PM (#451732)

        What the fuck does the FCC have to do with any of this?

    • (Score: 2) by Hairyfeet on Monday January 09 2017, @10:26PM

      by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Monday January 09 2017, @10:26PM (#451690) Journal

      Except they have zero proof this toaster ever burnt a single home, they are just saying it MIGHT at some time in the future POSSIBLY burn down a home.

      I'm sorry but people here are waaaay too fucking trusting to not see the nastiness at play here, we're talking about busting a company not for what they DID, but what MIGHT happen in the future.....sounds like a trivial way for the *.A.A and any other corp to just ban any competitive product, just lobby the FTC that it might do bad things in the future and voila! No more product.

      Seriously guys, if there is one thing you should have learned from Wikileaks the past 5 years it is that you can't trust the US gov to be doing things in the interests of the people and that there is waaay too much collusion between big business and gov here. After all the shit we've seen the gov pull in the past 5 years do you REALLY trust the gov enough to give them the blanket ability to just ban products with no actual proof they have caused harm? Really? Because I can think of several products that big business would be happy to have banned and this would give them an easy peasy way to do so, just have the FTC label it as "potentially harmful".

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
  • (Score: 4, Informative) by bradley13 on Monday January 09 2017, @06:10PM

    by bradley13 (3053) on Monday January 09 2017, @06:10PM (#451541) Homepage Journal

    Some tidbits:

    - The FTC press release [ftc.gov]: They note that "The Commission files a complaint when it has “reason to believe” that the law has been or is being violated".

    - The complaint itself [ftc.gov] charges D-Link with "engaging in unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)"

    - Section 5 of the Federal Trade Commission Act [federalreserve.gov] prohibits "unfair or deceptive acts or practices in or affecting commerce."

    - Specifically, the FTC is trying to use this definition: "To be unfair, an act or practice must cause or be likely to cause substantial injury to consumers. Substantial injury usually involves monetary harm. ... Trivial or merely speculative harms are typically insufficient for a finding of substantial injury."

    D-Link claims that the complaint is speculative, since the FTC does not cite any specific incidents of consumer harm. Moreover, most IoT problems currently involve using devices in BotNets, which generally do no real harm to the device owner.

    So, whaddya think? A good complaint? Or nonsense?

    --
    Everyone is somebody else's weirdo.
    • (Score: 3, Informative) by DeathMonkey on Monday January 09 2017, @06:27PM

      by DeathMonkey (1380) on Monday January 09 2017, @06:27PM (#451549) Journal

      It's weird that they didn't cite any of the hacks that targeted D-Link devices because they have occurred:

      Mirai, for example, targeted D-Link [bleepingcomputer.com]

      Maybe it's because they weren't in the US. Or, maybe they simply filed the complaint before this occurred, who knows.

  • (Score: 0, Interesting) by Anonymous Coward on Monday January 09 2017, @06:42PM

    by Anonymous Coward on Monday January 09 2017, @06:42PM (#451559)

    D-Link only needs to stall until Trump gets into power. He'll make sure corporations no longer have to face any responsibility for their actions.

    • (Score: 3, Interesting) by DannyB on Monday January 09 2017, @06:58PM

      by DannyB (5839) Subscriber Badge on Monday January 09 2017, @06:58PM (#451566) Journal

      Wouldn't the corporations have to face responsibility?

      Two of the Republican mantras are:
      1. Personal Responsibility
      2. Corporations are people too!

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 2) by PinkyGigglebrain on Monday January 09 2017, @07:15PM

        by PinkyGigglebrain (4458) on Monday January 09 2017, @07:15PM (#451578)

        And everyone knows that people can do what ever the fuck they want as long as they pay off the right people.

        --
        "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
    • (Score: 2) by cubancigar11 on Tuesday January 10 2017, @08:21AM

      by cubancigar11 (330) on Tuesday January 10 2017, @08:21AM (#451944) Homepage Journal

      I don't think so, considering D-Link is not an American company.

  • (Score: 0) by Anonymous Coward on Monday January 09 2017, @07:45PM

    by Anonymous Coward on Monday January 09 2017, @07:45PM (#451582)

    While on the face of it I think that this actually is a good idea -- that is, to punish manufacturers that make internet appliances that are blatantly insecure.
    However, what worries me is that this will lead to a regulation scheme that requires that every single device connected to the internet be government approved, and in a government approved configuration. That homebrew router you want to use? Banned. That computer running an open source operating system? Banned. Devices without a government backdoor for access? Banned. You get the idea. So, I'm kind of torn on this issue.

  • (Score: 3, Informative) by digitalaudiorock on Monday January 09 2017, @08:49PM

    by digitalaudiorock (688) on Monday January 09 2017, @08:49PM (#451616) Journal

    As far as routers are concerned, proprietary firmware really is just plain evil. You're lucky if they have one or two firmware updates and a year later, it sucks to be you. Fuck that.

    I finally bit the bullet recently and got a Linksys WRT1900ACS and installed dd-wrt. OMG...I should have done that ages ago. I can't say enough about that. It's like I have a real server now...gets better the more I learn about it,