from the Russians-hacked-my-toaster.-Again. dept.
TechDirt reports
Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle is now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in some of the most devastating DDoS attacks the internet has ever seen. In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in mass human fatalities.
Hoping to, you know, help prevent that, the folks at Consumer Reports this week unveiled a new open source digital consumer-protection standard that safeguards consumers' security and privacy in the internet-of-broken things era. According to the non-profit's explanation of the new standard, it's working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledges is early and requires public and expert assistance.
As it stands, most of the proposals are common sense and take aim at most of the common issues in the IoT space. For example, encouraging companies to spend a few minutes engaged in "penetration testing" of their products before shipping (a novel idea!). The standard also hopes to ensure companies notify consumers of what's being collected and who it's being shared with, and that devices aren't using default login credentials. But Consumer Reports also notes that it hopes to develop these standards with an eye on more broadly incorporating them into product reviews.
"The standard should be easy enough for consumers without a technical background to understand, yet sophisticated enough to guide testing organizations such as Consumer Reports as we develop precise testing protocols. We want to rate products on measures such as security, in much the same way we currently assess products for physical safety and performance."
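One of the proposals above, that devices not ship usable with default login credentials, is concrete enough to show in code. The following is an added example written for this page, not code from Consumer Reports, Disconnect, CITL or any device vendor: a factory account is provisioned flagged as needing rotation, cannot log in until its password is changed, cannot be rotated to another well-known default, and an audit() function reports any account that still accepts one. The default list, the 12-character minimum and the PBKDF2 work factor are assumptions for illustration.

```python
"""Default-credential handling for a device's local accounts.

Added example, not code from Consumer Reports or any vendor: a device
account provisioned with a factory password is flagged must_change, may
not log in until rotated, and may not be rotated to another well-known
default. audit() is the check a reviewer could run over an account store.
"""
import hashlib
import hmac
import os

# Constructed sample of factory defaults (assumption, not a real wordlist).
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", "12345"),
    ("user", "user"),
}
ITERATIONS = 50_000  # PBKDF2 work factor; an assumption, tune for the device CPU
MIN_LENGTH = 12      # minimum password length; an assumption


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def provision_factory_account(username: str, factory_password: str) -> dict:
    """Create the account shipped on the device, marked as needing rotation."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt,
            "hash": _hash(factory_password, salt), "must_change": True}


def verify(account: dict, password: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    return hmac.compare_digest(account["hash"], _hash(password, account["salt"]))


def login(account: dict, password: str) -> str:
    """Return 'denied', 'password_change_required' or 'ok'."""
    if not verify(account, password):
        return "denied"
    if account["must_change"]:
        # Correct factory password, but the device refuses normal operation
        # until the owner picks a new one.
        return "password_change_required"
    return "ok"


def set_password(account: dict, new_password: str) -> bool:
    """Rotate the password; refuse known defaults and short passwords."""
    if (account["user"], new_password) in KNOWN_DEFAULTS:
        return False
    if len(new_password) < MIN_LENGTH:
        return False
    account["salt"] = os.urandom(16)
    account["hash"] = _hash(new_password, account["salt"])
    account["must_change"] = False
    return True


def audit(accounts: list) -> list:
    """Report accounts never rotated or still accepting a known default."""
    findings = []
    for acct in accounts:
        if acct["must_change"]:
            findings.append(f"{acct['user']}: factory password never rotated")
        for user, pw in KNOWN_DEFAULTS:
            if acct["user"] == user and verify(acct, pw):
                findings.append(f"{acct['user']}: still accepts default '{pw}'")
    return findings


if __name__ == "__main__":
    admin = provision_factory_account("admin", "admin")
    print(login(admin, "admin"))                       # password_change_required
    print(set_password(admin, "password"))             # False: another known default
    print(set_password(admin, "kettle-Qx7!mR2pLz9"))   # True
    print(login(admin, "kettle-Qx7!mR2pLz9"))          # ok
    print(audit([admin]))                              # []
```

The point of the must_change flag is that knowing the factory password gets an attacker nothing on a device that has not been set up yet, which is the gap the botnets mentioned above exploited; the audit pass is the kind of check a testing lab could run against a device's account store without the vendor's cooperation.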
Related Stories
El Reg reports
The US Federal Trade Commission is holding off regulating the Internet of Things industry until there is an event which "harms consumers right now", according to its acting head.
Maureen Ohlhausen, the American regulator's acting head, told a gathering of cyber security professionals that she was not inclined to impose mandatory regulations on IoT devices.
"We haven't taken a position", she said, according to The Guardian.
"We're saying not 'Let's speculate about harm five years out', but 'Is there something happening that harms consumers right now or is likely to cause harm to consumers'", she added. The British newspaper contrasted her position with the Dyn cyberattack last October, when millions of hacked IoT devices crapflooded Dyn's widely used DNS servers and knocked many big websites offline, including Reddit, Netflix, and Github.
Previous: Consumer Reports Proposes Open Source Security Standard To Keep The Internet Of Things From Sucking
This was posted on the consumerist website on Monday, October 30:
This is our last post on Consumerist.com. We're deeply proud of all the work we've done on behalf of consumers, from exposing shady practices by secretive cable companies to pushing for action against dodgy payday lenders.
We've had a tremendous run as a standalone site. Now you'll be able to get the same great coverage of consumer issues as part of Consumer Reports, our parent organization.
Since they've defeated those secretive cable companies and payday lenders, I guess they had nothing left to do...
Additional coverage at the New York Post entitled "Consumerist site shuts down after alleged mismanagement".
Related: What happened to Consumerist's Worst Company in America contest?
Consumer Reports Proposes Open Source Security Standard
Consumer Reports Pulls Recommendation of Microsoft Surface Hardware Due to Poor Reliability
(Score: 1, Insightful) by Anonymous Coward on Sunday March 12 2017, @03:57PM (3 children)
These security issues are something that these people didn't even think could happen.
Most software is total trash, especially now that Javascript Script Kiddies have grown up and started moving into industry.
(Score: 2) by Kilo110 on Sunday March 12 2017, @07:17PM (1 child)
Why not both?
(Score: 1, Insightful) by Anonymous Coward on Sunday March 12 2017, @08:21PM
When something is produced in a lazy manner, then improving it is simply a matter of putting in the foregone work.
When something is produced in an incompetent manner, then it's virtually impossible to improve it; it must be torn down and rebuilt.
(Score: 5, Insightful) by Thexalon on Sunday March 12 2017, @08:57PM
Actually, it's neither. The real cause is that all the incentives are wrong.
If you ask a manager to extend the project schedule 2 weeks to get the security right, I can guarantee you that the answer will be an emphatic "No" every time. That's because management sees security breaches on their products as something not in any way determined by the quality of the software involved, has no way of measuring the quality of software anyways, and any breaches that do happen are at most a minor PR problem for a few weeks until the noise dies down. Meanwhile, by launching the product before the next round of project management performance reviews, the manager in question will look far better to the boss to have gotten things out in time.
And that doesn't change after the product is launched. Management doesn't care about improving product that has already been sold. And why should they? They already have the money!
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 2, Informative) by Anonymous Coward on Sunday March 12 2017, @06:15PM (1 child)
That term is IoT.
The title, as submitted, was
Consumer Reports Proposes Open Source Security Standard To Keep The Internet Of Things From Sucking
Stripping away significant stuff is a bad "editing" technique.
-- OriginalOwner_ [soylentnews.org]
(Score: 1) by Scruffy Beard 2 on Monday March 13 2017, @04:39PM
When forwarding the story to a friend I added IoT back in to the title (without even checking the original submission)
(Score: 2, Insightful) by Anonymous Coward on Monday March 13 2017, @02:13AM
The device must be able to operate with full functionality on an isolated network, disconnected from the internet. It is OK to require a server, but any such server must be available for installation on that network. In other words, it needs to be operable in a moving submerged submarine.
(Score: 0) by Anonymous Coward on Monday March 13 2017, @04:52PM
All public companies in the USA are required by law to prioritize profits over all other concerns. The SEC comes knocking if they don't act in shareholder's short-term interests. They don't give a fuck-all about your long-term security or privacy.