Why Companies Knowingly Ship Insecure Devices

Soulskill posted more than 2 years ago | from the not-enough-tps-reports dept.

Businesses 123

wiredmikey writes "A recent survey which included responses from 800 engineers and developers that work on embedded devices revealed that 24% of respondents knew of security problems in their company's products that had not been disclosed to the public before the devices were shipped. But just what that means in terms of attitudes towards security may be more complex than it seems. Additionally, just 41% said their company has 'allocated sufficient time and money to secure' its device products against hacks and attacks. Despite this, 64 percent felt that when engineers call attention to potential security problems, 'those problems are addressed before the device is released.' So, what exactly does this illustrate about the state of security in the development process? The answer, some say, is a jumbled collage of business pressures, bug prioritization and varying attention to security."

123 comments

Only Apple does security (-1, Troll)

Anonymous Coward | more than 2 years ago | (#37068970)

That's why I buy only Apple devices. Windows and Android just suck. Apple has been far ahead and the best.

Only those who can not afford Apple buy other stuff.

Also, it's very open model and it's unix while Windows is a closed system. Anybody can look at Apple code and file a report if it's insecure and Apple fixes it right away.

Re:Only Apple does security (0)

Anonymous Coward | more than 2 years ago | (#37069014)

I like Granny Smiths too. I mean, you can't climb through one of those, unlike those damned Windows.

Re:Only Apple does security (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#37069106)

Hmm can't tell if trolling or just stupid.

Re:Only Apple does security (1)

DickBreath (207180) | more than 2 years ago | (#37069644)

> Hmm can't tell if trolling or just stupid.

The choices are not mutually exclusive. Think checkboxes, not option buttons.

Which?
(*) Trolling
(_) Stupid


Which?
[x] Trolling
[x] Stupid

Re:Only Apple does security (2)

Hognoxious (631665) | more than 2 years ago | (#37070138)

> Hmm can't tell if trolling or just stupid.

> The choices are not mutually exclusive.

Yes they are.

Re:Only Apple does security (1)

mfh (56) | more than 2 years ago | (#37069162)

This is pretty funny considering that all laptops are manufactured by the same company, including Apple's laptops. As for security, they just demonstrated a total kernel pwn for ios recently, so I'd be willing to go on record that all the companies suck at security. When it comes down to it, if you want to break into something you can find a way. These companies would get a lot farther if they realized that nothing is really secure and instead they decided to give people what they want out of the box instead of collectively dismissing our rights to purchase real property.

Re:Only Apple does security (1)

wsxyz (543068) | more than 2 years ago | (#37069222)

Being manufactured by Foxconn does not mean that Foxconn does the hardware design and writes the bios and OS code too.
I hesitate to believe that the screwing and gluing that Foxconn does affects the security in any significant way.

Re:Only Apple does security (1)

rickb928 (945187) | more than 2 years ago | (#37069510)

Acer, for one, would not find that funny at all. They seem to think they manufacture laptops also.

There are more than three laptop manufacturers, even if you limit yourself to mainstream brands.

Re:Only Apple does security (0)

Anonymous Coward | more than 2 years ago | (#37069292)

I think you're probably trolling, but just in case:

Every time you see a jailbreak, that's a root exploit. When you see a site like Jailbreakme.com that's an exploit that can be executed through your browser, which is incredibly disturbing. If someone wanted to use the same hole to deliver malware they would have no problems doing so. That payload doesn't necessarily have to be a jailbreak for your device, it could be wiping the entire device, sending your contacts to an unknown person, etc.

Re:Only Apple does security (1)

CCarrot (1562079) | more than 2 years ago | (#37069470)

Here's a refreshing WHOOSH for you!

Don't feel bad, judging by the modding so far, you're not the only one...

Re:Only Apple does security (0)

Anonymous Coward | more than 2 years ago | (#37069540)

> Anybody can look at Apple code

Wahahaha! Thank-you, that made me laugh!

Excuse me while I go compile iOS. Or better yet, I'll just download the Mac OSX source, remove the hardware checks, and compile and run it on my super-badass custom-built PC with more processing power than a handful of iPads put together.

I think you're getting confused between Linux and Apple. Linux is "very open-model and it's unix" and "anybody can look at [Linux] code and file a report if it's insecure and [Linux developers] [fix] it right away".

Not important enough (4, Informative)

Anrego (830717) | more than 2 years ago | (#37068978)

Security isn’t important enough or visible enough to the end user, and insecurity doesn’t cost companies enough money.

If company A spends $100,020 extra on securing their product, whereas company B spends $1,020 extra .. and neither product “gets hacked” .. there is no perceived value increase. If company A has to sell their product at a higher cost .. most consumers will go with company B’s product.. _even if_ company A can somehow demonstrate that their product is more secure (and aside from a clean track record, this is hard).

If Company B’s product gets hacked, 99% of users don’t know or don’t care.. and company A gets exactly 3 new customers (always 3.. regardless of scale) who are concerned with company B’s security track record and assume company A makes a more secure product.

More importantly, if legislation went through saying that companies were liable for insecurity and the damage that is caused, everything would triple in cost and the masses with piss soup in rage

Re:Not important enough (2)

shadowfaxcrx (1736978) | more than 2 years ago | (#37069048)

Done in 1. (I don't count the troll above you)

Start fining the hell out of companies for knowingly exposing their customers to risk (any risk, whether security or e-coli) and companies will clean up their acts.

Yes, regulating companies makes (sometimes) the end product cost more. That was true when airlines were regulated. We also didn't have incidents like Valujet when airlines were regulated. Safety/security costs more up front, but costs less in the long term.

Re:Not important enough (2)

0123456 (636235) | more than 2 years ago | (#37069352)

> Start fining the hell out of companies for knowingly exposing their customers to risk (any risk, whether security or e-coli) and companies will clean up their acts.

No, they'll stop making stuff because unlimited liability for 'any risk' is simply insane. If they can't get insurance then there'd be no point being in business if you could be bankrupted at any time (e.g. Joe Loser sues Dell for selling a PC with Windows installed, which clearly exposes them to serious risks).

Re:Not important enough (0)

Anonymous Coward | more than 2 years ago | (#37069998)

1. No. Companies will not pack up and leave (and you're either stupid or malicious to suggest this).

2. Microsoft would have to clean up their act, not Dell.

Re:Not important enough (1)

Obfuscant (592200) | more than 2 years ago | (#37070226)

> No, they'll stop making stuff because unlimited liability for 'any risk' is simply insane.

This. I wish I had mod points today.

Everything anyone does has risk. The only secure computer is one that is turned off. The only secure cell phone is one that has the battery removed. The only secure ... well, you get the idea.

Absolute security is an impossible dream, an unreachable goal, and a continuous drain on money and time. At some point, we all have to weigh the cost/benefit ratios of what we are doing and get on with our lives. E.g., the value of getting to work greatly outweighs the risks involved in driving there, so I do it. The value of cleaning oneself outweighs the risks involved in taking a shower.

That's the equation that people seem to forget when talking about safety and hacking. There is a cost to safety and security, and sometimes the cost is more than the risks would cost. What would it cost to put a thermal/smoke detector in every toaster, connected to an internal fire extinguisher and cell phone that dials 911 in an emergency? Well, toasters sometimes start to burn, wouldn't the safety be worth it? That $20 toaster would now cost $200 and nobody would buy it. Or you could get the government to write a law saying you had to buy that kind of toaster, just like they have laws saying you must have smoke detectors in certain residences. The former is economics at work; the latter a governmental distortion of those principles. And look out when one of those toaster safety features doesn't work, the company will be sued anyway.

Re:Not important enough (1)

cdrguru (88047) | more than 2 years ago | (#37070288)

How many companies make vaccines today? What companies make the chemicals used for executions?

The risk became too great and just about everyone got out of the business. The last round of vaccine production for flu required the government to provide immunity to the manufacturer before they would do it.

Re:Not important enough (1)

davester666 (731373) | more than 2 years ago | (#37070668)

Companies have stopped making and/or selling the chemicals for executions because of investor pressure.

But these kinds of calculations by corporations have been going on for a long time, in many more ways that common people would think of as morally bankrupt. For example, for auto manufacturing design flaws, auto manufacturers regularly price out the cost of fixing the problem versus the cost of settlements to families of people who will be injured or killed. See Ford Pinto gas tank, GM Truck gas tank.

Re:Not important enough (1)

Bengie (1121981) | more than 2 years ago | (#37070548)

Well, the idea is to fine companies who don't try "enough". There will always be security problems, but companies that don't even keep up with the industrial minimum should be heavily fined.

How we determine this, I don't know.

Re:Not important enough (1)

brainzach (2032950) | more than 2 years ago | (#37069374)

The company that focuses too much on security is going to get fired for being behind schedule and making them lose money.

Re:Not important enough (1)

jellomizer (103300) | more than 2 years ago | (#37069424)

Then expect no new devices to be released. And put the world into a worse recession..

If you fine them too much then they will calculate that it isn't a profitable sector to be in... Then they won't be in the sector.
There is only a limit on how prices will rise for a personal device. Airline travel can allow a high price variant as the value of getting there faster is very high. However for your Personal Device getting the newest and greatest if it is too expensive will not add any value to the customer. They won't buy them at a high price.

Most security holes do not have a wide effect, and can be fixed before major problems occur. In the meantime they can have sold thousands or millions of units before then.

And what about Open Source developers... You release some code to the public and you may know there is a security hole in it, perhaps because you don't know how to fix it, and looking for a better solution, perhaps someone uses your code and gets hacked who is responsible... Probably you so you get to pay a nice hefty fine.

When the government needs to control and fine products to meet a particular standard they need to be careful about it, let's say a device cost the life of one person... However being able to ship the device 5 years earlier can save the lives of 50 people. Too tight regulation is just as bad as having no regulations.

Re:Not important enough (2)

Runaway1956 (1322357) | more than 2 years ago | (#37069938)

Open source is distributed for free, as-is, with no warranty, and plenty of disclaimers that the product may not be suitable for your purposes, or any other purposes.

Unlike the other side of the road, where the code is a closely held secret, you pay for the privilege of using it, and there are generally at least implied warranties that the product is fit for consumer use.

In short - if the company is willing to rape the consumer for huge profits, while supplying shoddy products, then they DESERVE to be sued. Open source, not so much. "Yeah, you can mess with my code, if you like, but be warned, it's a mishmash of ideas that may or may not work, so you're on your own. Call me if you have problems, and MAYBE we can work things out!"

Re:Not important enough (1)

tepples (727027) | more than 2 years ago | (#37070448)

> Open source is distributed for free, as-is, with no warranty

Regulation of the industry would likely make such disclaimers null and void.

Re:Not important enough (1)

Anonymous Coward | more than 2 years ago | (#37071324)

> Open source is distributed for free, as-is, with no warranty, and plenty of disclaimers that the product may not be suitable for your purposes, or any other purposes.

> Unlike the other side of the road, where the code is a closely held secret, you pay for the privilege of using it, and there are generally at least implied warranties that the product is fit for consumer use.

Umm... You might want to *read* the EULA for one of those 'other side of the road' products. They disclaim all liability that they're legally allowed to, and then additionally limit their liability to the price you paid for the product. You're in, *at best*, exactly the same situation with 'the other side of the road' as you are with Open Source.

Re:Not important enough (1)

dubl-u (51156) | more than 2 years ago | (#37069740)

> Safety/security costs more up front, but costs less in the long term.

Not necessarily true. If you blindly make producers liable for all risk, and pile on top of that a substantial regulatory framework, you could create costs well above benefits.

I have a friend that makes jam. It's good jam. If she were to sell it at the farmer's market, people would happily buy it. And the sorts of people who buy jam at the farmer's market know what they're getting into. If by some fluke one of the jars doesn't seal properly, they'll deal with it. But in your world, she'd be exposing herself to substantial legal liability, plus the need to comply with a bureaucratic system that proves she has taken all possible steps to mitigate risk. Equipment, procedures, documentation, keeping up with regulations, filing reports. She wouldn't do that just to sell a few jars of jam.

For software, it's even worse. Regulating software creation uniformly is like regulating the creation of things made out of atoms: the variety is too wide to talk about it sensibly. The whole point of writing software is to do new things, which guarantees many risks won't be well understood. And software processes are moving to very fast cycles, where the goal isn't to completely prevent errors, it's to keep any impact very small. Regulation-induced ritual can wreck that.

Customers should generally be able to choose what level of risk they're accepting except where the risks are catastrophic and hard to understand (e.g., flying on a commercial airline). Without that freedom, we won't get small jam producers, we won't get companies that do bungee jumping or skydiving, and we won't get a great deal of the innovative software we now get.

Re:Not important enough (1)

shadowfaxcrx (1736978) | more than 2 years ago | (#37070484)

There's a big difference between selling jelly at the farmers market and knowingly releasing devices that facilitate identity theft, or knowingly selling meat that was contaminated with feces when the guy working in the factory cut too deep.

Note the key word "knowingly."

Re:Not important enough (1)

dubl-u (51156) | more than 2 years ago | (#37070596)

There's definitely a big difference, which is why I think the "any risk" standard you suggest is too extreme.

"Knowingly" is a good start. But there's a problem with that, too; it discourages knowing, or activities that lead to knowing, like investigation or research. A lot of the corporate criminals who caused the economic crash we're suffering from got away with it because they had plausible deniability. They just didn't know! And we happily ignored that they could have known, and probably should have known, and that they rigged things so that they wouldn't know.

We need corporate cultures that encourage investigation and honest reporting, but a standard of "knowingly" works against that.

Re:Not important enough (1)

Obfuscant (592200) | more than 2 years ago | (#37070840)

> There's a big difference between selling jelly at the farmers market and knowingly releasing devices that facilitate identity theft,

Xerox, Canon, Ricoh, and several other companies knowingly manufacture devices that facilitate not only identity theft but copyright violation and child pornography. They're called "copy machines". Several companies knowingly manufacture devices that facilitate copyright violations, namely "DVD recorders".

Many many companies knowingly distribute devices that knowingly allow the violation of many different laws. I can buy radios from Kenwood, Motorola, Tait, EF Johnson, and a host of other companies that allow me trivially to jam police communications. Or aircraft/ATC communications. I can buy credit card readers that allow the theft of CC info. I can buy cars that allow me to speed, and even run people over.

> or knowingly selling meat that was contaminated with feces when the guy working in the factory cut too deep.

There's a big difference between committing an act that by itself causes damage to individuals, and providing a device that can be used in illegal or damaging ways.

Somebody sold that guy who "cut too deep" the knife he used to make that cut. Is the knife manufacturer liable for the misuse of the product because he knew that someone using the product to "cut too deep" at a meat packing plant would cause contamination of the meat product? Note the word "knowingly".

Re:Not important enough (1)

shadowfaxcrx (1736978) | more than 2 years ago | (#37071410)

> Xerox, Canon, Ricoh, and several other companies knowingly manufacture devices that facilitate not only identity theft but copyright violation and child pornography. They're called "copy machines". Several companies knowingly manufacture devices that facilitate copyright violations, namely "DVD recorders".

Oh come on. That's bullshit. You know as well as I that the intended use standard applies. Copy machines are not intended to be used for kiddie porn or counterfeiting. Conversely, meat is meant to be eaten, and smart phones are meant to be used on the internet. There's a very obvious difference.

Re:Not important enough (0)

Anonymous Coward | more than 2 years ago | (#37069758)

> Done in 1. (I don't count the troll above you)

> Start fining the hell out of companies for knowingly exposing their customers to risk (any risk, whether security or e-coli) and companies will clean up their acts.

> Yes, regulating companies makes (sometimes) the end product cost more. That was true when airlines were regulated. We also didn't have incidents like Valujet when airlines were regulated. Safety/security costs more up front, but costs less in the long term.

The above after going through the US far right filter:

Blah blah blah stupid hippy nerd talk blah blah blah risk blah blah blah REGULATING COMPANIES MAKES blah THE END PRODUCT COST MORE blah blah blah blah blah SAFETY/SECURITY COSTS MORE blah blah blah.

So, good luck with that.

Re:Not important enough (1)

swordgeek (112599) | more than 2 years ago | (#37070020)

Agreed, except for "any risk." Sooner or later, companies will just stop trying to produce anything. The small private airplane market was a perfect example of this: The government assigned essentially indefinite liability to the manufacturer of an airplane, and after a while Cessna et al just quit making small planes.

Re:Not important enough (1)

cdrguru (88047) | more than 2 years ago | (#37070232)

ValuJet got a bunch of oxygen generators loaded on a plane in spite of a strict regulatory environment. They partly adhered to the regulations and partly did not. There were no inspectors on site to verify compliance, and they took some shortcuts. No amount of regulation would have changed that unless they had on-site inspectors. The cargo handlers had a box to move and they put it on a plane to move it. They were not supposed to, they knew they were not supposed to but did it anyway.

Alaska Air did shoddy maintenance on planes, again in spite of a strict regulatory environment. One plane crashed and I believe a lot more were taken out of service because of maintenance issues relating to the elevator jackscrew.

American Airlines did shoddy maintenance on DC-10 engines and this resulted in Flight 191 crashing in spite of a strict regulatory environment. Again, the only thing that would have stopped them would have been on-site inspectors, which there were none and are none today.

Sorry, but regulation doesn't solve problems. Companies following regulations is generally a good thing, but the problem today is we have regulations like those in the wake of Prop 65 in California. Sure, putting up a sign that says "Enter here and risk your life, your children's lives and all of the rest of humanity" is really effective when it is required on nearly every business in the state. The problem is when there are too many silly regulations all regulations are going to be treated as silly and ignored - and there is no monitoring. Enforcement is great, but it is after the fact - after people have died.

Oh, so you think the solution is more monitoring and enforcement? What do you think it would take to effectively monitor, say aircraft maintenance? Shouldn't be too hard because there are only around 600 airports and maybe 100 maintenance facilities in the US. To do the job in a weak and pathetic manner it only takes a few inspectors as we have today. To do the job in a way that would eliminate cargo handlers putting the wrong box on a plane would take 7000 or more inspectors with a cost likely over a billion dollars. Just a tiny drop in the bucket, but nobody is going to spend that on inspectors today when if everyone follows the rules these inspectors are completely unnecessary.

Re:Not important enough (0)

Anonymous Coward | more than 2 years ago | (#37070506)

That's like saying we don't need cops because when people follow the rules cops are totally unnecessary. Another one of your statements I interpret as akin to, "the real problem is we have so many needless laws about speeding and jaywalking, so our rules about robbery and arson are being treated as silly and ignored". After all, to hire enough officers to totally prevent all crime is prohibitively expensive, therefore there's just no need for cops at all.

Re:Not important enough (1)

shadowfaxcrx (1736978) | more than 2 years ago | (#37071152)

Exactly. No, I don't think more on-site monitoring is necessary, provided the penalties for *knowingly* dicking around with safety/security are severe.

That DC10 crash you're talking about happened because of company stupidity. Douglas had told them to remove the engine, and then the pylon from the wing when performing maintenance. Some airlines, including AA, figured they could save time if they removed the engine/pylon as one unit rather than taking 2 steps to do it. It was tricky, but saved money. On this particular plane, ground maintenance didn't get it right, and rammed the pylon into the wing. Then they re-attached everything, didn't make sure there was no damage (there was) and as a result the engine fell off. There were also problems with the crew's action during the disaster (the DC10 can take off just fine with 1 engine dead, but the aircrew tried to climb too fast, there was no stick shaker on the copilot's controls, and the pilot's controls had been knocked out by the engine falling off, and the flight engineer failed to hit the switch that would have brought the pilot's side back online) but the primary cause was corporate penny pinching in violation of the (for want of a better term) service manual.

AA should have been fined so heavily that it would have damn near gone out of business as a result of this crash. Instead, they were fined half a million dollars, which to an airline is beer money, and meanwhile people were dead and Douglas's business was badly hurt as a result of undeserved animosity toward the DC-10.

If AA had been fined as heavily as it should have been, I think industry would have taken the lesson more to heart. "If I'm gonna try to pull shenanigans with safety, I'd better be damned sure I can get away with it or I might just lose my whole company." That's a pretty good incentive to make sure you're not cutting corners.

Re:Not important enough (0)

Anonymous Coward | more than 2 years ago | (#37070330)

I, for many devices and most software, would happily buy an insecure version which is cheaper than a secure one.
I only need one secure PC for banking and ebuying. For the rest, I take the tradeoff thanks. It's not that my media center getting hacked gets me much trouble (besides, it's running without antivirus now to be more performant, if it dies, I restore the harddrive image I made in march and lose one or two house md episodes tops).

Re:Not important enough (1)

shadowfaxcrx (1736978) | more than 2 years ago | (#37071236)

That's great. And I don't mind you having that choice. But the company should be giving you that choice, by clearly labeling their product as "NOT SECURE."

Instead they're shipping this shit out, telling customers "oh it's great, you can shop and bank with this thing from anywhere!" without telling them "oh and by the way when you do anyone who wants it can steal your info and also shop and bank with your account."

Re:Not important enough (1)

robthebloke (1308483) | more than 2 years ago | (#37069118)

> More importantly, if legislation went through saying that companies were liable for insecurity and the damage that is caused, everything would triple in cost and the masses with piss soup in rage

No, it would simply force the hand of developers to release all security related code under a GNU license to avoid the liabilities of being the maintainers of the software. That or (very brave) specialised hardware/software security companies would start providing middleware for that purpose.

Re:Not important enough (1)

Opportunist (166417) | more than 2 years ago | (#37069430)

Brave? You needn't be brave. Just start a subsidiary company that does the security baloney, cash in, transfer the money and when the shit hits the fan, the subsidiary goes bankrupt.

Re:Not important enough (1)

jellomizer (103300) | more than 2 years ago | (#37069496)

Consultants, they will hire consultants to do the work. Then point their finger back at them when there is a problem and go BAD BAD consultants, then hire them for the next job. That is what the government does. If they need to do something that is politically risky they get a consultant to do it, if it succeeds the person gets the credit, if it fails they blame the consultant, which privately the consultant happily takes because he knows that he will probably get the next job as well because why would the government authority get rid of a perfectly good scapegoat, for any mistakes (probably due to bad leadership).

Re:Not important enough (1)

darth dickinson (169021) | more than 2 years ago | (#37070400)

I was thinking of this just this morning. It seems we hear more and more about damn *stupid* security breaches. SQL Injection, etc... heck, didn't the CitiBank credit card cracker simply modify the URL to scrape thousands of card numbers? Given what we know about outsourcing (not necessarily offshoring, but simply farming out the latest "Web 2.0!!!" design to companies like Accenture) it's hard to believe that a lot of these faulty web sites were designed by one of a few companies.

It left me wondering, "Why hire these people if they churn out insecure code like this?" I think it's partially the fact that no one will admit publicly what company provided the faulty code, but more the parent's post... "We here at MegaTelcoBank are secure, none of *our* employees would churn out crap code like that!!"

Re:Not important enough (1)

jellomizer (103300) | more than 2 years ago | (#37070458)

What you forgot is during the process the Consulting company may really try to say you should do it this way it is more secure, but normally it will not go through because consultants are not to be trusted.

Re:Not important enough (1)

darth dickinson (169021) | more than 2 years ago | (#37070716)

It's been my experience (working for a subsidiary of an international bank) that the opposite is true. "Oh we should do what the consultants say, they do this all the time."

Re:Not important enough (1)

rickb928 (945187) | more than 2 years ago | (#37069536)

So the solution is to use the GNU license to avoid liability.

You must work in the industry. Maybe as a CEO?

And time (1)

Weaselmancer (533834) | more than 2 years ago | (#37069146)

Remember that sales people typically make percentages based on sales. You don't get that percentage until you ship. So you get a lot of pressure to deliver quickly. And you can't do security in a rush. Typically your engineering head will do a security assessment and sales will go over it (usually in a series of small hops and jumps) and then ship anyways, because that's how they get paid. They'll have engineering bang out patches later on. If anyone complains.

Bottom line is that engineers don't get to make these kinds of decisions usually.

Re:Not important enough (1)

mfh (56) | more than 2 years ago | (#37069204)

When Playstation Network was hacked I laughed because I wasn't stupid enough to give them my personal info or a password used in multiple other places. I had a distinct password sent to them and they never saw a dime from me over a credit card.

When it comes down to it, what other people call paranoia, I call standard practice.

Re:Not important enough (1)

Anrego (830717) | more than 2 years ago | (#37069318)

> When it comes down to it, what other people call paranoia, I call standard practice.

In a world where a huge company like Sony can fuck up on such an epic scale and get little more than a wrist slap.. and will probably keep right on doing business the way they've been doing... yup!

Unfortunately it's hard to "not participate". Everyone wants all your personal info for everything. There are ways around this (temporary credit card numbers) but it's pretty hard to avoid giving someone enough data to do damage while still living a relatively enjoyable life.

Also.. two digit UID.. jebus!

Re:Not important enough (1)

Opportunist (166417) | more than 2 years ago | (#37069566)

What bothers me most, from a pure security point of view, is that this pretty much turned the PCI-DSS into a weak joke and a laughing stock of the IT-Security community. Sony pretty much had to be compliant, i.e. get the cert. They stored credit card info, they are most likely even a level 1 (highest possible level, more than 6 million transactions annually (or already had a breach, i.e. if they were not, they are now), highest possible security risk) merchant, in other words, they pretty much had to get audited at the very least every 3 months. And yet they dropped the ball badly.

Ok, it's not like we thought that those certs mean jack anyway, but I guess it starts to become visible outside the business now...

Re:Not important enough (1)

Anrego (830717) | more than 2 years ago | (#37069664)

but I guess it starts to become visible outside the business now...

Problem is it really doesn't.

Sure, people think about it a bit when it's in the news.. and maybe down the road someone will be looking into something and this incident will be used as a case study... but for the most part... people forget this shit as soon as it's out of the headlines.

Re:Not important enough (1)

maxume (22995) | more than 2 years ago | (#37069984)

If you start from the premise that the credit card companies are the ones that could go ahead and implement secure authentication (with card readers or token generators or whatever), the security of the whole industry is a joke.

Of course, they are more worried about costs than security so it isn't a big surprise.

Re:Not important enough (1)

Opportunist (166417) | more than 2 years ago | (#37070104)

Forget security tokens or other security features that the customer would have to use. The customer doesn't give half a shit, if you "force" a security token on him, he'll use a different CC provider that doesn't. Especially since, hey, if someone abuses my card, the CC company will cover it, so why bother?

That the merchant he bought at will most likely discontinue business with him (because he, eventually, gets to foot the bill) is another matter. And I guess a lot of people would be pissed if Amazon, EBay or Paypal would discontinue doing business with them because of it. But hey, as long as it doesn't happen, no damage done.

The sad truth is that nobody really wants security. Aside from a small minority that just simply doesn't count.

Re:Not important enough (1)

maxume (22995) | more than 2 years ago | (#37070722)

Chip cards seem to work for the Netherlands (but they are relatively small and the banking industry chose to work together on it).

If American Express offered a secure payment system that meant I was authorizing single transactions to a single vendor, I'd use it in a heartbeat.

Re:Not important enough (1)

maxume (22995) | more than 2 years ago | (#37071000)

And I guess the more sarcastic response is something like "Yeah, that's the part that is a joke."

Or whatever. The general point is that the activities they classify as 'security' are largely tilting at windmills, at least when compared to what is technically possible.

Re:Not important enough (1)

pnewhook (788591) | more than 2 years ago | (#37069400)

So clearly you must own a Blackberry if you are concerned about security since all other smartphones can be eavesdropped onto. You must also have tinfoiled your house.

Re:Not important enough (0)

Anonymous Coward | more than 2 years ago | (#37069444)

Adding to the parent: When the skript-kiddiez come along and break into the system and make off with the keys to everyone's kingdom, the engineers and the company that sold the highly insecure gadget/operating system/whatever are usually let off the hook, and all the rage is pointed toward the kiddiez. The company might offer an extra 'security bundle', which somehow doesn't make people ask 'why didn't you ship it as a secure/reliable product in the first place?', but that rarely happens. For the odd occasional few who might ask those questions, the company will set up a second company which offers products to secure the insecure products offered by their parent company. I agree that even though most people know eating their vegetables is good for them, they will fight like hell about having veggies interspersed between their steak and beer. "Don't you dare tell me blah blah blah!" ...but, but your particular steak is 86% fat and carcinogens and you will die within 48 hours..... "I don't care, now get your damn veggies away from my steak! ...and gimmie another beer!"

Re:Not important enough (1)

danhaas (891773) | more than 2 years ago | (#37070210)

That "full responsibility" approach led the American health system to its present state.

Sometimes you just have to learn to live with the risk, and try to manage it instead of eliminating it.

Re:Not important enough (2)

Hadlock (143607) | more than 2 years ago | (#37070272)

Yep. Your job as a product manager is to
 
1. Ship the product
2. Ship the product on time and
3. Do it under budget
 
Pick any two. #1 is not optional. As long as conditions 1 and 2 or 3 are met you get to keep your job, and possibly a project completion bonus (if you're lucky). As long as security flaws aren't getting in the way of two of those three objectives, you can ignore them and patch them in a later firmware/software update.
 
Complaining to your manager that you need to delay the product and that you're going to have to exceed your budget to address security concerns that a junior engineer mentioned in a memo is probably not going to net you that fully paid team building exercise that involves playing golf in the Cayman Islands for a week next month. The fact that you blew your project over something like "security" isn't helping matters with the wife; that $3000 bonus you decided to eschew in favor of security isn't helping pay for the pair of diamond earrings, the new 47" plasma TV, new PS3 for junior who made a 3.8 last semester, or the 15th wedding anniversary trip to Hawaii.

Greed (1)

TaoPhoenix (980487) | more than 2 years ago | (#37069002)

Nah, the author and submitter made a valiant attempt but the real reason is that we are "satisfied" to just release stuff and let the general public be un/underpaid debug labor.

If all that debug was properly full-costed these companies would lose years of profits.

Re:Greed (1)

Anrego (830717) | more than 2 years ago | (#37069068)

That and customers aren't willing to pay the costs of doing it properly. Especially when your competitor is not doing it properly and as such can offer their product cheaper than yours.

Consumers are as cheap and greedy as the companies who make the products. Can't sell what people don't care about and aren't willing to pay for..

WE AIM TO PLEASE !! (0)

Anonymous Coward | more than 2 years ago | (#37069006)

We just don't care who that is !!

Business Pressures (0)

Anonymous Coward | more than 2 years ago | (#37069044)

Full stop. You can either make money or take the time to do it right and go bankrupt, and then someone else picks up your project on the cheap and profits from it.

For those of us who've been in development .... (0)

Anonymous Coward | more than 2 years ago | (#37069100)

For those of us who've been in development for any length of time, we all learn that the ship date that the PHBs set is the most important thing to them. Ship it and worry about the little things later. Miss the ship date? Well the World comes to an end! The Mayans predicted this: in 2012, a developer will miss his ship date, that's how the World will end - at least that's the attitude of the PHBs!

Say it ain't so! (1)

barlevg (2111272) | more than 2 years ago | (#37069134)

Engineers are saying their products are being rushed to market, and that they're not being given enough time to come out with a perfect product?

What's the world coming to?

Next thing you'll be seeing teachers complain about being underpaid and under-appreciated and the president saying that partisan bickering is preventing him from getting anything accomplished.

Just because it's true doesn't make it news.

History needs to repeat (1)

Tablizer (95088) | more than 2 years ago | (#37069216)

GM engineers discovered a safety problem in a vehicle they were designing, and designed an extra part to fix it. But management decided to save $5 per vehicle and skip it. GM ended up getting their cabooses sued off for that decision after the legal "discovery" process found out about the intentional shortcut. The jury handed them their ass.

Perhaps a similar situation has to happen with software in gizmos before companies "care".

Re:History needs to repeat (1)

kbonin (58917) | more than 2 years ago | (#37069306)

This is the real reason why most large companies now have email retention policies and auto-delete everything after 30..90 days.

It is a cheaper "fix".

Re:History needs to repeat (1)

dubl-u (51156) | more than 2 years ago | (#37069800)

This is the real reason why most large companies now have email retention policies and auto-delete everything after 30..90 days.

It is a cheaper "fix".

That is an incredibly important point. You could fix the email problem, but you can't fix people refusing to know. Almost everybody responsible for crashing our economy escaped accountability, and many of them claimed that they were blameless because they didn't know what was going on, after setting up companies in such a way that they were guaranteed to not know what was going on.

It's an endemic problem in corporate America, and we need to find a way to fix it.

Re:History needs to repeat (1)

0123456 (636235) | more than 2 years ago | (#37069384)

GM engineers discovered a safety problem in a vehicle they were designing, and designed an extra part to fix it. But management decided to save $5 per vehicle and skip it.

[citation needed]

I remember some similar stories (the Pinto gas tank?) of poor engineering design in American cars that management wouldn't change until they had to, but I'm pretty sure the story as you tell it is an urban legend.

Re:History needs to repeat (1)

Anguirel (58085) | more than 2 years ago | (#37070430)

Yes, the Pinto was the one that would be the origin of that sort of story. The Exploding Gas Tank could have been fixed by a $1 plastic bit, and they knew that before they went to manufacturing.

http://motherjones.com/politics/1977/09/pinto-madness

What kind of security problems (1)

Osgeld (1900440) | more than 2 years ago | (#37069236)

there is a huge fucking difference in between "oops we left the programming interface exposed so some hacker can rewrite the firmware in his xbox controller" and "oops we just gave all your personal data to the Chinese, don't enter any credit cards"

And please drop this magic cloud of "embedded devices" just for the sake of clarity? Cause for fucks sake that could mean anything from the intelligent disk controllers in a C-64 to an iPad to an army rifle

Re:What kind of security problems (1)

0123456 (636235) | more than 2 years ago | (#37069304)

Take my webcam for example. Telnet to port 50000 and you get a root shell with no password required; took two minutes to discover that with nmap after I connected it to my home LAN.

Or you did, as the first firmware upgrade removed that feature.

Re:What kind of security problems (1)

Andy Dodd (701) | more than 2 years ago | (#37069718)

Yup. It's interesting, some of the things done in the name of "security" actually piss off a vocal minority of technically-oriented users. This vocal minority is often trusted by less-technical friends to make recommendations on what to buy.

As a result, a device that's locked-down from tinkerers is going to get less recommendations from "trusted friends". A device that's open to tinkerers might have those tinkerers rave about their device to their less-techie friends.

The problem is that a lot of routes used by tinkerers to bypass lockdown can also be used by malware. For example, the root exploits in Android were probably used 95%+ of the time for good (users rooting their own device), and 5% of the time for bad (malware installed by dumb people). In the case of iOS jailbreaks, it's probably 99/1. (Although from Apple's perspective, those 99% are in the "bad" category.)

They don't care because you don't care (1)

Opportunist (166417) | more than 2 years ago | (#37069378)

Quite frankly, and in a nutshell: Why should a company spend time and money on securing a device if the customer does not honor it?

Take two companies, A and B. A spends engineering time on working out and ironing out all the security bugs and flaws, ending up with a more expensive product than company B who doesn't. Net result? Customer goes and buys the insecure product from company B.

Then there's that part where insecurity actually works in the customer's benefit. For reference, see DRM and how it gets circumvented ("softmodding" pretty much means "using a security bug to gain root access" nearly every time).

Companies will not spend time and money on securing a product if the customer does not care, or even prefers an insecure product. It's that simple.

Re:They don't care because you don't care (1)

erroneus (253617) | more than 2 years ago | (#37069582)

The insecurity that favors the customer is where companies are more inclined to spend their time and money.

And "customers don't care" is not the same as "customers don't understand" or "customers don't know about it." Customers, when informed of a security issue, almost always care. I refer you to the classic slashdot car-analogy and ask yourself if you were informed, before purchase, of a serious vulnerability in your car, would you buy it? And if you bought it without knowing and were later informed, would you be upset? I think it goes without saying that presuming the customer doesn't care is false. The reality is that the customer isn't informed and cannot care about something he doesn't know.

Re:They don't care because you don't care (1)

brainzach (2032950) | more than 2 years ago | (#37069848)

Try telling customers to develop unique passwords with special characters for every website they have an account with. They might care about security, but they care more about remembering their passwords so that they can log in.

Re:They don't care because you don't care (1)

erroneus (253617) | more than 2 years ago | (#37070536)

I'll respond in the form of a comic:

http://xkcd.com/936/ [xkcd.com]

To make a password strong, 8 characters, having punctuation, numbers and mixed case is not as great an idea as you might think.

On the other hand, if you tell people to pick four words of varying length that normally don't have anything to do with one another, you have a pretty good password. It would invariably be longer than 8 characters and WAY harder for traditional cracking methods.

Re:They don't care because you don't care (1)

Comrade Ogilvy (1719488) | more than 2 years ago | (#37070064)

"Caring" is a meaningless word, unless proven with action. The question is how much resources, in both time and money, are the consumers willing to invest in order to be more secure.

"Informing" the consumer is problematic, because once we get past some rock bottom basics about passwords and credit card numbers and phishing, the average consumer cannot understand the specific issues involved without enormous, tedious research and education which they just are not going to do. Informing sounds nice, but if they lack the fundamental understanding to make a sound decision in the full technical context, it is a lot of noise that makes the product look bad to no obvious useful purpose.

The answer is to have standards, created by experts. Something like the moral equivalent of UL certification that this toaster is very unlikely to kill you.

The less than ideal but practical answer is to have name brands. It is one of the many reasons that Apple can charge a premium -- it is very rare for their products to be screwed up by random viruses or driver issues. For all that serious hackers often decry the locked gates, many consumers are intentionally paying more money for exactly that.

Re:They don't care because you don't care (1)

erroneus (253617) | more than 2 years ago | (#37070588)

Actually, informing the consumer is the responsibility of the manufacturer and in many states in the US, failure to disclose such knowledge is a serious violation of law. We are talking about products shipping where the producer is already aware of problems and vulnerabilities aren't we?

As for "...it is a lot of noise that makes the product look bad..." goes, that argument doesn't stop them from pushing EULAs in people's faces and then expecting the user to abide by them.

There are standards... or there were... before the MBAs started taking over. Engineers have standards "built in." It is "other factors" which compromise those standards.

Re:They don't care because you don't care (1)

Opportunist (166417) | more than 2 years ago | (#37070072)

And "customers don't care" is not the same as "customers don't understand" or "customers don't know about it." Customers, when informed of a security issue, almost always care.

Oh yes, I can see the PSN being virtually deserted now.

And oh yes, the people were mighty upset about it. I can still see the laments on many, many message boards what an outrage it is. They shut up quickly as soon as PSN went back online and they could play again.

W.C Fields... (0)

Anonymous Coward | more than 2 years ago | (#37070344)

I already took your money now, so go away kid... you bother me.

i suppose the story (1)

nimbius (983462) | more than 2 years ago | (#37069484)

can be approached from a standard of practicality. Those of us who have spent time working in computing and technology will readily concede security as an illusion and that devices can and will always manifest some element of insecurity. The question the author is trying to ask I suspect is 'are manufacturers doing enough to ensure the security of their devices.'

Harkening back to the days of manufacturing before the CPSC, Americans basked in the glory of such products as stainless steel lawn darts and carcinogenic drink additives. The common board game 'operation' was unquestionably fed from a 120 volt AC source. In short it took a federal regulatory agency to ensure customers were protected against the ruthless profiteering of conglomerates willing to drive their product, in the case of lawn darts quite literally, into their market without so much as a second thought.

I can't propose a government agency because these days even the most controversial items to be regulated, for example hydraulic fracturing, are met with "cautious optimism" and nothing less. Our relentless pursuit of the golden calf called the free market has made us incapable of asking questions like 'why does my favorite company ship something insecure?' Because there are no penalties on their part for the insecurity of their product, there's no incentive. Because customers are barely capable of understanding the product's controls in most cases, let alone the repercussions of misuse, the customer is complacent. And thanks to hardworking patrio-tastic lobbyists and ideological politicians, no regulatory body on the planet can approach the manufacturer with anything less than 'cautious optimism.'

The solution is death. More customers with more insecure products must exist and a tipping point must be reached before a digital CPSC is created to ensure your internet-capable refrigerator can't be hacked to burn down your house, or your pacemaker doesn't allow a malevolent 14 year old to use it as a midi controlled device. You aren't a lobbyist, and you hold no corporate or political power beyond "voting" and "buying" dis-respectively.

Re:i suppose the story (1)

Grapes4Buddha (32825) | more than 2 years ago | (#37069894)

the common board game 'operation' was unquestionably fed from a 120 volt AC source

I'm pretty sure that "Operation" has always been a battery-powered game.

Re:i suppose the story (1)

cdrguru (88047) | more than 2 years ago | (#37070438)

Operation was introduced in 1965 well after the time when things were "unquestioningly fed from a 120 volt AC source". There is no question it was always battery powered. Heck, I remember wanting one when it first came out when I was like 10 or something.

TL;DR? It's the MBAs (1)

erroneus (253617) | more than 2 years ago | (#37069506)

Most people here on Slashdot understand very well the "engineering" perspective of product development. We tend to believe that a better product will sell better and that, conversely, products that sell better are presumed to be better products.

MBAs know better. What they know is that marketing, public relations and public image/perception is far more critical to "success" than quality.

So is it any wonder that quality takes a back seat to marketing and releasing a product?

Re:TL;DR? It's the MBAs (1)

0123456 (636235) | more than 2 years ago | (#37069576)

MBAs know better. What they know is that marketing, public relations and public image/perception is far more critical to "success" than quality.

No, that's what they believe... and in the short term they're correct. In the long term, however, it's hard to keep selling people crap when they've had too many bad experiences with your earlier products.

Look at Sony, for example. My first two Sony camcorders lasted a decade each; in fact, I'm still using the DV camcorder I bought in 1996 because of the design flaw in the HD camera I bought in 2004 where if you remove the battery before the hardware has completely shut down it fries the logic board and costs more to fix than the camera is worth.

Suffice it to say, my next camcorder probably won't be Sony, no matter how good their marketing and PR may be.

Re:TL;DR? It's the MBAs (1)

erroneus (253617) | more than 2 years ago | (#37069760)

Good for you, Mr. Engineer. You display logic and wisdom that few people display.

For example, people continue to vote for Democrats and Republicans and completely exclude alternatives despite the fact that the two leading "brand names" continually fail them. And Sony's continued success despite their quality issues is an important indicator that you are an anomaly and not a mainstream consumer. Mainstream consumers keep buying Sony because they believe Sony is cool technology.

Re:TL;DR? It's the MBAs (1)

ilsaloving (1534307) | more than 2 years ago | (#37070554)

I don't buy from Sony either, for the same reasons. However, I've seen more than enough people walking home with a Sony product under their arm to realize most people really don't care enough to do their research before buying. Heck, look at all the PS3s being sold, and the rabid fanboy community that exists around it.

So now I just sit back and laugh when someone gets all indignant that their Sony product either failed or somehow abused the purchaser.

Re:TL;DR? It's the MBAs (1)

brainzach (2032950) | more than 2 years ago | (#37069654)

Security is only one element of a quality product. Adding a new feature or improving ease can increase a product's quality at the expense of security.

Re:TL;DR? It's the MBAs (1)

erroneus (253617) | more than 2 years ago | (#37069862)

You are presuming they are always mutually exclusive. While it is often the case, it is not ALWAYS the case.

But you are right in that people tend to favor convenience at the expense of security for consumer products. However, this is best coupled with consumer ignorance because once they discover there is something about their product that makes them or their information vulnerable to attack, they won't care that it was so they could have a more convenient user experience. They will just be pissed off.... and then they will buy "version 2" of the same thing from the same company.

Re:TL;DR? It's the MBAs (0)

Anonymous Coward | more than 2 years ago | (#37070774)

I'm a software engineer, and I'll be honest: if I am making an attempt to improve product quality, it's not necessarily because I think that will make the product sell better. Neither is it the other common motivation I see at work: improving some perception of "quality" as a form of sucking up to managers. For the most part I don't do it for the monetary or career rewards, I mostly do it because to a certain extent I feel like I have some obligations that are beyond economics and beyond office politics.

To know of a serious problem in the product and let it ship like that... Many people I work with have no problem with this. I'm bothered by it. If I know that some percentage of customers are inconvenienced due to lack of foresight at my workplace, even if the percentage is small, that's bad. Never mind that the customer is paying money for our product and it ends up causing them some amount of distress in return; that's like I've just inconvenienced a stranger for no good reason. I am not at all a religious person, but that bothers me ethically, in the sense that I don't go around punching strangers in the face, so why should I do the moral equivalent through software? Sometimes working with managers I feel that they forget the consequences of their actions in real terms; all they care about is the perception of their managers so it doesn't matter if they're churning out crap.

There is of course the other side of this coin: There is no such thing as bug-free software; bug fixes can introduce other bugs; a disproportionate amount of time fixing bugs will lead to something that never ships. That's just no excuse to write off all your bugs without blinking and neglect quality.

24% of companies liable already (0)

Anonymous Coward | more than 2 years ago | (#37069614)

Why do people think we need MORE laws to protect us. Depending on the device's function we already have sufficient consumer protection laws to guard against 'faulty equipment'. If a device is supposed to be secure (e.g. a firewall) and a company knowingly ships it with a defect, then they can be sued...any decent lawyer should be able to do the job...if it's not a device designed for 'security' (e.g. a simple web server) then it's got nothing to do with the price of rice in China...

A door in and of itself is totally insecure...but if you put an expensive deadbolt on it that can be easily 'cracked' then the manufacturer of the deadbolt lock is liable not the door maker...

Adding security costs money (1)

sl4shd0rk (755837) | more than 2 years ago | (#37069636)

And doesn't necessarily increase revenue. Besides that, in my history anyway, managers do not want to spend another $5k because a product is "More Secure". They would much rather put the $5k into a product with a dead-simple API than put it into some hypothetical circumstance which they have no direct experience with.

Security is one of those things you can only truly understand by getting burned by it.

The answer (0)

Anonymous Coward | more than 2 years ago | (#37070202)

Got to ship it first to get market share, so: Don't worry..... Be Crappy

tighter security = more returns (1)

Miamicanes (730264) | more than 2 years ago | (#37070670)

The more secure you make an embedded device or appliance against information leakage and harvesting-type vulnerabilities, the more likely it is to end up getting returned to stores by frustrated consumers who can't get it to work.

Just look at WPA-2 -- it's unquestionably more secure than WEP. It's also rarely used in public settings because statistically, it never fucking works. You can take any access point, and any device that supposedly supports WPA-2, and know beyond doubt that there's about a 50-50 chance it won't work on the first try, and only slightly better odds that it'll eventually work after an hour or more of work (likely victims include anything with Vista or newer, or an Android phone that hasn't been rooted & reflashed to AOSP or Cyanogen).

'Secure' is not a boolean (1)

Junta (36770) | more than 2 years ago | (#37070894)

If you ask me if a product I've worked on is 'secure', my immediate thought is 'what is your criteria?'. There are 'degrees' of secure and the line where someone says 'it's secure' shifts according to who's making the call. Some may say they 'secured' their unattended installer data because they base64 encoded the administrator password (looking at you, Microsoft). They would argue they did enough to protect from over the shoulder (visual exposure only, with no opportunity to transcribe it to paper). The attacker couldn't remember the base64 string long enough to put it into a base64 decode. In theory they could have taken it a step farther (like kickstart and autoyast for example), and stored the NTLMv2 hash in the file instead of password. More would say 'secure', but then some would say 'NTLMv2 hashes are trivially broken by rainbow table, so it's not appreciably better'. Let's say they even went so far as to redo their local account store to use something as well salted as modern /etc/shadow entries. Some would still say it's insecure because even with the cipher text pretty well protected against practical rainbow tables, GPUs can crunch through the problem space too quickly.

Then when faced with the continuum between 'wide open' and 'uselessly secure', there are tradeoffs. For example, ssh keys are widely used for convenience (and frequently can be fairly considered 'more' secure). When used for convenience, they are often stored without a passphrase. This means some will say it's less secure because they fear an offline attack or other attack that compromises the key. So you slap a passphrase on and have to type it every time. You are back to the same level of inconvenience of password every time. ssh-agent mitigates this and things like gnome-keyring mitigate it further, but I'm sure some would call the 'attack surface' larger and therefore less secure somehow.

Some tasks can be rendered impossible by 'perfect' security. Like auto-deploy of new equipment being enabled by well-known default credentials being very convenient, but we all know how 'default credentials' can be considered very very bad if a piece of equipment is popular and installers are lazy.
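
The three storage forms the comment above walks through (base64 encoding, an unsalted hash, a salted hash), as an added example that is not part of the original thread. SHA-256 stands in for the unsalted hash and PBKDF2 for the salted scheme; the function names, the iteration count and the sample password and guess list are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data: a weak administrator password and a short guess list.
SAMPLE_PASSWORD = "Winter2011!"
COMMON_GUESSES = ["password", "letmein", "Winter2011!", "admin123"]
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this demo


def store_base64(password):
    """Encoding, not protection: no key or secret is involved."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_base64(stored):
    """Anyone who can read the file can run the inverse."""
    return base64.b64decode(stored).decode("utf-8")


def store_unsalted(password):
    """Fast unsalted digest: the same password gives the same value on every host."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(guesses):
    """A digest-to-password table computed once applies to every unsalted record."""
    return {store_unsalted(g): g for g in guesses}


def store_salted(password, salt=None):
    """Per-record random salt plus a slow KDF; salt and cost are stored with the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "digest": digest.hex()}


def verify_salted(password, record):
    """Recompute with the stored salt and cost, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def assess(password, guesses):
    """Summarise what a reader of the stored file learns under each scheme."""
    table = build_precomputed_table(guesses)
    record_a = store_salted(password)
    record_b = store_salted(password)
    return {
        # base64: the plaintext comes straight back
        "base64_recovered": recover_base64(store_base64(password)),
        # unsalted: a table built in advance maps the digest to the password
        "unsalted_table_hit": table.get(store_unsalted(password)),
        # salted: the same table is useless, the digest depends on the salt
        "salted_table_hit": table.get(record_a["digest"]),
        # salted: two records of one password do not reveal that they match
        "salted_records_differ": record_a["digest"] != record_b["digest"],
        "salted_verifies": verify_salted(password, record_a),
    }


if __name__ == "__main__":
    for name, value in assess(SAMPLE_PASSWORD, COMMON_GUESSES).items():
        print(f"{name}: {value}")
```

The salt removes the precomputation and the iteration count sets the cost of each guess; neither makes a weak password strong, which is the comment's last point about GPUs.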
