Security

Consumer Reports To Consider Cyber Security in Product Reviews (reuters.com)

Consumer Reports, an influential U.S. non-profit group that conducts extensive reviews of electronic products, cars, kitchen appliances and other goods, is gearing up to start considering cyber security and privacy safeguards when scoring products. From a report: The group, which issues scores that rank products it reviews, said on Monday it had collaborated with several outside organizations to develop methodologies for studying how easily a product can be hacked and how well customer data is secured. Consumer Reports will gradually implement the new methodologies, starting with test projects that evaluate small numbers of products, Maria Rerecich, the organization's director of electronics testing, said in a phone interview. "This is a complicated area. There is going to be a lot of refinement to get this right," Rerecich said. The effort follows a surge in cyber attacks leveraging easy-to-exploit vulnerabilities in webcams, routers, digital video recorders and other connected devices, which are sometimes collectively referred to as the internet of things.
This discussion has been archived. No new comments can be posted.

  • About damn time... (Score:4, Interesting)

    by TWX ( 665546 ) on Monday March 06, 2017 @03:45PM (#53987341)

    ...and really, most products should get terrible marks to start with.

    This is in many ways what IIHS did, that compelled the auto industry to make ever safer cars. The NHTSA crash testing is so hobbled by laws designed to make it ineffective that it took the insurance companies, tired of paying out claims for AD&D to embarrass car makers into making safer cars.

    I have a feeling that if Consumer Reports isn't successful, increasing payouts by insurance companies when breaches occur might be.

    • by AmiMoJo ( 196126 )

      tired of paying out claims for AD&D to embarrass car makers into making safer cars.

      People were outing AD&D players at car makers to embarrass them into making safer cars?

      Wow. I knew there was some social stigma, but... Wow.

  • by MobyDisk ( 75490 ) on Monday March 06, 2017 @03:48PM (#53987367) Homepage

    This is great. I've been promoting the idea that independent test labs such as UL, or standards such as the CE mark, should include product security as well. Having consumer ratings include them could significantly increase awareness of security. We, as technologists and consumers, really need to hit hard against companies selling inherently insecure products. With the rise of botnets, insecure products are no longer just a threat to our own networks, but to national security as well.

    • by AK Marc ( 707885 )
      Yeah, but CR is incompetent hacks that are prone to sensationalize results to drive magazine subscriptions. Anyone else would be better than them.
    • by AmiMoJo ( 196126 )

      I wonder what the tests will be. Run NMAP perhaps? Check web pages behind log-in screens are not accessible? Look for exploits like unsanitised input?

      Or some kind of meta check, based on previous performance of the manufacturer, frequency of updates etc.

      • by MobyDisk ( 75490 )

        Yeah, others have questioned if CR has the skills to do this. I hope they hire some real security people. Your "meta check" concept would be pretty weak, but that is the kind of thing they might do.

  • I applaud the effort, but are they really qualified to be doing this, or are they going to limit it to basic "best practices?" I can see picking up that there is an open port, but backdoor accounts, phoning home, etc are equally important.
    • RTFA:

      " ...it had collaborated with several outside organizations to develop methodologies for studying how easily a product can be hacked and how well customer data is secured. "
    • by bws111 ( 1216812 )

      Here is what they are using as criteria: https://thedigitalstandard.org... [thedigitalstandard.org]

      • Here is what they are using as criteria: https://thedigitalstandard.org... [thedigitalstandard.org]

        No...that's what they are saying they are using as criteria. Knowing where to look something up and understanding it are different things. I don't believe Consumer Reports will be hiring any real security experts to conduct their reviews. They'll do the same thing they've always done--best effort approach using reviewers who know how to meet deadlines for writing review text. If you're an expert in a field, you don't take advice from Consumer Reports. Just look at their reviews for product areas in whi

        • It's nice that they've added a column to their matrices about "Security", but for me, a dot in that column is meaningless.

          ...but perhaps no dot in that column is cause for huge concern/outright dismissal for even considering the product.

        • I doubt they would want to risk some big hack where it becomes evident that they missed a glaring hole. Even if they do, it will change shortly after said event happens.
    • by tlhIngan ( 30335 )

      I applaud the effort, but are they really qualified to be doing this, or are they going to limit it to basic "best practices?" I can see picking up that there is an open port, but backdoor accounts, phoning home, etc are equally important.

      They're probably not qualified, in that it's consumer reports.

      They review stuff for the masses - if you're an expert in the field, you already know what to look for and thus they don't contribute anything. However, if you're not already in the know, they test things as "Jo

  • by mykepredko ( 40154 ) on Monday March 06, 2017 @04:03PM (#53987447) Homepage

    One of the first things I thought of when I read this is how would they rate a Windows 10 PC, Mac or a Chromebook? What about a smartphone or tablet? Even many PCs with Linux already installed would be suspect with different packages that come with the system.

    It's great that they'll rate connected appliances, cars and streaming boxes but that's leaving out the classes of devices which are the biggest risk to consumers' data - the systems they handle almost literally 24 hours a day.

    Ironically, CR doing this is a great way of making the great unwashed more aware and concerned about their cyber-security.

    • by wiredog ( 43288 )

      Ironically, CR doing this is a great way of making the great unwashed more aware and concerned about their cyber-security.

      How is something doing what it's intended to do in any way ironic?

  • by xororand ( 860319 ) on Monday March 06, 2017 @04:18PM (#53987529)

    Say "cyber" one more time...

  • manufacturers to consider cyber security and privacy we'll be good to go.

  • Consumer Reports has shown REPEATEDLY that they don't know shit about computing, and I'd bet they don't know shit about cyber security either.

    Their articles will contain shit like "use complex passwords", "use an anti-virus program", and "don't click on pop-up ads".

    Fucking ninnies. They're good at hardware testing (usually) for cars and appliances but in the realm of computing they've proved to be dunderheads more times than I can count. Plus, computing is a moving target- the shit they test or advise on wi

  • by Anonymous Coward

    A copy of the two job descriptions:
    https://jobs-consumers.icims.com/jobs/2778/product-testing---cybersecurity/job?mode=job&iis=Indeed&iisn=Indeed.com&mobile=false&width=1170&height=500&bga=true&needsRedirect=false&jan1offset=-300&jun1offset=-240

    And also an Intern position in IS:
    https://jobs-consumers.icims.com/jobs/2786/2017-summer-intern%2c-information-security/job?mode=job&iis=Indeed&iisn=Indeed.com

    Key Responsibilities:

    Within Privacy, manages complex pro

  • Maybe they should start doing ratings on cyber security?
  • by Anonymous Coward

    But around 2008 they switched to a pay for ratings and it was VERY OBVIOUS. Models that one month rated at the bottom of the list started showing up at the top of the list. Also, you can see models that have very public recorded issues still show up at the top of the list.

    Sorry, but CR is no longer a reliable source for honest non-biased reviews of products.
