California May Ban Terrible Default Passwords On Connected Devices (engadget.com)
According to Engadget, the California Senate has sent Governor Jerry Brown draft legislation that would require manufacturers either to use unique preprogrammed passwords or to make you change the credentials the first time you use the device. "Companies will also have to 'equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device,'" reports Engadget. From the report: If Brown signs the bill into law, it will take effect at the beginning of 2020. But critics claim the wording is vague and doesn't go far enough in ensuring manufacturers don't include unsecured features. "It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Robert Graham of Errata Security said in a blog post. "The key to dieting is not eating more but eating less." Given the huge number of connected devices available, it's also not clear how the state plans to enforce and regulate the rules.
About Time (Score:1)
About time, it's a good start. But devices should also have a 'BACKDOOR INSTALLED' sticker if that is the case.
And another sticker: 'Device will be unsupported after 1, 2 or n years.' This way consumers will discriminate against throw-away trash.
And a fine if string length overflows happen because of lazy coding and lazy compiles.
You would have thought the FCC or similar would have demanded this decades ago, or a list where you can scan your device and find out if defective with no firmware upgrades available.
Re:About Time (Score:5, Insightful)
I like easy default passwords.
I want to be able to hard reset my device and get it set up without a reference. I don't want losing the paper where I wrote its default password to brick the device on a hard reset.
It's more challenging, but better, to have an easy default, and force a change of password during the setup.
Re: (Score:2)
Re: (Score:3)
What might be the best thing is an e-Ink display or a cheap LCD display. When the device is hard reset, the display will show a random 10-20 digit code on it, which will be the temporary password for the device. Then, once the device is logged into, it will force a password change.
Re: (Score:2)
I like that idea of it showing up on the device. I'd go further though. If the random password is suitably random, then don't let the user change the password. Instead have a button that creates a new password and displays that.
The snag though, is that now you have to have the actual text of the password stored in the device, which can mean that there's a way to get ahold of that password remotely. And manufacturers aren't going to voluntarily add a complicated secure module when they can just print a s
Re: (Score:1)
Most people will change it to "password" which sort of defeats the object.
Re: (Score:2)
The main reason for the forced change is to transfer all responsibility of security to the user as early as possible. If the user wants "hunter2" or "password", that is up to them. It also mitigates any issues, should the password generator for the device wind up being weak, or the screen the password displayed on limited in how many characters it can display. I would say 8 characters would be minimum displayed on the screen, provided it is changed almost immediately.
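The thread above sketches a setup flow: a hard reset shows a random temporary code on the device's own display, only a hash of it is stored so the plaintext is not sitting in flash, and the owner is forced to replace it before the device does anything on the network. The following is an added example written for this page, not code from any vendor or from the original comments; the class and function names, the 12-digit code length and the small blocklist of weak choices are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Added example (not code from the page or any vendor): a first-boot credential
# state machine of the kind the thread describes. A hard reset shows a random
# temporary code on the device's own display, only a salted hash of that code is
# stored, and no network service is offered until the owner has replaced it.
# Class and function names are this example's own.

# Constructed blocklist of the choices the thread jokes about; a real device
# would use a much larger list (e.g. a breached-password corpus).
WEAK_CHOICES = {"password", "password1", "password1!", "password2",
                "hunter2", "admin", "12345", "123456"}
MIN_LENGTH = 12


def password_acceptable(candidate: str) -> bool:
    """Policy applied at the forced change: length, not a known-bad choice, not all digits."""
    return (
        len(candidate) >= MIN_LENGTH
        and candidate.lower() not in WEAK_CHOICES
        and not candidate.isdigit()
    )


def _hash(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash so a dumped flash image does not yield the credential directly.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


class FirstBootCredentials:
    """Models the credential store and setup gate of one appliance."""

    def __init__(self) -> None:
        self.salt = b""
        self.pw_hash = None          # only ever a hash, never the plaintext
        self.must_change = True      # set until the owner picks their own password
        self.display = None          # what the device's e-ink/LCD currently shows
        self.hard_reset()

    def hard_reset(self) -> str:
        """Generate a fresh 12-digit temporary code from the OS CSPRNG and show it."""
        code = "".join(secrets.choice("0123456789") for _ in range(12))
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(code, self.salt)
        self.must_change = True
        self.display = code
        return code

    def network_services_allowed(self) -> bool:
        """The gate: nothing listens on the network until the temporary code is gone."""
        return not self.must_change

    def login(self, candidate: str) -> bool:
        return self.pw_hash is not None and hmac.compare_digest(
            _hash(candidate, self.salt), self.pw_hash
        )

    def change_password(self, current: str, new: str) -> bool:
        """Forced at first login; rejects weak choices; clears the display once done."""
        if not self.login(current) or not password_acceptable(new):
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new, self.salt)
        self.must_change = False
        self.display = None        # temporary code is no longer shown anywhere
        return True


if __name__ == "__main__":
    dev = FirstBootCredentials()
    code = dev.display                       # the owner reads this off the device
    print("network allowed before change:", dev.network_services_allowed())
    print("rejected weak choice:", not dev.change_password(code, "Password1"))
    print("accepted:", dev.change_password(code, "correct-horse-battery-staple"))
    print("network allowed after change:", dev.network_services_allowed())
```

The design point is that the temporary code exists in plaintext only on the display and in the owner's head: flash holds a salted PBKDF2 hash, so a remote read of the filesystem does not hand over the credential, and a lost password is recovered by pressing reset rather than by a recovery path that could itself be abused.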
Re: (Score:2)
Many devices come with a strong default password printed on the case. Can't lose it because it's on the device permanently. It's a good enough password for the user to keep using without changing it, and the physical security of it being in your house is adequate for stuff like WiFi and Bluetooth pairing codes.
Re: (Score:2)
I've had a few travel routers, and they all have this wear off pretty quick. Not to say a device could do it in a way that it won't wear off, but they tended to in my experience.
It looks like the law allows for the simple default plus forced change though (that's what I get for not reading TFS).
Re: (Score:2)
My home Verizon router is both. It has a unique default password printed on a sticker on the device. If you reset it to the defaults that becomes the password.
And the first thing you do to the device when you set it up is to reset it to the defaults with a button on the device.
Now, when I forget the password that I put into it, I can simply reset the device and use the password on the sticker.
Re: (Score:2)
I want to be able to hard reset my device and get it set up without a reference. I don't want losing the paper where I wrote its default password to brick the device on a hard reset.
But think of the sales opportunities!
Re: (Score:2)
Just require a physical touch to begin the initial setup process.
Re: (Score:1)
Right now it's "power it on to begin the initial setup process". How does your extra physical button help in any way?
Re: (Score:2)
If the process was send it firmware, then push the button.
The window would be incredibly short. I'd argue short enough as to be zero risk.
Someone would have to upload a new firmware between the person setting it up uploaded one, and when they pushed the button.
Re: (Score:2)
Simply do not connect to the internet until the password is changed.
Was that so tough?
Forgot what serial means? (Score:2)
Did you forget what the word "serial" means?
Correct me if I'm wrong but (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:1)
The problem in this situation is NOT companies. It is morons who keep default passwords. California would like to continue to allow moron companies to survive, which is the antithesis of natural selection. Remember, corporations are people my friend.
Re: (Score:2)
Well that's the sort of thing you hear about, but... well, first, in order to see that the database is in plaintext, you have to get access first. It's not uncommon for people to get into the systems because of password reuse or weak passwords or default passwords.
Also, you don't hear much about the compromises that are due to default passwords because it's not a big scary unexpected security flaw. It's written off as, "Yeah, that guy's dumb for leaving the default password." But I think when you're des
Re: (Score:2)
Well, in this case the consequences of well-known default passwords are the various botnets of embedded devices, which happen very often.
Good First Step (Score:5, Funny)
Now instead of a default router password, users will be prompted to change it, thus setting it to 'Password1'.
Progress!
Re: (Score:1)
They just need to make a law against that too. Duh
Re: (Score:2)
They should pass laws making it illegal to break the law.
Re: (Score:2)
Now instead of a default router password, users will be prompted to change it, thus setting it to 'Password2'.
Re: (Score:2)
C'mon, that isn't secure... try "Password1!"
Installed OpenHAB to look at it for home automation, and I just kept cringing at how miserable the security model is and just how hard they have made it to put it in a non-routeable VLAN. While this bill doesn't address everything by any means, the "reasonable minimum protections" concept needs to be enshrined somewhere.
Re: (Score:1)
"Eating less" seems to be the answer, but results in hunger pangs, leading to the person not being able to think about anything else than food, and thus stress himself out. And guess what that tends to lead to ...
If you are gaining weight, in most cases it is because you are eating too much (or at least too much of the wrong things). With so many meals in the US having a calorie count in the 4 digits, simply reducing the size of meals and eating until "not hungry" instead of "feeling full" will allow you to lose weight without getting hunger pangs. If you are getting hunger pangs then you are starving yourself. And never cut out a food completely unless directed to by a doctor: doing so only causes cravings that
Three squares a day is BS (Score:1)
So, start with eating three good, full meals. That definitely helps to quench the snack attacks.
I'm guessing you've never really actually tried to lose weight. That is definitively NOT the advice you will receive from experts on the subject. The three squares a day idea does not derive from any actual evidence about its utility for weight maintenance or health. In fact if most people tried just eating three meals a day and not snacking with an eye towards weight control then they will very likely fail to maintain that regimen for any significant length of time. This has been demonstrated time and
Re: (Score:1)
As so many people who are talking about "dieting" they are both wrong, and have a very short-sighted view.
"Eating less" seems to be the answer, but results in hunger pangs, leading to the person not being able to think about anything else than food, and thus stress himself out. And guess what that tends to lead to ...
So, start with eating three good, full meals. That definitely helps to quench the snack attacks.
But foremost, try to figure out why you are eating all that stuff (did I already mention stress ? I think I did), and try to get it clear in your mind.
Being aware of what makes you eat definitely helps in breaking the habit. Of course, as you are now aware of what bothers you, you also have a chance to eliminate the cause of that stress.
If you look up low carb high fat (LCHF), ketogenic, and carnivore proponents and experimenters, they're the ones getting the long lasting results.
Gary Taubes did his now famous investigation into the history of nutritional science and found how it went all to pot when it shifted to USA and ignored the earlier, actually good scientists, in Germany and Austria, and what they had already been discovering.
In essence, yeah, there are things which cause people to gain weight, and meanwhile, the meme of advising pe
Re: (Score:2)
If you look up low carb high fat (LCHF), ketogenic, and carnivore proponents and experimenters, they're the ones getting the long lasting results.
I call myself "semi-keto". Greatly reduced carbs (was eating rice probably 3-4 times a week and potatoes 2-3 times a week), but also trying to stay away from really high fat (cook mostly with olive oil, not butter). Pretty sure I haven't gone into ketosis but still down about 15 lbs since Aug 1 and it's still a pretty filling diet.
Re: (Score:2)
I call myself "semi-keto". [...] Pretty sure I haven't gone into ketosis
That's not even vaguely semi-keto, then. Keto is short for ketogenic, not for low-carb. And it isn't low fat, either. All you're doing is calorie reduction, which has no relation to the ketogenic diet whatsoever.
Re: (Score:2)
If you look up low carb high fat (LCHF), ketogenic, and carnivore proponents and experimenters, they're the ones getting the long lasting results.
I call myself "semi-keto". Greatly reduced carbs (was eating rice probably 3-4 times a week and potatoes 2-3 times a week), but also trying to stay away from really high fat (cook mostly with olive oil, not butter). Pretty sure I haven't gone into ketosis but still down about 15 lbs since Aug 1 and it's still a pretty filling diet.
Yes, I gather the point at which people go into ketosis will be different for different people. As the other person said, that's not what keto looks like on paper, but then, if you are eating few enough carbs that you can manage to go into a fasting state overnight, whilst asleep, you might find you are in ketosis by the time you wake up, especially if it has been over 12 or maybe 16 hours since last eating.
Unfortunately the testing strips are expensive, but they're interesting to use. I do full fat, lots o
Re: (Score:2)
Its the nanny state (Score:1)
Go figure a somewhat reasonable default is replaced by a consumer who decides they cannot remember the password so they change it to 12345.
at least it's a start (Score:1)
sure, as with any law it will be incomplete, contain loopholes and be vague in certain areas, but at least it is better than nothing.
default passwords are a big part of the security issues of IoT devices, so if we can already scrap that off the list of things to worry about, that can only be a good thing.
Re: (Score:1)
Comment removed (Score:5, Funny)
Re: (Score:2)
Indeed, let's wait for the free market in California to resolve this problem on their own!
Please let me know when that happens.
Re: (Score:2)
I've also heard there are new laws in the planning that will require everyone in California be happy and rich.
Can't wait to see how those are enforced.
Everybody will be required to discard needles and feces in the streets. When everybody is special, nobody is.
Have they really thought this through? (Score:4, Insightful)
OK. I drop my toothbrush and it breaks. So I go to the store and find all six of the toothbrushes I can choose from are internet connected. I pick one, go home, plug it in. Now I enter a new password. How do I do that? It's a toothbrush.
------
My (conceptual and imaginary) grandmother buys a new "smart" TV. (Seriously, "They" apparently don't make dumb TVs any more). She plugs it in getting many of the connections right. It asks (in colloquial Latvian because it's a bit confused about where it is) for a new password. She at least has an input device-- the remote. She pushes random buttons until the weird prompt(s) go away. Congratulations grandma, you've set an unknown password and effectively bricked your new TV. Who is going to unbrick it? How?
-----
I'm not sure the world needs politicians "solving" problems nobody understands. Quite likely a case of "Now you have two Problems"
Re: (Score:2)
There is the possibility of unique passwords being issued with each device.
So instead of the devices being compromised one by one, they will all be compromised at once after the manufacturer is compromised.
Re: (Score:2)
Manufacturers will avoid those problems because they don't want a huge number of returns. They will set a decent default password, as many already do.
When thinking about these consumer laws you have to remember that manufacturers always want to avoid customers having problems with their products, at least until the warranty expires, because most places make it their problem to fix it.
Re: (Score:2)
The problem with "decent default passwords" is that it turns out that far too often it's literally just something like HASH(MAC_ADDRESS) - so it is easy to figure out just from connecting to the device itself. They practically TELL you their default password. This has been done to keep the firmware flashing process "easy", since it is the same for all devices, instead of programmatically generating that one little string on a per-flash basis.
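The comment above describes a default that is a pure function of data the device reveals about itself, and the earlier exchange about per-device passwords raised the worry that a central list of them is one breach away from compromising every unit. The example below is added for this page and is not any vendor's real scheme: it puts a MAC-derived default next to one drawn from a CSPRNG at provisioning, gives a self-check a vendor could run on its own generator, and shows what the flashing station needs to keep (a hash on the device, the plaintext only on the label). `VENDOR_CONSTANT`, the MAC and all function names are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Added example, not any vendor's real scheme: contrasts a default credential
# derived from data the device itself reveals (its MAC address plus a constant
# baked into every unit's firmware) with one drawn from a CSPRNG at provisioning
# time. VENDOR_CONSTANT and the MAC used in the demo are constructed placeholders.

VENDOR_CONSTANT = b"example-firmware-constant"   # identical in every shipped unit


def derived_default(mac: str) -> str:
    """The pattern the comment criticises: a pure function of public inputs.
    The derivation ships in every unit's firmware and the MAC is visible on the
    network, so the same ten characters are reproducible by anyone."""
    digest = hashlib.sha256(VENDOR_CONSTANT + mac.encode("ascii")).hexdigest()
    return digest[:10]


def provisioned_default(mac: str) -> str:
    """Per-unit credential chosen by the flashing station from the OS CSPRNG.
    The MAC parameter exists only so both generators share a signature; it is unused."""
    return secrets.token_urlsafe(12)


def is_function_of_public_data(generator, mac: str, trials: int = 3) -> bool:
    """Self-check a vendor can run against its own generator: if every call for the
    same MAC returns the same value, the 'secret' is derivable from the MAC."""
    outputs = {generator(mac) for _ in range(trials)}
    return len(outputs) == 1


def provisioning_record(mac: str) -> dict:
    """What the flashing station produces for one unit: a salted hash that goes
    into flash and the plaintext that goes onto the printed label. Keeping them
    separate makes the point that no central plaintext copy needs to survive
    label printing, which removes the 'compromise the vendor, own every device' path."""
    label = provisioned_default(mac)
    salt = secrets.token_bytes(16)
    on_device = hashlib.pbkdf2_hmac("sha256", label.encode("utf-8"), salt, 100_000)
    return {"label": label, "flash": (salt, on_device)}


def device_accepts(record: dict, candidate: str) -> bool:
    """Firmware-side check against the stored hash only."""
    salt, stored = record["flash"]
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(attempt, stored)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"   # constructed MAC
    print("derived default is reproducible from the MAC:",
          is_function_of_public_data(derived_default, mac))
    print("provisioned default is reproducible from the MAC:",
          is_function_of_public_data(provisioned_default, mac))
    rec = provisioning_record(mac)
    print("label credential accepted by device:", device_accepts(rec, rec["label"]))
```

The usable check is `is_function_of_public_data`: if a generator gives the same answer every time for the same unit, the credential is not a secret in any meaningful sense, however long the hash output looks. The hardened path costs one CSPRNG call per unit on the flashing line, which is the "one little string on a per-flash basis" the comment says vendors skip.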
Re: (Score:2)
Re: (Score:2)
She pushes random buttons until the weird prompt(s) go away. Congratulations grandma, you've set an unknown password and effectively bricked your new TV. Who is going to unbrick it? How?
First, devices often have some method to reset the password. They hold a 'reset' button while they reboot the device, and the password gets reset. So the TV doesn't need to be bricked.
Second, when talking about the various dangers of internet connected devices, it's this kind of unknowing user that make this default password such a big problem. A lot of grandmothers (and other people), instead of pressing random buttons to get past the prompts, will just leave all the default settings, leaving
Re: (Score:2)
No, I'm actually in favor of regulation. The problem is your inability to see the difference between sensible regulation and compounding problems that exist because of crackpot engineering and general lunacy. In point of fact internet connected toothbrushes are an example of a device that is useful only for a small number (quite possibly zero) of users. But incredibly they do exist and marketplaces do not seem to be very good at efficiently consigning such products to oblivion. Also there is the inconve
Re: (Score:3)
"If the toothbrush needs to be connected to internet, there must be some way to configure it."
The issue of an internet connected toothbrush is kind of interesting. I picked it because it's a blatantly nutty idea. But Google assures me that such things do exist. How DO you configure it? The obvious notion would seem to be via a web server on port 80. But that implies that the crazy thing can get to the network -- which suggests that it either has an RJ45 network connector (who has network ports in their
Jesus Christ (Score:1)
Does everyone in the tech industry have to use vegan references in an analogy that is completely preposterous?
The better analogy would be like classifying all driver's licenses as aviation licenses. Then you'll have millions of untrained, and uneducated pilots flying airplanes.
The moral of the story: a vast majority of people who use a network should probably not be allowed to use the network or internet without a personal administrator. If you are going to allow all people to use the internet without I
White boxes (Score:5, Interesting)
The fundamental issue is that most IOT gear is really just really cheaply made and designed white box devices from obscure Chinese vendors consumers have never heard of and which the companies under whose name the devices are sold to consumers just order them from the vendor with their name and logos slapped on at the vendor's factory. Until you can force the white box vendors to properly secure their cheaply made and designed hardware, we're just not going to be able to make a dent in the problem.
Re: (Score:2)
California is a huge segment of the US market - and not one that a seller can ignore and remain competitive.
The easiest way to do that is to make their buyers care about security specs. The easies
Re: (Score:3)
When car makers make sure all of their U.S. cars are compliant with the more stringent California Air Resources Board standards they've spent billions developing them and obviously need to sell a lot of them to recoup the development costs. Companies that sell white box hardware w
stereotypical government (Score:1)
California takes the super liberal thing too far. (Score:1)
Penalties for negligent companies (Score:3)
You can't "law" stupid away.
No but you can make penalties for it for companies that do stupid things. Companies are supposed to be able to hire smart people to figure this stuff out and if they fail to do that there should be consequences with teeth.
Some things you just have to let them work themselves out.
Product liability isn't one of them. Neither is negligence.
If you have a brand of devices that are constantly getting compromised. People will stop buying them.
HAHAHAHAHAHAAAA!!!! I refer you to Microsoft Windows, Adobe Flash, and Microsoft Office. Not to mention countless shitty routers and IOT devices that get pwned every day. People buy things all the time with vast security prob
Re: California takes the super liberal thing too fa (Score:2)
When those security holes are exploited to create botnets that then attack a 3rd party it's not a personal freedom to be stupid issue. Antivaxxers threatening herd immunity is a rather direct analogy.
Re: (Score:1)
IoT devices should each get (Score:2)
California...really? (Score:2)
Is this the most pressing need? CA is a state full of idealists that "fix" things, then move on to the next shiny issue. Five years later, they fix the "fix" that never worked. All the while bleeding money.
from the show-me-your-password dept. (Score:1)
California Government: I need to see your password in order to determine if it's secure. (facepalm)
Instead, legislate fine them for security lapses (Score:3)
In general, legislating one particular best practice does not fix an industry. And there are better ways than writing laws. Some ideas:
Any of the above would mean that, for example, the California government would no longer buy Western Digital hard drives. These suggestions intentionally do not state what the specific best practices are, and other than the last one they don't require laws, which are slow to change. The specific practices can be defined by some of the many organizations that already do that. Ex: OWASP top 10, static analysis, pen testing, etc. This is similar to what the FDA did with medical devices, to make manufacturers stop doing idiotic things like using unauthenticated Wifi on insulin pumps so hackers could remotely kill people.
Re: (Score:2)
Provide funding to start up a commercial product security certification organization, similar to what Underwriters Laboratories (UL) [wikipedia.org] does for safety.
You know what underwriters do? They back insurance risks. Fires are very expensive. There is no financial incentive behind consumer electronics security like there is for insurance agencies to prevent fires.
Re: (Score:2)
You know what underwriters do? They back insurance risks. Fires are very expensive.
That's what UL was for back in the 1800s. Things do a lot more than fire safety these days.
There is no financial incentive behind consumer electronics security like there is for insurance agencies to prevent fires.
That's why all of my options included making security a liability for those companies. My last bullet point was explicit financial liability. The other options involved liability of the form "This is a liability because a large organization won't buy my product."
Re: (Score:3)
Stuff like this sounds great in practice, and even makes a good amount of sense - why not use capitalism itself to promote desired behavior? But these kind of restrictions on government purchasing are why government pays twice as much to make what should be easy purchases. "Approved vendors", "preferred suppliers", and "government rates" because it takes so much paperwork. This also excludes small companies who don't have staff dedicated to filling out government paperwork.
Re: (Score:2)
...pays twice as much...
Yes, security costs money. And auditing companies to make sure they comply costs money. Today people demand the cheapest parts possible, so companies don't bother with proper security. If we want security, we have to pay for it. If I had the choice between a Western Digital Passport drive (regarding the story earlier today), and another vendor that had real security but cost twice as much, I would take the one with security. And if California wants secure devices, they should too. Hopefully, we can m
Nanny-state (Score:2)
Re: (Score:2)
Re: (Score:2)
Laws shouldn't be passed to protect people from stupidity.
Nobody can be an expert on everything. Especially without awareness that there are important things that they need to know. You can't go out and learn what you don't know you need to know.
There's really no reason or defense for the insane defaults we have now. Cars don't default to having the airbags disabled. Refrigerators don't default to temperatures outside of the food safety zone.
What's next? Shoestring knots? (Score:1)
The governor and state legislature in California are doing their best to advance the nanny state to protect all of us. Just recently, they passed a state law that schools could not open before 8:30 am so that the students would get enough sleep. And, of course, the plastic bag and plastic straw bans are spreading across California like a fungus. Now they are passing a law to force us to lock up our wireless routers properly. Next will be a law prescribing a particular method of shoe-tying so that none o
The bill should not be either-or... (Score:2)
Idiocracy (Score:2)
This is how Idiocracy becomes real.
By preventing the stupid from hurting themselves.
I prefer my cameras to have no password (Score:2)
2 factor authentication (Score:2)
Because we want to be sure that we know what person the surveillance devices are watching.
The real question is why we need so many miscellaneous devices connected to the internet with anything more than a one-way data link.
Or... (Score:2)
Just make the default password some ugly long gibberish and the users are likely to change it to their dog's name just because they don't want to type that monstrosity again.
They passed it! (Score:2)
Update from the future: The law passed [slashdot.org]
Re:It should be (Score:5, Interesting)
You think "security" is something that can be "built in." Security in software development is a mindset. How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords?
While having the source code available is helpful to see if there are security issues, that doesn't mean they will be found. Open source doesn't provide for greater security though. Open source == licensing model, not a security process.
With many software projects, open source or closed, there are often only a few people who understand the software well enough to even notice those bugs.
I don't think forcing a particular operating system down vendors' throats is the solution. My idea is, every time a vendor has a security issue on their device, I want a refund. They sold me a defective device with defective software. We need to stop calling software buggy and call it what it really is, DEFECTIVE.
Strict liability and products (Score:5, Insightful)
You think "security" is something that can be "built in." Security in software development is a mindset.
A mindset in a software developer's head is a useless thing to an end user. It might start there but it has to actually become something more than that. Ultimately security has to manifest itself in products (software and hardware) and processes to use those products. A developer's mindset will not keep a network or device or data safe any more than an engineer thinking about how to stop a car will actually cause one to halt. So yes, security ultimately has to be built into whatever device(s) and software you are using.
My idea is, every time a vendor has a security issue on their device, I want a refund.
Then you would have no devices because it's impossible to prove that non trivial devices and software have no security issues. Nobody could ship a product and be sure there was no security issue they missed. It is arguably reasonable however to apply strict product liability [wikipedia.org] laws to software and to hold companies financially accountable for damages. Current application of product liability laws routinely provide software makers too much wiggle room to avoid responsibility for their failures, particularly with regard to security.
Re: (Score:3)
How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords?
Well the IoT manufacturer also has to do their job in building whatever web interface they build, but it certainly helps to start from a secure OS.
While having the source code available is helpful to see if there are security issues, that doesn't mean they will be found. Open source doesn't provide for greater security though.
Well it doesn't inherently completely make for better security. It does have some advantages, though. There's the obvious fact that there are generally more eyes on an open source project, so security problems may be more likely to be noticed. Also, frankly, security is hard to do well, and having a bunch of random developers coming up with their own solution
Re: (Score:2)
Is the web interface on the actual device, or in the back office? I've worked on devices that don't have room to fit even the simplest web interface and with no convenient way to talk to them without specialized equipment. From the devices I've worked on, the security doesn't start in the OS, most small operating systems don't come with security built in and when they do they're inappropriate for your product (ie, you'll rarely find a PKI solution). The OS has no idea what you need as security, what pro
Re:It should be (Score:4, Informative)
You think "security" is something that can be "built in." Security in software development is a mindset. How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords?
Security in everything is a mindset... However a good mindset on its own is useless. You need to give the user the tools as well.
What we have needed for years in connected home appliances is for the first configuration screen to be "Change this default password before the device becomes usable". Laws here in the UK have meant that ISPs aren't permitted to hand out devices with generic or default passwords, so every router you get has a sticker on it with your individual password.
Re: (Score:2)
This is fine if a person's freedoms don't interfere with other people's freedoms. Often there's a collision; once two people meet the freedoms they had as isolated individuals are now diminished (either through physical intimidation by one party or a set of rules and guidelines set up by a government). This is not socialism except by the distorted rewriting of the dictionary by the alt-right. Even many rabid libertarians I know agree that government has a responsibility here.
A government clearly has a vest
Re: (Score:2)
My idea is, every time a vendor has a security issue on their device, I want a refund. They sold me a defective device with defective software. We need to stop calling software buggy and call it what it really is, DEFECTIVE.
Everything internet connected should be sold with a lifespan and support for X number of years (and labeled as such on the package). They do this with carbon monoxide detectors. After 7 years, they turn off and won't work anymore and just beep constantly. This is a safety feature. IOT devices should probably come with the same thing. After they stop receiving patches, they should stop connecting to the internet. This would be a safety feature not only for the purchaser but to protect the rest of the inte
Re: (Score:2)
that sounds suspiciously like the windows 10 update mindset, and it's a fiasco.
If you buy hardware, it is yours, and you should retain ultimate control over it.
If I'm a dummy and don't update my webcam's password, or refuse to heed the warnings that its security has been compromised -- well guess what? That's my fault, and no one else's.
Re: (Score:2)
If I'm a dummy and don't update my webcam's password, or refuse to heed the warnings that its security has been compromised -- well guess what? That's my fault, and no one else's.
That's fine but ISPs should also start terminating connections of people whose devices are unknowing participants of botnets.
The other problem is that you're assuming there are updates. What happens when that webcam has a security flaw and the company doesn't fix its firmware (or even has the ability to do so)? Changing the default password isn't the only problem, it is the idea that the manufacturer's responsibility ends as soon as money is exchanged. There should probably be some sort of contract with all
Re: (Score:2)
Many cell phones never get a single update after they are sold and cheaper consumer devices get even fewer updates if any.
How does a cheaper device get fewer than zero updates? Do they revert to an earlier version?
Re: (Score:2)
My idea is, every time a vendor has a security issue on their device, I want a refund. They sold me a defective device with defective software. We need to stop calling software buggy and call it what it really is, DEFECTIVE.
Do you happen to own a buggy whip factory? Cause your proposal would result in a complete backslide in technology. Humans err. If they did not intentionally create a defect and are willing to help you get it fixed, why do you think you ought to get a refund? Did you get zero utility out of the software before a defect was found?
Re: (Score:3)
You think "security" is something that can be "built in." Security in software development is a mindset.
You mean I can't just order my embedded software from a Chinese menu and check the box for "Yes, security please" ?
My crash course in security pared down to what I could reasonably fit into a post:
The process of threat modeling is a formal analysis of the security of a system. One easy to remember process is to use the mnemonic STRIDE [wikipedia.org] - Spoofing, Tampering, Repudiation (sharing of access tokens or accounts between users, man-in-the-middle, social engineering, phishing scams, etc), Information disclosure, D
Re: (Score:2)
This depends upon what the security is for. Validating passwords sounds like an application front end; most IoT devices usually only talk to other devices. So you need to make sure your networking security is good so that you can't be spoofed, and you can verify certificates from neighboring devices or a back office (pre-shared keys are a recipe for disaster). Then you want security so that your device can't be cloned more cheaply by someone else, so lock down the firmware and encrypt it, etc.
Then there a
Re: (Score:3)
main software developers all building a single OS for IoT with security built in
A software monoculture is great for security. Much more efficient to take down the entire globe at once when a flaw is discovered.
Re: (Score:2)
A single OS for IoT is ridiculous. IoT is not like a PC or smartphone where one size fits almost everyone. Every IoT device is unique with unique goals and purposes. What is appropriate for a sensor device that runs unattended for twenty years in the field on a single battery should not have to have the same OS as a consumer IoT device that tells you if your refrigerator is on or not.
Re: (Score:2)
The intent of the law is to make your device more secure, and the initial password change (or any p/w change) is an ideal time to enforce strong p/w security rules.
How long before that happens?
User name: SLIPPERY
Password: SLOPE
Re: (Score:2)
There's a new breed of libertarian that thinks freedom is about letting a corporation do whatever it wants to do. Apparently even citizens believe that corporations are people too.