1. 13

  2. 3

    Is this not a rather slippery slope? Most vendors ship buggy products full of holes.

    1. 8

      Oh god I hope so.

      In my dreams, manufacturers have to fully cover the costs of everyone’s time wasted on their broken shit. They have to cover the costs of cleanly and safely disposing of their products. They have to cover the lifetime medical costs of people injured during the production/installation/disposal of their products.

      We shouldn’t reward offloading your costs onto everyone else; companies selling shit like this should be fined into the ground.

      1. 1

        Yes, I agree. But are they going to sue every vendor or just a few select (non-US) ones?

        1. 4

          Obviously you can’t sue everyone, but I don’t think you would need to, to have an impact.

          Another dream non-solution is to sue for damages_caused / likelihood_of_getting_caught so the expected value of cheating is 0. I expect the denominator is way too small for that to work out in practice though.

          1. 3

            I hope they sue all of them. Otherwise, the foreign ones will keep improving their stuff while Americans' hardware will remain in its current state. Then, we might have a repeat of Toyota in the networking, hardware market. America doesn’t need that shit.

            Although, I also encourage them to try to only go after foreign companies out of nationalistic bias. I want the secure hardware rather than American companies pocketing my dough. Either possibility works out for me. :)

            1. [Comment removed by author]

              1. 2

                re sue all of them. The idea is to use one win as a stepping stone toward others. They could do it sequentially with the low number of vendors making any individual’s odds of being next high enough to merit action. Assuming the first suit works, that is. Once a few precedents are established, private parties will pick up from there doing it themselves and for more device categories. Eventually, the big firms will throw their lawyers at the problem to stall or reverse the process. Meanwhile, the baseline security of the embedded devices might go up just due to the risk during the time period in between.

                re Amazon and Walmart. Good thinking. I didn’t consider hitting them at the retailers with image issues. That could be done without lawsuits by suitable PR campaigns on places where consumers and retailer representatives see the message. That could also be combined with a legal strategy for a double whammy. There needs to be clear action and/or alternatives regardless of the strategy used.

                re too far

                A subset of what was in Common Criteria for network devices (i.e. protection profiles) with a few techniques of modern, embedded security should do fine. Especially methods to allow easy updates, prevent/reduce code injection, secure administration, and sane configuration defaults. There’s basically a ton of free stuff out there for doing three of these. The code injection part is a little work but a baseline isn’t hard. Examples included Sidewinder using MAC-enabled BSD, GENU using OpenBSD, HYDRA using INTEGRITY RTOS, Secure64 using SourceT, and Sirrix et al using L4-based platforms. Each of these started as a smaller company just integrating FOSS or building custom components in ways that were sane. As in, they just gave a shit & had at least one person in there that knew something about security. Maybe two or more. ;)

                Easiest route, depending on difficulty of subsetting OpenBSD, would be to build on a popular router/firewall-oriented BSD. Might even get standardized among router vendors if enough components get in it. Plus, there’s already hardware/software architectures securing FreeBSD. Embedded systems that are BSD-oriented might get high-security benefits down the line if any of those get commercially deployed.

        2. 1

          What would prompt vendors to stop that?

        3. 1

          Defendants have failed to use free software

          I just had to quote this out of context :)