"risks had been heeeded"
Everyone should take heeed of any risks.
Researchers have found 207,000 publicly-accessible Baseboard Management Controllers (BMCs) can be hacked with a "handful" of basic command and config flaws, despite previous warnings about the problem. The exposed devices were found during a global trawl of UDP 623 that netted 230,000 public BMCs, half of which ran holey 13- …
Farmer was also highly critical of the protocol stating it was vulnerable by design and contained next to no documentation pointing users to ways to improve their security postures. This was tantamount to major server manufacturers "harming their customers", he said.
Do not assign to stupidity what can easily be explained by well-funded malice.
Hanlon's razor? "Never attribute to malice that which is adequately explained by stupidity," or more to the point, "Any sufficiently advanced incompetence is indistinguishable from malice." I think the latter covers the issue at hand.
* Vendors get busted for wilfully or negligently selling stuff that is insecure by design - and failing to notify customers / public in a timely manner.
* People wilfully/negligently exposing said stuff to the internet *after* being informed about it being broken get busted.
I think that all the legislation required is already there, plod/trading standards need to pull their finger out & enforce it... It's definitely possible - car manufacturers are already held to this standard.
"People wilfully/negligently exposing said stuff to the internet *after* being informed about it being broken get busted."
12 million-odd PCs infected with malware in the UK, many of which will be consumer PCs. Are you saying security bulletins amount to informing people, and if so, have you ever met anyone outside IT who's read one? Should I make the arrests, or will you?
Car manufacturers are only held to 'that standard' for a few safety related subsystems and for a limited amount of time. Same with medical devices.
If you expect me to retrofit old products because issues are found way down the road, you've lost your damn mind. You have absolutely no concept of how much that would cost the end users. You realize that's who would pay right? It sure as fuck won't be me.
It is the users' responsibility to upgrade their 'stuff' to reflect the evolution of technology, not the manufacturers'. A perfectly sound product today can be rendered wholly unsafe/insecure tomorrow by new developments; the end user isn't entitled to functionality that prevents them from having to make investments in the future to keep pace.
Now, just because what you've suggested is completely and utterly unreasonable doesn't mean you can't go out and establish a company that retroactively updates their products as a value added component of the purchase. Do try to buy the latest in equipment though. When you're selling your assets at year end I'll get them for pennies and get a couple of years good use out of them.
"If you expect me to retrofit old products because issues are found way down the road"
No, I expect vendors (I'm guessing the 'me' in the sentence above) to inform their customers that their stuff is broken, ie: don't hide the faults a la GM, Ford et al. ;)
"You have absolutely no concept of how much that would cost the end users."
Informing folks about the flaws in your products should not be a major expense, chip vendors publish errata. As a vendor you really should be tracking flaws, the information can be used to improve customer satisfaction and generate repeat/ongoing business.
"You realize that's who would pay right? It sure as fuck won't be me."
Sure, the folks who buy the gear, just as they do today...
"It is the users responsibility to upgrade their 'stuff' to reflect the evolution of technology, not the manufacturers."
The suggestion is worded quite carefully. As we all know anyone (Yahoo, your grandfather etc) hooking gear up to the inet can be pwned, and while they may not give a fuck, other folks can and do get screwed over through no fault of their own (eg: smtp open relays, DoS attacks etc).
The aim is to ensure folks are informed that the junk they're hooking up to the inet is broken by the vendor, and having been informed they will then have an obligation to make sure their junk is fixed/removed from the inet. As I said I suspect that we don't need new laws for this, it just requires a bit of education & enforcement.
The linked article does say that baseboard management controllers provide out-of-band monitoring etc, so the problem is really people not keeping their management network separate or firewalled. Then the protocol can safely be horribly flawed, if no miscreant can access it.
The turnip-brained idea was that IPMI could share the only ethernet connector on the motherboard with the internet connection to save money and reduce the number of cables. Add to that the fact that you are dependent on the vendor for security updates and you can see the disaster train accelerating hard towards the cliff. It could have been worse... Imagine what would happen if firmware upgrades required a digital signature from the vendor.
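The two comments above make a practical point: a BMC on a shared NIC answers UDP 623 before the host OS ever sees the packet, so the host's own firewall cannot protect it; the filtering has to live on the switch or edge router in front of the management network. The script below is an added example written for this thread, not something from the article, the commenters or any vendor. It prints an nftables ruleset for a Linux box acting as that upstream filter, allowing IPMI/RMCP (UDP 623), RMCP+ over TCP 623 and the BMC web UI (TCP 443) only from an assumed management subnet; the subnet and interface name are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example (not from the original thread): emit an nftables ruleset for an
# upstream filter that sits between the internet and the LAN carrying BMCs.
# Host-side firewalls do not help on a shared-NIC BMC, so this belongs on the
# edge router/firewall, not on the server itself.
#
# Arguments (both assumed placeholders):
#   $1  management subnet allowed to talk to BMCs   (default 10.10.0.0/24)
#   $2  interface facing the untrusted side           (default eth1)
bmc_edge_ruleset() {
  mgmt_net="${1:-10.10.0.0/24}"   # assumed management subnet
  wan_if="${2:-eth1}"             # assumed untrusted-facing interface
  cat <<EOF
table inet bmc_guard {
  chain forward {
    type filter hook forward priority 0; policy accept;

    # Management hosts may reach BMC services.
    ip saddr $mgmt_net udp dport 623 accept
    ip saddr $mgmt_net tcp dport { 443, 623 } accept

    # Anything else arriving on the untrusted interface for those ports is
    # dropped and counted, so exposure attempts show up in 'nft list ruleset'.
    iifname "$wan_if" udp dport 623 counter drop
    iifname "$wan_if" tcp dport { 443, 623 } counter drop
  }
}
EOF
}

# Print the ruleset; pipe into 'nft -f -' on the edge box to load it.
bmc_edge_ruleset "${1:-10.10.0.0/24}" "${2:-eth1}"
```

Run it as `sh bmc_guard.sh 10.10.0.0/24 eth1 | nft -f -` on the edge device. The counters on the two drop rules give you a cheap way to see whether anything on the outside is probing for IPMI, which is the kind of signal the article's 230,000 exposed BMCs suggest most operators never looked at.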
Mine is running the latest firmware. It dates from 2012. God knows how old the kernel actually is, but I'd reckon a few vulns have been discovered since then. And don't talk about my little DLink hub. It is old enough that it is firewalled from the internet using physical means.
All the more reason to verify openwrt or one of the other open source projects supports your router BEFORE you buy it. Yes, yes, I understand this is not an option for Grandma and many on here don't want to mess with custom firmware, but from what I see at least in the home router space it's the only way your router has any chance of not being trivial to pwn (all the major brands' firmware is garbage security wise and most performance wise as well). If you are super serious about security you will run OpenBSD or pfsense on a dedicated PC router between your home network and the intertubes, but the setup, fan noise and increase in electric bill are a bridge too far for most non nerds.
contained next to no documentation pointing users to ways to improve their security postures
hehe
He says that like it's a bad thing.