For how long though? How long should a company be legally required to update firmware/software on a device? 3 years? 5 years? 20 years after they've stopped producing that model?
Public safety is one thing, but what about something that interfaces with a vehicle? A next gen thermostat that turns on the A/C when it receives a signal from your car stating that you are on your way home. If a security flaw is discovered that allows it to install a rootkit on the vehicle, is the thermostat manufacturer legally bound to develop and issue a fix for the thermostat? (Bad example I know, as the vehicle is at fault for allowing the thermostat to install the rootkit.)
To be fair, car recalls are also a bad example.
My actual feelings on it are that I don't think the manufacturer should be bound to provide unlimited firmware updates to prevent lawsuits, but in exchange for that money saving feature they should be forced to allow users more freedom in updates / modification of the OS.
Which is a pipe dream but yeah.
You can only hold them to that to a certain extent, things that are secure today might be broken in a week or month from now due to some super obscure bug. Look at some of the vulnerabilities just last year where they just found stuff in code that is 15+ years old or more. There are a lot of lines of code to sift through and fuzz and it might only be exploitable given a perfect circumstance that sometimes people find just by chance. Now if you're talking about products like some of the IoT devices that come with like 4 webservers built in, all running without letting you know that in any manual and all configured with stuff like "admin/admin" then yeah, there needs to be some responsibility. However if a company can show they actually took steps and effort to securing something, what else can you do?
Everything can be updated for security patches for the most part; whether they are or not is another story, and that falls both on you the user, keeping up to date with the fucking massive amount of security patch information out there, or relying on a company like Microsoft to be able to assess and patch them correctly WITHOUT opening up new avenues of attack, which sometimes happens. Again... there is a shit ton of stuff going on under the hood and every little piece can be exploited in some way by using it in some fashion it was not intended to be used in, but it is literally impossible to see everything. However, it also shouldn't come with a firmware/OS that can't be or isn't updated and has known vulnerabilities.
That is why we have threat analysis, you patch up the big holes and hope that's enough and mitigate the rest through other means, sometimes just saying "yup we'll get to that hopefully"
Just kinda some context, but I see a lot of people (outside this thread) shocked at all this access.
It's common knowledge to computer scientists that any device to which an attacker has physical access is always 100% insecure. Encryption doesn't matter when you have physical access to the device, because all electronics not operating at absolute zero (aka none) leak data in some way that allows you to either retrieve the data or break the encryption.
This is why the FBI stuff was hilarious, because it showed how immensely incompetent they are given the above. So incompetent they'd rather change the law than do the work.
I fully agree with this. I often get questions from customers asking what they can do to be 100% safe if the government was to target them. The answer is always the same, they can't, unless they stop using electronics altogether. Even then, given enough money, they probably still would be able to find you.
The notion of forcing tech companies to be fully responsible and foresee any possible exploit is ridiculous. It can't be done. A lot of companies hire security companies for an independent audit to find exploits and weaknesses, but even then it's hard to find all exploits. As long as they do their very best to find exploits, that's good enough.
The CIA has spent millions if not billions to find some of these exploits. And some of them aren't even an exploit as much as it is physical tampering. They literally have a program which pretends to run an anti-virus scan while they gather data. How is that an "exploit"?
If you want to stay safe online, you always need to take extra precautions yourself. And common sense goes a long way.
A much more worrying and damning leak is how they use the Frankfurt US embassy as a European HQ, and issue their hackers with diplomatic passports to travel in Europe. That's certain to hurt US operations and diplomacy.
Why would they do all that and go to Germany? Are they circumventing US laws or what?
Because Frankfurt is in the heart of Europe and allows you to travel to 22 other countries without having to show a passport. Frankfurt is also an important Internet exchange point; why would you not want to place hackers near that? It's a great strategic position for everything cyber related.
As a matter of fact, Frankfurt's DE-CIX is the world's largest. The question is not why would they, it is why would they not place hackers in Frankfurt? It's hard to find a better strategic position in Europe.
It's not at all a surprise they have hackers there. What's surprising is that the leak states they do, where, and how they get there, as well as the covers they use.
That part of the leak seems to be one that most people for whatever reason overlook in lieu of "OMG my TV", even though I'd consider it one of the most important parts of the leak.
The FBI issue was different from what I remember; the phone was encrypted, and I think via a 512-bit RSA key at that. Even with physical access to that system it would take forever to break that encryption (literally, there's no way to break it before the sun dies out). Though with physical access they could do a bit-to-bit clone of the device and then attempt to figure out a back door or brute force it (brute forcing the original device would have killed it after x amount of failed attempts I believe), or attempt some method of extracting the key from the device. That's basically what they wanted from Apple, just a back door into their encryption... which would have made it weak; once a backdoor is known it's just a matter of time until it's discovered in the wild and leveraged by everyone.
I disagree Meresgi, no security is safe from physical access; case in point: a security firm easily opened the San Bernardino phone in question.
When you have physical access to the device, the entire point is you don't *need* to brute force the encryption key. Electronic devices leak data in other ways (heat, sound, vibration, power draw, etc etc etc) that are all more viable than brute forcing the keys.
Most don't even have to go that far, most professionals can figure out a key eventually with just an oscilloscope, because only the most hardened military devices protect their electrical paths.
So imho the key never really entered the equation (again, a 3rd party embarrassed the FBI and unlocked it in a couple of days). The FBI was simply incompetent and either wanted to push a political agenda, or would rather change the law than invest in the proper resources to do their job.
Case in point, researchers broke RSA4096 by listening to a computer via a microphone. The US government has even commissioned sound-proof cases to defeat this type of attack, although I can't seem to find the link to the article for that one.
https://www.extremetech.com/extreme/...-computers-cpu
Seriously, if there's physical access to something, it's not secure. Everything has to be maintained, and the sneaker net always wins.
@jimsciutto
10m
BREAKING: US authorities have prepared charges to seek the arrest of @wikileaks founder Julian Assange, US officials tell CNN
Assange only has himself to blame.
Maybe Trump can pardon him lol
For what exactly? Wouldn't his 1st Wikileaks dump a long time ago have warranted this?
Guess he'll be hanging out in that Ecuadorian embassy for the rest of his life.
https://www.nytimes.com/2017/05/19/w...eden-rape.html
Swedish rape charges dropped.
But London is still enforcing the warrant.