<div dir="auto">+1<div dir="auto"><br></div><div dir="auto">Now how do we get the tech industry to embrace it? They have $$$$$ and can lobby against this, so they must instead be redirected to support this. Then they use the $$$$$ that they steal from us (profits) to lobby to curtail bad corp behavior. Then we get laws.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Jun 8, 2017 9:14 AM, "DJ-Pfulio" <<a href="mailto:djpfulio@jdpfu.com">djpfulio@jdpfu.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Which is why - and I can't believe I'm saying this - we need national laws<br>
(cough, cough, cough) to mandate support periods (5-10 yrs?) and mandatory<br>
patching at least quarterly for all connected devices if more than 200 are sold.<br>
<br>
"connected" means **any** networking capability.<br>
<br>
The penalties need to be >> corporation ending << for failure to comply and tied<br>
to the management team, so they cannot be serial failures selling the same basic<br>
thing and going out of business every few years.<br>
<br>
Plus, this will prevent companies from adding networking, unless there is a<br>
really good reason, due to the patching required - looking at many TVs.<br>
<br>
I'm tired of Google thinking a $300-$1500 device has a 3 yr life.<br>
_Supported-until at-least_ dates on packaging, mandatory. If a company is sold,<br>
those support dates MUST be carried forward. Sort of a poison pill to prevent that<br>
old loophole.<br>
<br>
I'm tired of router companies putting out crap $20-$250 routers and NEVER making<br>
any patches available. Yes, many of those $250 routers are crap.<br>
<br>
<br>
On 06/08/2017 08:45 AM, Jim Kinney wrote:<br>
> The merest hint of "set and forget" devices left live online forever scares the<br>
> poo out of me. Colossally stupid idea. Add the "use of this device releases the<br>
> manufacturer of all liability" license crap and it starts looking like a smokers<br>
> convention at a fireworks factory.<br>
><br>
> There's a responsibility level that software production just hasn't accepted<br>
> yet. Sometimes 'release early, release often' is really translated to 'break<br>
> early, break often, release anyway'.<br>
><br>
><br>
><br>
> On Jun 8, 2017 8:31 AM, "DJ-Pfulio" <<a href="mailto:DJPfulio@jdpfu.com">DJPfulio@jdpfu.com</a>> wrote:<br>
><br>
> Perhaps IoT devices need this too?<br>
><br>
> Bruce Schneier's blog ...<br>
> <a href="https://www.schneier.com/blog/archives/2017/06/safety_and_secu.html" rel="noreferrer" target="_blank">https://www.schneier.com/blog/archives/2017/06/safety_and_secu.html</a><br>
> "Last year, on October 21, your digital video recorder — or at least a<br>
> DVR like yours — knocked Twitter off the internet. Someone used your<br>
> DVR, along with millions of insecure webcams, routers, and other<br>
> connected devices, to launch an attack that started a chain reaction,<br>
> resulting in Twitter, Reddit, Netflix, and many sites going off the<br>
> internet. You probably didn't realize that your DVR had that kind of<br>
> power. But it does."<br>
><br>
><br>
> A few years ago, during a national election in a smaller country, the<br>
> entire country was taken offline using internet attacks.<br>
><br>
> IoT (or Internet of Shit-devices) have amplified this power.<br>
><br>
><br>
> On 06/08/2017 08:09 AM, Jim Kinney wrote:<br>
> > Hah!<br>
> ><br>
> > Sad but true.<br>
> ><br>
> > Certain aspects of programming should be required to be<br>
> > run/directed/managed by licensed professional engineers. Finance,<br>
> > utilities, and medical are the top three for me that scream for real<br>
> > professional programming. We don't let precocious high schoolers build<br>
> > bridges just because they were really good with lego blocks. Engineering<br>
> > of physical things protects itself with professional standards.<br>
> > Engineering of virtual things needs to do the same.<br>
> ><br>
> > On Jun 8, 2017 7:44 AM, "Adrya Stembridge" <<a href="mailto:adrya.stembridge@gmail.com">adrya.stembridge@gmail.com</a>> wrote:<br>
> ><br>
> > For $250 they got about what they paid for.<br>
> ><br>
> > On Thu, Jun 8, 2017 at 6:42 AM, DJ-Pfulio <<a href="mailto:DJPfulio@jdpfu.com">DJPfulio@jdpfu.com</a>> wrote:<br>
> ><br>
> > Of the 17 commissioned projects by Tripwire (a security firm), 10<br>
> > websites were completed and purchased.<br>
> ><br>
> > The researchers found that every website had critical security<br>
> > failures.<br>
> > Read more here:<br>
> ><br>
> > <a href="https://www.helpnetsecurity.com/2017/06/08/website-security/" rel="noreferrer" target="_blank">https://www.helpnetsecurity.com/2017/06/08/website-security/</a><br>
> ><br>
> > * Unauthorized users allowed (all) - Check<br>
> > * Allowed hackers to upload a PHP webshell (all) - Check<br>
> > * Allowed auth bypass via SQL injection (several) - Check<br>
> > * Allowed content modification via SQL injection (half) - Check<br>
> ><br>
> > Short, but interesting read.<br>
><br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div></div>
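The two findings listed deepest in the quoted thread, authentication bypass via SQL injection and an upload form that accepted a PHP webshell, are the two cheapest bugs to demonstrate side by side. The block below is an added example for this page; it is not code from the thread, from the Tripwire commission or from the Help Net Security article, and it says nothing about how those sites were actually built. It uses an in-memory SQLite table with one constructed account. The function names (`login_vulnerable`, `login_safe`, `safe_upload_name`), the site-wide salt and the extension lists are assumptions made for the demonstration; a real site would use a per-user salt and a slow password KDF.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed demo data: one account, password stored as a salted PBKDF2 hash.
# A site-wide salt keeps the vulnerable query simple; real systems salt per user.
SALT = b"constructed-demo-salt"


def _hash(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000).hex()


def make_db() -> sqlite3.Connection:
    """Fresh in-memory users table with a single constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("admin", _hash("correct horse battery staple")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Vulnerable pattern: user input is concatenated into the SQL text.

    A username of  admin' --  turns the WHERE clause into
    username = 'admin' --' AND pw_hash = '...'   so the password check is
    commented out and the query returns the admin row regardless of password.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND pw_hash = '" + _hash(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Hardened form: parameterised lookup, password verified in code, not in SQL."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        _hash(password)  # burn the same time as a real comparison to avoid a username oracle
        return None
    return username if hmac.compare_digest(row[0], _hash(password)) else None


# Upload gate: the webshell finding is usually "the server executes whatever
# file name the client chose". Allow-list the final extension, refuse any
# script extension anywhere in the name, and never store under the client name.
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}
SCRIPT_EXT = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "pht"}


def safe_upload_name(client_name: str) -> Optional[str]:
    """Return a server-chosen storage name for an acceptable image upload, else None."""
    base = os.path.basename(client_name.replace("\\", "/"))  # strip any path component
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None
    exts = parts[1:]
    if exts[-1] not in ALLOWED_IMAGE_EXT or any(e in SCRIPT_EXT for e in exts):
        return None
    # random name + vetted extension: the attacker controls neither
    return f"{os.urandom(8).hex()}.{exts[-1]}"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload admin' --  ->", login_vulnerable(db, "admin' --", "anything"))
    print("safe,       payload admin' --  ->", login_safe(db, "admin' --", "anything"))
    print("safe,       real credentials  ->", login_safe(db, "admin", "correct horse battery staple"))
    for name in ("shell.php", "shell.php.jpg", "../../cat.png", "cat.JPG"):
        print(f"upload {name!r:>18} ->", safe_upload_name(name))
```

The two login functions are deliberately identical except for where the untrusted string ends up: inside the SQL text versus bound as a parameter. That is the whole fix for the injection finding; the `compare_digest` and the dummy hash on a missing user are the small extras a practitioner adds while there. The upload gate is only the file-name half of the webshell defence; the storage directory must also be served without script execution.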